github cilium/cilium v1.16.7
1.16.7

3 days ago

Summary of Changes

Minor Changes:

  • Add IngressDeny and EgressDeny rules validation for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy (Backport PR #37124, Upstream PR #36598, @pippolo84)
  • doc: Added hostLegacyRouting limitation for Talos (Backport PR #37168, Upstream PR #36852, @PhilipSchmid)

Bugfixes:

  • agent: defend against null pointer refs in cecManager.getEndpoint() (Backport PR #37375, Upstream PR #37188, @aetimmes)
  • Allow cilium agent to start on Linux kernels that don't have CONFIG_XFRM. (Backport PR #37278, Upstream PR #37123, @julianwiedmann)
  • ces: Fix bug where stale endpoint information was injected into IPCache (Backport PR #37417, Upstream PR #37347, @gandro)
  • envoy: add configurable access log buffer size (Backport PR #37168, Upstream PR #36823, @aetimmes)
  • Fix a bug that prevents a pod from accessing NodePort services when the pod is also in scope of a broad-range Egress Gateway policy. (Backport PR #37168, Upstream PR #36929, @julianwiedmann)
  • Fix bug causing the endpoint regeneration failure handler to be effective only once (Backport PR #37278, Upstream PR #37085, @giorio94)
  • Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped. (Backport PR #37168, Upstream PR #37086, @giorio94)
  • Fix specifying multiple interfaces for egress masquerade with enable-masquerade-to-route-source=false (Backport PR #37168, Upstream PR #36103, @viktor-kurchenko)
  • maps/nat/stats: Use Start context when waiting for maps (Backport PR #37278, Upstream PR #37262, @tommyp1ckles)
  • nodeinit: move kubelet restart inside if/else in startup.bash (Backport PR #37375, Upstream PR #37282, @ayuspin)
  • Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (Backport PR #37168, Upstream PR #36504, @viktor-kurchenko)
  • socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport PR #37441, Upstream PR #37426, @alvaroaleman)

CI Changes:

  • [v1.16] ctmap/gc: don't clamp conntrack scan timeout in CI (#37380, @giorio94)
  • gh: harmonize lvh kernel naming scheme (Backport PR #37375, Upstream PR #37322, @julianwiedmann)
  • gh: update removed --loglevel option for kind (Backport PR #37168, Upstream PR #36935, @julianwiedmann)
  • gha: bump ubuntu version in conformance-externalworkloads (Backport PR #37168, Upstream PR #36859, @giorio94)
  • gha: correctly downgrade to patch release in ipsec workflows (Backport PR #37168, Upstream PR #36858, @giorio94)
  • gha: fix retrieval of DNS server in conformance external workloads (Backport PR #37375, Upstream PR #37361, @giorio94)
  • gha: Retrieve eks supported version via aws cli (Backport PR #37223, Upstream PR #37210, @sayboras)
  • Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport PR #37168, Upstream PR #36364, @smagnani96)
  • Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script. (Backport PR #37168, Upstream PR #36962, @smagnani96)
  • test: Fix the flake for TestRestoredPort (Backport PR #37278, Upstream PR #37106, @sayboras)
  • test: Move demo-httpd from Docker to Quay (Backport PR #37278, Upstream PR #37149, @joestringer)
  • test: Move the dind image to Quay to avoid rate-limiting (Backport PR #37441, Upstream PR #37388, @pchaigno)

Misc Changes:

