fix(deps): update module github.com/cilium/cilium to v1.16.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cilium/cilium	v1.16.1 -> v1.16.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-52529

Impact

For users with the following configuration:

• An allow policy that selects a Layer 3 identity and a port range AND
• A Layer 7 allow policy that selects a specific port within the first policy's range

then Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy.

This issue only affects users who use Cilium's port range functionality, which was introduced in Cilium v1.16.

For reference, an example of a pair of policies that would trigger this issue is:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "layer-3-and-4"
spec:
  endpointSelector:
    matchLabels:
      app: service
  ingress:
    - fromCIDR:
      - 192.168.60.0/24
      toPorts:
      - ports:
        - port: "80"
          endPort: 444
          protocol: TCP

and

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "layer-4-and-7"
spec:
  endpointSelector:
    matchLabels:
      app: service
  ingress:
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/public"

In the above example, requests would be permitted to all HTTP paths on matching endpoints, rather than just GET requests to the /public path as intended by the layer-4-and-7 policy. In patched versions of Cilium, the layer-4-and-7 rule would take precedence over the layer-3-and-4 rule.

Patches

This issue is patched in https://github.com/cilium/cilium/pull/35150.

This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive.

This issue is patched in Cilium v1.16.4.

Workarounds

Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​jrajahalme for resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.16.4: 1.16.4

Compare Source

Security Advisories

This release addresses GHSA-xg58-75qf-9r67.

Summary of Changes

Minor Changes:

• Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #​35908, Upstream PR #​35809, @​jrajahalme)
• clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #​35543, Upstream PR #​35349, @​giorio94)
• helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport PR #​35781, Upstream PR #​35630, @​chancez)
• helm: New socketLB.tracing flag (Backport PR #​35781, Upstream PR #​35747, @​pchaigno)
• hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #​35781, Upstream PR #​35632, @​chancez)
• netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #​35543, Upstream PR #​35306, @​jrife)

Bugfixes:

• Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #​35468, Upstream PR #​35179, @​wedaly)
• bgpv1: fix reconciliation of services with shared VIPs (Backport PR #​35468, Upstream PR #​35333, @​rastislavs)
• bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #​35863, Upstream PR #​35690, @​YutaroHayakawa)
• bgpv2: set local peering address when specified (Backport PR #​35781, Upstream PR #​35552, @​harsimran-pabla)
• Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #​35603, Upstream PR #​35150, @​jrajahalme)
• Cilium's DNS proxy no longer gets stuck for a specific five-tuple if an timeout waiting for response error is encountered. (Backport PR #​35781, Upstream PR #​35589, @​bimmlerd)
• config: Remove superfluous warning on native routing CIDR (Backport PR #​35781, Upstream PR #​35738, @​gandro)
• Fix missing flowlabel hash on SRv6 traffic. (Backport PR #​35781, Upstream PR #​35498, @​akaliwod)
• Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #​35543, Upstream PR #​35173, @​smagnani96)
• Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR #​35781, Upstream PR #​35673, @​giorio94)
• Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR #​35468, Upstream PR #​35165, @​julianwiedmann)
• Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #​35908, Upstream PR #​35694, @​julianwiedmann)
• Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR #​35781, Upstream PR #​35599, @​squeed)
• Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR #​35543, Upstream PR #​35293, @​squeed)
• Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR #​35906, Upstream PR #​35890, @​squeed)
• Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#​35611, @​pippolo84)
• helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR #​35319, Upstream PR #​35301, @​hox)
• helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (Backport PR #​35781, Upstream PR #​35703, @​solidDoWant)
• helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR #​35781, Upstream PR #​35674, @​ayuspin)
• hubble: fix endpoint cluster name (Backport PR #​35781, Upstream PR #​35415, @​kaworu)
• hubble: Lock exporters while gathering metrics (Backport PR #​35908, Upstream PR #​35860, @​joestringer)
• Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. (Backport PR #​35781, Upstream PR #​35143, @​jrajahalme)
• ipam: Validate CiliumNode resource in ENI mode (Backport PR #​35792, Upstream PR #​35784, @​sayboras)
• l7lb: fix registration of flag loadbalancer-l7 (Backport PR #​35781, Upstream PR #​35623, @​mhofstetter)
• Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR #​35319, Upstream PR #​35069, @​chancez)
• option: Reduce log level for WG strict mode + IPv6 (Backport PR #​35908, Upstream PR #​35763, @​pchaigno)
• Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport PR #​35468, Upstream PR #​35381, @​jrajahalme)
• treewide: Add wrapper for netlink functions that may fail with ErrDumpInterrupted (Backport PR #​35654, Upstream PR #​35614, @​gandro)
• wireguard: Fix connectivity issues following node reboots. (Backport PR #​35908, Upstream PR #​35750, @​jrife)

CI Changes:

• .github/conformance-ginkgo: replace deprecated jq flag (Backport PR #​35468, Upstream PR #​35399, @​aanm)
• .github: extend timeout for tests-ipsec-upgrade workflow (Backport PR #​35781, Upstream PR #​35657, @​rastislavs)
• .github: remove libncurses5 from integration tests (Backport PR #​35468, Upstream PR #​35408, @​aanm)
• [v1.16] gh: e2e-upgrade: restart LRP backend pod after upgrade (#​35329, @​ysksuzuki)
• [v1.16] github: update rhel8 LVH image to rhel8.6 (#​35733, @​julianwiedmann)
• Additionally test KVStore mode in E2E/IPSec workflows (Backport PR #​35905, Upstream PR #​35679, @​giorio94)
• ci: conformance-kind: re-enable flaky Aggregator test (Backport PR #​35582, Upstream PR #​35286, @​julianwiedmann)
• ci: datapath-verifier: bump lvh images (Backport PR #​35648, Upstream PR #​35456, @​julianwiedmann)
• gha: Update chmod command (Backport PR #​35468, Upstream PR #​35400, @​sayboras)
• github: Pass the workflow step timeout to go test (Backport PR #​35908, Upstream PR #​35814, @​jrajahalme)
• Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport PR #​35319, Upstream PR #​35267, @​aanm)
• workflows/gateway-api: Cover IPsec with GatewayAPI (Backport PR #​35908, Upstream PR #​35584, @​pchaigno)
• workflows/ingress: Run basic checks (Backport PR #​35908, Upstream PR #​35683, @​pchaigno)
• workflows/ipsec: Cover Ingress (Backport PR #​35908, Upstream PR #​35476, @​pchaigno)
• workflows: Extend IPsec tests to cover egress gateway (Backport PR #​35540, Upstream PR #​35323, @​pchaigno)

Misc Changes:

• .github/build-images-base: checkout base branch to get scripts (Backport PR #​35319, Upstream PR #​35236, @​aanm)
• .github: remove retention days for image digests (Backport PR #​35468, Upstream PR #​35457, @​aanm)
• bpf: vxlan helper improvements (Backport PR #​35543, Upstream PR #​34755, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​35382, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35439, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35573, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35710, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35438, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.16) (#​35730, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to b274ff1 (v1.16) (#​35379, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.9 (v1.16) (#​35854, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.16) (#​35491, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​35731, @​cilium-renovate[bot])
• cilium, docs: Extend requirements for L7 proxy (Backport PR #​35781, Upstream PR #​35669, @​borkmann)
• cilium: add probe for netkit for more user friendly error when not supported (Backport PR #​35781, Upstream PR #​35551, @​borkmann)
• ctrl-runtime: lower severity of retryable reconcile errors (Backport PR #​35592, Upstream PR #​35364, @​giorio94)
• daemon: Reduce level of socket LB tracing warning (Backport PR #​35908, Upstream PR #​35798, @​pchaigno)
• datapath: move policy map value prefix length to flags (Backport PR #​35603, Upstream PR #​35534, @​jrajahalme)
• dnsproxy: fix error when sessionUDPFactory fails (Backport PR #​35543, Upstream PR #​33998, @​marseel)
• docs/ipsec: Remove KPR limitation (Backport PR #​35908, Upstream PR #​35743, @​pchaigno)
• docs/xfrm: Fix incorrect statement regarding XFRM IN policies (Backport PR #​35781, Upstream PR #​35626, @​pchaigno)
• docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport PR #​35319, Upstream PR #​35288, @​oneumyvakin)
• docs: clean up stale kernel requirements (Backport PR #​35582, Upstream PR #​35575, @​julianwiedmann)
• docs: Fix incorrect link to RFC 4271 for BGP control plane timers. (Backport PR #​35781, Upstream PR #​35725, @​nvibert)
• docs: kpr: update error message regarding SocketLB tracing (Backport PR #​35468, Upstream PR #​35337, @​julianwiedmann)
• docs: tuning: XDP LB also supports tunnel routing (Backport PR #​35582, Upstream PR #​35574, @​julianwiedmann)
• docs: update 1.16 upgrade note for LRP (#​35944, @​ysksuzuki)
• docs: update default identity label filters (Backport PR #​35468, Upstream PR #​35422, @​marseel)
• docs: XFRM reference guide for IPsec development (Backport PR #​35582, Upstream PR #​35322, @​pchaigno)
• Envoy simplify listener setup (Backport PR #​35764, Upstream PR #​35642, @​jrajahalme)
• envoy: Configure internal_address_config to avoid warning log (Backport PR #​35471, Upstream PR #​35090, @​sayboras)
• envoy: Limit started serving logging to the typeURL of the stream (Backport PR #​35781, Upstream PR #​35736, @​jrajahalme)
• Fix wrongly spelled config option in error message (Backport PR #​35543, Upstream PR #​35390, @​baurmatt)
• helm: clarify text for serviceNoBackendResponse (Backport PR #​35908, Upstream PR #​35734, @​julianwiedmann)
• hubble: Add 'release' Make target (Backport PR #​35781, Upstream PR #​35561, @​michi-covalent)
• image: Use cilium-builder instead of golang as operator builder image (Backport PR #​35781, Upstream PR #​35351, @​learnitall)
• iptables: always warn about missing xt_socket module (Backport PR #​35781, Upstream PR #​35591, @​julianwiedmann)
• makefile: add target to install Cilium in kvstore mode (Backport PR #​35905, Upstream PR #​35646, @​giorio94)
• proxy: Ensure proxy ports are written on shutdown (Backport PR #​35908, Upstream PR #​35839, @​jrajahalme)
• Silence spurious clustermesh-related warnings (Backport PR #​35850, Upstream PR #​35867, @​giorio94)

