feat(container): update cilium group #7022

Merged: lumiere-bot[bot] merged 1 commit into main from renovate/cilium on Sep 4, 2025

lumiere-bot bot (Contributor) commented Jul 29, 2025

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/home-operations/charts-mirror/cilium (source) | minor | 1.17.6 -> 1.18.1 |
| quay.io/cilium/hubble-ui | patch | v0.13.2 -> v0.13.3 |
| quay.io/cilium/hubble-ui-backend | patch | v0.13.2 -> v0.13.3 |

Release Notes

cilium/cilium (ghcr.io/home-operations/charts-mirror/cilium)

v1.18.1: 1.18.1

Compare Source

Summary of Changes

Minor Changes:

  • Add kernel_version, endpoint_routes_enabled, strict_mode_enabled and kubernetes_version feature metrics. (Backport PR #41078, Upstream PR #41003, @aanm)
  • eni: improve logging and speed up ipam reconciliation in case of node scale-downs (Backport PR #40979, Upstream PR #40852, @marseel)
  • kvstore: Cilium Agent no longer fails health-check if operator is unavailable (Backport PR #40979, Upstream PR #40920, @marseel)
  • operator: CRDs are updated in series instead of in parallel now during Cilium upgrades. This should lower the pressure on the k8s control plane (Backport PR #40847, Upstream PR #40322, @marseel)

Bugfixes:

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

v1.18.0: 1.18.0

Compare Source

We are excited to announce the Cilium 1.18.0 release!

A total of 3298 new commits have been contributed to this release by a growing community of over 955 developers and over 22,000 GitHub stars! ⭐

To keep up to date with all the latest Cilium releases, see Announcements

Here's what's new in v1.18.0:

🚠 Networking
🌐 IPv6
🛡️ Policy & Observability
  • 🏷️ Policy Names in Hubble-CLI: Show the names of (C)CNPs that allowed or denied traffic when monitoring flows in Hubble (cilium/cilium#39453, @antonipp)
  • 📝 Policy Log Fields: A new free-text log field is added to policies, which is exposed in Hubble flows for easy correlation and searching (cilium/cilium#39902, @squeed)
  • 🛰️ Encapsulated Traffic Decoding: Hubble decodes encapsulated traffic for deeper introspection into traffic flows (cilium/cilium#37634, @kaworu)
  • 🏰 ClusterMesh Policy Restriction: A new option allows the cluster entity to apply only to the local cluster in ClusterMesh environment (cilium/cilium#39338, @MrFreezeex)
  • ✨ Enhanced Policy Dashboard: The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs, including policy drops in both directions (cilium/cilium#36492, cilium/cilium#37445, @squeed)
🌅 Performance
⚙️ Operations
🕸️ Service Mesh & Gateway API
  • ⛩️ Gateway API v1.3.0: Gateway API support is bumped to v1.3.0 (cilium/cilium#39590, @sayboras)
  • 🔗 Improved GatewayClass Configuration: The new CiliumGatewayClassConfig object adds service type validation and allows the configuration of extra settings on a per-GatewayClass level: LoadBalancerSourceRangesPolicy, ParametersRef fields. This allows Cilium to reconcile multiple GatewayClasses with different configurations (cilium/cilium#37792, cilium/cilium#37402, cilium/cilium#40138, @sayboras)
  • 🚏 Multiple HTTPRoutes: GAMMA reconciler now supports attaching multiple HTTPRoutes to the same Service (cilium/cilium#39922, @youngnick)
  • 🪄 Route Changes Reconciliation: Reconcile Gateway API based on all changes to routes. This allows label updates to trigger reconciliation correctly, amongst other things (cilium/cilium#37798, @sayboras)
🏷️ IP Address Management
🛣️ BGP
🧑‍💻 Development Experience
  • 🧪 Test attribution: Identify owners of tests in GitHub workflow results to make it easier to connect with other developers on tricky problems (cilium/cilium#37027, @Joe Stringer)
  • 🛏️ Policy REST API: The Cilium policy API exposed over a local unix socket is deprecated. The other mechanisms to configure policy via Kubernetes resources or the local filesystem are preferred (cilium/cilium#40212, @squeed)
  • 🏗️ Feature Deprecation: Deprecate underused features like Custom Calls, Recorder API and External Workloads (cilium/cilium#38480, cilium/cilium#39642, cilium/cilium#37418, @brb)
🏢 Community
📔 Full CHANGELOG
  • Full CHANGELOG.md can be found here.

And finally, we would like to thank all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ 🧑‍🤝‍🧑 ❤️


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

coderabbitai bot commented Jul 29, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.



lumiere-bot bot added the area/kubernetes (Changes made in the kubernetes directory), cluster/kyak and area/bootstrap labels Jul 29, 2025
lumiere-bot bot (Contributor, Author) commented Jul 29, 2025

--- kubernetes/kyak/apps/kube-system/cilium/app Kustomization: kube-system/cilium OCIRepository: kube-system/cilium

+++ kubernetes/kyak/apps/kube-system/cilium/app Kustomization: kube-system/cilium OCIRepository: kube-system/cilium

@@ -11,9 +11,9 @@

 spec:
   interval: 5m
   layerSelector:
     mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
     operation: copy
   ref:
-    tag: 1.17.6
+    tag: 1.18.1
   url: oci://ghcr.io/home-operations/charts-mirror/cilium
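
Review bot: `ref` in the OCIRepository still selects the chart by tag alone (`tag: 1.18.1`), and the `url` points at a mirror (`ghcr.io/home-operations/charts-mirror/cilium`) rather than the upstream registry. A tag can be re-pushed, so for a minor-version jump of the cluster CNI consider adding a `digest:` next to the tag in `ref`, so that what Flux pulls is the artifact that was reviewed here.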
 
--- kubernetes/kyak/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium

+++ kubernetes/kyak/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium

@@ -56,18 +56,18 @@

           method: helm
         enabled: true
       ui:
         backend:
           image:
             repository: quay.io/cilium/hubble-ui-backend
-            tag: v0.13.2
+            tag: v0.13.3
         enabled: true
         frontend:
           image:
             repository: quay.io/cilium/hubble-ui
-            tag: v0.13.2
+            tag: v0.13.3
         ingress:
           annotations:
             cert-manager.io/cluster-issuer: letsencrypt-production
             ingress.home.arpa/nginx-internal: allow
           className: internal
           enabled: true
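
Review bot: both `tag: v0.13.3` lines (hubble-ui-backend and hubble-ui) identify the images by tag only. Adding the image digest alongside each tag would make this patch bump reproducible and would make any later change of image content show up as a diff, which matters here because the `ingress` block in the same values exposes this UI through `className: internal`.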

lumiere-bot bot (Contributor, Author) commented Jul 29, 2025

--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard

@@ -7,13 +7,13 @@

   labels:
     k8s-app: cilium
     app.kubernetes.io/name: cilium-agent
     app.kubernetes.io/part-of: cilium
     grafana_dashboard: '1'
 data:
-  cilium-dashboard.json: |
+  cilium-dashboard.json: |-
     {
       "annotations": {
         "list": [
           {
             "builtIn": 1,
             "datasource": {
@@ -49,12 +49,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -143,13 +144,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
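
Review bot: `"pluginVersion": "11.3.1"` replaces `10.4.3` in this hunk and in every later panel hunk, alongside the new `"barWidthFactor": 0.6` field, so the dashboard JSON now targets the 11.3.1 panel plugin. Confirm that the Grafana instance picking up ConfigMaps labelled `grafana_dashboard: '1'` is recent enough to render it; nothing in this PR changes Grafana itself.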
@@ -179,12 +180,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 35,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -286,13 +288,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -327,13 +329,12 @@

           ],
           "title": "CPU Usage per node",
           "type": "timeseries"
         },
         {
           "collapsed": false,
-          "datasource": null,
           "gridPos": {
             "h": 1,
             "w": 24,
             "x": 0,
             "y": 5
           },
@@ -356,12 +357,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 35,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -508,13 +510,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -564,12 +566,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -643,13 +646,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -701,12 +704,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -780,13 +784,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -848,12 +852,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -927,13 +932,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -991,12 +996,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -1055,13 +1061,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -1073,13 +1079,12 @@

           ],
           "title": "BPF map pressure",
           "type": "timeseries"
         },
         {
           "collapsed": false,
-          "datasource": null,
           "gridPos": {
             "h": 1,
             "w": 24,
             "x": 0,
             "y": 17
           },
@@ -1102,12 +1107,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -1208,13 +1214,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -1242,12 +1248,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -1348,13 +1355,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
                 "uid": "${DS_PROMETHEUS}"
               },
@@ -1382,12 +1389,13 @@

                 "axisBorderShow": false,
                 "axisCenteredZero": false,
                 "axisColorMode": "text",
                 "axisLabel": "",
                 "axisPlacement": "auto",
                 "barAlignment": 0,
+                "barWidthFactor": 0.6,
                 "drawStyle": "line",
                 "fillOpacity": 10,
                 "gradientMode": "none",
                 "hideFrom": {
                   "legend": false,
                   "tooltip": false,
@@ -1488,13 +1496,13 @@

             },
             "tooltip": {
               "mode": "multi",
               "sort": "none"
             }
           },
-          "pluginVersion": "10.4.3",
+          "pluginVersion": "11.3.1",
           "targets": [
             {
               "datasource": {
                 "type": "prometheus",
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config

@@ -9,12 +9,13 @@

   identity-heartbeat-timeout: 30m0s
   identity-gc-interval: 15m0s
   cilium-endpoint-gc-interval: 5m0s
   nodes-gc-interval: 5m0s
   debug: 'false'
   debug-verbose: ''
+  metrics-sampling-interval: 5m
   enable-policy: default
   policy-cidr-match-mode: ''
   prometheus-serve-addr: :9962
   controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
   operator-prometheus-serve-addr: :9963
   enable-metrics: 'true'
@@ -27,12 +28,13 @@

   enable-bpf-clock-probe: 'true'
   monitor-aggregation: medium
   monitor-aggregation-interval: 5s
   monitor-aggregation-flags: all
   bpf-map-dynamic-size-ratio: '0.0025'
   bpf-policy-map-max: '16384'
+  bpf-policy-stats-map-max: '65536'
   bpf-lb-map-max: '65536'
   bpf-lb-external-clusterip: 'false'
   bpf-lb-source-range-all-types: 'false'
   bpf-lb-algorithm-annotation: 'false'
   bpf-lb-mode-annotation: 'false'
   bpf-distributed-lru: 'false'
@@ -59,31 +61,29 @@

   install-no-conntrack-iptables-rules: 'false'
   iptables-random-fully: 'false'
   auto-direct-node-routes: 'true'
   direct-routing-skip-unreachable: 'false'
   enable-bandwidth-manager: 'true'
   enable-bbr: 'true'
+  enable-bbr-hostns-only: 'false'
   enable-local-redirect-policy: 'true'
   ipv4-native-routing-cidr: 10.96.0.0/16
   devices: en+
-  enable-runtime-device-detection: 'true'
   kube-proxy-replacement: 'true'
   kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
   bpf-lb-sock: 'false'
   nodeport-addresses: ''
   enable-health-check-nodeport: 'true'
   enable-health-check-loadbalancer-ip: 'false'
   node-port-bind-protection: 'true'
   enable-auto-protect-node-port-range: 'true'
   bpf-lb-mode: dsr
   bpf-lb-algorithm: maglev
   bpf-lb-acceleration: disabled
-  enable-experimental-lb: 'false'
   enable-svc-source-range-check: 'true'
-  enable-l2-neigh-discovery: 'true'
-  arping-refresh-period: 30s
+  enable-l2-neigh-discovery: 'false'
   k8s-require-ipv4-pod-cidr: 'false'
   k8s-require-ipv6-pod-cidr: 'false'
   enable-endpoint-routes: 'true'
   enable-k8s-networkpolicy: 'true'
   enable-endpoint-lockdown-on-policy-overflow: 'false'
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
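
Review bot: `enable-l2-neigh-discovery` flips from 'true' to 'false' and `arping-refresh-period` is dropped, a behaviour change that arrives through the chart's rendered defaults rather than through this repository's values. The same ConfigMap shows `kube-proxy-replacement: 'true'`, `bpf-lb-mode: dsr` and `auto-direct-node-routes: 'true'`, so confirm that service traffic to backends on other nodes still resolves neighbours after the upgrade, and set the option explicitly in the HelmRelease values if the old behaviour is needed. The removed `enable-runtime-device-detection` and `enable-experimental-lb` keys deserve the same check against the 1.18 upgrade notes.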
@@ -100,14 +100,13 @@

   hubble-socket-path: /var/run/cilium/hubble.sock
   hubble-metrics-server: :9965
   hubble-metrics-server-enable-tls: 'false'
   enable-hubble-open-metrics: 'true'
   hubble-metrics: dns:query;ignoreAAAA drop tcp port-distribution icmp flow:sourceContext=workload-name|reserved-identity;destinationContext=workload-name|reserved-identity
     httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction;sourceContext=workload-name|reserved-identity;destinationContext=workload-name|reserved-identity
-  hubble-export-file-max-size-mb: '10'
-  hubble-export-file-max-backups: '5'
+  hubble-network-policy-correlation-enabled: 'true'
   hubble-listen-address: :4244
   hubble-disable-tls: 'false'
   hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
   hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
   hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
   ipam: kubernetes
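
Review bot: `hubble-export-file-max-size-mb` and `hubble-export-file-max-backups` are removed with nothing replacing them in this hunk, while `hubble-network-policy-correlation-enabled: 'true'` is added. If Hubble flow export to file is relied on for audit, check where 1.18 expects the rotation limits to be set. The new flag lines up with the "Policy Names in Hubble-CLI" item in the 1.18.0 notes above, so anyone who can read Hubble flows will also be able to see the names of the policies that allowed or denied traffic; decide whether that is acceptable for the current set of Hubble UI and relay users.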
@@ -119,16 +118,18 @@

   vtep-cidr: ''
   vtep-mask: ''
   vtep-mac: ''
   enable-bgp-control-plane: 'true'
   bgp-secrets-namespace: kube-system
   enable-bgp-control-plane-status-report: 'true'
+  bgp-router-id-allocation-mode: default
+  bgp-router-id-allocation-ip-pool: ''
   procfs: /host/proc
   bpf-root: /sys/fs/bpf
   cgroup-root: /sys/fs/cgroup
-  enable-k8s-terminating-endpoint: 'true'
+  identity-management-mode: agent
   enable-sctp: 'false'
   annotate-k8s-node: 'true'
   remove-cilium-node-taints: 'true'
   set-cilium-node-taints: 'true'
   set-cilium-is-up-condition: 'true'
   unmanaged-pod-watcher-interval: '15'
@@ -137,12 +138,13 @@

   tofqdns-dns-reject-response-code: refused
   tofqdns-enable-dns-compression: 'true'
   tofqdns-endpoint-max-ip-per-hostname: '1000'
   tofqdns-idle-connection-grace-period: 0s
   tofqdns-max-deferred-connection-deletes: '10000'
   tofqdns-proxy-response-max-delay: 100ms
+  tofqdns-preallocate-identities: 'true'
   agent-not-ready-taint-key: node.cilium.io/agent-not-ready
   mesh-auth-enabled: 'true'
   mesh-auth-queue-size: '1024'
   mesh-auth-rotated-identities-queue-size: '1024'
   mesh-auth-gc-interval: 5m0s
   proxy-xff-num-trusted-hops-ingress: '0'
@@ -158,12 +160,13 @@

   envoy-base-id: '0'
   envoy-access-log-buffer-size: '4096'
   envoy-keep-cap-netbindservice: 'false'
   max-connected-clusters: '255'
   clustermesh-enable-endpoint-sync: 'false'
   clustermesh-enable-mcs-api: 'false'
+  policy-default-local-cluster: 'false'
   nat-map-stats-entries: '32'
   nat-map-stats-interval: 30s
   enable-internal-traffic-policy: 'true'
   enable-lb-ipam: 'true'
   enable-non-default-deny-policies: 'true'
   enable-source-ip-verification: 'true'
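
Review bot: `policy-default-local-cluster: 'false'` is added with the permissive value. Per the 1.18.0 notes above, this is the option that restricts the cluster entity to the local cluster in ClusterMesh environments; with `max-connected-clusters: '255'` in the same ConfigMap, decide explicitly whether policies should match only local-cluster endpoints, and set it to 'true' in the values before any mesh is connected if that is the intent.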
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config

@@ -3,8 +3,8 @@

 kind: ConfigMap
 metadata:
   name: cilium-envoy-config
   namespace: kube-system
 data:
   bootstrap-config.json: |
-    {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.
UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"h
ttp2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"m
atch":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}}
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx

@@ -2,17 +2,39 @@

 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: hubble-ui-nginx
   namespace: kube-system
 data:
-  nginx.conf: "server {\n    listen       8081;\n    listen       [::]:8081;\n   \
-    \ server_name  localhost;\n    root /app;\n    index index.html;\n    client_max_body_size\
-    \ 1G;\n\n    location / {\n        proxy_set_header Host $host;\n        proxy_set_header\
-    \ X-Real-IP $remote_addr;\n\n        location /api {\n            proxy_http_version\
-    \ 1.1;\n            proxy_pass_request_headers on;\n            proxy_pass http://127.0.0.1:8090;\n\
-    \        }\n        location / {\n            # double `/index.html` is required\
-    \ here \n            try_files $uri $uri/ /index.html /index.html;\n        }\n\
-    \n        # Liveness probe\n        location /healthz {\n            access_log\
-    \ off;\n            add_header Content-Type text/plain;\n            return 200\
-    \ 'ok';\n        }\n    }\n}"
+  nginx.conf: |-
+    server {
+        listen       8081;
+        listen       [::]:8081;
+        server_name  localhost;
+        root /app;
+        index index.html;
+        client_max_body_size 1G;
 
+        location / {
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+
+            location /api {
+                proxy_http_version 1.1;
+                proxy_pass_request_headers on;
+                proxy_pass http://127.0.0.1:8090;
+            }
+            location / {
+                if ($http_user_agent ~* "kube-probe") { access_log off; }
+                # double `/index.html` is required here
+                try_files $uri $uri/ /index.html /index.html;
+            }
+
+            # Liveness probe
+            location /healthz {
+                access_log off;
+                add_header Content-Type text/plain;
+                return 200 'ok';
+            }
+        }
+    }
+
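Review bot: the new `if ($http_user_agent ~* "kube-probe") { access_log off; }` in the inner `location /` keys log suppression on a client-supplied header, so any client that sends a User-Agent containing "kube-probe" has its requests to that location left out of the access log. The `/healthz` location below already sets `access_log off;` unconditionally, so if the probes target `/healthz` this line adds nothing but the gap; if they target `/`, pointing them at `/healthz` would achieve the same without trusting the header. Requests to `/api` are in a separate location and are not affected. Also note that nginx documents `if` inside a location that uses `try_files` as a known pitfall (`try_files` is not applied for requests that match the `if`), so it is worth confirming that probe requests to `/` still return what the probe expects.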
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator

@@ -172,21 +172,21 @@

   - ciliumclusterwideenvoyconfigs.cilium.io
   - ciliumclusterwidenetworkpolicies.cilium.io
   - ciliumegressgatewaypolicies.cilium.io
   - ciliumendpoints.cilium.io
   - ciliumendpointslices.cilium.io
   - ciliumenvoyconfigs.cilium.io
-  - ciliumexternalworkloads.cilium.io
   - ciliumidentities.cilium.io
   - ciliumlocalredirectpolicies.cilium.io
   - ciliumnetworkpolicies.cilium.io
   - ciliumnodes.cilium.io
   - ciliumnodeconfigs.cilium.io
   - ciliumcidrgroups.cilium.io
   - ciliuml2announcementpolicies.cilium.io
   - ciliumpodippools.cilium.io
+  - ciliumgatewayclassconfigs.cilium.io
 - apiGroups:
   - cilium.io
   resources:
   - ciliumloadbalancerippools
   - ciliumpodippools
   - ciliumbgppeeringpolicies
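Review bot: removing `ciliumexternalworkloads.cilium.io` from this name list means the operator loses whatever verbs this rule grants on that CRD, but nothing in the rendered diff deletes the CRD itself. If it was installed by 1.17.6 it will stay in the cluster unmanaged after the upgrade; check for it and for any remaining objects of that kind, and remove them by hand if unused. The added `ciliumgatewayclassconfigs.cilium.io` entry widens the operator's CRD scope by one name, which is expected for the new version but worth noting if Gateway API is not enabled here.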
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium

@@ -16,24 +16,27 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 7bd9c5c39976db73fa9d038de2374c1467f759b8560a6c3fb139a91ae373b05a
+        cilium.io/cilium-configmap-checksum: 62eb0690033322ac04dcd080aee6d30ccd944a06949ee2139842b76d88153f27
+        kubectl.kubernetes.io/default-container: cilium-agent
       labels:
         k8s-app: cilium
         app.kubernetes.io/name: cilium-agent
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
+        seccompProfile:
+          type: Unconfined
       containers:
       - name: cilium-agent
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
         imagePullPolicy: IfNotPresent
         command:
         - cilium-agent
         args:
         - --config-dir=/tmp/cilium/config-map
         startupProbe:
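Review bot: the added `seccompProfile: type: Unconfined` sits at pod level under `spec.securityContext`, so it switches syscall filtering off for every container in the DaemonSet pod, init containers included, not only for `cilium-agent`. Together with the existing `appArmorProfile: type: Unconfined` this pod now explicitly opts out of both confinement layers. On nodes where the kubelet would otherwise default to the runtime profile this is a downgrade for the init containers that only run a short script; unless container-level `seccompProfile` entries outside this hunk override it, consider keeping `Unconfined` on the containers that need it and `RuntimeDefault` for the rest.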
@@ -42,13 +45,13 @@

             path: /healthz
             port: 9879
             scheme: HTTP
             httpHeaders:
             - name: brief
               value: 'true'
-          failureThreshold: 105
+          failureThreshold: 300
           periodSeconds: 2
           successThreshold: 1
           initialDelaySeconds: 5
         livenessProbe:
           httpGet:
             host: 127.0.0.1
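Review bot: with `periodSeconds: 2` unchanged, raising `failureThreshold` from 105 to 300 extends the startup window from 210 s to 600 s, so an agent that never becomes healthy is left unrestarted for up to ten minutes per node. The DaemonSet rolls with `maxUnavailable: 2`, so a bad rollout will now stall for that long on each pair of nodes before the kubelet reacts. Any alert that relies on container restarts to flag a failed agent start should be checked against the new window.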
@@ -96,12 +99,16 @@

               resource: limits.memory
               divisor: '1'
         - name: KUBERNETES_SERVICE_HOST
           value: 127.0.0.1
         - name: KUBERNETES_SERVICE_PORT
           value: '7445'
+        - name: KUBE_CLIENT_BACKOFF_BASE
+          value: '1'
+        - name: KUBE_CLIENT_BACKOFF_DURATION
+          value: '120'
         lifecycle:
           postStart:
             exec:
               command:
               - bash
               - -c
@@ -196,13 +203,13 @@

           mountPath: /var/lib/cilium/tls/hubble
           readOnly: true
         - name: tmp
           mountPath: /tmp
       initContainers:
       - name: config
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
         imagePullPolicy: IfNotPresent
         command:
         - cilium-dbg
         - build-config
         env:
         - name: K8S_NODE_NAME
@@ -221,13 +228,13 @@

           value: '7445'
         volumeMounts:
         - name: tmp
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
       - name: mount-cgroup
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
         imagePullPolicy: IfNotPresent
         env:
         - name: CGROUP_ROOT
           value: /sys/fs/cgroup
         - name: BIN_PATH
           value: /opt/cni/bin
@@ -253,13 +260,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: apply-sysctl-overwrites
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
         imagePullPolicy: IfNotPresent
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
         command:
         - sh
@@ -283,13 +290,13 @@

             - SYS_ADMIN
             - SYS_CHROOT
             - SYS_PTRACE
             drop:
             - ALL
       - name: mount-bpf-fs
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
         imagePullPolicy: IfNotPresent
         args:
         - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
         command:
         - /bin/bash
         - -c
@@ -299,13 +306,13 @@

           privileged: true
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           mountPropagation: Bidirectional
       - name: clean-cilium-state
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
         imagePullPolicy: IfNotPresent
         command:
         - /init-container.sh
         env:
         - name: CILIUM_ALL_STATE
           valueFrom:
@@ -347,13 +354,13 @@

         - name: cilium-cgroup
           mountPath: /sys/fs/cgroup
           mountPropagation: HostToContainer
         - name: cilium-run
           mountPath: /var/run/cilium
       - name: install-cni-binaries
-        image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+        image: quay.io/cilium/cilium:v1.18.1@sha256:65ab17c052d8758b2ad157ce766285e04173722df59bdee1ea6d5fda7149f0e9
         imagePullPolicy: IfNotPresent
         command:
         - /install-plugin.sh
         resources:
           requests:
             cpu: 100m
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy

@@ -17,25 +17,25 @@

     rollingUpdate:
       maxUnavailable: 2
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-envoy-configmap-checksum: 93ea335eabe243968f498f059c70367529a6a0153e78e4458c312c6304bde14c
+        cilium.io/cilium-envoy-configmap-checksum: efcd5d18b624444a6d334fcca1aef9c69f9b85247bfdb78c0f7c5bdf9c8e8a92
       labels:
         k8s-app: cilium-envoy
         name: cilium-envoy
         app.kubernetes.io/name: cilium-envoy
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         appArmorProfile:
           type: Unconfined
       containers:
       - name: cilium-envoy
-        image: quay.io/cilium/cilium-envoy:v1.33.4-1752151664-7c2edb0b44cf95f326d628b837fcdd845102ba68@sha256:318eff387835ca2717baab42a84f35a83a5f9e7d519253df87269f80b9ff0171
+        image: quay.io/cilium/cilium-envoy:v1.34.4-1754895458-68cffdfa568b6b226d70a7ef81fc65dda3b890bf@sha256:247e908700012f7ef56f75908f8c965215c26a27762f296068645eb55450bda2
         imagePullPolicy: IfNotPresent
         command:
         - /usr/bin/cilium-envoy-starter
         args:
         - --
         - -c /var/run/cilium/envoy/bootstrap-config.json
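Review bot: the pod-level `securityContext` for `cilium-envoy` still contains only `appArmorProfile: type: Unconfined` and gets no `seccompProfile` in this update, while the agent, operator and hubble-relay pods all gain an explicit one. The effective seccomp profile for this pod therefore keeps depending on the kubelet default. Since this hunk also moves the proxy from v1.33.4 to v1.34.4, it is a good point to set the profile explicitly (ideally `RuntimeDefault`, if the proxy runs under it) unless a container-level setting outside this hunk already does so.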
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator

@@ -20,22 +20,25 @@

       maxSurge: 25%
       maxUnavailable: 50%
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/cilium-configmap-checksum: 7bd9c5c39976db73fa9d038de2374c1467f759b8560a6c3fb139a91ae373b05a
+        cilium.io/cilium-configmap-checksum: 62eb0690033322ac04dcd080aee6d30ccd944a06949ee2139842b76d88153f27
       labels:
         io.cilium/app: operator
         name: cilium-operator
         app.kubernetes.io/part-of: cilium
         app.kubernetes.io/name: cilium-operator
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: cilium-operator
-        image: quay.io/cilium/operator-generic:v1.17.6@sha256:91ac3bf7be7bed30e90218f219d4f3062a63377689ee7246062fa0cc3839d096
+        image: quay.io/cilium/operator-generic:v1.18.1@sha256:97f4553afa443465bdfbc1cc4927c93f16ac5d78e4dd2706736e7395382201bc
         imagePullPolicy: IfNotPresent
         command:
         - cilium-operator-generic
         args:
         - --config-dir=/tmp/cilium/config-map
         - --debug=$(CILIUM_DEBUG)
@@ -85,12 +88,17 @@

           timeoutSeconds: 3
           failureThreshold: 5
         volumeMounts:
         - name: cilium-config-path
           mountPath: /tmp/cilium/config-map
           readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
         terminationMessagePolicy: FallbackToLogsOnError
       hostNetwork: true
       restartPolicy: Always
       priorityClassName: system-cluster-critical
       serviceAccountName: cilium-operator
       automountServiceAccountToken: true
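Review bot: the added container `securityContext` sets `allowPrivilegeEscalation: false` and drops `ALL` capabilities but does not set `runAsNonRoot` or `readOnlyRootFilesystem`. The pod runs with `hostNetwork: true` and `automountServiceAccountToken: true`, so it is worth closing the remaining gap: if the operator image runs as a non-root user, add `runAsNonRoot: true` so that this is enforced rather than assumed.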
@@ -101,12 +109,19 @@

               matchLabels:
                 io.cilium/app: operator
             topologyKey: kubernetes.io/hostname
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
-      - operator: Exists
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+      - key: node.kubernetes.io/not-ready
+        operator: Exists
+      - key: node.cilium.io/agent-not-ready
+        operator: Exists
       volumes:
       - name: cilium-config-path
         configMap:
           name: cilium-config
 
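Review bot: replacing the blanket `- operator: Exists` toleration with four named keys is a behaviour change, not only a tightening. The operator will no longer schedule onto, or stay on, nodes that carry any other taint, for example custom `NoSchedule` taints or the `node.kubernetes.io/unreachable` and pressure taints. Before merging, list the taints present on the nodes in this cluster and confirm that at least as many nodes as there are operator replicas remain schedulable under the new list; otherwise the operator can end up Pending during exactly the kind of node trouble it used to tolerate.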
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay

@@ -25,22 +25,27 @@

         k8s-app: hubble-relay
         app.kubernetes.io/name: hubble-relay
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
         fsGroup: 65532
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: hubble-relay
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-        image: quay.io/cilium/hubble-relay:v1.17.6@sha256:7d17ec10b3d37341c18ca56165b2f29a715cb8ee81311fd07088d8bf68c01e60
+          seccompProfile:
+            type: RuntimeDefault
+        image: quay.io/cilium/hubble-relay:v1.18.1@sha256:7e2fd4877387c7e112689db7c2b153a4d5c77d125b8d50d472dbe81fc1b139b0
         imagePullPolicy: IfNotPresent
         command:
         - hubble-relay
         args:
         - serve
         ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui

@@ -17,13 +17,13 @@

     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
       annotations:
-        cilium.io/hubble-ui-nginx-configmap-checksum: de069d2597e16e4de004ce684b15d74b2ab6051c717ae073d86199a76d91fcf1
+        cilium.io/hubble-ui-nginx-configmap-checksum: 76283720d1bb70050debf51116121fa9a67ebc9d1cd9167c3dd9bdbfb613df37
       labels:
         k8s-app: hubble-ui
         app.kubernetes.io/name: hubble-ui
         app.kubernetes.io/part-of: cilium
     spec:
       securityContext:
@@ -32,13 +32,13 @@

         runAsUser: 1001
       priorityClassName: null
       serviceAccountName: hubble-ui
       automountServiceAccountToken: true
       containers:
       - name: frontend
-        image: quay.io/cilium/hubble-ui:v0.13.2@sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392
+        image: quay.io/cilium/hubble-ui:v0.13.3@sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
           containerPort: 8081
         livenessProbe:
           httpGet:
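Review bot: the `frontend` image line changes the tag from `v0.13.2` to `v0.13.3` but keeps the same digest, `sha256:9e37c129...`. A digest-pinned reference is resolved by digest, so the pod will run exactly the image it ran before and the tag is only a label. Either the digest was not refreshed along with the tag or both tags point at the same content; resolve the digest of the `v0.13.3` tag from the registry and update the pin if it differs, otherwise this part of the PR is a no-op that misreports the running version.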
@@ -52,25 +52,29 @@

         - name: hubble-ui-nginx-conf
           mountPath: /etc/nginx/conf.d/default.conf
           subPath: nginx.conf
         - name: tmp-dir
           mountPath: /tmp
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: backend
-        image: quay.io/cilium/hubble-ui-backend:v0.13.2@sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15
+        image: quay.io/cilium/hubble-ui-backend:v0.13.3@sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15
         imagePullPolicy: IfNotPresent
         env:
         - name: EVENTS_SERVER_PORT
           value: '8090'
         - name: FLOWS_API_ADDR
           value: hubble-relay:80
         ports:
         - name: grpc
           containerPort: 8090
         volumeMounts: null
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
       volumes:
       - configMap:
           defaultMode: 420
           name: hubble-ui-nginx
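Review bot: the `securityContext` added to both `frontend` and `backend` contains only `allowPrivilegeEscalation: false`, with no `capabilities.drop` and no `seccompProfile`, unlike the hubble-relay container in the same release, which gets all three. Bringing hubble-ui to the same baseline (`drop: [ALL]`, `seccompProfile: RuntimeDefault`) would be consistent if the chart allows it. The `backend` image line also has the same tag/digest mismatch as `frontend`: the tag moves to `v0.13.3` while the digest stays `sha256:a034b7e9...`.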
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent

@@ -16,13 +16,14 @@

   endpoints:
   - port: metrics
     interval: 10s
     honorLabels: true
     path: /metrics
     relabelings:
-    - replacement: ${1}
+    - action: replace
+      replacement: ${1}
       sourceLabels:
       - __meta_kubernetes_pod_node_name
       targetLabel: node
   targetLabels:
   - k8s-app
 
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-envoy

+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-envoy

@@ -17,13 +17,14 @@

   endpoints:
   - port: envoy-metrics
     interval: 10s
     honorLabels: true
     path: /metrics
     relabelings:
-    - replacement: ${1}
+    - action: replace
+      replacement: ${1}
       sourceLabels:
       - __meta_kubernetes_pod_node_name
       targetLabel: node
   targetLabels:
   - k8s-app
 

@lumiere-bot lumiere-bot bot force-pushed the renovate/cilium branch 3 times, most recently from 9811610 to de02184 Compare August 15, 2025 15:10
@lumiere-bot lumiere-bot bot changed the title feat(container): update cilium group ( 1.17.6 → 1.18.0 ) feat(container): update cilium group ( 1.17.6 → 1.18.1 ) Aug 15, 2025
@lumiere-bot lumiere-bot bot changed the title feat(container): update cilium group ( 1.17.6 → 1.18.1 ) feat(container): update image ghcr.io/home-operations/charts-mirror/cilium ( 1.17.6 → 1.18.1 ) Aug 16, 2025
@lumiere-bot lumiere-bot bot changed the title feat(container): update image ghcr.io/home-operations/charts-mirror/cilium ( 1.17.6 → 1.18.1 ) feat(container): update cilium group Sep 3, 2025
@lumiere-bot lumiere-bot bot merged commit 20a7053 into main Sep 4, 2025
12 of 16 checks passed
@lumiere-bot lumiere-bot bot deleted the renovate/cilium branch September 4, 2025 01:16