cilium/cilium v1.18.9

1.18.9

on GitHub

Summary of Changes

Minor Changes:

• Fix performance bug in L7 policy proxy redirect handling (Backport PR #44827, Upstream PR #44613, @fristonio)
• helm,docs: add configDriftDetection Helm values and documentation (Backport PR #44972, Upstream PR #44703, @PhilipSchmid)

Bugfixes:

• [v1.18] Fix incorrect policy service selector handling (#44949, @fristonio)
• Ensure completion.WaitGroup always has a timeout (Backport PR #45218, Upstream PR #44731, @jrajahalme)
• envoy: Fix xds server npds listeners accounting (Backport PR #45218, Upstream PR #44830, @fristonio)
• Fix a slow memory leak triggered by incremental policy updates (Backport PR #45053, Upstream PR #44328, @odinuge)
• Fix endpoints for static pods stuck in init identity (Backport PR #45213, Upstream PR #45016, @aaroniscode)
• Fix memory leak triggered by policies being created and deleted (Backport PR #44827, Upstream PR #44724, @odinuge)
• Fix panic in Hubble Relay when new peer address is unresolvable (Backport PR #45213, Upstream PR #45021, @pesarkhobeee)
• Fixed a bug in dual-stack cluster-pool IPAM where an operator restart with a pre-existing duplicate IPv6 PodCIDR could cause the affected node's IPv4 PodCIDR to be incorrectly freed and reassigned to another node. (Backport PR #44867, Upstream PR #44832, @christarazi)
• Fixed a bug in service load balancing where backend slot assignments could have gaps when maintenance backends exist, potentially causing traffic misrouting. (Backport PR #44972, Upstream PR #43902, @Aman-Cool)
• Fixed an issue where policy update ack is never completed after endpoint deletion. (Backport PR #44819, Upstream PR #44754, @jrajahalme)
• Fixed ipcache identity update hang when last proxy listener is removed. (Backport PR #45218, Upstream PR #44597, @jrajahalme)
• Fixes increased CPU usage in hubble observe caused by log coloring feature, even when coloring was disabled (Backport PR #44827, Upstream PR #44119, @tporeba)
• lb: fix panic in orphan backend cleanup when addr is zero-value (Backport PR #45053, Upstream PR #44853, @vipul-21)
• lb: Skip nil slots during BPF map restore to prevent panic (Backport PR #44972, Upstream PR #44895, @vipul-21)
• operator/identitygc: fix nil pointer dereference on shutdown (Backport PR #45213, Upstream PR #45091, @tsotne95)

CI Changes:

• .github/workflows: disable cache for go steps (Backport PR #45213, Upstream PR #45073, @aanm)
• .github/workflows: replace external set-commit-status action (Backport PR #45213, Upstream PR #45078, @aanm)
• .github: cleanup disk before ci-verifier tests (Backport PR #45053, Upstream PR #44971, @aanm)
• ci: add fail-fast false to ci image builds (Backport PR #45213, Upstream PR #45079, @Artyop)
• ci: set TMPDIR=/host/tmp in datapath verifier tests (Backport PR #45213, Upstream PR #45047, @aanm)
• ci: Switch catchpoint/workflow-telemetry-action to our fork (#45220, @YutaroHayakawa)
• fix: escape $ character in regex to prevent injection (Backport PR #44827, Upstream PR #44638, @peoyekunle)

Misc Changes:

• .github/workflows: do not use deployments for environments (Backport PR #45213, Upstream PR #44908, @aanm)
• [v1.18] vendor: update google.golang.org/grpc to v1.79.3 (#45346, @aanm)
• bpf: Clear tc_classid on all ingress code paths (Backport PR #45213, Upstream PR #42105, @pchaigno)
• chore(deps): update all github action dependencies (v1.18) (#44940, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#45042, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#45174, @cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#45309, @cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#44833, @cilium-renovate[bot])
• chore(deps): update base-images to v1.25.9 (v1.18) (#45274, @cilium-renovate[bot])
• chore(deps): update dependency bufbuild/buf to v1.67.0 (v1.18) (#45172, @cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.29 (v1.18) (#45281, @cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 1487d0a (v1.18) (#45040, @cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.25.9 docker digest to a95d3d1 (v1.18) (#45316, @cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to 186072b (v1.18) (#44935, @cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to 84e77de (v1.18) (#45306, @cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.10 (v1.18) (#45171, @cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.9 (v1.18) (#44937, @cilium-renovate[bot])
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.1.4 [security] (v1.18) (#45150, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773729248-8de84653be3b2b3011e1cee5b3e702f6556fb3df (v1.18) (#44938, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1774363526-9d47d40f80df306891816788b71415813ce49ef3 (v1.18) (#45041, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.5-1775137579-2b3493aca96923190423ccec7e4dbc5f074ccad4 (v1.18) (#45173, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1775912317-d56e4f5fec87556b7aaf3b8edeb100025ec87183 (v1.18) (#45308, @cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1776000132-2437d2edeaf4d9b56ef279bd0d71127440c067aa (v1.18) (#45321, @cilium-renovate[bot])
• docs: document reverse_sk map exhaustion impact on socket termination (Backport PR #44861, Upstream PR #44835, @ysksuzuki)
• docs: Update Gateway API docs to reference Gateway API v1.3.0 (Backport PR #44972, Upstream PR #40825, @Untersander)
• docs: Update sphinx theme to v3.1.0 (Backport PR #45338, Upstream PR #45289, @joestringer)
• fix(deps): update k8s.io patch updates stable to v0.33.10 (v1.18) (patch) (#44939, @cilium-renovate[bot])
• fix(deps): update k8s.io/utils digest to 28399d8 (v1.18) (#44936, @cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 4b9911b (v1.18) (#45170, @cilium-renovate[bot])

Other Changes:

• [1.18] Reapply "loader: XDP attach type fallback logic" (#44999, @rgo3)
• [v1.18 Backport] EKS API Server Hardening (#44977, @sekhar-isovalent)
• [v1.18] deps: bump cni plugins to v1.9.1 (#45241, @ferozsalam)
• [v1.18] Revert "loader: XDP attach type fallback logic" (#44857, @julianwiedmann)
• install: Update image digests for v1.18.8 (#44956, @cilium-release-bot[bot])
• v1.18: bpf: Clear tc_classid on all ingress code paths (#45341, @pchaigno)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.9@sha256:c9140c2ebcc636ba346a4152fb28d616a4a51586c22c72dcd6f273bed41053c0

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.9@sha256:140bbb0433dbdb12e3ab0aaca0cb6fd1a8430812816ccff54c0d7f0adb713175

docker-plugin

quay.io/cilium/docker-plugin:v1.18.9@sha256:da9e6d08f8c11624619692af7ae022b2a7e8e1136d9164910bc6776acdc60079

hubble-relay

quay.io/cilium/hubble-relay:v1.18.9@sha256:031288422f2b0bfff3372fba9812d2867dd9262a6f12c6e6282cfebe54e5efe1

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.9@sha256:2116cd9ec94484a1bb7f5cb9703fb6d7c4e63b11431cf145280abda218f3e8b9

operator-aws

quay.io/cilium/operator-aws:v1.18.9@sha256:48d78a4d22fc055a2223019941fc30a51f8a980691e55225bfd6b9cffb164a45

operator-azure

quay.io/cilium/operator-azure:v1.18.9@sha256:4523175c9452c2eab7fa537faa85654120e29b740843f72d55b43c5cbc774f71

operator-generic

quay.io/cilium/operator-generic:v1.18.9@sha256:9094fe19965c558bc9361aa4f0d19fcc48f7377f835dc70f138bf4dc1db48ca4

operator

quay.io/cilium/operator:v1.18.9@sha256:da7b86562f4db18d61e6d34bb1f998d826f993af9d2047bf3e0b7346f658d65c