cilium: add IP option packet tracing feature by Bigdelle · Pull Request #41306 · cilium/cilium

Bigdelle · 2025-08-20T21:55:51Z

This change introduces packet tracing via trace IDs embedded in IP options, observable via cilium monitor and hubble

Summary

The design CFP is the ultimate resource for understanding this feature, but the following summary should provide context in a more succint way.

This pull request adds a packet tracing feature using a configurable IPv4 option.

The feature allows a trace ID to be embedded within a custom IPv4 option. When a packet containing this option is processed by Cilium, the trace ID is extracted and propagated into monitor events and Hubble flows. This enables the precise tracking of a specific packet's path and outcome, which is useful for debugging policy and connectivity issues.

Implementation Details

The implementation consists of three main parts:

BPF Dataplane

A new Cilium agent flag, --ip-tracing-option-type, configures the BPF programs to look for a specific IP option type.
BPF programs were updated to parse this IPv4 option and extract its payload as a 64-bit trace ID.
The extracted trace ID is stored in a per-CPU map and associated with the packet during its processing in the datapath.

Control Plane

The DropNotify and TraceNotify event structures have been extended to include the IPTraceID.
When a packet with a trace ID is dropped or traced, the ID is included in the corresponding event sent to the agent.
The cilium-monitor output now displays the IP Trace ID when present in an event.

Hubble Observability

The Hubble flow.proto definition was updated to include an IPTraceID message within the Flow object.
The Hubble parser now populates this field from the monitor events.
A new filter, --ip-trace-id, has been added to the hubble observe command to allow filtering flows by one or more trace IDs.

sypakine

LGTM, just relaying some lingering comments from 8ffc09a

It looks like you addressed some of them, so perhaps you already looked into the others as well.

bpf/lib/ip_options.h

bpf/lib/trace_helpers.h

bpf/lib/drop.h

pkg/hubble/parser/threefour/parser_test.go

bpf/lib/drop.h

pkg/hubble/parser/threefour/parser_test.go

pkg/monitor/datapath_drop.go

pkg/monitor/datapath_drop_test.go

sypakine · 2025-08-26T20:59:19Z

/test

This change refactors the drop notify tests to be version-aware. This is a preparatory step to allow for the introduction of new fields to the `DropNotify` struct in a backward-compatible manner. The tests are updated to: - Define separate test cases for different versions of the `DropNotify` struct. Signed-off-by: Ben Bigdelle <[email protected]>

This change extends the `DropNotify` struct to include the IP trace  ID. The following changes are included: - The `DropNotify` struct in the control plane is updated to include the `IPTraceID` field. - The BPF code is updated to check to see if there is a stored trace ID in the BPF map and, if so, populating it. - The `cilium-monitor` output is updated to display the IP trace ID when present in a drop notify message. Signed-off-by: Ben Bigdelle <[email protected]>

This change extends the `TraceNotify` struct to include the IP trace. The following changes are included: - The `TraceNotify` struct in the control plane is updated to include the `IPTraceID` field. - At the creation of a TraceNotify event, check to see if IP trace is stored in the BPF map and populate it in the message if so. - The `cilium-monitor` output is updated to display the IP trace ID when present in a trace notify message. Signed-off-by: Ben Bigdelle <[email protected]>

This change introduces the IPTraceID field to the Hubble protobuf. This allows IP-based tracing information to be propagated and associated with flows observed by Hubble. The following changes are included: - A new `IPTraceID` message type is defined in `flow.proto`, containing the trace ID and the IP option type. - The Hubble parser is updated to decode the IP trace ID from monitor events (both drop and trace notifications) and populate the `ip_trace_id` field in the resulting `Flow` message. - The Hubble printer is updated to display the IP trace ID in the output. Signed-off-by: Ben Bigdelle <[email protected]>

This change introduces the ability to filter Hubble flows by IP trace ID directly from the Hubble CLI. The following changes are included: - A new `--ip-trace-id` flag is added to the `hubble observe` command, which can be specified multiple times to filter for multiple trace IDs. - A new `IPTraceIDFilter` is implemented to perform the filtering logic based onthe provided trace IDs. - The `IPTraceIDFilter` is added to the list of default filters. - The help text for the `hubble observe` command is updated to include the new flag. Signed-off-by: Ben Bigdelle <[email protected]>

jrife · 2025-09-08T18:16:00Z

/test

Bigdelle · 2025-09-08T20:07:44Z

The two workflow failures relate to flakes:
ci-integration is hitting #41550
ci-e2e-upgrade is hitting #41520

Bigdelle · 2025-09-08T20:34:56Z

ci-e2e-upgrade hitting #37520

Bigdelle · 2025-09-08T21:17:30Z

Failing K8s test related to #40575 and this PR

*Reran and passed

pchaigno · 2025-09-11T12:38:40Z

@Bigdelle Congrats on your first pull request in Cilium! Not starting with an easy one 😅

joamaki · 2025-09-24T12:40:19Z

This is causing flakes in CI: error="loading eBPF collection into the kernel: map cilium_percpu_trace_id: pin map to /sys/fs/bpf/tc/globals/cilium_percpu_trace_id: file exists" (1 occurrences)

The BPF loader in Cilium is trying to pin the map in parallel, causing the first load to succeed and others to fail. A map must either not be marked as PIN_BY_NAME or if it is it must be OpenAndCreated by the agent before the loader starts (e.g. from a Start hook added from a constructor that provides bpf.BpfMap). Or if there's no Cell for this it could be done the "old" way via e.g. daemon/cmd/datapath.go in Daemon.initMaps.

I know there's no way to discover this when you're new to the code base. We are trying to figure out how to avoid or enforce this.

Bigdelle · 2025-09-24T16:39:22Z

This is causing flakes in CI: error="loading eBPF collection into the kernel: map cilium_percpu_trace_id: pin map to /sys/fs/bpf/tc/globals/cilium_percpu_trace_id: file exists" (1 occurrences)

The BPF loader in Cilium is trying to pin the map in parallel, causing the first load to succeed and others to fail. A map must either not be marked as PIN_BY_NAME or if it is it must be OpenAndCreated by the agent before the loader starts (e.g. from a Start hook added from a constructor that provides bpf.BpfMap). Or if there's no Cell for this it could be done the "old" way via e.g. daemon/cmd/datapath.go in Daemon.initMaps.

I know there's no way to discover this when you're new to the code base. We are trying to figure out how to avoid or enforce this.

Thank you for letting me know about this! I'll work on this and update to avoid this issue coming up.

Bigdelle · 2025-09-24T19:42:51Z

This is causing flakes in CI: error="loading eBPF collection into the kernel: map cilium_percpu_trace_id: pin map to /sys/fs/bpf/tc/globals/cilium_percpu_trace_id: file exists" (1 occurrences)

The BPF loader in Cilium is trying to pin the map in parallel, causing the first load to succeed and others to fail. A map must either not be marked as PIN_BY_NAME or if it is it must be OpenAndCreated by the agent before the loader starts (e.g. from a Start hook added from a constructor that provides bpf.BpfMap). Or if there's no Cell for this it could be done the "old" way via e.g. daemon/cmd/datapath.go in Daemon.initMaps.

I know there's no way to discover this when you're new to the code base. We are trying to figure out how to avoid or enforce this.

Hi Jussi, I drafted a solution and have it open as a draft PR right now (#41886). Please feel free to take a look and leave comments. Thank you, again, for bringing this to our attention!

jrife · 2025-09-24T20:05:08Z

The BPF loader in Cilium is trying to pin the map in parallel

@joamaki No strong objections to just calling OpenAndCreate() on startup with something similar to the PR Ben opened. For the sake of argument though, I wonder if there's anything wrong with teaching the loader to ignore EEXISTS errors on map pins or more gracefully handle it? If the intent is to ensure a map exists at a desired pin path and another load operation beats the current one to the punch, that seems OK actually provided that the map at that pin path matches the desired spec from the operation that received the error. Maybe we could do something like this to avoid introducing startup cruft just to prevent races?

(pseudocode)

if err == EEXISTS {
    if the map spec at pin path == my map spec {
        // ignore the error
    } else {
        // return some other error
    }
}

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.18.6` → `1.19.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.19.0`](https://github.com/cilium/cilium/releases/tag/v1.19.0): 1.19.0 [Compare Source](cilium/cilium@1.18.6...1.19.0) 🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium 1.19.0](https://github.com/cilium/cilium/releases/tag/v1.19.0) release! A total of **2934 new commits** have been contributed to this release by a growing community of over **1010 developers** and over **23,600 GitHub stars**! 🤩 ⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the [Upgrade Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes) for more details. The full changelog can be found [here](https://github.com/cilium/cilium/blob/v1.19/CHANGELOG.md). Here are some of the highlights: - 🛡️ **Network Policy** - 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern prefix. ([cilium/cilium#43420](cilium/cilium#43420), [@fristonio](https://github.com/fristonio)) - 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols in host firewall rules. ([cilium/cilium#39872](cilium/cilium#39872), [@aditighag](https://github.com/aditighag); [cilium/cilium#41949](cilium/cilium#41949), [@kyounghunJang](https://github.com/kyounghunJang)) - ⛔ **Actively Deny Connections**: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. ([cilium/cilium#41406](cilium/cilium#41406), [@antonipp](https://github.com/antonipp)) - 🌐 **Select Clusters Explicitly**: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. ([cilium/cilium#40609](cilium/cilium#40609), [@MrFreezeex](https://github.com/MrFreezeex)) - 🔧 **Unlock Future Work**: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release ([cilium/cilium#39906](cilium/cilium#39906), [@vipul-21](https://github.com/vipul-21); [cilium/cilium#42784](cilium/cilium#42784), [cilium/cilium#42896](cilium/cilium#42896), [@jrajahalme](https://github.com/jrajahalme)) - ⚠️ **Deprecate underutilized features**: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the `ToRequires` and `FromRequires` policy fields. ([cilium/cilium#43167](cilium/cilium#43167), [@sayboras](https://github.com/sayboras); [cilium/cilium#40967](cilium/cilium#40967), [@TheBeeZee](https://github.com/TheBeeZee)) - 🔒 **Encryption & Authentication** - 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. ([cilium/cilium#39239](cilium/cilium#39239), [cilium/cilium#42115](cilium/cilium#42115), [@rgo3](https://github.com/rgo3), [@julianwiedmann](https://github.com/julianwiedmann)) - 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. ([cilium/cilium#42766](cilium/cilium#42766), [cilium/cilium#42819](cilium/cilium#42819), [cilium/cilium#43227](cilium/cilium#43227) and others, [@ldelossa](https://github.com/ldelossa), [@rgo3](https://github.com/rgo3), [@nddq](https://github.com/nddq)) - 👥 **Mutual Authentication**: The out-of-band [Mutual Authentication](https://docs.cilium.io/en/v1.19.0/network/servicemesh/mutual-authentication/mutual-authentication/) feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. ([cilium/cilium#42665](cilium/cilium#42665), [@christarazi](https://github.com/christarazi)) - ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF Host Routing for faster route lookups ([cilium/cilium#41997](cilium/cilium#41997), [@pchaigno](https://github.com/pchaigno)) - 🚠 **Networking** - 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. ([cilium/cilium#43416](cilium/cilium#43416), [@gentoo-root](https://github.com/gentoo-root)) - 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum transmission unit (MTU) sizes for network paths using TCP. ([cilium/cilium#42012](cilium/cilium#42012), [cilium/cilium#43710](cilium/cilium#43710), [@tommyp1ckles](https://github.com/tommyp1ckles)) - 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. ([cilium/cilium#40324](cilium/cilium#40324), [@pchaigno](https://github.com/pchaigno)) - 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. ([cilium/cilium#40460](cilium/cilium#40460), [cilium/cilium#42191](cilium/cilium#42191), [@pippolo84](https://github.com/pippolo84)) - 🎭 **More Configurable Masquerade**: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade ([cilium/cilium#37568](cilium/cilium#37568), [@behzad-mir](https://github.com/behzad-mir); [cilium/cilium#43380](cilium/cilium#43380), [@alimehrabikoshki](https://github.com/alimehrabikoshki)) - 🕸️ **Services and Service Mesh** - 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. ([cilium/cilium#39648](cilium/cilium#39648), [@msune](https://github.com/msune)) - 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. ([cilium/cilium#39594](cilium/cilium#39594), [@saiaunghlyanhtet](https://github.com/saiaunghlyanhtet)) - ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. ([cilium/cilium#41936](cilium/cilium#41936), [@youngnick](https://github.com/youngnick)) - 🛣️ **Border Gateway Protocol (BGP)** - 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. ([cilium/cilium#42469](cilium/cilium#42469), [@rastislavs](https://github.com/rastislavs)) - ✉️ **Override Source IP addresses**: You can override the auto-generated BGP session source IP with the IP address applied on the configured `sourceInterface` to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle ([cilium/cilium#42583](cilium/cilium#42583), [@rastislavs](https://github.com/rastislavs)) - 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with `externalTrafficPolicy=Cluster` ([cilium/cilium#40717](cilium/cilium#40717), [@oblazek](https://github.com/oblazek)) - ⚠️ **Move to `cilium.io/v2` API**: The support for the older `CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced with v2 APIs. ([cilium/cilium#42278](cilium/cilium#42278), [@rastislavs](https://github.com/rastislavs)) - 🛰️ **Observability** - 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. ([cilium/cilium#41306](cilium/cilium#41306), [@Bigdelle](https://github.com/Bigdelle)) - 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble` command line to understand the encryption status of the traffic, either `--encrypted` or `--unencrypted`. ([cilium/cilium#43096](cilium/cilium#43096), [@SRodi](https://github.com/SRodi)) - 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now include which Network Policy caused the drop. ([cilium/cilium#41693](cilium/cilium#41693), [@41ks](https://github.com/41ks)) - 🌅 **Performance and Scale** - ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage for handling selectors in network policies. ([cilium/cilium#42008](cilium/cilium#42008), [@jrajahalme](https://github.com/jrajahalme); [cilium/cilium#42580](cilium/cilium#42580), [@odinuge](https://github.com/odinuge)) - 🔌 **More Efficient Connection Tracking**: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. ([cilium/cilium#38782](cilium/cilium#38782), [@BenoitKnecht](https://github.com/BenoitKnecht); [cilium/cilium#41990](cilium/cilium#41990), [@bersoare](https://github.com/bersoare)) - 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in large AWS environments with many resources. ([cilium/cilium#42529](cilium/cilium#42529), [@liyihuang](https://github.com/liyihuang)) - ⚙️ **Operations** - 📦 **Access Helm charts via Registry**: Helm charts are also available under `quay.io/cilium/charts/cilium` ([cilium/cilium#43624](cilium/cilium#43624), [@aanm](https://github.com/aanm)) - 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. ([cilium/cilium#42077](cilium/cilium#42077), [@phuhung273](https://github.com/phuhung273)) - 🤖 **Easier Multi-Cluster install**: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster Services (MCS). ([cilium/cilium#40729](cilium/cilium#40729), [@MrFreezeex](https://github.com/MrFreezeex)) - 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. ([cilium/cilium#42298](cilium/cilium#42298), [@MrFreezeex](https://github.com/MrFreezeex)) - 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. ([cilium/cilium#43422](cilium/cilium#43422), [@aanm](https://github.com/aanm); [cilium/cilium#40569](cilium/cilium#40569), [@sayboras](https://github.com/sayboras); [cilium/cilium#41936](cilium/cilium#41936), [@youngnick](https://github.com/youngnick); [cilium/cilium#42824](cilium/cilium#42824), [@rastislavs](https://github.com/rastislavs)). - 🏠 **Community** - ❤️ **Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - 📰 See studies with [Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546), [Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[ Cybozu](https://www.cncf.io/case-studies/cybozu/), [ESnet](https://www.cncf.io/case-studies/esnet/),[ Nutanix](https://www.cncf.io/case-studies/nutanix/), [OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/), [TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/). - 🇺🇸 **Atlanta Events**: The community gathered at [CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/blob/main/2025-NA/README.md) in Atlanta. - 🇳🇱 **Amsterdam Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2026-EU) in Amsterdam, March 23-27. [Read more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/) about where to find Cilium during the show. - 🔟 **Cilium is 10**: Read the [2025 Cilium Annual Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf) to see the latest project milestones, a decade on from its first commit. To keep up to date with all the latest Cilium releases, join #release 🎉 :birthday::heart::heart::heart::birthday: This is a very special release for Cilium, as it celebrates **10 years** since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today. :birthday::heart::heart::heart::birthday: ##### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.19.0@sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.19.0@sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.19.0@sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.19.0@sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0` ##### operator-aws `quay.io/cilium/operator-aws:v1.19.0@sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6` ##### operator-azure `quay.io/cilium/operator-azure:v1.19.0@sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a` ##### operator-generic `quay.io/cilium/operator-generic:v1.19.0@sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648` ##### operator `quay.io/cilium/operator:v1.19.0@sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3699 Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium/cilium](https://github.com/cilium/cilium) | minor | `1.18.6` → `1.19.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium/cilium)</summary> ### [`v1.19.0`](https://github.com/cilium/cilium/releases/tag/v1.19.0): 1.19.0 [Compare Source](cilium/cilium@1.18.6...1.19.0) 🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium 1.19.0](https://github.com/cilium/cilium/releases/tag/v1.19.0) release! A total of **2934 new commits** have been contributed to this release by a growing community of over **1010 developers** and over **23,600 GitHub stars**! 🤩 ⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the [Upgrade Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes) for more details. The full changelog can be found [here](https://github.com/cilium/cilium/blob/v1.19/CHANGELOG.md). Here are some of the highlights: - 🛡️ **Network Policy** - 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern prefix. ([cilium/cilium#43420](cilium/cilium#43420), [@fristonio](https://github.com/fristonio)) - 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols in host firewall rules. ([cilium/cilium#39872](cilium/cilium#39872), [@aditighag](https://github.com/aditighag); [cilium/cilium#41949](cilium/cilium#41949), [@kyounghunJang](https://github.com/kyounghunJang)) - ⛔ **Actively Deny Connections**: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. ([cilium/cilium#41406](cilium/cilium#41406), [@antonipp](https://github.com/antonipp)) - 🌐 **Select Clusters Explicitly**: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. ([cilium/cilium#40609](cilium/cilium#40609), [@MrFreezeex](https://github.com/MrFreezeex)) - 🔧 **Unlock Future Work**: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release ([cilium/cilium#39906](cilium/cilium#39906), [@vipul-21](https://github.com/vipul-21); [cilium/cilium#42784](cilium/cilium#42784), [cilium/cilium#42896](cilium/cilium#42896), [@jrajahalme](https://github.com/jrajahalme)) - ⚠️ **Deprecate underutilized features**: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the `ToRequires` and `FromRequires` policy fields. ([cilium/cilium#43167](cilium/cilium#43167), [@sayboras](https://github.com/sayboras); [cilium/cilium#40967](cilium/cilium#40967), [@TheBeeZee](https://github.com/TheBeeZee)) - 🔒 **Encryption & Authentication** - 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. ([cilium/cilium#39239](cilium/cilium#39239), [cilium/cilium#42115](cilium/cilium#42115), [@rgo3](https://github.com/rgo3), [@julianwiedmann](https://github.com/julianwiedmann)) - 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. ([cilium/cilium#42766](cilium/cilium#42766), [cilium/cilium#42819](cilium/cilium#42819), [cilium/cilium#43227](cilium/cilium#43227) and others, [@ldelossa](https://github.com/ldelossa), [@rgo3](https://github.com/rgo3), [@nddq](https://github.com/nddq)) - 👥 **Mutual Authentication**: The out-of-band [Mutual Authentication](https://docs.cilium.io/en/v1.19.0/network/servicemesh/mutual-authentication/mutual-authentication/) feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. ([cilium/cilium#42665](cilium/cilium#42665), [@christarazi](https://github.com/christarazi)) - ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF Host Routing for faster route lookups ([cilium/cilium#41997](cilium/cilium#41997), [@pchaigno](https://github.com/pchaigno)) - 🚠 **Networking** - 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. ([cilium/cilium#43416](cilium/cilium#43416), [@gentoo-root](https://github.com/gentoo-root)) - 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum transmission unit (MTU) sizes for network paths using TCP. ([cilium/cilium#42012](cilium/cilium#42012), [cilium/cilium#43710](cilium/cilium#43710), [@tommyp1ckles](https://github.com/tommyp1ckles)) - 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. ([cilium/cilium#40324](cilium/cilium#40324), [@pchaigno](https://github.com/pchaigno)) - 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. ([cilium/cilium#40460](cilium/cilium#40460), [cilium/cilium#42191](cilium/cilium#42191), [@pippolo84](https://github.com/pippolo84)) - 🎭 **More Configurable Masquerade**: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade ([cilium/cilium#37568](cilium/cilium#37568), [@behzad-mir](https://github.com/behzad-mir); [cilium/cilium#43380](cilium/cilium#43380), [@alimehrabikoshki](https://github.com/alimehrabikoshki)) - 🕸️ **Services and Service Mesh** - 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. ([cilium/cilium#39648](cilium/cilium#39648), [@msune](https://github.com/msune)) - 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. ([cilium/cilium#39594](cilium/cilium#39594), [@saiaunghlyanhtet](https://github.com/saiaunghlyanhtet)) - ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. ([cilium/cilium#41936](cilium/cilium#41936), [@youngnick](https://github.com/youngnick)) - 🛣️ **Border Gateway Protocol (BGP)** - 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. ([cilium/cilium#42469](cilium/cilium#42469), [@rastislavs](https://github.com/rastislavs)) - ✉️ **Override Source IP addresses**: You can override the auto-generated BGP session source IP with the IP address applied on the configured `sourceInterface` to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle ([cilium/cilium#42583](cilium/cilium#42583), [@rastislavs](https://github.com/rastislavs)) - 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with `externalTrafficPolicy=Cluster` ([cilium/cilium#40717](cilium/cilium#40717), [@oblazek](https://github.com/oblazek)) - ⚠️ **Move to `cilium.io/v2` API**: The support for the older `CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced with v2 APIs. ([cilium/cilium#42278](cilium/cilium#42278), [@rastislavs](https://github.com/rastislavs)) - 🛰️ **Observability** - 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. ([cilium/cilium#41306](cilium/cilium#41306), [@Bigdelle](https://github.com/Bigdelle)) - 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble` command line to understand the encryption status of the traffic, either `--encrypted` or `--unencrypted`. ([cilium/cilium#43096](cilium/cilium#43096), [@SRodi](https://github.com/SRodi)) - 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now include which Network Policy caused the drop. ([cilium/cilium#41693](cilium/cilium#41693), [@41ks](https://github.com/41ks)) - 🌅 **Performance and Scale** - ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage for handling selectors in network policies. ([cilium/cilium#42008](cilium/cilium#42008), [@jrajahalme](https://github.com/jrajahalme); [cilium/cilium#42580](cilium/cilium#42580), [@odinuge](https://github.com/odinuge)) - 🔌 **More Efficient Connection Tracking**: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. ([cilium/cilium#38782](cilium/cilium#38782), [@BenoitKnecht](https://github.com/BenoitKnecht); [cilium/cilium#41990](cilium/cilium#41990), [@bersoare](https://github.com/bersoare)) - 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in large AWS environments with many resources. ([cilium/cilium#42529](cilium/cilium#42529), [@liyihuang](https://github.com/liyihuang)) - ⚙️ **Operations** - 📦 **Access Helm charts via Registry**: Helm charts are also available under `quay.io/cilium/charts/cilium` ([cilium/cilium#43624](cilium/cilium#43624), [@aanm](https://github.com/aanm)) - 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. ([cilium/cilium#42077](cilium/cilium#42077), [@phuhung273](https://github.com/phuhung273)) - 🤖 **Easier Multi-Cluster install**: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster Services (MCS). ([cilium/cilium#40729](cilium/cilium#40729), [@MrFreezeex](https://github.com/MrFreezeex)) - 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. ([cilium/cilium#42298](cilium/cilium#42298), [@MrFreezeex](https://github.com/MrFreezeex)) - 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. ([cilium/cilium#43422](cilium/cilium#43422), [@aanm](https://github.com/aanm); [cilium/cilium#40569](cilium/cilium#40569), [@sayboras](https://github.com/sayboras); [cilium/cilium#41936](cilium/cilium#41936), [@youngnick](https://github.com/youngnick); [cilium/cilium#42824](cilium/cilium#42824), [@rastislavs](https://github.com/rastislavs)). - 🏠 **Community** - ❤️ **Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - 📰 See studies with [Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546), [Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[ Cybozu](https://www.cncf.io/case-studies/cybozu/), [ESnet](https://www.cncf.io/case-studies/esnet/),[ Nutanix](https://www.cncf.io/case-studies/nutanix/), [OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/), [TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/). - 🇺🇸 **Atlanta Events**: The community gathered at [CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/blob/main/2025-NA/README.md) in Atlanta. - 🇳🇱 **Amsterdam Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2026-EU) in Amsterdam, March 23-27. [Read more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/) about where to find Cilium during the show. - 🔟 **Cilium is 10**: Read the [2025 Cilium Annual Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf) to see the latest project milestones, a decade on from its first commit. To keep up to date with all the latest Cilium releases, join #release 🎉 :birthday::heart::heart::heart::birthday: This is a very special release for Cilium, as it celebrates **10 years** since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today. :birthday::heart::heart::heart::birthday: #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.19.0@sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.19.0@sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.19.0@sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.19.0@sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0` ##### operator-aws `quay.io/cilium/operator-aws:v1.19.0@sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6` ##### operator-azure `quay.io/cilium/operator-azure:v1.19.0@sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a` ##### operator-generic `quay.io/cilium/operator-generic:v1.19.0@sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648` ##### operator `quay.io/cilium/operator:v1.19.0@sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3715 Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 20, 2025

github-actions bot added hubble-cli PRs or GitHub issues related with hubble-cli kind/community-contribution This was a contribution made by a community member. labels Aug 20, 2025

jrife assigned jrife and unassigned jrife Aug 21, 2025

jrife self-requested a review August 21, 2025 16:10

sypakine reviewed Aug 22, 2025

View reviewed changes

bpf/lib/ip_options.h Outdated Show resolved Hide resolved

bpf/lib/trace_helpers.h Outdated Show resolved Hide resolved

bpf/lib/trace_helpers.h Show resolved Hide resolved

bpf/lib/trace_helpers.h Outdated Show resolved Hide resolved

bpf/lib/trace_helpers.h Outdated Show resolved Hide resolved

sypakine approved these changes Aug 22, 2025

View reviewed changes

bpf/lib/drop.h Show resolved Hide resolved

sypakine reviewed Aug 22, 2025

View reviewed changes

pkg/hubble/parser/threefour/parser_test.go Outdated Show resolved Hide resolved

pkg/hubble/parser/threefour/parser_test.go Outdated Show resolved Hide resolved

sypakine reviewed Aug 22, 2025

View reviewed changes

maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Aug 22, 2025

Bigdelle force-pushed the flows branch 11 times, most recently from 0b45583 to 19cfe24 Compare August 26, 2025 20:53

Bigdelle force-pushed the flows branch 2 times, most recently from 27e469b to 9a2580d Compare August 26, 2025 21:32

Bigdelle added 5 commits September 8, 2025 18:06

Bigdelle force-pushed the flows branch from d1c4336 to 5e6528b Compare September 8, 2025 18:06

maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 8, 2025

pchaigno added this pull request to the merge queue Sep 11, 2025

Merged via the queue into cilium:main with commit d49e81f Sep 11, 2025
68 of 69 checks passed

Bigdelle mentioned this pull request Sep 11, 2025

Adding bpf.monitorTraceIPOption flag to helm chart #41636

Merged

Bigdelle mentioned this pull request Sep 24, 2025

fix(bpf) Initialize cilium_percpu_trace_id map via Hive Start hook #41886

Merged

Bigdelle mentioned this pull request Oct 10, 2025

ladder: add bigdelle to members cilium/community#299

Merged

This was referenced Jan 23, 2026

feat(bpf,hubble): enhanced IP Option packet tracing support, hubble filtering, and documentation #43958

Open

docs(observability): Add tutorial for IP option tracing #43961

Merged

cilium-release-bot bot added this to cilium v1.19.0 Feb 3, 2026

cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026

Conversation

Bigdelle commented Aug 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Implementation Details

Uh oh!

sypakine left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sypakine commented Aug 26, 2025

Uh oh!

jrife commented Sep 8, 2025

Uh oh!

Bigdelle commented Sep 8, 2025

Uh oh!

Bigdelle commented Sep 8, 2025

Uh oh!

Bigdelle commented Sep 8, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

pchaigno commented Sep 11, 2025

Uh oh!

joamaki commented Sep 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Bigdelle commented Sep 24, 2025

Uh oh!

Bigdelle commented Sep 24, 2025

Uh oh!

jrife commented Sep 24, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

12 participants

Bigdelle commented Aug 20, 2025 •

edited

Loading

Bigdelle commented Sep 8, 2025 •

edited

Loading

joamaki commented Sep 24, 2025 •

edited

Loading