identity: wait for identities to be added to SelectorCache by squeed · Pull Request #42049 · cilium/cilium

squeed · 2025-10-06T19:22:27Z

This fixes a rare race condition where clusters with large numbers of identities and selectors may get a partial policy calculation. This happens because a given identity A may not be propagated to all cached selectors before an endpoint using that identity is added.

A flow goes like this:

UpsertIdentity(A)
m.Events <- IdentityUpdate(a)
Mark list done
Regenerate endpoint A1
A1 policy calculation calls GetSelections()
UpdateIdentities(A) adds A to SelectorCache

This leaves endpoint A1 with incorrect policy. The fix is to block identity allocation until the update queue has seen the Sync event generated by the kvstore / crd list-watch.

Fixes a rare bug where endpoints may have incomplete policies in large clusters.

squeed · 2025-10-06T20:09:02Z

/test

giorio94

Thanks! A couple of comments inline. It seems also that the TestAllocatorReset/disable_operator_manages_identities integration test is failing.

squeed · 2025-10-07T11:09:31Z

Refactored this in a manner that is ClusterMesh-aware: that is to say, every Allocator can get feedback that all outstanding events were processed.

squeed · 2025-10-07T11:44:35Z

/test

giorio94

Looks neat, thanks!

squeed · 2025-10-07T18:28:04Z

/test

squeed · 2025-10-07T19:42:07Z

/ci-integration

squeed · 2025-10-07T20:20:56Z

/test

fristonio

LGTM <3
Minor feedback to improve readability(feel free to ignore in the context of this fix).

squeed · 2025-10-08T12:55:10Z

Hitting #41980 flake.

squeed · 2025-10-09T08:02:41Z

/test

This fixes a rare race condition where clusters with large numbers of identities and selectors may get a partial policy calculation. This happens because a given identity A may not be propagated to all cached selectors before an endpoint using that identity is added. A flow goes like this: 1. UpsertIdentity(A) 2. m.Events <- IdentityUpdate(a) 3. Mark list done 4. Regenerate endpoint A1 5. A1 policy calculation calls GetSelections() 6. UpdateIdentities(A) adds A to SelectorCache This leaves endpoint A1 with incorrect policy. The fix is for allocators not to mark themselves as done until the SelectorCache has consumed all events. This adds an optional Done channel to the allocator event that is closed once successfully processed. Signed-off-by: Casey Callendrello <cdc@isovalent.com>

squeed · 2025-10-10T08:06:31Z

/test

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | patch | `1.18.2` -> `1.18.3` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.18.3`](https://github.com/cilium/cilium/releases/tag/v1.18.3): 1.18.3 [Compare Source](cilium/cilium@1.18.2...1.18.3) ## Summary of Changes :information\_source: The images in this release were signed with cosign v3. Please use cosign v3 tooling to validate signatures with the following command syntax: ``` cosign verify --certificate-github-workflow-repository cilium/cilium --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-github-workflow-name 'Image Release Build' --certificate-github-workflow-ref refs/tags/v1.18.3 --certificate-identity https://github.com/cilium/cilium/.github/workflows/build-images-releases.yaml@refs/tags/v1.18.3 quay.io/cilium/operator-aws:v1.18.3 | jq -r '.[].critical.image' ``` **Minor Changes:** - Fix a complexity issue for the bpf\_xdp program (Backport PR [#42198](cilium/cilium#42198), Upstream PR [#42193](cilium/cilium#42193), [@aspsk](https://github.com/aspsk)) - hubble: mark kafka l7 visibility as deprecated (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41072](cilium/cilium#41072), [@kaworu](https://github.com/kaworu)) **Bugfixes:** - add the port name for address based LRP so frontend can pick the right backend (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41602](cilium/cilium#41602), [@liyihuang](https://github.com/liyihuang)) - Avoid scenario where ENI device configuration can be skipped. (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41760](cilium/cilium#41760), [@jasonaliyetti](https://github.com/jasonaliyetti)) - Cilium now configures Envoy to allow websocket connections to be passed through with HTTP policies. (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41729](cilium/cilium#41729), [@jrajahalme](https://github.com/jrajahalme)) - Fix a bug that was preventing Cilium to delete stale pod CIDRs routes when changing routing mode to native (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41819](cilium/cilium#41819), [@pippolo84](https://github.com/pippolo84)) - Fix a fatal error when accessing multicast map using cilium-dbg bpf multicast (Backport PR [#42151](cilium/cilium#42151), Upstream PR [#42080](cilium/cilium#42080), [@tklauser](https://github.com/tklauser)) - Fix BGP auto discovery not sending community info (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41920](cilium/cilium#41920), [@jiashengz](https://github.com/jiashengz)) - Fix bug in ENI routing where Cilium would chose the wrong subnet for routing traffic on secondary interfaces (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#40860](cilium/cilium#40860), [@liyihuang](https://github.com/liyihuang)) - Fix bug that could cause ICMP error packets to have an incorrect inner IP checksum when KPR is enabled. (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41551](cilium/cilium#41551), [@yushoyamaguchi](https://github.com/yushoyamaguchi)) - Fix bug with delegated IPAM where IPv6 traffic was routed via the wrong interface (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41598](cilium/cilium#41598), [@NihaNallappagari](https://github.com/NihaNallappagari)) - Fix failing node health check on dual stack cluster if NodeInternalIPs are not configured for both families. (Backport PR [#42055](cilium/cilium#42055), Upstream PR [#41633](cilium/cilium#41633), [@Dennor](https://github.com/Dennor)) - Fix increase in memory usage when service names are looked up at high rate during Hubble flow creation (Backport PR [#42151](cilium/cilium#42151), Upstream PR [#41965](cilium/cilium#41965), [@joamaki](https://github.com/joamaki)) - Fix panic at startup in IPsec subsystem with Multi-Pool IPAM mode ([#41725](cilium/cilium#41725), [@pippolo84](https://github.com/pippolo84)) - Fix race condition preventing the skiplbmap BPF map from sometimes being pruned after restart. (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41529](cilium/cilium#41529), [@joamaki](https://github.com/joamaki)) - Fixes a rare bug where endpoints may have incomplete policies in large clusters. (Backport PR [#42151](cilium/cilium#42151), Upstream PR [#42049](cilium/cilium#42049), [@squeed](https://github.com/squeed)) - hostfw: also exclude non-transparent proxy traffic when BPF masq is enabled (Backport PR [#41989](cilium/cilium#41989), Upstream PR [#41915](cilium/cilium#41915), [@julianwiedmann](https://github.com/julianwiedmann)) - Ignore expected error in neighbor reconciliation (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41815](cilium/cilium#41815), [@dylandreimerink](https://github.com/dylandreimerink)) - loadbalancer: allow HostPort for multiple protos on same port (Backport PR [#41913](cilium/cilium#41913), Upstream PR [#41521](cilium/cilium#41521), [@bersoare](https://github.com/bersoare)) - operator/pkg/lbipam: fix LoadBalancerIPPool conditions update logic (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41322](cilium/cilium#41322), [@alimehrabikoshki](https://github.com/alimehrabikoshki)) **CI Changes:** - .actions/cilium-config: add missing extraEnv in GH action (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41420](cilium/cilium#41420), [@aanm](https://github.com/aanm)) - .github/workflows: add variable for renovate bot username (Backport PR [#41843](cilium/cilium#41843), Upstream PR [#41818](cilium/cilium#41818), [@aanm](https://github.com/aanm)) - .github/workflows: automatically add /test for renovate PRs (Backport PR [#41843](cilium/cilium#41843), Upstream PR [#41770](cilium/cilium#41770), [@aanm](https://github.com/aanm)) - .github/workflows: do not wait on linters form forks (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41822](cilium/cilium#41822), [@aanm](https://github.com/aanm)) - .github/workflows: remove reviewers requested by auto-committer\[bot] (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41759](cilium/cilium#41759), [@aanm](https://github.com/aanm)) - cli: Fix unreliable tests due to error emitted in Cilium logs "retrieving device lxc\*: Link not found" (Backport PR [#42200](cilium/cilium#42200), Upstream PR [#42146](cilium/cilium#42146), [@fristonio](https://github.com/fristonio)) - gha: Correct k8s version for f12-datapath-service-ns-misc (Backport PR [#41756](cilium/cilium#41756), Upstream PR [#41753](cilium/cilium#41753), [@sayboras](https://github.com/sayboras)) - ginkgo: add test ownership for ginkgo tests (Backport PR [#42055](cilium/cilium#42055), Upstream PR [#41950](cilium/cilium#41950), [@aanm](https://github.com/aanm)) - Streamline ci-multi-pool workflow (Backport PR [#41631](cilium/cilium#41631), Upstream PR [#40658](cilium/cilium#40658), [@pippolo84](https://github.com/pippolo84)) - workflows: fix GCP OIDC authentication's project ID ([#42173](cilium/cilium#42173), [@nbusseneau](https://github.com/nbusseneau)) **Misc Changes:** - .github/workflows: stop build CI images until base images are built (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41681](cilium/cilium#41681), [@aanm](https://github.com/aanm)) - agent: Add Cilium health config cell (Backport PR [#42055](cilium/cilium#42055), Upstream PR [#41627](cilium/cilium#41627), [@aditighag](https://github.com/aditighag)) - bpf/nat: Move `ipv6_nat_entry` to map (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41902](cilium/cilium#41902), [@pchaigno](https://github.com/pchaigno)) - bpf: hostfw: have from-host always pass the ipcache-based src identity (Backport PR [#42113](cilium/cilium#42113), Upstream PR [#42093](cilium/cilium#42093), [@julianwiedmann](https://github.com/julianwiedmann)) - bpf: Only send fillup signal to agent on ENOMEM error (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41864](cilium/cilium#41864), [@borkmann](https://github.com/borkmann)) - chore(deps): update all github action dependencies (v1.18) ([#41795](cilium/cilium#41795), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#41931](cilium/cilium#41931), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#42028](cilium/cilium#42028), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#42136](cilium/cilium#42136), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.18) ([#42264](cilium/cilium#42264), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#41716](cilium/cilium#41716), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#41793](cilium/cilium#41793), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#42035](cilium/cilium#42035), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.18) ([#42116](cilium/cilium#42116), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/little-vm-helper to v0.0.27 (v1.18) ([#42263](cilium/cilium#42263), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v33 (v1.18) ([#42265](cilium/cilium#42265), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.7 docker digest to [`2c5f7a0`](cilium/cilium@2c5f7a0) (v1.18) ([#42026](cilium/cilium#42026), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.7 docker digest to [`87916ac`](cilium/cilium@87916ac) (v1.18) ([#41792](cilium/cilium#41792), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.9 docker digest to [`02ce1d7`](cilium/cilium@02ce1d7) (v1.18) ([#42253](cilium/cilium#42253), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.8 (v1.18) ([#42062](cilium/cilium#42062), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.9 (v1.18) ([#42166](cilium/cilium#42166), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.7-1759058812-49b096a457d6e7f6d650229cbf95c63d59759331 (v1.18) ([#41933](cilium/cilium#41933), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#41730](cilium/cilium#41730), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#41794](cilium/cilium#41794), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#41930](cilium/cilium#41930), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#42027](cilium/cilium#42027), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#42135](cilium/cilium#42135), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.18) (patch) ([#42300](cilium/cilium#42300), [@cilium-renovate](https://github.com/cilium-renovate)\[bot]) - doc: add note on hostfw and ipsec interaction (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41810](cilium/cilium#41810), [@darox](https://github.com/darox)) - docs/dsr: Remove IPIP example configuration (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41701](cilium/cilium#41701), [@pchaigno](https://github.com/pchaigno)) - docs: Clarify list of capabilities in threat model (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41682](cilium/cilium#41682), [@joestringer](https://github.com/joestringer)) - docs: fix broken Chainguard SBOM link (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41719](cilium/cilium#41719), [@yashisrani](https://github.com/yashisrani)) - docs: remove stale kernel requirements (Backport PR [#42151](cilium/cilium#42151), Upstream PR [#42081](cilium/cilium#42081), [@julianwiedmann](https://github.com/julianwiedmann)) - docs: Update iproute2 compile steps in reference guide. (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41638](cilium/cilium#41638), [@dkanaliev](https://github.com/dkanaliev)) - endpoint: reduce missed-policy-update log severity for restoring eps (Backport PR [#42055](cilium/cilium#42055), Upstream PR [#41095](cilium/cilium#41095), [@fristonio](https://github.com/fristonio)) - endpointsynchronizer: suppress warning log when endpoint is terminating (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41755](cilium/cilium#41755), [@giorio94](https://github.com/giorio94)) - gateway-api: Fix incorrect `Owns` call in refactor (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41807](cilium/cilium#41807), [@youngnick](https://github.com/youngnick)) - hubble: allow overrrides if building from outside the tree (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41726](cilium/cilium#41726), [@tklauser](https://github.com/tklauser)) - ipsec: add support for using remote PodCIDR entries (Backport PR [#42073](cilium/cilium#42073), Upstream PR [#41519](cilium/cilium#41519), [@julianwiedmann](https://github.com/julianwiedmann)) - Make kubeProxyReplacement available in the reference and documentation (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41535](cilium/cilium#41535), [@liyihuang](https://github.com/liyihuang)) - redirectpolicy: Always OpenOrCreate SkipLB map to avoid loader race (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41707](cilium/cilium#41707), [@joamaki](https://github.com/joamaki)) - redirectpolicy: Fix comparison of BackendParams (Backport PR [#41848](cilium/cilium#41848), Upstream PR [#41705](cilium/cilium#41705), [@joamaki](https://github.com/joamaki)) - Remove kiam documentation from Local Redirect Policy (Backport PR [#41968](cilium/cilium#41968), Upstream PR [#41644](cilium/cilium#41644), [@liyihuang](https://github.com/liyihuang)) - Update `checkpatch` and `startup-script` image digest (Backport PR [#41828](cilium/cilium#41828), Upstream PR [#41710](cilium/cilium#41710), [@HadrienPatte](https://github.com/HadrienPatte)) **Other Changes:** - \[v1.18] gateway-api: Refactor Gateway API reconciler ([#41720](cilium/cilium#41720), [@youngnick](https://github.com/youngnick)) - \[v1.18] workflows/release: add secrets for step 4 and 5 ([#41733](cilium/cilium#41733), [@jrajahalme](https://github.com/jrajahalme)) - install: Update image digests for v1.18.2 ([#41722](cilium/cilium#41722), [@cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) - proxy: Bump cilium-envoy to 1.34.10 ([#42251](cilium/cilium#42251), [@sayboras](https://github.com/sayboras)) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15` `quay.io/cilium/cilium:stable@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.18.3@sha256:0d15efc992a85003759232598bf05fb1a4cd3c9fa28fb96bee1789ffe27cc50d` `quay.io/cilium/clustermesh-apiserver:stable@sha256:0d15efc992a85003759232598bf05fb1a4cd3c9fa28fb96bee1789ffe27cc50d` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.18.3@sha256:996d9fa5747175b1806ce01dd90dc586a5f52a32b7da409937a1f42714827d67` `quay.io/cilium/docker-plugin:stable@sha256:996d9fa5747175b1806ce01dd90dc586a5f52a32b7da409937a1f42714827d67` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.18.3@sha256:e53e00c47fe4ffb9c086bad0c1c77f23cb968be4385881160683d9e15aa34dc3` `quay.io/cilium/hubble-relay:stable@sha256:e53e00c47fe4ffb9c086bad0c1c77f23cb968be4385881160683d9e15aa34dc3` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.18.3@sha256:df8b6830ef0545199cffc5fb9fbf14c9dc8d92093b0e6355d8659705227f89ef` `quay.io/cilium/operator-alibabacloud:stable@sha256:df8b6830ef0545199cffc5fb9fbf14c9dc8d92093b0e6355d8659705227f89ef` ##### operator-aws `quay.io/cilium/operator-aws:v1.18.3@sha256:ef39d61183b3bdf0e235650461b6c4d9ec7aa5f61a6c770f33c47a6bc5165e24` `quay.io/cilium/operator-aws:stable@sha256:ef39d61183b3bdf0e235650461b6c4d9ec7aa5f61a6c770f33c47a6bc5165e24` ##### operator-azure `quay.io/cilium/operator-azure:v1.18.3@sha256:10a8a83ca6f0b02432c1ca0e67af98a48fdbefb684af44a399f58184ab174143` `quay.io/cilium/operator-azure:stable@sha256:10a8a83ca6f0b02432c1ca0e67af98a48fdbefb684af44a399f58184ab174143` ##### operator-generic `quay.io/cilium/operator-generic:v1.18.3@sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797` `quay.io/cilium/operator-generic:stable@sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797` ##### operator `quay.io/cilium/operator:v1.18.3@sha256:e350cea751afeae2f226a1bc275649c77a04a1e1ff50e61d782a371eae6fb2ff` `quay.io/cilium/operator:stable@sha256:e350cea751afeae2f226a1bc275649c77a04a1e1ff50e61d782a371eae6fb2ff` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://kubara.git.onstackit.cloud/STACKIT/kubara/pulls/140

squeed requested review from a team as code owners October 6, 2025 19:22

squeed added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. labels Oct 6, 2025

squeed requested a review from fristonio October 6, 2025 19:22

squeed added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label Oct 6, 2025

squeed requested a review from giorio94 October 6, 2025 19:22

squeed added needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Oct 6, 2025

giorio94 reviewed Oct 7, 2025

View reviewed changes

Comment thread pkg/allocator/allocator.go

Comment thread pkg/identity/cache/allocator.go Outdated

Comment thread pkg/identity/cache/cache.go Outdated

Comment thread pkg/identity/cache/cache.go Outdated

squeed force-pushed the fix-identity-sc-update-race branch from 33a1e2c to c53bf4c Compare October 7, 2025 11:07

squeed requested a review from giorio94 October 7, 2025 11:07

giorio94 approved these changes Oct 7, 2025

View reviewed changes

Comment thread pkg/allocator/allocator.go Outdated

squeed force-pushed the fix-identity-sc-update-race branch 2 times, most recently from 73d6caf to 252f05e Compare October 7, 2025 13:27

squeed force-pushed the fix-identity-sc-update-race branch from 252f05e to 816dcfc Compare October 7, 2025 19:31

fristonio approved these changes Oct 7, 2025

View reviewed changes

Comment thread pkg/identity/cache/cache.go

squeed enabled auto-merge October 8, 2025 11:25

squeed force-pushed the fix-identity-sc-update-race branch from 816dcfc to c42b90e Compare October 9, 2025 07:59

squeed force-pushed the fix-identity-sc-update-race branch from c42b90e to 696017a Compare October 10, 2025 08:05

squeed added this pull request to the merge queue Oct 10, 2025

maintainer-s-little-helper Bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 10, 2025

Merged via the queue into cilium:main with commit 887200b Oct 10, 2025
73 checks passed

squeed deleted the fix-identity-sc-update-race branch October 10, 2025 09:55

glrf mentioned this pull request Oct 13, 2025

v1.18 Backports 2025-10-13 #42151

Merged

4 tasks

glrf added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Oct 13, 2025

glrf mentioned this pull request Oct 13, 2025

v1.17 Backports 2025-10-13 #42154

Merged

1 task

glrf added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Oct 13, 2025

squeed mentioned this pull request Nov 10, 2025

policy: split selectorCache in two #42580

Merged

8 tasks

cilium-release-bot Bot added this to cilium v1.19.0 Feb 3, 2026

cilium-release-bot Bot moved this to Released in cilium v1.19.0 Feb 3, 2026

Conversation

squeed commented Oct 6, 2025

Uh oh!

squeed commented Oct 6, 2025

Uh oh!

giorio94 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

squeed commented Oct 7, 2025

Uh oh!

squeed commented Oct 7, 2025

Uh oh!

giorio94 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

squeed commented Oct 7, 2025

Uh oh!

squeed commented Oct 7, 2025

Uh oh!

squeed commented Oct 7, 2025

Uh oh!

fristonio left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

squeed commented Oct 8, 2025

Uh oh!

squeed commented Oct 9, 2025

Uh oh!

squeed commented Oct 10, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants