1.14.0-snapshot.4
Pre-releaseSummary of Changes
Major Changes:
- Add support for Kubernetes v1.27 (#25602, @nathanjsweet)
- Added L2 announcement feature (#25471, @dylandreimerink)
- cilium: IPv4 BIG TCP support (#26172, @borkmann)
- Implement BPF-based masquerading for IPv6 (#23165, @qmonnet)
- Introduce kvstoremesh, a clustermesh-apiserver companion component allowing to cache remote cluster information in the local kvstore for increased scalability and separation. (#26083, @giorio94)
- Module Health: Add Health Provider/Reporter (#25662, @tommyp1ckles)
Minor Changes:
- Add agent flag
enable-ipsec-key-watcher
to allow users to disable the IPsec key watcher and thus require an agent restart for the key rotation to take effect. (#25893, @pchaigno) - Add helm value
envoyConfig.enabled
that can be used to enable CiliumEnvoyConfig CRD independently of Cilium Ingress controller. (#26005, @jrajahalme) - Add option to remove query from HTTP flows (#25746, @ChrsMark)
- Add support for BGP graceful restart configuration via CiliumBGPPeeringPolicy CRD (#25660, @harsimran-pabla)
- Add support for eBGP-multihop configuration for CiliumBGPNeighbor in CiliumBGPPeeringPolicy CRD (#25708, @rastislavs)
- Add support for Hybrid mode when using DSR with Geneve dispatch. (#25553, @julianwiedmann)
- Add support for load-balancing encapsulated requests in a configuration with high-scale ipcache. (#25854, @julianwiedmann)
- Add support for load-balancing unencapsulated requests in a configuration with high-scale ipcache. (#25745, @julianwiedmann)
- Added Gratuitous ARP Pod Announcements (#25482, @markpash)
- Adds
peerPort
field to CiliumBGPPeeringPolicy for specifying the port of a BGP neighbor. If unspecified, port 179 is used. (#25809, @danehans) - Allow devices from local route table to be used for datapath programs. (#24608, @oblazek)
- bgpv1: Consolidate CRD API to follow K8s API Conventions (#26040, @rastislavs)
- clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25905, @giorio94)
- daemon: don't allow egress gateway with KV store identity allocation (#26189, @jibi)
- Deprecate CNP Node status updates. (#24464, @marseel)
- envoy: Bump envoy version to v1.25.7 (#25882, @mhofstetter)
- etcd: extend rate limiting to consider the number of inflight requests (#25817, @giorio94)
- Extend the Helm chart to allow configuring kvstoremesh. (#26109, @giorio94)
- hubble: Add GetNamespaces to observer API (#25563, @chancez)
- ingress: Default TLS certificate for ingress (#26065, @sathieu)
- ipam: Add ability to automatically create
CiliumPodIPPool
resources in multi-pool IPAM mode (#25991, @gandro) - ipmasq: Add support for ip-masq-agent with IPv6 (#23219, @qmonnet)
- mutual-auth: Avoid confusion on mTLS wording (#25761, @sayboras)
- mutual-auth: Support spire k8s service dns resolution (#26031, @sayboras)
- operator: Fix default API server addr in metrics subcommand (#26132, @pippolo84)
- Report the kernel error code in case of packet drops due to failures to create NAT map entries. (#25883, @julianwiedmann)
- Set BGP IdleHoldTimeAfterReset to 5 seconds, session reset can happen on BGP peer configuration change. (#26001, @harsimran-pabla)
- spire: Add identity GC capability (#25867, @sayboras)
- Support defining IPAM pools using CiliumPodIPPool CRD (#25824, @tklauser)
- Support externalTrafficPolicy=local for BGP CPlane service VIP advertisement (#25477, @YutaroHayakawa)
- Support Gateway API v0.7.0 (#25711, @meyskens)
- The deprecated pod-short context option in Hubble metrics is now removed (#26125, @lambdanis)
Bugfixes:
- bpf: fix error handling for invoke_tailcall_if() (#26118, @julianwiedmann)
- bpf: lxc: fix one missing drop notification in CT lookup tail calls (#26115, @julianwiedmann)
- bpf: nodeport: don't reset aggregate ID when revDNAT is called by bpf_lxc (#25929, @julianwiedmann)
- Envoy resource namespacing (#26037, @jrajahalme)
- Fix a bug that would cause connectivity drops of type XfrmOutPolBlock on upgrade when IPsec is enabled. (#25735, @pchaigno)
- Fix bug with
toServices
policy where service backend churn left stale CIDR identities (#25687, @christarazi) - Fix false error log message when IPsec is enabled with IPAM modes ENI or Azure and a remote node is deleted. (#26093, @pchaigno)
- Fix for Identities that can be deleted before CESs are reconciled (#25001, @dlapcevic)
- Fix issue where Cilium ServiceAPI would ignore backend changes to services with backends that were used in several services and updated at least once (#24474, @strudelPi)
- Fix leak of IPsec XFRM FWD policies in IPAM modes
cluster-pool
,kubernetes
, andcrd
when nodes are deleted.
Fix incorrect catch-all default-drop XFRM OUT policy for IPsec IPv6 traffic that could lead to leaking plain-text IPv6 traffic if combined with some other bug. (#25953, @pchaigno) - Fix missed deletion events when reconnecting to/disconnecting from remote clusters (identities) (#25677, @giorio94)
- Fix missed deletion events when reconnecting to/disconnecting from remote clusters (ipcache entries) (#25675, @giorio94)
- Fix panic due to nil-map assignment in l2announcer (#26315, @dylandreimerink)
- Fix three issues in the bug fix to attach IPsec BPF programs to ENI interfaces: do not fatal if loading unexpectedly fails (which may happen if the device is suddenly deleted), ignore veth device changes in order not to reinitialize when new endpoints appear and wait 1 second for further device state changes between reinitializations. (#25936, @joamaki)
- Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (#25969, @jrajahalme)
- Fixes an issue where SRv6 encapsulated packets are forwarded to the wrong layer 2 next hop. (#26136, @ldelossa)
CI Changes:
- .github/workflows: add JUnit tag on workflows that have JUnits (#25930, @aanm)
- .github/workflows: let renovate update kind (#26312, @tklauser)
- .github: add cilium sysdump to test artifacts (#26143, @aanm)
- .github: add missing job to check for code changes (#25926, @aanm)
- .github: Fail if print-chart-version.sh fails or does not exist (#26086, @chancez)
- .github: simplify conformance-runtime workflow (#25955, @aanm)
- Add checker to verify if comments from ginkgo GH workflows are in sync (#25971, @aanm)
- Add schema validation for configuration-matrix files (#26081, @aanm)
- bgp,test: Properly wait for FRR container to be ready (#25777, @YutaroHayakawa)
- bgpv1: Avoid ports from common ip_local_port_range in unit tests (#26174, @rastislavs)
- bgpv1: Extend the timeout for the Test_NeighborAddDel test (#25970, @rastislavs)
- bpf unit tests: Run tests on changes to pks/bpf/** (#25911, @qmonnet)
- bpf: test: fix pktgen for IPv6 NEXTHDR_DEST option (#26151, @julianwiedmann)
- bpf: tests: test EgressGW reply path with native routing (#25932, @julianwiedmann)
- CI: Add JUnit reports upload (#25801, @brlbil)
- ci: github actions job to run kubernetes upstream conformance tests (#25913, @aojea)
- CI: Stabilize ConformanceKindEnvoyDaemonSet (#26260, @mhofstetter)
- CI: Verifier tests: Keep generated object files and logs on test failure (#25862, @qmonnet)
- CI: wait for cilium to become ready in conformance-{aks,gke} before port forward relay (#25839, @learnitall)
- conformance-k8s-kind: Use Helm mode cilium-cli (#25916, @michi-covalent)
- conformance-runtime: Bump timeout to wait for images (#25947, @michi-covalent)
- datapath/linux/ethtool: deflake TestIsVirtualDriver (#26027, @tklauser)
- docs: add documentation for Ginkgo-based GHA (#26055, @aanm)
- Drop the GKE-based multicluster GitHub actions workflow in favor of the kind-based ones (stable branches) (#26188, @giorio94)
- egressgw: switch to Cilium CLI connectivity tests (#25719, @jibi)
- gha: Increase Ingress status wait time (#26219, @sayboras)
- gha: Move to helm mode for aws-cni, eks, gke (#25820, @sayboras)
- gha: use Cilium CLI Helm mode for conformance-clustermesh (#25834, @giorio94)
- Improved reliability of pkg/hive/job timer double trigger unit test (#26022, @dylandreimerink)
- Run all ginkgo tests on GitHub actions (#25713, @aanm)
- test/nat46x64: silence curl output (#26024, @tklauser)
