来源: https://github.com/cilium/cilium/releases/tag/v1.20.0-pre.2

cilium/cilium v1.20.0-pre.2 Release Notes

Published at: 2026-05-04T23:42:00Z

Summary of Changes

Major Changes:

• Allow users to disable source IP verification per-pod by setting an annotation. This requires an annotation on the pod’s Namespace as well. (cilium/cilium#43505, @zbb88888)
• gateway-api: Cilium now supports Gateway API v1.5.1. Please note that this includes moving TLSRoute to v1. To continue safely using TLSRoute, you must migrate from TLSRoute v1alpha2 to TLSRoute v1. (cilium/cilium#45251, @youngnick)

Minor Changes:

• Add generic preferIpv6 Helm value / --prefer-ipv6 agent flag to prefer IPv6 addresses for health probes and Hubble peer communication when both address families are available. The hubble.preferIpv6 Helm value and --hubble-prefer-ipv6 agent flag are deprecated in favor of the new top-level preferIpv6 and will be removed in Cilium 1.20. (cilium/cilium#45447, @tibrezus)
• agent, devices: make children interfaces bound to VRF interfaces eligible for device auto-selection. (cilium/cilium#45146, @ldelossa)
• bgp: add –format option to the bgp/peers command to support table, json, and detailed output formats (cilium/cilium#45534, @martonra)
• bgp: Add bgp/route-policies shell command (cilium/cilium#45628, @martonra)
• bpf: add HostPort wildcard lookup to per-packet LB (cilium/cilium#45115, @saiaunghlyanhtet)
• bpf: Move edt_set_aggregate() above proto switch in cil_from_container (cilium/cilium#45129, @brb)
• ces: remove deprecated ces-slice-mode option (cilium/cilium#45512, @smagnani96)
• chore(deps): update cilium-envoy dependency (cilium/cilium#45116, @sayboras)
• cilium-agent: when --k8s-service-proxy-name is set, EndpointSlices are now filtered by the service.kubernetes.io/service-proxy-name label at the watch level, matching how Services are already filtered, operators with hand-managed EndpointSlices must stamp the matching label on those slices. (cilium/cilium#45504, @HadrienPatte)
• clustermesh: Cilium MCS-API implementation now use the v1beta1 CRDs instead of v1alpha1 (cilium/cilium#45404, @MrFreezeex)
• daemon: remove deprecated k8s-api-server option (cilium/cilium#45511, @smagnani96)
• egressgateway: Add IPv6 support for specifying egress IP in CiliumEgressGatewayPolicy (cilium/cilium#44524, @yykkibbb)
• encryption: remove deprecated enable-encryption-strict-mode encryption-strict-mode-cidr and encryption-strict-mode-allow-remote-node-identities options (cilium/cilium#45452, @smagnani96)
• feat(sdp): Add metrics for standalone dns proxy (cilium/cilium#45222, @vipul-21)
• Fix transaction handling and path usage in loadbalancer script tests. (cilium/cilium#45230, @08volt)
• helm: allow configuring cilium-envoy probe timeouts (cilium/cilium#44231, @madmecodes)
• helm: install ValidatingAdmissionPolicy when GatewayAPI is enabled (cilium/cilium#45446, @thorn3r)
• hubble: correlate policy for audit verdicts and implicit denies (cilium/cilium#45373, @Rajneesh180)
• ipsec: remove deprecated enable-ipsec-encrypted-overlay option (cilium/cilium#45449, @smagnani96)
• iptables-based masquerading: Ensure iptables rules respect longest prefix match by sorting routes by mask length when enable-masquerade-to-route-source is enabled (cilium/cilium#45192, @liyihuang)
• k8s: Validate empty (C)CNPs at admission (cilium/cilium#45145, @HadrienPatte)
• kpr: Allow users to use VXLAN in LBModeAnnotation mode (cilium/cilium#45600, @brb)
• lb: remove deprecated node-port-algorithm and node-port-mode (cilium/cilium#45509, @smagnani96)
• metrics: Add high-level hive metrics (cilium/cilium#44802, @ILL1A)
• metrics: add instance_name and local_asn label to BGP Control Plane metrics and delete the vrouter label (cilium/cilium#45268, @martonra)
• metrics: Add metric for k8s resource sync duration (cilium/cilium#44639, @ILL1A)
• metrics: fix operator DumpMetrics to report histogram/summary quantiles (cilium/cilium#45100, @skymensch)
• operator/spire: make SPIRE client configurable for ztunnel (cilium/cilium#44136, @nddq)
• pkg/endpoint: skip logger rebuild on policy revision updates (cilium/cilium#45533, @sjohnsonpal)
• Remove deprecated v2alpha1 CiliumNodeConfig API that was promoted to v2 in cilium 1.16. (cilium/cilium#44739, @HadrienPatte)
• Remove long deprecated cloud provider IPAM fields spec.eni.instance-id, spec.eni.min-allocate, spec.eni.pre-allocate, spec.eni.max-above-watermark and status.azure.interfaces[].GatewayIP. (cilium/cilium#45138, @HadrienPatte)
• The operator registers SPIFFE identities with SPIRE for all service accounts in namespaces labeled with io.cilium/mtls-enabled=true if ztunnel is enabled. (cilium/cilium#44275, @nddq)
• ztunnel: add Prometheus metrics with conditional enablement (cilium/cilium#45096, @gokulMSFT)

Bugfixes:

• alibabacloud: close HTTP response body on non-200 status codes (cilium/cilium#45092, @Aprazor)
• bandwidth: fix FQ qdisc setup on bond devices (cilium/cilium#45370, @ssam18)
• bpf: egressgw: respect egress ifindex during FIB lookup (cilium/cilium#45661, @julianwiedmann)
• bpf: fix map_capacity metric not reported after Open() (cilium/cilium#45349, @skymensch)
• bpf: host: fix source identity for IPsec trace in to-netdev (cilium/cilium#45588, @julianwiedmann)
• cilium: Fix incorrect IPv6 BIG TCP display (cilium/cilium#45529, @pchaigno)
• clustermesh: fails gracefully instead of crashing when EndpointSliceSync is not able to setup the EndpointSlice watch (cilium/cilium#45402, @MrFreezeex)
• clustermesh: Fix Helm typo preventing to add annotations when setting clustermesh.apiserver.tls.auto.method: certmanager (cilium/cilium#45576, @owayss)
• Fix a bug in load balancer traffic distribution (PreferSameNode/PreferSameZone) where incompatible local or zone backends could cause traffic to be dropped instead of falling back to other backends. (cilium/cilium#45215, @08volt)
• Fix cilium-agent crash when a transient network error occurs during CiliumNode update. The agent now retries instead of calling Fatal. (cilium/cilium#44526, @nebojsaj1726)
• Fix CiliumLocalRedirectPolicy addressMatcher overriding an existing Service’s frontend when its backend pods are not yet Ready. (cilium/cilium#45522, @ysksuzuki)
• Fix host L7 policy operation (cilium/cilium#45030, @atykhyy)
• Fix infinite HTTP redirect loops by honoring the X-Forwarded-Proto header to detect TLS termination at external load balancers. (cilium/cilium#45567, @arybolovlev)
• Fix IPsec packet drops during rolling restart with key rotation by deferring SPI advertisement until XFRM states are ready (cilium/cilium#44701, @hbangT)
• Fix issue where datapath reinitialization may get stuck when triggered from the local API (cilium/cilium#45557, @jrife)
• Fix missing global service backends in Cluster Mesh when multiple service ports point to the same target port. (cilium/cilium#45179, @RiccardoAtzori91)
• Fix TLS passthrough routes failing silently when a gateway has mixed HTTP, HTTPS, and TLS listeners and a TLSRoute with no sectionName. (cilium/cilium#45371, @syedazeez337)
• fix(egressGateway): skip unmatched gateways when using multiple gateway (cilium/cilium#44705, @ieth0)
• fix(gateway-api): prevent silent disable on CRD discovery timeout (cilium/cilium#44662, @aslafy-z)
• fix(ipsec): panic in parseSPI on malformed input (cilium/cilium#44815, @isoyuki)
• fix(socketlb): only detach Cilium-owned cgroup programs (cilium/cilium#44066, @puwun)
• Fixed intermittent ARP failures for LoadBalancer services caused by pointer reuse during BPF map iteration in the L2 responder reconciler. (cilium/cilium#45197, @Krishnachaitanyakc)
• Fixed SocketLB returning EPERM instead of EHOSTUNREACH when a Service has no backends. (cilium/cilium#45185, @chez-shanpu)
• Fixes an issue where L7 LoadBalancer and Ingress traffic would be dropped on certain kernel versions when Cilium is attached to a bridge network device. (cilium/cilium#45582, @liyihuang)
• Fixes dropped packets on ingress when full header not in linear skb area (cilium/cilium#45195, @javiercardona-work)
• gateway-api: GAMMA Routes are now filtered correctly before being passed to model ingestion. (cilium/cilium#45294, @youngnick)
• hubble-relay: fix TLS config variable shadowing preventing cleanup on shutdown (cilium/cilium#45085, @Aprazor)
• hubble: fix inverted error check and unsafe type assertions in fake recorder (cilium/cilium#45094, @Aprazor)
• operator/lbipam: prevent IP stealing during pool shrink via two-phase revalidation (cilium/cilium#45543, @Kunalbehbud)
• policy: Fix CCG matching for duplicate label keys (cilium/cilium#45225, @christarazi)
• Respect backends for BGP only when they are in state: active (cilium/cilium#45286, @CallMeFoxie)
• secretsync recreate synced secret when source secret type changes (cilium/cilium#45721, @ssam18)
• This change prevents unnecessary resource watches and potential errors by ensuring that the Cilium Operator only registers validators for enabled network policy types. (cilium/cilium#45516, @skmatti)
• WireGuard now respects the underlay-protocol=ipv6 setting when selecting peer endpoints in dual-stack clusters with IPv6 underlay, fixing connectivity issues where IPv4 was incorrectly used despite being unreachable across nodes. (cilium/cilium#44629, @tibrezus)
• wireguard: clamp cilium_wg0 MTU to IPV6_MIN_MTU (1280) when IPv6 is enabled, preventing silent packet loss in tunnel+encryption mode with constrained path MTU (cilium/cilium#45425, @tibrezus)

CI Changes:

• .github/workflows: bump timeout for L3/L4 tests to 60 minutes (cilium/cilium#45574, @rastislavs)
• .github/workflows: bump timeout for l7-only tests to 60 minutes (cilium/cilium#45287, @aanm)
• .github/workflows: skip full test suite for workflow_dispatch on dev … (cilium/cilium#45285, @aanm)
• .github/workflows: update renovate to 43.111.3 (cilium/cilium#45330, @aanm)
• .github: Fix environment.deployment for docs-builder (cilium/cilium#45581, @joestringer)
• bpf/tests: regularize __be16 usage (cilium/cilium#45232, @atykhyy)
• bpf:tests:encrypt_host: extend suite with Overlay coverage (cilium/cilium#45084, @smagnani96)
• bpf:tests:lb: add E/W fragment tests to tc_nodeport_lb{4,6}_fragments (cilium/cilium#45055, @smagnani96)
• CI: add cilium monitor drop logging to GKE conformance tests (cilium/cilium#45586, @ldelossa)
• ci: add strict-mode-ingress WireGuard to both stable and newest config (cilium/cilium#45397, @smagnani96)
• ci: Bump operator leader-election timing to reduce conflict noise (cilium/cilium#45667, @christarazi)
• CI: conformance {aws-cni, aks, eks, gke}: improve use of intermediate environment variables (cilium/cilium#45057, @ajmmm)
• ci: set minimum for helm chart git digest in print-chart-version.sh (cilium/cilium#45606, @mathpl)
• ci: Switch catchpoint/workflow-telemetry-action to our fork (cilium/cilium#45147, @YutaroHayakawa)
• complexity-diff: Compute percentages of diffs against original values (cilium/cilium#45657, @pchaigno)
• complexity-diff: Display results on scheduled runs (cilium/cilium#45595, @pchaigno)
• complexity-diff: Small improvements (cilium/cilium#45556, @pchaigno)
• conformance-eks: fix bpf-masq-v4 check (cilium/cilium#45709, @ajmmm)
• connectivity: make conn-disrupt sub-tests independently deployable (cilium/cilium#45382, @ysksuzuki)
• contrib: fix typo in identity_is_node.cocci (cilium/cilium#45505, @julianwiedmann)
• contrib: Pin yq sha for ginkgo script runner (cilium/cilium#45190, @joestringer)
• datapath/loader: Fix stack depth parsing for programs with functions (cilium/cilium#44963, @dylandreimerink)
• Fixes for builder.sh (cilium/cilium#41135, @gentoo-root)
• gateway-api: Fix polling interval for conformance tests (cilium/cilium#45365, @youngnick)
• gh: conformance-{aks,eks,gke,kpr}: split out bpf masquerade (cilium/cilium#45500, @ajmmm)
• gha fix: typo eks-cluster-delete.yaml that skips cluster delete (cilium/cilium#45660, @sekhar-isovalent)
• gha/clustermesh: use OCI registry for cert-manager (cilium/cilium#45326, @giorio94)
• ginkgo: remove Check N/S loadbalancing Tests externalIPs (cilium/cilium#44394, @smagnani96)
• loader: Reduce tested permutations in tests (cilium/cilium#45591, @pchaigno)
• logging: Update leader election log level override (cilium/cilium#45358, @joamaki)
• Made the verifier complexity tests extensible (cilium/cilium#45524, @dylandreimerink)
• operator/ztunnel: fix flaky enrollment reconciler Start tests (cilium/cilium#45428, @nddq)
• Remove sequential and only use concurrent tests (cilium/cilium#40103, @aanm)
• sockets: Avoid pinning BPF maps in TestPrivilegedSocketDestroyers (cilium/cilium#45537, @christarazi)
• Sysdumps of cancelled or timed-out GitHub actions are also uploaded. (cilium/cilium#45454, @jrajahalme)
• Use extra power github runner if available for multi-pool CI workflow (cilium/cilium#45555, @fristonio)
• Use fake external targets on nodes without Cilium in AKS CI workflows for better stability. (cilium/cilium#45000, @gentoo-root)
• workflows/kpr: Split across cloud providers (cilium/cilium#44884, @pchaigno)
• workflows/verifier: Fail on high complexity, stack depth or map count (cilium/cilium#45659, @pchaigno)
• workflows/verifier: Wait for complexity-diff to set workflow status (cilium/cilium#45681, @pchaigno)

Misc Changes:

• .gitattributes: Ignore generated docs dependencies (cilium/cilium#45342, @joestringer)
• .github: Add AIL disclosure to PR template (cilium/cilium#45266, @joestringer)
• .github: Auto-label PRs related to Gateway API (cilium/cilium#45552, @joestringer)
• .github: Remove USERS request in PRs (cilium/cilium#45267, @joestringer)
• Add a warning when TLS isn’t enabled for Hubble Relay (cilium/cilium#44772, @ferozsalam)
• Add Hadrien Patte to MAINTAINERS.md (cilium/cilium#45144, @hemanthmalla)
• Allow cilium-envoy 1.36.x for 1.17,1.18,1.19 (cilium/cilium#45130, @nezdolik)
• api: fix typo ’event occured’ -> ’event occurred’ in map_event (cilium/cilium#45384, @MukundaKatta)
• bgp: Disable MPTCP in the MD5 probing in the test (cilium/cilium#45102, @YutaroHayakawa)
• bgp: Make BGP Hive Shell command overridable (cilium/cilium#45128, @YutaroHayakawa)
• bgp: Move fake router to the dedicated package and consolidate adhoc implememtation (cilium/cilium#45104, @YutaroHayakawa)
• bgp: Remove unused LoadBalancerIPPool resource & store from BGP control plane cell. (cilium/cilium#45364, @rastislavs)
• bgp: Use logger with BGP instance name in registerBGPInstance (cilium/cilium#45111, @martonra)
• bpf, testing: define scapy buffers as canonical C variables. (cilium/cilium#44893, @ldelossa)
• bpf/lxc: Never allocate ct_buffers on stack (cilium/cilium#45603, @pchaigno)
• bpf/lxc: Tail call in cil_lxc_policy when IPv4/6-only (cilium/cilium#45541, @pchaigno)
• bpf: egressgw: allow FIB lookups with custom tbid (cilium/cilium#45560, @julianwiedmann)
• bpf: encap: consolidate IPv4/IPv6 paths (cilium/cilium#45573, @julianwiedmann)
• bpf: encap: move & use DSR-GENEVE helpers (cilium/cilium#45526, @julianwiedmann)
• bpf: encrypt: extract shared helper for source encryption policy (cilium/cilium#45186, @julianwiedmann)
• bpf: host: use revalidate_data in l2 announcement handling (cilium/cilium#45106, @tklauser)
• bpf: let device_mac return zero MAC in case of missing device (cilium/cilium#45434, @tklauser)
• bpf: Never allocate ct_buffers on the stack (cilium/cilium#45589, @pchaigno)
• bpf: nodeport: enable dynamic SNAT for GENEVE-DSR in XDP path (cilium/cilium#45444, @julianwiedmann)
• bpf: sock: streamline wildcard lookup logic (cilium/cilium#45216, @julianwiedmann)
• bpf: tests: add and use various BPF unit test helpers (cilium/cilium#45107, @tklauser)
• bpf:wireguard: fix packet marking identity check for encrypted packets (cilium/cilium#44340, @smagnani96)
• chore(deps): update all github action dependencies (main) (cilium/cilium#45165, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (cilium/cilium#45300, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (cilium/cilium#45391, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (cilium/cilium#45457, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (cilium/cilium#45612, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (cilium/cilium#45724, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (cilium/cilium#45458, @cilium-renovate[bot])
• chore(deps): update base-images (main) (cilium/cilium#45460, @cilium-renovate[bot])
• chore(deps): update base-images (main) (cilium/cilium#45611, @cilium-renovate[bot])
• chore(deps): update base-images (main) (cilium/cilium#45726, @cilium-renovate[bot])
• chore(deps): update base-images to v1.26.2 (main) (cilium/cilium#45297, @cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to 31db219 (main) (cilium/cilium#45484, @cilium-renovate[bot])
• chore(deps): update cilium/cilium digest to b782452 (main) (cilium/cilium#45487, @cilium-renovate[bot])
• chore(deps): update dependency bufbuild/buf to v1.67.0 (main) (cilium/cilium#45164, @cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.29 (main) (cilium/cilium#45279, @cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.10 (main) (cilium/cilium#45161, @cilium-renovate[bot])
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.1.4 [security] (main) (cilium/cilium#45148, @cilium-renovate[bot])
• chore(deps): update module github.com/moby/spdystream to v0.5.1 [security] (main) (cilium/cilium#45430, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.5-1775137579-2b3493aca96923190423ccec7e4dbc5f074ccad4 (main) (cilium/cilium#45162, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1775912317-d56e4f5fec87556b7aaf3b8edeb100025ec87183 (main) (cilium/cilium#45298, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1776000132-2437d2edeaf4d9b56ef279bd0d71127440c067aa (main) (cilium/cilium#45319, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1776352947-78da350f53f63526ff6487f2e1f3b14d2062ce17 (main) (cilium/cilium#45459, @cilium-renovate[bot])
• chore(docs): adding mogenius as a cilium user (cilium/cilium#45756, @lukashankeln)
• ci: make registry configurable (cilium/cilium#45419, @Artyop)
• clustermesh: add reusable backend selector constructor (cilium/cilium#45648, @viktor-kurchenko)
• contrib/scripts: fix check-fmt.sh aborting with exit 123 (instead of printing the diff) when run with Go 1.26 or newer. (cilium/cilium#45678, @syedazeez337)
• contrib: Add saved replies directory (cilium/cilium#45193, @joestringer)
• contrib: Add saved reply for proposal rationale (cilium/cilium#45451, @joestringer)
• contrib:verifier_diff.py: store statistics, make plots optional, and minor refactors (cilium/cilium#44599, @smagnani96)
• contrib:verifier_diff: early exit when no difference among files (cilium/cilium#45691, @smagnani96)
• Datapath Plugins (CFP-41634) Part 1: API (cilium/cilium#45028, @jrife)
• Datapath Plugins (CFP-41634) Part 2: Plugin Registry And Orchestration (cilium/cilium#45429, @jrife)
• datapath/tables: add interface altnames to devices table (cilium/cilium#45351, @tklauser)
• datapath: generalize FibTableID to RTInfo (cilium/cilium#45507, @ldelossa)
• datapath: rehome all types in pkg/datapath/types to their own packages (cilium/cilium#45058, @ti-mo)
• datapath: rehome leftover loader, sysctl and NodeAddressing types (cilium/cilium#45140, @ti-mo)
• deps: bump cni plugins to v1.9.1 (cilium/cilium#45239, @ferozsalam)
• Do not require iptables for L7 proxy when BPF TProxy is enabled (cilium/cilium#44878, @javiercardona-work)
• docs(policy): update namespace label support (cilium/cilium#44922, @lconnery)
• docs: add context on recommended CEC and CCEC permissions (cilium/cilium#45056, @ferozsalam)
• docs: fix malformed code-block directive in routing.rst (cilium/cilium#45750, @bitflicker64)
• docs: fix typo in bgp-control-plane-configuration.rst (cilium/cilium#45206, @martonra)
• docs: fix wording for –allocate-node-cidrs flag description (cilium/cilium#44918, @guoard)
• docs: improve readability and fix minor issues in README (cilium/cilium#44969, @allexistence)
• docs: race conditions between EndpointSlice update and Pod termination (cilium/cilium#45593, @israelbgf)
• docs: triager role description (cilium/cilium#45187, @xtineskim)
• docs: Update sphinx theme to v3.1.0 (cilium/cilium#45289, @joestringer)
