fix(deps): update module github.com/cilium/cilium to v1.16.9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cilium/cilium	v1.16.1 -> v1.16.9

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-52529

Impact

For users with the following configuration:

• An allow policy that selects a Layer 3 identity and a port range AND
• A Layer 7 allow policy that selects a specific port within the first policy's range

then Layer 7 enforcement would not occur for the traffic selected by the Layer 7 policy.

This issue only affects users who use Cilium's port range functionality, which was introduced in Cilium v1.16.

For reference, an example of a pair of policies that would trigger this issue is:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "layer-3-and-4"
spec:
  endpointSelector:
    matchLabels:
      app: service
  ingress:
    - fromCIDR:
      - 192.168.60.0/24
      toPorts:
      - ports:
        - port: "80"
          endPort: 444
          protocol: TCP

and

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "layer-4-and-7"
spec:
  endpointSelector:
    matchLabels:
      app: service
  ingress:
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/public"

In the above example, requests would be permitted to all HTTP paths on matching endpoints, rather than just GET requests to the /public path as intended by the layer-4-and-7 policy. In patched versions of Cilium, the layer-4-and-7 rule would take precedence over the layer-3-and-4 rule.

Patches

This issue is patched in https://github.com/cilium/cilium/pull/35150.

This issue affects Cilium v1.16 between v1.16.0 and v1.16.3 inclusive.

This issue is patched in Cilium v1.16.4.

Workarounds

Users with network policies that match the pattern described above can work around the issue by rewriting any policies that use port ranges to individually specify the ports permitted for traffic.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​jrajahalme for resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2025-23028

Impact

In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster.

For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic as configured at the time of the DoS. For workloads that have DNS-based policy configured, existing connections may continue to operate, and new connections made without relying on DNS resolution may continue to be established, but new connections which rely on DNS resolution may be disrupted. Any configuration changes that affect the impacted agent may not be applied until the agent is able to restart.

Patches

This issue affects:

• Cilium v1.14 between v1.14.0 and v1.14.17 inclusive
• Cilium v1.15 between v1.15.0 and v1.15.11 inclusive
• Cilium v1.16 between v1.16.0 and v1.16.4 inclusive

This issue is fixed in:

• Cilium v1.14.18
• Cilium v1.15.12
• Cilium v1.16.5

Workarounds

There are no known workarounds to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent and the Cisco Advanced Security Initiatives Group (ASIG) to prepare these mitigations. Special thanks to @​kokelley-cisco for reporting this issue and @​bimmlerd for the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2025-23047

Impact

For users who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart, an insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI is monitoring, including node names, IP addresses, and other metadata about workloads and the cluster networking configuration. In order for this vulnerability to be exploited, a victim would have to first visit a malicious page.

Patches

This issue was patched in cilium/cilium@a3489f1

This issue affects:

• Cilium between v1.14.0 and v1.14.18 inclusive
• Cilium between v1.15.0 and v1.15.12 inclusive
• Cilium between v1.16.0 and v1.16.5 inclusive

This issue is patched in:

• Cilium v1.14.19
• Cilium v1.15.13
• Cilium v1.16.6

Workarounds

Users who deploy Hubble UI using the Cilium Helm chart directly can remove the CORS headers from the Helm template as shown in the patch.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​ciffelia for reporting this issue and to @​geakstr for the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2025-30162

Impact

For Cilium users who:

• Use Gateway API for Ingress for some services AND
• Use LB-IPAM or BGP for LB Service implementation AND
• Use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces

Egress traffic from workloads covered by such network policies to LoadBalancers configured by Gateway resources will incorrectly be allowed.

LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue.

Patches

This issue was fixed by https://github.com/cilium/proxy/pull/1172.

This issue affects:

• Cilium v1.15 between v1.15.0 and v1.15.14 inclusive
• Cilium v1.16 between v1.16.0 and v1.16.7 inclusive
• Cilium v1.17 between v1.17.0 and v1.17.1 inclusive

This issue is fixed in:

• Cilium v1.15.15
• Cilium v1.16.8
• Cilium v1.17.2

Workarounds

A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade. An outline of such a policy is provided below:

apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "workaround"
spec:
  endpointSelector:
    matchExpressions:
    - key: reserved:ingress
      operator: Exists
  ingress:
  - fromEntities:
    - world

• The policy opens up connectivity from all locations outside the cluster into the Cilium Ingress Gateway.
• The policy establishes a default deny for all other traffic towards the Cilium Ingress Gateway, including all in-cluster sources.
• It is possible to tailor the policy to more narrowly allow inbound traffic while creating a default deny posture for traffic between namespaces. Users should edit the policy to bring it in line with the security requirements particular to their environments.

Acknowledgements

The Cilium community has worked together with members of the Isovalent team to prepare these mitigations. Special thanks to @​jrajahalme for the fix.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2025-30163

Impact

Node based network policies (fromNodes and toNodes) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in fromNodes and toNodes sections of network policies. Node based network policy is disabled by default in Cilium.

Patches

This issue was fixed by https://github.com/cilium/cilium/pull/36657.

This issue affects:

• Cilium v1.16 between v1.16.0 and v1.16.7 inclusive
• Cilium v1.17 between v1.17.0 and v1.17.1 inclusive

This issue is fixed in:

• Cilium v1.16.8
• Cilium v1.17.2

Workarounds

Users can work around this issue by ensuring that the labels used in fromNodes and toNodes fields are used exclusively by nodes and not by other endpoints.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​oblazek for reporting and fixing this issue.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.

CVE-2025-32793

Impact

When using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium.

Patches

This issue has been patched in https://github.com/cilium/cilium/pull/38592.

This issue affects:

• Cilium v1.15 between v1.15.0 and v1.15.15 inclusive
• Cilium v1.16 between v1.16.0 and v1.16.8 inclusive
• Cilium v1.17 between v1.17.0 and v1.17.2 inclusive

This issue is fixed in:

• Cilium v1.15.16
• Cilium v1.16.9
• Cilium v1.17.3

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​gandro and @​pippolo84 for reporting this issue and to @​julianwiedmann for the patch.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.16.9: 1.16.9

Compare Source

Summary of Changes

Minor Changes:

• Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR #​38400, Upstream PR #​37936, @​smagnani96)
• Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport PR #​38747, Upstream PR #​35900, @​smagnani96)

Bugfixes:

• bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR #​38747, Upstream PR #​38592, @​julianwiedmann)
• Fix panic caused in dual cluster setups where LRPs with skipRedirectFromBackend flag set to true are installed and IPv6 is disabled. (Backport PR #​38701, Upstream PR #​38656, @​aditighag)
• For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR #​38747, Upstream PR #​38737, @​julianwiedmann)

CI Changes:

• build: update golangci-lint to v2.0.0 (Backport PR #​38631, Upstream PR #​38473, @​mhofstetter)
• ci: build CI images within merge group (Backport PR #​38525, Upstream PR #​38065, @​marseel)
• ci: prepare CI Image build for being required (Backport PR #​38525, Upstream PR #​38320, @​marseel)
• Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38264, @​smagnani96)
• Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38290, @​smagnani96)
• Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38281, @​smagnani96)
• Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38265, @​smagnani96)
• Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38292, @​smagnani96)
• Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38291, @​smagnani96)
• gh: aws-cni: set --enable-identity-mark=false option (Backport PR #​38747, Upstream PR #​38738, @​julianwiedmann)
• gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR #​38521, Upstream PR #​37551, @​jschwinger233)
• gh: update naming for bpftrace leak detection script (Backport PR #​38521, Upstream PR #​37865, @​julianwiedmann)
• Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38278, @​smagnani96)
• Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38293, @​smagnani96)
• Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38266, @​smagnani96)
• Refactoring and code comments for the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38263, @​smagnani96)
• Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38297, @​smagnani96)
• Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38280, @​smagnani96)
• Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38289, @​smagnani96)
• Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #​38525, Upstream PR #​38289, @​smagnani96)
• Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38287, @​smagnani96)
• Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38268, @​smagnani96)
• test: Update FQDN related domain and IP (Backport PR #​38770, Upstream PR #​38754, @​sayboras)

Misc Changes:

• [v1.16] deps: bump github.com/containerd/containerd to v1.7.27 (#​38496, @​ferozsalam)
• [v1.16] deps: Bump package x/net (#​38323, @​ferozsalam)
• [v1.16] deps: bump package x/oauth2 (#​38404, @​ferozsalam)
• [v1.16]: deps: bump x/net to v0.38.0 (#​38781, @​ferozsalam)
• bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR #​38747, Upstream PR #​37956, @​julianwiedmann)
• bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport PR #​38747, Upstream PR #​38430, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​38347, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​38515, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​38346, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​38304, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​38442, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​38543, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.16) (#​38731, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.16) (#​38348, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.16) (#​38714, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.36.1 docker digest to e246aa2 (v1.16) (#​38344, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.16) (#​38613, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.8 (v1.16) (#​38345, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.16) (#​38258, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742515734-d30064faed34d8936672353d4b6d6dbcfbaa7b2d (v1.16) (#​38385, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743506100-0821ef0acdf9f824d47d34e02932be522b3e7233 (v1.16) (#​38672, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743993953-6f87ef30cb1aca19e233099304bd08d689f380dd (v1.16) (#​38774, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​38317, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​38614, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​38832, @​cilium-renovate[bot])
• docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR #​38525, Upstream PR #​38173, @​yrsuthari)
• docs: clarify hubble flow filter match semantics (Backport PR #​38701, Upstream PR #​38657, @​devodev)
• docs: Document jitter applied to BGP ConnectRetryTimeSeconds (Backport PR #​38525, Upstream PR #​38231, @​rastislavs)
• docs: Update LLVM requirements to 18.1 (Backport PR #​38342, Upstream PR #​38294, @​gentoo-root)
• Documentation: "cilium config set" restarts by default (Backport PR #​38299, Upstream PR #​38114, @​joamaki)
• Documentation: fix mentions of per-node cilium-dbg tool (Backport PR #​38299, Upstream PR #​38276, @​tklauser)
• images: bump distroless to static (Backport PR #​38695, Upstream PR #​38647, @​kaworu)
• pkg/controller: fix data race in update params locked (Backport PR #​38525, Upstream PR #​38327, @​aanm)
• pkg/endpoint: fix race in unit test (Backport PR #​38299, Upstream PR #​38129, @​squeed)
• remove the endpointRoutes for aws cni in the doc (Backport PR #​38701, Upstream PR #​38381, @​liyihuang)

Other Changes:

• [v1.16] hubble: fix flowfilter flag parsing allowing only one filter (#​38794, @​devodev)
• [v1.16] proxy: Bump envoy version to 1.32.x (#​38307, @​sayboras)
• fix AWS ENI IPAM mode performance regression in the Operator when --update-ec2-adapter-limit-via-api is set to true (#​38533, @​antonipp)
• gha: Skip HTTPRouteServiceTypes test (#​38343, @​sayboras)
• install: Update image digests for v1.16.8 (#​38207, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.9@​sha256:98f8e547fd0720e042a1eb7bd6f50a521cbe0a8ea8e013f783f1709fc023c266

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.9@​sha256:69b9b80046f2a293de96e228ffdf7803bdd387d2c8cc6fa836a240c4932d7066

docker-plugin

quay.io/cilium/docker-plugin:v1.16.9@​sha256:867b37f934411c11e9e50d0d691a2d1376ec4fe4c573c9b3af6950d559a97b28

hubble-relay

quay.io/cilium/hubble-relay:v1.16.9@​sha256:c978b77e607cc7fb9a92741464470002a192af47c5dec57b83f693919857199e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.9@​sha256:59d2a5d5ab017c974c42eeb7f265f9b91aafad2ee6c73d5dffe0bfe44bedd134

operator-aws

quay.io/cilium/operator-aws:v1.16.9@​sha256:f00e854ad7ae0c55e0e2352b71a98fe1358ba029e2e93b236a18c3b43664f948

operator-azure

quay.io/cilium/operator-azure:v1.16.9@​sha256:549ef9d238b84313f4a9f25518a77ec16cc9b86a19e66242bee920eb9c065fea

operator-generic

quay.io/cilium/operator-generic:v1.16.9@​sha256:0489f71dfeff23d1fbc4ee85a81a0274076ab2b53072aadbdf5963e83dc3faf7

operator

quay.io/cilium/operator:v1.16.9@​sha256:c8d0d6ca36d49bdeeb82d75b58a061f10e9e402d493241d648c4e329027b67ee

v1.16.8: 1.16.8

Compare Source

Summary of Changes

Minor Changes:

• docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR #​38106, Upstream PR #​37989, @​oblazek)
• Increase granularity of the api_duration_seconds metric buckets (Backport PR #​38014, Upstream PR #​37365, @​jaredledvina)

Bugfixes:

• Do not auto detect / auto select IPoIB devices (Backport PR #​37647, Upstream PR #​37553, @​dylandreimerink)
• Egress route reconciliation (Backport PR #​38120, Upstream PR #​37962, @​dylandreimerink)
• Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR #​37900, Upstream PR #​37419, @​javanthropus)
• Fix envoy metrics could not be obtained on IPv6-only clusters (Backport PR #​37900, Upstream PR #​37818, @​haozhangami)
• Fix the --dns-policy-unload-on-shutdown feature for restored endpoints (Backport PR #​37647, Upstream PR #​37532, @​antonipp)
• fix: cilium-config configmap was incorrectly resulting in values like 2.09715…2e+06 instead of 2097152 (Backport PR #​37647, Upstream PR #​37236, @​dee-kryvenko)
• Fix: cilium-operator no longer patches services on shutdown (Backport PR #​38106, Upstream PR #​37967, @​rsafonseca)
• helm: fix large number handling (Backport PR #​37743, Upstream PR #​37670, @​justin0u0)
• hubble: escape terminal special characters from observe output (Backport PR #​37647, Upstream PR #​37401, @​devodev)
• identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport PR #​38014, Upstream PR #​36657, @​oblazek)
• Restore aggregration of network trace events for Egress Gateway reply traffic on the gateway node (Backport PR #​38106, Upstream PR #​38029, @​julianwiedmann)

CI Changes:

• .github: Remove misleading step from ipsec workflow (Backport PR #​37743, Upstream PR #​37681, @​joestringer)
• bgpv1: wait for watchers to be ready in tests (Backport PR #​38014, Upstream PR #​37884, @​harsimran-pabla)
• ci: add leak detection to conformance-ipsec-upgrade (Backport PR #​36575, Upstream PR #​36377, @​smagnani96)
• CI: GKE backslash missing disable insecure kubelet (Backport PR #​37900, Upstream PR #​37850, @​auriaave)
• CI: GKE, disable insecure kubelet readonly port (Backport PR #​37900, Upstream PR #​37844, @​auriaave)
• ci: switch to monitor aggregation medium (Backport PR #​38106, Upstream PR #​38036, @​marseel)
• Cleanups after LLVM upgrade. (Backport PR #​37801, Upstream PR #​32067, @​gentoo-root)

Misc Changes:

• [v1.16] docs: Update requirements.txt dependencies (#​37616, @​joestringer)
• allocator: correctly propagate context to RunGC call (Backport PR #​37743, Upstream PR #​36034, @​giorio94)
• chore(deps): update all github action dependencies (v1.16) (#​37952, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37997, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​38049, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.16) (#​37951, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.7 (v1.16) (#​37998, @​cilium-renovate[bot])
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.16) (#​37834, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.16) (#​38149, @​cilium-renovate[bot])
• docs: fix broken links (Backport PR #​38106, Upstream PR #​37995, @​nueavv)
• Fix API generation and add trusted dependencies to renovate config (Backport PR #​37647, Upstream PR #​36957, @​aanm)
• Fix helm value for IPAM Multi-Pool (Backport PR #​38014, Upstream PR #​37963, @​saintdle)
• labels: fix TestNewFrom test (Backport PR #​37900, Upstream PR #​37846, @​giorio94)
• Moves Unix socket listener configuration to a new file specifically for Linux builds. (Backport PR #​37647, Upstream PR #​37399, @​ritwikranjan)
• Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR #​37900, Upstream PR #​37806, @​rolinh)
• wireguard: attach Ingress program for native routing mode configurations (Backport PR #​38117, Upstream PR #​37108, @​julianwiedmann)

Other Changes:

• [v1.16] images: update cilium-{runtime,builder} (#​38054, @​julianwiedmann)
• install: Update image digests for v1.16.7 (#​37709, @​cilium-release-bot[bot])
• v1.16: gh/workflows: Remove conformance-externalworkloads (#​37739, @​brb)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.8@​sha256:569ec9056ef2e3b283edb508b31e4ff04058cb7bd551cc9433512ebdef07804d

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.8@​sha256:5ea1c42de93879a853e35a1287dfc0c2bcf912fcdc8ce092dfb322819123c8ea

docker-plugin

quay.io/cilium/docker-plugin:v1.16.8@​sha256:74664fa646f3fe6b8615830b21073602dece8b5397db7384b5aa0e585857265e

hubble-relay

quay.io/cilium/hubble-relay:v1.16.8@​sha256:498c04894fc95b6792d713dfb5e11aad236d41433710ddf73425483e855170be

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.8@​sha256:409009711eab9e0f97c13c67c9b18aa48be130d970f09b067e1ae35df24b2252

operator-aws

quay.io/cilium/operator-aws:v1.16.8@​sha256:c596b30650899c5ecde8b114e0a4e8679f83122c2477056d8d437df78b7a981b

operator-azure

quay.io/cilium/operator-azure:v1.16.8@​sha256:c9dc8757e5941c72764b4a73d39c270378f156cc005722db95c77e0d1897dd04

operator-generic

quay.io/cilium/operator-generic:v1.16.8@​sha256:86c879ed25396a992fb8bf0297289f0b61f30f9a4a260f483abbdb39d919644d

operator

quay.io/cilium/operator:v1.16.8@​sha256:c2b0716672ce2bf68c2679c8b98ddab4c80f2c6891560e538ce4e117240ba220

v1.16.7: 1.16.7

Compare Source

Summary of Changes

Minor Changes:

• Add IngressDeny and EgressDeny rules validation for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy (Backport PR #​37124, Upstream PR #​36598, @​pippolo84)
• doc: Added hostLegacyRouting limitation for Talos (Backport PR #​37168, Upstream PR #​36852, @​PhilipSchmid)

Bugfixes:

• agent: defend against null pointer refs in cecManager.getEndpoint() (Backport PR #​37375, Upstream PR #​37188, @​aetimmes)
• Allow cilium agent to start on linux kernels that don't have CONFIG_XFRM. (Backport PR #​37278, Upstream PR #​37123, @​julianwiedmann)
• ces: Fix bug where stale endpoint information was injected into IPCache (Backport PR #​37417, Upstream PR #​37347, @​gandro)
• envoy: add configurable access log buffer size (Backport PR #​37168, Upstream PR #​36823, @​aetimmes)
• Fix a bug that prevents a pod from accessing Nodeport services when the pod is also in scope of a broad-range Egress Gateway policy. (Backport PR #​37168, Upstream PR #​36929, @​julianwiedmann)
• Fix bug causing the endpoint regeneration failure handler to be effective only once (Backport PR #​37278, Upstream PR #​37085, @​giorio94)
• Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped. (Backport PR #​37168, Upstream PR #​37086, @​giorio94)
• Fix specifying multiple interfaces for egress masquerade with enable-masquerade-to-route-source=false (Backport PR #​37168, Upstream PR #​36103, @​viktor-kurchenko)
• maps/nat/stats: Use Start context when waiting for maps (Backport PR #​37278, Upstream PR #​37262, @​tommyp1ckles)
• nodeinit: move kubelet restart inside if/else in startup.bash (Backport PR #​37375, Upstream PR #​37282, @​ayuspin)
• Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (Backport PR #​37168, Upstream PR #​36504, @​viktor-kurchenko)
• socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport PR #​37441, Upstream PR #​37426, @​alvaroaleman)

CI Changes:

• [v1.16] ctmap/gc: don't clamp conntrack scan timeout in CI (#​37380, @​giorio94)
• gh: harmonize lvh kernel naming scheme (Backport PR #​37375, Upstream PR #​37322, @​julianwiedmann)
• gh: update removed --loglevel option for kind (Backport PR #​37168, Upstream PR #​36935, @​julianwiedmann)
• gha: bump ubuntu version in conformance-externalworkloads (Backport PR #​37168, Upstream PR #​36859, @​giorio94)
• gha: correctly downgrade to patch release in ipsec workflows (Backport PR #​37168, Upstream PR #​36858, @​giorio94)
• gha: fix retrieval of DNS server in conformance external workloads (Backport PR #​37375, Upstream PR #​37361, @​giorio94)
• gha: Retrieve eks supported version via aws cli (Backport PR #​37223, Upstream PR #​37210, @​sayboras)
• Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport PR #​37168, Upstream PR #​36364, @​smagnani96)
• Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script. (Backport PR #​37168, Upstream PR #​36962, @​smagnani96)
• test: Fix the flake for TestRestoredPort (Backport PR #​37278, Upstream PR #​37106, @​sayboras)
• test: Move demo-httpd from Docker to Quay (Backport PR #​37278, Upstream PR #​37149, @​joestringer)
• test: Move the dind image to Quay to avoid rate-limiting (Backport PR #​37441, Upstream PR #​37388, @​pchaigno)

Misc Changes:

• build: Remove debug leftover from Makefile (Backport PR #​37168, Upstream PR #​36917, @​gentoo-root)
• chore(deps): update actions/setup-go action to v5.3.0 (v1.16) (#​37117, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​37244, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​37505, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37343, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37550, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.24 (v1.16) (#​37338, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.16) (#​37215, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.16) (#​37503, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.6 (v1.16) (#​37497, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.16) (#​37201, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​37411, @​cilium-renovate[bot])
• cilium-dbg/troubleshoot: do not import cilium-dbg from operator (Backport PR #​37375, Upstream PR #​37326, @​aanm)
• clustermesh: Add hidden flag --allow-unsafe-policy-skb-usage (Backport PR #​37168, Upstream PR #​36602, @​joestringer)
• doc(glossary): Geneve as final RFC (Backport PR #​37375, Upstream PR #​37316, @​alagoutte)
• doc: ebpf host-routing and netfilter (Backport PR #​37168, Upstream PR #​36921, @​PhilipSchmid)
• doc: eks cluster restriction removed (Backport PR #​37278, Upstream PR #​37043, @​viktor-kurchenko)
• doc: Removed nodeinit from aks byocni install (Backport PR #​37168, Upstream PR #​37048, @​PhilipSchmid)
• docs: Add SNI policy example (Backport PR #​37375, Upstream PR #​37234, @​sayboras)
• docs: Clarify Identity-Relevant Labels description (Backport PR #​37168, Upstream PR #​36924, @​joestringer)
• docs: Fix broken link in BGP control plane docs (Backport PR #​37375, Upstream PR [#​37241](https://redirect.github.com/c

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 19 additional dependencies were updated

Details:

Package	Change
github.com/cilium/proxy	v0.0.0-20240418093727-2c7164c53e26 -> v0.0.0-20241210133824-eaae5aca0fb9
github.com/go-jose/go-jose/v4	v4.0.2 -> v4.0.5
github.com/petermattis/goid	v0.0.0-20230904192822-1876fd5063bc -> v0.0.0-20240813172612-4fcff4a6cae7
github.com/sasha-s/go-deadlock	v0.3.1 -> v0.3.5
github.com/stretchr/testify	v1.9.0 -> v1.10.0
github.com/vishvananda/netlink	v1.2.1-beta.2.0.20240524165444-4d4ba1473f21 -> v1.3.1-0.20241022031324-976bd8de7d81
go.opentelemetry.io/proto/otlp	v1.2.0 -> v1.3.1
golang.org/x/crypto	v0.24.0 -> v0.32.0
golang.org/x/net	v0.26.0 -> v0.33.0
golang.org/x/oauth2	v0.20.0 -> v0.23.0
golang.org/x/sync	v0.7.0 -> v0.10.0
golang.org/x/sys	v0.21.0 -> v0.29.0
golang.org/x/term	v0.21.0 -> v0.28.0
golang.org/x/text	v0.16.0 -> v0.21.0
google.golang.org/genproto/googleapis/api	v0.0.0-20240515191416-fc5f0ca64291 -> v0.0.0-20241206012308-a4fef0638583
google.golang.org/genproto/googleapis/rpc	v0.0.0-20240624140628-dc46fd24d27d -> v0.0.0-20241206012308-a4fef0638583
google.golang.org/grpc	v1.64.1 -> v1.68.1
google.golang.org/protobuf	v1.34.2 -> v1.35.2
k8s.io/klog/v2	v2.120.1 -> v2.130.1

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -d -t ./...
go: module github.com/cilium/[email protected] requires go >= 1.23.0; switching to go1.23.8
go: downloading go1.23.8 (linux/amd64)
go: download go1.23.8: golang.org/[email protected]: verifying module: checksum database disabled by GOSUMDB=off