Exclude topology.kubernetes.io labels from security labels by default (Backport PR cilium/cilium#43780, Upstream PR cilium/cilium#43725, @moscicky)
hubble-relay: Add hubble.relay.logOptions.format and hubble.relay.logOptions.level Helm values to configure log format (text, text-ts, json, json-ts) and level (debug, info, warn, error) (Backport PR cilium/cilium#44003, Upstream PR cilium/cilium#43644, @puwun)
Split selector cache to reduce CPU usage and lock contention in the selector cache (Backport PR cilium/cilium#44025, Upstream PR cilium/cilium#42580, @odinuge)
Bugfixes:
Add support for specifying plpmtud (MTU discovery) settings for Pod endpoints, with the default now being "1" (blackhole-detected). (Backport PR cilium/cilium#44025, Upstream PR cilium/cilium#43710, @tommyp1ckles)
clustermesh: correctly phase out not ready/not service endpoints from global services (Backport PR cilium/cilium#44025, Upstream PR cilium/cilium#43807, @MrFreezeex)
endpoint/manager: wait for completed endpoint restoration before starting periodic GC & regeneration controllers (Backport PR cilium/cilium#43866, Upstream PR cilium/cilium#43776, @mhofstetter)
endpoint/mgr: don't register periodic regeneration if interval is 0 (Backport PR cilium/cilium#43866, Upstream PR cilium/cilium#43790, @mhofstetter)
Fix a bug where removed addresses from EndpointSlices might be missed if multiple EndpointSlices share the same name (Backport PR cilium/cilium#44025, Upstream PR cilium/cilium#43999, @EmilyShepherd)
fix: incorrect schema entries for CPU limits (Backport PR cilium/cilium#43780, Upstream PR cilium/cilium#43735, @jcpunk)
gateway api: fix for multiple listeners on a gateway check (Backport PR cilium/cilium#43922, Upstream PR cilium/cilium#43802, @xtineskim)
Hubble Export FieldMask: introduce functionality to specify multiple 'oneof' variants like l4.TCP/l4.UDP. Hubble Export Aggregation: enrich aggregated flow logs with timestamp to preserve temporal context. (Backport PR cilium/cilium#44003, Upstream PR cilium/cilium#43924, @mereta)
Make BIG TCP initialization flow more robust and fix bugs. (Backport PR cilium/cilium#44025, Upstream PR cilium/cilium#43891, @gentoo-root)
chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e226d63 (v1.19) (cilium/cilium#43973, @cilium-renovate[bot])
chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260114104534-18147eee9c49 (v1.19) (cilium/cilium#43835, @cilium-renovate[bot])
chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260123105127-470c3a315f3a (v1.19) (cilium/cilium#43974, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768610924-2528359430c6adba1ab20fc8396b4effe491ed96 (v1.19) (cilium/cilium#43836, @cilium-renovate[bot])
chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.19) (cilium/cilium#43975, @cilium-renovate[bot])
endpoint/restore: remove special handling for host endpoint in case of ipsec (Backport PR cilium/cilium#43922, Upstream PR cilium/cilium#43757, @mhofstetter)
Fix BPF IPv6 neighbor discovery code to fully pull in skb data into linear section. (Backport PR cilium/cilium#43922, Upstream PR cilium/cilium#43873, @borkmann)