fix(deps): update module github.com/cilium/cilium to v1.16.9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cilium/cilium	v1.16.6 -> v1.16.9

GitHub Vulnerability Alerts

CVE-2025-30162

Impact

For Cilium users who:

• Use Gateway API for Ingress for some services AND
• Use LB-IPAM or BGP for LB Service implementation AND
• Use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces

Egress traffic from workloads covered by such network policies to LoadBalancers configured by Gateway resources will incorrectly be allowed.

LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue.

Patches

This issue was fixed by https://github.com/cilium/proxy/pull/1172.

This issue affects:

• Cilium v1.15 between v1.15.0 and v1.15.14 inclusive
• Cilium v1.16 between v1.16.0 and v1.16.7 inclusive
• Cilium v1.17 between v1.17.0 and v1.17.1 inclusive

This issue is fixed in:

• Cilium v1.15.15
• Cilium v1.16.8
• Cilium v1.17.2

Workarounds

A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade. An outline of such a policy is provided below:

apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "workaround"
spec:
  endpointSelector:
    matchExpressions:
    - key: reserved:ingress
      operator: Exists
  ingress:
  - fromEntities:
    - world

• The policy opens up connectivity from all locations outside the cluster into the Cilium Ingress Gateway.
• The policy establishes a default deny for all other traffic towards the Cilium Ingress Gateway, including all in-cluster sources.
• It is possible to tailor the policy to more narrowly allow inbound traffic while creating a default deny posture for traffic between namespaces. Users should edit the policy to bring it in line with the security requirements particular to their environments.

Acknowledgements

The Cilium community has worked together with members of the Isovalent team to prepare these mitigations. Special thanks to @​jrajahalme for the fix.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2025-30163

Impact

Node based network policies (fromNodes and toNodes) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in fromNodes and toNodes sections of network policies. Node based network policy is disabled by default in Cilium.

Patches

This issue was fixed by https://github.com/cilium/cilium/pull/36657.

This issue affects:

• Cilium v1.16 between v1.16.0 and v1.16.7 inclusive
• Cilium v1.17 between v1.17.0 and v1.17.1 inclusive

This issue is fixed in:

• Cilium v1.16.8
• Cilium v1.17.2

Workarounds

Users can work around this issue by ensuring that the labels used in fromNodes and toNodes fields are used exclusively by nodes and not by other endpoints.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​oblazek for reporting and fixing this issue.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.

CVE-2025-32793

Impact

When using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium.

Patches

This issue has been patched in https://github.com/cilium/cilium/pull/38592.

This issue affects:

• Cilium v1.15 between v1.15.0 and v1.15.15 inclusive
• Cilium v1.16 between v1.16.0 and v1.16.8 inclusive
• Cilium v1.17 between v1.17.0 and v1.17.2 inclusive

This issue is fixed in:

• Cilium v1.15.16
• Cilium v1.16.9
• Cilium v1.17.3

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​gandro and @​pippolo84 for reporting this issue and to @​julianwiedmann for the patch.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.16.9: 1.16.9

Compare Source

Summary of Changes

Minor Changes:

• Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR #​38400, Upstream PR #​37936, @​smagnani96)
• Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport PR #​38747, Upstream PR #​35900, @​smagnani96)

Bugfixes:

• bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR #​38747, Upstream PR #​38592, @​julianwiedmann)
• Fix panic caused in dual cluster setups where LRPs with skipRedirectFromBackend flag set to true are installed and IPv6 is disabled. (Backport PR #​38701, Upstream PR #​38656, @​aditighag)
• For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR #​38747, Upstream PR #​38737, @​julianwiedmann)

CI Changes:

