feat(helm): update chart cilium ( 1.17.3 → 1.18.4 )

[samip5-bot]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	1.17.3 -> 1.18.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cilium/cilium (cilium)

v1.18.4: 1.18.4

Compare Source

Security Advisories

This release addresses GHSA-38pp-6gcp-rqvm.

Summary of Changes

Minor Changes:

• fix indentation for certgen resources in helm templates (Backport PR #​42450, Upstream PR #​42412, @​sdickhoven)

Bugfixes:

• bpf: Do not accidentally update IPcache in cluster-aware routing (Backport PR #​42577, Upstream PR #​42472, @​brb)
• cilium-operator: ciliumendpoints are not garbage collected until a minimum age is reached (5m by default) (Backport PR #​42577, Upstream PR #​42413, @​zhouhaibing089)
• controller: avoid spurious errors when RemoveControllerAndWait is invoked when the controller does not exist (Backport PR #​42617, Upstream PR #​41384, @​asdfmi)
• encrypt status: also check tcx attachment on interfaces (Backport PR #​42450, Upstream PR #​42328, @​bersoare)
• envoy: pass stream idle timeout from Helm to configmap (Backport PR #​42617, Upstream PR #​42499, @​mhofstetter)
• Fix BGP operator crash when bgp-secrets-namespace not set. (Backport PR #​42577, Upstream PR #​42425, @​rastislavs)
• Fix cilium_operator_lbipam_conflicting_pools metric to report correct value. (Backport PR #​42289, Upstream PR #​41999, @​hanapedia)
• Fix issue where fqdn GC starts too early that results in potentially missed ips in the IPCache (Backport PR #​42617, Upstream PR #​42502, @​odinuge)
• Fix potential policy deadlock causing endpoint to use previous identity for policy calculation when endpoint changes identity (Backport PR #​42617, Upstream PR #​42420, @​odinuge)
• Fix the output of cilium lrp list command to show LRP selected backends. (Backport PR #​42577, Upstream PR #​42110, @​Bigdelle)
• Fix trace aggregation for IPv4 Host Firewall, reducing the amount of generated events. (Backport PR #​42617, Upstream PR #​42595, @​smagnani96)
• fix: Panic during endpoint restore due to nil logger (Backport PR #​42450, Upstream PR #​42385, @​pinaki-08)
• gatewayAPI: correctly handle reference to CGCC as cluster-scoped resource instead of namespaced one (Backport PR #​42289, Upstream PR #​42172, @​oblazek)
• operator/ciliumenvoyconfig: consistently propagate --http-stream-idle-timeout value (Backport PR #​42577, Upstream PR #​42495, @​tklauser)
• policy: prevent incorrect mutation of network policy when using policy-default-local-cluster (Backport PR #​42698, Upstream PR #​42668, @​MrFreezeex)
• Preventing removal of existing tproxy iptables rules for other services when they share a name prefix. (Backport PR #​42450, Upstream PR #​42236, @​dackroyd)
• When using the Egress Strict Mode for Transparent Encryption with Wireguard, packets destined to the local host are no longer excluded from encryption enforcement (when leaving the node), and will be dropped. (Backport PR #​42450, Upstream PR #​42419, @​julianwiedmann)

CI Changes:

• .github/actions/e2e: define static job names (Backport PR #​42435, Upstream PR #​42332, @​aanm)
• [v1.18] .github/workflows: Add base-SHA input to ariane triggered workflows (#​42192, @​dylandreimerink)
• ci: Allow for alpine image overwrite within cache Dockerfile (Backport PR #​42289, Upstream PR #​42108, @​jpayne3506)
• conformance-aws-cni: disable l7 proxy with aws-cni (Backport PR #​42617, Upstream PR #​42578, @​aanm)
• Deflake TestNodeManagerAbortReleaseIPReassignment (Backport PR #​42577, Upstream PR #​42276, @​lconnery)
• gh: ginkgo: fix focus for service hairpin test (Backport PR #​42641, Upstream PR #​42633, @​julianwiedmann)
• gh: ginkgo: reduce number of tested k8s versions in PRs (Backport PR #​42470, Upstream PR #​42465, @​julianwiedmann)
• gh: ginkgo: replace rhel8 with 5.10 kernel (Backport PR #​42449, Upstream PR #​42084, @​julianwiedmann)
• gha/conformance-clustermesh: let service nodeport be selected randomly (Backport PR #​42617, Upstream PR #​41697, @​giorio94)
• gha: allow configuring runner for workflows building Cilium binaries (Backport PR #​42617, Upstream PR #​42582, @​giorio94)
• Testing for RHEL8 compatibility now uses a RHEL8.10-compatible kernel (previously this was a RHEL8.6-compatible kernel). (Backport PR #​42604, Upstream PR #​41639, @​julianwiedmann)

Misc Changes:

• [v1.18] deps: bump CNI plugins version (#​42443, @​ferozsalam)
• bpf: host: remove stale code comment (Backport PR #​42450, Upstream PR #​42237, @​julianwiedmann)
• bpf: lxc: always set identity mark on forwarded egressing traffic (Backport PR #​42617, Upstream PR #​42551, @​julianwiedmann)
• bpf: nodeport: don't include EGW reply hook in bpf_wireguard (Backport PR #​42450, Upstream PR #​42187, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.18) (#​42397, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42541, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42682, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.8 (v1.18) (#​42346, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e3652a0 (v1.18) (#​42539, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.10 docker digest to c3ea417 (v1.18) (#​42679, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.9 docker digest to 5034fa4 (v1.18) (#​42396, @​cilium-renovate[bot])
• chore(deps): update github artifact actions (v1.18) (#​42398, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.10 (v1.18) (#​42621, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.10-1762597008-ff7ae7d623be00078865cff1b0672cc5d9bfc6d5 (v1.18) (#​42680, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-llvm docker tag to v1758805548 (v1.18) (#​42399, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42540, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42681, @​cilium-renovate[bot])
• ci: Add workflow permissions for auto-approve and renovate (Backport PR #​42450, Upstream PR #​42281, @​kyle-c-simmons)
• ci: Fix call-backport-label-updater permissions (Backport PR #​42450, Upstream PR #​42510, @​kyle-c-simmons)
• ci: Update hubble test workflow permissions (Backport PR #​42450, Upstream PR #​41911, @​kyle-c-simmons)
• cilium, routes: Downgrade warning on direct-routing-skip-unreachable (Backport PR #​42289, Upstream PR #​42210, @​borkmann)
• docs: tuning: remove some references to old kernels (Backport PR #​42617, Upstream PR #​42601, @​julianwiedmann)
• Docs: update fragmentation docs to reflect ipv6 (Backport PR #​42289, Upstream PR #​41748, @​tommyp1ckles)
• fix: run post-release and publish-helm workflows on cilium org (Backport PR #​42450, Upstream PR #​42279, @​sekhar-isovalent)
• loadbalancer: fix up code comment (Backport PR #​42450, Upstream PR #​42273, @​julianwiedmann)
• Log proxy instance creation at debug level (Backport PR #​42617, Upstream PR #​42319, @​sjohnsonpal)
• operator: Prevent panic when GCing identities (Backport PR #​42289, Upstream PR #​42217, @​HadrienPatte)
• pkg/nodediscover: Don't log warnings for intermittent updates (Backport PR #​42577, Upstream PR #​42505, @​aditighag)

Other Changes:

• [v1.18] ipam: fix TestNodeManagerAbortReleaseIPReassignment test (#​42636, @​rastislavs)
• [v1.18] test: ginkgo: skip BPF masq tests on configs without external node (#​42462, @​julianwiedmann)
• install: Update image digests for v1.18.3 (#​42344, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.4@​sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
quay.io/cilium/cilium:stable@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.4@​sha256:c240a7cbead5479d9085b5e837977bf6750164167a1c9f956720815d160d447d
quay.io/cilium/clustermesh-apiserver:stable@sha256:c240a7cbead5479d9085b5e837977bf6750164167a1c9f956720815d160d447d

docker-plugin

quay.io/cilium/docker-plugin:v1.18.4@​sha256:5ec897904e4bd9784df8353b1bdc3559f541f4ca5957103addd46b600430888a
quay.io/cilium/docker-plugin:stable@sha256:5ec897904e4bd9784df8353b1bdc3559f541f4ca5957103addd46b600430888a

hubble-relay

quay.io/cilium/hubble-relay:v1.18.4@​sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723
quay.io/cilium/hubble-relay:stable@sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.4@​sha256:c57d07e5dde3a1974c5cd5d46596db5ea7264f66e9e4ce98a59236aa88b857f7
quay.io/cilium/operator-alibabacloud:stable@sha256:c57d07e5dde3a1974c5cd5d46596db5ea7264f66e9e4ce98a59236aa88b857f7

operator-aws

quay.io/cilium/operator-aws:v1.18.4@​sha256:f4c19007a804d37c781d6c8982006c5f1d8a890941036f9ab285e517fd181336
quay.io/cilium/operator-aws:stable@sha256:f4c19007a804d37c781d6c8982006c5f1d8a890941036f9ab285e517fd181336

operator-azure

quay.io/cilium/operator-azure:v1.18.4@​sha256:19e7465ec8b151ec444757b6ce583b7a0d1e5e9fc5e3aef31d90e93019f599ca
quay.io/cilium/operator-azure:stable@sha256:19e7465ec8b151ec444757b6ce583b7a0d1e5e9fc5e3aef31d90e93019f599ca

operator-generic

quay.io/cilium/operator-generic:v1.18.4@​sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012
quay.io/cilium/operator-generic:stable@sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012

operator

quay.io/cilium/operator:v1.18.4@​sha256:78a4f6fb8da0556ed3648aeb789988bd2cb6847c805fb73e381f3e3b17dce0a5
quay.io/cilium/operator:stable@sha256:78a4f6fb8da0556ed3648aeb789988bd2cb6847c805fb73e381f3e3b17dce0a5

v1.18.3: 1.18.3

Compare Source

Summary of Changes

ℹ️ The images in this release were signed with cosign v3. Please use cosign v3 tooling to validate signatures with the following command syntax:

cosign verify --certificate-github-workflow-repository cilium/cilium --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-github-workflow-name 'Image Release Build' --certificate-github-workflow-ref refs/tags/v1.18.3 --certificate-identity https://github.com/cilium/cilium/.github/workflows/build-images-releases.yaml@refs/tags/v1.18.3 quay.io/cilium/operator-aws:v1.18.3 | jq -r '.[].critical.image'

Minor Changes:

• Fix a complexity issue for the bpf_xdp program (Backport PR #​42198, Upstream PR #​42193, @​aspsk)
• hubble: mark kafka l7 visibility as deprecated (Backport PR #​41968, Upstream PR #​41072, @​kaworu)