- test: Cleanup ginkgo test artifacts (#25833, @pchaigno)
Misc Changes:
- .github: add dedicated job to wait for images (#26184, @aanm)
- .github: Push Helm charts for hotfixes (#25836, @joestringer)
- .github: rebuild ginkgo tests in case of cache miss (#26263, @aanm)
- .github: refactor job matrix generation into YAML files (#26019, @aanm)
- Add detailed panic messages for slim ObjectMeta and ListMeta (#25107, @hemanthmalla)
- Add kvstoremesh Dockerfile and build images through the CI (#26106, @giorio94)
- Add microsoft as user to cilium (#25838, @tamilmani1989)
- Add Zero Hash to Cilium users (#25987, @eugenestarchenko)
- Added gARP capability to L2 announcer feature (#25933, @dylandreimerink)
- Added metrics for pkg/k8s/resource (#26269, @dylandreimerink)
- Adding Eficode to USERS.md (#25931, @punasusi)
- Agent: add support for watching kvstoremesh prefixes (#26154, @giorio94)
- Auth Map: Initial Garbage Collection (#25754, @mhofstetter)
- auth: add missing config values to helm values (#25973, @mhofstetter)
- auth: add missing stream package import (#26018, @giorio94)
- auth: feature flag for authentication (#26208, @mhofstetter)
- auth: fix initial k8s events sync in auth map gc (#26059, @mhofstetter)
- auth: implement re-authentication in case of rotated certificates (#25927, @mhofstetter)
- auth: policy based auth map GC (#26068, @mhofstetter)
- auth: streamline logging (#25965, @mhofstetter)
- auth: temporarily disable node-based auth gc (#26073, @mhofstetter)
- AWS CNI v1.12 Cilium install fixed. (#26084, @viktor-kurchenko)
- BGP CP: Updates docs for PeerPort (#25876, @danehans)
- bgpv1: Documentation update to reflect current architecture (#25954, @harsimran-pabla)
- bgpv1: graceful restart component test (#25914, @harsimran-pabla)
- bgpv1: Reset BGP session in UpdateNeighbor if necessary (#25827, @rastislavs)
- bpf: clean up some revalidate_data() users (#25337, @julianwiedmann)
- bpf: encap: send TO_OVERLAY trace before adding encapsulation (#25828, @julianwiedmann)
- bpf: fib: delay smac selection until fib_do_redirect() has picked the oif (#26290, @julianwiedmann)
- bpf: lb: minor cleanups (#26216, @julianwiedmann)
- bpf: minor HostFW cleanups (#25881, @julianwiedmann)
- bpf: misc CT cleanups (#26104, @julianwiedmann)
- bpf: nat: reduce CT lookup scope (#25917, @julianwiedmann)
- bpf: nat: remove unused ct_delete*() helpers (#26076, @julianwiedmann)
- bpf: nodeport: reduce CT lookup scope (#25826, @julianwiedmann)
- bpf: nodeport: wire up trace struct for IPv6 RevDNAT (#26047, @julianwiedmann)
- bpf: remove MapInfo, DumpParser and MapKey/Value DeepCopy (#25792, @ti-mo)
- bpf: Use "fallthrough;", compile with -Wimplicit-fallthrough (#26211, @qmonnet)
- bpf: xdp: fix coccicheck warning about DROP_MISSED_TAIL_CALL (#25924, @julianwiedmann)
- bpf: xdp: use CT tuple hash for tunnel encap's source port (#26177, @julianwiedmann)
- bugtool: dump auth map related information (#26066, @mhofstetter)
- build(deps): bump requests from 2.28.2 to 2.31.0 in /Documentation (#25603, @dependabot[bot])
- build: Avoid cross compilation issue on Windows (#25904, @sayboras)
- Change enableEndpointCRD helm option type from string to boolean
Fix operator panic that occurs when Endpoint CRD is disabled and CiliumEndpointSlice is enabled (#25798, @doniacld) - chore(deps): update all github action dependencies (main) (minor) (#25850, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#25846, @renovate[bot])
