1.16.0-rc.1

Pre-release
@joestringer joestringer released this 28 Jun 22:30
· 111 commits to main since this release
v1.16.0-rc.1

Summary of Changes

Major Changes:

Minor Changes:

  • agent: Add EnableRouteMTUForCNIChaining to propagate MTU to pods when CNI chaining is used (#33190, @brb)
  • BGPv1 and BGPv2 - Reject all inbound BGP advertisements (#33035, @dswaffordcw)
  • bgpv2: Fix defaulting of BGP peer config, use the default peer config only when PeerConfigRef is not specified in CiliumBGPClusterConfig. (#33392, @rastislavs)
  • Change default CiliumLoadBalancerIPPool behavior and remove deprecated cidrs field from CiliumLoadBalancerIPPool (#33151, @dylandreimerink)
  • envoy: Enable DaemonSet only for new installation (#33384, @sayboras)
  • envoy: update envoy 1.29.x to v1.29.6 (main) (#33406, @sayboras)
  • Fixes a rare cause of policy drops on first endpoint regeneration. (#32914, @squeed)
  • helm: ensure that envoy daemonset is installed only when needed (#33431, @f1ko)
  • k8s: improve user facing error logging for k8s decode errors. (#33245, @tommyp1ckles)
  • Removed cilium-agent permissions to update CiliumNetworkPolicy and CiliumClusterWideNetworkPolicy statuses (#33228, @marseel)

Bugfixes:

  • bgpv1: reorder neighbor creation and deletion steps (#33262, @harsimran-pabla)
  • bgpv2: use peer asn and address in the key (#33263, @harsimran-pabla)
  • bpf: rename UINT8_MAX to UINT16_max and fix cluster_id casts (#33240, @thorn3r)
  • Cilium now correctly handles the case when a to/fromCIDRSet policy only contains a cidrGroupRef to a non-existent cidrGroup by denying traffic. (#33396, @bimmlerd)
  • ctmap: Stop GC handler if signal map is closed (#33281, @gandro)
  • datapath: Fix redirect from L3 netdev to tunnel (#33421, @brb)
  • egress-gateway: Validate ep identity before fetching labels (#33311, @pippolo84)
  • Fix CiliumEnvoyConfig Nodeport handling (#33040, @youngnick)
  • Fix hubble metrics leak by using CiliumEndpoint watcher to remove stale metrics. (#33260, @sgargan)
  • Fix rare spurious double reconnection upon clustermesh configuration change for remote cluster (#33248, @giorio94)
  • gateway-api: Un-set externalTrafficPolicy on LB service for host network (#33101, @otaconix)
  • Recreate CT entries for non-TCP to fix L7 proxy redirect failures. (#33222, @ysksuzuki)
  • Revert PR #32244 which caused unintended side-effects that negatively impacted network performance. (#33304, @learnitall)

CI Changes:

  • Add dispatch for scale/perf workflows and notice (#33201, @marseel)
  • bpf/tests: Add BPF_TEST_FILE to run a single test (#33407, @brb)
  • ci: Extend K8s FQDN test to assert numeric identities after restoration (#33400, @gandro)
  • Fix bug in CES migration workflow causing it to fail when it should be skipped. (#33290, @learnitall)
  • hubble: deflake TestLocalObserverServer_NodeLabels (#33285, @kaworu)
  • ipsec-tests: Fix flaky TestUpsertIPSecKeyMissing (#32937, @marseel)
  • Revert "CI: bump default FQDN datapath timeout from 100 to 250ms" (#33354, @gandro)
  • workflows: integration-test: allow to configure bigger runner (#33284, @jibi)

Misc Changes:

  • .github: add workflow for renovate to build base images (#33326, @aanm)
  • .github: fix cloud workflows for renovate (#33320, @aanm)
  • .github: fix workflows used by renovate (#33309, @aanm)
  • .github: update kindest to 1.30.0 (#33375, @aanm)
  • Add auto-merge for renovate for trusted dependencies (#33287, @aanm)
  • Add explicit deprecation notice in the Ginkgo-based E2E testing documentation (#33288, @learnitall)
  • bitlpm: Add Comment for UintTrie (#33241, @nathanjsweet)
  • bpf,tests: Add IPv4 checksum validation (#33341, @viktor-kurchenko)
  • bpf: ct: return actual error from CT lookup (#33225, @julianwiedmann)
  • bpf: ensure test objects are compiled before tests are run (#33275, @lmb)
  • bpf: fix skip_tunnel_nodeport_revnat (#33113, @lmb)
  • bpf: host: sanitize whole skb->cb in to-netdev (#33183, @julianwiedmann)
  • bpf: improve some trace notifications to report the correct ifindex (#33229, @julianwiedmann)
  • bpf: lxc: fix ifindex in TO_ENDPOINT trace notification (#33085, @julianwiedmann)
  • bpf: lxc: prefer SECLABEL_IPV4 over SECLABEL in ipv4_policy() (#33181, @julianwiedmann)
  • bpf: nodeport: clean up redundant 0-initializations (#33255, @julianwiedmann)
  • build(deps): bump urllib3 from 2.0.7 to 2.2.2 in /Documentation (#33218, @dependabot[bot])
  • build-images-base: cancel github runs based on branch name (#33353, @aanm)
  • build-images-base: push to branch if pull request ref doesn't exist (#33368, @aanm)
  • build-images: fetch artifacts with specific pattern (#33216, @aanm)
  • chore(deps): update all github action dependencies (main) (#33300, @cilium-renovate[bot])
  • chore(deps): update all github action dependencies (main) (#33402, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#33297, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#33343, @cilium-renovate[bot])
  • chore(deps): update all lvh-images main (main) (patch) (#33401, @cilium-renovate[bot])
  • chore(deps): update all-dependencies (main) (#33298, @cilium-renovate[bot])
  • chore(deps): update cilium/scale-tests-action digest to 511e3d9 (main) (#33210, @cilium-renovate[bot])
  • chore(deps): update dependency renovatebot/renovate to v37.410.1 (main) (#33205, @cilium-renovate[bot])
  • chore(deps): update dependency renovatebot/renovate to v37.415.0 (main) (#33350, @cilium-renovate[bot])
  • chore(deps): update docker.io/library/golang:1.22.4 docker digest to a66eda6 (main) (#33331, @cilium-renovate[bot])
  • cilium: add note into upgrade guide and perf guide about netkit enablement (#33404, @borkmann)
  • clustermesh: grant read permissions to the cilium/.heartbeat prefix (#33436, @giorio94)
  • contrib,tool: exclude slice cleanup (#33365, @viktor-kurchenko)
  • daemon/ipam: don't swallow parse error of CIDR (#33283, @bimmlerd)
  • datapath: clean up unused SECLABEL_NB (#33211, @julianwiedmann)
  • docs: Add note about WG and MTU with CNI chaining (#33429, @brb)
  • docs: Document enable-node-selector-labels flag (#31188, @oblazek)
  • docs: Extend LRP guide with troubleshooting section (#33373, @aditighag)
  • docs: Fix a spelling mistake in BGP docs (#33328, @saintdle)
  • docs: Improve note on kube-apiserver entity limitations (#33382, @gandro)
  • Documentation update for BGPv2 transport configuration (#33307, @dswaffordcw)
  • Documentation: Add troubleshooting section to L2 Announcements (#33386, @dylandreimerink)
  • examples: Fix subject selector in ingress policy (#33292, @joestringer)
  • Fix CiliumEnvoyConfig Nodeport handling again (#33266, @youngnick)
  • fix(deps): update all go dependencies main (main) (#33200, @cilium-renovate[bot])
  • fix(deps): update all go dependencies main (main) (#33359, @cilium-renovate[bot])
  • fix(deps): update aws-sdk-go-v2 monorepo (main) (#33213, @cilium-renovate[bot])
  • fix(deps): update kubernetes packages to v0.30.2 (main) (#33299, @cilium-renovate[bot])
  • fix(deps): update module github.com/hashicorp/go-hclog to v1.6.3 (main) (#33371, @cilium-renovate[bot])
  • fqdn: Skip "open ports" check for statically configured ports (#33230, @gandro)
  • helm: drop IDENTITY_ALLOCATION_MODE environment variable from clustermesh-apiserver (#33191, @giorio94)
  • hive: Fixed copy-paste error in reconciler.Metrics implementation (#33374, @dylandreimerink)
  • identity: Ensure checkpoint runs on shutdown (#33272, @gandro)
  • install/kubernetes: update nodeinit image to latest version (#33427, @marseel)
  • ipam: cell for IPAM and IPAMRestAPIHandler (#33089, @mhofstetter)
  • Makefile: suppress error in comment line. (#33334, @paulosjca)
  • Miscellaneous improvements about closing kvstore client. (#33250, @giorio94)
  • Miscellaneous improvements to clustermesh-related troubleshooting tools (#32951, @giorio94)
  • operator/identitygc: Disable identitygc when Operator manages CID (#33381, @ovidiutirla)
  • operator: include CRD categories when applying cilium CRDs (#33387, @mhofstetter)
  • operator: Remove deprecated CES sync errors metric (#33305, @christarazi)
  • pkg/endpoint: store template hash in template.txt (#33252, @lmb)
  • pkg/k8s: Add required resources for Operator managing CIDs (#33021, @ovidiutirla)
  • Policy catch invalid port wildcard (#33302, @jrajahalme)
  • policy: Replace panics with error logs with stacktrace (#33333, @jrajahalme)
  • policy: take SelectorCache read lock when applying incremental changes (#33345, @squeed)
  • Prepare for release v1.16.0-rc.0 (#33207, @aanm)
  • README: Update releases (#33217, @aanm)
  • Reconcile qdiscs accurately when using BW manager (#33161, @hemanthmalla)
  • renovate add trusted dependencies (#33312, @aanm)
  • renovate: update k8s dependencies automatically (#33236, @aanm)
  • Revert "Fix CiliumEnvoyConfig Nodeport handling" #33040 (#33256, @markpash)
  • Revert "IPAM: Adds AWS IPv6 Prefix Delegation Config Option" (#33394, @christarazi)
  • toFQDNs: Add documentation and metrics for fqdn identities (#33237, @gandro)
  • v1.16 stable branch preparation (#33453, @aanm)
  • Wait for CEC and CCEC resources before restoring endpoints. (#32981, @jrajahalme)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.0-rc.1@sha256:0729d9eff50c2c6b798c073c6ecac15c880095c989bf4312b43da7be90bb44f2

