Cilium
v1.19.3Networking & MessagingCilium v1.19.3 is a dense bugfix release targeting memory leaks, panics, and networking correctness issues — particularly in DSR mode, WireGuard dual-stack, and IPAM edge cases.
breakingIPAM corruption risk on dual-stack clusters — upgrade urgently
A bug in dual-stack cluster-pool IPAM could cause IPv4 PodCIDRs to be freed and reassigned after an operator restart if duplicate IPv6 PodCIDRs existed. This is a data-plane correctness issue that causes silent IP conflicts between nodes. If you run dual-stack with cluster-pool IPAM, upgrade to v1.19.3 before your next operator restart. After upgrading, inspect node CIDRs for any anomalies.
securityUpdate go-jose dependency (CVE exposure)
go-jose/go-jose was bumped to v4.1.4 as a security update. While Cilium's direct exposure depends on usage paths, this library is involved in JWT/token handling. If you're running automated audits or supply chain checks, note this dependency version change in your SBOM.
enhancementMemory leak fixes matter more than they look — plan your upgrade
Two distinct memory leaks are patched here. One is triggered by incremental policy updates (common in dynamic environments), the other by policy create/delete cycles. In clusters with frequent NetworkPolicy churn — CI namespaces, multi-tenant platforms, or GitOps-driven policy — these leaks can accumulate over hours or days. If your Cilium agents show gradual memory growth, this release likely explains it. Rolling restart after upgrade is sufficient; no config changes needed.
主な変更 (5)
- Two separate memory leaks fixed: one triggered by incremental policy updates, another by policy create/delete cycles — both relevant for clusters with frequent policy churn
- DSR mode NodePort fix: pod-to-NodePort via remote node IP now works correctly when the backend is local and SocketLB is disabled
- WireGuard dual-stack fix: IPv6 underlay setting is now respected when selecting peer endpoints, resolving silent connectivity failures
- Dual-stack cluster-pool IPAM bug fixed: operator restart with duplicate IPv6 PodCIDR could incorrectly free and reassign IPv4 PodCIDRs to other nodes
- go-jose/go-jose security update to v4.1.4 included as a dependency bump