feat(helm): update chart cilium ( 1.17.4 → 1.18.3 ) #79

renovate · 2025-06-24T06:43:19Z

This PR contains the following updates:

Package	Update	Change
cilium (source)	minor	`1.17.4` -> `1.18.3`

Release Notes

cilium/cilium (cilium)

`v1.18.3`: 1.18.3

Compare Source

Summary of Changes

ℹ️ The images in this release were signed with cosign v3. Please use cosign v3 tooling to validate signatures with the following command syntax:

cosign verify --certificate-github-workflow-repository cilium/cilium --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-github-workflow-name 'Image Release Build' --certificate-github-workflow-ref refs/tags/v1.18.3 --certificate-identity https://github.com/cilium/cilium/.github/workflows/build-images-releases.yaml@refs/tags/v1.18.3 quay.io/cilium/operator-aws:v1.18.3 | jq -r '.[].critical.image'

Minor Changes:

Fix a complexity issue for the bpf_xdp program (Backport PR #42198, Upstream PR #42193, @aspsk)
hubble: mark kafka l7 visibility as deprecated (Backport PR #41968, Upstream PR #41072, @kaworu)

Bugfixes:

add the port name for address based LRP so frontend can pick the right backend (Backport PR #41828, Upstream PR #41602, @liyihuang)
Avoid scenario where ENI device configuration can be skipped. (Backport PR #41968, Upstream PR #41760, @jasonaliyetti)
Cilium now configures Envoy to allow websocket connections to be passed through with HTTP policies. (Backport PR #41828, Upstream PR #41729, @jrajahalme)
Fix a bug that was preventing Cilium to delete stale pod CIDRs routes when changing routing mode to native (Backport PR #41968, Upstream PR #41819, @pippolo84)
Fix a fatal error when accessing multicast map using cilium-dbg bpf multicast (Backport PR #42151, Upstream PR #42080, @tklauser)
Fix BGP auto discovery not sending community info (Backport PR #41968, Upstream PR #41920, @jiashengz)
Fix bug in ENI routing where Cilium would chose the wrong subnet for routing traffic on secondary interfaces (Backport PR #41828, Upstream PR #40860, @liyihuang)
Fix bug that could cause ICMP error packets to have an incorrect inner IP checksum when KPR is enabled. (Backport PR #41828, Upstream PR #41551, @yushoyamaguchi)
Fix bug with delegated IPAM where IPv6 traffic was routed via the wrong interface (Backport PR #41968, Upstream PR #41598, @NihaNallappagari)
Fix failing node health check on dual stack cluster if NodeInternalIPs are not configured for both families. (Backport PR #42055, Upstream PR #41633, @Dennor)
Fix increase in memory usage when service names are looked up at high rate during Hubble flow creation (Backport PR #42151, Upstream PR #41965, @joamaki)
Fix panic at startup in IPsec subsystem with Multi-Pool IPAM mode (#41725, @pippolo84)
Fix race condition preventing the skiplbmap BPF map from sometimes being pruned after restart. (Backport PR #41828, Upstream PR #41529, @joamaki)
Fixes a rare bug where endpoints may have incomplete policies in large clusters. (Backport PR #42151, Upstream PR #42049, @squeed)
hostfw: also exclude non-transparent proxy traffic when BPF masq is enabled (Backport PR #41989, Upstream PR #41915, @julianwiedmann)
Ignore expected error in neighbor reconciliation (Backport PR #41968, Upstream PR #41815, @dylandreimerink)
loadbalancer: allow HostPort for multiple protos on same port (Backport PR #41913, Upstream PR #41521, @bersoare)
operator/pkg/lbipam: fix LoadBalancerIPPool conditions update logic (Backport PR #41828, Upstream PR #41322, @alimehrabikoshki)

CI Changes:

.actions/cilium-config: add missing extraEnv in GH action (Backport PR #41828, Upstream PR #41420, @aanm)
.github/workflows: add variable for renovate bot username (Backport PR #41843, Upstream PR #41818, @aanm)
.github/workflows: automatically add /test for renovate PRs (Backport PR #41843, Upstream PR #41770, @aanm)
.github/workflows: do not wait on linters form forks (Backport PR #41828, Upstream PR #41822, @aanm)
.github/workflows: remove reviewers requested by auto-committer[bot] (Backport PR #41828, Upstream PR #41759, @aanm)
cli: Fix unreliable tests due to error emitted in Cilium logs "retrieving device lxc*: Link not found" (Backport PR #42200, Upstream PR #42146, @fristonio)
gha: Correct k8s version for f12-datapath-service-ns-misc (Backport PR #41756, Upstream PR #41753, @sayboras)
ginkgo: add test ownership for ginkgo tests (Backport PR #42055, Upstream PR #41950, @aanm)
Streamline ci-multi-pool workflow (Backport PR #41631, Upstream PR #40658, @pippolo84)
workflows: fix GCP OIDC authentication's project ID (#42173, @nbusseneau)

Misc Changes:

.github/workflows: stop build CI images until base images are built (Backport PR #41828, Upstream PR #41681, @aanm)
agent: Add Cilium health config cell (Backport PR #42055, Upstream PR #41627, @aditighag)
bpf/nat: Move ipv6_nat_entry to map (Backport PR #41968, Upstream PR #41902, @pchaigno)
bpf: hostfw: have from-host always pass the ipcache-based src identity (Backport PR #42113, Upstream PR #42093, @julianwiedmann)
bpf: Only send fillup signal to agent on ENOMEM error (Backport PR #41968, Upstream PR #41864, @borkmann)
chore(deps): update all github action dependencies (v1.18) (#41795, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#41931, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#42028, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#42136, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#42264, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#41716, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#41793, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#42035, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#42116, @cilium-renovate[bot])
chore(deps): update dependency cilium/little-vm-helper to v0.0.27 (v1.18) (#42263, @cilium-renovate[bot])
chore(deps): update dependency protocolbuffers/protobuf to v33 (v1.18) (#42265, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.7 docker digest to 2c5f7a0 (v1.18) (#42026, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.7 docker digest to 87916ac (v1.18) (#41792, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.9 docker digest to 02ce1d7 (v1.18) (#42253, @cilium-renovate[bot])
chore(deps): update go to v1.24.8 (v1.18) (#42062, @cilium-renovate[bot])
chore(deps): update go to v1.24.9 (v1.18) (#42166, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.7-1759058812-49b096a457d6e7f6d650229cbf95c63d59759331 (v1.18) (#41933, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#41730, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#41794, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#41930, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#42027, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#42135, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#42300, @cilium-renovate[bot])
doc: add note on hostfw and ipsec interaction (Backport PR #41968, Upstream PR #41810, @darox)
docs/dsr: Remove IPIP example configuration (Backport PR #41828, Upstream PR #41701, @pchaigno)
docs: Clarify list of capabilities in threat model (Backport PR #41828, Upstream PR #41682, @joestringer)
docs: fix broken Chainguard SBOM link (Backport PR #41828, Upstream PR #41719, @yashisrani)
docs: remove stale kernel requirements (Backport PR #42151, Upstream PR #42081, @julianwiedmann)
docs: Update iproute2 compile steps in reference guide. (Backport PR #41828, Upstream PR #41638, @dkanaliev)
endpoint: reduce missed-policy-update log severity for restoring eps (Backport PR #42055, Upstream PR #41095, @fristonio)
endpointsynchronizer: suppress warning log when endpoint is terminating (Backport PR #41828, Upstream PR #41755, @giorio94)
gateway-api: Fix incorrect Owns call in refactor (Backport PR #41968, Upstream PR #41807, @youngnick)
hubble: allow overrrides if building from outside the tree (Backport PR #41828, Upstream PR #41726, @tklauser)
ipsec: add support for using remote PodCIDR entries (Backport PR #42073, Upstream PR #41519, @julianwiedmann)
Make kubeProxyReplacement available in the reference and documentation (Backport PR #41968, Upstream PR #41535, @liyihuang)
redirectpolicy: Always OpenOrCreate SkipLB map to avoid loader race (Backport PR #41968, Upstream PR #41707, @joamaki)
redirectpolicy: Fix comparison of BackendParams (Backport PR #41848, Upstream PR #41705, @joamaki)
Remove kiam documentation from Local Redirect Policy (Backport PR #41968, Upstream PR #41644, @liyihuang)
Update checkpatch and startup-script image digest (Backport PR #41828, Upstream PR #41710, @HadrienPatte)

Other Changes:

[v1.18] gateway-api: Refactor Gateway API reconciler (#41720, @youngnick)
[v1.18] workflows/release: add secrets for step 4 and 5 (#41733, @jrajahalme)
install: Update image digests for v1.18.2 (#41722, @cilium-release-bot[bot])
proxy: Bump cilium-envoy to 1.34.10 (#42251, @sayboras)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15
quay.io/cilium/cilium:stable@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.3@sha256:0d15efc992a85003759232598bf05fb1a4cd3c9fa28fb96bee1789ffe27cc50d
quay.io/cilium/clustermesh-apiserver:stable@sha256:0d15efc992a85003759232598bf05fb1a4cd3c9fa28fb96bee1789ffe27cc50d

docker-plugin

quay.io/cilium/docker-plugin:v1.18.3@sha256:996d9fa5747175b1806ce01dd90dc586a5f52a32b7da409937a1f42714827d67
quay.io/cilium/docker-plugin:stable@sha256:996d9fa5747175b1806ce01dd90dc586a5f52a32b7da409937a1f42714827d67

hubble-relay

quay.io/cilium/hubble-relay:v1.18.3@sha256:e53e00c47fe4ffb9c086bad0c1c77f23cb968be4385881160683d9e15aa34dc3
quay.io/cilium/hubble-relay:stable@sha256:e53e00c47fe4ffb9c086bad0c1c77f23cb968be4385881160683d9e15aa34dc3

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.3@sha256:df8b6830ef0545199cffc5fb9fbf14c9dc8d92093b0e6355d8659705227f89ef
quay.io/cilium/operator-alibabacloud:stable@sha256:df8b6830ef0545199cffc5fb9fbf14c9dc8d92093b0e6355d8659705227f89ef

operator-aws

quay.io/cilium/operator-aws:v1.18.3@sha256:ef39d61183b3bdf0e235650461b6c4d9ec7aa5f61a6c770f33c47a6bc5165e24
quay.io/cilium/operator-aws:stable@sha256:ef39d61183b3bdf0e235650461b6c4d9ec7aa5f61a6c770f33c47a6bc5165e24

operator-azure

quay.io/cilium/operator-azure:v1.18.3@sha256:10a8a83ca6f0b02432c1ca0e67af98a48fdbefb684af44a399f58184ab174143
quay.io/cilium/operator-azure:stable@sha256:10a8a83ca6f0b02432c1ca0e67af98a48fdbefb684af44a399f58184ab174143

operator-generic

quay.io/cilium/operator-generic:v1.18.3@sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797
quay.io/cilium/operator-generic:stable@sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797

operator

quay.io/cilium/operator:v1.18.3@sha256:e350cea751afeae2f226a1bc275649c77a04a1e1ff50e61d782a371eae6fb2ff
quay.io/cilium/operator:stable@sha256:e350cea751afeae2f226a1bc275649c77a04a1e1ff50e61d782a371eae6fb2ff

`v1.18.2`: 1.18.2

Compare Source

Summary of Changes

Minor Changes:

Fix validation bug where namespaced CiliumNetworkPolicies with nodeSelector in specs array were silently accepted but ignored. Now properly rejected with validation error. (Backport PR #41365, Upstream PR #40702, @pillai-ashwin)
lbipam: do not reallocate IPs in LB IPAM on operator restart (Backport PR #41267, Upstream PR #41147, @marseel)
lbipam: widening CIDR range or updating selector of CiliumLoadBalancerIPPool does no longer reassign IPs (Backport PR #41267, Upstream PR #41122, @marseel)

Bugfixes:

Add option to configure BGP origin attribute for LoadBalancer IPs in BGP Control Plane v2, allowing smoother migration from MetalLB integration. (Backport PR #41479, Upstream PR #41231, @hanapedia)
Add toleration for 'node.cloudprovider.kubernetes.io/uninitialized' to Cilium Operator (Backport PR #41267, Upstream PR #41098, @guettli)
bgpv2: Avoid modifying CiliumBGPPeerConfig in resource store (Backport PR #41267, Upstream PR #41088, @rastislavs)
bpf: add support for delinearized ARP packets (Backport PR #41365, Upstream PR #41233, @vsinitsyn)
ctmap/gc: continue interval time on partial GC pass. (Backport PR #41591, Upstream PR #41258, @tommyp1ckles)
Disable unnecessary headless service watching to reduce API server load in clusters not using the Gateway API or Ingress features. (Backport PR #41479, Upstream PR #40844, @moscicky)
Fix "Error while correcting L4 checksum" dropped packets for ICMP destination unreachable error packets. (Backport PR #41591, Upstream PR #40194, @br4243)
Fix "No mapping for NAT masquerade" flakes in the CI, make NAT LRU fallbacks more robust. (Backport PR #41365, Upstream PR #40971, @gentoo-root)
Fix --exclude-local-address with eBPF Host-Routing (Backport PR #41365, Upstream PR #41275, @antonipp)
Fix a BGP bug where the routerID specified in a CiliumBGPNodeConfigOverride was not correctly updated in RouterIDIPPool mode. (Backport PR #41267, Upstream PR #40340, @liyihuang)
Fix a bug that would cause NodePort requests to be sent to the wrong backends when using KPR and Clustermesh with two identical, non-global NodePort services on different clusters. (Backport PR #41591, Upstream PR #41337, @pchaigno)
Fix a bug where cilium-agent would report "Link not found" for an endpoint deleted during state restore after cilium-agent restart. (Backport PR #41267, Upstream PR #40568, @fristonio)
Fix a regression where enabling unknown Hubble metrics would crash the cilium agent (Backport PR #41479, Upstream PR #41368, @devodev)
Fix agent config initContainer unable to hit apiservers in apiServerURLs by passing as container arg (Backport PR #41267, Upstream PR #41110, @JJGadgets)
Fix bug that would cause error messages when disabling agent health checks (Backport PR #41479, Upstream PR #41297, @HadrienPatte)
Fix issue in Local Redirect Policies where traffic was dropped when no local pods were available to be redirected to. In these scenarios the traffic should have been processed as if the Local Redirect Policy did not exist. (Backport PR #41591, Upstream PR #41463, @joamaki)
Fix issue where Local Redirect Policy (LRP) services with a single named port did not create a local redirect service entry. (Backport PR #41591, Upstream PR #41534, @aditighag)
Fix the bug local redirect policy not doing filter based destination port (Backport PR #41479, Upstream PR #41411, @liyihuang)
Fixes a cosmetic bug where the cilium_bpf_map_ops_total error count was incorrectly being incremented for map cilium_lb_affinity_match. (Backport PR #41479, Upstream PR #41378, @squeed)
Fixes an issue in NodeManager where restored cluster nodes can be pruned before the initial node listing completes. (Backport PR #41267, Upstream PR #41039, @0xch4z)
Helm: Ensure consistent default labels for all ServiceMonitor resources (Backport PR #41267, Upstream PR #41240, @baurmatt)
iptables: Fix IPv6 SNAT for L7 proxy upstream traffic (Backport PR #41249, Upstream PR #41034, @gentoo-root)
loadbalancer/writer: add support for SetIsServiceHealthCheckedFunc (Backport PR #41267, Upstream PR #41092, @mhofstetter)
neighbor: Fix bug where neighbor discovery subsystem reports unhealthy when it is healthy (Backport PR #41365, Upstream PR #41186, @mhofstetter)
pkg/ipam: fix nil dereference during pool shrink operation (Backport PR #41365, Upstream PR #41198, @alimehrabikoshki)
policy: fix agent crash due to policy cache update-delete race (Backport PR #41267, Upstream PR #41079, @fristonio)

