1.16.0-pre.3

Summary of Changes

Major Changes:

• BGP: New BGP APIs can be used to configure Cilium BGP Control Plane. (#32426, @harsimran-pabla)
• NAT source port metrics & table (#32152, @tommyp1ckles)

Minor Changes:

• Add CiliumNodeConfig CRD on API v2 (#31721, @doniacld)
• Added a new annotation ingress.cilium.io/loadbalancer-class to control the LoadBalancerClass of a dedicated LB via the ingress. (#31650, @Sh4d1)
• cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (#32119, @jrajahalme)
• CiliumEnvoyConfig CRDs now support an optional 'ports' field in services objects, limiting the redirected service frontends to the ones whose port is listed. (#32382, @jrajahalme)
• CiliumNetworkPolicies are now validated by the operator and the result set in the object's Status field. (#32727, @squeed)
• Do not include the unnecessary "localhost" SAN in autogenerated clustermesh admin certificates (#32662, @giorio94)
• gateway-api: ALPN support (#32486, @rauanmayemir)
• Generate SBOMs using Syft instead of bom (#32307, @ferozsalam)
• Helm: Add new value `.Values.clustermesh.apiserver.tls.enableSecrets. Setting this value to false will disable the creation of TLS certificate secrets for clustermesh, enabling out-of-band TLS certificate secret management. (#32196, @soggiest)
• Hubble peer's port number is inferred from the agent's configuration instead of assuming defaults (#32729, @AwesomePatrol)
• hubble: add SNAT IP flow field and filter (#32130, @kaworu)
• hubble: add support to filter Hubble flow by network interface. (#32286, @kaworu)
• hubble: add the cluster name to a flow's source and destination endpoints (#32313, @rolinh)
• Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (#32577, @marseel)
• ingress: request timeout control via operator flag & annotation (#31693, @a5r0n)
• Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (#32336, @giorio94)
• ipsec: Improve CPU usage of cilum-agent in large clusters (#32588, @marseel)
• KVStoreMesh: expose remote clusters information and introduce dedicated CLI command (#32156, @giorio94)
• Make the overwriting behavior of install-plugins.sh configurable. (#32016, @jingyuanliang)
• Operator: expose remote clusters information through dedicated CLI command, and introduce troubleshoot commands (#32436, @giorio94)
• pkg/healthv2: reduce unecessary healthv2 debug log volume. (#32319, @tommyp1ckles)
• Report estimated expiry timers for connection-based FQDN entries (#32013, @joestringer)
• Runtime device detection and subsequent datapath reconfiguration is now the default and only mode of operation.
  The enableRuntimeDeviceDetection option is now a no-op and will be removed in v1.17. (#32153, @joamaki)
• Service connections that use Direct-Server-Return and were established prior to Cilium v1.13.3 will be disrupted, and need to be re-established. (#32642, @julianwiedmann)
• Simplify rate limit configuration options for the CiliumEndpointSlice controller. (#32523, @thorn3r)
• Starting cilium-agent with large numbers of network policies should be much faster. (#32703, @squeed)
• The StateDB in-memory database library was switched to github.com/cilium/statedb with a new much faster radix tree implementation. This is used internally in the cilium-agent for storing and accessing, among others, the network devices and local node IP addresses. This state can be inspected with the "cilium-dbg statedb" commands.
  cilium-dbg: Added "statedb ipsets" command
  cilium-dbg: "statedb sysctl-settings" is now "statedb sysctl" (#32125, @joamaki)
• Unconditionally require the clustermesh cluster configuration to be always present (#32505, @giorio94)

Bugfixes:

• Add missing kvstore-max-consecutive-quorum-errors option to clustermesh-apiserver/kvstoremesh binaries (#32117, @giorio94)
• Avoids drops with "No mapping for NAT masquerade" for ICMP messages by local service backends. (#32155, @julianwiedmann)
• bgp: service eTP=local, withdraw route when last backend on the node goes in terminating state (#32536, @harsimran-pabla)
• Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields for CiliumLoadBalancerIPPool (#32694, @dswaffordcw)
• cilium-agent: Fix crash due to skipped resource cleanup when agent is stopping due to failed start. (#32673, @joamaki)
• cilium-cni: Reserve ports that can conflict with transparent DNS proxy (#32128, @gandro)
• cni: Reserve local ports for DNS proxy even if IPv6 is disabled (#32725, @gandro)
• cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (#32244, @learnitall)
• egressgw: Let the EGW manager relax rp_filter on egress device (#32679, @ysksuzuki)
• Fix bug where setting the k8sNetworkPolicy Helm value to false did not take effect (#32441, @hasan-alkama)
• Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes (#31671, @foyerunix)
• Fix indexing bug in the logic for picking NodePort addresses. In rare cases this may have caused wrong address to be selected for NodePort use, or an out-of-bounds access. (#32506, @joamaki)
• Fix PromQL query in Cilium Metrics dashboard (#32017, @mikemykhaylov)
• Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (#32513, @giorio94)
• Fix selecting of endpoints by namespace labels in network policies (#30650, @Mugenor)
• Fix various bugs related to restart of StatefulSet pods that may result in connectivity issues (#31605, @christarazi)
• Fixed a bug where endpoint could become stuck due to outdated revision numbers during concurrent updates. (#32817, @ovidiutirla)
• Fixes accidentally ignoring the preflight.nodeSelector Helm value. (#32548, @squeed)
• helm: remove CriticalAddonsOnly toleration in preflight DaemonSet (#32682, @HongChenTW)
• Introduce timeout when waiting for the initial synchronization from remote clusters, to avoid blocking forever necessary GC operations in case of clustermesh misconfigurations. (#32671, @giorio94)
• ipsec: Safely delete Xfrm state (#32450, @jschwinger233)
• proxy: Re-enable proxy rule installation in native-routing mode for CEC (#32367, @sayboras)
• Remove deprecated hubble.ui.securityContext.enabled from hubble-ui deployment template (#32338, @stelucz)

CI Changes:

• .github: Add permissions for workflow telemetry (#32410, @joestringer)
• Add dispatch for fqdn_perf test (#32762, @marseel)
• Add fqdn perf test (#32514, @marseel)
• Add WireGuard configurations to automated network throughput tests (#32134, @learnitall)
• bpf: Cover IPsec+KPR in complexity and compile tests (#32316, @pchaigno)
• CI/ClusterMesh: enable CiliumEndpointSlice in Conformance Cluster Mesh (#32593, @thorn3r)
• ci/ipsec-upgrade: complete the switch to cilium-dbg (#32348, @julianwiedmann)
• CI: Add job name validation (#32462, @brlbil)
• CI: enable CiliumEndpointSlice in conformance-e2e (#32403, @thorn3r)
• ci: Filter supported versions of EKS (#32304, @marseel)
• ci: Filter supported versions of GKE (#32302, @marseel)
• ci: ginkgo: increase cilium readiness timeout from 240 to 360s (#32585, @mhofstetter)
• ci: increase wait duration after upgrade/downgrade in E2E upgrade test (#32528, @mhofstetter)
• ci: l4lb: gather more infos about docker-in-docker issues (#32570, @mhofstetter)
• ci: l4lb: restart docker-in-docker container on failure (#32600, @mhofstetter)
• ci: remove k8s version 1.26 from ci-aks (#32498, @mhofstetter)
• eks: Don't use spot instances (#32553, @michi-covalent)
• fqdn: Fix benchmarking for fqdn cache test (#32276, @joestringer)
• gha: bump post-upgrade timeout in clustermesh upgrade/downgrade tests (#32347, @giorio94)
• gha: Correct number of connect retry param in LVH (#32598, @sayboras)
• gha: cover TLS auth mode in clustermesh upgrade/downgrade tests (#32684, @giorio94)
• gha: Enable Ingress controller for more e2e test (#32572, @sayboras)
• gha: test certificate generation methods in conformance clustermesh (#32654, @giorio94)
• Improve BPF complexity test coverage, fix a verifier error after LLVM upgrade. (#32170, @gentoo-root)
• renovate: Don't remove images/cilium/download-hubble.sh yet (#32440, @michi-covalent)
• Scrape cilium metrics and add custom prometheus queries (#32254, @marseel)
• Use GH_RUNNER_EXTRA_POWER for CI image workflow (#32402, @michi-covalent)
• workflows: ignore "No egress gateway found" drops (#32564, @jibi)