- chore(deps): update all github action dependencies (main) (patch) (#26054, @renovate[bot])
- chore(deps): update dependency cilium/cilium-cli to v0.14.7 (main) (#25847, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.11.6 (main) (#26041, @renovate[bot])
- chore(deps): update dependency go to v1.20.5 (main) (#26051, @renovate[bot])
- chore(deps): update docker.io/library/alpine docker tag to v3.18.2 (main) (#26261, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.4 docker digest to 690e413 (main) (#25277, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.5 docker digest to 6b3fa4b (main) (#26050, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 2a357c4 (main) (#26284, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ac58ff7 (main) (#25295, @renovate[bot])
- chore(deps): update go to v1.20.5 (main) (patch) (#25957, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.53.2 (main) (#25841, @renovate[bot])
- chore(deps): update golangci/golangci-lint docker tag to v1.53.3 (main) (#26258, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.11.6 (main) (#25996, @renovate[bot])
- cilium/cmd: Deprecate
cilium endpoint regenerate
command (#25949, @christarazi) - cilium: Improve IPv6 BIG TCP probing (#26303, @borkmann)
- cli: add "cilium bpf config list" (#26105, @mhofstetter)
- clustermesh-apiserver: add missing metrics and documentation (#26070, @giorio94)
- clustermesh-apiserver: don't wait for the presence of unused CRDs (#26220, @giorio94)
- clustermesh-apiserver: rework identities, endpoints and nodes synchronization to improve performance (#25049, @giorio94)
- clustermesh: ensure that the status of the remote clusters controller is correcty reported (#26271, @giorio94)
- clustermesh: Introduce ClusterID reservation mechanism (#26124, @marseel)
- clustermesh: split the generic logic from the specific part (#25921, @giorio94)
- clustermesh: unbreak test (#26294, @giorio94)
- conformance-runtime: remove optimizations and update little-vm-helper (#25825, @aanm)
- Controller clean up (#25579, @jrajahalme)
- Convert daemon ipcache usages to new ipcache async API (#25749, @christarazi)
- converted node manager dynamic metrics into modular metrics (#25887, @dylandreimerink)
- CRD List Generation (#25910, @dhawton)
- ctmap: right-shift kernel jiffies by BPF_MONO_SCALER (#26197, @ti-mo)
- daemon, maps/ipcache: Replace usage of
net.IP*
for ingress IPs (#26045, @christarazi) - daemon: Perform early (partial) local node info initialization (#24866, @joamaki)
- dnsproxy: stop using the regex lru in the dns proxy to avoid keeping large unused regex in memory when no longer needed (#22584, @odinuge)
- docker: Detect default "desktop-linux" builder (#25908, @jrajahalme)
- docs: Add APAC timezone meeting to README (#24902, @lizrice)
- docs: Add externalTrafficPolicy=Local description to BGP CPlane doc (#25960, @YutaroHayakawa)
- docs: add upgrade note about deletion of stale entries in clustermesh (#26067, @giorio94)
- docs: cleanup SPIRE & Envoy values in helm reference (#26039, @mhofstetter)
- docs: Deprecate
cluster-pool-v2beta
(#25767, @gandro) - docs: remove clustermesh-apiserver gops port from system requirements (#26230, @giorio94)
- docs: Slack updates (#25723, @lizrice)
- Docs: Update BGP docs to reflect CRD consolidation (#26196, @rastislavs)
- docs: Update development setup with preferred kind-based approach (#25535, @christarazi)
- docs: Update governance voting templates (#25802, @joestringer)
- Document how to migrate from Ingress to Gateway API (#25599, @nvibert)
- Documentation: add CONFIG_SCHEDSTATS to required kconfigs (#26035, @ti-mo)
- Documentation: Document BGP timers & neighbor update behavior (#25906, @rastislavs)
- Documentation: include bgp cli commands in bgp-cp documentation (#25691, @harsimran-pabla)
- Dump maps and events for all lb4/6 v3 backends (#26108, @ti-mo)
- endpoint: fix policy map sync warning due to policymap authtype diffs (#26218, @mhofstetter)
- Fix and improve Conformance Ginkgo UX (#25950, @aanm)
- Fix CI image build cache (#26020, @aanm)
- Fix neighbor test flakes (#26156, @borkmann)
- fix(deps): pin dependencies (main) (#25539, @renovate[bot])
- fix(deps): pin dependencies (main) (#25849, @renovate[bot])
- fix(deps): update all go dependencies main (main) (minor) (#26286, @renovate[bot])
- fix(deps): update all go dependencies main (main) (patch) (#25542, @renovate[bot])
- fix(deps): update module github.com/docker/docker to v24 (main) (#26316, @renovate[bot])
- gateway-api: now function GatewayAPI also supports TLSRoute (#26060, @spacewander)
- gha: fix conformance-ginkgo base branch retrieval (#26085, @giorio94)
- helm: add extraArgs to clustermesh-apiserver (#25693, @rcanderson23)
- helm: Add flag to disable CRD check for mass server-side apply (#25956, @jcpunk)
- helm: address review comments regarding helm value docs (#26296, @tklauser)
- helm: Correct the flag names in validate.yaml (#26167, @sayboras)
- Improve Makefile to ease debugging (#26159, @pippolo84)
- Ingnore updating client-go fork in renovate dependencies (#26305, @marseel)
- install: Fail helm if kube-proxy-replacement is not valid (#25907, @jrajahalme)
- IPAM multipool followups (#26138, @tklauser)
- ipam/allocator: remove unused allocator types (#25963, @tklauser)
- ipcache: fix not waiting for k8s caches to sync (#25975, @squeed)
- ipsec: Fix cleanup of XFRM states and policies (#26072, @pchaigno)
- jenkinsfiles: remove ginkgo-based Jenkinsfiles (#26171, @aanm)
- k8s / policy: allow all services for toServices when using highscale ipcache (#26127, @squeed)
- k8s: fix ciliumpodippools CRD controller-gen version (#25976, @mhofstetter)
- k8s: Update comment about rule preprocessing (#25864, @odinuge)
- k8s: Use Resource[*Pod] in pod watcher for the local pod watching (#26181, @joamaki)
- kvstore: limit keys attached to single lease, and react to expiration (#25966, @giorio94)
- MAINTAINERS: Add Nick Young (#25874, @joestringer)
- Makefile: Fix kind deployment in quiet mode (#25873, @joestringer)
- Makefile: remove -test.v from GOTEST_BASE (#25703, @ti-mo)
- Makefile: use CLI options to set local images for kind-install-cilium-clustermesh (#25810, @thorn3r)
- metrics: Metrics initial modularization (#25651, @dylandreimerink)
- metrics: provide the global services metric through the hive (#26157, @giorio94)
- node_ids: introduce GetNodeID (#26155, @mhofstetter)
- pkg/datapath: skip TestArpPingHandling due flakiness (#25840, @aanm)
- pkg/ipam: Update histogram buckets for trigger metrics (#25600, @hemanthmalla)
- policy: Add GetAuthTypes() (#26116, @jrajahalme)
- Prepare for release v1.14.0-snapshot.3 (#25830, @aanm)
- proxy: introduce initial proxy cell (#25779, @mhofstetter)
- README: Update for latest snapshot prerelease (#25845, @joestringer)
- Remove custom iproute2 fork (#26221, @ti-mo)
- Remove ip assignments for cilium_host from init.sh (#25771, @rgo3)
- Remove references to GOPATH in documentation (#25942, @JamesLaverack)
