🎉 欢迎访问本站,如有问题欢迎 留言
Docs
Cncf
Project
Cilium
Cilium V1.19.0 Pre.0 Release Note

来源: https://github.com/cilium/cilium/releases/tag/v1.19.0-pre.0

cilium/cilium v1.19.0-pre.0 Release Notes

Published at: 2025-09-03T14:10:28Z

Summary of Changes

Major Changes:

  • Add L2 announcement IPv6 support (cilium/cilium#39648, @msune)
  • Add support for VRRP and IGMP protocols in host firewall. (cilium/cilium#39872, @aditighag)
  • Support IPv6 underlay on dual-stack clusters (cilium/cilium#40324, @pchaigno)

Minor Changes:

  • Add a new config field to enable remote node masquerading in BPF routing mode. This can help to establish the pods-remote nodes communication in a BPF-masquerade enabled cluster when pod and node network are in different subnets (cilium/cilium#37568, @behzad-mir)
  • Add option for daemon kube-apiserver access to bypass host firewall (cilium/cilium#40346, @atykhyy)
  • Add securityContext & disable hostNetwork in clustermesh-apiserver cronjob helm template (cilium/cilium#39368, @giorio94)
  • Add support for Multi-Pool IPAM mode with ipsec encryption and direct routing. (cilium/cilium#40460, @pippolo84)
  • Added initial scaffolding for a standalone DNS proxy component in Cilium. This includes a new module to manage the proxy lifecycle, configuration updates, and basic test coverage. The proxy functionality is currently a placeholder and will be expanded in future releases. (cilium/cilium#39906, @vipul-21)
  • Automatically skip creating maps that are unused by Cilium’s current configuration (cilium/cilium#40416, @ti-mo)
  • Avoid VXLAN/Geneve connections filling up conntrack when tunneling is enabled (cilium/cilium#38782, @BenoitKnecht)
  • bpf: Init (ipv6_frag_hdr) frag struct (cilium/cilium#41263, @brb)
  • build: Add flag to control goexperiments and add configuration to use fipsonly package when the boringcrypto goexperiment is used (cilium/cilium#38807, @HadrienPatte)
  • Cilium EndpointSlices: improve metrics from the Operator CES controller (cilium/cilium#40418, @antonipp)
  • cilium: dsr ipip dispatch with tcx (cilium/cilium#41269, @borkmann)
  • clustermesh: add prometheus metrics about local ServiceExport and ServiceImport (cilium/cilium#40736, @MrFreezeex)
  • clustermesh: helm: add support for dict type for clustermesh.config.clusters values (cilium/cilium#40857, @MrFreezeex)
  • clustermesh: helm: move MCS-API helm config and add a job to autoconfigure CoreDNS for MCS-API for CoreDNS v1.12.2+ (cilium/cilium#40506, @MrFreezeex)
  • Deprecate v2alpha1 version of CiliumLoadBalancerIPPool CRD in favor of the v2 version (cilium/cilium#39134, @pippolo84)
  • Disables the configuration resolver InitContainer when CiliumNodeConfig is not a configuration source. (cilium/cilium#40556, @atykhyy)
  • Enhance Cilium helm chart with dedicated pod restart selector field (cilium/cilium#41146, @thetillhoff)
  • envoy: Bump envoy proxy to 1.35.0 (cilium/cilium#40569, @sayboras)
  • feat(agent): Add route-based node IP discovery (cilium/cilium#40095, @tsotne95)
  • feat: setting policy map pressure metrics threshold (cilium/cilium#40188, @pasteley)
  • Fix operator k8s workqueue metrics to use correct prefix of cilium_operator_workqueue_ (cilium/cilium#40884, @tommyp1ckles)
  • Fixes the Operator’s configuration to be compatible with Azure workload identity. (cilium/cilium#40269, @atykhyy)
  • gateway-api: Replace Endpoint with EndpointSlice (cilium/cilium#41083, @sayboras)
  • helm: use sane defaults in combination with eni.enabled=true (cilium/cilium#40445, @f1ko)
  • hubble: remove deprecated experimental fieldmask (cilium/cilium#40245, @kaworu)
  • Introduce wildcard service entries to ensure traffic towards a LoadBalancer and ClusterIPs with an unknown protocol/port combination is dropped by the data path, rather than being forwarded back to the network. (cilium/cilium#40684, @ajmmm @mikn)
  • k8s: Update tests and libraries to v1.34.0-rc.1 (cilium/cilium#41068, @sayboras)
  • kpr: Remove some deprecated flags (cilium/cilium#41238, @brb)
  • KVStoreMesh: add support for leader election, to allow running multiple replicas when Cilium operates in kvstore identity allocation mode. (cilium/cilium#39848, @balous)
  • metrics: cilium_k8s_client_rate_limiter_duration_seconds no longer has labels path and method (cilium/cilium#41247, @marseel)
  • NodePort functionality is now enabled when –kube-proxy-replacement is enabled. The –enable-nodeport flag has been removed. (cilium/cilium#41380, @brb)
  • operator: added --aws-pagination-enabled flag for enabling/disabling AWS API pagination (cilium/cilium#39543, @antonipp)
  • policy: clustermesh: policy-default-local-cluster is now set by default. See the upgrade guide for guidance on how to prepare your migration if you are using ClusterMesh and have network policies (cilium/cilium#40609, @MrFreezeex)
  • proxy: Add deprecated warning for Kafka (cilium/cilium#40967, @sayboras)
  • refactor: removed previously deprecated -bpf-lb-proto-diff option. (cilium/cilium#40505, @Surya-7890)
  • Remove EnableExternalIP and EnableHostPort (cilium/cilium#41277, @brb)
  • Support IPPrefix unassignment in order to reuse those IPPrefixes and prevent IP starvation. This would require cilium-operator’s AWS IAM role update to add “ec2:DescribeRouteTables” permissions. (cilium/cilium#39300, @hsalluri259)
  • Supports device exclusion in –devices flag (cilium/cilium#40152, @liuyuan10)
  • Switch Operator to use *metrics.Registry infra. (cilium/cilium#39341, @tommyp1ckles)
  • treewide: Remove pcap recorder (cilium/cilium#41237, @gandro)

