We are excited to announce the Cilium 1.16.0 release. A total of 2969 new commits have been contributed to this release by a growing community of over 750 developers and over 19300 GitHub stars! :star_struck:

To keep up to date with all the latest Cilium releases, join #release on Slack.

Here's what's new in v1.16.0:

• :mountain_cableway: Networking

  • :speedboat: Cilium NetKit: container-network throughput and latency as fast as host-network.
  • :globe_with_meridians: BGPv2: Fresh new API for Cilium's BGP feature.
  • :loudspeaker: BGP ClusterIP Advertisement: BGP advertisements of ExternalIP and Cluster IP Services.
  • :twisted_rightwards_arrows: Service Traffic Distribution: Kubernetes 1.30 Service Traffic Distribution can be enabled directly in the Service spec instead of using annotations.
  • :arrows_counterclockwise: Local Redirect Policy promoted to Stable: Redirecting the traffic bound for services to the local backend, such as node-local DNS.
  • :satellite: Multicast Datapath: Define multicast groups in Cilium.
  • :label: Per-Pod Fixed MAC Address: Specify the MAC address used on a pod.

• :spider_web: Service Mesh & Ingress/Gateway API

  • :compass: Gateway API GAMMA Support: East-west traffic management for the cluster via Gateway API.
  • :shinto_shrine: Gateway API 1.1 Support: Cilium now supports Gateway API 1.1.
  • :passport_control: ExternalTrafficPolicy support for Ingress/Gateway API: External traffic can now be routed to node-local or cluster-wide endpoints.
  • :spider_web: L7 Envoy Proxy as dedicated DaemonSet: With a dedicated DaemonSet, Envoy and Cilium can have a separate life-cycle from each other. Now on by default for new installs.
  • :card_index_dividers: NodeSelector support for CiliumEnvoyConfig: Instead of being applied on all nodes, it's now possible to select which nodes a particular CiliumEnvoyConfig should select.

• :guardswoman: Security

  • :signal_strength: Port Range support in Network Policies: This long-awaited feature has been implemented into Cilium.
  • :clipboard: Network Policy Validation Status: kubectl describe cnp will be able to tell if the Cilium Network Policy is valid or invalid.
  • :no_entry: Control Cilium Network Policy Default Deny behavior: Policies usually enable default deny for the subject of the policies, but this can now be disabled on a per-policy basis.
  • :busts_in_silhouette: CIDRGroups support for Egress and Deny rules: Add support for matching CiliumCIDRGroups in Egress policy rules.
  • :floppy_disk: Load "default" Network Policies from Filesystem: In addition to reading policies from Kubernetes, Cilium can be configured to read policies locally.
  • :card_index_dividers: Support to Select Nodes as Target of Cilium Network Policies: With new ToNodes/FromNodes selectors, traffic can be allowed or denied based on the labels of the target Node in the cluster.

• :sunrise: Day 2 Operations and Scale

  • :elf: New ELF Loader Logic: With this new loader logic, the median memory usage of Cilium was decreased by 24%.
  • :rocket: Improved DNS-based network policy performance: DNS-based network policies had up to 5x reduction in tail latency.
  • :spider_web: KVStoreMesh default option for ClusterMesh: Introduced in Cilium 1.14, and after a lot of adoption and feedback from the community, KVStoreMesh is now the default way to deploy ClusterMesh.

• :artificial_satellite: Hubble & Observability

  • :speaking_head: CEL Filters Support: Hubble supports Common Express Language (CEL) giving support for more complex conditions that cannot be expressed using the existing flow filters.
  • :bar_chart: Improved HTTP metrics: There are additional metrics to count the HTTP requests and their duration.
  • :straight_ruler: Improved BPF map pressure metrics: New metric to track the BPF map pressure metric for the Connection Tracking BPF map.
  • :eyes: Improvements for Egress Traffic Path Observability: Some metrics were added on this release to help troubleshooting Cilium Egress Routing.
  • :microscope: K8S Event Generation on Packet Drop: Hubble is now able to generate a k8s event for a packet dropped from a pod and it that can be verified with kubectl get events.
  • :card_index_dividers: Filtering Hubble flows by node labels: Filter Hubble flows observed on nodes matching the given label.

• :houses: Community:

  • :heart: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback!
    • Rabobank
    • SmartNews
    • G Data CyberDefense
    • WSO2
    • Sicredi
    • PostFinance
    • DigitalOcean
    • Nemlig.com

And finally, we would like to thank you to all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. :heart:

For a full summary of changes, see https://github.com/cilium/cilium/blob/v1.16.0/CHANGELOG.md.

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.0@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058 quay.io/cilium/cilium:stable@sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.0@sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e quay.io/cilium/clustermesh-apiserver:stable@sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e

docker-plugin

quay.io/cilium/docker-plugin:v1.16.0@sha256:024a17aa8ec70d42f0ac1a4407ad9f8fd1411aa85fd8019938af582e20522efe quay.io/cilium/docker-plugin:stable@sha256:024a17aa8ec70d42f0ac1a4407ad9f8fd1411aa85fd8019938af582e20522efe

hubble-relay

quay.io/cilium/hubble-relay:v1.16.0@sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d quay.io/cilium/hubble-relay:stable@sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.0@sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea quay.io/cilium/operator-alibabacloud:stable@sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea

operator-aws

quay.io/cilium/operator-aws:v1.16.0@sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f quay.io/cilium/operator-aws:stable@sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f

operator-azure

quay.io/cilium/operator-azure:v1.16.0@sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d quay.io/cilium/operator-azure:stable@sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d

operator-generic

quay.io/cilium/operator-generic:v1.16.0@sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316 quay.io/cilium/operator-generic:stable@sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316

operator

quay.io/cilium/operator:v1.16.0@sha256:6aaa05737f21993ff51abe0ffe7ea4be88d518aa05266c3482364dce65643488 quay.io/cilium/operator:stable@sha256:6aaa05737f21993ff51abe0ffe7ea4be88d518aa05266c3482364dce65643488