RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Cilium解除 ×

Cilium

Networking & Messaging2026年6月16日

Cilium v1.19.5 is a bugfix-heavy patch release addressing policy enforcement bugs, Gateway API panics, and load-balancer correctness issues. No CVEs, but several fixes warrant attention before upgrading.

  • breakingMigrate away from `l2podAnnouncements.interface` Helm value before upgrading

    The `l2podAnnouncements.interface` Helm key was removed because it wrote a configmap entry the agent no longer reads, causing crash-loops when L2 pod announcements are enabled. Before upgrading, check your Helm values for this key and replace it with `l2podAnnouncements.interfacePattern`. Clusters using the old key will fail to start after the upgrade.

  • breakingCheck CiliumEgressGatewayPolicy if you use NamespaceSelector

    A bug caused the NamespaceSelector field in CiliumEgressGatewayPolicy to be silently corrupted, making those rules ineffective. After upgrading to 1.19.5, verify that egress policies with NamespaceSelector are actually being enforced — traffic that was previously leaking may now be blocked.

  • enhancementVerify ipBlock network policies if you rely on selectorless rules

    A bypass was fixed where wildcard namespace selectors could skip ipBlock rules without a pod selector. If you have CiliumNetworkPolicies using ipBlock without explicit namespace selectors, review them post-upgrade to confirm enforcement behavior matches your intent — the fix may change observed traffic patterns.

主な変更 (5)
  • Fixed wildcard namespace bypass for selectorless ipBlock rules — network policy was not enforced correctly in some cases
  • Removed defunct `l2podAnnouncements.interface` Helm value; clusters using it will crash-loop unless migrated to `interfacePattern`
  • Fixed CiliumEgressGatewayPolicy NamespaceSelector corruption that silently rendered egress policies ineffective
  • Fixed node connectivity disruption when ClusterIP/LoadBalancer VIPs overlapped with node-local IPs
  • Load-balancing backend internals refactored to handle thousands of services sharing a backend without performance degradation
原文

Cilium

Networking & Messaging2026年6月16日

Cilium 1.18.11 is a patch release focused on stability, fixing memory leaks, socket handling crashes, and Gateway API routing bugs. No breaking changes; safe to adopt for teams running 1.18.x in production.

  • securityApply patch if you see agent crashes in socket handling

    Cilium 1.18.11 fixes a nil pointer dereference in filterAndDestroySockets that could crash the agent. If you have seen sudden agent pod restarts or panic logs mentioning socket filtering, upgrade promptly. This is a stability issue that affects 1.18.10 and earlier.

  • breakingVerify MTU settings on non-Cilium interfaces after upgrade

    1.18.11 changes MTU handling to skip interfaces not managed by Cilium. If your infrastructure depends on Cilium adjusting MTU on external interfaces (e.g., host-managed veth pairs), test this upgrade in a staging environment first. Mark interfaces with altname to ensure they are recognized as Cilium-owned; otherwise, MTU will not be modified.

  • enhancementAdopt if running Kubernetes Gateway API with TLS routes

    This patch fixes two distinct bugs in Gateway API support: weighted backend routing for TLSRoute passthrough and mixed listener handling. If you use Gateway API with TLS termination or passthrough, this upgrade eliminates silent routing failures. No configuration changes needed; test existing Gateway API resources in a staging cluster first.

主な変更 (5)
  • Fixed memory leak in StateDB watch channel hash map reuse for large transactions
  • Corrected weighted backend traffic splitting for TLSRoute passthrough listeners in Gateway API
  • Fixed nil pointer dereference in socket filtering code that could crash the agent
  • Fixed MTU change behavior to only affect Cilium-managed interfaces, skipping others
  • Improved troubleshoot commands to report more kvstore and clustermesh diagnostic data
原文

Cilium

Networking & Messaging2026年5月13日

Cilium v1.19.4 is a stability-focused patch release with 20+ bug fixes covering crash prevention, IPsec reliability, and Cluster Mesh correctness — upgrade if you run any of those features.

  • securityUpdate moby/spdystream dependency (security fix included)

    This release bumps github.com/moby/spdystream to v0.5.1 as a security fix. The dependency is used in Kubernetes API communication paths. No CVE number is listed in the release notes, but treat this as a prompt to upgrade — staying on v1.19.3 leaves the exposure open.

  • breakingHand-managed EndpointSlices need service-proxy-name label added

    If you set --k8s-service-proxy-name and manage EndpointSlices manually, those slices will now be filtered OUT at the watch level unless they carry the matching service.kubernetes.io/service-proxy-name label. After upgrading, any untagged hand-managed slice becomes invisible to Cilium, causing traffic drops. Audit your EndpointSlices before upgrading and stamp the label on any that are missing it.

  • enhancementPrioritize upgrade if you run IPsec, WireGuard, or Cluster Mesh

    Three distinct data-plane reliability fixes land here: IPsec packet drops during rolling key rotation, WireGuard silent packet loss under constrained MTU with IPv6, and Cluster Mesh missing backends for multi-port services. Any of these can cause hard-to-diagnose intermittent connectivity issues. If your environment uses any of these features, this patch should move to the front of your upgrade queue.

主な変更 (5)
  • Agent no longer crashes on transient network errors during CiliumNode updates — retries instead of calling Fatal
  • IPsec rolling restarts with key rotation fixed: SPI advertisement now deferred until XFRM states are ready, eliminating packet drops
  • WireGuard MTU clamped to IPv6 minimum (1280) when IPv6 is enabled, preventing silent packet loss in tunnel+encryption setups
  • EndpointSlice watch now filtered by service-proxy-name label at the watch level — operators with hand-managed slices must add the label
  • Cluster Mesh: missing global service backends restored when multiple service ports share the same target port
原文

Cilium

Networking & Messaging2026年5月13日

v1.17.16 patches a cross-namespace traffic hijacking vulnerability in CiliumLocalRedirectPolicy, fixes an IPsec panic on malformed input, and resolves a static pod identity resolution bug.

  • securityAudit LRP addressMatcher configs before upgrading

    The LRP addressMatcher change fixes a real attack vector: a policy in one namespace could previously override a Service frontend and redirect traffic cross-namespace. After upgrading, any LRP that was relying on this override behavior will stop working silently — traffic won't redirect as expected. Before upgrading, audit your CiliumLocalRedirectPolicy objects for addressMatcher entries that overlap with existing Service frontends. If you legitimately need the old behavior, set --enable-lrp-address-matcher-override=true, but treat that as a temporary measure and redesign the policy.

  • securityUpgrade if running IPsec — agent crash risk on malformed input

    The parseSPI panic means a malformed IPsec packet could crash the Cilium agent, taking down networking on that node. This is a low-complexity denial-of-service risk for any cluster using Cilium's IPsec transparent encryption. Upgrade to v1.17.16 promptly if IPsec is enabled in your environment.

  • breakingLRP addressMatcher behavior change is not fully backward-compatible

    This is a behavior change, not just a bug fix. If you have CiliumLocalRedirectPolicies using addressMatcher that overlap with Service ClusterIPs or external IPs, those policies will now be rejected or ignored where they previously worked. Test your LRP configurations in a non-production environment before rolling this upgrade out. The opt-in flag --enable-lrp-address-matcher-override=true exists, but using it means you are accepting the previously-vulnerable behavior.

主な変更 (5)
  • CiliumLocalRedirectPolicy addressMatcher now blocks overriding existing Service frontends — prevents cross-namespace traffic hijacking and service-map corruption; legacy behavior requires opt-in flag
  • IPsec: fixed panic in parseSPI when processing malformed SPI input — previously could crash the agent
  • Static pod endpoint identity resolution fixed for cases where CNI pod UID differs from the Kubernetes mirror pod UID
  • Cluster-pool IPAM metrics for CiliumNode synchronization now properly registered with Kubernetes
  • Security dependency update: moby/spdystream bumped to v0.5.1 (security fix)
原文

Cilium

Networking & Messaging2026年5月13日

Cilium v1.18.10 is a stability-focused patch release fixing agent crashes, IPsec panics, Cluster Mesh backend gaps, and a data race in IPAM — all backported from upstream.

  • securitymoby/spdystream and x/net security updates are included

    This release pulls in a security fix for github.com/moby/spdystream and bumps x/net to v0.53. Both are network-layer dependencies. If your policy or threat model tracks transitive dependency CVEs, this patch justifies the upgrade on its own.

  • breakingUpgrade encrypted clusters to fix IPsec panic risk

    A panic in parseSPI on malformed IPsec input could crash the agent on nodes running encrypted traffic. If you use IPsec encryption, treat this as a priority upgrade — a malformed packet or misconfigured peer can take down the agent process entirely.

  • enhancementCluster Mesh users with shared target ports should upgrade

    The missing global service backends bug silently dropped backends from services where multiple ports mapped to the same target port. Traffic would route correctly within a single cluster but fail cross-cluster. Upgrade and verify affected services post-rollout using hubble observe or service endpoint inspection.

主な変更 (5)
  • Agent no longer crashes fatally on transient network errors during CiliumNode updates — it retries instead
  • IPsec panic on malformed SPI input fixed, preventing node-level disruption in encrypted clusters
  • Cluster Mesh now correctly propagates global service backends when multiple ports share the same target port
  • CiliumLocalRedirectPolicy no longer hijacks an existing Service frontend before its backend pods are Ready
  • Data race in MultiPoolManager IPAM node updates resolved; x/net bumped to v0.53 for security
原文

Cilium

Networking & Messaging2026年4月15日

Cilium v1.19.3 is a dense bugfix release targeting memory leaks, panics, and networking correctness issues — particularly in DSR mode, WireGuard dual-stack, and IPAM edge cases.

  • securityUpdate go-jose dependency (CVE exposure)

    go-jose/go-jose was bumped to v4.1.4 as a security update. While Cilium's direct exposure depends on usage paths, this library is involved in JWT/token handling. If you're running automated audits or supply chain checks, note this dependency version change in your SBOM.

  • breakingIPAM corruption risk on dual-stack clusters — upgrade urgently

    A bug in dual-stack cluster-pool IPAM could cause IPv4 PodCIDRs to be freed and reassigned after an operator restart if duplicate IPv6 PodCIDRs existed. This is a data-plane correctness issue that causes silent IP conflicts between nodes. If you run dual-stack with cluster-pool IPAM, upgrade to v1.19.3 before your next operator restart. After upgrading, inspect node CIDRs for any anomalies.

  • enhancementMemory leak fixes matter more than they look — plan your upgrade

    Two distinct memory leaks are patched here. One is triggered by incremental policy updates (common in dynamic environments), the other by policy create/delete cycles. In clusters with frequent NetworkPolicy churn — CI namespaces, multi-tenant platforms, or GitOps-driven policy — these leaks can accumulate over hours or days. If your Cilium agents show gradual memory growth, this release likely explains it. Rolling restart after upgrade is sufficient; no config changes needed.

主な変更 (5)
  • Two separate memory leaks fixed: one triggered by incremental policy updates, another by policy create/delete cycles — both relevant for clusters with frequent policy churn
  • DSR mode NodePort fix: pod-to-NodePort via remote node IP now works correctly when the backend is local and SocketLB is disabled
  • WireGuard dual-stack fix: IPv6 underlay setting is now respected when selecting peer endpoints, resolving silent connectivity failures
  • Dual-stack cluster-pool IPAM bug fixed: operator restart with duplicate IPv6 PodCIDR could incorrectly free and reassign IPv4 PodCIDRs to other nodes
  • go-jose/go-jose security update to v4.1.4 included as a dependency bump
原文

Cilium

Networking & Messaging2026年4月15日

Cilium v1.18.9 is a patch release focused on memory leak fixes, panic prevention, and load balancer correctness — several bugs here could cause real production incidents.