Bugfixes:

  • Add missing safeguards to topology-aware routing: use all backends when no suitable one matching the zone hints are found or a backend exists without a zone hint. (cilium/cilium#41024, @joamaki)
  • Add option to configure BGP origin attribute for LoadBalancer IPs in BGP Control Plane v2, allowing smoother migration from MetalLB integration. (cilium/cilium#41231, @hanapedia)
  • bpf/bpf_host: host-fw: still attempt nodeport rev-snat on icmpv6. (cilium/cilium#40405, @tommyp1ckles)
  • bpf: fib: Fix issue where neighbor entries remain stale forever in some cases. (cilium/cilium#37725, @jrife)
  • Disable unnecessary headless service watching to reduce API server load in clusters not using the Gateway API or Ingress features. (cilium/cilium#40844, @moscicky)
  • Do not fail on CNI del if namespace no longer exists (cilium/cilium#40843, @aojea)
  • Fix a regression where enabling unknown Hubble metrics would crash the cilium agent (cilium/cilium#41368, @devodev)
  • Fix bug that would cause error messages when disabling agent health checks (cilium/cilium#41297, @HadrienPatte)
  • Fix the bug local redirect policy not doing filter based destination port (cilium/cilium#41411, @liyihuang)
  • Fixes a cosmetic bug where the cilium_bpf_map_ops_total error count was incorrectly being incremented for map cilium_lb_affinity_match. (cilium/cilium#41378, @squeed)
  • fqdn: fix persisted endpoint state synchronization for FQDN operations (cilium/cilium#40119, @fristonio)
  • gamma: support group “core” in GAMMA service parent ref check (cilium/cilium#41268, @mhofstetter)
  • Helm: Correct seccompProfile for cilium-agent pods (cilium/cilium#40476, @jcpunk)
  • ip-masq-agent: Ensure ip rules on the host match the BPF ip-masq-agent configuration in AWS ENI mode. Note that rules are set up once at pod creation and will not be regenerated if the ip-masq-agent configuration changes. (cilium/cilium#40141, @antonipp)
  • ipmasq: fix race causing potential concurrent map read/write. (cilium/cilium#40856, @tommyp1ckles)
  • Kubernetes endpoints that are terminating are retained in the backends BPF state regardless of the “serving” condition to avoid connection disruptions when a pod no longer signals readiness to process new connections. (cilium/cilium#40969, @joamaki)
  • lxcmap: rollback previous updates on failure in WriteEndpoint (cilium/cilium#40677, @suchit07-git)
  • multicast: fix nil assignment to node configuration cell.Out map (cilium/cilium#40859, @ldelossa)
  • policy: Fix a bug where transient errors in endpoint regeneration lead to broken connectivity. (cilium/cilium#40255, @jrife)

CI Changes:

