Skip to content

redirectpolicy: Do not redirect when no local target pods exist#41463

Merged
joamaki merged 2 commits intocilium:mainfrom
joamaki:pr/joamaki/lrp-fix-no-local-pods
Sep 4, 2025
Merged

redirectpolicy: Do not redirect when no local target pods exist#41463
joamaki merged 2 commits intocilium:mainfrom
joamaki:pr/joamaki/lrp-fix-no-local-pods

Conversation

@joamaki
Copy link
Copy Markdown
Contributor

@joamaki joamaki commented Sep 2, 2025

The local redirection should only be in effect when local target pods are available. Fix the issue by only setting the redirect when the LRP service has associated backends.

Fix issue in Local Redirect Policies where traffic was dropped when no local pods were available to be redirected to. In these scenarios the traffic should have been processed as if the Local Redirect Policy did not exist.

@maintainer-s-little-helper maintainer-s-little-helper Bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 2, 2025
@joamaki joamaki added release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Sep 2, 2025
@maintainer-s-little-helper maintainer-s-little-helper Bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Sep 2, 2025
@joamaki

This comment was marked as resolved.

Sign in to view
@joamaki joamaki force-pushed the pr/joamaki/lrp-fix-no-local-pods branch from c42a5d8 to 8cdaa90 Compare September 2, 2025 06:22
@joamaki
Copy link
Copy Markdown
Contributor Author

joamaki commented Sep 2, 2025

/test

@joamaki joamaki marked this pull request as ready for review September 2, 2025 07:01
@joamaki joamaki requested a review from a team as a code owner September 2, 2025 07:01
@joamaki joamaki requested a review from ysksuzuki September 2, 2025 07:01
This was referenced Sep 2, 2025
Closed
Closed
@joamaki joamaki enabled auto-merge September 2, 2025 07:10
aditighag
aditighag requested changes Sep 2, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@aditighag aditighag left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix lgtm, except the missing case for AddressMatcher LRP.

Comment thread pkg/loadbalancer/redirectpolicy/controller.go
@joamaki joamaki mentioned this pull request Sep 3, 2025
Closed
7 tasks
@joamaki
redirectpolicy: Add test case for no pods to redirect to
c8cc953 
Add a failing test case to show that we incorrectly set redirects for
a service even when there's no local pods we can redirect to.

Related: cilium#41450
Signed-off-by: Jussi Maki <jussi@isovalent.com>
@joamaki
redirectpolicy: Only set redirection when target pods available
8e1692d 
The local redirection should only be in effect when local target pods
are available. Fix the issue by only setting the redirect when the
LRP service has associated backends.

Fixes: cilium#41450
Signed-off-by: Jussi Maki <jussi@isovalent.com>
@joamaki joamaki force-pushed the pr/joamaki/lrp-fix-no-local-pods branch from 8cdaa90 to 8e1692d Compare September 3, 2025 14:09
@joamaki joamaki requested a review from aditighag September 3, 2025 14:09
@joamaki
Copy link
Copy Markdown
Contributor Author

joamaki commented Sep 3, 2025

/test

aditighag
aditighag reviewed Sep 3, 2025
View reviewed changes
Comment thread pkg/loadbalancer/redirectpolicy/controller.go
@aditighag aditighag added the kind/regression This functionality worked fine before, but was broken in a newer release of Cilium. label Sep 3, 2025
@joamaki joamaki requested a review from aditighag September 4, 2025 08:47
@joamaki joamaki added this pull request to the merge queue Sep 4, 2025
Merged via the queue into cilium:main with commit c6b2c2a Sep 4, 2025
72 checks passed
@joamaki joamaki deleted the pr/joamaki/lrp-fix-no-local-pods branch September 4, 2025 15:35
@tklauser tklauser mentioned this pull request Sep 9, 2025
Merged
14 tasks
@tklauser tklauser added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Sep 9, 2025
@github-actions github-actions Bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. labels Sep 10, 2025
@julianwiedmann julianwiedmann mentioned this pull request Sep 24, 2025
Closed
3 tasks
@cilium-release-bot cilium-release-bot Bot moved this to Released in cilium v1.19.0 Feb 3, 2026
schwarlex pushed a commit to la-demos/vcluster-workshop-prep that referenced this pull request Feb 11, 2026
chore(deps): update helm release cilium to v1.18.2 (#78)
d24a023 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | patch | `1.18.1` -> `1.18.2` |

---

### Release Notes

<details>
<summary>cilium/cilium (cilium)</summary>

### [`v1.18.2`](https://github.com/cilium/cilium/releases/tag/v1.18.2): 1.18.2

[Compare Source](cilium/cilium@1.18.1...1.18.2)

## Summary of Changes

**Minor Changes:**

- Fix validation bug where namespaced CiliumNetworkPolicies with nodeSelector in specs array were silently accepted but ignored. Now properly rejected with validation error. (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;40702](cilium/cilium#40702), [@&#8203;pillai-ashwin](https://github.com/pillai-ashwin))
- lbipam: do not reallocate IPs in LB IPAM on operator restart (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41147](cilium/cilium#41147), [@&#8203;marseel](https://github.com/marseel))
- lbipam: widening CIDR range or updating selector of CiliumLoadBalancerIPPool does no longer reassign IPs (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41122](cilium/cilium#41122), [@&#8203;marseel](https://github.com/marseel))

**Bugfixes:**

- Add option to configure BGP origin attribute for LoadBalancer IPs in BGP Control Plane v2, allowing smoother migration from MetalLB integration. (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41231](cilium/cilium#41231), [@&#8203;hanapedia](https://github.com/hanapedia))
- Add toleration for 'node.cloudprovider.kubernetes.io/uninitialized' to Cilium Operator (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41098](cilium/cilium#41098), [@&#8203;guettli](https://github.com/guettli))
- bgpv2: Avoid modifying CiliumBGPPeerConfig in resource store (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41088](cilium/cilium#41088), [@&#8203;rastislavs](https://github.com/rastislavs))
- bpf: add support for delinearized ARP packets (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41233](cilium/cilium#41233), [@&#8203;vsinitsyn](https://github.com/vsinitsyn))
- ctmap/gc: continue interval time on partial GC pass. (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41258](cilium/cilium#41258), [@&#8203;tommyp1ckles](https://github.com/tommyp1ckles))
- Disable unnecessary headless service watching to reduce API server load in clusters not using the Gateway API or Ingress features. (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;40844](cilium/cilium#40844), [@&#8203;moscicky](https://github.com/moscicky))
- Fix "Error while correcting L4 checksum" dropped packets for ICMP destination unreachable error packets. (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;40194](cilium/cilium#40194), [@&#8203;br4243](https://github.com/br4243))
- Fix "No mapping for NAT masquerade" flakes in the CI, make NAT LRU fallbacks more robust. (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;40971](cilium/cilium#40971), [@&#8203;gentoo-root](https://github.com/gentoo-root))
- Fix --exclude-local-address with eBPF Host-Routing (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41275](cilium/cilium#41275), [@&#8203;antonipp](https://github.com/antonipp))
- Fix a BGP bug where the routerID specified in a CiliumBGPNodeConfigOverride was not correctly updated in RouterIDIPPool mode. (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;40340](cilium/cilium#40340), [@&#8203;liyihuang](https://github.com/liyihuang))
- Fix a bug that would cause NodePort requests to be sent to the wrong backends when using KPR and Clustermesh with two identical, non-global NodePort services on different clusters. (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41337](cilium/cilium#41337), [@&#8203;pchaigno](https://github.com/pchaigno))
- Fix a bug where cilium-agent would report "Link not found" for an endpoint deleted during state restore after cilium-agent restart. (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;40568](cilium/cilium#40568), [@&#8203;fristonio](https://github.com/fristonio))
- Fix a regression where enabling unknown Hubble metrics would crash the cilium agent (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41368](cilium/cilium#41368), [@&#8203;devodev](https://github.com/devodev))
- Fix agent config initContainer unable to hit apiservers in apiServerURLs by passing as container arg (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41110](cilium/cilium#41110), [@&#8203;JJGadgets](https://github.com/JJGadgets))
- Fix bug that would cause error messages when disabling agent health checks (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41297](cilium/cilium#41297), [@&#8203;HadrienPatte](https://github.com/HadrienPatte))
- Fix issue in Local Redirect Policies where traffic was dropped when no local pods were available to be redirected to. In these scenarios the traffic should have been processed as if the Local Redirect Policy did not exist. (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41463](cilium/cilium#41463), [@&#8203;joamaki](https://github.com/joamaki))
- Fix issue where Local Redirect Policy (LRP) services with a single named port did not create a local redirect service entry. (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41534](cilium/cilium#41534), [@&#8203;aditighag](https://github.com/aditighag))
- Fix the bug local redirect policy not doing filter based destination port (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41411](cilium/cilium#41411), [@&#8203;liyihuang](https://github.com/liyihuang))
- Fixes a cosmetic bug where the cilium\_bpf\_map\_ops\_total error count was incorrectly being incremented for map cilium\_lb\_affinity\_match. (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41378](cilium/cilium#41378), [@&#8203;squeed](https://github.com/squeed))
- Fixes an issue in NodeManager where restored cluster nodes can be pruned before the initial node listing completes. (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41039](cilium/cilium#41039), [@&#8203;0xch4z](https://github.com/0xch4z))
- Helm: Ensure consistent default labels for all ServiceMonitor resources (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41240](cilium/cilium#41240), [@&#8203;baurmatt](https://github.com/baurmatt))
- iptables: Fix IPv6 SNAT for L7 proxy upstream traffic (Backport PR [#&#8203;41249](cilium/cilium#41249), Upstream PR [#&#8203;41034](cilium/cilium#41034), [@&#8203;gentoo-root](https://github.com/gentoo-root))
- loadbalancer/writer: add support for SetIsServiceHealthCheckedFunc (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41092](cilium/cilium#41092), [@&#8203;mhofstetter](https://github.com/mhofstetter))
- neighbor: Fix bug where neighbor discovery subsystem reports unhealthy when it is healthy (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41186](cilium/cilium#41186), [@&#8203;mhofstetter](https://github.com/mhofstetter))
- pkg/ipam: fix nil dereference during pool shrink operation (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41198](cilium/cilium#41198), [@&#8203;alimehrabikoshki](https://github.com/alimehrabikoshki))
- policy: fix agent crash due to policy cache update-delete race (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41079](cilium/cilium#41079), [@&#8203;fristonio](https://github.com/fristonio))

