fix(deps): update module github.com/cilium/cilium to v1.17.14 [security] (v1.4) - abandoned

[cilium-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cilium/cilium	v1.17.10 → v1.17.14

---

Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic

BIT-cilium-2026-33726 / BIT-cilium-operator-2026-33726 / BIT-hubble-relay-2026-33726 / CVE-2026-33726 / GHSA-hxv8-4j4r-cqgv / GO-2026-4856

More information

Details

Impact

Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled.

Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (eni.enabled), AlibabaCloud ENI (alibabacloud.enabled), Azure IPAM (azure.enabled, but not AKS BYOCNI), and some GKE deployments (gke.enabled; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment.

Patches

This issue was fixed by #​44693.

This issue affects:

• Cilium v1.19 between v1.19.0 and v1.19.1 inclusive
• Cilium v1.18 between v1.18.0 and v1.18.7 inclusive
• All versions of Cilium prior to v1.17.13

This issue is fixed in:

• Cilium v1.19.2
• Cilium v1.18.8
• Cilium v1.17.14

Workarounds

Disclaimer: There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers.

Acknowledgements

The Cilium community has worked together with members of the Northflank and Isovalent teams to prepare these mitigations. Cilium thanks @​sudeephb and @​Champ-Goblem for reporting the issue and to @​smagnani96 and @​julianwiedmann for helping with the resolution.

For more information

Anyone who believes a vulnerability affecting Cilium has been found is strongly encouraged to report it to the security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and any such report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.

Severity

• CVSS Score: 5.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References

• https://github.com/cilium/cilium/security/advisories/GHSA-hxv8-4j4r-cqgv
• https://nvd.nist.gov/vuln/detail/CVE-2026-33726
• https://github.com/cilium/cilium/pull/44693
• https://docs.cilium.io/en/stable/network/concepts/routing/#routing
• https://docs.cilium.io/en/stable/network/kubernetes/policy/#network-policy
• https://docs.cilium.io/en/stable/network/servicemesh/l7-traffic-management
• https://docs.cilium.io/en/stable/operations/performance/tuning/#ebpf-host-routing
• https://github.com/cilium/cilium

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic in github.com/cilium/cilium

BIT-cilium-2026-33726 / BIT-cilium-operator-2026-33726 / BIT-hubble-relay-2026-33726 / CVE-2026-33726 / GHSA-hxv8-4j4r-cqgv / GO-2026-4856

More information

Details

Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic in github.com/cilium/cilium

Severity

Unknown

References

• https://github.com/cilium/cilium/security/advisories/GHSA-hxv8-4j4r-cqgv
• https://github.com/cilium/cilium/pull/44693
• https://docs.cilium.io/en/stable/network/concepts/routing/#routing
• https://docs.cilium.io/en/stable/network/kubernetes/policy/#network-policy
• https://docs.cilium.io/en/stable/network/servicemesh/l7-traffic-management
• https://docs.cilium.io/en/stable/operations/performance/tuning/#ebpf-host-routing

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.17.14: 1.17.14

Compare Source

Summary of Changes

Bugfixes:

• bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR #​44709, Upstream PR #​44658, @​smagnani96)
• Fix envoy admin socket being created as world-accessible (Backport PR #​44591, Upstream PR #​44512, @​0xch4z)
• l7lb: fix bypassing ingress policies for local backends (Backport PR #​44805, Upstream PR #​44693, @​smagnani96)

CI Changes:

• pkg: Mark node_linux_test.go as unparallel (Backport PR #​44591, Upstream PR #​38172, @​jschwinger233)

Misc Changes:

• [1.17] gha: Use eks 1.30 from us-west-2 (#​44752, @​sayboras)
• chore(deps): update all github action dependencies (v1.17) (#​44376, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​44485, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​44583, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​44687, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​44794, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​44373, @​cilium-renovate[bot])
• chore(deps): update base-images to v1.25.8 (v1.17) (#​44811, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.19.1 (v1.17) (#​44345, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.1 (v1.17) (#​44402, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.2 (v1.17) (#​44552, @​cilium-renovate[bot])
• chore(deps): update dependency mfridman/protoc-gen-go-json to v1.6.0 (v1.17) (#​44684, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v34 (v1.17) (#​44584, @​cilium-renovate[bot])
• chore(deps): update dependency sphinx-tabs to v3.5.0 (v1.17) (#​44685, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to d1e2e92 (v1.17) (#​44481, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to e3f9456 (v1.17) (#​44798, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to f512d81 (v1.17) (#​44581, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.4.1 (v1.17) (#​44686, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663 (v1.17) (#​44374, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1771585526-532310e626e42c7086de4ef3ea913736125bbd31 (v1.17) (#​44483, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773220507-ffc0948a7ec4868e6b552a71cf4d3860e78b53cc (v1.17) (#​44682, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773405792-4046425704636ea5b770460c20c065069cf572dc (v1.17) (#​44792, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773656288-7b052e66eb2cfc5ac130ce0a5be66202a10d83be (v1.17) (#​44808, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​44375, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​44484, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​44683, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​44793, @​cilium-renovate[bot])
• fix(deps): update k8s.io patch updates stable (v1.17) (patch) (#​44508, @​cilium-renovate[bot])
• fix(deps): update k8s.io patch updates stable to v0.32.13 (v1.17) (patch) (#​44582, @​cilium-renovate[bot])
• fix(deps): update k8s.io/utils digest to b8788ab (v1.17) (#​44482, @​cilium-renovate[bot])
• Include the results of find /sys/fs/bpf in bugtool output (Backport PR #​44591, Upstream PR #​38980, @​ti-mo)

Other Changes:

• Fix gke channels (#​44558, @​Artyop)
• install: Update image digests for v1.17.13 (#​44325, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.14@​sha256:cdcfab5b4466d607f713d1ada281ee4513dd3982eb2c48ef2d0cc708cc3d1ba3

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.14@​sha256:6cc4e47b2a50649e739dbb61f266497e7ef53d048b60dc32ba563bd4efd7f0ba

docker-plugin

quay.io/cilium/docker-plugin:v1.17.14@​sha256:087072e60566cc37e21facec0e4096d49bef2e83cd340896ae477a7746819067

hubble-relay

quay.io/cilium/hubble-relay:v1.17.14@​sha256:ce5b991bb011fa744c94e04fd7f1a7d3c8e3ce7d2da0652766abe6c468ead990

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.14@​sha256:bdfa469e453986b995632f889cfb90bc501b80a809ff4b8be8d236eba5fcc2cb

operator-aws

quay.io/cilium/operator-aws:v1.17.14@​sha256:182c13e6edda041bfc885932d5e87b1d8ac3588f6f6af309944efee46a2193b2

operator-azure

quay.io/cilium/operator-azure:v1.17.14@​sha256:a462e7265ee34a667905c6144b7aa5d5ee8328ee1a4eca3f44bdc1463cc69741

operator-generic

quay.io/cilium/operator-generic:v1.17.14@​sha256:773886ec9337f6628ba84e36ac7e3e554c1622024fc2a8b04a3377970aee8889

operator

quay.io/cilium/operator:v1.17.14@​sha256:2113d66000847f39135722c61545ddb2c1bbd9fc4479f10dca175fc4bf9bda1b

v1.17.13: 1.17.13

Compare Source

Summary of Changes

Minor Changes:

• runtime: Add libatomic1 for cilium-envoy dependency (Backport PR #​43926, Upstream PR #​43292, @​sayboras)

CI Changes:

• gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR #​44152, Upstream PR #​44109, @​julianwiedmann)
• gh: ariane: skip more workflows for LVH kernel updates (Backport PR #​44152, Upstream PR #​44115, @​julianwiedmann)
• gha: let CiliumEndpointSlice migration be run nightly on stable branches (Backport PR #​44005, Upstream PR #​43921, @​giorio94)

Misc Changes:

• .github/workflows: use proper directory structure for GH actions (#​43761, @​aanm)
• chore(deps): update all github action dependencies (v1.17) (#​43852, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​43989, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​44102, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​44259, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​43846, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.17) (#​43847, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.17) (#​44256, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.0 (v1.17) (#​43851, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v33.5 (v1.17) (#​44101, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to b3255e7 (v1.17) (#​44254, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e226d63 (v1.17) (#​43985, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.12 docker digest to c213114 (v1.17) (#​43986, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to cd1dba6 (v1.17) (#​43987, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to f9f84bd (v1.17) (#​44255, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.3.2 (v1.17) (#​43848, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.12-1768563234-33034fa55d3270872c9e2b24285bfaad20a90a54 (v1.17) (#​43849, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.17) (#​43988, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.17) (#​44257, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.17) (#​44261, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​43850, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​44100, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​44258, @​cilium-renovate[bot])
• docs: adjust URL to latest stable Hubble CLI version (Backport PR #​43778, Upstream PR #​43745, @​tklauser)
• docs: Document hubble requirement on kernels with BPF_EVENTS compiled in (Backport PR #​44057, Upstream PR #​44042, @​EmilyShepherd)
• docs: Update docsearch to v4.5.4 (Backport PR #​44274, Upstream PR #​44233, @​joestringer)
• gitattributes: make install/kubernetes driver match more specific. (Backport PR #​44057, Upstream PR #​43943, @​tommyp1ckles)
• workflows: Add id-token permission to call-publish-helm job (Backport PR #​43778, Upstream PR #​43717, @​aanm)

Other Changes:

• [v1.17] Backport setup gke cluster (#​43795, @​Artyop)
• install: Update image digests for v1.17.12 (#​43713, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.13@​sha256:1e3907ba8815e2e474ea8da25876911af2da0ae07c04eaa87a326ba4343aa539

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.13@​sha256:3aeee4e88b68934f45faf211a1e6b1b7310ac31b2dda448f5df77860c57a71fa

docker-plugin

quay.io/cilium/docker-plugin:v1.17.13@​sha256:a37e314f585cb57165605c50449ed9fb4458d766689a328405644920ae6de6ee

hubble-relay

quay.io/cilium/hubble-relay:v1.17.13@​sha256:0c49b7363157849623099de9fc9378da7146f49e7d5f602d113223542b789ace

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.13@​sha256:a383d4c3896d150aad8e6f1d54df942e98e83033f381e5b9a7f424d1caf77471

operator-aws

quay.io/cilium/operator-aws:v1.17.13@​sha256:8c6faae3a985690d35f77309a1300f4dd0e8f11544537e2589ffa3c0132d978a

operator-azure

quay.io/cilium/operator-azure:v1.17.13@​sha256:4ad4c0cc236efe751f33fb1449a056af10654bc9cb7407862d412bc065ba6185

operator-generic

quay.io/cilium/operator-generic:v1.17.13@​sha256:c2582d9eaeec598de9cd8815a3ed20caade17c26858eea672cff3240b0970983

operator

quay.io/cilium/operator:v1.17.13@​sha256:581d5d54e5993be947cbce34fd5cb3401d124e2859dad0c947272f911b9b0d16

v1.17.12: 1.17.12

Compare Source

Summary of Changes

Major Changes:

• Publish Helm charts to OCI registries (Backport PR #​43687, Upstream PR #​43624, @​aanm)

Bugfixes:

• Fix an issue in proxy NOTRACK iptables rule for aws-cni chaining mode which causes proxy->upstream(outside cluster) traffic not being SNAT'd. (Backport PR #​43677, Upstream PR #​43566, @​fristonio)
• ipcache: Fix leak in CIDR metadata consolidation logic (Backport PR #​43426, Upstream PR #​43074, @​christarazi)
• iptables: Fix IPv6 SNAT for L7 proxy upstream traffic (Backport PR #​43677, Upstream PR #​41034, @​gentoo-root)
• xds: fix nil-pointer in processRequestStream (Backport PR #​43613, Upstream PR #​43609, @​mhofstetter)

CI Changes:

• chore: comment job to use generated token instead of PAT (Backport PR #​43613, Upstream PR #​43148, @​sekhar-isovalent)
• ci: Use newer lvh image for privileged tests (Backport PR #​43489, Upstream PR #​41082, @​rastislavs)
• workflows/eks: Reduce test concurrency to 2 (#​43223, @​smagnani96)

Misc Changes:

• Add documentation and examples for using the egressDeny field in CiliumNetworkPolicy (Backport PR #​43426, Upstream PR #​40272, @​syedazeez337)
• chore(deps): update all github action dependencies (v1.17) (#​43469, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​43669, @​cilium-renovate[bot])
• chore(deps): update anchore/sbom-action action to v0.21.0 (v1.17) (#​43513, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.18.9 (v1.17) (#​43186, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v33.3 (v1.17) (#​43668, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 2383baa (v1.17) (#​43666, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.11 docker digest to 54528d1 (v1.17) (#​43417, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.11 docker digest to a61b432 (v1.17) (#​43544, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.12-1767177245-7935d4d711cb6f8020385a50c996b90896e16a71 (v1.17) (#​43545, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​43468, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​43547, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​43572, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​43667, @​cilium-renovate[bot])
• release: change OCI registry (Backport PR #​43687, Upstream PR #​43646, @​aanm)
• route: install ingress proxy routes with WireGuard and L7Proxy (Backport PR #​43435, Upstream PR #​42835, @​smagnani96)

Other Changes:

• [v1.17] bpf:hubble: support policy verdict from L3 devices (#​43382, @​smagnani96)
• [v1.17] deps: bump CNI plugins version to v1.9.0 (#​43592, @​diyi0926)
• [v1.17] ipcache: Fix leak in CIDR metadata consolidation logic (#​43355, @​christarazi)
• install: Update image digests for v1.17.11 (#​43399, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.12@​sha256:f525e12698149b3958024599493d9cc56fadbc46c9250cbced8016e9b9b679e5

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.12@​sha256:4c26ba1e62c44df28d58fc5bd8e1a87aa1d442aa081ff3e170e122f0106cd006

docker-plugin

quay.io/cilium/docker-plugin:v1.17.12@​sha256:4a17b4cfa041a0206242b2ead6c83598c2aec34c4d470c614d673840427f04e0

hubble-relay

quay.io/cilium/hubble-relay:v1.17.12@​sha256:ef2a294e81f91c74b729794f7098d61ee21b4c2efa11461c4e62623f5b5c240c

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.12@​sha256:fda5705cb82d601172b25f098031960bf79cad86a43acc180e7176be001b263f

operator-aws

quay.io/cilium/operator-aws:v1.17.12@​sha256:9b9aebf43f6ddd59a2db05a523422842d69c88662a901effabda8bca242136be

operator-azure

quay.io/cilium/operator-azure:v1.17.12@​sha256:69c9aea1b3d41017fc5f0066b818d4b8c123067f53feef4d855baad9daeb6515

operator-generic

quay.io/cilium/operator-generic:v1.17.12@​sha256:0b675406b1e43b198962d4f9c3a5ba6bb68fc98836cba05b224860109112f6d9

operator

quay.io/cilium/operator:v1.17.12@​sha256:42d19b80461bad1d0f4f0f08aa23ff5a5e3950ef516c1c514cb053144da336b8

v1.17.11: 1.17.11

Compare Source

Summary of Changes

Bugfixes:

• AWS EC2: Fix ENI attachment on multi-network card instances with high-performance networking (EFA) setups (Backport PR #​42744, Upstream PR #​42512, @​41ks)
• CiliumEnvoyConfig proxy ports are now restored on agent restarts. (Backport PR #​43118, Upstream PR #​43108, @​jrajahalme)
• Do not opt-out Endpoint ID 1 from dnsproxy transparent mode. (Backport PR #​42949, Upstream PR #​42887, @​jrajahalme)
• Fix a bug that would cause IPsec logs to incorrectly report the XFRM rules being processed as "Ingress" rules. (Backport PR #​42827, Upstream PR #​42640, @​sjohnsonpal)
• Fix bug that could cause the agent to fail to add XFRM states when IPsec is enabled, thus preventing a proper startup. (Backport PR #​42949, Upstream PR #​42666, @​pchaigno)
• Fix certain cases where LRPs with the skipRedirectFromBackend flag set were not correctly processed. (#​42751, @​aditighag)
• policy: Fix Endpoint Selector Policy Deadlock (Backport PR #​42969, Upstream PR #​38139, @​nathanjsweet)
• policy: Fix rare bug that prevented two endpoints that shared the same identity from being simultaneously updated. (Backport PR #​42969, Upstream PR #​37910, @​nathanjsweet)
• policy: Fix rare Endpoint Selector Policy Deadlock causing policies to not be updated with new identities (Backport PR #​42969, Upstream PR #​42306, @​odinuge)

CI Changes:

• .github: Consistently clean up workers on start (Backport PR #​43215, Upstream PR #​39644, @​joestringer)
• [v1.17] ci: bump ubuntu version for lint build commit workflow (#​42842, @​giorio94)
• bpf: test: egressgw: fix up ENABLE_MASQUERADE (Backport PR #​42967, Upstream PR #​42912, @​julianwiedmann)
• ci: install libtinfo5 for clang in build commits workflow (#​43142, @​tklauser)
• Delete .github/workflows/build-images-hotfixes.yaml (Backport PR #​42967, Upstream PR #​42958, @​sekhar-isovalent)
• gh: conn-disrupt: fix XFRM error checks (Backport PR #​42765, Upstream PR #​42724, @​julianwiedmann)
• gh: ipsec-e2e: fix flaky connection disruptivity test (Backport PR #​42850, Upstream PR #​42780, @​julianwiedmann)
• gha: additionally cleanup disk space in clustermesh upgrade workflow (Backport PR #​42949, Upstream PR #​42862, @​giorio94)
• gha: wait for cert-manager CRDs to be ready in conformance clustermesh (Backport PR #​42967, Upstream PR #​42947, @​giorio94)
• makefile: More reliable update-helm-values (Backport PR #​42827, Upstream PR #​42736, @​devodev)

Misc Changes:

• .github/workflows: make adjustments for new GitHub workflow behavior (#​43218, @​aanm)
• .github/workflows: remove auto-requested reviewers (Backport PR #​43345, Upstream PR #​42952, @​aanm)
• chore(deps): update all external docker images dependencies (v1.17) (#​43053, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​42685, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​43269, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (#​43324, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.17) (patch) (#​43321, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.17) (#​42402, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.28 (v1.17) (#​42772, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v33.1 (v1.17) (#​42808, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v33.2 (v1.17) (#​43189, @​cilium-renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf-go to v1.36.11 (v1.17) (#​43322, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to d80cd69 (v1.17) (#​43319, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.10 docker digest to 7b13449 (v1.17) (#​42806, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.24.11 docker digest to e3fb71a (v1.17) (#​43320, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to 2b7c93f (v1.17) (#​43185, @​cilium-renovate[bot])
• chore(deps): update github artifact actions (v1.17) (#​43325, @​cilium-renovate[bot])
• chore(deps): update go to v1.24.11 (v1.17) (#​43187, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​42807, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​42938, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​43038, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​43188, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.17) (patch) (#​43323, @​cilium-renovate[bot])
• docs: Add limitation about LB to same backend via multiple VIPs (Backport PR #​42744, Upstream PR #​42632, @​brb)
• Documentation: host firewall: document emergency recovery (Backport PR #​42949, Upstream PR #​42776, @​squeed)
• Minor improvements around certificate validation in etcd/clustermesh troubleshoot commands (Backport PR #​42949, Upstream PR #​42782, @​giorio94)
• tools/slogloggercheck: remove tool added by renovate (#​42738, @​aanm)

Other Changes:

• [v1.17] deps: bump x/crypto to v0.45.0 (#​43115, @​ferozsalam)
• [v1.17] proxy: Bump envoy version to v1.34.11 (#​43144, @​sayboras)
• [v1.17] proxy: Bump envoy version to v1.34.12 (#​43261, @​sayboras)
• install: Update image digests for v1.17.10 (#​42734, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.17.11@​sha256:260f7892b1e554f57618022070960bfbb78fc7a679feb934299f907e47ea8992

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.17.11@​sha256:cd298620390b388320b4e2178ab81f928160d410789eb590299e5d3877badace

docker-plugin

quay.io/cilium/docker-plugin:v1.17.11@​sha256:b8561a129770de63b776e7b7d3d02b8e5bb332507a14757284e9423f45fb1224

hubble-relay

quay.io/cilium/hubble-relay:v1.17.11@​sha256:e3fd2efae4563f06a15565af6c7e5b766ebb301b372acaa68e2f9184bafc98a6

