Cilium
v1.18.8Networking & MessagingCilium v1.18.8 is a bug-fix patch with one critical caveat: GKE users must skip it due to a known regression introduced by the XDP jumbo MTU change.
breakingGKE users: do not deploy v1.18.8
The XDP jumbo MTU support (PR #44499) introduced a regression on GKE. If you're on GKE, skip this version entirely and upgrade to v1.19.2 instead. Running v1.18.8 on GKE risks network disruption. Non-GKE users are not affected by this specific issue.
securityPatch the world-accessible Envoy admin socket immediately
The Envoy admin socket was being created with world-readable/writable permissions, exposing it to any process on the node. This is fixed in v1.18.8. If you're running Cilium with L7 policy or any Envoy-based features, upgrade promptly. On existing nodes, verify socket permissions at /var/run/cilium/envoy/sockets/ — world access means any container with host path access could interact with the admin API.
enhancementL7 LB policy bypass and FQDN SNI fixes are worth prioritizing
Two policy-enforcement bugs are fixed here. First, local backends could bypass ingress policies under L7 LB — meaning traffic wasn't being filtered as expected. Second, wildcard FQDN policies weren't propagating correctly to Envoy when SNI-based matching was in use. If your environment uses either L7 load balancing or FQDN network policies with SNI, this release closes real security gaps. Plan the upgrade accordingly.
主な変更 (5)
- GKE users: known regression in this release — skip v1.18.8 and go directly to v1.19.2
- Security fix: Envoy admin socket was world-accessible (0666 permissions); now restricted
- Fix for wildcard FQDN network policy identities not being pushed to Envoy with SNI-based policies
- L7 load balancer now correctly enforces ingress policies for local backends (bypass bug fixed)
- EndpointSlice address removal could be silently missed when multiple slices shared a name — now fixed