  • securitygo-jose dependency patched — update if using Cilium's auth features

    go-jose/go-jose/v4 was updated to v4.1.4 as a security fix. If your Cilium deployment uses mutual auth or any JWT/JOSE-based features, this patch addresses a known vulnerability in that library. Treat this upgrade as a priority if those code paths are active.

  • breakingIPAM reassignment risk: upgrade dual-stack clusters promptly

    If you run dual-stack with cluster-pool IPAM, a bug could reassign a node's IPv4 PodCIDR to another node after an operator restart — with an existing duplicate IPv6 PodCIDR in play. This causes IP conflicts and broken pod networking. Upgrade to 1.18.9 before your next operator restart or planned maintenance window.

  • enhancementMemory leaks under policy churn are fixed — relevant for dynamic environments

    Two separate memory leak paths were closed: one from incremental policy updates, one from policies being frequently created and deleted. Clusters with high policy churn (CI environments, multi-tenant setups, frequent namespace deployments) were slowly leaking memory. After upgrading, monitor Cilium agent memory baselines — you should see stabilization over hours to days.

主な変更 (5)
  • Two distinct memory leaks fixed: one triggered by incremental policy updates, another by policy create/delete cycles
  • Load balancer backend slot gaps fixed — maintenance backends could cause traffic misrouting to wrong endpoints
  • Dual-stack cluster-pool IPAM bug fixed: operator restart with duplicate IPv6 PodCIDR could cause IPv4 PodCIDR to be freed and reassigned to another node
  • Static pod endpoints stuck in init identity resolved
  • New configDriftDetection Helm values added; go-jose security dependency update included
原文

Cilium

Networking & Messaging2026年4月15日

v1.17.15 is a bug-fix patch tackling memory leaks, endpoint regeneration hangs, IPAM data corruption, and policy update deadlocks — all of which can cause silent production degradation.

  • breakingIPAM corruption risk: upgrade before operator restarts in dual-stack clusters

    If you run dual-stack with cluster-pool IPAM and have any duplicate IPv6 PodCIDR conditions, an operator restart can cause IPv4 PodCIDR reassignment across nodes — effectively giving two nodes the same subnet. This is silent data-plane corruption. Upgrade to v1.17.15 before performing any operator restarts or node scaling operations in affected clusters.

  • enhancementAddress memory leak accumulation in policy-heavy environments

    Two separate memory leaks were patched: one from incremental policy updates (slow, hard to detect) and another from policy churn (create/delete cycles). If you use GitOps-driven policy workflows or frequently rotate NetworkPolicies, your agents may be leaking memory right now. After upgrading, watch agent memory trends over 24-48 hours — you should see stabilization compared to a pre-upgrade baseline.

  • enhancementEndpoints stuck in waiting-to-regenerate? This release fixes it

    A race condition caused endpoints to get permanently stuck in the 'waiting-to-regenerate' state, meaning policy changes stopped being applied to affected pods without obvious errors. If you've seen endpoints failing to pick up policy updates without a pod restart, upgrade and validate that endpoint regeneration completes cleanly after policy changes using 'cilium endpoint list'.

主な変更 (6)
  • Fixed two distinct memory leaks: one triggered by incremental policy updates, another by policies being created and deleted in rapid succession
  • Endpoints stuck in 'waiting-to-regenerate' state now unblock — a bug that could silently starve workloads of connectivity updates
  • Dual-stack cluster-pool IPAM bug fixed: operator restart with duplicate IPv6 PodCIDR no longer risks freeing and reassigning a node's IPv4 PodCIDR to another node
  • ipcache identity update hang resolved when the last proxy listener is removed — previously caused a deadlock requiring restart
  • Hubble Relay panic on unresolvable peer addresses fixed, plus CPU waste in 'hubble observe' from log coloring overhead eliminated
  • gRPC updated to v1.79.3 and CNI plugins bumped to v1.9.1
原文

Cilium

Networking & Messaging2026年3月23日

Cilium v1.19.2 is a patch release focused on stability: fixes span IPSec key rotation races, L7 LB policy bypass, clustermesh goroutine leaks, and a world-accessible Envoy admin socket.

  • securityPatch the world-accessible Envoy admin socket immediately

    The Envoy admin socket was being created accessible to all users on the node (world-accessible). Any workload on the same node could interact with the Envoy admin API. If you're running Cilium with L7 policies or Envoy-based features, upgrade to v1.19.2 now. No config change needed — the fix is in the binary.

  • securityIPSec users: silent packet drops during key rotation are fixed

    A race condition in IPSec key rotation caused packets to be dropped when a peer started using the new key before local XFRM states were ready. If you use IPSec encryption and do rolling key rotations, you were likely seeing unexplained connectivity blips. Upgrade and review your key rotation procedures — the fix also adds logging to the rotation flow, so you'll have better visibility going forward.

  • breakingL7 LB ingress policy bypass — check your enforcement posture

    A bug allowed traffic to bypass ingress policies for local backends when L7 load balancing was active. If you rely on Cilium network policy enforcement for local service backends with L7 LB enabled, your policies may not have been enforced as expected. After upgrading to v1.19.2, verify that traffic is behaving as your policies intend — this fix restores correct enforcement, which could change observed traffic patterns.

主な変更 (5)
  • Security fix: Envoy admin socket was world-accessible (0.0.0.0), now bound correctly — upgrade immediately if running L7 policies
  • IPSec key rotation race condition fixed — packets were silently dropped during key rotation when peers adopted the new key before XFRM states were ready
  • L7 LB bug fixed where ingress policies could be bypassed for local backends — critical for anyone using L7 load balancing with network policy
  • ClusterMesh goroutine leak and EndpointSlice cleanup race fixed when removing a cluster from the mesh
  • Service load balancing backend slot gap bug fixed — could cause traffic misrouting when maintenance backends were present
原文

Cilium

Networking & Messaging2026年3月23日

Cilium v1.18.8 is a bug-fix patch with one critical caveat: GKE users must skip it due to a known regression introduced by the XDP jumbo MTU change.

  • securityPatch the world-accessible Envoy admin socket immediately

    The Envoy admin socket was being created with world-readable/writable permissions, exposing it to any process on the node. This is fixed in v1.18.8. If you're running Cilium with L7 policy or any Envoy-based features, upgrade promptly. On existing nodes, verify socket permissions at /var/run/cilium/envoy/sockets/ — world access means any container with host path access could interact with the admin API.

  • breakingGKE users: do not deploy v1.18.8

    The XDP jumbo MTU support (PR #44499) introduced a regression on GKE. If you're on GKE, skip this version entirely and upgrade to v1.19.2 instead. Running v1.18.8 on GKE risks network disruption. Non-GKE users are not affected by this specific issue.

  • enhancementL7 LB policy bypass and FQDN SNI fixes are worth prioritizing

    Two policy-enforcement bugs are fixed here. First, local backends could bypass ingress policies under L7 LB — meaning traffic wasn't being filtered as expected. Second, wildcard FQDN policies weren't propagating correctly to Envoy when SNI-based matching was in use. If your environment uses either L7 load balancing or FQDN network policies with SNI, this release closes real security gaps. Plan the upgrade accordingly.

主な変更 (5)
  • GKE users: known regression in this release — skip v1.18.8 and go directly to v1.19.2
  • Security fix: Envoy admin socket was world-accessible (0666 permissions); now restricted
  • Fix for wildcard FQDN network policy identities not being pushed to Envoy with SNI-based policies
  • L7 load balancer now correctly enforces ingress policies for local backends (bypass bug fixed)
  • EndpointSlice address removal could be silently missed when multiple slices shared a name — now fixed
原文