Enable PLPMTUD on endpoint netns#42012
Merged
tommyp1ckles merged 3 commits intocilium:mainfrom Nov 12, 2025
Merged
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
tommyp1ckles
force-pushed
the
pr/tp/plpmtu-v1
branch
from
e473b9a to
155885f
Compare
msune
suggested changes
Oct 6, 2025
Member
msune
left a comment
msune
left a comment
There was a problem hiding this comment.
A quick review, with minor comments. In general, LGTM.
Do we know if there are known "drawbacks" of enabling TCP MTU probing?
tommyp1ckles
force-pushed
the
pr/tp/plpmtu-v1
branch
2 times, most recently
from
66b8b6b to
0edafe9
Compare
Contributor
Author
|
/test |
tommyp1ckles
force-pushed
the
pr/tp/plpmtu-v1
branch
from
0edafe9 to
01bef57
Compare
Contributor
Author
|
/test |
Contributor
Author
From my research, the primary drawbacks is some reduced performance on new connections while the correct MTU size is being established. |
tommyp1ckles
force-pushed
the
pr/tp/plpmtu-v1
branch
from
01bef57 to
ac34bfc
Compare
Contributor
Author
|
/test |
tommyp1ckles
added
area/datapath
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
tommyp1ckles
added
the
area/documentation
Member
There was a problem hiding this comment.
Nice! Looks simple enough :).
A few thoughts:
- This won't help for proxy-originating connections (in host netns)
- Does stuff like Kata containers mirror this sysctl?
- Changing the agent config value currently won't change the sysctl for existing pods. Probably ok for now, something we can/should improve in general.
- Have you thought about what kind of testing we could apply here?
I'm a bit hesitant on enabling this by default. But let's see, at least until we branch v1.19 that's perfectly fine.
Contributor
Author
|
/test |
tommyp1ckles
force-pushed
the
pr/tp/plpmtu-v1
branch
from
be0fd1e to
ae5d333
Compare
Contributor
Author
|
/test |
tommyp1ckles
force-pushed
the
pr/tp/plpmtu-v1
branch
from
ae5d333 to
ec312a0
Compare
Contributor
Author
|
/test |
tommyp1ckles
force-pushed
the
pr/tp/plpmtu-v1
branch
from
ec312a0 to
e069031
Compare
Contributor
Author
|
/test |
This adds option for enabling Linux TCP PMPMTU probing by default for Cilium managed endpoints via enabling the tcp_mtu_probing sysctl option on Pod netns. By default, all endpoints will now have this option enabled. When on, this will configure the endpoint with reasonable config values for base mss, as well as setting the mtu probing value to be '2'; which means it will always attempt using mtu probing. The idea of this change is that we will allow for more robust MTU handling at a very small cost of sub-optional initial MTU windows. In the future, we may want to also be more smart with regards to how we set the base MSS in combination with vxlan/geneve tunneling. Signed-off-by: Tom Hadlaw <[email protected]>
In previous commits this was introduced as on-by-default feature which is designed to provide a more robust MTU discovery mechanism over the classic ICMP error message based PMTUD. However, this may have some modest network performance implications that should be mentioned for users who are sensitive to such changes. Subsequent commits will also introduce upgrade notes mentioning the change to make it clear to users upgrading to v1.19 of the change. Signed-off-by: Tom Hadlaw <[email protected]>
With this release, tcp_mtu_probing will be enabled for all Cilium managed Pod network namespaces. This should be a safe change but it may impact some users so we should mention it in the upgrade notes. Signed-off-by: Tom Hadlaw <[email protected]>
tommyp1ckles
force-pushed
the
pr/tp/plpmtu-v1
branch
from
e069031 to
a4a72a0
Compare
Contributor
Author
|
/test |
mhofstetter
added a commit
to mhofstetter/cilium
that referenced
this pull request
Dec 11, 2025
Checking for recently added global config properties in `DaemonConfig` I stumble across `EnablePacketizationLayerPMTUD` that has been added but is not used. Let's remove it. Fixes: cilium#42012 Signed-off-by: Marco Hofstetter <[email protected]>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Dec 11, 2025
Checking for recently added global config properties in `DaemonConfig` I stumble across `EnablePacketizationLayerPMTUD` that has been added but is not used. Let's remove it. Fixes: #42012 Signed-off-by: Marco Hofstetter <[email protected]>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Dec 12, 2025