• build: update golangci-lint to v2.0.0 (Backport PR #​38631, Upstream PR #​38473, @​mhofstetter)
• ci: build CI images within merge group (Backport PR #​38525, Upstream PR #​38065, @​marseel)
• ci: prepare CI Image build for being required (Backport PR #​38525, Upstream PR #​38320, @​marseel)
• Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38264, @​smagnani96)
• Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38290, @​smagnani96)
• Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38281, @​smagnani96)
• Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38265, @​smagnani96)
• Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38292, @​smagnani96)
• Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38291, @​smagnani96)
• gh: aws-cni: set --enable-identity-mark=false option (Backport PR #​38747, Upstream PR #​38738, @​julianwiedmann)
• gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR #​38521, Upstream PR #​37551, @​jschwinger233)
• gh: update naming for bpftrace leak detection script (Backport PR #​38521, Upstream PR #​37865, @​julianwiedmann)
• Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38278, @​smagnani96)
• Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38293, @​smagnani96)
• Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38266, @​smagnani96)
• Refactoring and code comments for the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38263, @​smagnani96)
• Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38297, @​smagnani96)
• Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38280, @​smagnani96)
• Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38289, @​smagnani96)
• Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #​38525, Upstream PR #​38289, @​smagnani96)
• Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR #​38521, Upstream PR #​38287, @​smagnani96)
• Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport PR #​38741, Upstream PR #​38268, @​smagnani96)
• test: Update FQDN related domain and IP (Backport PR #​38770, Upstream PR #​38754, @​sayboras)

Misc Changes:

• [v1.16] deps: bump github.com/containerd/containerd to v1.7.27 (#​38496, @​ferozsalam)
• [v1.16] deps: Bump package x/net (#​38323, @​ferozsalam)
• [v1.16] deps: bump package x/oauth2 (#​38404, @​ferozsalam)
• [v1.16]: deps: bump x/net to v0.38.0 (#​38781, @​ferozsalam)
• bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR #​38747, Upstream PR #​37956, @​julianwiedmann)
• bpf: let MARK_MAGIC_EGW_DONE carry source identity (Backport PR #​38747, Upstream PR #​38430, @​julianwiedmann)
• chore(deps): update all github action dependencies (v1.16) (#​38347, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​38515, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (patch) (#​38346, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​38304, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​38442, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​38543, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.16) (#​38731, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.16) (#​38348, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.16) (#​38714, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.36.1 docker digest to e246aa2 (v1.16) (#​38344, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.21 (v1.16) (#​38613, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.8 (v1.16) (#​38345, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.16) (#​38258, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.4-1742515734-d30064faed34d8936672353d4b6d6dbcfbaa7b2d (v1.16) (#​38385, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743506100-0821ef0acdf9f824d47d34e02932be522b3e7233 (v1.16) (#​38672, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743993953-6f87ef30cb1aca19e233099304bd08d689f380dd (v1.16) (#​38774, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​38317, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​38614, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​38832, @​cilium-renovate[bot])
• docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR #​38525, Upstream PR #​38173, @​yrsuthari)
• docs: clarify hubble flow filter match semantics (Backport PR #​38701, Upstream PR #​38657, @​devodev)
• docs: Document jitter applied to BGP ConnectRetryTimeSeconds (Backport PR #​38525, Upstream PR #​38231, @​rastislavs)
• docs: Update LLVM requirements to 18.1 (Backport PR #​38342, Upstream PR #​38294, @​gentoo-root)
• Documentation: "cilium config set" restarts by default (Backport PR #​38299, Upstream PR #​38114, @​joamaki)
• Documentation: fix mentions of per-node cilium-dbg tool (Backport PR #​38299, Upstream PR #​38276, @​tklauser)
• images: bump distroless to static (Backport PR #​38695, Upstream PR #​38647, @​kaworu)
• pkg/controller: fix data race in update params locked (Backport PR #​38525, Upstream PR #​38327, @​aanm)
• pkg/endpoint: fix race in unit test (Backport PR #​38299, Upstream PR #​38129, @​squeed)
• remove the endpointRoutes for aws cni in the doc (Backport PR #​38701, Upstream PR #​38381, @​liyihuang)

Other Changes:

• [v1.16] hubble: fix flowfilter flag parsing allowing only one filter (#​38794, @​devodev)
• [v1.16] proxy: Bump envoy version to 1.32.x (#​38307, @​sayboras)
• fix AWS ENI IPAM mode performance regression in the Operator when --update-ec2-adapter-limit-via-api is set to true (#​38533, @​antonipp)
• gha: Skip HTTPRouteServiceTypes test (#​38343, @​sayboras)
• install: Update image digests for v1.16.8 (#​38207, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.9@​sha256:98f8e547fd0720e042a1eb7bd6f50a521cbe0a8ea8e013f783f1709fc023c266

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.9@​sha256:69b9b80046f2a293de96e228ffdf7803bdd387d2c8cc6fa836a240c4932d7066

docker-plugin

quay.io/cilium/docker-plugin:v1.16.9@​sha256:867b37f934411c11e9e50d0d691a2d1376ec4fe4c573c9b3af6950d559a97b28

hubble-relay

quay.io/cilium/hubble-relay:v1.16.9@​sha256:c978b77e607cc7fb9a92741464470002a192af47c5dec57b83f693919857199e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.9@​sha256:59d2a5d5ab017c974c42eeb7f265f9b91aafad2ee6c73d5dffe0bfe44bedd134

operator-aws

quay.io/cilium/operator-aws:v1.16.9@​sha256:f00e854ad7ae0c55e0e2352b71a98fe1358ba029e2e93b236a18c3b43664f948

operator-azure

quay.io/cilium/operator-azure:v1.16.9@​sha256:549ef9d238b84313f4a9f25518a77ec16cc9b86a19e66242bee920eb9c065fea

operator-generic

quay.io/cilium/operator-generic:v1.16.9@​sha256:0489f71dfeff23d1fbc4ee85a81a0274076ab2b53072aadbdf5963e83dc3faf7

operator

quay.io/cilium/operator:v1.16.9@​sha256:c8d0d6ca36d49bdeeb82d75b58a061f10e9e402d493241d648c4e329027b67ee

v1.16.8: 1.16.8

Compare Source

Summary of Changes

Minor Changes:

• docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR #​38106, Upstream PR #​37989, @​oblazek)
• Increase granularity of the api_duration_seconds metric buckets (Backport PR #​38014, Upstream PR #​37365, @​jaredledvina)

Bugfixes:

• Do not auto detect / auto select IPoIB devices (Backport PR #​37647, Upstream PR #​37553, @​dylandreimerink)
• Egress route reconciliation (Backport PR #​38120, Upstream PR #​37962, @​dylandreimerink)
• Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR #​37900, Upstream PR #​37419, @​javanthropus)
• Fix envoy metrics could not be obtained on IPv6-only clusters (Backport PR #​37900, Upstream PR #​37818, @​haozhangami)
• Fix the --dns-policy-unload-on-shutdown feature for restored endpoints (Backport PR #​37647, Upstream PR #​37532, @​antonipp)
• fix: cilium-config configmap was incorrectly resulting in values like 2.09715…2e+06 instead of 2097152 (Backport PR #​37647, Upstream PR #​37236, @​dee-kryvenko)
• Fix: cilium-operator no longer patches services on shutdown (Backport PR #​38106, Upstream PR #​37967, @​rsafonseca)
• helm: fix large number handling (Backport PR #​37743, Upstream PR #​37670, @​justin0u0)
• hubble: escape terminal special characters from observe output (Backport PR #​37647, Upstream PR #​37401, @​devodev)
• identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport PR #​38014, Upstream PR #​36657, @​oblazek)
• Restore aggregration of network trace events for Egress Gateway reply traffic on the gateway node (Backport PR #​38106, Upstream PR #​38029, @​julianwiedmann)

CI Changes:

• .github: Remove misleading step from ipsec workflow (Backport PR #​37743, Upstream PR #​37681, @​joestringer)
• bgpv1: wait for watchers to be ready in tests (Backport PR #​38014, Upstream PR #​37884, @​harsimran-pabla)
• ci: add leak detection to conformance-ipsec-upgrade (Backport PR #​36575, Upstream PR #​36377, @​smagnani96)
• CI: GKE backslash missing disable insecure kubelet (Backport PR #​37900, Upstream PR #​37850, @​auriaave)
• CI: GKE, disable insecure kubelet readonly port (Backport PR #​37900, Upstream PR #​37844, @​auriaave)
• ci: switch to monitor aggregation medium (Backport PR #​38106, Upstream PR #​38036, @​marseel)
• Cleanups after LLVM upgrade. (Backport PR #​37801, Upstream PR #​32067, @​gentoo-root)

Misc Changes:

• [v1.16] docs: Update requirements.txt dependencies (#​37616, @​joestringer)
• allocator: correctly propagate context to RunGC call (Backport PR #​37743, Upstream PR #​36034, @​giorio94)
• chore(deps): update all github action dependencies (v1.16) (#​37952, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37997, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​38049, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.16) (#​37951, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.7 (v1.16) (#​37998, @​cilium-renovate[bot])
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.16) (#​37834, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.16) (#​38149, @​cilium-renovate[bot])
• docs: fix broken links (Backport PR #​38106, Upstream PR #​37995, @​nueavv)
• Fix API generation and add trusted dependencies to renovate config (Backport PR #​37647, Upstream PR #​36957, @​aanm)
• Fix helm value for IPAM Multi-Pool (Backport PR #​38014, Upstream PR #​37963, @​saintdle)
• labels: fix TestNewFrom test (Backport PR #​37900, Upstream PR #​37846, @​giorio94)
• Moves Unix socket listener configuration to a new file specifically for Linux builds. (Backport PR #​37647, Upstream PR #​37399, @​ritwikranjan)
• Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR #​37900, Upstream PR #​37806, @​rolinh)
• wireguard: attach Ingress program for native routing mode configurations (Backport PR #​38117, Upstream PR #​37108, @​julianwiedmann)

Other Changes:

• [v1.16] images: update cilium-{runtime,builder} (#​38054, @​julianwiedmann)
• install: Update image digests for v1.16.7 (#​37709, @​cilium-release-bot[bot])
• v1.16: gh/workflows: Remove conformance-externalworkloads (#​37739, @​brb)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.8@​sha256:569ec9056ef2e3b283edb508b31e4ff04058cb7bd551cc9433512ebdef07804d

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.8@​sha256:5ea1c42de93879a853e35a1287dfc0c2bcf912fcdc8ce092dfb322819123c8ea

docker-plugin

quay.io/cilium/docker-plugin:v1.16.8@​sha256:74664fa646f3fe6b8615830b21073602dece8b5397db7384b5aa0e585857265e

hubble-relay

quay.io/cilium/hubble-relay:v1.16.8@​sha256:498c04894fc95b6792d713dfb5e11aad236d41433710ddf73425483e855170be

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.8@​sha256:409009711eab9e0f97c13c67c9b18aa48be130d970f09b067e1ae35df24b2252

operator-aws

quay.io/cilium/operator-aws:v1.16.8@​sha256:c596b30650899c5ecde8b114e0a4e8679f83122c2477056d8d437df78b7a981b

operator-azure

quay.io/cilium/operator-azure:v1.16.8@​sha256:c9dc8757e5941c72764b4a73d39c270378f156cc005722db95c77e0d1897dd04

operator-generic

quay.io/cilium/operator-generic:v1.16.8@​sha256:86c879ed25396a992fb8bf0297289f0b61f30f9a4a260f483abbdb39d919644d

operator

quay.io/cilium/operator:v1.16.8@​sha256:c2b0716672ce2bf68c2679c8b98ddab4c80f2c6891560e538ce4e117240ba220

v1.16.7: 1.16.7

Compare Source

Summary of Changes

Minor Changes:

• Add IngressDeny and EgressDeny rules validation for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy (Backport PR #​37124, Upstream PR #​36598, @​pippolo84)
• doc: Added hostLegacyRouting limitation for Talos (Backport PR #​37168, Upstream PR #​36852, @​PhilipSchmid)

Bugfixes:

• agent: defend against null pointer refs in cecManager.getEndpoint() (Backport PR #​37375, Upstream PR #​37188, @​aetimmes)
• Allow cilium agent to start on linux kernels that don't have CONFIG_XFRM. (Backport PR #​37278, Upstream PR #​37123, @​julianwiedmann)
• ces: Fix bug where stale endpoint information was injected into IPCache (Backport PR #​37417, Upstream PR #​37347, @​gandro)
• envoy: add configurable access log buffer size (Backport PR #​37168, Upstream PR #​36823, @​aetimmes)
• Fix a bug that prevents a pod from accessing Nodeport services when the pod is also in scope of a broad-range Egress Gateway policy. (Backport PR #​37168, Upstream PR #​36929, @​julianwiedmann)
• Fix bug causing the endpoint regeneration failure handler to be effective only once (Backport PR #​37278, Upstream PR #​37085, @​giorio94)
• Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped. (Backport PR #​37168, Upstream PR #​37086, @​giorio94)
• Fix specifying multiple interfaces for egress masquerade with enable-masquerade-to-route-source=false (Backport PR #​37168, Upstream PR #​36103, @​viktor-kurchenko)
• maps/nat/stats: Use Start context when waiting for maps (Backport PR #​37278, Upstream PR #​37262, @​tommyp1ckles)
• nodeinit: move kubelet restart inside if/else in startup.bash (Backport PR #​37375, Upstream PR #​37282, @​ayuspin)
• Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (Backport PR #​37168, Upstream PR #​36504, @​viktor-kurchenko)
• socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport PR #​37441, Upstream PR #​37426, @​alvaroaleman)

CI Changes:

• [v1.16] ctmap/gc: don't clamp conntrack scan timeout in CI (#​37380, @​giorio94)
• gh: harmonize lvh kernel naming scheme (Backport PR #​37375, Upstream PR #​37322, @​julianwiedmann)
• gh: update removed --loglevel option for kind (Backport PR #​37168, Upstream PR #​36935, @​julianwiedmann)
• gha: bump ubuntu version in conformance-externalworkloads (Backport PR #​37168, Upstream PR #​36859, @​giorio94)
• gha: correctly downgrade to patch release in ipsec workflows (Backport PR #​37168, Upstream PR #​36858, @​giorio94)
• gha: fix retrieval of DNS server in conformance external workloads (Backport PR #​37375, Upstream PR #​37361, @​giorio94)
• gha: Retrieve eks supported version via aws cli (Backport PR #​37223, Upstream PR #​37210, @​sayboras)
• Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport PR #​37168, Upstream PR #​36364, @​smagnani96)
• Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script. (Backport PR #​37168, Upstream PR #​36962, @​smagnani96)
• test: Fix the flake for TestRestoredPort (Backport PR #​37278, Upstream PR #​37106, @​sayboras)
• test: Move demo-httpd from Docker to Quay (Backport PR #​37278, Upstream PR #​37149, @​joestringer)
• test: Move the dind image to Quay to avoid rate-limiting (Backport PR #​37441, Upstream PR #​37388, @​pchaigno)

Misc Changes:

• build: Remove debug leftover from Makefile (Backport PR #​37168, Upstream PR #​36917, @​gentoo-root)
• chore(deps): update actions/setup-go action to v5.3.0 (v1.16) (#​37117, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​37244, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.16) (#​37505, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37343, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.16) (#​37550, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.24 (v1.16) (#​37338, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.16) (#​37215, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.16) (#​37503, @​cilium-renovate[bot])
• chore(deps): update go to v1.23.6 (v1.16) (#​37497, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.16) (#​37201, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.16) (patch) (#​37411, @​cilium-renovate[bot])
• cilium-dbg/troubleshoot: do not import cilium-dbg from operator (Backport PR #​37375, Upstream PR #​37326, @​aanm)
• clustermesh: Add hidden flag --allow-unsafe-policy-skb-usage (Backport PR #​37168, Upstream PR #​36602, @​joestringer)
• doc(glossary): Geneve as final RFC (Backport PR #​37375, Upstream PR #​37316, @​alagoutte)
• doc: ebpf host-routing and netfilter (Backport PR #​37168, Upstream PR #​36921, @​PhilipSchmid)
• doc: eks cluster restriction removed (Backport PR #​37278, Upstream PR #​37043, @​viktor-kurchenko)
• doc: Removed nodeinit from aks byocni install (Backport PR #​37168, Upstream PR #​37048, @​PhilipSchmid)
• docs: Add SNI policy example (Backport PR #​37375, Upstream PR #​37234, @​sayboras)
• docs: Clarify Identity-Relevant Labels description (Backport PR #​37168, Upstream PR #​36924, @​joestringer)
• docs: Fix broken link in BGP control plane docs (Backport PR #​37375, Upstream PR #​37241, @​mikejoh)
• docs: pass current_version to html_context (Backport PR #​37168, Upstream PR #​37008, @​ayuspin)
• docs: Remove stale limitation on KPR+IPsec (Backport PR #​37168, Upstream PR #​37054, @​pchaigno)
• images: don't assume Dockerfile directory in builder/runtime update scripts (Backport PR #​37375, Upstream PR #​34488, @​tklauser)
• proxy: Mark restored port as configured (Backport PR #​37168, Upstream PR #​36953, @​jrajahalme)
• Remove outdated roadmap matrix and links to it (Backport PR #​37278, Upstream PR #​37170, @​xmulligan)
• remove stable tags from image build (#​37394, @​aanm)
• renovate: add fix grpc-go autodetection (Backport PR #​37278, Upstream PR #​33570, @​aanm)

Other Changes:

• [v1.16] envoy: Bump envoy version to v1.31.x (#​37157, @​sayboras)
• chore(deps): update go to v1.23.5 (v1.16) (#​37189, @​sayboras)
• Do not leak ipcache entries when apiserver entities are cluster external (#​36927, @​antonipp)
• install: Update image digests for v1.16.6 (#​37154, @​cilium-release-bot[bot])
• Revert "chore(deps): update all-dependencies (v1.16)" (#​37525, @​sayboras)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.7@​sha256:294d2432507fed393b26e9fbfacb25c2e37095578cb34dabac7312b66ed0782e

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.7@​sha256:8e7eda5b194d45c3b1607f5bf31cbb3fecd0f1cf85ce32b41f93b2bd832bf02f

docker-plugin

quay.io/cilium/docker-plugin:v1.16.7@​sha256:d5c331e03a7c9f158e43eef46537a7656b668dcf76e7b8397520770a51747803

hubble-relay

quay.io/cilium/hubble-relay:v1.16.7@​sha256:8f408ed921cd534394aa1c57b313741cec6aec03a14ea243b2173cbf2c88c91e

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.7@​sha256:dbdc856303e1ab6734538e29791fdfc4fe2c1295fd7bbce8fa006cd3165f85c8

operator-aws

quay.io/cilium/operator-aws:v1.16.7@​sha256:110d922337bdbfc3cd4d7d71b85b2c8f72c1d9925e9b61b4cd73ff990799d7ba

operator-azure

quay.io/cilium/operator-azure:v1.16.7@​sha256:4e7e64cc505676d402c68043934e2c8efc75b294245514d7611a58d06b5e0f69

operator-generic

quay.io/cilium/operator-generic:v1.16.7@​sha256:25a41ac50bcebfb780ed2970e55a5ba1a5f26996850ed5a694dc69b312e0b5a0

operator

quay.io/cilium/operator:v1.16.7@​sha256:bac2496ba4348267ca5f16c2dd73ba7be76330cdd0eef0a6958c260a3bf5951d

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: cmd/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/go-logr/logr	v1.4.1 -> v1.4.2
google.golang.org/genproto/googleapis/rpc	v0.0.0-20241206012308-a4fef0638583 -> v0.0.0-20250212204824-5a70512c5d8b
google.golang.org/grpc	v1.68.1 -> v1.70.0

File name: flow/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
google.golang.org/genproto/googleapis/rpc	v0.0.0-20241206012308-a4fef0638583 -> v0.0.0-20250212204824-5a70512c5d8b
google.golang.org/grpc	v1.68.1 -> v1.70.0

[rolinh]

Looks like we need to add tidy to Renovate's config.