  • .github/actions: fix boolean condition check in post-logic action (cilium/cilium#41395, @aanm)
  • .github/workflows: separate feature json files in different dirs (cilium/cilium#41403, @aanm)
  • .github/workflows: simplify ginkgo workflow (cilium/cilium#41396, @aanm)
  • .github/workflows: skip IPv6DualStack test (cilium/cilium#41145, @aanm)
  • .github: Run CES migration tests concurrently (cilium/cilium#41162, @joestringer)
  • Add caches to unit tests (cilium/cilium#40388, @aanm)
  • Add linter for metrics parameter matching (cilium/cilium#40863, @joestringer)
  • Add missing fuzzers from cncf-fuzzing project (cilium/cilium#41336, @joestringer)
  • Add retry logic to cosign commands (cilium/cilium#41152, @aanm)
  • Add reusable test config workflow (cilium/cilium#40935, @joestringer)
  • AKS cluster creation action (cilium/cilium#41320, @Artyop)
  • Allow Egress Gateway connectivity tests to run concurrently (cilium/cilium#40980, @tommyp1ckles)
  • ariane: allow for whitespaces after /test command (cilium/cilium#41309, @marseel)
  • bpf/complexity-tests: Improse coverage w.r.t. BPF TPROXY and BPF Host Routing (cilium/cilium#41248, @pchaigno)
  • bpf/tests: add coverage for bpf icmp nodeport snat tests. (cilium/cilium#41142, @tommyp1ckles)
  • bpf/tests: remove v6_ext_node_two_addr in pktgen.h (cilium/cilium#40963, @msune)
  • bpf: fix: Simplify and fix test structure validation logic (cilium/cilium#41139, @jrife)
  • bpf: scapy support (dev. experience) (cilium/cilium#40294, @msune)
  • ci-aks: Enable KPR and BPF masquerading (cilium/cilium#40349, @aditighag)
  • ci: Allow for running scale test for up to 1k nodes (cilium/cilium#40227, @marseel)
  • ci: fix performance testing for tunnel-ipsec (cilium/cilium#40323, @marseel)
  • ci: Gateway API conformance test logic moved to reusable Make target for better maintainability. (cilium/cilium#41038, @pillai-ashwin)
  • ci: Increase timeout for golangci-lint (cilium/cilium#40432, @pippolo84)
  • ci: reduce gke failures (cilium/cilium#41018, @brlbil)
  • ci: reuse common-post-jobs for scalability jobs (cilium/cilium#40535, @marseel)
  • ci: Temporarily disable go caches for privileged unit tests (cilium/cilium#41004, @rastislavs)
  • ci: Temporarily prevent populating go caches for privileged unit tests (cilium/cilium#41069, @rastislavs)
  • ci: update scale-tests-actions to show summary with results (cilium/cilium#40290, @marseel)
  • ci: Use newer lvh image for privileged tests (cilium/cilium#41082, @rastislavs)
  • cli: switch coredns image to registry.k8s.io, and fix renovate (cilium/cilium#40706, @giorio94)
  • contrib/cocci: add hexdump() and hexdump.h include coccinelle rules (cilium/cilium#40930, @msune)
  • Convert policy unit tests to use incremental path (cilium/cilium#39973, @fristonio)
  • Fix multiple workflows with missing features and steps (cilium/cilium#41398, @aanm)
  • Fixed an issue where privileged tests failed locally (cilium/cilium#40150, @AritraDey-Dev)
  • gh: e2e-upgrade: skip even more steps when not downgrading (cilium/cilium#41468, @julianwiedmann)
  • gha: configure read actions permissions for scalability jobs (cilium/cilium#41032, @giorio94)
  • gha: fix operator tolerations in GKE-based workflows (cilium/cilium#40507, @giorio94)
  • github: netpol-e2e: re-raise FD count to 5000 (cilium/cilium#41149, @bimmlerd)
  • GKE cluster creation action (cilium/cilium#41090, @Artyop)
  • gke: Run tests concurrently (cilium/cilium#41191, @joestringer)
  • golangci-lint: use gopacket/gopacket instead of google/gopacket (cilium/cilium#40321, @tklauser)
  • Improved capabilities of verifier complexity tests (cilium/cilium#40367, @dylandreimerink)
  • ipsec: Extend Go tests to cover IPv6 (cilium/cilium#39978, @pchaigno)
  • Make fuzzing infrastructure more reliable (cilium/cilium#41288, @joestringer)
  • make verifier complexity tests on RHEL 8.6 run with mcpu=v3 (cilium/cilium#40390, @dylandreimerink)
  • pkg/metrics: define default CIDR policies values (cilium/cilium#41422, @aanm)
  • renovate: hubble related cleanup (cilium/cilium#38122, @kaworu)
  • Streamline ci-multi-pool workflow (cilium/cilium#40658, @pippolo84)
  • tests: fix ignored unparallel tests (cilium/cilium#41385, @smagnani96)
  • Use fake external target in LVH-based workflows. (cilium/cilium#40640, @gentoo-root)
  • workflows/integration-test: fix Go cache architecture-specific restoration (cilium/cilium#41173, @aanm)
  • workflows: Cover IPv6 underlay with encryption for dual-stack clusters (cilium/cilium#40411, @pchaigno)

Misc Changes:

  • .github/release: Filter out CLI-only release notes (cilium/cilium#40550, @joestringer)
  • .github/workflows: add step 5 as part of the image build process (cilium/cilium#41113, @aanm)
  • .github/workflows: remove threshold 50m to show all files (cilium/cilium#40372, @aanm)
  • .github: add helm in release workflow (cilium/cilium#41189, @aanm)
  • .github: Notify teams as part of filing a CFP (cilium/cilium#39298, @joestringer)
  • .github: renovate add missing configuration for cilium-cli (cilium/cilium#40947, @aanm)
  • @b3a-dev is no longer an active committer (cilium/cilium#40508, @b3a-dev)
  • Add Beatriz Martínez to emeritus (cilium/cilium#40509, @xmulligan)
  • Add documentation and examples for using the egressDeny field in CiliumNetworkPolicy (cilium/cilium#40272, @syedazeez337)
  • Add Kubernetes ServiceAccount to CiliumEndpoint and CiliumEndpointSlice structures (cilium/cilium#41276, @ldelossa)
  • Add more comprehensive icmp6 snat testing (cilium/cilium#40610, @tommyp1ckles)
  • allocator: remove unused Allocator.suffix field (cilium/cilium#40483, @tklauser)
  • bgp,script: Identify gobgp server with name (cilium/cilium#40145, @YutaroHayakawa)
  • bgp: Refactor route policy reconciler (cilium/cilium#40319, @YutaroHayakawa)
  • bgp: Reset peers properly upon policy update with empty MatchNeighbors (cilium/cilium#40339, @YutaroHayakawa)
  • bgpv2: Refactor service route policy rendering logic (cilium/cilium#40123, @rastislavs)
  • bpf/fib: Remove unecessary maybe_unused (cilium/cilium#41301, @pchaigno)
  • bpf/tests/scapy: add v6 addrs and fix existing (cilium/cilium#40990, @msune)
  • bpf/tests/scapy: improve README.md guide (cilium/cilium#41086, @msune)
  • bpf/tests/scapy: show pkt diffs on assertion failures and improve outputs (cilium/cilium#41124, @msune)
  • bpf/tests: port L2 IPv6 announce to scapy and some cleanups (cilium/cilium#41071, @msune)
  • bpf/tests: remove unused method mock_ctx_redirect_peer (cilium/cilium#40588, @Andreagit97)
  • bpf: Add check for null state in snat_v6_nat (cilium/cilium#40991, @rastislavs)
  • bpf: built-in support for up to 128 bytes (cilium/cilium#41017, @msune)
  • bpf: encrypt: unify overlay handling (cilium/cilium#39660, @julianwiedmann)
  • bpf: fix invalid escape sequence ‘(’ warning (cilium/cilium#40964, @msune)
  • bpf: gitignore CLANG tmp files (*.o.tmp) (cilium/cilium#40694, @msune)
  • bpf: lxc: don’t special-case the RevDNAT path for IPsec configs (cilium/cilium#41487, @julianwiedmann)
  • bpf: minor svc wildcard followups/fixes (cilium/cilium#41470, @borkmann)
  • bpf: Skip E/W translation for proxy delegation (cilium/cilium#40573, @borkmann)
  • bpf: wireguard: re-add IPv6 fragment check in from-wireguard (cilium/cilium#41451, @julianwiedmann)
  • build: Don’t include bpf test files in cilium image (cilium/cilium#40634, @HadrienPatte)
  • build: Enforce docker build checks (cilium/cilium#40528, @HadrienPatte)
  • build: Only copy bpftool binary from bpftool image (cilium/cilium#40469, @HadrienPatte)
  • build: Update compilers and tester base images (cilium/cilium#40422, @HadrienPatte)
  • cec: introduce annotation to control use-original-source-address (cilium/cilium#40707, @mhofstetter)
  • cec: introduce annotation to override IsL7LB detection during CEC parsing (cilium/cilium#40570, @mhofstetter)
  • ces: refactor and clean up (cilium/cilium#40789, @jshr-w)
  • checkpatch: Update image digest (cilium/cilium#41360, @HadrienPatte)
  • chore(deps): update actions/download-artifact action to v5 (main) (cilium/cilium#41052, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (cilium/cilium#40503, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (cilium/cilium#40600, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (cilium/cilium#40896, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (cilium/cilium#41053, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (cilium/cilium#41348, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (cilium/cilium#41436, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (patch) (cilium/cilium#40594, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#40261, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#40362, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#40595, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#40672, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#40889, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#41048, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (cilium/cilium#40366, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (cilium/cilium#40465, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (cilium/cilium#40596, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (cilium/cilium#40739, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (cilium/cilium#40893, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (cilium/cilium#41046, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (cilium/cilium#41340, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (cilium/cilium#41358, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (cilium/cilium#41433, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.18.5 (main) (cilium/cilium#40333, @cilium-renovate[bot])
  • chore(deps): update cilium/cilium-cli action to v0.18.6 (main) (cilium/cilium#40890, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/little-vm-helper to v0.0.25 (main) (cilium/cilium#40380, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/little-vm-helper to v0.0.26 (main) (cilium/cilium#40495, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.24.4 docker digest to 20a022e (main) (cilium/cilium#40379, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.24.5 docker digest to ef5b4be (main) (cilium/cilium#40738, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.25.0 docker digest to 5502b0e (main) (cilium/cilium#41343, @cilium-renovate[bot])
