github cilium/cilium v1.16.9

Summary of Changes

Minor Changes:

  • Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR #38400, Upstream PR #37936, @smagnani96)
  • Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport PR #38747, Upstream PR #35900, @smagnani96)

Bugfixes:

  • bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR #38747, Upstream PR #38592, @julianwiedmann)
  • Fix panic caused in dual cluster setups where LRPs with skipRedirectFromBackend flag set to true are installed and IPv6 is disabled. (Backport PR #38701, Upstream PR #38656, @aditighag)
  • For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR #38747, Upstream PR #38737, @julianwiedmann)

CI Changes:

  • build: update golangci-lint to v2.0.0 (Backport PR #38631, Upstream PR #38473, @mhofstetter)
  • ci: build CI images within merge group (Backport PR #38525, Upstream PR #38065, @marseel)
  • ci: prepare CI Image build for being required (Backport PR #38525, Upstream PR #38320, @marseel)
  • Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR #38521, Upstream PR #38264, @smagnani96)
  • Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38290, @smagnani96)
  • Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR #38741, Upstream PR #38281, @smagnani96)
  • Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR #38521, Upstream PR #38265, @smagnani96)
  • Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38292, @smagnani96)
  • Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38291, @smagnani96)
  • gh: aws-cni: set --enable-identity-mark=false option (Backport PR #38747, Upstream PR #38738, @julianwiedmann)
  • gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR #38521, Upstream PR #37551, @jschwinger233)
  • gh: update naming for bpftrace leak detection script (Backport PR #38521, Upstream PR #37865, @julianwiedmann)
  • Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport PR #38741, Upstream PR #38278, @smagnani96)
  • Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38293, @smagnani96)
  • Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR #38741, Upstream PR #38266, @smagnani96)
  • Refactoring and code comments for the check-encryption-leak script. (Backport PR #38741, Upstream PR #38263, @smagnani96)
  • Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR #38741, Upstream PR #38297, @smagnani96)
  • Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38280, @smagnani96)
  • Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38289, @smagnani96)
  • Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38525, Upstream PR #38289, @smagnani96)
  • Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #38521, Upstream PR #38287, @smagnani96)
  • Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport PR #38741, Upstream PR #38268, @smagnani96)
  • test: Update FQDN related domain and IP (Backport PR #38770, Upstream PR #38754, @sayboras)

Misc Changes:

  • [v1.16] deps: bump github.com/containerd/containerd to v1.7.27 (#38496, @ferozsalam)
  • [v1.16] deps: Bump package x/net (#38323, @ferozsalam)
  • [v1.16] deps: bump package x/oauth2 (#38404, @ferozsalam)
  • [v1.16]: deps: bump x/net to v0.38.0 (#38781, @ferozsalam)
  • bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR #38747, Upstream PR #37956, @julianwiedmann)
  • bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport PR #38747, Upstream PR #38430, @julianwiedmann)
  • chore(deps): update all github action dependencies (v1.16) (#38347, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (#38515, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (v1.16) (patch) (#38346, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#38304, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#38442, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (v1.16) (#38543, @cilium-renovate[bot])
  • chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.16) (#38731, @cilium-renovate[bot])
  • chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.16) (#38348, @cilium-renovate[bot])
  • chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.16) (#38714, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/busybox:1.36.1 docker digest to e246aa2 (v1.16) (#38344, @cilium-renovate[bot])
  • chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.16) (#38613, @cilium-renovate[bot])
  • chore(deps): update go to v1.23.8 (v1.16) (#38345, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.16) (#38258, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742515734-d30064faed34d8936672353d4b6d6dbcfbaa7b2d (v1.16) (#38385, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743506100-0821ef0acdf9f824d47d34e02932be522b3e7233 (v1.16) (#38672, @cilium-renovate[bot])
  • chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743993953-6f87ef30cb1aca19e233099304bd08d689f380dd (v1.16) (#38774, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.16) (patch) (#38317, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.16) (patch) (#38614, @cilium-renovate[bot])
  • chore(deps): update stable lvh-images (v1.16) (patch) (#38832, @cilium-renovate[bot])
  • docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR #38525, Upstream PR #38173, @yrsuthari)
  • docs: clarify hubble flow filter match semantics (Backport PR #38701, Upstream PR #38657, @devodev)
  • docs: Document jitter applied to BGP ConnectRetryTimeSeconds (Backport PR #38525, Upstream PR #38231, @rastislavs)
  • docs: Update LLVM requirements to 18.1 (Backport PR #38342, Upstream PR #38294, @gentoo-root)
  • Documentation: "cilium config set" restarts by default (Backport PR #38299, Upstream PR #38114, @joamaki)
  • Documentation: fix mentions of per-node cilium-dbg tool (Backport PR #38299, Upstream PR #38276, @tklauser)
  • images: bump distroless to static (Backport PR #38695, Upstream PR #38647, @kaworu)
  • pkg/controller: fix data race in update params locked (Backport PR #38525, Upstream PR #38327, @aanm)
  • pkg/endpoint: fix race in unit test (Backport PR #38299, Upstream PR #38129, @squeed)
  • remove the endpointRoutes for aws cni in the doc (Backport PR #38701, Upstream PR #38381, @liyihuang)

Other Changes:

  • [v1.16] hubble: fix flowfilter flag parsing allowing only one filter (#38794, @devodev)
  • [v1.16] proxy: Bump envoy version to 1.32.x (#38307, @sayboras)
  • fix AWS ENI IPAM mode performance regression in the Operator when --update-ec2-adapter-limit-via-api is set to true (#38533, @antonipp)
  • gha: Skip HTTPRouteServiceTypes test (#38343, @sayboras)
  • install: Update image digests for v1.16.8 (#38207, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.9@sha256:98f8e547fd0720e042a1eb7bd6f50a521cbe0a8ea8e013f783f1709fc023c266

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.9@sha256:69b9b80046f2a293de96e228ffdf7803bdd387d2c8cc6fa836a240c4932d7066

docker-plugin

quay.io/cilium/docker-plugin:v1.16.9@sha256:867b37f934411c11e9e50d0d691a2d1376ec4fe4c573c9b3af6950d559a97b28

hubble-relay

quay.io/cilium/hubble-relay:v1.16.9@sha256:c978b77e607cc7fb9a92741464470002a192af47c5dec57b83f693919857199e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.9@sha256:59d2a5d5ab017c974c42eeb7f265f9b91aafad2ee6c73d5dffe0bfe44bedd134

operator-aws

quay.io/cilium/operator-aws:v1.16.9@sha256:f00e854ad7ae0c55e0e2352b71a98fe1358ba029e2e93b236a18c3b43664f948

operator-azure

quay.io/cilium/operator-azure:v1.16.9@sha256:549ef9d238b84313f4a9f25518a77ec16cc9b86a19e66242bee920eb9c065fea

operator-generic

quay.io/cilium/operator-generic:v1.16.9@sha256:0489f71dfeff23d1fbc4ee85a81a0274076ab2b53072aadbdf5963e83dc3faf7

operator

quay.io/cilium/operator:v1.16.9@sha256:c8d0d6ca36d49bdeeb82d75b58a061f10e9e402d493241d648c4e329027b67ee