  • build: Remove debug leftover from Makefile (Backport PR #37168, Upstream PR #36917, @gentoo-root)
  • chore(deps): update actions/setup-go action to v5.3.0 (v1.16) (#37117, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#37244, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#37505, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#37343, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#37550, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.16.24 (v1.16) (#37338, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.16) (#37215, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.16) (#37503, @cilium-renovate[bot])
  • chore(deps): update go to v1.23.6 (v1.16) (#37497, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.16) (#37201, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.16) (patch) (#37411, @cilium-renovate[bot])
  • cilium-dbg/troubleshoot: do not import cilium-dbg from operator (Backport PR #37375, Upstream PR #37326, @aanm)
  • clustermesh: Add hidden flag --allow-unsafe-policy-skb-usage (Backport PR #37168, Upstream PR #36602, @joestringer)
  • doc(glossary): Geneve as final RFC (Backport PR #37375, Upstream PR #37316, @alagoutte)
  • doc: ebpf host-routing and netfilter (Backport PR #37168, Upstream PR #36921, @PhilipSchmid)
  • doc: eks cluster restriction removed (Backport PR #37278, Upstream PR #37043, @viktor-kurchenko)
  • doc: Removed nodeinit from aks byocni install (Backport PR #37168, Upstream PR #37048, @PhilipSchmid)
  • docs: Add SNI policy example (Backport PR #37375, Upstream PR #37234, @sayboras)
  • docs: Clarify Identity-Relevant Labels description (Backport PR #37168, Upstream PR #36924, @joestringer)
  • docs: Fix broken link in BGP control plane docs (Backport PR #37375, Upstream PR #37241, @mikejoh)
  • docs: pass current_version to html_context (Backport PR #37168, Upstream PR #37008, @ayuspin)
  • docs: Remove stale limitation on KPR+IPsec (Backport PR #37168, Upstream PR #37054, @pchaigno)
  • images: don't assume Dockerfile directory in builder/runtime update scripts (Backport PR #37375, Upstream PR #34488, @tklauser)
  • proxy: Mark restored port as configured (Backport PR #37168, Upstream PR #36953, @jrajahalme)
  • Remove outdated roadmap matrix and links to it (Backport PR #37278, Upstream PR #37170, @xmulligan)
  • remove stable tags from image build (#37394, @aanm)
  • renovate: add fix grpc-go autodetection (Backport PR #37278, Upstream PR #33570, @aanm)

Other Changes:

  • [v1.16] envoy: Bump envoy version to v1.31.x (#37157, @sayboras)
  • chore(deps): update go to v1.23.5 (v1.16) (#37189, @sayboras)
  • Do not leak ipcache entries when apiserver entities are cluster external (#36927, @antonipp)
  • install: Update image digests for v1.16.6 (#37154, @cilium-release-bot[bot])
  • Revert "chore(deps): update all-dependencies (v1.16)" (#37525, @sayboras)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.7@sha256:294d2432507fed393b26e9fbfacb25c2e37095578cb34dabac7312b66ed0782e

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.7@sha256:8e7eda5b194d45c3b1607f5bf31cbb3fecd0f1cf85ce32b41f93b2bd832bf02f

docker-plugin

quay.io/cilium/docker-plugin:v1.16.7@sha256:d5c331e03a7c9f158e43eef46537a7656b668dcf76e7b8397520770a51747803

hubble-relay

quay.io/cilium/hubble-relay:v1.16.7@sha256:8f408ed921cd534394aa1c57b313741cec6aec03a14ea243b2173cbf2c88c91e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.7@sha256:dbdc856303e1ab6734538e29791fdfc4fe2c1295fd7bbce8fa006cd3165f85c8

operator-aws

quay.io/cilium/operator-aws:v1.16.7@sha256:110d922337bdbfc3cd4d7d71b85b2c8f72c1d9925e9b61b4cd73ff990799d7ba

operator-azure

quay.io/cilium/operator-azure:v1.16.7@sha256:4e7e64cc505676d402c68043934e2c8efc75b294245514d7611a58d06b5e0f69

operator-generic

quay.io/cilium/operator-generic:v1.16.7@sha256:25a41ac50bcebfb780ed2970e55a5ba1a5f26996850ed5a694dc69b312e0b5a0

operator

quay.io/cilium/operator:v1.16.7@sha256:bac2496ba4348267ca5f16c2dd73ba7be76330cdd0eef0a6958c260a3bf5951d
