The Cilium preflight check no longer includes Envoy ConfigMaps, making it easier to run correctly. (Backport PR cilium/cilium#43290, Upstream PR cilium/cilium#43153, @youngnick)
bpf:wireguard: deliver host packets to bpf_host for ingress policies (Backport PR cilium/cilium#43690, Upstream PR cilium/cilium#42892, @smagnani96)
cgroup: don't start watch if KPRConfig.EnableSocketLB is disabled (Backport PR cilium/cilium#43290, Upstream PR cilium/cilium#43256, @mhofstetter)
Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR cilium/cilium#43425, Upstream PR cilium/cilium#43095, @aditighag)
Fix an issue in the proxy NOTRACK iptables rule for aws-cni chaining mode which caused proxy->upstream (outside cluster) traffic to not be SNAT'd. (Backport PR cilium/cilium#43676, Upstream PR cilium/cilium#43566, @fristonio)
Fix GC of possible duplicated identities in kvstore mode (Backport PR cilium/cilium#43425, Upstream PR cilium/cilium#43287, @giorio94)
Fixes a deadlock that was causing an endpoint to be stuck without progressing with any updates. (Backport PR cilium/cilium#43290, Upstream PR cilium/cilium#43242, @marseel)
gateway-api: correctly handle CiliumGatewayClassConfig as a namespaced resource. (Backport PR cilium/cilium#43290, Upstream PR cilium/cilium#43254, @youngnick)
Add documentation and examples for using the egressDeny field in CiliumNetworkPolicy (Backport PR cilium/cilium#43425, Upstream PR cilium/cilium#40272, @syedazeez337)
bpf: clear mark content before storing the cluster ID (Backport PR cilium/cilium#43290, Upstream PR cilium/cilium#43159, @giorio94)
bpf: prevent cluster ID from being incorrectly retrieved from mark when aliased (Backport PR cilium/cilium#43290, Upstream PR cilium/cilium#43258, @giorio94)
chore(deps): update all github action dependencies (v1.18) (cilium/cilium#43467, @cilium-renovate[bot])
chore(deps): update all github action dependencies (v1.18) (cilium/cilium#43665, @cilium-renovate[bot])
chore(deps): update anchore/sbom-action action to v0.21.0 (v1.18) (cilium/cilium#43512, @cilium-renovate[bot])
chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 2383baa (v1.18) (cilium/cilium#43662, @cilium-renovate[bot])
chore(deps): update docker.io/library/golang:1.24.11 docker digest to 54528d1 (v1.18) (cilium/cilium#43464, @cilium-renovate[bot])
chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.7 (v1.18) (cilium/cilium#43465, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.34.12-1767177245-7935d4d711cb6f8020385a50c996b90896e16a71 (v1.18) (cilium/cilium#43539, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1767794330-db497dd19e346b39d81d7b5c0dedf6c812bcc5c9 (v1.18) (cilium/cilium#43638, @cilium-renovate[bot])
chore(deps): update rhysd/actionlint docker tag to v1.7.10 (v1.18) (cilium/cilium#43541, @cilium-renovate[bot])
Fix a regression in the new services control plane where loadBalancerSourceRanges was applied by default to all service types. (Backport PR cilium/cilium#43575, Upstream PR cilium/cilium#42351, @borkmann)
operator: the K8s Secret synchronization process now resynchronizes after an hour for synced Secrets. (Backport PR cilium/cilium#43425, Upstream PR cilium/cilium#42414, @youngnick)