- renovate: exclude github.com/{cilium,vishvananda}/netlink (#26311, @tklauser)
- Replace client-go with private fork. (#26250, @marseel)
- Replaces K8s NewDeltaFIFO with NewDeltaFIFOWithOptions (#25606, @danehans)
- resource: Add Resource[Endpoints] and adapt existing watchers (#23977, @joamaki)
- resource: Fix flaky test due to missing Done call (#25646, @joamaki)
- resource: implement stream.Observable (#25934, @mhofstetter)
- statedb: Fix WriteJSON with multiple tables (#24970, @joamaki)
- stream: Improve function documentation (#25922, @joamaki)
- test/k8s: make kafka tests more reliable (#26121, @aanm)
- testutils: remove gocheck (#25684, @lmb)
- Update network attacker sections of the threat model (#25640, @ferozsalam)
- Update stable releases (#26272, @qmonnet)
- Update USERS.md for SIGHUP (#25982, @julianwiedmann)
- Updates informer pkg to use TransformFunc() (#25604, @danehans)
Docker Manifests
cilium
docker.io/cilium/cilium:v1.14.0-snapshot.4@sha256:dd75919c7b81d06289ffa1dcc0e238f77294a45c57212a87634f277f28835e7d
quay.io/cilium/cilium:v1.14.0-snapshot.4@sha256:dd75919c7b81d06289ffa1dcc0e238f77294a45c57212a87634f277f28835e7d
clustermesh-apiserver
docker.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.4@sha256:2b844061901af8bd3da5bb99d893694c915e2ceee05e661131e2d684fb0de68c
quay.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.4@sha256:2b844061901af8bd3da5bb99d893694c915e2ceee05e661131e2d684fb0de68c
docker-plugin
docker.io/cilium/docker-plugin:v1.14.0-snapshot.4@sha256:0282b913a1fecd2088d64296e492a1a786a3f839551bf00679ae469a4558b620
quay.io/cilium/docker-plugin:v1.14.0-snapshot.4@sha256:0282b913a1fecd2088d64296e492a1a786a3f839551bf00679ae469a4558b620
hubble-relay
docker.io/cilium/hubble-relay:v1.14.0-snapshot.4@sha256:5a04cc8b09a00a254466b09f8ff77b9e4e56954aa5ac13f43c8a7c05a5725cd1
quay.io/cilium/hubble-relay:v1.14.0-snapshot.4@sha256:5a04cc8b09a00a254466b09f8ff77b9e4e56954aa5ac13f43c8a7c05a5725cd1
kvstoremesh
docker.io/cilium/kvstoremesh:v1.14.0-snapshot.4@sha256:a6c5a3f0f420fde69d4e60fdda82bd78c244fb2c12d09a6041a636840a02cc17
quay.io/cilium/kvstoremesh:v1.14.0-snapshot.4@sha256:a6c5a3f0f420fde69d4e60fdda82bd78c244fb2c12d09a6041a636840a02cc17
operator-alibabacloud
docker.io/cilium/operator-alibabacloud:v1.14.0-snapshot.4@sha256:86e40be4fac515ec3aae3f54bad8b7112ed0001a860c86092342dfd49fb5b97f
quay.io/cilium/operator-alibabacloud:v1.14.0-snapshot.4@sha256:86e40be4fac515ec3aae3f54bad8b7112ed0001a860c86092342dfd49fb5b97f
operator-aws
docker.io/cilium/operator-aws:v1.14.0-snapshot.4@sha256:449e30b7bf5492adfc605c50a1a0f5fc822af20ec6787fa93070a22fd5524731
quay.io/cilium/operator-aws:v1.14.0-snapshot.4@sha256:449e30b7bf5492adfc605c50a1a0f5fc822af20ec6787fa93070a22fd5524731
operator-azure
docker.io/cilium/operator-azure:v1.14.0-snapshot.4@sha256:72055583294266a78a2262d17fba2129f568946ba61708ee89e2bf74f7da693b
quay.io/cilium/operator-azure:v1.14.0-snapshot.4@sha256:72055583294266a78a2262d17fba2129f568946ba61708ee89e2bf74f7da693b
operator-generic
docker.io/cilium/operator-generic:v1.14.0-snapshot.4@sha256:1bfe879fff900180000265743afde223c809e3189c8dd704b1c10fb0ccedba6f
quay.io/cilium/operator-generic:v1.14.0-snapshot.4@sha256:1bfe879fff900180000265743afde223c809e3189c8dd704b1c10fb0ccedba6f
operator
docker.io/cilium/operator:v1.14.0-snapshot.4@sha256:2d47129ebb7bfca3b65e628c0eaaf02d1708ae4aedd29d70ea0f9dc282a7ebda
quay.io/cilium/operator:v1.14.0-snapshot.4@sha256:2d47129ebb7bfca3b65e628c0eaaf02d1708ae4aedd29d70ea0f9dc282a7ebda