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.0-rc.1@sha256:59ddda649562bbf369dc6584f4bf8a699e80b9db3db8f93010df8ccf11ea5eb6

docker-plugin

quay.io/cilium/docker-plugin:v1.16.0-rc.1@sha256:93b95ca13e00b3178ae2efa063bb44cbb1fc3030c84277fbaea8f0415bc6a8bf

hubble-relay

quay.io/cilium/hubble-relay:v1.16.0-rc.1@sha256:8c941e9c9cb94d23874b988adb9794a497e6d35f9893ef741e37838add909413

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.0-rc.1@sha256:488cf234f6730b989162e2cb2de4b479ff312d0392ec6a4bb57d697606e36a3a

operator-aws

quay.io/cilium/operator-aws:v1.16.0-rc.1@sha256:798917d351dc2ec53e9b71be6d3397c10a0d2d12135ac6a6e9d999862107d432

operator-azure

quay.io/cilium/operator-azure:v1.16.0-rc.1@sha256:0f8b0ebe8e5dc9908418602be49dfb40e5f938ed99fe1d3ddc1fec066fb42e37

operator-generic

quay.io/cilium/operator-generic:v1.16.0-rc.1@sha256:300d55216909d163060aae17de6305084c8208871d25f8e5962e643f6b58e216

operator

quay.io/cilium/operator:v1.16.0-rc.1@sha256:52adead4d4440bc85e66b32fe2ed4336cdb6b89cf4c7b2658f394e00705c2e92