Checking for recently added global config properties in `DaemonConfig` I stumble across `EnablePacketizationLayerPMTUD` that has been added but is not used. Let's remove it. Fixes: #42012 Signed-off-by: Marco Hofstetter <[email protected]>
nezdolik
pushed a commit
to nezdolik/cilium
that referenced
this pull request
Jan 14, 2026
- `go mod tidy && go mod vendor && go mod verify` - `cd enterprise/hubble-timescape && go mod tidy && cd ../..` - fixed minor conflicts in `bpf/bpf_lxc.c`, `bpf/bpf_overlay.c` and `bpf/lib/nodeport.h` so that both new OSS code and previous Enterprise includes are present - fixed conflicts in `pkg/datapath/config/host_config.go`, `pkg/datapath/config/lxc_config.go` and `pkg/datapath/config/overlay_config.go` - adapted `enterprise/pkg/maps/extepspolicy/table.go`, `enterprise/pkg/fqdnha/relay/namemanager.go` and `enterprise/pkg/maps/extepspolicy/writer_test.go` due to function signature changes in OSS - `git cherry-pick -n 3d4abeb61b72d910c58ddb199b189c86c4eaf326 71023768865b9085e6aa8991c553997e1cc6f9b8` to pick up patches from @rastislavs (+ manual added fix in `enterprise/pkg/bgpv1/manager/reconcilerv2/neighbor_test.go` based on patch changes) - `make -C images update-builder-image update-runtime-image` - `make -C Documentation update-cmdref` - `./contrib/scripts/enterprise-testowners.sh` - remove duplicate `Cleanup Disk space in runner` step in `.github/workflows/cilium-cli.yaml` - fix mindfulness issues by manually fixing stuff coming from the following PRs: - cilium#42169 - cilium#42011 - cilium#42012 - `make generate-enterprise-apis` - adjusted `enterprise/pkg/ingresspolicy` after commit 2faed3a ("policy: fix selector policy leak and detachment issues") removed the implicit addition of the identity on lookup. Now the identity needs to be added and removed in the identity manager. - Set `clustermesh.config.enabled=true` in enterprise-clustermesh-overlapping-podcidr workflow following commit 562ba2c ("clustermesh: set authMode to migration by default"). Signed-off-by: Nicolas Busseneau <[email protected]>
nezdolik
pushed a commit
to nezdolik/cilium
that referenced
this pull request
Jan 14, 2026
- `go mod tidy && go mod vendor && go mod verify` - `cd enterprise/hubble-timescape && go mod tidy && cd ../..` - fixed minor conflicts in `bpf/bpf_lxc.c`, `bpf/bpf_overlay.c` and `bpf/lib/nodeport.h` so that both new OSS code and previous Enterprise includes are present - fixed conflicts in `pkg/datapath/config/host_config.go`, `pkg/datapath/config/lxc_config.go` and `pkg/datapath/config/overlay_config.go` - adapted `enterprise/pkg/maps/extepspolicy/table.go`, `enterprise/pkg/fqdnha/relay/namemanager.go` and `enterprise/pkg/maps/extepspolicy/writer_test.go` due to function signature changes in OSS - `git cherry-pick -n 3d4abeb61b72d910c58ddb199b189c86c4eaf326 71023768865b9085e6aa8991c553997e1cc6f9b8` to pick up patches from @rastislavs (+ manual added fix in `enterprise/pkg/bgpv1/manager/reconcilerv2/neighbor_test.go` based on patch changes) - `make -C images update-builder-image update-runtime-image` - `make -C Documentation update-cmdref` - `./contrib/scripts/enterprise-testowners.sh` - remove duplicate `Cleanup Disk space in runner` step in `.github/workflows/cilium-cli.yaml` - fix mindfulness issues by manually fixing stuff coming from the following PRs: - [cilium#42169](cilium#42169) - [cilium#42011](cilium#42011) - [cilium#42012](cilium#42012) - `make generate-enterprise-apis` ~- adjusted `enterprise/pkg/ingresspolicy` after commit 2faed3a ("policy: fix selector policy leak and detachment issues") removed the implicit addition of the identity on lookup. Now the identity needs to be added and removed in the identity manager.~ Split into separate PR isovalent/cilium#9506 to ease review and backporting. - Set `clustermesh.config.enabled=true` in enterprise-clustermesh-overlapping-podcidr workflow following commit 562ba2c ("clustermesh: set authMode to migration by default"). - Had to revert the following commits because they break the ILB CI workflow. Thanks to @mhofstetter for bisecting! See discussion for more details. Upstream fix and re-applying the changes is tracked in isovalent/cilium#9511. - cilium#42986 - 6781758 - 3cfe7a1 - a8fd4ed - 64e171e - cilium#42973 - c171f22 (with minor conflict resolution) - 9530af5 - not necessary to revert the last 2 commit of that PR
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Feb 5, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.18.6` → `1.19.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.19.0`](https://github.com/cilium/cilium/releases/tag/v1.19.0): 1.19.0 [Compare Source](cilium/cilium@1.18.6...1.19.0) 🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium 1.19.0](https://github.com/cilium/cilium/releases/tag/v1.19.0) release! A total of **2934 new commits** have been contributed to this release by a growing community of over **1010 developers** and over **23,600 GitHub stars**! 🤩⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the [Upgrade Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes) for more details. The full changelog can be found [here](https://github.com/cilium/cilium/blob/v1.19/CHANGELOG.md). Here are some of the highlights: - 🛡️ **Network Policy** - 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern prefix. ([cilium/cilium#43420](cilium/cilium#43420), [@​fristonio](https://github.com/fristonio)) - 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols in host firewall rules. ([cilium/cilium#39872](cilium/cilium#39872), [@​aditighag](https://github.com/aditighag); [cilium/cilium#41949](cilium/cilium#41949), [@​kyounghunJang](https://github.com/kyounghunJang)) - ⛔ **Actively Deny Connections**: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. ([cilium/cilium#41406](cilium/cilium#41406), [@​antonipp](https://github.com/antonipp)) - 🌐 **Select Clusters Explicitly**: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. ([cilium/cilium#40609](cilium/cilium#40609), [@​MrFreezeex](https://github.com/MrFreezeex)) - 🔧 **Unlock Future Work**: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release ([cilium/cilium#39906](cilium/cilium#39906), [@​vipul-21](https://github.com/vipul-21); [cilium/cilium#42784](cilium/cilium#42784), [cilium/cilium#42896](cilium/cilium#42896), [@​jrajahalme](https://github.com/jrajahalme)) -⚠️ **Deprecate underutilized features**: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the `ToRequires` and `FromRequires` policy fields. ([cilium/cilium#43167](cilium/cilium#43167), [@​sayboras](https://github.com/sayboras); [cilium/cilium#40967](cilium/cilium#40967), [@​TheBeeZee](https://github.com/TheBeeZee)) - 🔒 **Encryption & Authentication** - 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. ([cilium/cilium#39239](cilium/cilium#39239), [cilium/cilium#42115](cilium/cilium#42115), [@​rgo3](https://github.com/rgo3), [@​julianwiedmann](https://github.com/julianwiedmann)) - 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. ([cilium/cilium#42766](cilium/cilium#42766), [cilium/cilium#42819](cilium/cilium#42819), [cilium/cilium#43227](cilium/cilium#43227) and others, [@​ldelossa](https://github.com/ldelossa), [@​rgo3](https://github.com/rgo3), [@​nddq](https://github.com/nddq)) - 👥 **Mutual Authentication**: The out-of-band [Mutual Authentication](https://docs.cilium.io/en/v1.19.0/network/servicemesh/mutual-authentication/mutual-authentication/) feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. ([cilium/cilium#42665](cilium/cilium#42665), [@​christarazi](https://github.com/christarazi)) - ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF Host Routing for faster route lookups ([cilium/cilium#41997](cilium/cilium#41997), [@​pchaigno](https://github.com/pchaigno)) - 🚠 **Networking** - 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. ([cilium/cilium#43416](cilium/cilium#43416), [@​gentoo-root](https://github.com/gentoo-root)) - 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum transmission unit (MTU) sizes for network paths using TCP. ([cilium/cilium#42012](cilium/cilium#42012), [cilium/cilium#43710](cilium/cilium#43710), [@​tommyp1ckles](https://github.com/tommyp1ckles)) - 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. ([cilium/cilium#40324](cilium/cilium#40324), [@​pchaigno](https://github.com/pchaigno)) - 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. ([cilium/cilium#40460](cilium/cilium#40460), [cilium/cilium#42191](cilium/cilium#42191), [@​pippolo84](https://github.com/pippolo84)) - 🎭 **More Configurable Masquerade**: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade ([cilium/cilium#37568](cilium/cilium#37568), [@​behzad-mir](https://github.com/behzad-mir); [cilium/cilium#43380](cilium/cilium#43380), [@​alimehrabikoshki](https://github.com/alimehrabikoshki)) - 🕸️ **Services and Service Mesh** - 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. ([cilium/cilium#39648](cilium/cilium#39648), [@​msune](https://github.com/msune)) - 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. ([cilium/cilium#39594](cilium/cilium#39594), [@​saiaunghlyanhtet](https://github.com/saiaunghlyanhtet)) - ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. ([cilium/cilium#41936](cilium/cilium#41936), [@​youngnick](https://github.com/youngnick)) - 🛣️ **Border Gateway Protocol (BGP)** - 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. ([cilium/cilium#42469](cilium/cilium#42469), [@​rastislavs](https://github.com/rastislavs)) - ✉️ **Override Source IP addresses**: You can override the auto-generated BGP session source IP with the IP address applied on the configured `sourceInterface` to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle ([cilium/cilium#42583](cilium/cilium#42583), [@​rastislavs](https://github.com/rastislavs)) - 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with `externalTrafficPolicy=Cluster` ([cilium/cilium#40717](cilium/cilium#40717), [@​oblazek](https://github.com/oblazek)) -⚠️ **Move to `cilium.io/v2` API**: The support for the older `CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced with v2 APIs. ([cilium/cilium#42278](cilium/cilium#42278), [@​rastislavs](https://github.com/rastislavs)) - 🛰️ **Observability** - 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. ([cilium/cilium#41306](cilium/cilium#41306), [@​Bigdelle](https://github.com/Bigdelle)) - 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble` command line to understand the encryption status of the traffic, either `--encrypted` or `--unencrypted`. ([cilium/cilium#43096](cilium/cilium#43096), [@​SRodi](https://github.com/SRodi)) - 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now include which Network Policy caused the drop. ([cilium/cilium#41693](cilium/cilium#41693), [@​41ks](https://github.com/41ks)) - 🌅 **Performance and Scale** - ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage for handling selectors in network policies. ([cilium/cilium#42008](cilium/cilium#42008), [@​jrajahalme](https://github.com/jrajahalme); [cilium/cilium#42580](cilium/cilium#42580), [@​odinuge](https://github.com/odinuge)) - 🔌 **More Efficient Connection Tracking**: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. ([cilium/cilium#38782](cilium/cilium#38782), [@​BenoitKnecht](https://github.com/BenoitKnecht); [cilium/cilium#41990](cilium/cilium#41990), [@​bersoare](https://github.com/bersoare)) - 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in large AWS environments with many resources. ([cilium/cilium#42529](cilium/cilium#42529), [@​liyihuang](https://github.com/liyihuang)) - ⚙️ **Operations** - 📦 **Access Helm charts via Registry**: Helm charts are also available under `quay.io/cilium/charts/cilium` ([cilium/cilium#43624](cilium/cilium#43624), [@​aanm](https://github.com/aanm)) - 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. ([cilium/cilium#42077](cilium/cilium#42077), [@​phuhung273](https://github.com/phuhung273)) - 🤖 **Easier Multi-Cluster install**: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster Services (MCS). ([cilium/cilium#40729](cilium/cilium#40729), [@​MrFreezeex](https://github.com/MrFreezeex)) - 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. ([cilium/cilium#42298](cilium/cilium#42298), [@​MrFreezeex](https://github.com/MrFreezeex)) - 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. ([cilium/cilium#43422](cilium/cilium#43422), [@​aanm](https://github.com/aanm); [cilium/cilium#40569](cilium/cilium#40569), [@​sayboras](https://github.com/sayboras); [cilium/cilium#41936](cilium/cilium#41936), [@​youngnick](https://github.com/youngnick); [cilium/cilium#42824](cilium/cilium#42824), [@​rastislavs](https://github.com/rastislavs)). - 🏠 **Community** - ❤️ **Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - 📰 See studies with [Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546), [Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[ Cybozu](https://www.cncf.io/case-studies/cybozu/), [ESnet](https://www.cncf.io/case-studies/esnet/),[ Nutanix](https://www.cncf.io/case-studies/nutanix/), [OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/), [TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/). - 🇺🇸 **Atlanta Events**: The community gathered at [CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/blob/main/2025-NA/README.md) in Atlanta. - 🇳🇱 **Amsterdam Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2026-EU) in Amsterdam, March 23-27. [Read more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/) about where to find Cilium during the show. - 🔟 **Cilium is 10**: Read the [2025 Cilium Annual Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf) to see the latest project milestones, a decade on from its first commit. To keep up to date with all the latest Cilium releases, join #release 🎉 :birthday::heart::heart::heart::birthday: This is a very special release for Cilium, as it celebrates **10 years** since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today. :birthday::heart::heart::heart::birthday: ##### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.19.0@​sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.19.0@​sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.19.0@​sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.19.0@​sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.19.0@​sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0` ##### operator-aws `quay.io/cilium/operator-aws:v1.19.0@​sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6` ##### operator-azure `quay.io/cilium/operator-azure:v1.19.0@​sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a` ##### operator-generic `quay.io/cilium/operator-generic:v1.19.0@​sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648` ##### operator `quay.io/cilium/operator:v1.19.0@​sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4wLjIiLCJ1cGRhdGVkSW5WZXIiOiI0My4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImNoYXJ0Il19--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3699 Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Feb 5, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium/cilium](https://github.com/cilium/cilium) | minor | `1.18.6` → `1.19.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium/cilium)</summary> ### [`v1.19.0`](https://github.com/cilium/cilium/releases/tag/v1.19.0): 1.19.0 [Compare Source](cilium/cilium@1.18.6...1.19.0) 🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium 1.19.0](https://github.com/cilium/cilium/releases/tag/v1.19.0) release! A total of **2934 new commits** have been contributed to this release by a growing community of over **1010 developers** and over **23,600 GitHub stars**! 🤩⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the [Upgrade Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes) for more details. The full changelog can be found [here](https://github.com/cilium/cilium/blob/v1.19/CHANGELOG.md). Here are some of the highlights: - 🛡️ **Network Policy** - 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern prefix. ([cilium/cilium#43420](cilium/cilium#43420), [@​fristonio](https://github.com/fristonio)) - 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols in host firewall rules. ([cilium/cilium#39872](cilium/cilium#39872), [@​aditighag](https://github.com/aditighag); [cilium/cilium#41949](cilium/cilium#41949), [@​kyounghunJang](https://github.com/kyounghunJang)) - ⛔ **Actively Deny Connections**: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. ([cilium/cilium#41406](cilium/cilium#41406), [@​antonipp](https://github.com/antonipp)) - 🌐 **Select Clusters Explicitly**: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. ([cilium/cilium#40609](cilium/cilium#40609), [@​MrFreezeex](https://github.com/MrFreezeex)) - 🔧 **Unlock Future Work**: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release ([cilium/cilium#39906](cilium/cilium#39906), [@​vipul-21](https://github.com/vipul-21); [cilium/cilium#42784](cilium/cilium#42784), [cilium/cilium#42896](cilium/cilium#42896), [@​jrajahalme](https://github.com/jrajahalme)) -⚠️ **Deprecate underutilized features**: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the `ToRequires` and `FromRequires` policy fields. ([cilium/cilium#43167](cilium/cilium#43167), [@​sayboras](https://github.com/sayboras); [cilium/cilium#40967](cilium/cilium#40967), [@​TheBeeZee](https://github.com/TheBeeZee)) - 🔒 **Encryption & Authentication** - 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. ([cilium/cilium#39239](cilium/cilium#39239), [cilium/cilium#42115](cilium/cilium#42115), [@​rgo3](https://github.com/rgo3), [@​julianwiedmann](https://github.com/julianwiedmann)) - 