CI Changes:

.github/actions: fix boolean condition check in post-logic action (Backport PR #41479, Upstream PR #41395, @aanm)
.github/worfklows: copy cilium-cli binary from container (Backport PR #41591, Upstream PR #41524, @aanm)
.github/workflows: add proper suffix for scale-test-egw (Backport PR #41591, Upstream PR #41477, @aanm)
.github/workflows: add timeout to Install node local DNS step (Backport PR #41267, Upstream PR #41120, @aanm)
.github/workflows: separate feature json files in different dirs (Backport PR #41479, Upstream PR #41403, @aanm)
.github/workflows: simplify ginkgo workflow (Backport PR #41479, Upstream PR #41396, @aanm)
.github/workflows: simplify ginkgo workflow (Backport PR #41591, Upstream PR #41396, @aanm)
.github: fix upload artifacts for features.json (Backport PR #41365, Upstream PR #41119, @aanm)
add missing extraArgs in CI (Backport PR #41365, Upstream PR #41005, @aanm)
checkpatch: bump checkpatch version, and minor adaptations (Backport PR #41365, Upstream PR #41290, @giorio94)
ci: Re-enable go caches for privileged tests (Backport PR #41267, Upstream PR #41102, @rastislavs)
ci: simplify scheduled test (Backport PR #41262, Upstream PR #41261, @brlbil)
Fix multiple workflows with missing features and steps (Backport PR #41479, Upstream PR #41398, @aanm)
gh: e2e-upgrade: skip even more steps when not downgrading (Backport PR #41591, Upstream PR #41468, @julianwiedmann)
gha: run checkpatch check only on PR events (Backport PR #41365, Upstream PR #41308, @giorio94)
ipsec: fix xfrm privileged tests (Backport PR #41365, Upstream PR #41279, @smagnani96)
node:tests: fix privileged (#41281, @smagnani96)
operator/bgpv2: Avoid race in TestRouterIDAllocation test (Backport PR #41591, Upstream PR #41499, @rastislavs)
pkg/metrics: define default CIDR policies values (Backport PR #41479, Upstream PR #41422, @aanm)
testutils: differentiate {Test,Benchmark}Privileged and fix benchmarks (Backport PR #41267, Upstream PR #41007, @smagnani96)
workflows/ipsec: yet another fix for downgrade (Backport PR #41365, Upstream PR #41260, @smagnani96)

Misc Changes:

.github/workflows: add step 5 as part of the image build process (Backport PR #41177, Upstream PR #41113, @aanm)
bpf: fix svc annotation handling (Backport PR #41365, Upstream PR #41310, @borkmann)
bpf: wireguard: re-add IPv6 fragment check in from-wireguard (Backport PR #41479, Upstream PR #41451, @julianwiedmann)
build-images-release: specify main branch on reusable jobs (Backport PR #41177, Upstream PR #41530, @aanm)
checkpatch: Update image digest (Backport PR #41479, Upstream PR #41360, @HadrienPatte)
chore(deps): update actions/labeler action to v6.0.1 (v1.18) (#41565, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#41351, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (#41660, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#41126, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#41350, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#41439, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#41509, @cilium-renovate[bot])
chore(deps): update all-dependencies (v1.18) (#41612, @cilium-renovate[bot])
chore(deps): update dependency protocolbuffers/protobuf to v32.1 (v1.18) (#41659, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.6 docker digest to 714ad64 (v1.18) (#41349, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.6 docker digest to 8d9e57c (v1.18) (#41437, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.7 docker digest to 5e9d14d (v1.18) (#41656, @cilium-renovate[bot])
chore(deps): update go to v1.24.7 (v1.18) (#41566, @cilium-renovate[bot])
chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (v1.18) (#41319, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.6-1756960514-59def10827e2fdea04b289bb00128526bde9d3c1 (v1.18) (#41516, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.6-1757072375-ebd79127b3d1f27212d5426619daccdd15ad9e28 (v1.18) (#41567, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.7-1757592137-1a52bb680a956879722f48c591a2ca90f7791324 (v1.18) (#41657, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#41438, @cilium-renovate[bot])
chore(deps): update stable lvh-images (v1.18) (patch) (#41658, @cilium-renovate[bot])
ci: Update workflow permissions (Backport PR #41479, Upstream PR #41383, @kyle-c-simmons)
doc: use correct policy-default-local-cluster inspect command in example (Backport PR #41365, Upstream PR #41118, @Preisschild)
docs: Add missing dsrDispatch parameter to annotation-based DSR examples (Backport PR #41479, Upstream PR #40873, @gitsofaryan)
docs: add table DSR Dispatch Mode following Routing Mode (Backport PR #41591, Upstream PR #41431, @alagoutte)
docs: document portmap binary requirements (Backport PR #41365, Upstream PR #41300, @nbusseneau)
Fix release script steps (Backport PR #41177, Upstream PR #41502, @aanm)
Helm: Only insert nodePort for cilium-ingress-service if specified (Backport PR #41267, Upstream PR #41107, @baurmatt)
install: bump startup script version (Backport PR #41365, Upstream PR #41299, @Artyop)
kvstore: fix overly verbose debug log and error message (Backport PR #41267, Upstream PR #41148, @giorio94)
loadbalancer: Fixes to test flakes (Backport PR #41267, Upstream PR #41085, @joamaki)
Log kube-proxy replacement config before starting kube-proxy replacement (Backport PR #41479, Upstream PR #41133, @liyihuang)
lower log severity for stale metadata to avoid CI issue (Backport PR #41479, Upstream PR #41389, @liyihuang)
metrics/features: Fix counter metrics to use Set() instead of Add() (Backport PR #41479, Upstream PR #41382, @aanm)
metrics/features: remove aws-vpc-cni (Backport PR #41591, Upstream PR #41498, @aanm)
node/manager: Do not prune the local node on restart (Backport PR #41591, Upstream PR #41544, @joamaki)
Prevent cilium-dbg from panicing when /sys is not mounted (Backport PR #41365, Upstream PR #41287, @HadrienPatte)
Support extending cilium-agent dnsPolicy as a downstream packager (Backport PR #41267, Upstream PR #41010, @devodev)
Update all github action dependencies (v1.18) (#41216, @cilium-renovate[bot])
Update dependency protocolbuffers/protobuf to v32 (v1.18) (#41217, @cilium-renovate[bot])
Update docker.io/library/golang:1.24.6 Docker digest to a18e9e0 (v1.18) (#41214, @cilium-renovate[bot])
Update stable lvh-images (v1.18) (patch) (#41215, @cilium-renovate[bot])
workflows/conformance-ginkgo: fix steps for stable branches (Backport PR #41591, Upstream PR #41599, @aanm)
xds: fix NACK logging after slog migration (Backport PR #41267, Upstream PR #41171, @mhofstetter)

Other Changes:

[v1.18] envoy: Start serving listeners only after clusters have been ACKed (#41605, @jrajahalme)
docs: Add new IAM permissions requirements to upgrade notes (#41374, @HadrienPatte)
install: Update image digests for v1.18.1 (#41182, @cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.2@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667
quay.io/cilium/cilium:stable@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.2@sha256:cd689a07bfc7622e812fef023cb277fdc695b60a960d36f32f93614177a7a0f6
quay.io/cilium/clustermesh-apiserver:stable@sha256:cd689a07bfc7622e812fef023cb277fdc695b60a960d36f32f93614177a7a0f6

docker-plugin

quay.io/cilium/docker-plugin:v1.18.2@sha256:be578aaae7274ef7155bd0a6d2f7c2d91085642aea4fdb24451ee9cab4ca2e5d
quay.io/cilium/docker-plugin:stable@sha256:be578aaae7274ef7155bd0a6d2f7c2d91085642aea4fdb24451ee9cab4ca2e5d

hubble-relay

quay.io/cilium/hubble-relay:v1.18.2@sha256:6079308ee15e44dff476fb522612732f7c5c4407a1017bc3470916242b0405ac
quay.io/cilium/hubble-relay:stable@sha256:6079308ee15e44dff476fb522612732f7c5c4407a1017bc3470916242b0405ac