  • chore(deps): update go to v1.24.5 (main) (cilium/cilium#40496, @cilium-renovate[bot])
  • chore(deps): update go to v1.24.6 (main) (cilium/cilium#40992, @cilium-renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v2.2.1 (main) (cilium/cilium#40382, @cilium-renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v2.2.2 (main) (cilium/cilium#40498, @cilium-renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v2.3.0 (main) (cilium/cilium#40644, @cilium-renovate[bot])
  • chore(deps): update golangci/golangci-lint docker tag to v2.3.1 (main) (cilium/cilium#40891, @cilium-renovate[bot])
  • chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (main) (cilium/cilium#41318, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.1-1752029260-6675448d88d49594fff5ac5d9786c51378263b9d (main) (cilium/cilium#40431, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.0-1754542821-43b62ac18029bf5e22cbcc9e7141ee55eb09555d (main) (cilium/cilium#40986, @cilium-renovate[bot])
  • chore(deps): update renovate dependencies to v41.31.1 (main) (cilium/cilium#40501, @cilium-renovate[bot])
  • chore(deps): update renovate dependencies to v41.40.0 (main) (cilium/cilium#40599, @cilium-renovate[bot])
  • chore(deps): update renovate dependencies to v41.43.5 (main) (cilium/cilium#40740, @cilium-renovate[bot])
  • chore(deps): update renovate dependencies to v41.51.0 (main) (cilium/cilium#40894, @cilium-renovate[bot])
  • chore(deps): update renovate dependencies to v41.60.3 (main) (cilium/cilium#41050, @cilium-renovate[bot])
  • chore(deps): update renovate dependencies to v41.83.1 (main) (cilium/cilium#41346, @cilium-renovate[bot])
  • ci: filter runner upgrade for old stable branches (cilium/cilium#40716, @Artyop)
  • ci: fix renovate hourly and concurrent pr count (cilium/cilium#40654, @Artyop)
  • ci: regex update variable runners (cilium/cilium#40921, @Artyop)
  • ci: remove filter for runner update in lint wfs (cilium/cilium#40683, @Artyop)
  • ci: Update workflow permissions (cilium/cilium#41383, @kyle-c-simmons)
  • Cilium EndpointSlices: fix label values for the ces_sync_total metric (cilium/cilium#40817, @antonipp)
  • Cilium monitor now shows Socket LB trace events when Socket LB is enabled for host namespace only (cilium/cilium#40943, @eddyduer)
  • Cilium’s Gateway API reconciler has been completely refactored and should be more reliable and performant as a result. (cilium/cilium#41232, @youngnick)
  • cilium, socklb: Add a flag for opting into terminating all protos (cilium/cilium#40479, @borkmann)
  • cilium, socklb: Terminate both UDP and TCP sockets (cilium/cilium#40304, @borkmann)
  • cilium-cli: report openshift detection in feature status (cilium/cilium#41328, @aanm)
  • cilium-dbg: Rename “statedb dump” to just “statedb” (cilium/cilium#40917, @joamaki)
  • Cleanup daemon options and move validation (cilium/cilium#40409, @tklauser)
  • clustermesh: improve logic to report back IPs from the derived service to the ServiceImport (cilium/cilium#40732, @MrFreezeex)
  • cni: Avoid lockfile leak on context timeout (cilium/cilium#40958, @joestringer)
  • CODEOWNERS: move pkg/logging to sig-agent (cilium/cilium#40296, @squeed)
  • CODEOWNERS: Update for common release files (cilium/cilium#32327, @joestringer)
  • codeowners: update l7lb & pod-to-ingress connectivity-test ownership (cilium/cilium#41144, @mhofstetter)
  • contrib: update verifier_diff.py to new formats (cilium/cilium#41400, @smagnani96)
  • Convert bpf endpoint config macros to load time config (cilium/cilium#40430, @fristonio)
  • Corrected logic for adding tolerations key in helm template for cilium-operator deployment (cilium/cilium#40938, @walnuts1018)
  • daemon: remove useless error log (cilium/cilium#41097, @imroc)
  • datapath: remove unused IPV4_MASK define (cilium/cilium#40961, @tklauser)
  • datapath: Use go 1.23 timers (cilium/cilium#41040, @HadrienPatte)
  • Disable host firewall bypass by default (cilium/cilium#40691, @marseel)
  • doc,bgp: Update prefix aggregation documentation (cilium/cilium#40586, @YutaroHayakawa)
  • docker: order dockerignore rules by depth to include nested targets.o (cilium/cilium#40952, @smagnani96)
  • docs: add batumbu to USERS.md (cilium/cilium#40926, @gustysap)
  • docs: add link to Slack Guidelines (cilium/cilium#40484, @xmulligan)
  • docs: Add missing dsrDispatch parameter to annotation-based DSR examples (cilium/cilium#40873, @gitsofaryan)
  • docs: clarify kernel config dependencies for CONFIG_FIB_RULES on embedded/custom Linux (cilium/cilium#40168, @theoDev-alt)
  • docs: clarify Prometheus annotation logic for metrics (cilium/cilium#40532, @RayyanSeliya)
  • docs: Clarify use of routing table IDs in Cilium. (cilium/cilium#40248, @nocturo)
  • docs: enable debug information before first authentication in mutual auth example (cilium/cilium#40940, @sudeephb)
  • docs: Enhance DSR with Geneve (cilium/cilium#40626, @alagoutte)
  • docs: fix typo in ipsec vs wireguard comparison (cilium/cilium#40761, @jwswj)
  • docs: Format masquerading docs (cilium/cilium#41285, @joestringer)
  • docs: include KubeCon talk showing Cilium, Prometheus & Grafana (cilium/cilium#41311, @lizrice)
  • docs: Remove stale mention of externalIPs.enabled (cilium/cilium#41044, @nueavv)
  • docs: Update docker images development documentation (cilium/cilium#40299, @HadrienPatte)
  • docs: update FakeClientCell reference (cilium/cilium#40334, @emmanuel-ferdman)
  • docs: Update Gateway API docs to reference Gateway API v1.3.0 (cilium/cilium#40825, @Untersander)
  • docs: update mutual auth example (cilium/cilium#40510, @ep4sh)
  • docs: Update theme to add dark mode support (cilium/cilium#41174, @qmonnet)
  • Don’t enable host firewall bypass unless host firewall is enabled (cilium/cilium#40942, @atykhyy)
  • endpoint: reduce missed-policy-update log severity for restoring eps (cilium/cilium#41095, @fristonio)
  • endpoint: remove explicit debug log checks (cilium/cilium#40486, @tklauser)
