fix(deps): update module github.com/cilium/cilium to v1.18.4 [security]

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cilium/cilium	v1.18.1 -> v1.18.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-64715

Impact

CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended.

Patches

This issue has been patched in:

• Cilium v1.18.4
• Cilium v1.17.10
• Cilium v1.16.17

This issue affects:

• Cilium v1.18 between v1.18.0 and v1.18.3 inclusive
• Cilium v1.17 between v1.17.0 and v1.17.9 inclusive
• Cilium v1.16.16 and below

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​SeanEmac for reporting this issue and to @​fristonio for the patch.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.18.4: 1.18.4

Compare Source

Security Advisories

This release addresses GHSA-38pp-6gcp-rqvm.

Summary of Changes

Minor Changes:

• fix indentation for certgen resources in helm templates (Backport PR #​42450, Upstream PR #​42412, @​sdickhoven)

Bugfixes:

• bpf: Do not accidentally update IPcache in cluster-aware routing (Backport PR #​42577, Upstream PR #​42472, @​brb)
• cilium-operator: ciliumendpoints are not garbage collected until a minimum age is reached (5m by default) (Backport PR #​42577, Upstream PR #​42413, @​zhouhaibing089)
• controller: avoid spurious errors when RemoveControllerAndWait is invoked when the controller does not exist (Backport PR #​42617, Upstream PR #​41384, @​asdfmi)
• encrypt status: also check tcx attachment on interfaces (Backport PR #​42450, Upstream PR #​42328, @​bersoare)
• envoy: pass stream idle timeout from Helm to configmap (Backport PR #​42617, Upstream PR #​42499, @​mhofstetter)
• Fix BGP operator crash when bgp-secrets-namespace not set. (Backport PR #​42577, Upstream PR #​42425, @​rastislavs)
• Fix cilium_operator_lbipam_conflicting_pools metric to report correct value. (Backport PR #​42289, Upstream PR #​41999, @​hanapedia)
• Fix issue where fqdn GC starts too early that results in potentially missed ips in the IPCache (Backport PR #​42617, Upstream PR #​42502, @​odinuge)
• Fix potential policy deadlock causing endpoint to use previous identity for policy calculation when endpoint changes identity (Backport PR #​42617, Upstream PR #​42420, @​odinuge)
• Fix the output of cilium lrp list command to show LRP selected backends. (Backport PR #​42577, Upstream PR #​42110, @​Bigdelle)
• Fix trace aggregation for IPv4 Host Firewall, reducing the amount of generated events. (Backport PR #​42617, Upstream PR #​42595, @​smagnani96)
• fix: Panic during endpoint restore due to nil logger (Backport PR #​42450, Upstream PR #​42385, @​pinaki-08)
• gatewayAPI: correctly handle reference to CGCC as cluster-scoped resource instead of namespaced one (Backport PR #​42289, Upstream PR #​42172, @​oblazek)
• operator/ciliumenvoyconfig: consistently propagate --http-stream-idle-timeout value (Backport PR #​42577, Upstream PR #​42495, @​tklauser)
• policy: prevent incorrect mutation of network policy when using policy-default-local-cluster (Backport PR #​42698, Upstream PR #​42668, @​MrFreezeex)
• Preventing removal of existing tproxy iptables rules for other services when they share a name prefix. (Backport PR #​42450, Upstream PR #​42236, @​dackroyd)
• When using the Egress Strict Mode for Transparent Encryption with Wireguard, packets destined to the local host are no longer excluded from encryption enforcement (when leaving the node), and will be dropped. (Backport PR #​42450, Upstream PR #​42419, @​julianwiedmann)

CI Changes:

• .github/actions/e2e: define static job names (Backport PR #​42435, Upstream PR #​42332, @​aanm)
• [v1.18] .github/workflows: Add base-SHA input to ariane triggered workflows (#​42192, @​dylandreimerink)
• ci: Allow for alpine image overwrite within cache Dockerfile (Backport PR #​42289, Upstream PR #​42108, @​jpayne3506)
• conformance-aws-cni: disable l7 proxy with aws-cni (Backport PR #​42617, Upstream PR #​42578, @​aanm)
• Deflake TestNodeManagerAbortReleaseIPReassignment (Backport PR #​42577, Upstream PR #​42276, @​lconnery)
• gh: ginkgo: fix focus for service hairpin test (Backport PR #​42641, Upstream PR #​42633, @​julianwiedmann)
• gh: ginkgo: reduce number of tested k8s versions in PRs (Backport PR #​42470, Upstream PR #​42465, @​julianwiedmann)
• gh: ginkgo: replace rhel8 with 5.10 kernel (Backport PR #​42449, Upstream PR #​42084, @​julianwiedmann)
• gha/conformance-clustermesh: let service nodeport be selected randomly (Backport PR #​42617, Upstream PR #​41697, @​giorio94)
• gha: allow configuring runner for workflows building Cilium binaries (Backport PR #​42617, Upstream PR #​42582, @​giorio94)
• Testing for RHEL8 compatibility now uses a RHEL8.10-compatible kernel (previously this was a RHEL8.6-compatible kernel). (Backport PR #​42604, Upstream PR #​41639, @​julianwiedmann)

Misc Changes:

• [v1.18] deps: bump CNI plugins version (#​42443, @​ferozsalam)
• bpf: host: remove stale code comment (Backport PR #​42450, Upstream PR #​42237, @​julianwiedmann)
• bpf: lxc: always set identity mark on forwarded egressing traffic (Backport PR #​42617, Upstream PR #​42551, @​julianwiedmann)
• bpf: nodeport: don't include EGW reply hook in bpf_wireguard (Backport PR #​42450, Upstream PR #​42187, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.18) (#​42397, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42541, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42682, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.8 (v1.18) (#​42346, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e3652a0 (v1.18) (#​42539, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.10 docker digest to c3ea417 (v1.18) (#​42679, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.9 docker digest to 5034fa4 (v1.18) (#​42396, @​cilium-renovate[bot])
• chore(deps): update github artifact actions (v1.18) (#​42398, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.10 (v1.18) (#​42621, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.10-1762597008-ff7ae7d623be00078865cff1b0672cc5d9bfc6d5 (v1.18) (#​42680, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-llvm docker tag to v1758805548 (v1.18) (#​42399, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42540, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42681, @​cilium-renovate[bot])
• ci: Add workflow permissions for auto-approve and renovate (Backport PR #​42450, Upstream PR #​42281, @​kyle-c-simmons)
• ci: Fix call-backport-label-updater permissions (Backport PR #​42450, Upstream PR #​42510, @​kyle-c-simmons)
• ci: Update hubble test workflow permissions (Backport PR #​42450, Upstream PR #​41911, @​kyle-c-simmons)
• cilium, routes: Downgrade warning on direct-routing-skip-unreachable (Backport PR #​42289, Upstream PR #​42210, @​borkmann)
• docs: tuning: remove some references to old kernels (Backport PR #​42617, Upstream PR #​42601, @​julianwiedmann)
• Docs: update fragmentation docs to reflect ipv6 (Backport PR #​42289, Upstream PR #​41748, @​tommyp1ckles)
• fix: run post-release and publish-helm workflows on cilium org (Backport PR #​42450, Upstream PR #​42279, @​sekhar-isovalent)
• loadbalancer: fix up code comment (Backport PR #​42450, Upstream PR #​42273, @​julianwiedmann)
• Log proxy instance creation at debug level (Backport PR #​42617, Upstream PR #​42319, @​sjohnsonpal)
• operator: Prevent panic when GCing identities (Backport PR #​42289, Upstream PR #​42217, @​HadrienPatte)
• pkg/nodediscover: Don't log warnings for intermittent updates (Backport PR #​42577, Upstream PR #​42505, @​aditighag)

Other Changes:

• [v1.18] ipam: fix TestNodeManagerAbortReleaseIPReassignment test (#​42636, @​rastislavs)
• [v1.18] test: ginkgo: skip BPF masq tests on configs without external node (#​42462, @​julianwiedmann)
• install: Update image digests for v1.18.3 (#​42344, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.4@​sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
quay.io/cilium/cilium:stable@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.4@​sha256:c240a7cbead5479d9085b5e837977bf6750164167a1c9f956720815d160d447d
quay.io/cilium/clustermesh-apiserver:stable@sha256:c240a7cbead5479d9085b5e837977bf6750164167a1c9f956720815d160d447d

docker-plugin

quay.io/cilium/docker-plugin:v1.18.4@​sha256:5ec897904e4bd9784df8353b1bdc3559f541f4ca5957103addd46b600430888a
quay.io/cilium/docker-plugin:stable@sha256:5ec897904e4bd9784df8353b1bdc3559f541f4ca5957103addd46b600430888a

hubble-relay

quay.io/cilium/hubble-relay:v1.18.4@​sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723
quay.io/cilium/hubble-relay:stable@sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.4@​sha256:c57d07e5dde3a1974c5cd5d46596db5ea7264f66e9e4ce98a59236aa88b857f7
quay.io/cilium/operator-alibabacloud:stable@sha256:c57d07e5dde3a1974c5cd5d46596db5ea7264f66e9e4ce98a59236aa88b857f7

operator-aws

quay.io/cilium/operator-aws:v1.18.4@​sha256:f4c19007a804d37c781d6c8982006c5f1d8a890941036f9ab285e517fd181336
quay.io/cilium/operator-aws:stable@sha256:f4c19007a804d37c781d6c8982006c5f1d8a890941036f9ab285e517fd181336

operator-azure

quay.io/cilium/operator-azure:v1.18.4@​sha256:19e7465ec8b151ec444757b6ce583b7a0d1e5e9fc5e3aef31d90e93019f599ca
quay.io/cilium/operator-azure:stable@sha256:19e7465ec8b151ec444757b6ce583b7a0d1e5e9fc5e3aef31d90e93019f599ca

operator-generic

quay.io/cilium/operator-generic:v1.18.4@​sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012
quay.io/cilium/operator-generic:stable@sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012

operator

quay.io/cilium/operator:v1.18.4@​sha256:78a4f6fb8da0556ed3648aeb789988bd2cb6847c805fb73e381f3e3b17dce0a5
quay.io/cilium/operator:stable@sha256:78a4f6fb8da0556ed3648aeb789988bd2cb6847c805fb73e381f3e3b17dce0a5

v1.18.3: 1.18.3

Compare Source

Summary of Changes

ℹ️ The images in this release were signed with cosign v3. Please use cosign v3 tooling to validate signatures with the following command syntax:

cosign verify --certificate-github-workflow-repository cilium/cilium --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-github-workflow-name 'Image Release Build' --certificate-github-workflow-ref refs/tags/v1.18.3 --certificate-identity https://github.com/cilium/cilium/.github/workflows/build-images-releases.yaml@refs/tags/v1.18.3 quay.io/cilium/operator-aws:v1.18.3 | jq -r '.[].critical.image'

Minor Changes:

• Fix a complexity issue for the bpf_xdp program (Backport PR #​42198, Upstream PR #​42193, @​aspsk)
• hubble: mark kafka l7 visibility as deprecated (Backport PR #​41968, Upstream PR #​41072, @​kaworu)

Bugfixes:

• add the port name for address based LRP so frontend can pick the right backend (Backport PR #​41828, Upstream PR #​41602, @​liyihuang)
• Avoid scenario where ENI device configuration can be skipped. (Backport PR #​41968, Upstream PR #​41760, @​jasonaliyetti)
• Cilium now configures Envoy to allow websocket connections to be passed through with HTTP policies. (Backport PR #​41828, Upstream PR #​41729, @​jrajahalme)
• Fix a bug that was preventing Cilium to delete stale pod CIDRs routes when changing routing mode to native (Backport PR #​41968, Upstream PR #​41819, @​pippolo84)
• Fix a fatal error when accessing multicast map using cilium-dbg bpf multicast (Backport PR #​42151, Upstream PR #​42080, @​tklauser)
• Fix BGP auto discovery not sending community info (Backport PR #​41968, Upstream PR #​41920, @​jiashengz)
• Fix bug in ENI routing where Cilium would chose the wrong subnet for routing traffic on secondary interfaces (Backport PR #​41828, Upstream PR #​40860, @​liyihuang)
• Fix bug that could cause ICMP error packets to have an incorrect inner IP checksum when KPR is enabled. (Backport PR #​41828, Upstream PR #​41551, @​yushoyamaguchi)
• Fix bug with delegated IPAM where IPv6 traffic was routed via the wrong interface (Backport PR #​41968, Upstream PR #​41598, @​NihaNallappagari)
• Fix failing node health check on dual stack cluster if NodeInternalIPs are not configured for both families. (Backport PR #​42055, Upstream PR #​41633, @​Dennor)
• Fix increase in memory usage when service names are looked up at high rate during Hubble flow creation (Backport PR #​42151, Upstream PR #​41965, @​joamaki)
• Fix panic at startup in IPsec subsystem with Multi-Pool IPAM mode (#​41725, @​pippolo84)
• Fix race condition preventing the skiplbmap BPF map from sometimes being pruned after restart. (Backport PR #​41828, Upstream PR #​41529, @​joamaki)
• Fixes a rare bug where endpoints may have incomplete policies in large clusters. (Backport PR #​42151, Upstream PR #​42049, @​squeed)
• hostfw: also exclude non-transparent proxy traffic when BPF masq is enabled (Backport PR #​41989, Upstream PR #​41915, @​julianwiedmann)
• Ignore expected error in neighbor reconciliation (Backport PR #​41968, Upstream PR #​41815, @​dylandreimerink)
• loadbalancer: allow HostPort for multiple protos on same port (Backport PR #​41913, Upstream PR #​41521, @​bersoare)
• operator/pkg/lbipam: fix LoadBalancerIPPool conditions update logic (Backport PR #​41828, Upstream PR #​41322, @​alimehrabikoshki)

CI Changes:

• .actions/cilium-config: add missing extraEnv in GH action (Backport PR #​41828, Upstream PR #​41420, @​aanm)
• .github/workflows: add variable for renovate bot username (Backport PR #​41843, Upstream PR #​41818, @​aanm)
• .github/workflows: automatically add /test for renovate PRs (Backport PR #​41843, Upstream PR #​41770, @​aanm)
• .github/workflows: do not wait on linters form forks (Backport PR #​41828, Upstream PR #​41822, @​aanm)
• .github/workflows: remove reviewers requested by auto-committer[bot] (Backport PR #​41828, Upstream PR #​41759, @​aanm)
• cli: Fix unreliable tests due to error emitted in Cilium logs "retrieving device lxc*: Link not found" (Backport PR #​42200, Upstream PR #​42146, @​fristonio)
• gha: Correct k8s version for f12-datapath-service-ns-misc (Backport PR #​41756, Upstream PR #​41753, @​sayboras)
• ginkgo: add test ownership for ginkgo tests (Backport PR #​42055, Upstream PR #​41950, @​aanm)
• Streamline ci-multi-pool workflow (Backport PR #​41631, Upstream PR #​40658, @​pippolo84)
• workflows: fix GCP OIDC authentication's project ID (#​42173, @​nbusseneau)

Misc Changes:

• .github/workflows: stop build CI images until base images are built (Backport PR #​41828, Upstream PR #​41681, @​aanm)
• agent: Add Cilium health config cell (Backport PR #​42055, Upstream PR #​41627, @​aditighag)
• bpf/nat: Move ipv6_nat_entry to map (Backport PR #​41968, Upstream PR #​41902, @​pchaigno)
• bpf: hostfw: have from-host always pass the ipcache-based src identity (Backport PR #​42113, Upstream PR #​42093, @​julianwiedmann)
• bpf: Only send fillup signal to agent on ENOMEM error (Backport PR #​41968, Upstream PR #​41864, @​borkmann)
• chore(deps): update all github action dependencies (v1.18) (#​41795, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​41931, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42028, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42136, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42264, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​41716, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​41793, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​42035, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​42116, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.27 (v1.18) (#​42263, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v33 (v1.18) (#​42265, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.7 docker digest to 2c5f7a0 (v1.18) (#​42026, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.7 docker digest to 87916ac (v1.18) (#​41792, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.9 docker digest to 02ce1d7 (v1.18) (#​42253, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.8 (v1.18) (#​42062, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.9 (v1.18) (#​42166, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.7-1759058812-49b096a457d6e7f6d650229cbf95c63d59759331 (v1.18) (#​41933, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​41730, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​41794, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​41930, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42027, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42135, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42300, @​cilium-renovate[bot])
• doc: add note on hostfw and ipsec interaction (Backport PR #​41968, Upstream PR #​41810, @​darox)
• docs/dsr: Remove IPIP example configuration (Backport PR #​41828, Upstream PR #​41701, @​pchaigno)
• docs: Clarify list of capabilities in threat model (Backport PR #​41828, Upstream PR #​41682, @​joestringer)
• docs: fix broken Chainguard SBOM link (Backport PR #​41828, Upstream PR #​41719, @​yashisrani)
• docs: remove stale kernel requirements (Backport PR #​42151, Upstream PR #​42081, @​julianwiedmann)
• docs: Update iproute2 compile steps in reference guide. (Backport PR #​41828, Upstream PR #​41638, @​dkanaliev)
• endpoint: reduce missed-policy-update log severity for restoring eps (Backport PR #​42055, Upstream PR #​41095, @​fristonio)
• endpointsynchronizer: suppress warning log when endpoint is terminating (Backport PR #​41828, Upstream PR #​41755, @​giorio94)
• gateway-api: Fix incorrect Owns call in refactor (Backport PR #​41968, Upstream PR #​41807, @​youngnick)
• hubble: allow overrrides if building from outside the tree (Backport PR #​41828, Upstream PR #​41726, @​tklauser)
• ipsec: add support for using remote PodCIDR entries (Backport PR #​42073, Upstream PR #​41519, @​julianwiedmann)
• Make kubeProxyReplacement available in the reference and documentation (Backport PR #​41968, Upstream PR #​41535, @​liyihuang)
• redirectpolicy: Always OpenOrCreate SkipLB map to avoid loader race (Backport PR #​41968, Upstream PR #​41707, @​joamaki)
• redirectpolicy: Fix comparison of BackendParams (Backport PR #​41848, Upstream PR #​41705, @​joamaki)
• Remove kiam documentation from Local Redirect Policy (Backport PR #​41968, Upstream PR #​41644, @​liyihuang)
• Update checkpatch and startup-script image digest (Backport PR #​41828, Upstream PR #​41710, @​HadrienPatte)

Other Changes:

• [v1.18] gateway-api: Refactor Gateway API reconciler (#​41720, @​youngnick)
• [v1.18] workflows/release: add secrets for step 4 and 5 (#​41733, @​jrajahalme)
• install: Update image digests for v1.18.2 (#​41722, @​cilium-release-bot[bot])
• proxy: Bump cilium-envoy to 1.34.10 (#​42251, @​sayboras)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.3@​sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15
quay.io/cilium/cilium:stable@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.3@​sha256:0d15efc992a85003759232598bf05fb1a4cd3c9fa28fb96bee1789ffe27cc50d
quay.io/cilium/clustermesh-apiserver:stable@sha256:0d15efc992a85003759232598bf05fb1a4cd3c9fa28fb96bee1789ffe27cc50d

docker-plugin

quay.io/cilium/docker-plugin:v1.18.3@​sha256:996d9fa5747175b1806ce01dd90dc586a5f52a32b7da409937a1f42714827d67
quay.io/cilium/docker-plugin:stable@sha256:996d9fa5747175b1806ce01dd90dc586a5f52a32b7da409937a1f42714827d67

hubble-relay

quay.io/cilium/hubble-relay:v1.18.3@​sha256:e53e00c47fe4ffb9c086bad0c1c77f23cb968be4385881160683d9e15aa34dc3
quay.io/cilium/hubble-relay:stable@sha256:e53e00c47fe4ffb9c086bad0c1c77f23cb968be4385881160683d9e15aa34dc3

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.3@​sha256:df8b6830ef0545199cffc5fb9fbf14c9dc8d92093b0e6355d8659705227f89ef
quay.io/cilium/operator-alibabacloud:stable@sha256:df8b6830ef0545199cffc5fb9fbf14c9dc8d92093b0e6355d8659705227f89ef

operator-aws

quay.io/cilium/operator-aws:v1.18.3@​sha256:ef39d61183b3bdf0e235650461b6c4d9ec7aa5f61a6c770f33c47a6bc5165e24
quay.io/cilium/operator-aws:stable@sha256:ef39d61183b3bdf0e235650461b6c4d9ec7aa5f61a6c770f33c47a6bc5165e24

operator-azure

quay.io/cilium/operator-azure:v1.18.3@​sha256:10a8a83ca6f0b02432c1ca0e67af98a48fdbefb684af44a399f58184ab174143
quay.io/cilium/operator-azure:stable@sha256:10a8a83ca6f0b02432c1ca0e67af98a48fdbefb684af44a399f58184ab174143

operator-generic

quay.io/cilium/operator-generic:v1.18.3@​sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797
quay.io/cilium/operator-generic:stable@sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797

operator

quay.io/cilium/operator:v1.18.3@​sha256:e350cea751afeae2f226a1bc275649c77a04a1e1ff50e61d782a371eae6fb2ff
quay.io/cilium/operator:stable@sha256:e350cea751afeae2f226a1bc275649c77a04a1e1ff50e61d782a371eae6fb2ff

v1.18.2: 1.18.2

Compare Source

Summary of Changes

Minor Changes:

• Fix validation bug where namespaced CiliumNetworkPolicies with nodeSelector in specs array were silently accepted but ignored. Now properly rejected with validation error. (Backport PR #​41365, Upstream PR #​40702, @​pillai-ashwin)
• lbipam: do not reallocate IPs in LB IPAM on operator restart (Backport PR #​41267, Upstream PR #​41147, @​marseel)
• lbipam: widening CIDR range or updating selector of CiliumLoadBalancerIPPool does no longer reassign IPs (Backport PR #​41267, Upstream PR #​41122, @​marseel)

Bugfixes:

• Add option to configure BGP origin attribute for LoadBalancer IPs in BGP Control Plane v2, allowing smoother migration from MetalLB integration. (Backport PR #​41479, Upstream PR #​41231, @​hanapedia)
• Add toleration for 'node.cloudprovider.kubernetes.io/uninitialized' to Cilium Operator (Backport PR #​41267, Upstream PR #​41098, @​guettli)
• bgpv2: Avoid modifying CiliumBGPPeerConfig in resource store (Backport PR #​41267, Upstream PR #​41088, @​rastislavs)
• bpf: add support for delinearized ARP packets (Backport PR #​41365, Upstream PR #​41233, @​vsinitsyn)
• ctmap/gc: continue interval time on partial GC pass. (Backport PR #​41591, Upstream PR #​41258, @​tommyp1ckles)
• Disable unnecessary headless service watching to reduce API server load in clusters not using the Gateway API or Ingress features. (Backport PR #​41479, Upstream PR #​40844, @​moscicky)
• Fix "Error while correcting L4 checksum" dropped packets for ICMP destination unreachable error packets. (Backport PR #​41591, Upstream PR #​40194, @​br4243)
• Fix "No mapping for NAT masquerade" flakes in the CI, make NAT LRU fallbacks more robust. (Backport PR #​41365, Upstream PR #​40971, @​gentoo-root)
• Fix --exclude-local-address with eBPF Host-Routing (Backport PR #​41365, Upstream PR #​41275, @​antonipp)
• Fix a BGP bug where the routerID specified in a CiliumBGPNodeConfigOverride was not correctly updated in RouterIDIPPool mode. (Backport PR #​41267, Upstream PR #​40340, @​liyihuang)
• Fix a bug that would cause NodePort requests to be sent to the wrong backends when using KPR and Clustermesh with two identical, non-global NodePort services on different clusters. (Backport PR #​41591, Upstream PR #​41337, @​pchaigno)
• Fix a bug where cilium-agent would report "Link not found" for an endpoint deleted during state restore after cilium-agent restart. (Backport PR #​41267, Upstream PR #​40568, @​fristonio)
• Fix a regression where enabling unknown Hubble metrics would crash the cilium agent (Backport PR #​41479, Upstream PR #​41368, @​devodev)
• Fix agent config initContainer unable to hit apiservers in apiServerURLs by passing as container arg (Backport PR #​41267, Upstream PR #​41110, @​JJGadgets)
• Fix bug that would cause error messages when disabling agent health checks (Backport PR #​41479, Upstream PR #​41297, @​HadrienPatte)
• Fix issue in Local Redirect Policies where traffic was dropped when no local pods were available to be redirected to. In these scenarios the traffic should have been processed as if the Local Redirect Policy did not exist. (Backport PR #​41591, Upstream PR #​41463, @​joamaki)
• Fix issue where Local Redirect Policy (LRP) services with a single named port did not create a local redirect service entry. (Backport PR #​41591, Upstream PR #​41534, @​aditighag)
• Fix the bug local redirect policy not doing filter based destination port (Backport PR #​41479, Upstream PR #​41411, @​liyihuang)
• Fixes a cosmetic bug where the cilium_bpf_map_ops_total error count was incorrectly being incremented for map cilium_lb_affinity_match. (Backport PR #​41479, Upstream PR #​41378, @​squeed)
• Fixes an issue in NodeManager where restored cluster nodes can be pruned before the initial node listing completes. (Backport PR #​41267, Upstream PR #​41039, @​0xch4z)
• Helm: Ensure consistent default labels for all ServiceMonitor resources (Backport PR #​41267, Upstream PR #​41240, @​baurmatt)
• iptables: Fix IPv6 SNAT for L7 proxy upstream traffic (Backport PR #​41249, Upstream PR #​41034, @​gentoo-root)
• loadbalancer/writer: add support for SetIsServiceHealthCheckedFunc (Backport PR #​41267, Upstream PR #​41092, @​mhofstetter)
• neighbor: Fix bug where neighbor discovery subsystem reports unhealthy when it is healthy (Backport PR #​41365, Upstream PR #​41186, @​mhofstetter)
• pkg/ipam: fix nil dereference during pool shrink operation (Backport PR #​41365, Upstream PR #​41198, @​alimehrabikoshki)
• policy: fix agent crash due to policy cache update-delete race (Backport PR #​41267, Upstream PR #​41079, @​fristonio)

CI Changes:

• .github/actions: fix boolean condition check in post-logic action (Backport PR #​41479, Upstream PR #​41395, @​aanm)
• .github/worfklows: copy cilium-cli binary from container (Backport PR #​41591, Upstream PR #​41524, @​aanm)
• .github/workflows: add proper suffix for scale-test-egw (Backport PR #​41591, Upstream PR #​41477, @​aanm)
• .github/workflows: add timeout to Install node local DNS step (Backport PR #​41267, Upstream PR #​41120, @​aanm)
• .github/workflows: separate feature json files in different dirs (Backport PR #​41479, Upstream PR [#​41403](https://redirect.github.com/ci

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/go-viper/mapstructure/v2	v2.3.0 -> v2.4.0

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/go-viper/mapstructure/v2	v2.3.0 -> v2.4.0