Cilium
v1.18.9Networking & MessagingCilium v1.18.9 is a patch release focused on memory leak fixes, panic prevention, and load balancer correctness — several bugs here could cause real production incidents.
breakingIPAM reassignment risk: upgrade dual-stack clusters promptly
If you run dual-stack with cluster-pool IPAM, a bug could reassign a node's IPv4 PodCIDR to another node after an operator restart — with an existing duplicate IPv6 PodCIDR in play. This causes IP conflicts and broken pod networking. Upgrade to 1.18.9 before your next operator restart or planned maintenance window.
securitygo-jose dependency patched — update if using Cilium's auth features
go-jose/go-jose/v4 was updated to v4.1.4 as a security fix. If your Cilium deployment uses mutual auth or any JWT/JOSE-based features, this patch addresses a known vulnerability in that library. Treat this upgrade as a priority if those code paths are active.
enhancementMemory leaks under policy churn are fixed — relevant for dynamic environments
Two separate memory leak paths were closed: one from incremental policy updates, one from policies being frequently created and deleted. Clusters with high policy churn (CI environments, multi-tenant setups, frequent namespace deployments) were slowly leaking memory. After upgrading, monitor Cilium agent memory baselines — you should see stabilization over hours to days.
主な変更 (5)
- Two distinct memory leaks fixed: one triggered by incremental policy updates, another by policy create/delete cycles
- Load balancer backend slot gaps fixed — maintenance backends could cause traffic misrouting to wrong endpoints
- Dual-stack cluster-pool IPAM bug fixed: operator restart with duplicate IPv6 PodCIDR could cause IPv4 PodCIDR to be freed and reassigned to another node
- Static pod endpoints stuck in init identity resolved
- New configDriftDetection Helm values added; go-jose security dependency update included