**CI Changes:**

- .github/actions: fix boolean condition check in post-logic action (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41395](cilium/cilium#41395), [@&#8203;aanm](https://github.com/aanm))
- .github/worfklows: copy cilium-cli binary from container (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41524](cilium/cilium#41524), [@&#8203;aanm](https://github.com/aanm))
- .github/workflows: add proper suffix for scale-test-egw (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41477](cilium/cilium#41477), [@&#8203;aanm](https://github.com/aanm))
- .github/workflows: add timeout to Install node local DNS step (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41120](cilium/cilium#41120), [@&#8203;aanm](https://github.com/aanm))
- .github/workflows: separate feature json files in different dirs (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41403](cilium/cilium#41403), [@&#8203;aanm](https://github.com/aanm))
- .github/workflows: simplify ginkgo workflow (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41396](cilium/cilium#41396), [@&#8203;aanm](https://github.com/aanm))
- .github/workflows: simplify ginkgo workflow (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41396](cilium/cilium#41396), [@&#8203;aanm](https://github.com/aanm))
- .github: fix upload artifacts for features.json (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41119](cilium/cilium#41119), [@&#8203;aanm](https://github.com/aanm))
- add missing extraArgs in CI (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41005](cilium/cilium#41005), [@&#8203;aanm](https://github.com/aanm))
- checkpatch: bump checkpatch version, and minor adaptations (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41290](cilium/cilium#41290), [@&#8203;giorio94](https://github.com/giorio94))
- ci: Re-enable go caches for privileged tests (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41102](cilium/cilium#41102), [@&#8203;rastislavs](https://github.com/rastislavs))
- ci: simplify scheduled test (Backport PR [#&#8203;41262](cilium/cilium#41262), Upstream PR [#&#8203;41261](cilium/cilium#41261), [@&#8203;brlbil](https://github.com/brlbil))
- Fix multiple workflows with missing features and steps (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41398](cilium/cilium#41398), [@&#8203;aanm](https://github.com/aanm))
- gh: e2e-upgrade: skip even more steps when not downgrading (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41468](cilium/cilium#41468), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))
- gha: run checkpatch check only on PR events (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41308](cilium/cilium#41308), [@&#8203;giorio94](https://github.com/giorio94))
- ipsec: fix xfrm privileged tests (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41279](cilium/cilium#41279), [@&#8203;smagnani96](https://github.com/smagnani96))
- node:tests: fix privileged ([#&#8203;41281](cilium/cilium#41281), [@&#8203;smagnani96](https://github.com/smagnani96))
- operator/bgpv2: Avoid race in TestRouterIDAllocation test (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41499](cilium/cilium#41499), [@&#8203;rastislavs](https://github.com/rastislavs))
- pkg/metrics: define default CIDR policies values (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41422](cilium/cilium#41422), [@&#8203;aanm](https://github.com/aanm))
- testutils: differentiate {Test,Benchmark}Privileged and fix benchmarks (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41007](cilium/cilium#41007), [@&#8203;smagnani96](https://github.com/smagnani96))
- workflows/ipsec: yet another fix for downgrade (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41260](cilium/cilium#41260), [@&#8203;smagnani96](https://github.com/smagnani96))

**Misc Changes:**

- .github/workflows: add step 5 as part of the image build process (Backport PR [#&#8203;41177](cilium/cilium#41177), Upstream PR [#&#8203;41113](cilium/cilium#41113), [@&#8203;aanm](https://github.com/aanm))
- bpf: fix svc annotation handling (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41310](cilium/cilium#41310), [@&#8203;borkmann](https://github.com/borkmann))
- bpf: wireguard: re-add IPv6 fragment check in from-wireguard (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41451](cilium/cilium#41451), [@&#8203;julianwiedmann](https://github.com/julianwiedmann))
- build-images-release: specify main branch on reusable jobs (Backport PR [#&#8203;41177](cilium/cilium#41177), Upstream PR [#&#8203;41530](cilium/cilium#41530), [@&#8203;aanm](https://github.com/aanm))
- checkpatch: Update image digest (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41360](cilium/cilium#41360), [@&#8203;HadrienPatte](https://github.com/HadrienPatte))
- chore(deps): update actions/labeler action to v6.0.1 (v1.18) ([#&#8203;41565](cilium/cilium#41565), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18) ([#&#8203;41351](cilium/cilium#41351), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all github action dependencies (v1.18) ([#&#8203;41660](cilium/cilium#41660), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18) ([#&#8203;41126](cilium/cilium#41126), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18) ([#&#8203;41350](cilium/cilium#41350), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18) ([#&#8203;41439](cilium/cilium#41439), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18) ([#&#8203;41509](cilium/cilium#41509), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update all-dependencies (v1.18) ([#&#8203;41612](cilium/cilium#41612), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update dependency protocolbuffers/protobuf to v32.1 (v1.18) ([#&#8203;41659](cilium/cilium#41659), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.24.6 docker digest to [`714ad64`](cilium/cilium@714ad64) (v1.18) ([#&#8203;41349](cilium/cilium#41349), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.24.6 docker digest to [`8d9e57c`](cilium/cilium@8d9e57c) (v1.18) ([#&#8203;41437](cilium/cilium#41437), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update docker.io/library/golang:1.24.7 docker digest to [`5e9d14d`](cilium/cilium@5e9d14d) (v1.18) ([#&#8203;41656](cilium/cilium#41656), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update go to v1.24.7 (v1.18) ([#&#8203;41566](cilium/cilium#41566), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 \[security] (v1.18) ([#&#8203;41319](cilium/cilium#41319), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.6-1756960514-59def10827e2fdea04b289bb00128526bde9d3c1 (v1.18) ([#&#8203;41516](cilium/cilium#41516), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.6-1757072375-ebd79127b3d1f27212d5426619daccdd15ad9e28 (v1.18) ([#&#8203;41567](cilium/cilium#41567), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.7-1757592137-1a52bb680a956879722f48c591a2ca90f7791324 (v1.18) ([#&#8203;41657](cilium/cilium#41657), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) ([#&#8203;41438](cilium/cilium#41438), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- chore(deps): update stable lvh-images (v1.18) (patch) ([#&#8203;41658](cilium/cilium#41658), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- ci: Update workflow permissions (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41383](cilium/cilium#41383), [@&#8203;kyle-c-simmons](https://github.com/kyle-c-simmons))
- doc: use correct policy-default-local-cluster inspect command in example (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41118](cilium/cilium#41118), [@&#8203;Preisschild](https://github.com/Preisschild))
- docs: Add missing dsrDispatch parameter to annotation-based DSR examples (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;40873](cilium/cilium#40873), [@&#8203;gitsofaryan](https://github.com/gitsofaryan))
- docs: add table DSR Dispatch Mode following Routing Mode (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41431](cilium/cilium#41431), [@&#8203;alagoutte](https://github.com/alagoutte))
- docs: document portmap binary requirements (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41300](cilium/cilium#41300), [@&#8203;nbusseneau](https://github.com/nbusseneau))
- Fix release script steps (Backport PR [#&#8203;41177](cilium/cilium#41177), Upstream PR [#&#8203;41502](cilium/cilium#41502), [@&#8203;aanm](https://github.com/aanm))
- Helm: Only insert nodePort for cilium-ingress-service if specified (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41107](cilium/cilium#41107), [@&#8203;baurmatt](https://github.com/baurmatt))
- install: bump startup script version (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41299](cilium/cilium#41299), [@&#8203;Artyop](https://github.com/Artyop))
- kvstore: fix overly verbose debug log and error message (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41148](cilium/cilium#41148), [@&#8203;giorio94](https://github.com/giorio94))
- loadbalancer: Fixes to test flakes (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41085](cilium/cilium#41085), [@&#8203;joamaki](https://github.com/joamaki))
- Log kube-proxy replacement config before starting kube-proxy replacement (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41133](cilium/cilium#41133), [@&#8203;liyihuang](https://github.com/liyihuang))
- lower log severity for stale metadata to avoid CI issue (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41389](cilium/cilium#41389), [@&#8203;liyihuang](https://github.com/liyihuang))
- metrics/features: Fix counter metrics to use Set() instead of Add() (Backport PR [#&#8203;41479](cilium/cilium#41479), Upstream PR [#&#8203;41382](cilium/cilium#41382), [@&#8203;aanm](https://github.com/aanm))
- metrics/features: remove aws-vpc-cni (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41498](cilium/cilium#41498), [@&#8203;aanm](https://github.com/aanm))
- node/manager: Do not prune the local node on restart (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41544](cilium/cilium#41544), [@&#8203;joamaki](https://github.com/joamaki))
- Prevent `cilium-dbg` from panicing when `/sys` is not mounted (Backport PR [#&#8203;41365](cilium/cilium#41365), Upstream PR [#&#8203;41287](cilium/cilium#41287), [@&#8203;HadrienPatte](https://github.com/HadrienPatte))
- Support extending cilium-agent dnsPolicy as a downstream packager (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41010](cilium/cilium#41010), [@&#8203;devodev](https://github.com/devodev))
- Update all github action dependencies (v1.18) ([#&#8203;41216](cilium/cilium#41216), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- Update dependency protocolbuffers/protobuf to v32 (v1.18) ([#&#8203;41217](cilium/cilium#41217), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- Update docker.io/library/golang:1.24.6 Docker digest to [`a18e9e0`](cilium/cilium@a18e9e0) (v1.18) ([#&#8203;41214](cilium/cilium#41214), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- Update stable lvh-images (v1.18) (patch) ([#&#8203;41215](cilium/cilium#41215), [@&#8203;cilium-renovate](https://github.com/cilium-renovate)\[bot])
- workflows/conformance-ginkgo: fix steps for stable branches (Backport PR [#&#8203;41591](cilium/cilium#41591), Upstream PR [#&#8203;41599](cilium/cilium#41599), [@&#8203;aanm](https://github.com/aanm))
- xds: fix NACK logging after slog migration (Backport PR [#&#8203;41267](cilium/cilium#41267), Upstream PR [#&#8203;41171](cilium/cilium#41171), [@&#8203;mhofstetter](https://github.com/mhofstetter))

**Other Changes:**

- \[v1.18] envoy: Start serving listeners only after clusters have been ACKed ([#&#8203;41605](cilium/cilium#41605), [@&#8203;jrajahalme](https://github.com/jrajahalme))
- docs: Add new IAM permissions requirements to upgrade notes ([#&#8203;41374](cilium/cilium#41374), [@&#8203;HadrienPatte](https://github.com/HadrienPatte))
- install: Update image digests for v1.18.1 ([#&#8203;41182](cilium/cilium#41182), [@&#8203;cilium-release-bot](https://github.com/cilium-release-bot)\[bot])

#### Docker Manifests

##### cilium

`quay.io/cilium/cilium:v1.18.2@&#8203;sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667`
`quay.io/cilium/cilium:stable@sha256:858f807ea4e20e85e3ea3240a762e1f4b29f1cb5bbd0463b8aa77e7b097c0667`

##### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.18.2@&#8203;sha256:cd689a07bfc7622e812fef023cb277fdc695b60a960d36f32f93614177a7a0f6`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:cd689a07bfc7622e812fef023cb277fdc695b60a960d36f32f93614177a7a0f6`

##### docker-plugin

`quay.io/cilium/docker-plugin:v1.18.2@&#8203;sha256:be578aaae7274ef7155bd0a6d2f7c2d91085642aea4fdb24451ee9cab4ca2e5d`
`quay.io/cilium/docker-plugin:stable@sha256:be578aaae7274ef7155bd0a6d2f7c2d91085642aea4fdb24451ee9cab4ca2e5d`

##### hubble-relay

`quay.io/cilium/hubble-relay:v1.18.2@&#8203;sha256:6079308ee15e44dff476fb522612732f7c5c4407a1017bc3470916242b0405ac`
`quay.io/cilium/hubble-relay:stable@sha256:6079308ee15e44dff476fb522612732f7c5c4407a1017bc3470916242b0405ac`

##### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.18.2@&#8203;sha256:612b1d94c179cd8ae239e571e96ebd95662bb5cccb62aacfdf79355aa9cdddc8`
`quay.io/cilium/operator-alibabacloud:stable@sha256:612b1d94c179cd8ae239e571e96ebd95662bb5cccb62aacfdf79355aa9cdddc8`

##### operator-aws

`quay.io/cilium/operator-aws:v1.18.2@&#8203;sha256:1cb856fbe265dfbcfe816bd6aa4acaf006ecbb22dcc989116a1a81bb269ea328`
`quay.io/cilium/operator-aws:stable@sha256:1cb856fbe265dfbcfe816bd6aa4acaf006ecbb22dcc989116a1a81bb269ea328`

##### operator-azure

`quay.io/cilium/operator-azure:v1.18.2@&#8203;sha256:9696e9b8219b9a5c16987e072eda2da378d42a32f9305375e56d7380a0c2ba8e`
`quay.io/cilium/operator-azure:stable@sha256:9696e9b8219b9a5c16987e072eda2da378d42a32f9305375e56d7380a0c2ba8e`

##### operator-generic

`quay.io/cilium/operator-generic:v1.18.2@&#8203;sha256:cb4e4ffc5789fd5ff6a534e3b1460623df61cba00f5ea1c7b40153b5efb81805`
`quay.io/cilium/operator-generic:stable@sha256:cb4e4ffc5789fd5ff6a534e3b1460623df61cba00f5ea1c7b40153b5efb81805`

##### operator

`quay.io/cilium/operator:v1.18.2@&#8203;sha256:0f234ce2ab0f30c09f4f9fe1b9c6323f0c6b66d789bef5e958fce7cff85960f3`
`quay.io/cilium/operator:stable@sha256:0f234ce2ab0f30c09f4f9fe1b9c6323f0c6b66d789bef5e958fce7cff85960f3`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMjcuMiIsInVwZGF0ZWRJblZlciI6IjQxLjEyNy4yIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->

Reviewed-on: https://kubara.git.onstackit.cloud/STACKIT/kubara/pulls/78
@julianwiedmann julianwiedmann added the area/lrp Impacts Local Redirect Policy. label Apr 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aditighag aditighag aditighag approved these changes

@ysksuzuki ysksuzuki Awaiting requested review from ysksuzuki ysksuzuki is a code owner automatically assigned from cilium/sig-lb

Assignees

No one assigned

Labels

area/lrp Impacts Local Redirect Policy. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. kind/regression This functionality worked fine before, but was broken in a newer release of Cilium. release-note/bug This PR fixes an issue in a previous release of Cilium.

Projects

No open projects
cilium v1.19.0
Status: Released

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@joamaki @aditighag @tklauser @msune @julianwiedmann