Merged
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
aditighag
force-pushed
the
pr/aditighag/kubeapi-server-ha
branch
5 times, most recently
from
28c21c7 to
7423087
Compare
aditighag
changed the title
Member
Author
|
/test |
aditighag
force-pushed
the
pr/aditighag/kubeapi-server-ha
branch
2 times, most recently
from
10d3a19 to
534bd9a
Compare
Member
Author
|
/test |
aditighag
force-pushed
the
pr/aditighag/kubeapi-server-ha
branch
from
534bd9a to
36c6f9c
Compare
Member
Author
|
/test |
aditighag
requested review from
a user,
asauber,
dylandreimerink,
squeed,
thorn3r and
youngnick
aditighag
force-pushed
the
pr/aditighag/kubeapi-server-ha
branch
from
36c6f9c to
5c330f3
Compare
Member
Author
|
/test |
aditighag
added
the
release-note/minor
This commit introduces logic to support kubeapi-server high availability with kube-proxy replacement by switching the agent Kubernetes clients to connect to the `kubernetes` service at runtime. Cilium agent requires a connection to the kubeapi-server control plane to program the BPF datapath without depending on kube-proxy load-balancing when kube-proxy replacement is enabled. To achieve this, Cilium uses API_SERVER_IP and API_SERVER_PORT configurations for direct connection to the kubeapi-server. However, this approach doesn't support production environments that require multiple kubeapi-servers for high availability. Additionally, it cannot rely on a fixed set of addresses provided at bootstrap time due to potential Kubernetes node failures or recycling in production environments. Previous commits added the logic to connect to an active kube-apiserver during bootstrap. Once the agent establishes an initial connection to the API server, it receives runtime state for services including the `kubernetes` service with API server endpoints. This state is written to a file that's watched by the k8s-client module. It then validates connectivity to the service virtual address, and updates the internal HTTP round tripper to connect to the service address. While kubelet exposes the API server virtual address in the `KUBERNETES_SERVICE_HOST` address, this is overwritten when users set `k8sServiceHost` config with kube-proxy replacement enabled. The persisted state allows for the agent to restore the service and endpoint addresses post agent restarts. Signed-off-by: Aditi Ghag <aditi@cilium.io>
The agent sends periodic heartbeats to the current API server. Until the agent switches the kubernetes client remote host to the `kubernetes` service address for high availability, API servers need to be manually rotated on failed heartbeats. Once the switch over is done to the service address, manual rotation isn't needed as the Cilium datapath will load balance API requests to the active kube-api servers. Signed-off-by: Aditi Ghag <aditi@cilium.io>
Signed-off-by: Aditi Ghag <aditi@cilium.io>
Signed-off-by: Aditi Ghag <aditi@cilium.io>
aditighag
force-pushed
the
pr/aditighag/kubeapi-server-ha
branch
from
263c8b6 to
a1681da
Compare
Member
Author
|
@squeed Updated code documentation per your review comments. PTAL. |
Member
Author
|
/test |
Member
Author
|
|
aditighag
added
the
ready-to-merge
maintainer-s-little-helper
bot
removed
the
ready-to-merge
Member
Author
joestringer
added
release-note/major
github-merge-queue bot
pushed a commit
to chezmoidotsh/arcane
that referenced
this pull request
Jul 29, 2025
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | HelmChart | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.0`](https://github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://github.com/cilium/cilium/compare/1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://github.com/cilium/cilium/pull/38469), [@​joamaki](https://github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://github.com/cilium/cilium/pull/37723), [@​ldelossa](https://github.com/ldelossa); [cilium/cilium#37346](https://github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://github.com/cilium/cilium/pull/36351), [@​l1b0k](https://github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://github.com/cilium/cilium/pull/39497), [@​pchaigno](https://github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://github.com/cilium/cilium/pull/39074), [@​pchaigno](https://github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://github.com/cilium/cilium/pull/38249), [@​caorui-io](https://github.com/caorui-io), [@​kadevu](https://github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://github.com/cilium/cilium/pull/38452), [@​rgo3](https://github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://github.com/cilium/cilium/pull/39453), [@​antonipp](https://github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://github.com/cilium/cilium/pull/39902), [@​squeed](https://github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://github.com/cilium/cilium/pull/37634), [@​kaworu](https://github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://github.com/cilium/cilium/pull/37445), [@​squeed](https://github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://github.com/marseel), [cilium/cilium#40227](https://github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://github.com/cilium/cilium/pull/40005), [@​marseel](https://github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://github.com/cilium/cilium/pull/39340), [@​squeed](https://github.com/squeed); [cilium/cilium#40414](https://github.com/cilium/cilium/pull/40414), [@​marseel](https://github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://github.com/cilium/cilium/pull/37714), [@​giorio94](https://github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://github.com/cilium/cilium/pull/37601), [@​aditighag](https://github.com/aditighag); [cilium/cilium#38031](https://github.com/cilium/cilium/pull/38031), [@​orange30](https://github.com/orange30); [cilium/cilium#36648](https://github.com/cilium/cilium/pull/36648), [@​wedaly](https://github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://github.com/cilium/cilium/pull/38940), [@​christarazi](https://github.com/christarazi); [cilium/cilium#39090](https://github.com/cilium/cilium/pull/39090), [@​pippolo84](https://github.com/pippolo84); [cilium/cilium#37765](https://github.com/cilium/cilium/pull/37765), [@​rastislavs](https://github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://github.com/cilium/cilium/pull/40137), [@​Murat](https://github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://github.com/cilium/cilium/pull/39664), [@​aanm](https://github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://github.com/cilium/cilium/pull/39632), [@​sayboras](https://github.com/sayboras); [cilium/cilium#38868](https://github.com/cilium/cilium/pull/38868), [@​squeed](https://github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://github.com/cilium/cilium/pull/39590), [@​sayboras](https://github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://github.com/cilium/cilium/pull/40138), [@​sayboras](https://github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://github.com/cilium/cilium/pull/39922), [@​youngnick](https://github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://github.com/cilium/cilium/pull/37798), [@​sayboras](https://github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://github.com/cilium/cilium/pull/39678), [@​41ks](https://github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://github.com/cilium/cilium/pull/39638), [@​pippolo84](https://github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://github.com/cilium/cilium/pull/39442), [@​pippolo84](https://github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://github.com/cilium/cilium/pull/38483), [@​pippolo84](https://github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://github.com/cilium/cilium/pull/37275), [@​romanspb80](https://github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://github.com/yushoyamaguchi); [cilium/cilium#38300](https://github.com/cilium/cilium/pull/38300), [@​liyihuang](https://github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://github.com/cilium/cilium/pull/37027), [@​Joe](https://github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://github.com/cilium/cilium/pull/40212), [@​squeed](https://github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://github.com/cilium/cilium/pull/37418), [@​brb](https://github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/chezmoidotsh/arcane). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40My41IiwidXBkYXRlZEluVmVyIjoiNDEuNDMuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsidHlwZTogZGVwZW5kZW5jaWVzIl19-->
renovate bot
added a commit
to lambchop4prez/network
that referenced
this pull request
Jul 29, 2025
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | helm_release | minor | `1.17.6` -> `1.18.0` | | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.0`](https://github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://github.com/cilium/cilium/compare/1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://github.com/cilium/cilium/pull/38469), [@​joamaki](https://github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://github.com/cilium/cilium/pull/37723), [@​ldelossa](https://github.com/ldelossa); [cilium/cilium#37346](https://github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://github.com/cilium/cilium/pull/36351), [@​l1b0k](https://github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://github.com/cilium/cilium/pull/39497), [@​pchaigno](https://github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://github.com/cilium/cilium/pull/39074), [@​pchaigno](https://github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://github.com/cilium/cilium/pull/38249), [@​caorui-io](https://github.com/caorui-io), [@​kadevu](https://github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://github.com/cilium/cilium/pull/38452), [@​rgo3](https://github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://github.com/cilium/cilium/pull/39453), [@​antonipp](https://github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://github.com/cilium/cilium/pull/39902), [@​squeed](https://github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://github.com/cilium/cilium/pull/37634), [@​kaworu](https://github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://github.com/cilium/cilium/pull/37445), [@​squeed](https://github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://github.com/marseel), [cilium/cilium#40227](https://github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://github.com/cilium/cilium/pull/40005), [@​marseel](https://github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://github.com/cilium/cilium/pull/39340), [@​squeed](https://github.com/squeed); [cilium/cilium#40414](https://github.com/cilium/cilium/pull/40414), [@​marseel](https://github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://github.com/cilium/cilium/pull/37714), [@​giorio94](https://github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://github.com/cilium/cilium/pull/37601), [@​aditighag](https://github.com/aditighag); [cilium/cilium#38031](https://github.com/cilium/cilium/pull/38031), [@​orange30](https://github.com/orange30); [cilium/cilium#36648](https://github.com/cilium/cilium/pull/36648), [@​wedaly](https://github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://github.com/cilium/cilium/pull/38940), [@​christarazi](https://github.com/christarazi); [cilium/cilium#39090](https://github.com/cilium/cilium/pull/39090), [@​pippolo84](https://github.com/pippolo84); [cilium/cilium#37765](https://github.com/cilium/cilium/pull/37765), [@​rastislavs](https://github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://github.com/cilium/cilium/pull/40137), [@​Murat](https://github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://github.com/cilium/cilium/pull/39664), [@​aanm](https://github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://github.com/cilium/cilium/pull/39632), [@​sayboras](https://github.com/sayboras); [cilium/cilium#38868](https://github.com/cilium/cilium/pull/38868), [@​squeed](https://github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://github.com/cilium/cilium/pull/39590), [@​sayboras](https://github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://github.com/cilium/cilium/pull/40138), [@​sayboras](https://github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://github.com/cilium/cilium/pull/39922), [@​youngnick](https://github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://github.com/cilium/cilium/pull/37798), [@​sayboras](https://github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://github.com/cilium/cilium/pull/39678), [@​41ks](https://github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://github.com/cilium/cilium/pull/39638), [@​pippolo84](https://github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://github.com/cilium/cilium/pull/39442), [@​pippolo84](https://github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://github.com/cilium/cilium/pull/38483), [@​pippolo84](https://github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://github.com/cilium/cilium/pull/37275), [@​romanspb80](https://github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://github.com/yushoyamaguchi); [cilium/cilium#38300](https://github.com/cilium/cilium/pull/38300), [@​liyihuang](https://github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://github.com/cilium/cilium/pull/37027), [@​Joe](https://github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://github.com/cilium/cilium/pull/40212), [@​squeed](https://github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://github.com/cilium/cilium/pull/37418), [@​brb](https://github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/lambchop4prez/network). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40My41IiwidXBkYXRlZEluVmVyIjoiNDEuNDMuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
nicolerenee
pushed a commit
to nicolerenee/infra
that referenced
this pull request
Jul 29, 2025
…ilium ( 1.17.6 → 1.18.0 ) (#709) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/home-operations/charts-mirror/cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (ghcr.io/home-operations/charts-mirror/cilium)</summary> ### [`v1.18.0`](https://github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://github.com/cilium/cilium/compare/1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://github.com/cilium/cilium/pull/38469), [@​joamaki](https://github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://github.com/cilium/cilium/pull/37723), [@​ldelossa](https://github.com/ldelossa); [cilium/cilium#37346](https://github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://github.com/cilium/cilium/pull/36351), [@​l1b0k](https://github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://github.com/cilium/cilium/pull/39497), [@​pchaigno](https://github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://github.com/cilium/cilium/pull/39074), [@​pchaigno](https://github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://github.com/cilium/cilium/pull/38249), [@​caorui-io](https://github.com/caorui-io), [@​kadevu](https://github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://github.com/cilium/cilium/pull/38452), [@​rgo3](https://github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://github.com/cilium/cilium/pull/39453), [@​antonipp](https://github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://github.com/cilium/cilium/pull/39902), [@​squeed](https://github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://github.com/cilium/cilium/pull/37634), [@​kaworu](https://github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://github.com/cilium/cilium/pull/37445), [@​squeed](https://github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://github.com/marseel), [cilium/cilium#40227](https://github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://github.com/cilium/cilium/pull/40005), [@​marseel](https://github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://github.com/cilium/cilium/pull/39340), [@​squeed](https://github.com/squeed); [cilium/cilium#40414](https://github.com/cilium/cilium/pull/40414), [@​marseel](https://github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://github.com/cilium/cilium/pull/37714), [@​giorio94](https://github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://github.com/cilium/cilium/pull/37601), [@​aditighag](https://github.com/aditighag); [cilium/cilium#38031](https://github.com/cilium/cilium/pull/38031), [@​orange30](https://github.com/orange30); [cilium/cilium#36648](https://github.com/cilium/cilium/pull/36648), [@​wedaly](https://github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://github.com/cilium/cilium/pull/38940), [@​christarazi](https://github.com/christarazi); [cilium/cilium#39090](https://github.com/cilium/cilium/pull/39090), [@​pippolo84](https://github.com/pippolo84); [cilium/cilium#37765](https://github.com/cilium/cilium/pull/37765), [@​rastislavs](https://github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://github.com/cilium/cilium/pull/40137), [@​Murat](https://github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://github.com/cilium/cilium/pull/39664), [@​aanm](https://github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://github.com/cilium/cilium/pull/39632), [@​sayboras](https://github.com/sayboras); [cilium/cilium#38868](https://github.com/cilium/cilium/pull/38868), [@​squeed](https://github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://github.com/cilium/cilium/pull/39590), [@​sayboras](https://github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://github.com/cilium/cilium/pull/40138), [@​sayboras](https://github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://github.com/cilium/cilium/pull/39922), [@​youngnick](https://github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://github.com/cilium/cilium/pull/37798), [@​sayboras](https://github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://github.com/cilium/cilium/pull/39678), [@​41ks](https://github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://github.com/cilium/cilium/pull/39638), [@​pippolo84](https://github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://github.com/cilium/cilium/pull/39442), [@​pippolo84](https://github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://github.com/cilium/cilium/pull/38483), [@​pippolo84](https://github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://github.com/cilium/cilium/pull/37275), [@​romanspb80](https://github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://github.com/yushoyamaguchi); [cilium/cilium#38300](https://github.com/cilium/cilium/pull/38300), [@​liyihuang](https://github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://github.com/cilium/cilium/pull/37027), [@​Joe](https://github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://github.com/cilium/cilium/pull/40212), [@​squeed](https://github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://github.com/cilium/cilium/pull/37418), [@​brb](https://github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40NS4wIiwidXBkYXRlZEluVmVyIjoiNDEuNDUuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvY29udGFpbmVyIiwidHlwZS9taW5vciJdfQ==--> Co-authored-by: bot-nicole[bot] <205127124+bot-nicole[bot]@users.noreply.github.com>
renovate bot
added a commit
to rupaschomaker/home-cluster
that referenced
this pull request
Jul 30, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.0`](https://github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](https://github.com/cilium/cilium/compare/1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](https://github.com/cilium/cilium/pull/38469), [@​joamaki](https://github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](https://github.com/cilium/cilium/pull/37723), [@​ldelossa](https://github.com/ldelossa); [cilium/cilium#37346](https://github.com/cilium/cilium/pull/37346), [@​gyutaeb](https://github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](https://github.com/cilium/cilium/pull/39304), [@​carlos-abad](https://github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](https://github.com/cilium/cilium/pull/36351), [@​l1b0k](https://github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](https://github.com/cilium/cilium/pull/38198), [@​dylandreimerink](https://github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](https://github.com/cilium/cilium/pull/39987), [@​dylandreimerink](https://github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](https://github.com/cilium/