Closed tyriis-automation[bot] closed 5 days ago
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code
--- HelmRelease: kube-tools/reloader ClusterRole: kube-tools/reloader-role
+++ HelmRelease: kube-tools/reloader ClusterRole: kube-tools/reloader-role
@@ -30,12 +30,22 @@
verbs:
- list
- get
- update
- patch
- apiGroups:
+ - extensions
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - list
+ - get
+ - update
+ - patch
+- apiGroups:
- batch
resources:
- cronjobs
verbs:
- list
- get
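Review bot: The added rule grants `update` and `patch` on `deployments` and `daemonsets` in the `extensions` API group, which Kubernetes stopped serving for these resources in 1.16, so on a current cluster it is an inert entry that only widens the ClusterRole on paper. It shows up because the reloader chart moves from 1.2.0 back to 1.1.0 (see the `version:` lines in the reloader HelmRelease hunks), a downgrade that is not part of the Cilium update the description announces; presumably the branch is behind its base. Rebasing before merge should make this rule, and the identical hunk repeated for the second cluster further down, drop out of the rendered diff.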
--- HelmRelease: kube-tools/reloader Deployment: kube-tools/reloader
+++ HelmRelease: kube-tools/reloader Deployment: kube-tools/reloader
@@ -9,13 +9,13 @@
app: reloader
release: reloader
heritage: Helm
app.kubernetes.io/managed-by: Helm
group: com.stakater.platform
provider: stakater
- version: v1.2.0
+ version: v1.1.0
name: reloader
namespace: kube-tools
spec:
replicas: 1
revisionHistoryLimit: 2
selector:
@@ -28,29 +28,27 @@
app: reloader
release: reloader
heritage: Helm
app.kubernetes.io/managed-by: Helm
group: com.stakater.platform
provider: stakater
- version: v1.2.0
+ version: v1.1.0
spec:
containers:
- - image: ghcr.io/stakater/reloader:v1.2.0
+ - image: ghcr.io/stakater/reloader:v1.1.0
imagePullPolicy: IfNotPresent
name: reloader
env:
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
- divisor: '1'
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
- divisor: '1'
ports:
- name: http
containerPort: 9090
livenessProbe:
httpGet:
path: /live
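Review bot: The reloader container is referenced by tag only, `ghcr.io/stakater/reloader:v1.1.0`, while every Cilium image on this page carries an `@sha256:` digest. With `imagePullPolicy: IfNotPresent`, a tag that is re-pushed upstream can resolve to different content on different nodes. If the chart's values allow it, pin the digest as well, for example `image: ghcr.io/stakater/reloader:v1.1.0@sha256:<digest-of-reviewed-image>` (placeholder digest). The same lines appear in the second reloader Deployment diff further down, and the container spec continues outside this hunk.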
@@ -67,14 +65,12 @@
timeoutSeconds: 5
failureThreshold: 5
periodSeconds: 10
successThreshold: 1
initialDelaySeconds: 10
securityContext: {}
- args:
- - --log-level=info
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: reloader
--- HelmRelease: kube-system/cilium ServiceAccount: kube-system/hubble-relay
+++ HelmRelease: kube-system/cilium ServiceAccount: kube-system/hubble-relay
@@ -1,7 +1,8 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: hubble-relay
namespace: kube-system
+automountServiceAccountToken: false
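Review bot: `automountServiceAccountToken: false` on the ServiceAccount is only a default, because a pod spec that sets `automountServiceAccountToken: true` overrides it. The hubble-relay Deployment hunk on this page shows only the image line, so it is worth confirming in the rendered manifest that the pod template does not opt back in, and that hubble-relay still starts without a mounted API token. The same addition is repeated for the second cluster further down.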
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
@@ -131,12 +131,13 @@
mesh-auth-queue-size: '1024'
mesh-auth-rotated-identities-queue-size: '1024'
mesh-auth-gc-interval: 5m0s
proxy-xff-num-trusted-hops-ingress: '0'
proxy-xff-num-trusted-hops-egress: '0'
proxy-connect-timeout: '2'
+ proxy-initial-fetch-timeout: '30'
proxy-max-requests-per-connection: '0'
proxy-max-connection-duration-seconds: '0'
proxy-idle-timeout-seconds: '60'
external-envoy-proxy: 'true'
envoy-base-id: '0'
envoy-keep-cap-netbindservice: 'false'
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config
@@ -262,12 +262,13 @@
}
}
]
},
"dynamicResources": {
"ldsConfig": {
+ "initialFetchTimeout": "30s",
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
@@ -277,12 +278,13 @@
],
"setNodeOnFirstMessageOnly": true
},
"resourceApiVersion": "V3"
},
"cdsConfig": {
+ "initialFetchTimeout": "30s",
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
@@ -300,20 +302,19 @@
"name": "envoy.bootstrap.internal_listener",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"
}
}
],
- "layeredRuntime": {
- "layers": [
- {
- "name": "static_layer_0",
- "staticLayer": {
- "overload": {
- "global_downstream_max_connections": 50000
- }
+ "overload_manager": {
+ "resource_monitors": [
+ {
+ "name": "envoy.resource_monitors.global_downstream_max_connections",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig",
+ "max_active_downstream_connections": "50000"
}
}
]
},
"admin": {
"address": {
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
@@ -18,24 +18,24 @@
type: RollingUpdate
template:
metadata:
annotations:
prometheus.io/port: '9962'
prometheus.io/scrape: 'true'
- cilium.io/cilium-configmap-checksum: 378f758a513669cb2fafa7db57ecefb6110ac4e861fb92bcc6d3ef7661f28947
+ cilium.io/cilium-configmap-checksum: 564f0de0efe70f57be43e7633315d800441ab8d84e5d7e7d62f216c109b8d874
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
securityContext:
appArmorProfile:
type: Unconfined
containers:
- name: cilium-agent
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
command:
- cilium-agent
args:
- --config-dir=/tmp/cilium/config-map
startupProbe:
@@ -164,13 +164,13 @@
mountPath: /var/lib/cilium/tls/hubble
readOnly: true
- name: tmp
mountPath: /tmp
initContainers:
- name: config
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
command:
- cilium-dbg
- build-config
env:
- name: K8S_NODE_NAME
@@ -185,13 +185,13 @@
fieldPath: metadata.namespace
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
- name: mount-cgroup
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
env:
- name: CGROUP_ROOT
value: /run/cilium/cgroupv2
- name: BIN_PATH
value: /opt/cni/bin
@@ -208,13 +208,13 @@
- name: cni-path
mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
privileged: true
- name: apply-sysctl-overwrites
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
env:
- name: BIN_PATH
value: /opt/cni/bin
command:
- sh
@@ -229,13 +229,13 @@
- name: cni-path
mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
privileged: true
- name: clean-cilium-state
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
@@ -264,13 +264,13 @@
- name: cilium-cgroup
mountPath: /run/cilium/cgroupv2
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium
- name: install-cni-binaries
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
command:
- /install-plugin.sh
resources:
requests:
cpu: 100m
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy
@@ -28,13 +28,13 @@
spec:
securityContext:
appArmorProfile:
type: Unconfined
containers:
- name: cilium-envoy
- image: quay.io/cilium/cilium-envoy:v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd@sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba
+ image: quay.io/cilium/cilium-envoy:v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16@sha256:0287b36f70cfbdf54f894160082f4f94d1ee1fb10389f3a95baa6c8e448586ed
imagePullPolicy: IfNotPresent
command:
- /usr/bin/cilium-envoy-starter
args:
- --
- -c /var/run/cilium/envoy/bootstrap-config.json
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
@@ -20,24 +20,24 @@
maxSurge: 25%
maxUnavailable: 100%
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/cilium-configmap-checksum: 378f758a513669cb2fafa7db57ecefb6110ac4e861fb92bcc6d3ef7661f28947
+ cilium.io/cilium-configmap-checksum: 564f0de0efe70f57be43e7633315d800441ab8d84e5d7e7d62f216c109b8d874
prometheus.io/port: '9963'
prometheus.io/scrape: 'true'
labels:
io.cilium/app: operator
name: cilium-operator
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-operator
spec:
containers:
- name: cilium-operator
- image: quay.io/cilium/operator-generic:v1.16.3@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
+ image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
imagePullPolicy: IfNotPresent
command:
- cilium-operator-generic
args:
- --config-dir=/tmp/cilium/config-map
- --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay
+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay
@@ -34,13 +34,13 @@
capabilities:
drop:
- ALL
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
- image: quay.io/cilium/hubble-relay:v1.16.3@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
+ image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
imagePullPolicy: IfNotPresent
command:
- hubble-relay
args:
- serve
ports:
--- kubernetes/kube-nas/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium
+++ kubernetes/kube-nas/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium
@@ -12,13 +12,13 @@
spec:
chart: cilium
sourceRef:
kind: HelmRepository
name: cilium-charts
namespace: flux-system
- version: 1.16.3
+ version: 1.16.4
install:
remediation:
retries: 3
interval: 30m
maxHistory: 2
uninstall:
--- kubernetes/kube-nas/apps/kube-tools/reloader/app Kustomization: flux-system/reloader HelmRelease: kube-tools/reloader
+++ kubernetes/kube-nas/apps/kube-tools/reloader/app Kustomization: flux-system/reloader HelmRelease: kube-tools/reloader
@@ -12,13 +12,13 @@
spec:
chart: reloader
sourceRef:
kind: HelmRepository
name: stakater-charts
namespace: flux-system
- version: 1.2.0
+ version: 1.1.0
install:
createNamespace: true
remediation:
retries: 3
interval: 15m
maxHistory: 15
--- kubernetes/talos-flux/apps/kube-system/cilium/app Kustomization: flux-system/apps-cilium HelmRelease: kube-system/cilium
+++ kubernetes/talos-flux/apps/kube-system/cilium/app Kustomization: flux-system/apps-cilium HelmRelease: kube-system/cilium
@@ -13,13 +13,13 @@
spec:
chart: cilium
sourceRef:
kind: HelmRepository
name: cilium-charts
namespace: flux-system
- version: 1.16.3
+ version: 1.16.4
install:
remediation:
retries: 3
interval: 30m
uninstall:
keepHistory: false
--- kubernetes/talos-flux/apps/kube-tools/reloader/app Kustomization: flux-system/apps-reloader HelmRelease: kube-tools/reloader
+++ kubernetes/talos-flux/apps/kube-tools/reloader/app Kustomization: flux-system/apps-reloader HelmRelease: kube-tools/reloader
@@ -12,13 +12,13 @@
spec:
chart: reloader
sourceRef:
kind: HelmRepository
name: stakater-charts
namespace: flux-system
- version: 1.2.0
+ version: 1.1.0
install:
createNamespace: true
remediation:
retries: 3
interval: 15m
maxHistory: 15
Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
---|---|---|---|---|---|
✅ EDITORCONFIG | editorconfig-checker | 4 | 0 | 0.04s | |
✅ REPOSITORY | gitleaks | yes | no | 3.85s | |
✅ YAML | prettier | 4 | 0 | 0.75s | |
✅ YAML | yamllint | 4 | 0 | 0.58s |
See detailed report in MegaLinter reports
_Set `VALIDATE_ALL_CODEBASE: true` in mega-linter.yml to validate all sources, not only the diff_
MegaLinter is graciously provided by OX Security
--- HelmRelease: kube-tools/reloader ClusterRole: kube-tools/reloader-role
+++ HelmRelease: kube-tools/reloader ClusterRole: kube-tools/reloader-role
@@ -30,12 +30,22 @@
verbs:
- list
- get
- update
- patch
- apiGroups:
+ - extensions
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - list
+ - get
+ - update
+ - patch
+- apiGroups:
- batch
resources:
- cronjobs
verbs:
- list
- get
--- HelmRelease: kube-tools/reloader Deployment: kube-tools/reloader
+++ HelmRelease: kube-tools/reloader Deployment: kube-tools/reloader
@@ -9,13 +9,13 @@
app: reloader
release: reloader
heritage: Helm
app.kubernetes.io/managed-by: Helm
group: com.stakater.platform
provider: stakater
- version: v1.2.0
+ version: v1.1.0
name: reloader
namespace: kube-tools
spec:
replicas: 1
revisionHistoryLimit: 2
selector:
@@ -28,29 +28,27 @@
app: reloader
release: reloader
heritage: Helm
app.kubernetes.io/managed-by: Helm
group: com.stakater.platform
provider: stakater
- version: v1.2.0
+ version: v1.1.0
spec:
containers:
- - image: ghcr.io/stakater/reloader:v1.2.0
+ - image: ghcr.io/stakater/reloader:v1.1.0
imagePullPolicy: IfNotPresent
name: reloader
env:
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
resource: limits.cpu
- divisor: '1'
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
- divisor: '1'
ports:
- name: http
containerPort: 9090
livenessProbe:
httpGet:
path: /live
@@ -67,14 +65,12 @@
timeoutSeconds: 5
failureThreshold: 5
periodSeconds: 10
successThreshold: 1
initialDelaySeconds: 10
securityContext: {}
- args:
- - --log-level=info
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: reloader
--- HelmRelease: kube-system/cilium ServiceAccount: kube-system/hubble-relay
+++ HelmRelease: kube-system/cilium ServiceAccount: kube-system/hubble-relay
@@ -1,7 +1,8 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: hubble-relay
namespace: kube-system
+automountServiceAccountToken: false
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
@@ -131,12 +131,13 @@
mesh-auth-queue-size: '1024'
mesh-auth-rotated-identities-queue-size: '1024'
mesh-auth-gc-interval: 5m0s
proxy-xff-num-trusted-hops-ingress: '0'
proxy-xff-num-trusted-hops-egress: '0'
proxy-connect-timeout: '2'
+ proxy-initial-fetch-timeout: '30'
proxy-max-requests-per-connection: '0'
proxy-max-connection-duration-seconds: '0'
proxy-idle-timeout-seconds: '60'
external-envoy-proxy: 'false'
envoy-base-id: '0'
envoy-keep-cap-netbindservice: 'false'
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
@@ -16,24 +16,24 @@
rollingUpdate:
maxUnavailable: 2
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/cilium-configmap-checksum: b3b113569b2554a2aa38ec439c305508ecfd61b54c0362ef0570c9fcb1aa0070
+ cilium.io/cilium-configmap-checksum: dcd2856884e3b1d2f8ff4f5fe374266de1adb304d01a6aa52713e27ea1781a5e
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
securityContext:
appArmorProfile:
type: Unconfined
containers:
- name: cilium-agent
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
command:
- cilium-agent
args:
- --config-dir=/tmp/cilium/config-map
startupProbe:
@@ -173,13 +173,13 @@
mountPath: /var/lib/cilium/tls/hubble
readOnly: true
- name: tmp
mountPath: /tmp
initContainers:
- name: config
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
command:
- cilium-dbg
- build-config
env:
- name: K8S_NODE_NAME
@@ -198,13 +198,13 @@
value: '6443'
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
- name: apply-sysctl-overwrites
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
env:
- name: BIN_PATH
value: /opt/cni/bin
command:
- sh
@@ -219,13 +219,13 @@
- name: cni-path
mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
privileged: true
- name: clean-cilium-state
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
@@ -258,13 +258,13 @@
- name: cilium-cgroup
mountPath: /sys/fs/cgroup
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium
- name: install-cni-binaries
- image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
+ image: quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf
imagePullPolicy: IfNotPresent
command:
- /install-plugin.sh
resources:
requests:
cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
@@ -20,22 +20,22 @@
maxSurge: 25%
maxUnavailable: 50%
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/cilium-configmap-checksum: b3b113569b2554a2aa38ec439c305508ecfd61b54c0362ef0570c9fcb1aa0070
+ cilium.io/cilium-configmap-checksum: dcd2856884e3b1d2f8ff4f5fe374266de1adb304d01a6aa52713e27ea1781a5e
labels:
io.cilium/app: operator
name: cilium-operator
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-operator
spec:
containers:
- name: cilium-operator
- image: quay.io/cilium/operator-generic:v1.16.3@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
+ image: quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5
imagePullPolicy: IfNotPresent
command:
- cilium-operator-generic
args:
- --config-dir=/tmp/cilium/config-map
- --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay
+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay
@@ -34,13 +34,13 @@
capabilities:
drop:
- ALL
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
- image: quay.io/cilium/hubble-relay:v1.16.3@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089
+ image: quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2
imagePullPolicy: IfNotPresent
command:
- hubble-relay
args:
- serve
ports:
This PR contains the following updates:
1.16.3 -> 1.16.4
1.16.3 -> 1.16.4
Release Notes
cilium/cilium (cilium)
### [`v1.16.4`](https://redirect.github.com/cilium/cilium/releases/tag/v1.16.4): 1.16.4 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.16.3...1.16.4) ## Summary of Changes **Minor Changes:** - Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35809](https://redirect.github.com/cilium/cilium/issues/35809), [@jrajahalme](https://redirect.github.com/jrajahalme)) - clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR [#35543](https://redirect.github.com/cilium/cilium/issues/35543), Upstream PR [#35349](https://redirect.github.com/cilium/cilium/issues/35349), [@giorio94](https://redirect.github.com/giorio94)) - helm: Lower default `hubble.tls.auto.certValidityDuration` to 365 days (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35630](https://redirect.github.com/cilium/cilium/issues/35630), [@chancez](https://redirect.github.com/chancez)) - helm: New socketLB.tracing flag (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35747](https://redirect.github.com/cilium/cilium/issues/35747), [@pchaigno](https://redirect.github.com/pchaigno)) - hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35632](https://redirect.github.com/cilium/cilium/issues/35632), [@chancez](https://redirect.github.com/chancez)) - netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. 
(Backport PR [#35543](https://redirect.github.com/cilium/cilium/issues/35543), Upstream PR [#35306](https://redirect.github.com/cilium/cilium/issues/35306), [@jrife](https://redirect.github.com/jrife)) **Bugfixes:** - Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR [#35468](https://redirect.github.com/cilium/cilium/issues/35468), Upstream PR [#35179](https://redirect.github.com/cilium/cilium/issues/35179), [@wedaly](https://redirect.github.com/wedaly)) - bgpv1: fix reconciliation of services with shared VIPs (Backport PR [#35468](https://redirect.github.com/cilium/cilium/issues/35468), Upstream PR [#35333](https://redirect.github.com/cilium/cilium/issues/35333), [@rastislavs](https://redirect.github.com/rastislavs)) - bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR [#35863](https://redirect.github.com/cilium/cilium/issues/35863), Upstream PR [#35690](https://redirect.github.com/cilium/cilium/issues/35690), [@YutaroHayakawa](https://redirect.github.com/YutaroHayakawa)) - bgpv2: set local peering address when specified (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35552](https://redirect.github.com/cilium/cilium/issues/35552), [@harsimran-pabla](https://redirect.github.com/harsimran-pabla)) - Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR [#35603](https://redirect.github.com/cilium/cilium/issues/35603), Upstream PR [#35150](https://redirect.github.com/cilium/cilium/issues/35150), [@jrajahalme](https://redirect.github.com/jrajahalme)) - Cilium's DNS proxy no longer gets stuck for a specific five-tuple if an `timeout waiting for response` error is encountered. 
(Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35589](https://redirect.github.com/cilium/cilium/issues/35589), [@bimmlerd](https://redirect.github.com/bimmlerd)) - config: Remove superfluous warning on native routing CIDR (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35738](https://redirect.github.com/cilium/cilium/issues/35738), [@gandro](https://redirect.github.com/gandro)) - Fix missing flowlabel hash on SRv6 traffic. (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35498](https://redirect.github.com/cilium/cilium/issues/35498), [@akaliwod](https://redirect.github.com/akaliwod)) - Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR [#35543](https://redirect.github.com/cilium/cilium/issues/35543), Upstream PR [#35173](https://redirect.github.com/cilium/cilium/issues/35173), [@smagnani96](https://redirect.github.com/smagnani96)) - Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35673](https://redirect.github.com/cilium/cilium/issues/35673), [@giorio94](https://redirect.github.com/giorio94)) - Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR [#35468](https://redirect.github.com/cilium/cilium/issues/35468), Upstream PR [#35165](https://redirect.github.com/cilium/cilium/issues/35165), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. 
(Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35694](https://redirect.github.com/cilium/cilium/issues/35694), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35599](https://redirect.github.com/cilium/cilium/issues/35599), [@squeed](https://redirect.github.com/squeed)) - Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR [#35543](https://redirect.github.com/cilium/cilium/issues/35543), Upstream PR [#35293](https://redirect.github.com/cilium/cilium/issues/35293), [@squeed](https://redirect.github.com/squeed)) - Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR [#35906](https://redirect.github.com/cilium/cilium/issues/35906), Upstream PR [#35890](https://redirect.github.com/cilium/cilium/issues/35890), [@squeed](https://redirect.github.com/squeed)) - Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". 
([#35611](https://redirect.github.com/cilium/cilium/issues/35611), [@pippolo84](https://redirect.github.com/pippolo84)) - helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR [#35319](https://redirect.github.com/cilium/cilium/issues/35319), Upstream PR [#35301](https://redirect.github.com/cilium/cilium/issues/35301), [@hox](https://redirect.github.com/hox)) - helm: fix duplicate configmap key for `bpf-lb-sock-terminate-pod-connections` (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35703](https://redirect.github.com/cilium/cilium/issues/35703), [@solidDoWant](https://redirect.github.com/solidDoWant)) - helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35674](https://redirect.github.com/cilium/cilium/issues/35674), [@ayuspin](https://redirect.github.com/ayuspin)) - hubble: fix endpoint cluster name (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35415](https://redirect.github.com/cilium/cilium/issues/35415), [@kaworu](https://redirect.github.com/kaworu)) - hubble: Lock exporters while gathering metrics (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35860](https://redirect.github.com/cilium/cilium/issues/35860), [@joestringer](https://redirect.github.com/joestringer)) - Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. 
(Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35143](https://redirect.github.com/cilium/cilium/issues/35143), [@jrajahalme](https://redirect.github.com/jrajahalme)) - ipam: Validate CiliumNode resource in ENI mode (Backport PR [#35792](https://redirect.github.com/cilium/cilium/issues/35792), Upstream PR [#35784](https://redirect.github.com/cilium/cilium/issues/35784), [@sayboras](https://redirect.github.com/sayboras)) - l7lb: fix registration of flag loadbalancer-l7 (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35623](https://redirect.github.com/cilium/cilium/issues/35623), [@mhofstetter](https://redirect.github.com/mhofstetter)) - Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR [#35319](https://redirect.github.com/cilium/cilium/issues/35319), Upstream PR [#35069](https://redirect.github.com/cilium/cilium/issues/35069), [@chancez](https://redirect.github.com/chancez)) - option: Reduce log level for WG strict mode + IPv6 (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35763](https://redirect.github.com/cilium/cilium/issues/35763), [@pchaigno](https://redirect.github.com/pchaigno)) - Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport PR [#35468](https://redirect.github.com/cilium/cilium/issues/35468), Upstream PR [#35381](https://redirect.github.com/cilium/cilium/issues/35381), [@jrajahalme](https://redirect.github.com/jrajahalme)) - treewide: Add wrapper for `netlink` functions that may fail with `ErrDumpInterrupted` (Backport PR [#35654](https://redirect.github.com/cilium/cilium/issues/35654), Upstream PR [#35614](https://redirect.github.com/cilium/cilium/issues/35614), [@gandro](https://redirect.github.com/gandro)) - wireguard: Fix connectivity issues following node reboots. 
(Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35750](https://redirect.github.com/cilium/cilium/issues/35750), [@jrife](https://redirect.github.com/jrife)) **CI Changes:** - .github/conformance-ginkgo: replace deprecated jq flag (Backport PR [#35468](https://redirect.github.com/cilium/cilium/issues/35468), Upstream PR [#35399](https://redirect.github.com/cilium/cilium/issues/35399), [@aanm](https://redirect.github.com/aanm)) - .github: extend timeout for tests-ipsec-upgrade workflow (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35657](https://redirect.github.com/cilium/cilium/issues/35657), [@rastislavs](https://redirect.github.com/rastislavs)) - .github: remove libncurses5 from integration tests (Backport PR [#35468](https://redirect.github.com/cilium/cilium/issues/35468), Upstream PR [#35408](https://redirect.github.com/cilium/cilium/issues/35408), [@aanm](https://redirect.github.com/aanm)) - \[v1.16] gh: e2e-upgrade: restart LRP backend pod after upgrade ([#35329](https://redirect.github.com/cilium/cilium/issues/35329), [@ysksuzuki](https://redirect.github.com/ysksuzuki)) - \[v1.16] github: update rhel8 LVH image to rhel8.6 ([#35733](https://redirect.github.com/cilium/cilium/issues/35733), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - Additionally test KVStore mode in E2E/IPSec workflows (Backport PR [#35905](https://redirect.github.com/cilium/cilium/issues/35905), Upstream PR [#35679](https://redirect.github.com/cilium/cilium/issues/35679), [@giorio94](https://redirect.github.com/giorio94)) - ci: conformance-kind: re-enable flaky Aggregator test (Backport PR [#35582](https://redirect.github.com/cilium/cilium/issues/35582), Upstream PR [#35286](https://redirect.github.com/cilium/cilium/issues/35286), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - ci: datapath-verifier: bump lvh images (Backport PR 
[#35648](https://redirect.github.com/cilium/cilium/issues/35648), Upstream PR [#35456](https://redirect.github.com/cilium/cilium/issues/35456), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - gha: Update chmod command (Backport PR [#35468](https://redirect.github.com/cilium/cilium/issues/35468), Upstream PR [#35400](https://redirect.github.com/cilium/cilium/issues/35400), [@sayboras](https://redirect.github.com/sayboras)) - github: Pass the workflow step timeout to go test (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35814](https://redirect.github.com/cilium/cilium/issues/35814), [@jrajahalme](https://redirect.github.com/jrajahalme)) - Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport PR [#35319](https://redirect.github.com/cilium/cilium/issues/35319), Upstream PR [#35267](https://redirect.github.com/cilium/cilium/issues/35267), [@aanm](https://redirect.github.com/aanm)) - workflows/gateway-api: Cover IPsec with GatewayAPI (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35584](https://redirect.github.com/cilium/cilium/issues/35584), [@pchaigno](https://redirect.github.com/pchaigno)) - workflows/ingress: Run basic checks (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35683](https://redirect.github.com/cilium/cilium/issues/35683), [@pchaigno](https://redirect.github.com/pchaigno)) - workflows/ipsec: Cover Ingress (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35476](https://redirect.github.com/cilium/cilium/issues/35476), [@pchaigno](https://redirect.github.com/pchaigno)) - workflows: Extend IPsec tests to cover egress gateway (Backport PR [#35540](https://redirect.github.com/cilium/cilium/issues/35540), Upstream PR [#35323](https://redirect.github.com/cilium/cilium/issues/35323), [@pchaigno](https://redirect.github.com/pchaigno)) **Misc Changes:** - 
.github/build-images-base: checkout base branch to get scripts (Backport PR [#35319](https://redirect.github.com/cilium/cilium/issues/35319), Upstream PR [#35236](https://redirect.github.com/cilium/cilium/issues/35236), [@aanm](https://redirect.github.com/aanm)) - .github: remove retention days for image digests (Backport PR [#35468](https://redirect.github.com/cilium/cilium/issues/35468), Upstream PR [#35457](https://redirect.github.com/cilium/cilium/issues/35457), [@aanm](https://redirect.github.com/aanm)) - bpf: vxlan helper improvements (Backport PR [#35543](https://redirect.github.com/cilium/cilium/issues/35543), Upstream PR [#34755](https://redirect.github.com/cilium/cilium/issues/34755), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - chore(deps): update all github action dependencies (v1.16) ([#35382](https://redirect.github.com/cilium/cilium/issues/35382), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.16) ([#35439](https://redirect.github.com/cilium/cilium/issues/35439), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.16) ([#35573](https://redirect.github.com/cilium/cilium/issues/35573), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.16) ([#35710](https://redirect.github.com/cilium/cilium/issues/35710), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.16) ([#35438](https://redirect.github.com/cilium/cilium/issues/35438), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.22.8 docker digest to [`0ca97f4`](https://redirect.github.com/cilium/cilium/commit/0ca97f4) (v1.16) ([#35730](https://redirect.github.com/cilium/cilium/issues/35730), 
[@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.22.8 docker digest to [`b274ff1`](https://redirect.github.com/cilium/cilium/commit/b274ff1) (v1.16) ([#35379](https://redirect.github.com/cilium/cilium/issues/35379), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.9 (v1.16) ([#35854](https://redirect.github.com/cilium/cilium/issues/35854), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.16) ([#35491](https://redirect.github.com/cilium/cilium/issues/35491), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.16) (patch) ([#35731](https://redirect.github.com/cilium/cilium/issues/35731), [@cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - cilium, docs: Extend requirements for L7 proxy (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35669](https://redirect.github.com/cilium/cilium/issues/35669), [@borkmann](https://redirect.github.com/borkmann)) - cilium: add probe for netkit for more user friendly error when not supported (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35551](https://redirect.github.com/cilium/cilium/issues/35551), [@borkmann](https://redirect.github.com/borkmann)) - ctrl-runtime: lower severity of retryable reconcile errors (Backport PR [#35592](https://redirect.github.com/cilium/cilium/issues/35592), Upstream PR [#35364](https://redirect.github.com/cilium/cilium/issues/35364), [@giorio94](https://redirect.github.com/giorio94)) - daemon: Reduce level of socket LB tracing warning (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR 
[#35798](https://redirect.github.com/cilium/cilium/issues/35798), [@pchaigno](https://redirect.github.com/pchaigno)) - datapath: move policy map value prefix length to flags (Backport PR [#35603](https://redirect.github.com/cilium/cilium/issues/35603), Upstream PR [#35534](https://redirect.github.com/cilium/cilium/issues/35534), [@jrajahalme](https://redirect.github.com/jrajahalme)) - dnsproxy: fix error when sessionUDPFactory fails (Backport PR [#35543](https://redirect.github.com/cilium/cilium/issues/35543), Upstream PR [#33998](https://redirect.github.com/cilium/cilium/issues/33998), [@marseel](https://redirect.github.com/marseel)) - docs/ipsec: Remove KPR limitation (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35743](https://redirect.github.com/cilium/cilium/issues/35743), [@pchaigno](https://redirect.github.com/pchaigno)) - docs/xfrm: Fix incorrect statement regarding XFRM IN policies (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35626](https://redirect.github.com/cilium/cilium/issues/35626), [@pchaigno](https://redirect.github.com/pchaigno)) - docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport PR [#35319](https://redirect.github.com/cilium/cilium/issues/35319), Upstream PR [#35288](https://redirect.github.com/cilium/cilium/issues/35288), [@oneumyvakin](https://redirect.github.com/oneumyvakin)) - docs: clean up stale kernel requirements (Backport PR [#35582](https://redirect.github.com/cilium/cilium/issues/35582), Upstream PR [#35575](https://redirect.github.com/cilium/cilium/issues/35575), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - docs: Fix incorrect link to RFC 4271 for BGP control plane timers. 
(Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35725](https://redirect.github.com/cilium/cilium/issues/35725), [@nvibert](https://redirect.github.com/nvibert)) - docs: kpr: update error message regarding SocketLB tracing (Backport PR [#35468](https://redirect.github.com/cilium/cilium/issues/35468), Upstream PR [#35337](https://redirect.github.com/cilium/cilium/issues/35337), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - docs: tuning: XDP LB also supports tunnel routing (Backport PR [#35582](https://redirect.github.com/cilium/cilium/issues/35582), Upstream PR [#35574](https://redirect.github.com/cilium/cilium/issues/35574), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - docs: update 1.16 upgrade note for LRP ([#35944](https://redirect.github.com/cilium/cilium/issues/35944), [@ysksuzuki](https://redirect.github.com/ysksuzuki)) - docs: update default identity label filters (Backport PR [#35468](https://redirect.github.com/cilium/cilium/issues/35468), Upstream PR [#35422](https://redirect.github.com/cilium/cilium/issues/35422), [@marseel](https://redirect.github.com/marseel)) - docs: XFRM reference guide for IPsec development (Backport PR [#35582](https://redirect.github.com/cilium/cilium/issues/35582), Upstream PR [#35322](https://redirect.github.com/cilium/cilium/issues/35322), [@pchaigno](https://redirect.github.com/pchaigno)) - Envoy simplify listener setup (Backport PR [#35764](https://redirect.github.com/cilium/cilium/issues/35764), Upstream PR [#35642](https://redirect.github.com/cilium/cilium/issues/35642), [@jrajahalme](https://redirect.github.com/jrajahalme)) - envoy: Configure internal_address_config to avoid warning log (Backport PR [#35471](https://redirect.github.com/cilium/cilium/issues/35471), Upstream PR [#35090](https://redirect.github.com/cilium/cilium/issues/35090), [@sayboras](https://redirect.github.com/sayboras)) - envoy: Limit started serving logging to the 
typeURL of the stream (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35736](https://redirect.github.com/cilium/cilium/issues/35736), [@jrajahalme](https://redirect.github.com/jrajahalme)) - Fix wrongly spelled config option in error message (Backport PR [#35543](https://redirect.github.com/cilium/cilium/issues/35543), Upstream PR [#35390](https://redirect.github.com/cilium/cilium/issues/35390), [@baurmatt](https://redirect.github.com/baurmatt)) - helm: clarify text for serviceNoBackendResponse (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR [#35734](https://redirect.github.com/cilium/cilium/issues/35734), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - hubble: Add 'release' Make target (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35561](https://redirect.github.com/cilium/cilium/issues/35561), [@michi-covalent](https://redirect.github.com/michi-covalent)) - image: Use cilium-builder instead of golang as operator builder image (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35351](https://redirect.github.com/cilium/cilium/issues/35351), [@learnitall](https://redirect.github.com/learnitall)) - iptables: always warn about missing xt_socket module (Backport PR [#35781](https://redirect.github.com/cilium/cilium/issues/35781), Upstream PR [#35591](https://redirect.github.com/cilium/cilium/issues/35591), [@julianwiedmann](https://redirect.github.com/julianwiedmann)) - makefile: add target to install Cilium in kvstore mode (Backport PR [#35905](https://redirect.github.com/cilium/cilium/issues/35905), Upstream PR [#35646](https://redirect.github.com/cilium/cilium/issues/35646), [@giorio94](https://redirect.github.com/giorio94)) - proxy: Ensure proxy ports are written on shutdown (Backport PR [#35908](https://redirect.github.com/cilium/cilium/issues/35908), Upstream PR 
[#35839](https://redirect.github.com/cilium/cilium/issues/35839), [@jrajahalme](https://redirect.github.com/jrajahalme)) - Silence spurious clustermesh-related warnings (Backport PR [#35850](https://redirect.github.com/cilium/cilium/issues/35850), Upstream PR [#35867](https://redirect.github.com/cilium/cilium/issues/35867), [@giorio94](https://redirect.github.com/giorio94)) **Other Changes:** - \[v1.16] envoy: Add configuration for OverloadManager ([#35787](https://redirect.github.com/cilium/cilium/issues/35787), [@sayboras](https://redirect.github.com/sayboras)) - \[v1.16] envoy: Bump envoy version from 1.29.x to 1.30.x ([#35563](https://redirect.github.com/cilium/cilium/issues/35563), [@sayboras](https://redirect.github.com/sayboras)) - \[v1.16] policy/correlation: Fix `PolicyMatch{L3Proto,L4Only}` case ([#35681](https://redirect.github.com/cilium/cilium/issues/35681), [@gandro](https://redirect.github.com/gandro)) - chore(deps): update cilium-envoy dependency ([#35920](https://redirect.github.com/cilium/cilium/issues/35920), [@sayboras](https://redirect.github.com/sayboras)) - install: Update image digests for v1.16.3 ([#35361](https://redirect.github.com/cilium/cilium/issues/35361), [@cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot]) - Policy add deny rule test and benchmark ([#35714](https://redirect.github.com/cilium/cilium/issues/35714), [@jrajahalme](https://redirect.github.com/jrajahalme)) ##### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf` `quay.io/cilium/cilium:stable@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.16.4@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2` `quay.io/cilium/clustermesh-apiserver:stable@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2` ##### docker-plugin 
`quay.io/cilium/docker-plugin:v1.16.4@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e` `quay.io/cilium/docker-plugin:stable@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2` `quay.io/cilium/hubble-relay:stable@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.16.4@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686` `quay.io/cilium/operator-alibabacloud:stable@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686` ##### operator-aws `quay.io/cilium/operator-aws:v1.16.4@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be` `quay.io/cilium/operator-aws:stable@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be` ##### operator-azure `quay.io/cilium/operator-azure:v1.16.4@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de` `quay.io/cilium/operator-azure:stable@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de` ##### operator-generic `quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5` `quay.io/cilium/operator-generic:stable@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5` ##### operator `quay.io/cilium/operator:v1.16.4@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff` `quay.io/cilium/operator:stable@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff`Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.