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. ([cilium/cilium#42766](cilium/cilium#42766), [cilium/cilium#42819](cilium/cilium#42819), [cilium/cilium#43227](cilium/cilium#43227) and others, [@​ldelossa](https://github.com/ldelossa), [@​rgo3](https://github.com/rgo3), [@​nddq](https://github.com/nddq)) - 👥 **Mutual Authentication**: The out-of-band [Mutual Authentication](https://docs.cilium.io/en/v1.19.0/network/servicemesh/mutual-authentication/mutual-authentication/) feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. ([cilium/cilium#42665](cilium/cilium#42665), [@​christarazi](https://github.com/christarazi)) - ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF Host Routing for faster route lookups ([cilium/cilium#41997](cilium/cilium#41997), [@​pchaigno](https://github.com/pchaigno)) - 🚠 **Networking** - 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. ([cilium/cilium#43416](cilium/cilium#43416), [@​gentoo-root](https://github.com/gentoo-root)) - 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum transmission unit (MTU) sizes for network paths using TCP. ([cilium/cilium#42012](cilium/cilium#42012), [cilium/cilium#43710](cilium/cilium#43710), [@​tommyp1ckles](https://github.com/tommyp1ckles)) - 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. ([cilium/cilium#40324](cilium/cilium#40324), [@​pchaigno](https://github.com/pchaigno)) - 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. ([cilium/cilium#40460](cilium/cilium#40460), [cilium/cilium#42191](cilium/cilium#42191), [@​pippolo84](https://github.com/pippolo84)) - 🎭 **More Configurable Masquerade**: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade ([cilium/cilium#37568](cilium/cilium#37568), [@​behzad-mir](https://github.com/behzad-mir); [cilium/cilium#43380](cilium/cilium#43380), [@​alimehrabikoshki](https://github.com/alimehrabikoshki)) - 🕸️ **Services and Service Mesh** - 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. ([cilium/cilium#39648](cilium/cilium#39648), [@​msune](https://github.com/msune)) - 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. ([cilium/cilium#39594](cilium/cilium#39594), [@​saiaunghlyanhtet](https://github.com/saiaunghlyanhtet)) - ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. ([cilium/cilium#41936](cilium/cilium#41936), [@​youngnick](https://github.com/youngnick)) - 🛣️ **Border Gateway Protocol (BGP)** - 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. ([cilium/cilium#42469](cilium/cilium#42469), [@​rastislavs](https://github.com/rastislavs)) - ✉️ **Override Source IP addresses**: You can override the auto-generated BGP session source IP with the IP address applied on the configured `sourceInterface` to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle ([cilium/cilium#42583](cilium/cilium#42583), [@​rastislavs](https://github.com/rastislavs)) - 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with `externalTrafficPolicy=Cluster` ([cilium/cilium#40717](cilium/cilium#40717), [@​oblazek](https://github.com/oblazek)) -⚠️ **Move to `cilium.io/v2` API**: The support for the older `CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced with v2 APIs. ([cilium/cilium#42278](cilium/cilium#42278), [@​rastislavs](https://github.com/rastislavs)) - 🛰️ **Observability** - 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. ([cilium/cilium#41306](cilium/cilium#41306), [@​Bigdelle](https://github.com/Bigdelle)) - 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble` command line to understand the encryption status of the traffic, either `--encrypted` or `--unencrypted`. ([cilium/cilium#43096](cilium/cilium#43096), [@​SRodi](https://github.com/SRodi)) - 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now include which Network Policy caused the drop. ([cilium/cilium#41693](cilium/cilium#41693), [@​41ks](https://github.com/41ks)) - 🌅 **Performance and Scale** - ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage for handling selectors in network policies. ([cilium/cilium#42008](cilium/cilium#42008), [@​jrajahalme](https://github.com/jrajahalme); [cilium/cilium#42580](cilium/cilium#42580), [@​odinuge](https://github.com/odinuge)) - 🔌 **More Efficient Connection Tracking**: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. ([cilium/cilium#38782](cilium/cilium#38782), [@​BenoitKnecht](https://github.com/BenoitKnecht); [cilium/cilium#41990](cilium/cilium#41990), [@​bersoare](https://github.com/bersoare)) - 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in large AWS environments with many resources. ([cilium/cilium#42529](cilium/cilium#42529), [@​liyihuang](https://github.com/liyihuang)) - ⚙️ **Operations** - 📦 **Access Helm charts via Registry**: Helm charts are also available under `quay.io/cilium/charts/cilium` ([cilium/cilium#43624](cilium/cilium#43624), [@​aanm](https://github.com/aanm)) - 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. ([cilium/cilium#42077](cilium/cilium#42077), [@​phuhung273](https://github.com/phuhung273)) - 🤖 **Easier Multi-Cluster install**: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster Services (MCS). ([cilium/cilium#40729](cilium/cilium#40729), [@​MrFreezeex](https://github.com/MrFreezeex)) - 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. ([cilium/cilium#42298](cilium/cilium#42298), [@​MrFreezeex](https://github.com/MrFreezeex)) - 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. ([cilium/cilium#43422](cilium/cilium#43422), [@​aanm](https://github.com/aanm); [cilium/cilium#40569](cilium/cilium#40569), [@​sayboras](https://github.com/sayboras); [cilium/cilium#41936](cilium/cilium#41936), [@​youngnick](https://github.com/youngnick); [cilium/cilium#42824](cilium/cilium#42824), [@​rastislavs](https://github.com/rastislavs)). - 🏠 **Community** - ❤️ **Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - 📰 See studies with [Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546), [Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[ Cybozu](https://www.cncf.io/case-studies/cybozu/), [ESnet](https://www.cncf.io/case-studies/esnet/),[ Nutanix](https://www.cncf.io/case-studies/nutanix/), [OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/), [TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/). - 🇺🇸 **Atlanta Events**: The community gathered at [CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/blob/main/2025-NA/README.md) in Atlanta. - 🇳🇱 **Amsterdam Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2026-EU) in Amsterdam, March 23-27. [Read more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/) about where to find Cilium during the show. - 🔟 **Cilium is 10**: Read the [2025 Cilium Annual Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf) to see the latest project milestones, a decade on from its first commit. To keep up to date with all the latest Cilium releases, join #release 🎉 :birthday::heart::heart::heart::birthday: This is a very special release for Cilium, as it celebrates **10 years** since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today. :birthday::heart::heart::heart::birthday: #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.19.0@​sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.19.0@​sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.19.0@​sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.19.0@​sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.19.0@​sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0` ##### operator-aws `quay.io/cilium/operator-aws:v1.19.0@​sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6` ##### operator-azure `quay.io/cilium/operator-azure:v1.19.0@​sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a` ##### operator-generic `quay.io/cilium/operator-generic:v1.19.0@​sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648` ##### operator `quay.io/cilium/operator:v1.19.0@​sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4wLjMiLCJ1cGRhdGVkSW5WZXIiOiI0My4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImltYWdlIl19--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3715 Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds option for enabling Linux TCP PMPMTU probing by default for Cilium managed endpoints via enabling the tcp_mtu_probing sysctl option on Pod netns. By default, all endpoints will now have this option enabled. When on, this will configure the endpoint with reasonable config values for base mss, as well as setting the mtu probing value to be '2'; which means it will always attempt using mtu probing.
The idea of this change is that we will allow for more robust MTU handling at a very small cost of sub-optional initial MTU
windows.
In the future, we may want to also be more smart with regards to how we set the base MSS in conjuction with vxlan/geneve tunneling.