Merged
[ upstream commit b1aa28a ]

The Role/RoleBinding for cilium-tlsinterception-secrets had mismatched conditionals, causing the RoleBinding to be created without its Role when operator.enabled=false. Align both to use consistent agent-based conditionals.

Fixes: #44053
Signed-off-by: Pavan More <pavansmore05@gmail.com>
Signed-off-by: Antony Reynaud <antony.reynaud@isovalent.com>
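A check for the failure mode this commit message describes, a RoleBinding rendered without the Role it references, written as an added example (not code from the Cilium repository). It assumes the rendered chart objects are available as a JSON list; the sample input is constructed and the namespace `example-secrets` is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// rendered is constructed sample data shaped like a Kubernetes List of
// rendered chart objects; the namespace is a placeholder, not a real value.
const rendered = `{"items":[
 {"kind":"RoleBinding","metadata":{"name":"cilium-tlsinterception-secrets","namespace":"example-secrets"},
  "roleRef":{"kind":"Role","name":"cilium-tlsinterception-secrets"}},
 {"kind":"Role","metadata":{"name":"other-role","namespace":"example-secrets"}},
 {"kind":"RoleBinding","metadata":{"name":"other-binding","namespace":"example-secrets"},
  "roleRef":{"kind":"Role","name":"other-role"}}
]}`

type object struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	RoleRef struct {
		Kind string `json:"kind"`
		Name string `json:"name"`
	} `json:"roleRef"`
}

// danglingRoleBindings returns "namespace/name" for every RoleBinding whose
// roleRef names a Role that is absent from the same namespace in the input.
func danglingRoleBindings(listJSON string) ([]string, error) {
	var list struct{ Items []object `json:"items"` }
	if err := json.Unmarshal([]byte(listJSON), &list); err != nil {
		return nil, err
	}
	roles := map[string]bool{}
	for _, o := range list.Items {
		if o.Kind == "Role" {
			roles[o.Metadata.Namespace+"/"+o.Metadata.Name] = true
		}
	}
	var out []string
	for _, o := range list.Items {
		// A roleRef of kind ClusterRole is cluster-scoped and not checked here.
		if o.Kind == "RoleBinding" && o.RoleRef.Kind == "Role" &&
			!roles[o.Metadata.Namespace+"/"+o.RoleRef.Name] {
			out = append(out, o.Metadata.Namespace+"/"+o.Metadata.Name)
		}
	}
	return out, nil
}

func main() { fmt.Println(danglingRoleBindings(rendered)) }
```

Running the same check over the chart rendered with each combination of the relevant values catches a conditional mismatch before it ships.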
[ upstream commit 3975517 ]

Currently, the endpoint watchdog reloads all Cilium endpoint BPF programs as soon as it detects one endpoint without the programs loaded.

While analysing these watchdog warnings, it would be helpful to have the list of the endpoints without the programs loaded in the log message (and not just the total count of all endpoints).

Therefore, this commit slightly changes the logic and collects all endpoints without the programs loaded before reloading the programs (incl. the proper log message).

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Antony Reynaud <antony.reynaud@isovalent.com>

[ upstream commit d7ad784 ]

Verify RuleOrigin values of computed policies against the expected ones in policy unit tests.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Antony Reynaud <antony.reynaud@isovalent.com>

[ upstream commit 8cf9ac2 ]

Higher precedence rules override lower precedence ones, but we still merged the rule origin metadata regardless. Move rule origin merging to L4Filter.mergePortProto() so that the rule priority overrides can be considered also for rule origin updates.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Antony Reynaud <antony.reynaud@isovalent.com>

[ upstream commit d88b6bb ]

PerSelectorPolicy is not just for L7 rules any more, it is high time to reflect this in the local variable names used. 'newPerSelectorPolicy' would be a bit long, so use just 'newPolicy' and 'existingPolicy' with comments that make it obvious that these are PerSelectorPolicies.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Antony Reynaud <antony.reynaud@isovalent.com>

[ upstream commit 3953c12 ]

Previously cilium-operator fails to start if MCS/installCRDs is enabled because it does not have permissions to update the CRD with this log message:

```
level=error msg="Unable to update CRD" module=operator.operator-controlplane.leader-lifecycle.create-crds name=serviceimports.multicluster.x-k8s.io error="customresourcedefinitions.apiextensions.k8s.io \"serviceimports.multicluster.x-k8s.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\" cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope"
```

This patch adds the necessary permissions to cilium-operator if you have mcs/installCRDs enabled.

Fixes: #44210
Fixes: 3874013 ("clustermesh: add config for auto installing MCS-API CRDs")
Signed-off-by: Florian Ströger <stroeger@youniqx.com>
Signed-off-by: Antony Reynaud <antony.reynaud@isovalent.com>
[ upstream commit 24e7add ]

This commit fixes a cilium-agent panic during datapath reinitialization when a DirectRouting device is required but not configured. This can happen when the direct routing device drops, for example during networkd restart.

```
time=2026-01-14T07:39:46.444386888Z level=info msg="Devices changed" module=agent.datapath.devices-controller devices=[]
time=2026-01-14T07:39:46.444654289Z level=info msg="Fallback node addresses updated" module=agent.datapath.node-address addresses="127.0.0.1 (primary), ::1 (primary)" device=*
time=2026-01-14T07:39:46.44474159Z level=info msg="Node addresses updated" module=agent.datapath.node-address addresses="127.0.0.1 (primary), ::1 (primary)" device=*
time=2026-01-14T07:39:46.444833191Z level=info msg="Node addresses updated" module=agent.datapath.node-address addresses="" device=eth0
panic: runtime error: index out of range [3] with length 0

goroutine 415 [running]:
github.com/cilium/cilium/pkg/byteorder.NetIPv4ToHost32({0x0?, 0xc000e9e5d0?, 0x49e07bb?})
	/go/src/github.com/cilium/cilium/pkg/byteorder/byteorder.go:15 +0x65
github.com/cilium/cilium/pkg/datapath/linux/config.(*HeaderfileWriter).WriteNodeConfig(0xc0004280e0, {0x7ff1517a6ba8, 0xc0023ec400}, 0xc001d00508)
	/go/src/github.com/cilium/cilium/pkg/datapath/linux/config/config.go:150 +0xa4b
github.com/cilium/cilium/pkg/datapath/loader.hashDatapath({0x50fbfb0, 0xc0004280e0}, 0xc001d00508)
	/go/src/github.com/cilium/cilium/pkg/datapath/loader/hash.go:20 +0x9e
github.com/cilium/cilium/pkg/datapath/loader.(*objectCache).UpdateDatapathHash(0xc001d027d0, 0xc001422870?)
	/go/src/github.com/cilium/cilium/pkg/datapath/loader/cache.go:62 +0x4d
github.com/cilium/cilium/pkg/datapath/loader.(*loader).Reinitialize(0xc002573580, {0x50f9c98, 0xc0008474d0}, 0xc001d00508, {{0x49d15b6, 0x4}, {0x0, 0x0}, 0x0, 0x0, ...}, ...)
	/go/src/github.com/cilium/cilium/pkg/datapath/loader/base.go:377 +0x3c8
github.com/cilium/cilium/pkg/datapath/orchestrator.(*orchestrator).reinitialize(0xc001d36288, {0x50f9c98?, 0xc0008474d0?}, {{0x0?, 0x0?}, 0x0?}, 0xc001d00508)
	/go/src/github.com/cilium/cilium/pkg/datapath/orchestrator/orchestrator.go:275 +0x110
github.com/cilium/cilium/pkg/datapath/orchestrator.(*orchestrator).reconciler(0xc001d36288, {0x50f9c98, 0xc0008474d0}, {0x5104260, 0xc002feafc0})
	/go/src/github.com/cilium/cilium/pkg/datapath/orchestrator/orchestrator.go:219 +0x6fd
github.com/cilium/hive/job.(*jobOneShot).start(0xc002082e40, {0x50f9c98, 0xc0008474d0}, 0xc00143dce4?, {0x5104260, 0xc002082de0}, {{{0x0, 0x0, 0x0}}, 0xc001791770, ...})
	/go/src/github.com/cilium/cilium/vendor/github.com/cilium/hive/job/oneshot.go:138 +0x4fd
created by github.com/cilium/hive/job.(*queuedJob).Start.func1 in goroutine 1
	/go/src/github.com/cilium/cilium/vendor/github.com/cilium/hive/job/job.go:126 +0x16f
```

With the change in this commit, when a direct routing device is not found, datapath orchestrator will log a warning and wait for device updates in the reconciliation loop, skipping reinitialization.

Fixes 8fae439 ("datapath: move DirectRoutingDevice validation to orchestrator")
Signed-off-by: Deepesh Pathak <deepeshpathak09@gmail.com>
Signed-off-by: Antony Reynaud <antony.reynaud@isovalent.com>
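The panic in the trace above and the skip-and-wait behaviour the commit message describes, reduced to a minimal model as an added example (not the Cilium implementation). `hostOrder32`, `device`, `nodeConfigWord` and `reconcile` are hypothetical names, and the device updates in `main` are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

var errNoDirectRoutingDevice = errors.New("direct routing device required but not found")

// device is a hypothetical, minimal model of the selected direct routing device.
type device struct {
	Name string
	IPv4 net.IP
}

// hostOrder32 stands in for a helper that reads the 4-byte form of an address
// without validating it: an empty IP yields a nil slice and the read panics
// with "index out of range [3] with length 0".
func hostOrder32(ip net.IP) uint32 {
	return binary.LittleEndian.Uint32(ip.To4())
}

// nodeConfigWord validates the device before converting its address.
func nodeConfigWord(needDirectRouting bool, dev *device) (uint32, error) {
	if !needDirectRouting {
		return 0, nil
	}
	if dev == nil || dev.IPv4.To4() == nil {
		return 0, errNoDirectRoutingDevice
	}
	return hostOrder32(dev.IPv4), nil
}

// reconcile handles one device update per element. While the device is
// missing it skips reinitialization and waits for the next update.
func reconcile(updates []*device) (reinits []uint32, skipped int) {
	for _, dev := range updates {
		word, err := nodeConfigWord(true, dev)
		if err != nil {
			skipped++ // a real loop would log a warning here
			continue
		}
		reinits = append(reinits, word)
	}
	return reinits, skipped
}

func main() {
	// Constructed updates: device gone, device without address, device restored.
	fmt.Println(reconcile([]*device{nil, {Name: "eth0"}, {Name: "eth0", IPv4: net.ParseIP("192.0.2.10")}}))
}
```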
mhofstetter approved these changes Feb 10, 2026

Contributor, Author: /test

fristonio approved these changes Feb 10, 2026

Preisschild approved these changes Feb 10, 2026

jrajahalme approved these changes Feb 11, 2026
cilium-tlsinterception-secrets Role/RoleBinding conditionals #44159 (@puwun)

Once this PR is merged, a GitHub action will update the labels of these PRs: