fix(deps): update module github.com/cilium/cilium to v1.16.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cilium/cilium	v1.16.1 -> v1.16.6

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-52529

Impact

For users with the following configuration:

• An allow policy that selects a Layer 3 identity and a port range AND
• A Layer 7 allow policy that selects a specific port within the first policy's range

then Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy.

This issue only affects users who use Cilium's port range functionality, which was introduced in Cilium v1.16.

For reference, an example of a pair of policies that would trigger this issue is:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "layer-3-and-4"
spec:
  endpointSelector:
    matchLabels:
      app: service
  ingress:
    - fromCIDR:
      - 192.168.60.0/24
      toPorts:
      - ports:
        - port: "80"
          endPort: 444
          protocol: TCP

and

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "layer-4-and-7"
spec:
  endpointSelector:
    matchLabels:
      app: service
  ingress:
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/public"

In the above example, requests would be permitted to all HTTP paths on matching endpoints, rather than just GET requests to the /public path as intended by the layer-4-and-7 policy. In patched versions of Cilium, the layer-4-and-7 rule would take precedence over the layer-3-and-4 rule.

Patches

This issue is patched in https://github.com/cilium/cilium/pull/35150.

This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive.

This issue is patched in Cilium v1.16.4.

Workarounds

Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​jrajahalme for resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2025-23028

Impact

In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster.

For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic as configured at the time of the DoS. For workloads that have DNS-based policy configured, existing connections may continue to operate, and new connections made without relying on DNS resolution may continue to be established, but new connections which rely on DNS resolution may be disrupted. Any configuration changes that affect the impacted agent may not be applied until the agent is able to restart.

Patches

This issue affects:

• Cilium v1.14 between v1.14.0 and v1.14.17 inclusive
• Cilium v1.15 between v1.15.0 and v1.15.11 inclusive
• Cilium v1.16 between v1.16.0 and v1.16.4 inclusive

This issue is fixed in:

• Cilium v1.14.18
• Cilium v1.15.12
• Cilium v1.16.5

Workarounds

There are no known workarounds to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent and the Cisco Advanced Security Initiatives Group (ASIG) to prepare these mitigations. Special thanks to @​kokelley-cisco for reporting this issue and @​bimmlerd for the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2025-23047

Impact

For users who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart, an insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI is monitoring, including node names, IP addresses, and other metadata about workloads and the cluster networking configuration. In order for this vulnerability to be exploited, a victim would have to first visit a malicious page.

Patches

This issue was patched in cilium/cilium@a3489f1

This issue affects:

• Cilium between v1.14.0 and v1.14.18 inclusive
• Cilium between v1.15.0 and v1.15.12 inclusive
• Cilium between v1.16.0 and v1.16.5 inclusive

This issue is patched in:

• Cilium v1.14.19
• Cilium v1.15.13
• Cilium v1.16.6

Workarounds

Users who deploy Hubble UI using the Cilium Helm chart directly can remove the CORS headers from the Helm template as shown in the patch.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​ciffelia for reporting this issue and to @​geakstr for the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.16.6: 1.16.6

Compare Source

Summary of Changes

Major Changes:

• Add feature tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​35852, @​aanm)
• Add feature tracking in Cilium Operator as prometheus metrics (Backport PR #​36263, Upstream PR #​36077, @​aanm)

Minor Changes:

• envoy: Use yaml format for bootstrap config (Backport PR #​36782, Upstream PR #​36820, @​sayboras)
• Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs (#​36561, @​pippolo84)
• service: Cap number of backends included in monitor message (Backport PR #​36635, Upstream PR #​36394, @​joamaki)

Bugfixes:

• cilium: LB source ranges fixes (Backport PR #​36635, Upstream PR #​36517, @​borkmann)
• eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to comma separated string (Backport PR #​36872, Upstream PR #​36617, @​sderoe)
• envoy: Configure internal address config based on IP family (Backport PR #​36782, Upstream PR #​36733, @​sayboras)
• Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (Backport PR #​36635, Upstream PR #​36176, @​tamilmani1989)
• metrics/features: remove reporting metrics' defaults by default (Backport PR #​36263, Upstream PR #​36298, @​aanm)
• pkg/redirectpolicy: Fix backend slices in processConfig (Backport PR #​36872, Upstream PR #​35496, @​Sm0ckingBird)
• ui: drop CORS headers from api response (Backport PR #​36872, Upstream PR #​35762, @​geakstr)

CI Changes:

• [v1.16] .github: Remove CI Fuzz workflow (#​36641, @​joestringer)
• [v1.16] gh: e2e-upgrade: use 6.12 kernel for netkit test configs (#​36620, @​julianwiedmann)
• [v1.16] gha: use /test to trigger tests in stable branches (#​36673, @​giorio94)
• ci: fix job names for various ci workflows (Backport PR #​36263, Upstream PR #​36397, @​marseel)
• Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport PR #​36872, Upstream PR #​33398, @​giorio94)
• gh: e2e-upgrade: add coverage for 6.6 kernel (Backport PR #​36988, Upstream PR #​36626, @​julianwiedmann)
• gh: e2e-upgrade: de-renovate the config example (Backport PR #​36635, Upstream PR #​36463, @​julianwiedmann)
• gha: drop leftover token parameter in net-perf-gke workflow (#​36684, @​giorio94)
• gha: fix merging of features-related artifacts (#​36665, @​giorio94)
• gha: merge artifacts in net-perf-gke workflow (Backport PR #​36263, Upstream PR #​36236, @​giorio94)
• gha: Use ubuntu-24.04 for integration-test (Backport PR #​36659, Upstream PR #​36628, @​sayboras)

Misc Changes:

• .github/workflows: always install cilium-cli (Backport PR #​36263, Upstream PR #​36234, @​aanm)
• .github/workflows: do not fail ginkgo if unable to fetch features (Backport PR #​36263, Upstream PR #​36461, @​aanm)
• .github: fix conformance-k8s NP test (Backport PR #​36263, Upstream PR #​36355, @​aanm)
• [v1.16] Use bash syntax to consume env variable (#​36636, @​ferozsalam)
• Add more features tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​36078, @​aanm)
• Add policy-related features tracking in Cilium agent as prometheus metrics (Backport PR #​36263, Upstream PR #​36203, @​aanm)
• Add the tls:// prefix in the Hubble TLS doc (Backport PR #​36635, Upstream PR #​36410, @​liyihuang)
• chore(deps): update all github action dependencies (v1.16) (#​36612, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36762, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36950, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​37099, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​36760, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36707, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36787, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36949, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37033, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.16) (#​36895, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.36.1 docker digest to 7c3c3ce (v1.16) (#​36609, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.10 docker digest to 1a6e657 (v1.16) (#​36850, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.10 docker digest to 9855006 (v1.16) (#​36610, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.11 (v1.16) (#​37045, @​cilium-renovate[bot])
• chore(deps): update helm/kind-action action to v1.12.0 (v1.16) (#​36839, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36611, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36699, @​cilium-renovate[bot])
• doc: fix typo on kubeproxy-free (CEV -> CVE) (Backport PR #​36872, Upstream PR #​36701, @​alagoutte)
• docs: Add missing default identity label in the description of identity-relevant labels' example (Backport PR #​36635, Upstream PR #​36558, @​liyihuang)
• docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport PR #​36635, Upstream PR #​36549, @​verysonglaa)
• Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (Backport PR #​36635, Upstream PR #​36417, @​EricMountain)
• Fix make -C Documentation update-cmdref when make uses --jobserver-style=fifo. (Backport PR #​36872, Upstream PR #​36788, @​gentoo-root)
• fix(deps): update module golang.org/x/net to v0.33.0 [security] (v1.16) (#​36711, @​cilium-renovate[bot])
• ingress, gateway-api: Convert test fixtures to file based (Backport PR #​36782, Upstream PR #​36732, @​sayboras)
• metrics/features: enable ClusterMesh (Backport PR #​36263, Upstream PR #​36402, @​aanm)
• metrics/features: refactor metric names (Backport PR #​36263, Upstream PR #​36209, @​aanm)
• Prepare for release v1.16.6 (#​36989, @​cilium-release-bot[bot])
• Remove reference to DNS polling (Backport PR #​36872, Upstream PR #​36679, @​JacobHenner)

Other Changes:

• [v1.16] author backport: helm: avoid setting bpf-lb-sock-terminate-pod-connections (#​36650, @​ysksuzuki)
• install: Update image digests for v1.16.5 (#​36671, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.6@​sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
quay.io/cilium/cilium:stable@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.6@​sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a
quay.io/cilium/clustermesh-apiserver:stable@sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a

docker-plugin

quay.io/cilium/docker-plugin:v1.16.6@​sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66
quay.io/cilium/docker-plugin:stable@sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66

hubble-relay

quay.io/cilium/hubble-relay:v1.16.6@​sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b
quay.io/cilium/hubble-relay:stable@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.6@​sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9
quay.io/cilium/operator-alibabacloud:stable@sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9

operator-aws

quay.io/cilium/operator-aws:v1.16.6@​sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d
quay.io/cilium/operator-aws:stable@sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d

operator-azure

quay.io/cilium/operator-azure:v1.16.6@​sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd
quay.io/cilium/operator-azure:stable@sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd

operator-generic

quay.io/cilium/operator-generic:v1.16.6@​sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
quay.io/cilium/operator-generic:stable@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc

operator

quay.io/cilium/operator:v1.16.6@​sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46
quay.io/cilium/operator:stable@sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46

v1.16.5: 1.16.5

Compare Source

Summary of Changes

Minor Changes:

• hubble: Stop building 32-bit binaries (Backport PR #​36066, Upstream PR #​35974, @​michi-covalent)

Bugfixes:

• Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport PR #​36540, Upstream PR #​36484, @​julianwiedmann)
• bgp: fix race in bgp stores (Backport PR #​36066, Upstream PR #​35971, @​harsimran-pabla)
• BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #​36286, Upstream PR #​36230, @​rastislavs)
• BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR #​36286, Upstream PR #​36165, @​rastislavs)
• Cilium agent now waits until endpoints have restored before starting accepting new xDS streams. (Backport PR #​36049, Upstream PR #​35984, @​jrajahalme)
• Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, leading to spurious drops in connections to domains with many IPs associated. (Backport PR #​36462, Upstream PR #​36252, @​bimmlerd)
• cilium-health-ep controller is made to be more robust against successive failures. (Backport PR #​36066, Upstream PR #​35936, @​jrajahalme)
• DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport PR #​36468, Upstream PR #​36142, @​jrajahalme)
• Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport PR #​36049, Upstream PR #​36060, @​jrajahalme)
• Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. (Backport PR #​35861, Upstream PR #​35098, @​jschwinger233)
• Fix identity leak for kvstore identity mode (Backport PR #​36066, Upstream PR #​34893, @​odinuge)
• Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport PR #​36302, Upstream PR #​36292, @​giorio94)
• gateway-api: Fix gateway checks for namespace (Backport PR #​36462, Upstream PR #​35452, @​sayboras)
• gha: Remove hostLegacyRouting in clustermesh (Backport PR #​36357, Upstream PR #​35418, @​sayboras)
• helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport PR #​36066, Upstream PR #​36005, @​devodev)
• hubble: consistently use v as prefix for the Hubble version (Backport PR #​36286, Upstream PR #​35891, @​rolinh)
• iptables: Fix data race in iptables manager (Backport PR #​36066, Upstream PR #​35902, @​pippolo84)
• lrp: update LRP services with stale backends on agent restart (Backport PR #​36106, Upstream PR #​36036, @​ysksuzuki)
• policy: Fix bug that allowed port ranges to be attached to L7 policies, which is not permitted. (#​36050, @​nathanjsweet)
• Unbreak the cilium-dbg preflight migrate-identity command (Backport PR #​36286, Upstream PR #​36089, @​giorio94)
• Use strconv.Itoa instead of string() for the correct behavior when converting kafka.ErrorCode from int32 to string. Add relevant unit tests for Kafka plugin and handler. (Backport PR #​36066, Upstream PR #​35856, @​nddq)

CI Changes:

• [v1.16] ci: modularize chart CI push workflow (#​35958, @​ferozsalam)
• gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport PR #​36462, Upstream PR #​36384, @​julianwiedmann)
• gha: configure environment in build-images-base/image-digests job (Backport PR #​36462, Upstream PR #​36318, @​giorio94)
• node_local_store: prevent racey tests while using mock node store. (Backport PR #​36066, Upstream PR #​35945, @​tommyp1ckles)
• Remove unnecessary hubble port-forward commands (Backport PR #​36066, Upstream PR #​33523, @​michi-covalent)

Misc Changes:

• [v1.16] docs: egress masquerade selector (#​36333, @​viktor-kurchenko)
• [v1.16] images: bump cni plugins to v1.6.0 (#​36092, @​ferozsalam)
• bugtool: dump tail-call map for bpf_wireguard (Backport PR #​36286, Upstream PR #​36183, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​36155, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36275, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​36443, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​36277, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​35546, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36152, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36279, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​36444, @​cilium-renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) (#​36153, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.9 docker digest to 147f428 (v1.16) (#​36222, @​cilium-renovate[bot])
• chore(deps): update go to v1.22.10 (v1.16) (#​36441, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1732605705-2aa20ee3acb68cd38d57669af19508bea8f0ba62 (v1.16) (#​36180, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.16) (#​36495, @​cilium-renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.16) (#​36278, @​cilium-renovate[bot])
• chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.16) (#​36442, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​36154, @​cilium-renovate[bot])
• docs: Add the tls:// prefix before the IP address (Backport PR #​36286, Upstream PR #​36118, @​liyihuang)
• docs: Fix typo in multi-pool section title (Backport PR #​36312, Upstream PR #​36305, @​joestringer)
• docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport PR #​36066, Upstream PR #​35923, @​yilas)
• docs: lrp: fix kernel version requirement for skipRedirectFromBackend (Backport PR #​36066, Upstream PR #​35921, @​ysksuzuki)
• docs: system-requirements: require 5.4 kernel (Backport PR #​36462, Upstream PR #​36386, @​julianwiedmann)
• docs: WireGuard doesn't require overlay port in Network Firewalls (Backport PR #​36286, Upstream PR #​36208, @​julianwiedmann)
• Endpoint populate new policymap early if empty (Backport PR #​36479, Upstream PR #​36361, @​jrajahalme)
• envoy: Configure internal_address_config to avoid warning log (Backport PR #​36015, Upstream PR #​35943, @​sayboras)
• envoy: Pass tofqdns-proxy-response-max-delay to Envoy (Backport PR #​36468, Upstream PR #​36330, @​jrajahalme)
• fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.16) (#​36530, @​cilium-renovate[bot])
• Fixed BGP documentation (Backport PR #​36066, Upstream PR #​35953, @​seadog007)
• images: Use cilium-builder image instead of golang to build hubble (Backport PR #​36312, Upstream PR #​35697, @​learnitall)
• lrp: fix kernel version requirement in warning log (Backport PR #​36286, Upstream PR #​36141, @​ysksuzuki)
• Makefile: fix swagger definition for automatic renovate updates (Backport PR #​36066, Upstream PR #​35979, @​aanm)
• proxy: Take proxy port reference for new redirects immediately (Backport PR #​36468, Upstream PR #​36435, @​jrajahalme)
• proxyports: Resolve data races in test (Backport PR #​36468, Upstream PR #​36399, @​jrajahalme)
• proxyports: Sleep a bit longer in tests (Backport PR #​36468, Upstream PR #​36389, @​jrajahalme)
• Remove duplicated watch on services and endpoint in the cilium-agent (Backport PR #​36066, Upstream PR #​35838, @​MrFreezeex)
• Rework error handling logic in neighbor discovery (Backport PR #​36093, Upstream PR #​35144, @​pippolo84)
• Silence spurious clustermesh-related warnings (Backport PR #​36225, Upstream PR #​35867, @​giorio94)
• Update documentation for egress masquerading behavior (Backport PR #​36462, Upstream PR #​36267, @​liyihuang)

Other Changes:

• [1.16] ci/ipsec-upgrade: increase cilium status wait duration (#​36082, @​harsimran-pabla)
• [v1.16] cilium, service: Fix checkLBSrcRange propagation to LB map (#​36511, @​borkmann)
• install: Update image digests for v1.16.4 (#​36047, @​cilium-release-bot[bot])
• jrajahalme/v1.16 cilium cli (#​36541, @​jrajahalme)
• Revert "workflows/ipsec: Cover Ingress" (#​36116, @​harsimran-pabla)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.5@​sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
quay.io/cilium/cilium:stable@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.5@​sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958
quay.io/cilium/clustermesh-apiserver:stable@sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958

docker-plugin

quay.io/cilium/docker-plugin:v1.16.5@​sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768
quay.io/cilium/docker-plugin:stable@sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768

hubble-relay

quay.io/cilium/hubble-relay:v1.16.5@​sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00
quay.io/cilium/hubble-relay:stable@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.5@​sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0
quay.io/cilium/operator-alibabacloud:stable@sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0

operator-aws

quay.io/cilium/operator-aws:v1.16.5@​sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476
quay.io/cilium/operator-aws:stable@sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476

operator-azure

quay.io/cilium/operator-azure:v1.16.5@​sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9
quay.io/cilium/operator-azure:stable@sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9

operator-generic

quay.io/cilium/operator-generic:v1.16.5@​sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039
quay.io/cilium/operator-generic:stable@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039

operator

quay.io/cilium/operator:v1.16.5@​sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940
quay.io/cilium/operator:stable@sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940

v1.16.4: 1.16.4

Compare Source

Security Advisories

This release addresses GHSA-xg58-75qf-9r67.

Summary of Changes

Minor Changes:

• Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #​35908, Upstream PR #​35809, @​jrajahalme)
• clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #​35543, Upstream PR #​35349, @​giorio94)
• helm: Lower default hubble.tls.auto.certValidityDuration to 365 days (Backport PR #​35781, Upstream PR #​35630, @​chancez)
• helm: New socketLB.tracing flag (Backport PR #​35781, Upstream PR #​35747, @​pchaigno)
• hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #​35781, Upstream PR #​35632, @​chancez)
• netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #​35543, Upstream PR #​35306, @​jrife)

Bugfixes:

• Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #​35468, Upstream PR #​35179, @​wedaly)
• bgpv1: fix reconciliation of services with shared VIPs (Backport PR #​35468, Upstream PR #​35333, @​rastislavs)
• bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #​35863, Upstream PR #​35690, @​YutaroHayakawa)
• bgpv2: set local peering address when specified (Backport PR #​35781, Upstream PR #​35552, @​harsimran-pabla)
• Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #​35603, Upstream PR #​35150, @​jrajahalme)
• Cilium's DNS proxy no longer gets stuck for a specific five-tuple if an timeout waiting for response error is encountered. (Backport PR #​35781, Upstream PR #​35589, @​bimmlerd)
• config: Remove superfluous warning on native routing CIDR (Backport PR #​35781, Upstream PR #​35738, @​gandro)
• Fix missing flowlabel hash on SRv6 traffic. (Backport PR #​35781, Upstream PR #​35498, @​akaliwod)
• Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #​35543, Upstream PR #​35173, @​smagnani96)
• Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR #​35781, Upstream PR #​35673, @​giorio94)
• Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR #​35468, Upstream PR #​35165, @​julianwiedmann)
• Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #​35908, Upstream PR #​35694, @​julianwiedmann)
• Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR #​35781, Upstream PR #​35599, @​squeed)
• Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR #​35543, Upstream PR #​35293, @​squeed)
• Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR #​35906, Upstream PR #​35890, @​squeed)
• Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (#​35611, @​pippolo84)
• helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR #​35319, Upstream PR #​35301, @​hox)
• helm: fix duplicate configmap key for bpf-lb-sock-terminate-pod-connections (Backport PR #​35781, Upstream PR #​35703, @​solidDoWant)
• helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR #​35781, Upstream PR #​35674, @​ayuspin)
• hubble: fix endpoint cluster name (Backport PR #​35781, Upstream PR #​35415, @​kaworu)
• hubble: Lock exporters while gathering metrics (Backport PR #​35908, Upstream PR #​35860, @​joestringer)
• Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. (Backport PR #​35781, Upstream PR #​35143, @​jrajahalme)
• ipam: Validate CiliumNode resource in ENI mode (Backport PR #​35792, Upstream PR #​35784, @​sayboras)
• l7lb: fix registration of flag loadbalancer-l7 (Backport PR #​35781, Upstream PR #​35623, @​mhofstetter)
• Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR #​35319, Upstream PR #​35069, @​chancez)
• option: Reduce log level for WG strict mode + IPv6 (Backport PR #​35908, Upstream PR #​35763, @​pchaigno)
• Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport PR #​35468, Upstream PR [#​35381](https://redirect.github.com/cilium

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 18 additional dependencies were updated

Details:

Package	Change
github.com/cilium/proxy	v0.0.0-20240418093727-2c7164c53e26 -> v0.0.0-20241210133824-eaae5aca0fb9
github.com/petermattis/goid	v0.0.0-20230904192822-1876fd5063bc -> v0.0.0-20240813172612-4fcff4a6cae7
github.com/sasha-s/go-deadlock	v0.3.1 -> v0.3.5
github.com/stretchr/testify	v1.9.0 -> v1.10.0
github.com/vishvananda/netlink	v1.2.1-beta.2.0.20240524165444-4d4ba1473f21 -> v1.3.1-0.20241022031324-976bd8de7d81
go.opentelemetry.io/proto/otlp	v1.2.0 -> v1.3.1
golang.org/x/crypto	v0.24.0 -> v0.31.0
golang.org/x/net	v0.26.0 -> v0.33.0
golang.org/x/oauth2	v0.20.0 -> v0.23.0
golang.org/x/sync	v0.7.0 -> v0.10.0
golang.org/x/sys	v0.21.0 -> v0.28.0
golang.org/x/term	v0.21.0 -> v0.27.0
golang.org/x/text	v0.16.0 -> v0.21.0
google.golang.org/genproto/googleapis/api	v0.0.0-20240515191416-fc5f0ca64291 -> v0.0.0-20241206012308-a4fef0638583
google.golang.org/genproto/googleapis/rpc	v0.0.0-20240624140628-dc46fd24d27d -> v0.0.0-20241206012308-a4fef0638583
google.golang.org/grpc	v1.64.1 -> v1.68.1
google.golang.org/protobuf	v1.34.2 -> v1.35.2
k8s.io/klog/v2	v2.120.1 -> v2.130.1