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.2@sha256:612b1d94c179cd8ae239e571e96ebd95662bb5cccb62aacfdf79355aa9cdddc8
quay.io/cilium/operator-alibabacloud:stable@sha256:612b1d94c179cd8ae239e571e96ebd95662bb5cccb62aacfdf79355aa9cdddc8

operator-aws

quay.io/cilium/operator-aws:v1.18.2@sha256:1cb856fbe265dfbcfe816bd6aa4acaf006ecbb22dcc989116a1a81bb269ea328
quay.io/cilium/operator-aws:stable@sha256:1cb856fbe265dfbcfe816bd6aa4acaf006ecbb22dcc989116a1a81bb269ea328

operator-azure

quay.io/cilium/operator-azure:v1.18.2@sha256:9696e9b8219b9a5c16987e072eda2da378d42a32f9305375e56d7380a0c2ba8e
quay.io/cilium/operator-azure:stable@sha256:9696e9b8219b9a5c16987e072eda2da378d42a32f9305375e56d7380a0c2ba8e

operator-generic

quay.io/cilium/operator-generic:v1.18.2@sha256:cb4e4ffc5789fd5ff6a534e3b1460623df61cba00f5ea1c7b40153b5efb81805
quay.io/cilium/operator-generic:stable@sha256:cb4e4ffc5789fd5ff6a534e3b1460623df61cba00f5ea1c7b40153b5efb81805

operator

quay.io/cilium/operator:v1.18.2@sha256:0f234ce2ab0f30c09f4f9fe1b9c6323f0c6b66d789bef5e958fce7cff85960f3
quay.io/cilium/operator:stable@sha256:0f234ce2ab0f30c09f4f9fe1b9c6323f0c6b66d789bef5e958fce7cff85960f3

`v1.18.1`: 1.18.1

Compare Source

Summary of Changes

Minor Changes:

Add kernel_version, endpoint_routes_enabled, strict_mode_enabled and kubernetes_version feature metrics. (Backport PR #41078, Upstream PR #41003, @aanm)
eni: improve logging and speed up ipam reconciliation in case of node scale-downs (Backport PR #40979, Upstream PR #40852, @marseel)
kvstore: Cilium Agent no longer fails health-check if operator is unavailable (Backport PR #40979, Upstream PR #40920, @marseel)
operator: CRDs are updated in series instead of in parallel now during Cilium upgrades. This should lower the pressure on the k8s control plane (Backport PR #40847, Upstream PR #40322, @marseel)

Bugfixes:

Add missing safeguards to topology-aware routing: use all backends when no suitable one matching the zone hints are found or a backend exists without a zone hint. (#41116, @joamaki)
aws/eni: Don't use subnet tags to filter ENIs for GC (Backport PR #40979, Upstream PR #40656, [@HadrienP

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2025-06-24T06:43:45Z

--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium

@@ -13,13 +13,13 @@

     spec:
       chart: cilium
       sourceRef:
         kind: HelmRepository
         name: cilium
         namespace: kube-system
-      version: 1.17.4
+      version: 1.18.3
   install:
     remediation:
       retries: -1
   interval: 1h
   upgrade:
     cleanupOnFail: true

github-actions · 2025-06-24T06:43:47Z

--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -27,13 +27,13 @@

     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
@@ -194,13 +194,13 @@

         - name: xtables-lock
           mountPath: /run/xtables.lock
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -219,13 +219,13 @@

           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -251,13 +251,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -281,13 +281,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -297,13 +297,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -345,13 +345,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.17.4@sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a
+        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -29,13 +29,13 @@