  • Enhance error context in pkg/datapath/loader/netlink.go for easier debugging (cilium/cilium#40734, @iwanhae)
  • envoy: update to latest version and import DNS cluster extension (cilium/cilium#40343, @mhofstetter)
  • examples: Update httpbin example for Istio latest release compatibility (cilium/cilium#40151, @AritraDey-Dev)
  • feat(sdp): Cilium agent server handling SDP conn (cilium/cilium#39220, @vipul-21)
  • feat(sdp): interaction flow between cells for standalone dns proxy (cilium/cilium#40982, @vipul-21)
  • Fix misc typos (cilium/cilium#40769, @HadrienPatte)
  • fix(deps): update all go dependencies main (main) (cilium/cilium#40325, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (cilium/cilium#40383, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (cilium/cilium#40499, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (cilium/cilium#40593, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (cilium/cilium#40897, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (cilium/cilium#41047, @cilium-renovate[bot])
  • fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#40597, @cilium-renovate[bot])
  • fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#40895, @cilium-renovate[bot])
  • fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#41049, @cilium-renovate[bot])
  • fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#41345, @cilium-renovate[bot])
  • fix(deps): update kubernetes packages to v0.33.3 (main) (cilium/cilium#40598, @cilium-renovate[bot])
  • fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.231.0 (main) (cilium/cilium#40502, @cilium-renovate[bot])
  • fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.236.0 (main) (cilium/cilium#40741, @cilium-renovate[bot])
  • fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azcore to v1.18.1 (main) (cilium/cilium#40500, @cilium-renovate[bot])
  • fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azcore to v1.18.2 (main) (cilium/cilium#40892, @cilium-renovate[bot])
  • fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azcore to v1.19.0 (main) (cilium/cilium#41347, @cilium-renovate[bot])
  • fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azidentity to v1.11.0 (main) (cilium/cilium#41051, @cilium-renovate[bot])
  • fix(deps): update module github.com/docker/docker to v28.3.3+incompatible [security] (main) (cilium/cilium#40792, @cilium-renovate[bot])
  • fix(deps): update module github.com/go-openapi/errors to v0.22.2 (main) (cilium/cilium#41063, @cilium-renovate[bot])
  • fix(deps): update module helm.sh/helm/v3 to v3.18.4 [security] (main) (cilium/cilium#40429, @cilium-renovate[bot])
  • fix: eBPF logo (cilium/cilium#41367, @xmulligan)
  • fqdn/proxy: remove unused MockFQDNProxy (cilium/cilium#40534, @tklauser)
  • fqdn/restore: remove test-only Sort methods (cilium/cilium#40681, @tklauser)
  • fqdn: clean up regex cache (cilium/cilium#40365, @squeed)
  • go.mod, vendor: pull in charts for Cilium 1.18.0 and Tetragon 1.5.0 (cilium/cilium#40823, @tklauser)
  • go.mod: use go 1.25 (cilium/cilium#41100, @bimmlerd)
  • helm: improve k8sServiceHost automatic lookup function (cilium/cilium#41291, @iuriaranda)
  • helm: misc small cleanups with certgen job spec (cilium/cilium#40628, @MrFreezeex)
  • helm: support extending cilium-operator volumes and clustermesh-apiserver arguments (cilium/cilium#41246, @giorio94)
  • images/builder: add python3 scapy dependency (bis) (cilium/cilium#40874, @msune)
  • images/builder: add python3 scapy dependency (cilium/cilium#40838, @msune)
  • images: Remove unused install-builder-deps.sh script (cilium/cilium#40870, @qmonnet)
  • images: update cilium-builder (cilium/cilium#40560, @jrife)
  • Improve logs around ipcache upserts (cilium/cilium#40866, @kamilWyszynski1)
  • Include bgp remote peer capabilities in the sysdump (cilium/cilium#40719, @liyihuang)
  • ip-masq-agent: refactor into a Hive Cell (cilium/cilium#40347, @antonipp)
  • ipam/multipool: Update local node on CiliumNode changes (cilium/cilium#41302, @joamaki)
  • ipcache: simplify generateUniqueCIDRs test helper (cilium/cilium#40945, @tklauser)
  • ipcache: slightly reduce API surface (cilium/cilium#40671, @tklauser)
  • ipsec: keep SPI in sync between keyCustodian and BPF map (cilium/cilium#41456, @smagnani96)
  • k8s: cleanup old Endpoints/beta EndpointSlices/Lease code (cilium/cilium#40555, @marseel)
  • k8s: remove a bunch of unused code (cilium/cilium#40816, @tklauser)
  • k8s: Skip endpoints without conditions (cilium/cilium#41234, @joamaki)
  • loadbalancer: Shrink BackendParams (cilium/cilium#40826, @joamaki)
  • loader: Flush BTF cache after loading bpf_sock_term programs (cilium/cilium#41009, @jrife)
  • Log kube-proxy replacement config before starting kube-proxy replacement (cilium/cilium#41133, @liyihuang)
  • Log whether CES is enabled in CID controller (cilium/cilium#41023, @kamilWyszynski1)
  • lower log severity for stale metadata to avoid CI issue (cilium/cilium#41389, @liyihuang)
  • MAINTAINERS: Add Marcel Zięba (cilium/cilium#41284, @joestringer)
  • MAINTAINERS: Move Ian to Emeritus (cilium/cilium#40833, @joestringer)
  • MAINTAINERS: New emeritus commiter (cilium/cilium#40821, @vadorovsky)
  • MAINTAINERS: New emeritus committer (cilium/cilium#40767, @xmulligan)
  • metrics/features: Fix counter metrics to use Set() instead of Add() (cilium/cilium#41382, @aanm)
  • Miscellaneous improvements to option.NewNamedMapOptions (cilium/cilium#40529, @giorio94)
  • Miscellaneous improvements to the gneigh subsystem (cilium/cilium#40939, @giorio94)
  • Modularization of WireGuard Agent. (cilium/cilium#40360, @smagnani96)
  • monitor/format: use MonitorFormatter to print on any bufio.Writer and not just on Stdout (cilium/cilium#39957, @Andreagit97)
  • multicast: use Go 1.20 slice-to-array conversion for SolicitedNodeMaddr() (cilium/cilium#40591, @suchit07-git)
  • node: Implement LocalNodeStore as StateDB table (cilium/cilium#40918, @joamaki)
  • nodediscovery: Do not log error on kvstore update if context cancelled (cilium/cilium#41315, @joamaki)
  • nodediscovery: remove unused WaitForLocalNodeInit function (cilium/cilium#40657, @giorio94)
  • operator: Attach context to logs when available (cilium/cilium#39728, @HadrienPatte)
  • operator: Modularize kvstore lock sweeper (cilium/cilium#40249, @pippolo84)
  • pkg/bpf/collection: Temporarily don’t error on unused maps (cilium/cilium#41379, @dylandreimerink)
  • plugins: Don’t install CNI conf in container image (cilium/cilium#39516, @joestringer)
  • plugins: Fix cilium-cni build for kind-image-fast (cilium/cilium#41270, @gandro)
  • pprof: support mutex contention and blocked goroutine profiling (cilium/cilium#41154, @antonipp)
  • Prepare for v1.19 development cycle (cilium/cilium#40238, @joestringer)
  • proxy/proxyports: move test-only code and use fake datapath iptables manager (cilium/cilium#40637, @tklauser)
  • README: Update releases (cilium/cilium#40309, @joestringer)
  • README: Update releases (cilium/cilium#40547, @aanm)
  • README: Update releases (cilium/cilium#41187, @aanm)
  • refactor ciliumidentity tests and export helper functions (cilium/cilium#40773, @jshr-w)
  • refactor: Add proxy lookup handler cell for DNS policy enforcement (cilium/cilium#40882, @vipul-21)
  • refactor: cleanups in unparallel tests and replace netlink with safenetlink (cilium/cilium#41363, @smagnani96)
  • Remove failsafe checks for deprecated single CIDR options (cilium/cilium#40258, @ldlb9527)
  • renovate: add more trusted dependencies for auto-merge (cilium/cilium#40948, @aanm)
  • renovate: Allow updates of images from the image-tools repo (cilium/cilium#41230, @HadrienPatte)
  • renovate: Bump cilium-envoy version for stable branches (cilium/cilium#40364, @sayboras)
  • renovate: Correct branch typo for cilium-envoy (cilium/cilium#40461, @sayboras)
  • renovate: Fix go-github exclusion rule (cilium/cilium#40911, @HadrienPatte)
  • renovate: Rebase if dont-merge/needs-rebase label is set (cilium/cilium#41271, @HadrienPatte)
  • Revert “endpoint, policy: Don’t accidentally clear out endpoint policy maps” (cilium/cilium#40695, @joestringer)
  • Revert “k8s: Update tests and libraries to v1.34.0-rc.1” (cilium/cilium#41143, @sayboras)
  • Revert “loadbalancer: increase timeout for initial sync” (cilium/cilium#40668, @YutaroHayakawa)
  • Revert “Update .readthedocs.yaml” (cilium/cilium#40517, @joestringer)
  • Revert commit 59b97eee28b7 (“maps/policymap, daemon: Create policy maps from daemon”) (cilium/cilium#40257, @atykhyy)
  • shell: don’t reconnect on connection close (cilium/cilium#40950, @bimmlerd)
  • shell: Prevent server error on graceful shutdown (cilium/cilium#41401, @HadrienPatte)
  • slices: add map helper function (cilium/cilium#41282, @giorio94)
  • sockets: In socket-LB mode, terminate sockets connected to deleted backends using BPF socket iterators. (cilium/cilium#38693, @jrife)
  • Support triggering Makefiles from outside of the tree (cilium/cilium#40286, @sayboras)
  • Support WireGuard with IPv6 Underlay (cilium/cilium#40051, @pchaigno)
  • tools/dev-doctor: remove vagrant dev VM specific checks (cilium/cilium#40536, @tklauser)
  • treewide: Centralize goleak options to pkg/testutils (cilium/cilium#41129, @joamaki)
  • Update .readthedocs.yaml to generate pdfs and epubs (cilium/cilium#40330, @skewballfox)
  • Update all github action dependencies (main) (cilium/cilium#41212, @cilium-renovate[bot])
  • Update all github action dependencies (main) (patch) (cilium/cilium#41205, @cilium-renovate[bot])
  • Update all go dependencies main (main) (cilium/cilium#41203, @cilium-renovate[bot])
  • Update all lvh-images main (main) (patch) (cilium/cilium#41206, @cilium-renovate[bot])
  • Update all-dependencies (main) (cilium/cilium#41125, @cilium-renovate[bot])
  • Update all-dependencies (main) (cilium/cilium#41175, @cilium-renovate[bot])
  • Update aws-sdk-go-v2 monorepo (main) (cilium/cilium#41208, @cilium-renovate[bot])
  • Update dependency protocolbuffers/protobuf to v32 (main) (cilium/cilium#41213, @cilium-renovate[bot])
  • Update docker.io/alpine/socat:1.8.0.3 Docker digest to 29d0f24 (main) (cilium/cilium#41204, @cilium-renovate[bot])
  • Update Functionality Overview in README (cilium/cilium#40275, @xmulligan)
  • Update Go to v1.25.0 (main) (cilium/cilium#41209, @cilium-renovate[bot])
  • Update golangci/golangci-lint Docker tag to v2.4.0 (main) (cilium/cilium#41210, @cilium-renovate[bot])
  • Update kubernetes packages to v0.33.4 (main) (cilium/cilium#41207, @cilium-renovate[bot])
  • Update maintainer affiliations (cilium/cilium#40511, @xmulligan)
  • Update makefile in containerlab/bgpv2 from hardcode to dynamic stable version and new logic to handle local image for development environments. (cilium/cilium#40726, @liyihuang)
  • Update module helm.sh/helm/v3 to v3.18.5 [SECURITY] (main) (cilium/cilium#41156, @cilium-renovate[bot])
  • Update renovate dependencies to v41.76.0 (main) (cilium/cilium#41211, @cilium-renovate[bot])
  • v1.18.0: drop support for 1.15 and add v1.18 (cilium/cilium#40781, @aanm)
  • vendor,treewide: Bump to StateDB v0.5.0 and update API usage (cilium/cilium#41002, @joamaki)
  • vendor: Prevent renovate from updating gobgp dependency (cilium/cilium#40612, @HadrienPatte)
  • vendor: Update Azure SDK armcompute module to v7 (cilium/cilium#40718, @HadrienPatte)
  • vendor: Update github.com/google/go-github to v73 (cilium/cilium#40326, @HadrienPatte)
  • version: parse Cilium version string only once (cilium/cilium#40652, @tklauser)
  • xds: optimize log message of waiting for proxy update (cilium/cilium#41190, @mhofstetter)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.0-pre.0@sha256:02d8349bea5a6a0c19dc9a8b58fef113c7b57e7480302c06f7f7d438f75982e6

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.0-pre.0@sha256:6f287a8fab9771088117e9d93cc5e2a2ef6951002fe924aaea86f9ec2dca3cdd

docker-plugin

quay.io/cilium/docker-plugin:v1.19.0-pre.0@sha256:b9850ec9b3e45240261ed0e798c1d24822ec020a8c9bacdcb92e2cceda8cd138

hubble-relay

quay.io/cilium/hubble-relay:v1.19.0-pre.0@sha256:584cfccd3f3a3f8e791767bace0e7563c2fc9f630b0a7986fa00f8debbd5d751

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.0-pre.0@sha256:0638e3f906a327f2adcd427cef73841da5ed458e06da5ca686ec68f127de5dea

operator-aws

quay.io/cilium/operator-aws:v1.19.0-pre.0@sha256:7f34d0a22ab307be575528f3828f3ee0ef72c37dfdfae449e434aa32ae94aa77

operator-azure

quay.io/cilium/operator-azure:v1.19.0-pre.0@sha256:905996bce67b9d99c20de0bdc51d89381ec7c257340d8da6ebfa9c65c9852f20

operator-generic

quay.io/cilium/operator-generic:v1.19.0-pre.0@sha256:84c935be65c01c5298764def57a147ca130267c070ce970473a8f40b29c61c7e

operator

quay.io/cilium/operator:v1.19.0-pre.0@sha256:bc1df458f342e74c2143664458e8caaff6c3d0f62bd7f3a9b0ea1e7f9f19d4b3

Cilium V1.18.3 Release NoteCilium V1.19.0 Pre.1 Release Note