• dpgen: improve mapkv.btf determinism by sorting types by name (cilium/cilium#45132, @ti-mo)
• driftchecker: wait for DynamicConfig table initialization before checking for drift (cilium/cilium#45374, @jaredledvina)
• endpoint: remove endpoint base64 string in .h file (cilium/cilium#45546, @odinuge)
• Enhance documentation with NGINX Ingress annotations migration (cilium/cilium#44510, @nickolaev)
• envoy: add zone-awareness support (cilium/cilium#44696, @viktor-kurchenko)
• envoy: export locality cluster name (cilium/cilium#45568, @viktor-kurchenko)
• envoy: reuse the circuit breaker thresholds configuration for Envoy xDS clusters (cilium/cilium#45445, @nickolaev)
• extra info log to show enable-host-legacy-routing is enabled when kpr is disabled (cilium/cilium#44041, @liyihuang)
• Fail hive health tree script command if no status is found for filter (cilium/cilium#45554, @fristonio)
• Fix Endpoint regeneration health reporting (cilium/cilium#45011, @fristonio)
• fix lbipam: initializes sharing cluster IP for requested allocations (cilium/cilium#45720, @weizhoublue)
• Fix typo in end-to-end tests documentation (cilium/cilium#45313, @allexistence)
• fix(deps): update all go dependencies main (main) (cilium/cilium#45163, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (cilium/cilium#45299, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (cilium/cilium#45613, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (cilium/cilium#45727, @cilium-renovate[bot])
• fix(deps): update all go dependencies main (main) (cilium/cilium#45742, @cilium-renovate[bot])
• fix(deps): update module helm.sh/helm/v4 to v4.1.4 [security] (main) (cilium/cilium#45290, @cilium-renovate[bot])
• fix(deps): update module helm.sh/helm/v4 to v4.1.4 [security] (main) (cilium/cilium#45766, @cilium-renovate[bot])
• Fixup metrics documentation to align with code implementation (cilium/cilium#45155, @jaredledvina)
• gateway-api: clean up resources on GatewayClass handoff (cilium/cilium#45362, @mhofstetter)
• gateway-api: Fix missed version upgrades for stable objects (cilium/cilium#45515, @youngnick)
• gateway-api: Fix TLSRoute versions in yaml test data (cilium/cilium#45662, @smagnani96)
• gateway-api: Move predicates to new predicates module (cilium/cilium#45671, @youngnick)
• gateway-api: Move Watch handlers into dedicated module (cilium/cilium#45561, @youngnick)
• gateway-api: shorten generated CEC names (cilium/cilium#45368, @mhofstetter)
• gateway-api: update to v1.5.1 in docs (cilium/cilium#45324, @mhofstetter)
• github: convert issue templates to YAML forms (cilium/cilium#45411, @aanm)
• helm: allow overriding of external images in charts (cilium/cilium#45597, @sekhar-isovalent)
• helm: do not set operator health port as hostPort when hostNetwork is disabled (cilium/cilium#45386, @robinelfrink)
• helm: expose k8s.apiServerURLs in Helm chart values (cilium/cilium#45210, @kubaw)
• imges: Remove broken operator CMD with unexpanded arg (cilium/cilium#45701, @HadrienPatte)
• Introduce BPF auxiliary variables (cilium/cilium#45081, @dylandreimerink)
• ipam: Migrate cidrPool to netip (cilium/cilium#45395, @HadrienPatte)
• ipam: Migrate cidrset and CIDRAllocator to netip (cilium/cilium#45495, @HadrienPatte)
• ipam: Migrate ipallocator from net.IP to net/netip types (cilium/cilium#45260, @HadrienPatte)
• ipam: Migrate pod CIDR manager to netip.Prefix (cilium/cilium#45508, @HadrienPatte)
• ipam: Operator dual-write Spec.IPAM.Pools.Allocated for ENI mode (cilium/cilium#45110, @HadrienPatte)
• ipam: Read demand from Spec.IPAM.Pools.Requested for ENI multi-pool (cilium/cilium#45124, @HadrienPatte)
• ipam: Remove cilium_operator_ipam_ips and cilium_operator_ipam_available_interfaces IPAM metrics that have been deprecated and marked for deletion respectively since 1.15 and 1.14. (cilium/cilium#45134, @HadrienPatte)
• ipam: Remove unused InterfaceRevision wrapper struct (cilium/cilium#45372, @HadrienPatte)
• ipam: Return error from instance (re)sync instead of sentinel time.Time (cilium/cilium#45153, @HadrienPatte)
• k8s: Allow extensibility of RemoveCiliumLabels (cilium/cilium#45550, @gandro)
• k8s: Propagate context through ListerWatcher chain (cilium/cilium#44958, @HadrienPatte)
• k8s: Update libraries to v1.36.0 (cilium/cilium#45499, @HadrienPatte)
• labeler: fix invalid changed-files config for feature/k8s-gateway-api (cilium/cilium#45676, @aanm)
• lb: fall back when same-zone backend is unhealthy (cilium/cilium#45642, @viktor-kurchenko)
• LBIPAM: Code cleanup, data model refactor and test improvements (cilium/cilium#45602, @dylandreimerink)
• loadbalancer/maps: avoid unnecessary DeepCopyInto in GetPrefix methods (cilium/cilium#45416, @tklauser)
• loadbalancer/reflectors: Filter EndpointSlice watch by service labels (cilium/cilium#45528, @HadrienPatte)
• logging: replace pipe-based klog bridge with klog.SetSlogLogger (cilium/cilium#45422, @HadrienPatte)
• maps/netdev: switch cilium_devices from array to hash map (cilium/cilium#45201, @tklauser)
• Miscellaneous logging tidyups (cilium/cilium#45270, @joestringer)
• monitor, proxy: convert net.IP to netip.Addr (cilium/cilium#45180, @monta-riahi)
• monitor: convert net.IP to netip.Addr (cilium/cilium#44796, @Ignoramuss)
• operator: Move single-cell flags off the global OperatorConfig (cilium/cilium#45604, @HadrienPatte)
• pkg/multicast: convert net.IP to netip.Addr (cilium/cilium#45212, @Rajneesh180)
• policy/api: remove unused {Egress,Ingress}CommonRule.IsL3 methods (cilium/cilium#45080, @tklauser)
• policy: Add script commands, fakes, and test infrastructure (2/3) (cilium/cilium#44899, @christarazi)
• policy: Include priority in PerSelectorPolicy.Equal check (cilium/cilium#45687, @jrajahalme)
• preflight: Remove obsolete reserved:init CNP validation warning (cilium/cilium#45357, @HadrienPatte)
• Prepare for release v1.20.0-pre.1 (cilium/cilium#45117, @cilium-release-bot[bot])
• README: Update releases (cilium/cilium#45123, @aanm)
• README: Update releases after v1.19.3 release (cilium/cilium#45406, @jrajahalme)
• renovate: add dependency cooldown (cilium/cilium#45491, @peoyekunle)
• renovate: allow golangci-lint to be automatically updated (cilium/cilium#45348, @aanm)
• Switch default ztunnel image from docker.io/istio/ztunnel to quay.io/cilium/ztunnel:v1.0.0 (cilium/cilium#44829, @nddq)
• Temporary exception to allow running builder.sh as root before Renovate workflows are fixed. (cilium/cilium#45658, @gentoo-root)
• tools/stackwhere: Add a tool to analyze BPF stack usage (cilium/cilium#44987, @dylandreimerink)
• Update go to 1.26 and fix related linting issues (cilium/cilium#45336, @HadrienPatte)
• Update network-policy-api to official release-0.2 (v1alpha2) (cilium/cilium#45531, @TheBeeZee)
• vendor,hive: Bump to StateDB v0.8.0 and adapt metrics (cilium/cilium#45381, @joamaki)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.20.0-pre.2@sha256:28935c15ea65b35ab5b7c67950cb4cda32c199b915256100769f06f6832719f1

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.20.0-pre.2@sha256:d687aa37dde5b1b682de1fb8356f0a9b6f59715c84adbfb9cee457a7e31810ed

docker-plugin

quay.io/cilium/docker-plugin:v1.20.0-pre.2@sha256:ad3530abfec2720f3971814e8996352e49c088a5ec6c30da6c4e79c23c6a7a6f

hubble-relay

quay.io/cilium/hubble-relay:v1.20.0-pre.2@sha256:339a65003d15e4584e38b112969d6dc2184b822a6b453aa6d598f74642aac320

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.20.0-pre.2@sha256:158015bd97cc976bad43fc32af334c9da61a7203f747b8aeaa4937c74b60defd

operator-aws

quay.io/cilium/operator-aws:v1.20.0-pre.2@sha256:bd230d4f984c9d6419fedd4c18425b746620dd48347da7be124ca827ab69a4df

operator-azure

quay.io/cilium/operator-azure:v1.20.0-pre.2@sha256:adf274169743c7b3d9f0ebec19b99f9db900de9ee622c726bcab57feeeea893a

operator-generic

quay.io/cilium/operator-generic:v1.20.0-pre.2@sha256:28f2b7f447896ccac98c5e5ac6dece1d0778740a0779a6bbcf89b33834d67a93

operator

quay.io/cilium/operator:v1.20.0-pre.2@sha256:1ff74c7c8b9f39f41a40018b71441e9b096a2da0ee9f9652e978e6a0ac35435e