         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.17.4@sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5
+        image: quay.io/cilium/operator-generic:v1.17.6@sha256:91ac3bf7be7bed30e90218f219d4f3062a63377689ee7246062fa0cc3839d096
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)

renovate bot added renovate/helm type/patch labels Jun 24, 2025

renovate bot force-pushed the renovate/cilium-1.x branch 4 times, most recently from 97b03f2 to 8568cb1 Compare July 5, 2025 00:45

renovate bot force-pushed the renovate/cilium-1.x branch 5 times, most recently from 2b07d4c to fb5e89c Compare July 13, 2025 09:41

renovate bot force-pushed the renovate/cilium-1.x branch 6 times, most recently from 735a5dd to 91e6784 Compare July 19, 2025 13:41

renovate bot changed the title ~~fix(helm): update chart cilium ( 1.17.4 → 1.17.5 )~~ fix(helm): update chart cilium ( 1.17.4 → 1.17.6 ) Jul 19, 2025

renovate bot force-pushed the renovate/cilium-1.x branch 6 times, most recently from 92dd783 to d206e15 Compare July 27, 2025 08:48

renovate bot force-pushed the renovate/cilium-1.x branch 4 times, most recently from 47d8fc3 to ca13abb Compare July 29, 2025 12:00

renovate bot force-pushed the renovate/cilium-1.x branch 6 times, most recently from b063328 to e309b17 Compare October 6, 2025 13:39

renovate bot force-pushed the renovate/cilium-1.x branch 4 times, most recently from a5d4172 to 345b28f Compare October 13, 2025 21:42

renovate bot force-pushed the renovate/cilium-1.x branch 8 times, most recently from f67525d to b1bda7e Compare October 25, 2025 23:30

renovate bot force-pushed the renovate/cilium-1.x branch from b1bda7e to 16d6300 Compare October 26, 2025 21:08

renovate bot changed the title ~~feat(helm): update chart cilium ( 1.17.4 → 1.18.2 )~~ feat(helm): update chart cilium ( 1.17.4 → 1.18.3 ) Oct 26, 2025

renovate bot force-pushed the renovate/cilium-1.x branch 3 times, most recently from a501555 to 7409319 Compare November 2, 2025 09:56

renovate bot force-pushed the renovate/cilium-1.x branch 4 times, most recently from 8e1b6d2 to 4b5c9a1 Compare November 9, 2025 14:02

renovate bot force-pushed the renovate/cilium-1.x branch from 4b5c9a1 to 800a5cb Compare November 11, 2025 03:38

feat(helm): update chart cilium ( 1.17.4 → 1.18.3 )

6dedd4e

renovate bot force-pushed the renovate/cilium-1.x branch from 800a5cb to 6dedd4e Compare November 11, 2025 08:11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(helm): update chart cilium ( 1.17.4 → 1.18.3 ) #79

feat(helm): update chart cilium ( 1.17.4 → 1.18.3 ) #79

Uh oh!

renovate bot commented Jun 24, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Jun 24, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Jun 24, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

feat(helm): update chart cilium ( 1.17.4 → 1.18.3 ) #79

Are you sure you want to change the base?

feat(helm): update chart cilium ( 1.17.4 → 1.18.3 ) #79

Uh oh!

Conversation

renovate bot commented Jun 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v1.18.3: 1.18.3

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.18.2: 1.18.2

Summary of Changes

Docker Manifests

cilium

clustermesh-apiserver

docker-plugin

hubble-relay

operator-alibabacloud

operator-aws

operator-azure

operator-generic

operator

v1.18.1: 1.18.1

Summary of Changes

Configuration

Uh oh!

github-actions bot commented Jun 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Jun 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate bot commented Jun 24, 2025 •

edited

Loading

`v1.18.3`: 1.18.3

`v1.18.2`: 1.18.2

`v1.18.1`: 1.18.1

github-actions bot commented Jun 24, 2025 •

edited

Loading

github-actions bot commented Jun 24, 2025 •

edited

Loading