1.14.0-snapshot.4

Summary of Changes

Major Changes:

• Add support for Kubernetes v1.27 (#25602, @nathanjsweet)
• Added L2 announcement feature (#25471, @dylandreimerink)
• cilium: IPv4 BIG TCP support (#26172, @borkmann)
• Implement BPF-based masquerading for IPv6 (#23165, @qmonnet)
• Introduce kvstoremesh, a clustermesh-apiserver companion component allowing to cache remote cluster information in the local kvstore for increased scalability and separation. (#26083, @giorio94)
• Module Health: Add Health Provider/Reporter (#25662, @tommyp1ckles)

Minor Changes:

• Add agent flag enable-ipsec-key-watcher to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (#25893, @pchaigno)
• Add helm value envoyConfig.enabled that can be used to enable CiliumEnvoyConfig CRD independently of Cilium Ingress controller. (#26005, @jrajahalme)
• Add option to remove query from HTTP flows (#25746, @ChrsMark)
• Add support for BGP graceful restart configuration via CiliumBGPPeeringPolicy CRD (#25660, @harsimran-pabla)
• Add support for eBGP-multihop configuration for CiliumBGPNeighbor in CiliumBGPPeeringPolicy CRD (#25708, @rastislavs)
• Add support for Hybrid mode when using DSR with Geneve dispatch. (#25553, @julianwiedmann)
• Add support for load-balancing encapsulated requests in a configuration with high-scale ipcache. (#25854, @julianwiedmann)
• Add support for load-balancing unencapsulated requests in a configuration with high-scale ipcache. (#25745, @julianwiedmann)
• Added Gratuitous ARP Pod Announcements (#25482, @markpash)
• Adds peerPort field to CiliumBGPPeeringPolicy for specifying the port of a BGP neighbor. If unspecified, port 179 is used. (#25809, @danehans)
• Allow devices from local route table to be used for datapath programs. (#24608, @oblazek)
• bgpv1: Consolidate CRD API to follow K8s API Conventions (#26040, @rastislavs)
• clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25905, @giorio94)
• daemon: don't allow egress gateway with KV store identity allocation (#26189, @jibi)
• Deprecate CNP Node status updates. (#24464, @marseel)
• envoy: Bump envoy version to v1.25.7 (#25882, @mhofstetter)
• etcd: extend rate limiting to consider the number of inflight requests (#25817, @giorio94)
• Extend the Helm chart to allow configuring kvstoremesh. (#26109, @giorio94)
• hubble: Add GetNamespaces to observer API (#25563, @chancez)
• ingress: Default TLS certificate for ingress (#26065, @sathieu)
• ipam: Add ability to automatically create CiliumPodIPPool resources in multi-pool IPAM mode (#25991, @gandro)
• ipmasq: Add support for ip-masq-agent with IPv6 (#23219, @qmonnet)
• mutual-auth: Avoid confusion on mTLS wording (#25761, @sayboras)
• mutual-auth: Support spire k8s service dns resolution (#26031, @sayboras)
• operator: Fix default API server addr in metrics subcommand (#26132, @pippolo84)
• Report the kernel error code in case of packet drops due to failures to create NAT map entries. (#25883, @julianwiedmann)
• Set BGP IdleHoldTimeAfterReset to 5 seconds, session reset can happen on BGP peer configuration change. (#26001, @harsimran-pabla)
• spire: Add identity GC capability (#25867, @sayboras)
• Support defining IPAM pools using CiliumPodIPPool CRD (#25824, @tklauser)
• Support externalTrafficPolicy=local for BGP CPlane service VIP advertisement (#25477, @YutaroHayakawa)
• Support Gateway API v0.7.0 (#25711, @meyskens)
• The deprecated pod-short context option in Hubble metrics is now removed (#26125, @lambdanis)

Bugfixes:

• bpf: fix error handling for invoke_tailcall_if() (#26118, @julianwiedmann)
• bpf: lxc: fix one missing drop notification in CT lookup tail calls (#26115, @julianwiedmann)
• bpf: nodeport: don't reset aggregate ID when revDNAT is called by bpf_lxc (#25929, @julianwiedmann)
• Envoy resource namespacing (#26037, @jrajahalme)
• Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (#25735, @pchaigno)
• Fix bug with toServices policy where service backend churn left stale CIDR identities (#25687, @christarazi)
• Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (#26093, @pchaigno)
• Fix for Identities that can be deleted before CESs are reconciled (#25001, @dlapcevic)
• Fix issue where Cilium ServiceAPI would ignore backend changes to services with backends that were used in several services and updated at least once (#24474, @strudelPi)
• Fix leak of IPsec XFRM FWD policies in IPAM modes cluster-pool, kubernetes, and crd when nodes are deleted.
  Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (#25953, @pchaigno)
• Fix missed deletion events when reconnecting to/disconnecting from remote clusters (identities) (#25677, @giorio94)
• Fix missed deletion events when reconnecting to/disconnecting from remote clusters (ipcache entries) (#25675, @giorio94)
• Fix panic due to nil-map assignment in l2announcer (#26315, @dylandreimerink)
• Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (#25936, @joamaki)
• Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (#25969, @jrajahalme)
• Fixes an issue where SRv6 encapsulated packets are forwarded to the wrong layer 2 next hop. (#26136, @ldelossa)

CI Changes:

• .github/workflows: add JUnit tag on workflows that have JUnits (#25930, @aanm)
• .github/workflows: let renovate update kind (#26312, @tklauser)
• .github: add cilium sysdump to test artifacts (#26143, @aanm)
• .github: add missing job to check for code changes (#25926, @aanm)
• .github: Fail if print-chart-version.sh fails or does not exist (#26086, @chancez)
• .github: simplify conformance-runtime workflow (#25955, @aanm)
• Add checker to verify if comments from ginkgo GH workflows are in sync (#25971, @aanm)
• Add schema validation for configuration-matrix files (#26081, @aanm)
• bgp,test: Properly wait for FRR container to be ready (#25777, @YutaroHayakawa)
• bgpv1: Avoid ports from common ip_local_port_range in unit tests (#26174, @rastislavs)
• bgpv1: Extend the timeout for the Test_NeighborAddDel test (#25970, @rastislavs)
• bpf unit tests: Run tests on changes to pks/bpf/** (#25911, @qmonnet)
• bpf: test: fix pktgen for IPv6 NEXTHDR_DEST option (#26151, @julianwiedmann)
• bpf: tests: test EgressGW reply path with native routing (#25932, @julianwiedmann)
• CI: Add JUnit reports upload (#25801, @brlbil)
• ci: github actions job to run kubernetes upstream conformance tests (#25913, @aojea)
• CI: Stabilize ConformanceKindEnvoyDaemonSet (#26260, @mhofstetter)
• CI: Verifier tests: Keep generated object files and logs on test failure (#25862, @qmonnet)
• CI: wait for cilium to become ready in conformance-{aks,gke} before port forward relay (#25839, @learnitall)
• conformance-k8s-kind: Use Helm mode cilium-cli (#25916, @michi-covalent)
• conformance-runtime: Bump timeout to wait for images (#25947, @michi-covalent)
• datapath/linux/ethtool: deflake TestIsVirtualDriver (#26027, @tklauser)
• docs: add documentation for Ginkgo-based GHA (#26055, @aanm)
• Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based ones (stable branches) (#26188, @giorio94)
• egressgw: switch to Cilium CLI connectivity tests (#25719, @jibi)
• gha: Increase Ingress status wait time (#26219, @sayboras)
• gha: Move to helm mode for aws-cni, eks, gke (#25820, @sayboras)
• gha: use Cilium CLI Helm mode for conformance-clustermesh (#25834, @giorio94)
• Improved reliability of pkg/hive/job timer double trigger unit test (#26022, @dylandreimerink)
• Run all ginkgo tests on GitHub actions (#25713, @aanm)
• test/nat46x64: silence curl output (#26024, @tklauser)
• test: Cleanup ginkgo test artifacts (#25833, @pchaigno)

Misc Changes:

• .github: add dedicated job to wait for images (#26184, @aanm)
• .github: Push Helm charts for hotfixes (#25836, @joestringer)
• .github: rebuild ginkgo tests in case of cache miss (#26263, @aanm)
• .github: refactor job matrix generation into YAML files (#26019, @aanm)
• Add detailed panic messages for slim ObjectMeta and ListMeta (#25107, @hemanthmalla)
• Add kvstoremesh Dockerfile and build images through the CI (#26106, @giorio94)
• Add microsoft as user to cilium (#25838, @tamilmani1989)
• Add Zero Hash to Cilium users (#25987, @eugenestarchenko)
• Added gARP capability to L2 announcer feature (#25933, @dylandreimerink)
• Added metrics for pkg/k8s/resource (#26269, @dylandreimerink)
• Adding Eficode to USERS.md (#25931, @punasusi)
• Agent: add support for watching kvstoremesh prefixes (#26154, @giorio94)
• Auth Map: Initial Garbage Collection (#25754, @mhofstetter)
• auth: add missing config values to helm values (#25973, @mhofstetter)
• auth: add missing stream package import (#26018, @giorio94)
• auth: feature flag for authentication (#26208, @mhofstetter)
• auth: fix initial k8s events sync in auth map gc (#26059, @mhofstetter)
• auth: implement re-authentication in case of rotated certificates (#25927, @mhofstetter)
• auth: policy based auth map GC (#26068, @mhofstetter)
• auth: streamline logging (#25965, @mhofstetter)
• auth: temporarily disable node-based auth gc (#26073, @mhofstetter)
• AWS CNI v1.12 Cilium install fixed. (#26084, @viktor-kurchenko)
• BGP CP: Updates docs for PeerPort (#25876, @danehans)
• bgpv1: Documentation update to reflect current architecture (#25954, @harsimran-pabla)
• bgpv1: graceful restart component test (#25914, @harsimran-pabla)
• bgpv1: Reset BGP session in UpdateNeighbor if necessary (#25827, @rastislavs)
• bpf: clean up some revalidate_data() users (#25337, @julianwiedmann)
• bpf: encap: send TO_OVERLAY trace before adding encapsulation (#25828, @julianwiedmann)
• bpf: fib: delay smac selection until fib_do_redirect() has picked the oif (#26290, @julianwiedmann)
• bpf: lb: minor cleanups (#26216, @julianwiedmann)
• bpf: minor HostFW cleanups (#25881, @julianwiedmann)
• bpf: misc CT cleanups (#26104, @julianwiedmann)
• bpf: nat: reduce CT lookup scope (#25917, @julianwiedmann)
• bpf: nat: remove unused ct_delete*() helpers (#26076, @julianwiedmann)
• bpf: nodeport: reduce CT lookup scope (#25826, @julianwiedmann)
• bpf: nodeport: wire up trace struct for IPv6 RevDNAT (#26047, @julianwiedmann)
• bpf: remove MapInfo, DumpParser and MapKey/Value DeepCopy (#25792, @ti-mo)
• bpf: Use "fallthrough;", compile with -Wimplicit-fallthrough (#26211, @qmonnet)
• bpf: xdp: fix coccicheck warning about DROP_MISSED_TAIL_CALL (#25924, @julianwiedmann)
• bpf: xdp: use CT tuple hash for tunnel encap's source port (#26177, @julianwiedmann)
• bugtool: dump auth map related information (#26066, @mhofstetter)
• build(deps): bump requests from 2.28.2 to 2.31.0 in /Documentation (#25603, @dependabot[bot])
• build: Avoid cross compilation issue on Windows (#25904, @sayboras)
• Change enableEndpointCRD helm option type from string to boolean
  Fix operator panic that occurs when Endpoint CRD is disabled and CiliumEndpointSlice is enabled (#25798, @doniacld)
• chore(deps): update all github action dependencies (main) (minor) (#25850, @renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#25846, @renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#26054, @renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.14.7 (main) (#25847, @renovate[bot])
• chore(deps): update dependency cilium/hubble to v0.11.6 (main) (#26041, @renovate[bot])
• chore(deps): update dependency go to v1.20.5 (main) (#26051, @renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#26261, @renovate[bot])
• chore(deps): update docker.io/library/golang:1.20.4 docker digest to 690e413 (main) (#25277, @renovate[bot])
• chore(deps): update docker.io/library/golang:1.20.5 docker digest to 6b3fa4b (main) (#26050, @renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2a357c4 (main) (#26284, @renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ac58ff7 (main) (#25295, @renovate[bot])
• chore(deps): update go to v1.20.5 (main) (patch) (#25957, @renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v1.53.2 (main) (#25841, @renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v1.53.3 (main) (#26258, @renovate[bot])
• chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (main) (#25996, @renovate[bot])
• cilium/cmd: Deprecate cilium endpoint regenerate command (#25949, @christarazi)
• cilium: Improve IPv6 BIG TCP probing (#26303, @borkmann)
• cli: add "cilium bpf config list" (#26105, @mhofstetter)
• clustermesh-apiserver: add missing metrics and documentation (#26070, @giorio94)
• clustermesh-apiserver: don't wait for the presence of unused CRDs (#26220, @giorio94)
• clustermesh-apiserver: rework identities, endpoints and nodes synchronization to improve performance (#25049, @giorio94)
• clustermesh: ensure that the status of the remote clusters controller is correcty reported (#26271, @giorio94)
• clustermesh: Introduce ClusterID reservation mechanism (#26124, @marseel)
• clustermesh: split the generic logic from the specific part (#25921, @giorio94)
• clustermesh: unbreak test (#26294, @giorio94)
• conformance-runtime: remove optimizations and update little-vm-helper (#25825, @aanm)
• Controller clean up (#25579, @jrajahalme)
• Convert daemon ipcache usages to new ipcache async API (#25749, @christarazi)
• converted node manager dynamic metrics into modular metrics (#25887, @dylandreimerink)
• CRD List Generation (#25910, @dhawton)
• ctmap: right-shift kernel jiffies by BPF_MONO_SCALER (#26197, @ti-mo)
• daemon, maps/ipcache: Replace usage of net.IP* for ingress IPs (#26045, @christarazi)
• daemon: Perform early (partial) local node info initialization (#24866, @joamaki)
• dnsproxy: stop using the regex lru in the dns proxy to avoid keeping large unused regex in memory when no longer needed (#22584, @odinuge)
• docker: Detect default "desktop-linux" builder (#25908, @jrajahalme)
• docs: Add APAC timezone meeting to README (#24902, @lizrice)
• docs: Add externalTrafficPolicy=Local description to BGP CPlane doc (#25960, @YutaroHayakawa)
• docs: add upgrade note about deletion of stale entries in clustermesh (#26067, @giorio94)
• docs: cleanup SPIRE & Envoy values in helm reference (#26039, @mhofstetter)
• docs: Deprecate cluster-pool-v2beta (#25767, @gandro)
• docs: remove clustermesh-apiserver gops port from system requirements (#26230, @giorio94)
• docs: Slack updates (#25723, @lizrice)
• Docs: Update BGP docs to reflect CRD consolidation (#26196, @rastislavs)
• docs: Update development setup with preferred kind-based approach (#25535, @christarazi)
• docs: Update governance voting templates (#25802, @joestringer)
• Document how to migrate from Ingress to Gateway API (#25599, @nvibert)
• Documentation: add CONFIG_SCHEDSTATS to required kconfigs (#26035, @ti-mo)
• Documentation: Document BGP timers & neighbor update behavior (#25906, @rastislavs)
• Documentation: include bgp cli commands in bgp-cp documentation (#25691, @harsimran-pabla)
• Dump maps and events for all lb4/6 v3 backends (#26108, @ti-mo)
• endpoint: fix policy map sync warning due to policymap authtype diffs (#26218, @mhofstetter)
• Fix and improve Conformance Ginkgo UX (#25950, @aanm)
• Fix CI image build cache (#26020, @aanm)
• Fix neighbor test flakes (#26156, @borkmann)
• fix(deps): pin dependencies (main) (#25539, @renovate[bot])
• fix(deps): pin dependencies (main) (#25849, @renovate[bot])
• fix(deps): update all go dependencies main (main) (minor) (#26286, @renovate[bot])
• fix(deps): update all go dependencies main (main) (patch) (#25542, @renovate[bot])
• fix(deps): update module github.com/docker/docker to v24 (main) (#26316, @renovate[bot])
• gateway-api: now function GatewayAPI also supports TLSRoute (#26060, @spacewander)
• gha: fix conformance-ginkgo base branch retrieval (#26085, @giorio94)
• helm: add extraArgs to clustermesh-apiserver (#25693, @rcanderson23)
• helm: Add flag to disable CRD check for mass server-side apply (#25956, @jcpunk)
• helm: address review comments regarding helm value docs (#26296, @tklauser)
• helm: Correct the flag names in validate.yaml (#26167, @sayboras)
• Improve Makefile to ease debugging (#26159, @pippolo84)
• Ingnore updating client-go fork in renovate dependencies (#26305, @marseel)
• install: Fail helm if kube-proxy-replacement is not valid (#25907, @jrajahalme)
• IPAM multipool followups (#26138, @tklauser)
• ipam/allocator: remove unused allocator types (#25963, @tklauser)
• ipcache: fix not waiting for k8s caches to sync (#25975, @squeed)
• ipsec: Fix cleanup of XFRM states and policies (#26072, @pchaigno)
• jenkinsfiles: remove ginkgo-based Jenkinsfiles (#26171, @aanm)
• k8s / policy: allow all services for toServices when using highscale ipcache (#26127, @squeed)
• k8s: fix ciliumpodippools CRD controller-gen version (#25976, @mhofstetter)
• k8s: Update comment about rule preprocessing (#25864, @odinuge)
• k8s: Use Resource[*Pod] in pod watcher for the local pod watching (#26181, @joamaki)
• kvstore: limit keys attached to single lease, and react to expiration (#25966, @giorio94)
• MAINTAINERS: Add Nick Young (#25874, @joestringer)
• Makefile: Fix kind deployment in quiet mode (#25873, @joestringer)
• Makefile: remove -test.v from GOTEST_BASE (#25703, @ti-mo)
• Makefile: use CLI options to set local images for kind-install-cilium-clustermesh (#25810, @thorn3r)
• metrics: Metrics initial modularization (#25651, @dylandreimerink)
• metrics: provide the global services metric through the hive (#26157, @giorio94)
• node_ids: introduce GetNodeID (#26155, @mhofstetter)
• pkg/datapath: skip TestArpPingHandling due flakiness (#25840, @aanm)
• pkg/ipam: Update histogram buckets for trigger metrics (#25600, @hemanthmalla)
• policy: Add GetAuthTypes() (#26116, @jrajahalme)
• Prepare for release v1.14.0-snapshot.3 (#25830, @aanm)
• proxy: introduce initial proxy cell (#25779, @mhofstetter)
• README: Update for latest snapshot prerelease (#25845, @joestringer)
• Remove custom iproute2 fork (#26221, @ti-mo)
• Remove ip assignments for cilium_host from init.sh (#25771, @rgo3)
• Remove references to GOPATH in documentation (#25942, @JamesLaverack)
• renovate: exclude github.com/{cilium,vishvananda}/netlink (#26311, @tklauser)
• Replace client-go with private fork. (#26250, @marseel)
• Replaces K8s NewDeltaFIFO with NewDeltaFIFOWithOptions (#25606, @danehans)
• resource: Add Resource[Endpoints] and adapt existing watchers (#23977, @joamaki)
• resource: Fix flaky test due to missing Done call (#25646, @joamaki)
• resource: implement stream.Observable (#25934, @mhofstetter)
• statedb: Fix WriteJSON with multiple tables (#24970, @joamaki)
• stream: Improve function documentation (#25922, @joamaki)
• test/k8s: make kafka tests more reliable (#26121, @aanm)
• testutils: remove gocheck (#25684, @lmb)
• Update network attacker sections of the threat model (#25640, @ferozsalam)
• Update stable releases (#26272, @qmonnet)
• Update USERS.md for SIGHUP (#25982, @julianwiedmann)
• Updates informer pkg to use TransformFunc() (#25604, @danehans)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.0-snapshot.4@sha256:dd75919c7b81d06289ffa1dcc0e238f77294a45c57212a87634f277f28835e7d
quay.io/cilium/cilium:v1.14.0-snapshot.4@sha256:dd75919c7b81d06289ffa1dcc0e238f77294a45c57212a87634f277f28835e7d

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.4@sha256:2b844061901af8bd3da5bb99d893694c915e2ceee05e661131e2d684fb0de68c
quay.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.4@sha256:2b844061901af8bd3da5bb99d893694c915e2ceee05e661131e2d684fb0de68c

docker-plugin

docker.io/cilium/docker-plugin:v1.14.0-snapshot.4@sha256:0282b913a1fecd2088d64296e492a1a786a3f839551bf00679ae469a4558b620
quay.io/cilium/docker-plugin:v1.14.0-snapshot.4@sha256:0282b913a1fecd2088d64296e492a1a786a3f839551bf00679ae469a4558b620

hubble-relay

docker.io/cilium/hubble-relay:v1.14.0-snapshot.4@sha256:5a04cc8b09a00a254466b09f8ff77b9e4e56954aa5ac13f43c8a7c05a5725cd1
quay.io/cilium/hubble-relay:v1.14.0-snapshot.4@sha256:5a04cc8b09a00a254466b09f8ff77b9e4e56954aa5ac13f43c8a7c05a5725cd1

kvstoremesh

docker.io/cilium/kvstoremesh:v1.14.0-snapshot.4@sha256:a6c5a3f0f420fde69d4e60fdda82bd78c244fb2c12d09a6041a636840a02cc17
quay.io/cilium/kvstoremesh:v1.14.0-snapshot.4@sha256:a6c5a3f0f420fde69d4e60fdda82bd78c244fb2c12d09a6041a636840a02cc17

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.0-snapshot.4@sha256:86e40be4fac515ec3aae3f54bad8b7112ed0001a860c86092342dfd49fb5b97f
quay.io/cilium/operator-alibabacloud:v1.14.0-snapshot.4@sha256:86e40be4fac515ec3aae3f54bad8b7112ed0001a860c86092342dfd49fb5b97f

operator-aws

docker.io/cilium/operator-aws:v1.14.0-snapshot.4@sha256:449e30b7bf5492adfc605c50a1a0f5fc822af20ec6787fa93070a22fd5524731
quay.io/cilium/operator-aws:v1.14.0-snapshot.4@sha256:449e30b7bf5492adfc605c50a1a0f5fc822af20ec6787fa93070a22fd5524731

operator-azure

docker.io/cilium/operator-azure:v1.14.0-snapshot.4@sha256:72055583294266a78a2262d17fba2129f568946ba61708ee89e2bf74f7da693b
quay.io/cilium/operator-azure:v1.14.0-snapshot.4@sha256:72055583294266a78a2262d17fba2129f568946ba61708ee89e2bf74f7da693b

operator-generic

docker.io/cilium/operator-generic:v1.14.0-snapshot.4@sha256:1bfe879fff900180000265743afde223c809e3189c8dd704b1c10fb0ccedba6f
quay.io/cilium/operator-generic:v1.14.0-snapshot.4@sha256:1bfe879fff900180000265743afde223c809e3189c8dd704b1c10fb0ccedba6f

operator

docker.io/cilium/operator:v1.14.0-snapshot.4@sha256:2d47129ebb7bfca3b65e628c0eaaf02d1708ae4aedd29d70ea0f9dc282a7ebda
quay.io/cilium/operator:v1.14.0-snapshot.4@sha256:2d47129ebb7bfca3b65e628c0eaaf02d1708ae4aedd29d70ea0f9dc282a7ebda