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.17.11@​sha256:312dc6c796c809255dee302eebc613909500c5fe153df3f3b025c067f44e03bd

operator-aws

quay.io/cilium/operator-aws:v1.17.11@​sha256:363779644fc8a6d1f503140548fb3e8d0a861e27d2ee2ff4d86d75802beeea6e

operator-azure

quay.io/cilium/operator-azure:v1.17.11@​sha256:0782670b423ae84bef6728dd8626e2a6bd0512737207aa128392d70450fe5418

operator-generic

quay.io/cilium/operator-generic:v1.17.11@​sha256:dbd985d5b5602a4f2ae4aafd1332829bdd7d3bf452164b7288c90e3470590422

operator

quay.io/cilium/operator:v1.17.11@​sha256:5158e04f5a4e6d1a60f56e1aa5c23db685edd22d54cad23a06441187a38272a5

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[cilium-renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 9 additional dependencies were updated

Details:

Package	Change
k8s.io/api	v0.32.3 -> v0.32.13
k8s.io/apiextensions-apiserver	v0.32.3 -> v0.32.13
k8s.io/apimachinery	v0.32.3 -> v0.32.13
k8s.io/apiserver	v0.32.3 -> v0.32.13
k8s.io/client-go	v0.32.3 -> v0.32.13
k8s.io/code-generator	v0.32.3 -> v0.32.13
sigs.k8s.io/controller-runtime	v0.20.3 -> v0.20.4
k8s.io/component-base	v0.32.3 -> v0.32.13
k8s.io/utils	v0.0.0-20241210054802-24370beab758 -> v0.0.0-20260210185600-b8788abfbbc2

File name: pkg/k8s/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 13 additional dependencies were updated

Details:

Package	Change
golang.org/x/sync	v0.17.0 -> v0.18.0
k8s.io/apiextensions-apiserver	v0.32.3 -> v0.32.13
k8s.io/apimachinery	v0.32.3 -> v0.32.13
k8s.io/client-go	v0.32.3 -> v0.32.13
k8s.io/code-generator	v0.32.3 -> v0.32.13
golang.org/x/mod	v0.27.0 -> v0.29.0
golang.org/x/net	v0.45.0 -> v0.47.0
golang.org/x/sys	v0.36.0 -> v0.38.0
golang.org/x/term	v0.35.0 -> v0.37.0
golang.org/x/text	v0.29.0 -> v0.31.0
golang.org/x/tools	v0.36.0 -> v0.38.0
k8s.io/api	v0.32.3 -> v0.32.13
k8s.io/utils	v0.0.0-20241210054802-24370beab758 -> v0.0.0-20260210185600-b8788abfbbc2

[mtardy]

Based on your latest patch with renovate and vendor would you know what could be happening here @dangome3 ?

[mtardy]

We need to fix it manually or fix it systematically (better) by finding out what went wrong.

[dangome3]

Hey @mtardy 👋

I checked for a while what happened in the run that updated this commit, is this one renovate run

It didn't run the postUpgradeTasks at all, and I guess the reason for that is because this update is not managed by go.mod directly, but for this custom manager

tetragon/.github/renovate.json5

Lines 522 to 530 in 38a6543

	{
	"customType": "regex",
	"managerFilePatterns": [
	"tests/e2e/flags/flags.go"
	],
	"matchStrings": [
	"\\/\\/ renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s+CiliumVersion:\\s*\"(?<currentValue>.*?)\""
	]
	},

I think that is the issue for two reasons, first this log in the renovate run when it starts to update the branch:

DEBUG: Starting search at index 609 (repository=cilium/tetragon, baseBranch=v1.4, packageFile=tests/e2e/flags/flags.go, branch=renovate/v1.4-go-github.com-cilium-cilium-vulnerability)

Notice the packageFile=tests/e2e/flags/flags.go part, the other reason is that this specific file is also updated, which I guess wouldn't happen if this is just a go.mod update.

That being said, I would like to try the following fix:

diff --git a/.github/renovate.json5 b/.github/renovate.json5
index d9e247f63..972b575d0 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -526,7 +526,12 @@
       ],
       "matchStrings": [
         "\\/\\/ renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s+CiliumVersion:\\s*\"(?<currentValue>.*?)\""
-      ]
+      ],
+      "postUpgradeTasks": {
+        "commands": ["make vendor"],
+        "fileFilters": ["**/**"],
+        "executionMode": "branch"
+      }
     },
     {
       "customType": "regex",

I din't include the other commands because I think just updating cilium would not change the crds but I'm not 100% sure about that, what do you think? Should we try it?

[cilium-renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.