cilium/pull/38296), [cilium/cilium#39497](https://github.com/cilium/cilium/pull/39497), [@​pchaigno](https://github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](https://github.com/cilium/cilium/pull/39074), [@​pchaigno](https://github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](https://github.com/cilium/cilium/pull/38249), [@​caorui-io](https://github.com/caorui-io), [@​kadevu](https://github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](https://github.com/cilium/cilium/pull/38110), [@​gentoo-root](https://github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](https://github.com/cilium/cilium/pull/38452), [@​rgo3](https://github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](https://github.com/cilium/cilium/pull/39453), [@​antonipp](https://github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](https://github.com/cilium/cilium/pull/39902), [@​squeed](https://github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](https://github.com/cilium/cilium/pull/37634), [@​kaworu](https://github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](https://github.com/cilium/cilium/pull/39338), [@​MrFreezeex](https://github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](https://github.com/cilium/cilium/pull/36492), [cilium/cilium#37445](https://github.com/cilium/cilium/pull/37445), [@​squeed](https://github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://github.com/marseel), [cilium/cilium#40227](https://github.com/cilium/cilium/pull/40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](https://github.com/cilium/cilium/pull/40005), [@​marseel](https://github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](https://github.com/cilium/cilium/pull/39340), [@​squeed](https://github.com/squeed); [cilium/cilium#40414](https://github.com/cilium/cilium/pull/40414), [@​marseel](https://github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](https://github.com/cilium/cilium/pull/38596), [@​MrFreezeex](https://github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](https://github.com/cilium/cilium/pull/36471), [@​HadrienPatte](https://github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](https://github.com/cilium/cilium/pull/37714), [@​giorio94](https://github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](https://github.com/cilium/cilium/pull/36288), [@​tommyp1ckles](https://github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](https://github.com/cilium/cilium/pull/37601), [@​aditighag](https://github.com/aditighag); [cilium/cilium#38031](https://github.com/cilium/cilium/pull/38031), [@​orange30](https://github.com/orange30); [cilium/cilium#36648](https://github.com/cilium/cilium/pull/36648), [@​wedaly](https://github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](https://github.com/cilium/cilium/pull/36510), [@​ovidiutirla](https://github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](https://github.com/cilium/cilium/pull/38940), [@​christarazi](https://github.com/christarazi); [cilium/cilium#39090](https://github.com/cilium/cilium/pull/39090), [@​pippolo84](https://github.com/pippolo84); [cilium/cilium#37765](https://github.com/cilium/cilium/pull/37765), [@​rastislavs](https://github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](https://github.com/cilium/cilium/pull/40137), [@​Murat](https://github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](https://github.com/cilium/cilium/pull/39664), [@​aanm](https://github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](https://github.com/cilium/cilium/pull/39124), [cilium/cilium#40175](https://github.com/cilium/cilium/pull/40175), [cilium/cilium#39632](https://github.com/cilium/cilium/pull/39632), [@​sayboras](https://github.com/sayboras); [cilium/cilium#38868](https://github.com/cilium/cilium/pull/38868), [@​squeed](https://github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](https://github.com/cilium/cilium/pull/38308), [@​julianwiedmann](https://github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](https://github.com/cilium/cilium/pull/39590), [@​sayboras](https://github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](https://github.com/cilium/cilium/pull/37792), [cilium/cilium#37402](https://github.com/cilium/cilium/pull/37402), [cilium/cilium#40138](https://github.com/cilium/cilium/pull/40138), [@​sayboras](https://github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](https://github.com/cilium/cilium/pull/39922), [@​youngnick](https://github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](https://github.com/cilium/cilium/pull/37798), [@​sayboras](https://github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](https://github.com/cilium/cilium/pull/39678), [@​41ks](https://github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](https://github.com/cilium/cilium/pull/39638), [@​pippolo84](https://github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](https://github.com/cilium/cilium/pull/39442), [@​pippolo84](https://github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](https://github.com/cilium/cilium/pull/38483), [@​pippolo84](https://github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](https://github.com/cilium/cilium/pull/37275), [@​romanspb80](https://github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](https://github.com/cilium/cilium/pull/36414), [@​dswaffordcw](https://github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](https://github.com/cilium/cilium/pull/36451), [@​yushoyamaguchi](https://github.com/yushoyamaguchi); [cilium/cilium#38300](https://github.com/cilium/cilium/pull/38300), [@​liyihuang](https://github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](https://github.com/cilium/cilium/pull/37027), [@​Joe](https://github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](https://github.com/cilium/cilium/pull/40212), [@​squeed](https://github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](https://github.com/cilium/cilium/pull/38480), [cilium/cilium#39642](https://github.com/cilium/cilium/pull/39642), [cilium/cilium#37418](https://github.com/cilium/cilium/pull/37418), [@​brb](https://github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/rupaschomaker/home-cluster). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40My41IiwidXBkYXRlZEluVmVyIjoiNDEuNDMuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvY29udGFpbmVyIiwidHlwZS9taW5vciJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Jul 30, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.17.6` -> `1.18.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.0`](https://github.com/cilium/cilium/releases/tag/v1.18.0): 1.18.0 [Compare Source](cilium/cilium@1.17.6...1.18.0) We are excited to announce the **[Cilium 1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0)** release! A total of **3298 new commits** have been contributed to this release by a growing community of over **955 developers** and over **22,000 GitHub stars**! ⭐ To keep up to date with all the latest Cilium releases, see [Announcements](https://github.com/cilium/cilium/discussions/categories/announcements) Here's what's new in [v1.18.0](https://github.com/cilium/cilium/releases/tag/v1.18.0): #### 🚠 Networking - **⚖️ Load Balancing Redesign**: The service load-balancing control-plane in the Cilium agent has been redesigned to reduce memory usage and improve future extensibility of load-balancing features ([cilium/cilium#38469](cilium/cilium#38469), [@​joamaki](https://github.com/joamaki)) - **🔌 Virtual Network Devices**: Added support for new virtual network device configurations such as VXLAN in IPsec (VinE) and IPIP tunnels ([cilium/cilium#37723](cilium/cilium#37723), [@​ldelossa](https://github.com/ldelossa); [cilium/cilium#37346](cilium/cilium#37346), [@​gyutaeb](https://github.com/gyutaeb)) - **Ⓜ️ Multiple Egress Gateways**: Egress Gateways policies can now direct traffic towards multiple gateway nodes ([cilium/cilium#39304](cilium/cilium#39304), [@​carlos-abad](https://github.com/carlos-abad)) - **🚦 Ingress Rate Limiting**: The bandwidth manager now supports ingress rate limiting ([cilium/cilium#36351](cilium/cilium#36351), [@​l1b0k](https://github.com/l1b0k)) - **📢 Multi-Device L2 Announcements**: The L2 pod announcement feature now supports multiple devices ([cilium/cilium#38198](cilium/cilium#38198), [@​dylandreimerink](https://github.com/dylandreimerink)) - **🏢 Neighbor Subsystem Rework**: The neighbor subsystem was made more resilient through a new system that reconciles desired neighbor entries with the kernel state ([cilium/cilium#39987](cilium/cilium#39987), [@​dylandreimerink](https://github.com/dylandreimerink)) #### 🌐 IPv6 - **🚇 Tunneling Underlay**: The tunneling datapath mode now supports using an IPv6 network underlay, including when configured with IPsec transparent encryption ([cilium/cilium#38296](cilium/cilium#38296), [cilium/cilium#39497](cilium/cilium#39497), [@​pchaigno](https://github.com/pchaigno)) - **💬 Kube Proxy Replacement**: Cilium now implements service translation when running on an IPv6 underlay ([cilium/cilium#39074](cilium/cilium#39074), [@​pchaigno](https://github.com/pchaigno)) - **📋 Delegated IPAM**: When delegating IP address management to a third party plugin, Cilium now configures IPv6 routes for connectivity if the plugin supports IPv6 ([cilium/cilium#38249](cilium/cilium#38249), [@​caorui-io](https://github.com/caorui-io), [@​kadevu](https://github.com/kadevu)) - **📦 IP Fragment Support**: Cilium now processes ordered IPv6 fragments to apply policy and routing functionality ([cilium/cilium#38110](cilium/cilium#38110), [@​gentoo-root](https://github.com/gentoo-root)) - **🚪 Egress gateway policies** can now match IPv6 address ranges ([cilium/cilium#38452](cilium/cilium#38452), [@​rgo3](https://github.com/rgo3)) #### 🛡️ Policy & Observability - **🏷️ Policy Names in Hubble-CLI**: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble ([cilium/cilium#39453](cilium/cilium#39453), [@​antonipp](https://github.com/antonipp)) - **📝 Policy Log Fields**: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching ([cilium/cilium#39902](cilium/cilium#39902), [@​squeed](https://github.com/squeed)) - **🛰️ Encapsulated Traffic Decoding**: Hubble decodes encapsulated traffic for deeper introspection into traffic flows ([cilium/cilium#37634](cilium/cilium#37634), [@​kaworu](https://github.com/kaworu)) - **🏰 ClusterMesh Policy Restriction**: A new option allows the **cluster** entity to apply only to the local cluster in ClusterMesh environment ([cilium/cilium#39338](cilium/cilium#39338), [@​MrFreezeex](https://github.com/MrFreezeex)) - **✨ Enhanced Policy Dashboard**: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions ([cilium/cilium#36492](cilium/cilium#36492), [cilium/cilium#37445](cilium/cilium#37445), [@​squeed](https://github.com/squeed)) #### 🌅 Performance - **📊 Scale Test Results**: Cilium implements policies and services up to 45% faster in higher scale environments (Various; [@​marseel](https://github.com/marseel), [cilium/cilium#40227](cilium/cilium#40227)) - **📦 Image Size Reduction**: Docker image sizes are reduced by 32% on arm64 architecture images ([cilium/cilium#40005](cilium/cilium#40005), [@​marseel](https://github.com/marseel)) - **⚡ Improved Policy Performance**: The DNS proxy can process large numbers of IPs faster, and the EndpointSelector match implementation has been optimized ([cilium/cilium#39340](cilium/cilium#39340), [@​squeed](https://github.com/squeed); [cilium/cilium#40414](cilium/cilium#40414), [@​marseel](https://github.com/marseel)) - **🪞 EndpointSlice Mirroring for Multi-Cluster Services**: Clustermesh mirrors EndpointSlice from the local cluster instead of copying the Service selectors when using the MCS-API controller ([cilium/cilium#38596](cilium/cilium#38596), [@​MrFreezeex](https://github.com/MrFreezeex)) - **🌐 KVStoreMesh Optimization**: Cross-cluster state distribution is optimized by only synchronizing identities keyed by ID, not by value ([cilium/cilium#36471](cilium/cilium#36471), [@​HadrienPatte](https://github.com/HadrienPatte)) - **🧠 Egress Gateway Processing**: Egress gateway policy processing is significantly improved when matching a large number of pods ([cilium/cilium#37714](cilium/cilium#37714), [@​giorio94](https://github.com/giorio94)) - **🗑️ Optimized Garbage Collection for Connection Tracking**: Cilium leverages batched iterators for CTMap GC ([cilium/cilium#36288](cilium/cilium#36288), [@​tommyp1ckles](https://github.com/tommyp1ckles)) #### ⚙️ Operations - **📈 API Server Connections at Scale**: Improve kube-apiserver connections behavior at scale through failover and setting better jitter and backoff configurations ([cilium/cilium#37601](cilium/cilium#37601), [@​aditighag](https://github.com/aditighag); [cilium/cilium#38031](cilium/cilium#38031), [@​orange30](https://github.com/orange30); [cilium/cilium#36648](cilium/cilium#36648), [@​wedaly](https://github.com/wedaly)) - **🔄 ConfigMap Synchronization**: New option to automatically synchronize ConfigMap changes into the agent and report metrics for when the effective configuration is different from the desired configuration ([cilium/cilium#36510](cilium/cilium#36510), [@​ovidiutirla](https://github.com/ovidiutirla)) - **🎓 CRD Promotion to Stable**: Promote **CiliumCIDRGroup**, **CiliumLoadBalancerIPPool** and all **BGP** CRDs to stable API ([cilium/cilium#38940](cilium/cilium#38940), [@​christarazi](https://github.com/christarazi); [cilium/cilium#39090](cilium/cilium#39090), [@​pippolo84](https://github.com/pippolo84); [cilium/cilium#37765](cilium/cilium#37765), [@​rastislavs](https://github.com/rastislavs)) - **⛔ Node Taints Handling**: The cilium-operator Deployment uses a new default set of taints which avoids deploying to a drained node ([cilium/cilium#40137](cilium/cilium#40137), [@​Murat](https://github.com/Murat) Parlakisik) - **:wood: Migrate to Slog**: Cilium now uses slog as log library for all components ([cilium/cilium#39664](cilium/cilium#39664), [@​aanm](https://github.com/aanm)) - **🔧 Cilium dependencies** were updated to Kubernetes v1.33, Envoy v1.34, LLVM 19.1, and CNI v1.1 ([cilium/cilium#39124](cilium/cilium#39124), [cilium/cilium#40175](cilium/cilium#40175), [cilium/cilium#39632](cilium/cilium#39632), [@​sayboras](https://github.com/sayboras); [cilium/cilium#38868](cilium/cilium#38868), [@​squeed](https://github.com/squeed)) - **🐧 Minimum Linux Requirements**: The minimum kernel version for this release series is Linux v5.10 or similar, such as RHEL 8.6 ([cilium/cilium#38308](cilium/cilium#38308), [@​julianwiedmann](https://github.com/julianwiedmann)) #### 🕸️ Service Mesh & Gateway API - **⛩️ Gateway API v1.3.0**: Gateway API support is bumped to v1.3.0 ([cilium/cilium#39590](cilium/cilium#39590), [@​sayboras](https://github.com/sayboras)) - **🔗 Improved GatewayClass Configuration**: The new CiliumGatewayClassConfig object adds service type validation allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations ([cilium/cilium#37792](cilium/cilium#37792), [cilium/cilium#37402](cilium/cilium#37402), [cilium/cilium#40138](cilium/cilium#40138), [@​sayboras](https://github.com/sayboras)) - **🚏 Multiple HTTPRoutes**: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service ([cilium/cilium#39922](cilium/cilium#39922), [@​youngnick](https://github.com/youngnick)) - **🪄 Route Changes Reconciliation**: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things ([cilium/cilium#37798](cilium/cilium#37798), [@​sayboras](https://github.com/sayboras)) #### 🏷️ IP Address Management - **☁️ AWS Prefix Delegation**: Prefix delegation on AWS bare metal instances is now supported natively in Cilium's AWS ENI IPAM mode ([cilium/cilium#39678](cilium/cilium#39678), [@​41ks](https://github.com/41ks)) - **🏬 Multi-Pool IPAM with KVStore**: Add support for Multi-Pool IPAM in external KVstore mode ([cilium/cilium#39638](cilium/cilium#39638), [@​pippolo84](https://github.com/pippolo84)) - **🔐 Multi-Pool IPAM with IPSec**: Add support for Multi-Pool IPAM mode with IPSec transparent encryption in tunnel routing mode ([cilium/cilium#39442](cilium/cilium#39442), [@​pippolo84](https://github.com/pippolo84)) - **↪️ Multi-Pool Tunnel Routing**: Add support for tunnel routing in multi-pool IPAM mode ([cilium/cilium#38483](cilium/cilium#38483), [@​pippolo84](https://github.com/pippolo84)) #### 🛣️ BGP - **📇 Route Aggregation**: Add support for BGP route aggregation in the control plane ([cilium/cilium#37275](cilium/cilium#37275), [@​romanspb80](https://github.com/romanspb80)) - **🎯 Overlapping Selector Matches**: Support overlapping selector matches in **CiliumBGPAdvertisement** resources ([cilium/cilium#36414](cilium/cilium#36414), [@​dswaffordcw](https://github.com/dswaffordcw)) - **🆔 New Router ID generation modes**: Generate router-id based on MAC addresses, or from an IP address pool ([cilium/cilium#36451](cilium/cilium#36451), [@​yushoyamaguchi](https://github.com/yushoyamaguchi); [cilium/cilium#38300](cilium/cilium#38300), [@​liyihuang](https://github.com/liyihuang)) #### 🧑💻 Development Experience - **🧪 Test attribution**: Identify owners of test in GitHub workflow results to make it easier to connect with other developers on tricky problems ([cilium/cilium#37027](cilium/cilium#37027), [@​Joe](https://github.com/Joe) Stringer) - **🛏️ Policy REST API**: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred ([cilium/cilium#40212](cilium/cilium#40212), [@​squeed](https://github.com/squeed)) - **🏗️ Feature Deprecation**: Deprecate underused features like Custom Calls, Recorder API and External Workloads ([cilium/cilium#38480](cilium/cilium#38480), [cilium/cilium#39642](cilium/cilium#39642), [cilium/cilium#37418](cilium/cilium#37418), [@​brb](https://github.com/brb)) #### 🏢 Community - **❤️ Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - [ByteDance](https://www.youtube.com/watch?v=cKPW67D7X10), [Canopus Networks](https://www.youtube.com/watch?v=YXl9xuIxylY), [Corner Banca](https://www.youtube.com/watch?v=HVPKSefazl4), [DB Schenker](https://www.cncf.io/case-studies/db-schenker/), [eBay](https://www.youtube.com/watch?v=xEa4KFf5FzY), [ECCO](https://www.cncf.io/case-studies/ecco/), [G-Research](https://www.youtube.com/watch?v=kjSFN34dROQ), [Social Network Company](https://cilium.io/blog/2025/04/15/tetragon-social-networking-user-story/), and [Preferred Networks](https://www.youtube.com/watch?v=n7_I4zu6f_M) - **🇬🇧 London Events**: The community gathered at [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2025-EU) in London - **🇺🇸 Atlanta Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/ciliumcon/) and Cilium Developers Summit in Atlanta, Georgia - **👥 SIG Community Meetings**: [SIG Community](https://github.com/cilium/community/tree/main/sig-community) now meets every first and third Thursday to foster, grow, and sustain the Cilium open source community #### 📔 Full CHANGELOG - Full CHANGELOG.md can be found [here](https://github.com/cilium/cilium/blob/v1.18.0/CHANGELOG.md). And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ :people\_holding\_hands: ❤️ </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xLjMiLCJ1cGRhdGVkSW5WZXIiOiI0MS4xLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImNoYXJ0Il19--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1062 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
1 task
1 task
13 tasks
This was referenced Feb 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Support kube-apiserver high availability with kube-proxy replacement where the agent can fail over to an active kube-apiserver at runtime.
Background
Cilium agent requires a connection to the kube-apiserver control plane to program the BPF datapath without depending on kube-proxy load-balancing when kube-proxy replacement is enabled. To achieve this, Cilium uses
API_SERVER_IPandAPI_SERVER_PORTconfigurations for direct connection to the kube-apiserver. However, this approach doesn't support production environments that require multiple kube-apiservers for high availability. Additionally, it cannot rely on a fixed set of addresses provided at bootstrap time due to potential Kubernetes node failures or recycling in production environments.Commits summary
This PR introduces a flag for user to configure multiple kube-apiserver URLs. Additionally, it adds logic to connect to one of the active kube-apiservers in a cluster during initial connection time, and switches over to the
kubernetesservice at runtime (and post agent restarts).The PR extends - #20090.
See individual commits for implementation details.
Testing
Follow-up:
Automated E2E test in a kind cluster environment.
Fixes: #19038