Misc Changes:

• .github/actions: enable passing kind config to lvh-kind action (#32398, @harsimran-pabla)
• .github: adding daemon/cmd/fqdn to sig/policy PRs (#32442, @vipul-21)
• .github: Auto-apply labels for sig/policy PRs (#32409, @joestringer)
• .github: Fix PR autolabeler (#32406, @joestringer)
• Add auto labeler for hubble-cli (#32343, @aanm)
• Add initial support for Multi-Cluster Services API in Cilium clustermesh (#32264, @MrFreezeex)
• Add Ænix to the cilium users (#32738, @kvaps)
• Added EKS-to-EKS Clustermesh Preparation guide (#32355, @network-charles)
• Always include symbols in the Agent debug image. (#32032, @EricMountain)
• api: Replace gocheck with built-in go test (#32217, @sayboras)
• background-sync: fix bootstrap issue and edge-case with 1 node (#32630, @marseel)
• BGP: Exporting peers, routes and route-policy states of BGPv2 via CLI. (#32474, @harsimran-pabla)
• bgpv2: Route policies for various reconcilers (#32383, @harsimran-pabla)
• bgpv2: Configuration guide for BGPv2 APIs (#32774, @harsimran-pabla)
• bgpv2: container labs for various types of advertisements (#32522, @harsimran-pabla)
• bgpv2: filter terminating backends from endpoint selection (#32537, @harsimran-pabla)
• bgpv2: fix pod ip pool cleanup (#32194, @harsimran-pabla)
• bgpv2: removing v2Enable feature flag (#32692, @harsimran-pabla)
• bgpv2: update multi-homing lab to use config overrides (#32775, @harsimran-pabla)
• bitlpm: Add ExactLookup Method (#32609, @nathanjsweet)
• bitlpm: Convert UintTrie to Struct (#32676, @nathanjsweet)
• bpf: ct: fix off-by-1 in ICMP packet statistics (#32393, @julianwiedmann)
• bpf: drop/trace: identify missing security identity / endpoint ID (#32562, @julianwiedmann)
• bpf: egw: delay SNAT for local client to actual egress interface (#32428, @julianwiedmann)
• bpf: host: consolidate drop notification code in to-netdev (#32422, @julianwiedmann)
• bpf: lxc: enrich trace event in cil_to_container (#32737, @julianwiedmann)
• bpf: nodeport: check for ClusterIP access earlier (#32344, @julianwiedmann)
• bpf: nodeport: clean up stale comment (#32734, @julianwiedmann)
• bpf: trace: identify ifindex 0 as TRACE_IFINDEX_UNKNOWN (#32526, @julianwiedmann)
• Bugtool commands list generation improvements (#32253, @pippolo84)
• bugtool: Deduplicate tc qdisc commands (#32455, @pippolo84)
• build(deps): bump jinja2 from 3.1.3 to 3.1.4 in /Documentation (#32390, @dependabot[bot])
• build(deps): bump requests from 2.31.0 to 2.32.0 in /Documentation (#32626, @dependabot[bot])
• bump cni plugins to v1.5.0 (#32629, @antonipp)
• Bump timeout of lint-build-commits.yaml (#32746, @YutaroHayakawa)
• bwmap: Reconcile cilium_throttle with StateDB reconciler (#32438, @joamaki)
• cec: support resource name qualification for HTTP HealthCheckFilter (#32308, @mhofstetter)
• chore(deps): update all github action dependencies (main) (#32360, @renovate[bot])
• chore(deps): update all github action dependencies (main) (#32491, @renovate[bot])
• chore(deps): update all github action dependencies (main) (#32620, @renovate[bot])
• chore(deps): update all github action dependencies (main) (#32718, @renovate[bot])
• chore(deps): update all github action dependencies (main) (#32834, @renovate[bot])
• chore(deps): update all github action dependencies (main) (patch) (#32565, @renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#31574, @renovate[bot])
• chore(deps): update all lvh-images main (main) (patch) (#32361, @renovate[bot])
• chore(deps): update all lvh-images main to bpf-next-20240521.012924 (main) (patch) (#32631, @renovate[bot])
• chore(deps): update all lvh-images main to bpf-next-20240529.013128 (main) (patch) (#32830, @renovate[bot])
