RATATOSKRATATOSK
ログイン

Cilium

v1.18.9Networking & Messaging
2026年4月16日

Cilium v1.18.9 is a patch release focused on memory leak fixes, panic prevention, and load balancer correctness — several bugs here could cause real production incidents.

  • breakingIPAM reassignment risk: upgrade dual-stack clusters promptly

    If you run dual-stack with cluster-pool IPAM, a bug could reassign a node's IPv4 PodCIDR to another node after an operator restart — with an existing duplicate IPv6 PodCIDR in play. This causes IP conflicts and broken pod networking. Upgrade to 1.18.9 before your next operator restart or planned maintenance window.

  • securitygo-jose dependency patched — update if using Cilium's auth features

    go-jose/go-jose/v4 was updated to v4.1.4 as a security fix. If your Cilium deployment uses mutual auth or any JWT/JOSE-based features, this patch addresses a known vulnerability in that library. Treat this upgrade as a priority if those code paths are active.

  • enhancementMemory leaks under policy churn are fixed — relevant for dynamic environments

    Two separate memory leak paths were closed: one from incremental policy updates, one from policies being frequently created and deleted. Clusters with high policy churn (CI environments, multi-tenant setups, frequent namespace deployments) were slowly leaking memory. After upgrading, monitor Cilium agent memory baselines — you should see stabilization over hours to days.

主な変更 (5)

  • Two distinct memory leaks fixed: one triggered by incremental policy updates, another by policy create/delete cycles
  • Load balancer backend slot gaps fixed — maintenance backends could cause traffic misrouting to wrong endpoints
  • Dual-stack cluster-pool IPAM bug fixed: operator restart with duplicate IPv6 PodCIDR could cause IPv4 PodCIDR to be freed and reassigned to another node
  • Static pod endpoints stuck in init identity resolved
  • New configDriftDetection Helm values added; go-jose security dependency update included