Bugfixes:

• add the port name for address based LRP so frontend can pick the right backend (Backport PR #​41828, Upstream PR #​41602, @​liyihuang)
• Avoid scenario where ENI device configuration can be skipped. (Backport PR #​41968, Upstream PR #​41760, @​jasonaliyetti)
• Cilium now configures Envoy to allow websocket connections to be passed through with HTTP policies. (Backport PR #​41828, Upstream PR #​41729, @​jrajahalme)
• Fix a bug that was preventing Cilium to delete stale pod CIDRs routes when changing routing mode to native (Backport PR #​41968, Upstream PR #​41819, @​pippolo84)
• Fix a fatal error when accessing multicast map using cilium-dbg bpf multicast (Backport PR #​42151, Upstream PR #​42080, @​tklauser)
• Fix BGP auto discovery not sending community info (Backport PR #​41968, Upstream PR #​41920, @​jiashengz)
• Fix bug in ENI routing where Cilium would chose the wrong subnet for routing traffic on secondary interfaces (Backport PR #​41828, Upstream PR #​40860, @​liyihuang)
• Fix bug that could cause ICMP error packets to have an incorrect inner IP checksum when KPR is enabled. (Backport PR #​41828, Upstream PR #​41551, @​yushoyamaguchi)
• Fix bug with delegated IPAM where IPv6 traffic was routed via the wrong interface (Backport PR #​41968, Upstream PR #​41598, @​NihaNallappagari)
• Fix failing node health check on dual stack cluster if NodeInternalIPs are not configured for both families. (Backport PR #​42055, Upstream PR #​41633, @​Dennor)
• Fix increase in memory usage when service names are looked up at high rate during Hubble flow creation (Backport PR #​42151, Upstream PR #​41965, @​joamaki)
• Fix panic at startup in IPsec subsystem with Multi-Pool IPAM mode (#​41725, @​pippolo84)
• Fix race condition preventing the skiplbmap BPF map from sometimes being pruned after restart. (Backport PR #​41828, Upstream PR #​41529, @​joamaki)
• Fixes a rare bug where endpoints may have incomplete policies in large clusters. (Backport PR #​42151, Upstream PR #​42049, @​squeed)
• hostfw: also exclude non-transparent proxy traffic when BPF masq is enabled (Backport PR #​41989, Upstream PR #​41915, @​julianwiedmann)
• Ignore expected error in neighbor reconciliation (Backport PR #​41968, Upstream PR #​41815, @​dylandreimerink)
• loadbalancer: allow HostPort for multiple protos on same port (Backport PR #​41913, Upstream PR #​41521, @​bersoare)
• operator/pkg/lbipam: fix LoadBalancerIPPool conditions update logic (Backport PR #​41828, Upstream PR #​41322, @​alimehrabikoshki)

CI Changes:

• .actions/cilium-config: add missing extraEnv in GH action (Backport PR #​41828, Upstream PR #​41420, @​aanm)
• .github/workflows: add variable for renovate bot username (Backport PR #​41843, Upstream PR #​41818, @​aanm)
• .github/workflows: automatically add /test for renovate PRs (Backport PR #​41843, Upstream PR #​41770, @​aanm)
• .github/workflows: do not wait on linters form forks (Backport PR #​41828, Upstream PR #​41822, @​aanm)
• .github/workflows: remove reviewers requested by auto-committer[bot] (Backport PR #​41828, Upstream PR #​41759, @​aanm)
• cli: Fix unreliable tests due to error emitted in Cilium logs "retrieving device lxc*: Link not found" (Backport PR #​42200, Upstream PR #​42146, @​fristonio)
• gha: Correct k8s version for f12-datapath-service-ns-misc (Backport PR #​41756, Upstream PR #​41753, @​sayboras)
• ginkgo: add test ownership for ginkgo tests (Backport PR #​42055, Upstream PR #​41950, @​aanm)
• Streamline ci-multi-pool workflow (Backport PR #​41631, Upstream PR #​40658, @​pippolo84)
• workflows: fix GCP OIDC authentication's project ID (#​42173, @​nbusseneau)

Misc Changes:

• .github/workflows: stop build CI images until base images are built (Backport PR #​41828, Upstream PR #​41681, @​aanm)
• agent: Add Cilium health config cell (Backport PR #​42055, Upstream PR #​41627, @​aditighag)
• bpf/nat: Move ipv6_nat_entry to map (Backport PR #​41968, Upstream PR #​41902, @​pchaigno)
• bpf: hostfw: have from-host always pass the ipcache-based src identity (Backport PR #​42113, Upstream PR #​42093, @​julianwiedmann)
• bpf: Only send fillup signal to agent on ENOMEM error (Backport PR #​41968, Upstream PR #​41864, @​borkmann)
• chore(deps): update all github action dependencies (v1.18) (#​41795, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​41931, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42028, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42136, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​42264, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​41716, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​41793, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​42035, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​42116, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.27 (v1.18) (#​42263, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v33 (v1.18) (#​42265, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.7 docker digest to 2c5f7a0 (v1.18) (#​42026, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.7 docker digest to 87916ac (v1.18) (#​41792, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.9 docker digest to 02ce1d7 (v1.18) (#​42253, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.8 (v1.18) (#​42062, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.9 (v1.18) (#​42166, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.7-1759058812-49b096a457d6e7f6d650229cbf95c63d59759331 (v1.18) (#​41933, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​41730, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​41794, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​41930, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42027, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42135, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​42300, @​cilium-renovate[bot])
• doc: add note on hostfw and ipsec interaction (Backport PR #​41968, Upstream PR #​41810, @​darox)
• docs/dsr: Remove IPIP example configuration (Backport PR #​41828, Upstream PR #​41701, @​pchaigno)
• docs: Clarify list of capabilities in threat model (Backport PR #​41828, Upstream PR #​41682, @​joestringer)
• docs: fix broken Chainguard SBOM link (Backport PR #​41828, Upstream PR #​41719, @​yashisrani)
• docs: remove stale kernel requirements (Backport PR #​42151, Upstream PR #​42081, @​julianwiedmann)
• docs: Update iproute2 compile steps in reference guide. (Backport PR #​41828, Upstream PR #​41638, @​dkanaliev)
• endpoint: reduce missed-policy-update log severity for restoring eps (Backport PR #​42055, Upstream PR #​41095, @​fristonio)
• endpointsynchronizer: suppress warning log when endpoint is terminating (Backport PR #​41828, Upstream PR #​41755, @​giorio94)
• gateway-api: Fix incorrect Owns call in refactor (Backport PR #​41968, Upstream PR #​41807, @​youngnick)
• hubble: allow overrrides if building from outside the tree (Backport PR #​41828, Upstream PR #​41726, @​tklauser)
• ipsec: add support for using remote PodCIDR entries (Backport PR #​42073, Upstream PR #​41519, @​julianwiedmann)
• Make kubeProxyReplacement available in the reference and documentation (Backport PR #​41968, Upstream PR #​41535, @​liyihuang)
• redirectpolicy: Always OpenOrCreate SkipLB map to avoid loader race (Backport PR #​41968, Upstream PR #​41707, @​joamaki)
• redirectpolicy: Fix comparison of BackendParams (Backport PR #​41848, Upstream PR #​41705, @​joamaki)
• Remove kiam documentation from Local Redirect Policy (Backport PR #​41968, Upstream PR #​41644, @​liyihuang)
• Update checkpatch and startup-script image digest (Backport PR #​41828, Upstream PR #​41710, @​HadrienPatte)

Other Changes:

• [v1.18] gateway-api: Refactor Gateway API reconciler (#​41720, @​youngnick)
• [v1.18] workflows/release: add secrets for step 4 and 5 (#​41733, @​jrajahalme)
• install: Update image digests for v1.18.2 (#​41722, @​cilium-release-bot[bot])
• proxy: Bump cilium-envoy to 1.34.10 (#​42251, @​sayboras)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.3@​sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15
quay.io/cilium/cilium:stable@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.3@​sha256:0d15efc992a85003759232598bf05fb1a4cd3c9fa28fb96bee1789ffe27cc50d
quay.io/cilium/clustermesh-apiserver:stable@sha256:0d15efc992a85003759232598bf05fb1a4cd3c9fa28fb96bee1789ffe27cc50d

docker-plugin

quay.io/cilium/docker-plugin:v1.18.3@​sha256:996d9fa5747175b1806ce01dd90dc586a5f52a32b7da409937a1f42714827d67
quay.io/cilium/docker-plugin:stable@sha256:996d9fa5747175b1806ce01dd90dc586a5f52a32b7da409937a1f42714827d67

hubble-relay

quay.io/cilium/hubble-relay:v1.18.3@​sha256:e53e00c47fe4ffb9c086bad0c1c77f23cb968be4385881160683d9e15aa34dc3
quay.io/cilium/hubble-relay:stable@sha256:e53e00c47fe4ffb9c086bad0c1c77f23cb968be4385881160683d9e15aa34dc3

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.3@​sha256:df8b6830ef0545199cffc5fb9fbf14c9dc8d92093b0e6355d8659705227f89ef
quay.io/cilium/operator-alibabacloud:stable@sha256:df8b6830ef0545199cffc5fb9fbf14c9dc8d92093b0e6355d8659705227f89ef

operator-aws

quay.io/cilium/operator-aws:v1.18.3@​sha256:ef39d61183b3bdf0e235650461b6c4d9ec7aa5f61a6c770f33c47a6bc5165e24
quay.io/cilium/operator-aws:stable@sha256:ef39d61183b3bdf0e235650461b6c4d9ec7aa5f61a6c770f33c47a6bc5165e24

operator-azure

quay.io/cilium/operator-azure:v1.18.3@​sha256:10a8a83ca6f0b02432c1ca0e67af98a48fdbefb684af44a399f58184ab174143
quay.io/cilium/operator-azure:stable@sha256:10a8a83ca6f0b02432c1ca0e67af98a48fdbefb684af44a399f58184ab174143

operator-generic

quay.io/cilium/operator-generic:v1.18.3@​sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797
quay.io/cilium/operator-generic:stable@sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797

operator

quay.io/cilium/operator:v1.18.3@​sha256:e350cea751afeae2f226a1bc275649c77a04a1e1ff50e61d782a371eae6fb2ff
quay.io/cilium/operator:stable@sha256:e350cea751afeae2f226a1bc275649c77a04a1e1ff50e61d782a371eae6fb2ff

v1.18.2: 1.18.2

Compare Source

Summary of Changes

Minor Changes:

• Fix validation bug where namespaced CiliumNetworkPolicies with nodeSelector in specs array were silently accepted but ignored. Now properly rejected with validation error. (Backport PR #​41365, Upstream PR #​40702, @​pillai-ashwin)
• lbipam: do not reallocate IPs in LB IPAM on operator restart (Backport PR #​41267, Upstream PR #​41147, @​marseel)
• lbipam: widening CIDR range or updating selector of CiliumLoadBalancerIPPool does no longer reassign IPs (Backport PR #​41267, Upstream PR #​41122, @​marseel)

Bugfixes:

• Add option to configure BGP origin attribute for LoadBalancer IPs in BGP Control Plane v2, allowing smoother migration from MetalLB integration. (Backport PR #​41479, Upstream PR #​41231, @​hanapedia)
• Add toleration for 'node.cloudprovider.kubernetes.io/uninitialized' to Cilium Operator (Backport PR #​41267, Upstream PR #​41098, @​guettli)
• bgpv2: Avoid modifying CiliumBGPPeerConfig in resource store (Backport PR #​41267, Upstream PR #​41088, @​rastislavs)
• bpf: add support for delinearized ARP packets (Backport PR #​41365, Upstream PR #​41233, @​vsinitsyn)
• ctmap/gc: continue interval time on partial GC pass. (Backport PR #​41591, Upstream PR #​41258, @​tommyp1ckles)
• Disable unnecessary headless service watching to reduce API server load in clusters not using the Gateway API or Ingress features. (Backport PR #​41479, Upstream PR #​40844, @​moscicky)
• Fix "Error while correcting L4 checksum" dropped packets for ICMP destination unreachable error packets. (Backport PR #​41591, Upstream PR #​40194, @​br4243)
• Fix "No mapping for NAT masquerade" flakes in the CI, make NAT LRU fallbacks more robust. (Backport PR #​41365, Upstream PR #​40971, @​gentoo-root)
• Fix --exclude-local-address with eBPF Host-Routing (Backport PR #​41365, Upstream PR #​41275, @​antonipp)
• Fix a BGP bug where the routerID specified in a CiliumBGPNodeConfigOverride was not correctly updated in RouterIDIPPool mode. (Backport PR #​41267, Upstream PR #​40340, @​liyihuang)
• Fix a bug that would cause NodePort requests to be sent to the wrong backends when using KPR and Clustermesh with two identical, non-global NodePort services on different clusters. (Backport PR #​41591, Upstream PR #​41337, @​pchaigno)
• Fix a bug where cilium-agent would report "Link not found" for an endpoint deleted during state restore after cilium-agent restart. (Backport PR #​41267, Upstream PR #​40568, @​fristonio)
• Fix a regression where enabling unknown Hubble metrics would crash the cilium agent (Backport PR #​41479, Upstream PR #​41368, @​devodev)
• Fix agent config initContainer unable to hit apiservers in apiServerURLs by passing as container arg (Backport PR #​41267, Upstream PR #​41110, @​JJGadgets)
• Fix bug that would cause error messages when disabling agent health checks (Backport PR #​41479, Upstream PR #​41297, @​HadrienPatte)
• Fix issue in Local Redirect Policies where traffic was dropped when no local pods were available to be redirected to. In these scenarios the traffic should have been processed as if the Local Redirect Policy did not exist. (Backport PR #​41591, Upstream PR #​41463, @​joamaki)
• Fix issue where Local Redirect Policy (LRP) services with a single named port did not create a local redirect service entry. (Backport PR #​41591, Upstream PR #​41534, @​aditighag)
• Fix the bug local redirect policy not doing filter based destination port (Backport PR #​41479, Upstream PR #​41411, @​liyihuang)
• Fixes a cosmetic bug where the cilium_bpf_map_ops_total error count was incorrectly being incremented for map cilium_lb_affinity_match. (Backport PR #​41479, Upstream PR #​41378, @​squeed)
• Fixes an issue in NodeManager where restored cluster nodes can be pruned before the initial node listing completes. (Backport PR #​41267, Upstream PR #​41039, @​0xch4z)
• Helm: Ensure consistent default labels for all ServiceMonitor resources (Backport PR #​41267, Upstream PR #​41240, @​baurmatt)
• iptables: Fix IPv6 SNAT for L7 proxy upstream traffic (Backport PR #​41249, Upstream PR #​41034, @​gentoo-root)
• loadbalancer/writer: add support for SetIsServiceHealthCheckedFunc (Backport PR #​41267, Upstream PR #​41092, @​mhofstetter)
• neighbor: Fix bug where neighbor discovery subsystem reports unhealthy when it is healthy (Backport PR #​41365, Upstream PR #​41186, @​mhofstetter)
• pkg/ipam: fix nil dereference during pool shrink operation (Backport PR #​41365, Upstream PR #​41198, @​alimehrabikoshki)
• policy: fix agent crash due to policy cache update-delete race (Backport PR #​41267, Upstream PR #​41079, @​fristonio)

CI Changes:

• .github/actions: fix boolean condition check in post-logic action (Backport PR #​41479, Upstream PR #​41395, @​aanm)
• .github/worfklows: copy cilium-cli binary from container (Backport PR #​41591, Upstream PR #​41524, @​aanm)
• .github/workflows: add proper suffix for scale-test-egw (Backport PR #​41591, Upstream PR #​41477, @​aanm)
• .github/workflows: add timeout to Install node local DNS step (Backport PR #​41267, Upstream PR #​41120, @​aanm)
• .github/workflows: separate feature json files in different dirs (Backport PR #​41479, Upstream PR #​41403, @​aanm)
• .github/workflows: simplify ginkgo workflow (Backport PR #​41479, Upstream PR #​41396, @​aanm)
• .github/workflows: simplify ginkgo workflow (Backport PR #​41591, Upstream PR #​41396, @​aanm)
• .github: fix upload artifacts for features.json (Backport PR #​41365, Upstream PR #​41119, @​aanm)
• add missing extraArgs in CI (Backport PR #​41365, Upstream PR #​41005, @​aanm)
• checkpatch: bump checkpatch version, and minor adaptations (Backport PR #​41365, Upstream PR #​41290, @​giorio94)
• ci: Re-enable go caches for privileged tests (Backport PR #​41267, Upstream PR #​41102, @​rastislavs)
• ci: simplify

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[samip5-bot]

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -9,12 +9,13 @@

   identity-heartbeat-timeout: 30m0s
   identity-gc-interval: 15m0s
   cilium-endpoint-gc-interval: 5m0s
   nodes-gc-interval: 5m0s
   debug: 'false'
   debug-verbose: ''
+  metrics-sampling-interval: 5m
   enable-policy: default
   policy-cidr-match-mode: ''
   proxy-prometheus-port: '9964'
   operator-prometheus-serve-addr: :9963
   enable-metrics: 'true'
   enable-policy-secrets-sync: 'true'
@@ -27,12 +28,13 @@

   enable-bpf-tproxy: 'true'
   monitor-aggregation: medium
   monitor-aggregation-interval: 5s
   monitor-aggregation-flags: all
   bpf-map-dynamic-size-ratio: '0.0025'
   bpf-policy-map-max: '16384'
+  bpf-policy-stats-map-max: '65536'
   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
   bpf-lb-source-range-all-types: 'false'
   bpf-lb-algorithm-annotation: 'false'
   bpf-lb-mode-annotation: 'false'
   bpf-distributed-lru: 'false'
@@ -60,27 +62,24 @@

   iptables-random-fully: 'false'
   auto-direct-node-routes: 'false'
   direct-routing-skip-unreachable: 'false'
   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: 10.40.0.0/16
   ipv6-native-routing-cidr: fd94:9bde:1ebb::/48
-  enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
   bpf-lb-sock: 'false'
   bpf-lb-sock-hostns-only: 'true'
   nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-acceleration: disabled
-  enable-experimental-lb: 'false'
   enable-svc-source-range-check: 'true'
-  enable-l2-neigh-discovery: 'true'
-  arping-refresh-period: 30s
+  enable-l2-neigh-discovery: 'false'
   k8s-require-ipv4-pod-cidr: 'false'
   k8s-require-ipv6-pod-cidr: 'false'
   enable-k8s-networkpolicy: 'true'
   enable-endpoint-lockdown-on-policy-overflow: 'false'
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
   cni-exclusive: 'false'
@@ -93,16 +92,15 @@

   synchronize-k8s-nodes: 'true'
   operator-api-serve-addr: 127.0.0.1:9234
   enable-hubble: 'true'
   hubble-socket-path: /var/run/cilium/hubble.sock
   hubble-metrics-server: :9965
   hubble-metrics-server-enable-tls: 'false'
+  enable-hubble-open-metrics: 'false'
   hubble-metrics: dns:query drop tcp flow port-distribution icmp http
-  enable-hubble-open-metrics: 'false'
-  hubble-export-file-max-size-mb: '10'
-  hubble-export-file-max-backups: '5'
+  hubble-network-policy-correlation-enabled: 'true'
   hubble-listen-address: :4244
   hubble-disable-tls: 'false'
   hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
   hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
   hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
   ipam: kubernetes
@@ -114,15 +112,18 @@

   vtep-cidr: ''
   vtep-mask: ''
   vtep-mac: ''
   enable-bgp-control-plane: 'true'
   bgp-secrets-namespace: kube-system
   enable-bgp-control-plane-status-report: 'true'
+  bgp-router-id-allocation-mode: default
+  bgp-router-id-allocation-ip-pool: ''
+  enable-bgp-legacy-origin-attribute: 'false'
   bpf-root: /sys/fs/bpf
   cgroup-root: /run/cilium/cgroupv2
-  enable-k8s-terminating-endpoint: 'true'
+  identity-management-mode: agent
   enable-sctp: 'false'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
   unmanaged-pod-watcher-interval: '15'
   dnsproxy-enable-transparent-mode: 'true'
@@ -130,12 +131,13 @@

   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
   tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
+  tofqdns-preallocate-identities: 'true'
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
   mesh-auth-enabled: 'true'
   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
   proxy-xff-num-trusted-hops-ingress: '0'
@@ -144,19 +146,21 @@

   proxy-initial-fetch-timeout: '30'
   proxy-max-requests-per-connection: '0'
   proxy-max-connection-duration-seconds: '0'
   proxy-idle-timeout-seconds: '60'
   proxy-max-concurrent-retries: '128'
   http-retry-count: '3'
+  http-stream-idle-timeout: '300'
   external-envoy-proxy: 'false'
   envoy-base-id: '0'
   envoy-access-log-buffer-size: '4096'
   envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
   clustermesh-enable-endpoint-sync: 'false'
   clustermesh-enable-mcs-api: 'false'
+  policy-default-local-cluster: 'false'
   nat-map-stats-entries: '32'
   nat-map-stats-interval: 30s
   enable-internal-traffic-policy: 'true'
   enable-lb-ipam: 'true'
   enable-non-default-deny-policies: 'true'
   enable-source-ip-verification: 'true'
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

@@ -2,17 +2,39 @@

 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: hubble-ui-nginx
   namespace: kube-system
 data:
-  nginx.conf: "server {\n    listen       8081;\n    listen       [::]:8081;\n   \
-    \ server_name  localhost;\n    root /app;\n    index index.html;\n    client_max_body_size\
-    \ 1G;\n\n    location / {\n        proxy_set_header Host $host;\n        proxy_set_header\
-    \ X-Real-IP $remote_addr;\n\n        location /api {\n            proxy_http_version\
-    \ 1.1;\n            proxy_pass_request_headers on;\n            proxy_pass http://127.0.0.1:8090;\n\
-    \        }\n        location / {\n            # double `/index.html` is required\
-    \ here \n            try_files $uri $uri/ /index.html /index.html;\n        }\n\
-    \n        # Liveness probe\n        location /healthz {\n            access_log\
-    \ off;\n            add_header Content-Type text/plain;\n            return 200\
-    \ 'ok';\n        }\n    }\n}"
+  nginx.conf: |-
+    server {
+        listen       8081;
+        listen       [::]:8081;
+        server_name  localhost;
+        root /app;
+        index index.html;
+        client_max_body_size 1G;
 
+        location / {
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+
+            location /api {
+                proxy_http_version 1.1;
+                proxy_pass_request_headers on;
+                proxy_pass http://127.0.0.1:8090;
+            }
+            location / {
+                if ($http_user_agent ~* "kube-probe") { access_log off; }
+                # double `/index.html` is required here
+                try_files $uri $uri/ /index.html /index.html;
+            }
+
+            # Liveness probe
+            location /healthz {
+                access_log off;
+                add_header Content-Type text/plain;
+                return 200 'ok';
+            }
+        }
+    }
+
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -172,21 +172,21 @@

   - ciliumclusterwideenvoyconfigs.cilium.io
   - ciliumclusterwidenetworkpolicies.cilium.io
   - ciliumegressgatewaypolicies.cilium.io
   - ciliumendpoints.cilium.io
   - ciliumendpointslices.cilium.io
   - ciliumenvoyconfigs.cilium.io
-  - ciliumexternalworkloads.cilium.io
   - ciliumidentities.cilium.io
   - ciliumlocalredirectpolicies.cilium.io
   - ciliumnetworkpolicies.cilium.io
   - ciliumnodes.cilium.io
   - ciliumnodeconfigs.cilium.io
   - ciliumcidrgroups.cilium.io
   - ciliuml2announcementpolicies.cilium.io
   - ciliumpodippools.cilium.io
+  - ciliumgatewayclassconfigs.cilium.io
 - apiGroups:
   - cilium.io
   resources:
   - ciliumloadbalancerippools
   - ciliumpodippools
   - ciliumbgppeeringpolicies
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,24 +16,27 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 307609a3f910d73be23b5aab792fd9b34cceae6b78a601d22b501e193c8322d9
+        cilium.io/cilium-configmap-checksum: 8da75c3b153cc8cfbf56dde40678617faa0e88cbfab84b6c550fa209b19404d5
+        kubectl.kubernetes.io/default-container: cilium-agent
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
+        seccompProfile:
+          type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -42,25 +45,27 @@

             path: /healthz
             port: 9879
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
-          failureThreshold: 105
+          failureThreshold: 300
           periodSeconds: 2
           successThreshold: 1
           initialDelaySeconds: 5
         livenessProbe:
           httpGet:
             host: 127.0.0.1
             path: /healthz
             port: 9879
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
+            - name: require-k8s-connectivity
+              value: 'false'
           periodSeconds: 30
           successThreshold: 1
           failureThreshold: 10
           timeoutSeconds: 5
         readinessProbe:
           httpGet:
@@ -94,12 +99,16 @@

               resource: limits.memory
               divisor: '1'
         - name: KUBERNETES_SERVICE_HOST
           value: 192.168.2.129
         - name: KUBERNETES_SERVICE_PORT
           value: '6443'
+        - name: KUBE_CLIENT_BACKOFF_BASE
+          value: '1'
+        - name: KUBE_CLIENT_BACKOFF_DURATION
+          value: '120'
         lifecycle:
           postStart:
             exec:
               command:
               - bash
               - -c
@@ -162,13 +171,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -187,13 +196,13 @@

           value: '6443'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /run/cilium/cgroupv2
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -210,13 +219,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -231,13 +240,13 @@

         - name: cni-path
           mountPath: /hostbin
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -270,13 +279,13 @@

         - name: cilium-cgroup
           mountPath: /run/cilium/cgroupv2
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.17.3@sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873
+        image: quay.io/cilium/cilium:v1.18.4@sha256:49d87af187eeeb9e9e3ec2bc6bd372261a0b5cb2d845659463ba7cc10fe9e45f
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,24 +20,27 @@

       maxSurge: 25%
       maxUnavailable: 100%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 307609a3f910d73be23b5aab792fd9b34cceae6b78a601d22b501e193c8322d9
+        cilium.io/cilium-configmap-checksum: 8da75c3b153cc8cfbf56dde40678617faa0e88cbfab84b6c550fa209b19404d5
         prometheus.io/port: '9963'
         prometheus.io/scrape: 'true'
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.17.3@sha256:8bd38d0e97a955b2d725929d60df09d712fb62b60b930551a29abac2dd92e597
+        image: quay.io/cilium/operator-generic:v1.18.4@sha256:1b22b9ff28affdf574378a70dade4ef835b00b080c2ee2418530809dd62c3012
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
@@ -87,12 +90,17 @@

           timeoutSeconds: 3
           failureThreshold: 5
         volumeMounts:
         - name: cilium-config-path
           mountPath: /tmp/cilium/config-map
           readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
         terminationMessagePolicy: FallbackToLogsOnError
       hostNetwork: true
       restartPolicy: Always
       priorityClassName: system-cluster-critical
       serviceAccountName: cilium-operator
       automountServiceAccountToken: true
@@ -103,12 +111,21 @@

               matchLabels:
                 io.cilium/app: operator
             topologyKey: kubernetes.io/hostname
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
-      - operator: Exists
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+      - key: node.kubernetes.io/not-ready
+        operator: Exists
+      - key: node.cloudprovider.kubernetes.io/uninitialized
+        operator: Exists
+      - key: node.cilium.io/agent-not-ready
+        operator: Exists
       volumes:
       - name: cilium-config-path
         configMap:
           name: cilium-config
 
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -27,22 +27,27 @@

         k8s-app: hubble-relay
         app.kubernetes.io/name: hubble-relay
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         fsGroup: 65532
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: hubble-relay
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.17.3@sha256:f8674b5139111ac828a8818da7f2d344b4a5bfbaeb122c5dc9abed3e74000c55
+          seccompProfile:
+            type: RuntimeDefault
+        image: quay.io/cilium/hubble-relay:v1.18.4@sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -17,13 +17,13 @@

     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/hubble-ui-nginx-configmap-checksum: de069d2597e16e4de004ce684b15d74b2ab6051c717ae073d86199a76d91fcf1
+        cilium.io/hubble-ui-nginx-configmap-checksum: 76283720d1bb70050debf51116121fa9a67ebc9d1cd9167c3dd9bdbfb613df37
       labels:
         k8s-app: hubble-ui
         app.kubernetes.io/name: hubble-ui
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
@@ -32,13 +32,13 @@

         runAsUser: 1001
       priorityClassName: null
       serviceAccountName: hubble-ui
       automountServiceAccountToken: true
       containers:
       - name: frontend
-        image: quay.io/cilium/hubble-ui:v0.13.2@sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392
+        image: quay.io/cilium/hubble-ui:v0.13.3@sha256:661d5de7050182d495c6497ff0b007a7a1e379648e60830dd68c4d78ae21761d
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
           containerPort: 8081
         livenessProbe:
           httpGet:
@@ -52,25 +52,29 @@

         - name: hubble-ui-nginx-conf
           mountPath: /etc/nginx/conf.d/default.conf
           subPath: nginx.conf
         - name: tmp-dir
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: backend
-        image: quay.io/cilium/hubble-ui-backend:v0.13.2@sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15
+        image: quay.io/cilium/hubble-ui-backend:v0.13.3@sha256:db1454e45dc39ca41fbf7cad31eec95d99e5b9949c39daaad0fa81ef29d56953
         imagePullPolicy: IfNotPresent
         env:
         - name: EVENTS_SERVER_PORT
           value: '8090'
         - name: FLOWS_API_ADDR
           value: hubble-relay:80
         ports:
         - name: grpc
           containerPort: 8090
         volumeMounts: null
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
       volumes:
       - configMap:
           defaultMode: 420
           name: hubble-ui-nginx
--- HelmRelease: kube-system/cilium CronJob: kube-system/hubble-generate-certs

+++ HelmRelease: kube-system/cilium CronJob: kube-system/hubble-generate-certs

@@ -20,13 +20,13 @@

         spec:
           securityContext:
             seccompProfile:
               type: RuntimeDefault
           containers:
           - name: certgen
-            image: quay.io/cilium/certgen:v0.2.1@sha256:ab6b1928e9c5f424f6b0f51c68065b9fd85e2f8d3e5f21fbd1a3cb27e6fb9321
+            image: quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff
             imagePullPolicy: IfNotPresent
             securityContext:
               capabilities:
                 drop:
                 - ALL
               allowPrivilegeEscalation: false
--- HelmRelease: kube-system/cilium Job: kube-system/hubble-generate-certs

+++ HelmRelease: kube-system/cilium Job: kube-system/hubble-generate-certs

@@ -18,13 +18,13 @@

     spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: certgen
-        image: quay.io/cilium/certgen:v0.2.1@sha256:ab6b1928e9c5f424f6b0f51c68065b9fd85e2f8d3e5f21fbd1a3cb27e6fb9321
+        image: quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff
         imagePullPolicy: IfNotPresent
         securityContext:
           capabilities:
             drop:
             - ALL
           allowPrivilegeEscalation: false

[samip5-bot]

--- k8s/media/apps/kube-system/cilium/app Kustomization: flux-system/cluster-apps-cilium HelmRelease: kube-system/cilium

+++ k8s/media/apps/kube-system/cilium/app Kustomization: flux-system/cluster-apps-cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

       chart: cilium
       interval: 5m
       sourceRef:
         kind: HelmRepository
         name: cilium-charts
         namespace: flux-system
-      version: 1.17.3
+      version: 1.18.4
   install:
     createNamespace: true
     remediation:
       retries: 2
   interval: 5m
   upgrade: