Cilium V1.20.0 Pre.3 Release Note

Source: https://github.com/cilium/cilium/releases/tag/v1.20.0-pre.3

cilium/cilium v1.20.0-pre.3 Release Notes

Published at: 2026-06-02T00:41:32Z

Summary of Changes

Major Changes:

  • Gateway API: ExternalAuth filter support for HTTPRoutes. Cilium now supports the ExternalAuth filter type in HTTPRoutes (GEP-1494). Routes can delegate authorization decisions to an external service using either gRPC (Envoy ext_authz protocol) or HTTP. Configurable options include allowed request/response headers, request body forwarding, path prefix, and TLS-backed auth backends via BackendTLSPolicy. (cilium/cilium#45739, @gauteoh)
  • proxy: Bump cilium-envoy to v1.37.x (cilium/cilium#45851, @sayboras)

Minor Changes:

  • Add encryption.ztunnel.ca.type Helm value to select ztunnel’s CA backend (spire|internal, default internal). (cilium/cilium#45861, @nddq)
  • Add helm.sh/chart standard label (cilium/cilium#45771, @chernetskyi)
  • Adds optional fields for subject and private key options in certificate template when cert-manager is used to generate clustermesh-apiserver and hubble TLS certificates. (cilium/cilium#45972, @owayss)
  • alibabacloud: Migrate IP/CIDR fields to ip.Addr/Prefix wrappers (cilium/cilium#46210, @HadrienPatte)
  • Azure IPAM: track subnet once per AzureInterface on CiliumNode status, matching AWS and AlibabaCloud IPAM models. The previous per-address addresses[].subnet and flat interfaces[].cidr fields are deprecated. (cilium/cilium#45985, @jaredledvina)
  • azure: Remove duplicate GetInstance call in per-instance resync (cilium/cilium#46192, @HadrienPatte)
  • azure: Skip listing NIC of empty VMSSs (cilium/cilium#46129, @HadrienPatte)
  • bgp: Bump GoBGP from v3 to v4.5.0 (cilium/cilium#45952, @rastislavs)
  • clustermesh/docs: Improve Cluster Mesh intro documentation (cilium/cilium#46021, @MrFreezeex)
  • Extend default APIInteractions metric buckets from 10s to 2min (cilium/cilium#46115, @kamilWyszynski1)
  • feat(sdp): Support DNS metrics from Standalone DNS Proxy (cilium/cilium#44601, @vipul-21)
  • fqdn: Deprecate toFQDNs pre-cache flag and remove preflight poller (cilium/cilium#45295, @HadrienPatte)
  • gateway-api: Add HTTPRoute CORS filter support. (cilium/cilium#45924, @arybolovlev)
  • gateway-api: add support for disabling gRPC-web translation (cilium/cilium#45984, @thorn3r)
  • helm: Remove loadBalancer.standalone option (cilium/cilium#46070, @joestringer)
  • ipam: Add CIDR-based release mechanism for ENI multipool mode (cilium/cilium#45958, @HadrienPatte)
  • ipam: Switch ENI IPAM from CRD to multi-pool allocator (cilium/cilium#45154, @HadrienPatte)
  • lb: support EndpointSlice weights for Maglev backends (cilium/cilium#46061, @mhofstetter)
  • Policies that reference AWS VPC groups are now transformed into a CiliumCIDRGroup. (cilium/cilium#44704, @squeed)
  • Prevent premature LRU eviction of newly inserted socket reverse NAT entries by touching the entry after insertion to set the LRU reference bit. (cilium/cilium#46228, @luoxuanqiang)
  • Relax DisableCiliumEndpointCRD to work with CES and operator slim mode (cilium/cilium#45698, @kamilWyszynski1)
  • Replace boringcrypto with upstream Go crypto libraries (cilium/cilium#46092, @HadrienPatte)
  • Shrink cilium-cni binary size by 80% (cilium/cilium#45845, @giorio94)
  • Updates the CiliumPodIPPool CRD version to v2. Adds a new per-CIDR configuration option “reservedRanges”. (cilium/cilium#44383, @kyounghoonJang)
  • When IPv4 traffic exits an Egress Gateway node, it strictly uses the network interface specified in the CiliumEgressGatewayPolicy (or the default interface). This matches the behavior for IPv6 traffic. (cilium/cilium#45833, @julianwiedmann)
  • wireguard:mtu: fix mtu calculation with potential padding (cilium/cilium#45940, @smagnani96)

Bugfixes:

  • Always add cluster label to node when nodeSelectorLabels is enabled to fix CiliumNetworkPolicy with fromNodes/toNodes with policy-default-local-cluster enabled (enabled by default in 1.19+) (cilium/cilium#46068, @MrFreezeex)
  • azure: Fix public IP reassignment failure loop on operator restart (cilium/cilium#46240, @HadrienPatte)
  • bgp: Don’t provide default_gateway reconciler when disabled (cilium/cilium#45911, @YutaroHayakawa)
  • bgp: Reduce amount of soft peer resets by service reconciliation and fix potentially missed incorrect metadata update upon failed reconciliation. (cilium/cilium#45927, @rastislavs)
  • bpf: don’t silently drop packets with tcx hooks (cilium/cilium#45740, @Andreagit97)
  • bpf: egressgw: don’t use bpf_redirect_neigh() for L3 packets (cilium/cilium#45703, @julianwiedmann)
  • bpf: fix host proxy packet routing to pods (cilium/cilium#45916, @atykhyy)
  • bug: fixed weighted backend traffic splitting for TLSRoute passthrough listeners in Gateway API (cilium/cilium#45937, @nickolaev)
  • cilium-dbg: cilium map list now displays “unknown” instead of 0 for maps that do not support cache-based entry counting. (cilium/cilium#44951, @skymensch)
  • datapath/mtu: add altname to mark cilium owned interfaces and skip changing MTU on interfaces not managed by cilium (cilium/cilium#45799, @bersoare)
  • Fix a bug that causes the NamespaceSelector field in a CiliumEgressGatewayPolicy to be corrupted, and no longer effective. (cilium/cilium#45926, @julianwiedmann)
  • Fix a rare bug in clustermesh-apiserver that triggers incorrect deletion of a valid endpoint entry from the etcd under high pod churn (cilium/cilium#45780, @adamwathieu)
  • Fix allowedRoute namespace and kind restrictions on multi-listener Gateways. (cilium/cilium#45693, @eufriction)
  • Fix BGP PeerConfig status cleanup so it no longer times out when there are no managed conditions to remove. (cilium/cilium#45967, @ysksuzuki)
  • Fix BPF compilation failure on transient direct routing device address loss (cilium/cilium#44894, @christarazi)
  • Fix BPF LB map key collision where HostPort/NodePort expansion could overwrite a LoadBalancer frontend when the node IP matches the LoadBalancer external IP (e.g. k3s/RKE2 L2 ServiceLB). Also fix a ~30-minute NodePort outage that occurred after deleting a LoadBalancer whose external IP was a node address with a port in the NodePort range. (cilium/cilium#45314, @syedazeez337)
  • Fix bug that would disrupt node connectivity when ClusterIP/LoadBalancer VIPs overlapped with node-local IP addresses. (cilium/cilium#45572, @ajmmm)
  • Fix Cilium node IPv6 selection silently picking an address that failed duplicate-address detection, which could result in the node advertising an address belonging to another node (cilium/cilium#45868, @ssam18)
  • Fix dedicated Ingress reconciliation panic on invalid TLS passthrough rules (cilium/cilium#45737, @weizhoublue)
  • Fix Hubble metrics labelsContext parsing: values must now be comma-separated (e.g. labelsContext=source_ip,destination_ip). Previously, mixing , and | in the value would silently produce invalid tokens. (cilium/cilium#45809, @bitflicker64)
  • Fix Kubernetes ClusterNetworkPolicy (network-policy-api, alpha) match expressions (matchExpressions) being ignored when selecting endpoints. An “In” match selected no endpoints (e.g. a Deny rule would not block its intended traffic) and a “NotIn” match selected all endpoints, so policies using match expressions were not enforced as written. CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, and standard Kubernetes NetworkPolicy are not affected. (cilium/cilium#46253, @aanm)
  • fix(gateway-api): set ready condition in endpointSlice to true (cilium/cilium#46237, @ulrichgiraud)
  • fix: nil pointer dereference panic due to uninitialized logger (cilium/cilium#45782, @weizhoublue)
  • Fixed unsolicited IPv6 L2 announcements ignored by receiving hosts, as not conformant to RFC 4861 (cilium/cilium#46079, @giorio94)
  • Fixes a bug where policymap pressure was incorrectly being reported as 0. (cilium/cilium#45791, @squeed)
  • gateway-api: fix GatewayClass field index (cilium/cilium#46127, @thorn3r)
  • gateway-api: Fix silent drops of routes on multi listener gateways (cilium/cilium#45821, @weizhoublue)
  • iptables: match wireguard packets by proto+port instead of packet mark (cilium/cilium#45974, @bersoare)
  • multipool: Fix retries for CiliumNode Get errors (cilium/cilium#46124, @pippolo84)
  • operator/ipam: Avoid short-lived ctx for allocators start (cilium/cilium#46034, @pippolo84)
  • Revert Gateway-API/Ingress endpointslice removal (incl. restore of dummy ingress endpoint) (cilium/cilium#45679, @mhofstetter)

CI Changes:

  • .github: Enable ciliumbot to pass patch checks (cilium/cilium#45977, @joestringer)
  • bpf: remove redundant build config (cilium/cilium#46175, @julianwiedmann)
  • bpf: test: egressgw: fine-tune the FIB lookup for local packets (cilium/cilium#46099, @julianwiedmann)
  • bpf: tests: minor improvements to legacy GENEVE-DSR test (cilium/cilium#46081, @julianwiedmann)
  • chore(deps): update lvh-images for conformance-runtime (cilium/cilium#45922, @julianwiedmann)
  • ci: add interface addresses in TestPrivilegedReplaceRoute (cilium/cilium#45827, @bersoare)
  • ci: Clean-up disk before running go checks (cilium/cilium#45895, @fgiloux)
  • ci: gate conn-disrupt-test-check via explicit input (cilium/cilium#46042, @ysksuzuki)
  • ci: option to pass extra values_files_changes to dev chart push (cilium/cilium#45702, @mhofstetter)
  • ci:bpftrace: fail curl with corrupted binary download (cilium/cilium#45948, @smagnani96)
  • Fix stack depth reporting in verifier test (cilium/cilium#46182, @pchaigno)
  • gh: conn-disrupt: remove skip-include-conn-disrupt-test-ns-traffic flag (cilium/cilium#46045, @julianwiedmann)
  • gh: gateway-api: run disk-cleanup action (cilium/cilium#45897, @julianwiedmann)
  • gha/clustermesh: run on schedule, rather than on every push to main (cilium/cilium#46088, @giorio94)
  • gha: fix hour handling in Ariane scheduled workflow (cilium/cilium#46083, @giorio94)
  • gha: make conformance kubespray runner configurable (cilium/cilium#46171, @giorio94)
  • golangci-lint: Update gomodguard linter to v2 (cilium/cilium#45860, @HadrienPatte)
  • helm: allow overriding of registry_prefix in charts (cilium/cilium#46217, @sekhar-isovalent)
  • ipam: Deflake TestMarkForReleaseNoAllocate (cilium/cilium#46188, @pippolo84)
  • loader: Support max stack depth in verifier logs (cilium/cilium#46109, @pchaigno)
  • loader: Support newer verifier logs (cilium/cilium#45880, @pchaigno)
  • pkg/loadbalancer: fix loadbalancer nodeport collision test (cilium/cilium#46087, @ajmmm)
  • Revert “.github/actions/e2e: Fix incorrect devices helm option syntax” (cilium/cilium#45898, @joamaki)
  • Revert “chore(deps): update all lvh-images main” (cilium/cilium#45822, @pchaigno)
  • Revert “chore(deps): update all lvh-images main” (cilium/cilium#46221, @pchaigno)
  • workflows/verifier: Fix again always-passing workflow status (cilium/cilium#45899, @pchaigno)
  • workflows/verifier: Fix always-passing workflow status (cilium/cilium#45835, @pchaigno)
  • workflows/verifier: Fix scheduled runs (cilium/cilium#46176, @pchaigno)
  • workflows: Reject GitHub’s default email for SOB (cilium/cilium#45912, @pchaigno)
  • workflows: Update 6.6 LVH image (cilium/cilium#46190, @pchaigno)

Misc Changes:

  • .github: Make release note instructions clearer (cilium/cilium#45768, @joestringer)
  • Add documentation and warnings on DNS interception (cilium/cilium#45525, @ferozsalam)
  • Add extension points for cilium-envoy container lifecycle hooks (cilium/cilium#45857, @0xch4z)
  • Add schema to the “devices” helm option and expose it in docs. (cilium/cilium#45830, @joamaki)
  • always render enable-host-firewall in configmap (cilium/cilium#44748, @shibaPuppy)
  • Azure IPAM: Add tracking of the Primary IP per interface (cilium/cilium#45976, @jaredledvina)
  • Azure: Merge subnets during resyncInstance instead of replacing them (cilium/cilium#45715, @jaredledvina)
  • azure: Remove unused GetVpcsAndSubnets function (cilium/cilium#46173, @HadrienPatte)
  • bgp: Handle errors from NewPathForPrefix (cilium/cilium#46256, @rastislavs)
  • bgp: Use CreatedAt timestamp instead of AgeNanoseconds in the internal Path type (cilium/cilium#46113, @rastislavs)
  • bpf/analyze: Always visit global functions (cilium/cilium#45917, @pchaigno)
  • bpf: constify and minor NAT cleanups (cilium/cilium#46244, @julianwiedmann)
  • bpf: egressgw: skip redirect checks in to-netdev for non-local traffic (cilium/cilium#45955, @julianwiedmann)
  • bpf: Fix should_redirect_peer under netkit (cilium/cilium#46037, @borkmann)
  • bpf: introduce pull_l3_hdr() helper for ethertype de-mux points (cilium/cilium#45891, @saiaunghlyanhtet)
  • bpf: local_delivery: add CB flag for “use_redirect_peer” (cilium/cilium#46169, @julianwiedmann)
  • bpf: local_delivery: condense usage of skb cb slots (cilium/cilium#46064, @julianwiedmann)
  • bpf: lxc: pull L3 header at first ethertype de-mux point (cilium/cilium#45639, @saiaunghlyanhtet)
  • bpf: nodeport: make l3_off in nodeport_lb4() static (cilium/cilium#45797, @julianwiedmann)
  • bpf: Refuse legacy host routing when in netkit mode (cilium/cilium#46032, @borkmann)
  • bpf: rename aux.h to avoid malformed file path error upon go get (cilium/cilium#45804, @tklauser)
  • chore(deps): update all github action dependencies (main) (cilium/cilium#45745, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (cilium/cilium#45992, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (cilium/cilium#46014, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (cilium/cilium#46133, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#45390, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#45879, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (cilium/cilium#45725, @cilium-renovate[bot])
  • chore(deps): update base-images (main) (cilium/cilium#45991, @cilium-renovate[bot])
  • chore(deps): update base-images (main) (cilium/cilium#46054, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium digest to 6bbf438 (main) (cilium/cilium#46011, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium digest to e1b3ec8 (main) (cilium/cilium#46005, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.19.3 (main) (cilium/cilium#46134, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.19.4 (main) (cilium/cilium#46263, @cilium-renovate[bot])
  • chore(deps): update dependency bufbuild/buf to v1.69.0 (main) (cilium/cilium#45869, @cilium-renovate[bot])
  • chore(deps): update dependency bufbuild/buf to v1.70.0 (main) (cilium/cilium#46265, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/little-vm-helper to v0.0.30 (main) (cilium/cilium#46108, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.26.3 docker digest to 2d6c802 (main) (cilium/cilium#46163, @cilium-renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.11 (main) (cilium/cilium#45900, @cilium-renovate[bot])
  • ci: add output option “skip” tests to derive config action (cilium/cilium#45971, @smagnani96)
  • cilium-cli/sysdump: use bgp hive shell commands instead of the old rest API based commands (cilium/cilium#45754, @martonra)
  • Clarify AI policy guidance in PR template (cilium/cilium#46126, @joestringer)
  • clustermesh: add ClusterEndpointSlice type (cilium/cilium#46160, @MrFreezeex)
  • clustermesh: update MCS-api dependency to v0.5.0 and adopt the yaml conformance output (cilium/cilium#45934, @MrFreezeex)
  • cni: extract configuration into separate package (cilium/cilium#46114, @giorio94)
  • CODEOWNERS: Assign ztunnel workflows to ztunnel (cilium/cilium#45776, @joestringer)
  • completion: Prune pending completions after Wait (cilium/cilium#46060, @jrajahalme)
  • daemon: Fix privileged integration policy test (cilium/cilium#46056, @jrajahalme)
  • datapath: clean up USE_BPF_PROG_FOR_INGRESS_POLICY for endpoint programs (cilium/cilium#46121, @julianwiedmann)
  • datapath: remove USE_BPF_PROG_FOR_INGRESS_POLICY (cilium/cilium#46248, @julianwiedmann)
  • Deprecate Identity.StringID & Refactor callers to use String() instead (cilium/cilium#46131, @furkan-asani)
  • deps: Bump GoBGP to most recent 4.5.1 pre-release commit (cilium/cilium#46226, @rastislavs)
  • Do not pin Cilium GH actions (cilium/cilium#45826, @aanm)
  • docs: Add caveats on Kubernetes versions when using host L7 DNS policies (cilium/cilium#45843, @atykhyy)
  • docs: Add Gateway API default TLS certificate example (cilium/cilium#45807, @arybolovlev)
  • docs: add small CiliumCIDRGroup scalability callout (cilium/cilium#45763, @squeed)
  • docs: Document BTF as a requirement (cilium/cilium#46063, @pchaigno)
  • docs: drop stale nodeinit from Azure CNI chaining guide (cilium/cilium#46128, @vipul-21)
  • docs: Extend Azure IPAM documentation (cilium/cilium#45575, @HadrienPatte)
  • docs: Fix DOCS_BUILDER_REPO env variable for BSD sed compatibility (cilium/cilium#46033, @arybolovlev)
  • docs: fix Markdown-style hyperlink in mutual-authentication.rst (cilium/cilium#45751, @bitflicker64)
  • docs: fix typo cillium -> cilium in encryption-ztunnel.rst (cilium/cilium#45838, @kiranbabu09)
  • docs: Update docs-builder for Makefile usage (cilium/cilium#45774, @joestringer)
  • Documentation: Update outdated datapath config docs (cilium/cilium#46225, @dylandreimerink)
  • egressgw: minor changes for network interface detection (cilium/cilium#45638, @julianwiedmann)
  • endpoint: set and get the value of the RTInfo’s encoding (cilium/cilium#45794, @ldelossa)
  • endpoint: Update BenchmarkWriteHeaderfile benchmark (cilium/cilium#45592, @odinuge)
  • endpoint: use temporary directory for log file in TestPolicyLog (cilium/cilium#45801, @tklauser)
  • envoy: Apply default config in standalone_envoy_test (cilium/cilium#46052, @jrajahalme)
  • envoy: finalize policy update (cilium/cilium#46066, @jrajahalme)
  • Envoy: Network policy cleanup (cilium/cilium#46069, @jrajahalme)
  • Fix new golangci-lint findings (cilium/cilium#45894, @HadrienPatte)
  • Fix schema for gatewayAPI.gatewayClass.create. (cilium/cilium#45741, @reitermarkus)
  • Fix typo: StringID -> String in doc comment of Identity.String function (cilium/cilium#46012, @furkan-asani)
  • fix(deps): update all go dependencies main (main) (cilium/cilium#45993, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (cilium/cilium#46006, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (cilium/cilium#46136, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (cilium/cilium#46152, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (cilium/cilium#46264, @cilium-renovate[bot])
  • Fix: Prevent external-group hash collisions that can merge distinct policies (cilium/cilium#45820, @weizhoublue)
  • gateway-api: Fix BackendTLSPolicy connections to TLS 1.3-only services (cilium/cilium#45865, @weizhoublue)
  • gateway-api: remove ref of v1beta1 grpcroute (cilium/cilium#45828, @mhofstetter)
  • gateway-api: remove some usages of v1alpha2 TLSRoute (cilium/cilium#45825, @mhofstetter)
  • gateway-api: treat BackendTLSPolicy as required type (cilium/cilium#46031, @mhofstetter)
  • gateway-api: treat TLSRoute as required type (cilium/cilium#45930, @mhofstetter)
  • gw-api: add external auth example (cilium/cilium#46098, @mhofstetter)
  • gw-api: cleanup cecTranslator (cilium/cilium#46110, @mhofstetter)
  • health: Add health/history command (cilium/cilium#46102, @joamaki)
  • helm: add minReadySeconds support to DaemonSets (cilium/cilium#45808, @PhilipSchmid)
  • images: Fix Envoy update script (cilium/cilium#46057, @jrajahalme)
  • images: relax dockerfile match when updating builder and runtime images (cilium/cilium#45970, @giorio94)
  • ip: Add netip.Addr/Prefix wrappers for Kubernetes API types (cilium/cilium#46047, @HadrienPatte)
  • ipam/multi-pool: Do not propagate errors in case of conflicts (cilium/cilium#46172, @pippolo84)
  • ipam: Decorrelate agent and operator implementations (cilium/cilium#45765, @HadrienPatte)
  • ipam: Migrate AllocationResult.{CIDRs,GatewayIP} to netip types (cilium/cilium#45790, @HadrienPatte)
  • ipam: Migrate Allocator and AllocationResult to netip.Addr (cilium/cilium#45647, @HadrienPatte)
  • ipam: Migrate operator-side IP-keyed maps to netip.Addr (cilium/cilium#45859, @HadrienPatte)
  • ipam: Remove unused ForeachAddress abstraction (cilium/cilium#46111, @HadrienPatte)
  • ipsec: misc agent fixes and cleanups (cilium/cilium#45641, @smagnani96)
  • k8s/node: Remove NodeIdentity field from CiliumNode (cilium/cilium#45685, @gandro)
  • k8s/portforward: avoid panic in case of service without ports (cilium/cilium#46230, @tklauser)
  • k8s/tables: extract k8s StateDB tables out of daemon/k8s (cilium/cilium#45786, @tklauser)
  • kpr/initializer: fix reserved port range validation (cilium/cilium#46229, @tklauser)
  • lbipam: Apply fixes for bugs in LBIPAM refactor (cilium/cilium#45800, @dylandreimerink)
  • loadbalancer: Fix resource-drain and transaction churn in the background zone watcher by caching zone state and precisely filtering zone-driven traffic distribution policies. (cilium/cilium#45752, @08volt)
  • loadbalancer: proxy ports are now resolved per frontend instead of per service, preventing one port from losing its L7 redirect when multiple listeners share a service. (cilium/cilium#45949, @eufriction)
  • loadbalancer: use structured logging in config (cilium/cilium#45785, @statsops)
  • loadbalancing: Expose ReflectorWaitTime via flag (cilium/cilium#46059, @brb)
  • mac: remove unused CArrayString (cilium/cilium#45946, @tklauser)
  • MAINTAINERS: Add Simone Magnani (cilium/cilium#46094, @pchaigno)
  • Miscellaneous improvements to the fake client (cilium/cilium#45784, @giorio94)
  • operator/ipam: Consolidate cloud allocator bootstrap (cilium/cilium#45975, @HadrienPatte)
  • operator/ipam: Miscellaneous improvements to allocators (cilium/cilium#46035, @pippolo84)
  • pkg/node/sync: Add support for injecting init functions (cilium/cilium#45921, @joamaki)
  • pkg/{aws,azure}: Use go 1.26’s new() (cilium/cilium#45862, @HadrienPatte)
  • pkg/{aws,azure}: Use k8s sets.Set type for string sets (cilium/cilium#45813, @HadrienPatte)
  • Policy minor fixes (cilium/cilium#46058, @jrajahalme)
  • policy: Add error logging when parsing invalid CIDRs in GetAsEndpointSelectors (cilium/cilium#45781, @statsops)
  • policy: Fix data race in resolve tests under -race (cilium/cilium#45941, @christarazi)
  • policy: remove unused EmptyStringLabels (cilium/cilium#46044, @tklauser)
  • Prepare for release v1.20.0-pre.2 (cilium/cilium#45772, @cilium-release-bot[bot])
  • README: Update releases (cilium/cilium#45779, @joestringer)
  • README: Update releases (cilium/cilium#45964, @thorn3r)
  • refactor(endpointmanager): use GetEndpointsByNamespace in namespace_updater (cilium/cilium#45540, @zbb88888)
  • Remove defunct l2podAnnouncements.interface Helm value that rendered a configmap key the agent no longer recognises, causing crash-loops when L2 pod announcements were enabled. Users must use l2podAnnouncements.interfacePattern instead. (cilium/cilium#46093, @salamidrus)
  • renovate: skip sphinx from being updated (cilium/cilium#45812, @aanm)
  • Revert “tools/stackwhere: Add a tool to analyze BPF stack usage” (cilium/cilium#45759, @dylandreimerink)
  • Split cloud providers into specific files (cilium/cilium#45680, @aanm)
  • tools/cloud-dep-check: gitignore the built binary (cilium/cilium#45892, @HadrienPatte)
  • tools: Add statedblint (cilium/cilium#45896, @joamaki)
  • vendor: Update controller-runtime to v0.24.0 (cilium/cilium#45919, @HadrienPatte)
  • vendor: Update controller-tools fork to v0.21.0-1 (cilium/cilium#46039, @HadrienPatte)
  • ztunnel: consolidate MockEndpointManager into pkg/testutils (cilium/cilium#46067, @nddq)
  • ztunnel: split CA server into its own package (cilium/cilium#45664, @nddq)

Other Changes:

  • Fix Meeting Notes link in README (cilium/cilium#46086, @parlakisik)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.20.0-pre.3@sha256:c25d38b048b90a1755437aa71e0e1e6b778a6c16532c49300a62b8690def2cd2

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.20.0-pre.3@sha256:7604a20140321f4f0abe84284db8ee16b7817edf6593cc73016dc24ac52edae5

docker-plugin

quay.io/cilium/docker-plugin:v1.20.0-pre.3@sha256:ea9eb75ef2aca3d03330d2332748765f12d2683251be16fa4a51e891434811da

hubble-relay

quay.io/cilium/hubble-relay:v1.20.0-pre.3@sha256:d9fa9e132a9bcd5fa554995d708e152bd4b0282ac131984536d260b4c8c3abc3

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.20.0-pre.3@sha256:67e73aed47b871cb475dfdf76abcf4ddc11f7848aa16c40c77cea19b1de12e6e

operator-aws

quay.io/cilium/operator-aws:v1.20.0-pre.3@sha256:d63bd21ed1a135c2e4ff714142e293cef3fda1ff192b19a89d5c6177293eb778

operator-azure

quay.io/cilium/operator-azure:v1.20.0-pre.3@sha256:1f854ea98a4131d17fb1f956e9c5e3d2abbf1ae478030d7a20cbd50c1f371d62

operator-generic

quay.io/cilium/operator-generic:v1.20.0-pre.3@sha256:5be513260832401fa50d2e112396130ac17585c8e30a2e6e4529282c7fc39fd9

operator

quay.io/cilium/operator:v1.20.0-pre.3@sha256:12a7c328625d88a3280139a2c868ecd945f0280a557513ffdfc670a6593992f6