Other Changes:

• [v1.16] envoy: Add configuration for OverloadManager (#​35787, @​sayboras)
• [v1.16] envoy: Bump envoy version from 1.29.x to 1.30.x (#​35563, @​sayboras)
• [v1.16] policy/correlation: Fix PolicyMatch{L3Proto,L4Only} case (#​35681, @​gandro)
• chore(deps): update cilium-envoy dependency (#​35920, @​sayboras)
• install: Update image digests for v1.16.3 (#​35361, @​cilium-release-bot[bot])
• Policy add deny rule test and benchmark (#​35714, @​jrajahalme)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.4@​sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
quay.io/cilium/cilium:stable@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.4@​sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2
quay.io/cilium/clustermesh-apiserver:stable@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2

docker-plugin

quay.io/cilium/docker-plugin:v1.16.4@​sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e
quay.io/cilium/docker-plugin:stable@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e

hubble-relay

quay.io/cilium/hubble-relay:v1.16.4@​sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
quay.io/cilium/hubble-relay:stable@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.4@​sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686
quay.io/cilium/operator-alibabacloud:stable@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686

operator-aws

quay.io/cilium/operator-aws:v1.16.4@​sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be
quay.io/cilium/operator-aws:stable@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be

operator-azure

quay.io/cilium/operator-azure:v1.16.4@​sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de
quay.io/cilium/operator-azure:stable@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de

operator-generic

quay.io/cilium/operator-generic:v1.16.4@​sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
quay.io/cilium/operator-generic:stable@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5

operator

quay.io/cilium/operator:v1.16.4@​sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff
quay.io/cilium/operator:stable@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff

v1.16.3: 1.16.3

Compare Source

Summary of Changes

Bugfixes:

• bgpv2: fix reconciliation of services with shared VIPs (Backport PR #​35274, Upstream PR #​35166, @​rastislavs)
• bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (Backport PR #​35036, Upstream PR #​34976, @​rastislavs)
• bpf: nat: recreate a NAT entry if the packet hits the stale entry (Backport PR #​35036, Upstream PR #​34913, @​ysksuzuki)
• bugtool: fix cilium-health command (Backport PR #​35274, Upstream PR #​35068, @​ayuspin)
• Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (Backport PR #​35036, Upstream PR #​34941, @​bimmlerd)
• Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (Backport PR #​35036, Upstream PR #​34789, @​tommyp1ckles)
• Fix parameter check to forbid IPAM ENI with TUNNEL routing, and prevent agent segfault when also IPSec is enabled. (Backport PR #​34918, Upstream PR #​34651, @​smagnani96)
• Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport PR #​35036, Upstream PR #​34783, @​dylandreimerink)
• Fixed bug in tracking policy changes that could have resulted in revert not woking in failure cases as expected. (Backport PR #​35274, Upstream PR #​35109, @​jrajahalme)
• Fixed bug where service id allocator would loop infinity when out of service ids (Backport PR #​35274, Upstream PR #​35033, @​WeeNews)
• Fixes startup fatal error when updating CiliumNode resource. (Backport PR #​34918, Upstream PR #​34862, @​harsimran-pabla)
• gateway-api: Align GRPCRoute matchers with GEP specification (Backport PR #​35274, Upstream PR #​34808, @​cfsnyder)
• helm template function no longer errors when using k8sServiceHost: auto (Backport PR #​35274, Upstream PR #​35186, @​kreeuwijk)
• hubble: add printer for lost events (Backport PR #​35274, Upstream PR #​35208, @​aanm)
• ipcache: Yet another refcounting fix with mix of APIs (Backport PR #​35036, Upstream PR #​34715, @​gandro)
• netkit: Allow ARP packets through when using host firewall. (Backport PR #​35274, Upstream PR #​35070, @​jrife)
• wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (Backport PR #​35115, Upstream PR #​34612, @​jrife)

CI Changes:

• .github/lint-build-commits: fix workflow for push events (Backport PR #​35274, Upstream PR #​35264, @​aanm)
• .github: create cache directories on cache miss (Backport PR #​35157, Upstream PR #​35088, @​aanm)
• .github: do not push floating tag from PRs (Backport PR #​35230, Upstream PR #​35227, @​aanm)
• .github: install golang action after checkout (Backport PR #​35157, Upstream PR #​34843, @​aanm)
• .github: re-enable configurations in e2e-upgrade (Backport PR #​35157, Upstream PR #​34800, @​aanm)
• .github: specify cache-dependency-path in lint-workflows (Backport PR #​35157, Upstream PR #​34845, @​aanm)
• [1.16] test: Skip envoy internal_address_config warning log (#​35053, @​pippolo84)
• [v1.16] gha: fix incorrect go version in lint-build-commits workflow (#​35312, @​giorio94)
• ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR #​34918, Upstream PR #​34820, @​aanm)
• fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR #​34918, Upstream PR #​34902, @​Artyop)
• servicemesh, ci: run internal to NodePort test (Backport PR #​35274, Upstream PR #​35177, @​marseel)

Misc Changes:

• .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR #​35157, Upstream PR #​34847, @​aanm)
• .github: clean up disk for lint-build workflow (Backport PR #​35157, Upstream PR #​35141, @​aanm)
• .github: fix build image process to commit changes (Backport PR #​35274, Upstream PR #​35262, @​aanm)
• .github: fix lvh-kind warnings (Backport PR #​35157, Upstream PR #​34811, @​aanm)
• .github: fix runtime image digests (Backport PR #​35274, Upstream PR #​35107, @​aanm)
• .github: push floating tag for push events for stable branches (#​35235, @​aanm)
• [v1.16] .github: do not update github runners for bpf workflows (#​35106, @​aanm)
• [v1.16] manually update dependency cilium/cilium-cli to v0.16.19 (v1.16) (#​35310, @​julianwiedmann)
• bgpv2/docs: add ebgp multihop documentation (Backport PR #​35036, Upstream PR #​34951, @​harsimran-pabla)
• bgpv2: cleanup service reconciliation logic (Backport PR #​35036, Upstream PR #​34959, @​rastislavs)
• Change GH runners to GH's default (Backport PR #​35157, Upstream PR #​33451, @​aanm)
• chore(deps): update all github action dependencies (v1.16) (#​35025, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35082, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​35250, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35005, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35283, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.16) (#​34999, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.16) (#​35101, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.8 (v1.16) (#​35201, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727741018-e3a7412f65722ebbe34254b3582b89d315765d0d (v1.16) (#​35137, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.16) (#​35218, @​cilium-renovate[bot])
• cilium-cli: Show config.cilium.io annotations on configmap (Backport PR #​35155, Upstream PR #​35020, @​joamaki)
• docs: Add known issue for netkit endpoint route issues (Backport PR #​35274, Upstream PR #​35126, @​jrife)
• docs: fix EKS Kubernetes compatibility link (Backport PR #​35036, Upstream PR #​34922, @​fjvela)
• docs: Improve warning on insecure global IPsec keys (Backport PR #​34918, Upstream PR #​34846, @​pchaigno)
• docs: move sig-policy to second Tuesday of the month (Backport PR #​35115, Upstream PR #​35040, @​squeed)
• fix: Assign PodStore from Pod resource until cell migration is completed (Backport PR #​35274, Upstream PR #​34090, @​dlapcevic)
• helm: add client auth to hubble server certificate (Backport PR #​35036, Upstream PR #​34934, @​kaworu)
• helm: set key usages for hubble certificates with cert-manager (Backport PR #​35036, Upstream PR #​34946, @​kaworu)
• Improve speed on lint commits GH workflow (Backport PR #​35157, Upstream PR #​34848, @​aanm)
• install/kubernetes: fix Operator's clusterrole for pods deletion (Backport PR #​35274, Upstream PR #​35193, @​aanm)
• Re-write GitHub cache usages across workflows (Backport PR #​35157, Upstream PR #​34866, @​aanm)
• Remove conformance-e2e tests (Backport PR #​35157, Upstream PR #​34742, @​aanm)

Other Changes:

• [v1.16] Add missing test coverage in v1.16 branch (#​35223, @​aanm)
• [v1.16] author backport: fix ENABLE_LOCAL_REDIRECT_POLICY (#​35129, @​ysksuzuki)
• [v1.16] author backport: LRP fixes (#​35072, @​ysksuzuki)
• [v1.16] ginkgo: disable test for deprecated annotations-based L7 visibility (#​35160, @​tklauser)
• [v1.16] test/k8s: replace L7 visibility Pod annotations by L7 visibility policy (#​35151, @​tklauser)
• install: Update image digests for v1.16.2 (#​35052, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.3@​sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
quay.io/cilium/cilium:stable@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.3@​sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb
quay.io/cilium/clustermesh-apiserver:stable@sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb

docker-plugin

quay.io/cilium/docker-plugin:v1.16.3@​sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae
quay.io/cilium/docker-plugin:stable@sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae

hubble-relay

quay.io/cilium/hubble-relay:v1.16.3@​sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
quay.io/cilium/hubble-relay:stable@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.3@​sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898
quay.io/cilium/operator-alibabacloud:stable@sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898

operator-aws

quay.io/cilium/operator-aws:v1.16.3@​sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916
quay.io/cilium/operator-aws:stable@sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916

operator-azure

quay.io/cilium/operator-azure:v1.16.3@​sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542
quay.io/cilium/operator-azure:stable@sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542

operator-generic

quay.io/cilium/operator-generic:v1.16.3@​sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
quay.io/cilium/operator-generic:stable@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b

operator

quay.io/cilium/operator:v1.16.3@​sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f
quay.io/cilium/operator:stable@sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f

v1.16.2: 1.16.2

Compare Source

We are happy to release Cilium v1.16.2!

This release brings us improved validation for updating from v1.15, fixed panics, race conditions and deadlocks, CI fixes and many many more changes!

Check out the summary below for details.

Summary of Changes

Minor Changes:

• Add validation to prevent users from using deprecated values that have been removed in v1.15 and v1.16 (Backport PR #​34452, Upstream PR #​34229, @​chancez)
• bgpv2: update status field of CiliumBGPNodeConfig CRD (Backport PR #​34580, Upstream PR #​33411, @​harsimran-pabla)
• docs: Update examples for CNP L7 Host (Backport PR #​34644, Upstream PR #​34578, @​sayboras)
• egressgw: drop traffic when gateway node is not configured for policy (Backport PR #​34452, Upstream PR #​33625, @​julianwiedmann)

Bugfixes:

• add support for validation of stringToString values in ConfigMap (Backport PR #​34586, Upstream PR #​34279, @​alex-berger)
• bgpv2: correct service reconciler initialization (Backport PR #​34452, Upstream PR #​34415, @​harsimran-pabla)
• bgpv2: fix cilium-dbg bgp filtering by ASN & route-policy dump format (Backport PR #​34452, Upstream PR #​34335, @​rastislavs)
• bpf: Fix Prune map operation leaking BPF map entries (Backport PR #​34586, Upstream PR #​34476, @​gandro)
• config: fix disabling config 'Debug' (Backport PR #​34469, Upstream PR #​34401, @​mhofstetter)
• daemon: Create IPsec and LRP maps early on startup (Backport PR #​34452, Upstream PR #​34388, @​pchaigno)
• daemon: Fix error logic flow for pod store being out of date (Backport PR #​34586, Upstream PR #​34389, @​christarazi)
• envoy: fix log level mapping when changing log level via API (Backport PR #​34452, Upstream PR #​34400, @​mhofstetter)
• Fix "invalid sysctl parameter" error when Cilium needs to modify a sysctl with capital letters in its name. (Backport PR #​34586, Upstream PR #​34298, @​julianwiedmann)
• Fix a bug in Cilium's kube-proxy replacement, where replies by a local backend are dropped with DROP_NO_FIB. (Backport PR #​34452, Upstream PR #​34303, @​julianwiedmann)
• Fix a race condition that would cause errors related to maps LB{4,6}_SKIP_MAP when loading

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/vishvananda/netlink	v1.2.1-beta.2.0.20240524165444-4d4ba1473f21 -> v1.3.1-0.20241022031324-976bd8de7d81