• chore(deps): update all-dependencies (main) (#32359, @renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.16.7 (main) (#32394, @renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.16.7 (main) (#32771, @renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.18 (main) (#32566, @renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.8 (main) (#32779, @renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.9 (main) (#32831, @renovate[bot])
• chore(deps): update dependency go to v1.22.3 (main) (#32772, @renovate[bot])
• chore(deps): update dependency protocolbuffers/protobuf to v27 (main) (#32767, @renovate[bot])
• chore(deps): update docker.io/library/golang:1.22.3 docker digest to f43c6f0 (main) (#32579, @renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.14 (main) (#32832, @renovate[bot])
• chore(deps): update go to v1.22.3 (main) (#32416, @renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v1.58.0 (main) (#32363, @renovate[bot])
• chore(deps): update golangci/golangci-lint docker tag to v1.59.0 (main) (#32833, @renovate[bot])
• chore(deps): update quay.io/cilium/hubble docker tag to v0.13.4 (main) (#32621, @renovate[bot])
• ci: GitHub action syntax fixes (#32507, @viktor-kurchenko)
• cilium-dbg: Reprint header line periodically with statedb (#32798, @joamaki)
• cilium-dbg: Use a tabwriter that remembers the widths (#32434, @joamaki)
• cleanup: Remove deprecated StringCounter (#32639, @sayboras)
• cleanup: Use context package from std libraries (#32795, @sayboras)
• clustermesh: Cleanup un-used endpoint related attributes (#32645, @sayboras)
• clustermesh: drop node observer global variables from tests (#32471, @giorio94)
• clustermesh: drop redundant OnClusterDelete from GlobalServiceCache (#32751, @giorio94)
• clustermesh: forbid connecting to cluster with same ID as local (#32753, @giorio94)
• ClusterMesh: improve validation of remote nodes and services (#32749, @giorio94)
• CODEOWNERS: add sig-scalability ownership of CiliumEndpointSlice (#32535, @thorn3r)
• common: remove unused MapStringStructToSlice (#32345, @tklauser)
• config: remove ingress & gateway api leftovers from global agent config (#32782, @mhofstetter)
• Consolidate regeneration metrics accounting (#32677, @christarazi)
• consolidate_go_stacktrace: Add '--filter lock' (#32273, @joestringer)
• contrib/scripts: remove check-assert-deep-equals (#32530, @tklauser)
• contrib: Clean up un-used scripts (#32456, @sayboras)
• contrib: Remove CHARTS_PATH dependency (#32328, @joestringer)
• contrib: Switch from 'hub' to 'gh' (#32326, @joestringer)
• daemon: Add rate-limiting to device reloading (#32527, @joamaki)
• daemon: Reserve Geneve tunnel port if enabled (#32421, @gandro)
• datapath: Remove LoadBalancerNodeAddresses & LocalAddresses methods (#30458, @joamaki)
• datapath: Replace gocheck with built-in go test (#32259, @sayboras)
• datapath: trivial cleanups for KPR config handling (#32453, @julianwiedmann)
• deps, renovate: Update GoBGP to v3.26.0 & re-enable updates by renovate (#32306, @rastislavs)
• devices: Fix panic in tests when logger used after stopping (#32551, @joamaki)
• devices: Use slog instead of logrus (#32469, @joamaki)
• doc: Added doc for ingress/GwAPI host network mode (#31839, @PhilipSchmid)
• docs: Add example for kube-apiserver entity policy (#32278, @joestringer)
• docs: add link to sig-policy meeting (#32340, @squeed)
• Docs: add note about AKS kube-apiserver entity (#32464, @darox)
• docs: Add user manual how to enable and configure multicast feature. (#32612, @fujitatomoya)
• docs: Clarify that --labels does not override default set (#32445, @christarazi)
• docs: Clean-up Host Firewall documentation, list known issues (#32267, @qmonnet)
• docs: Describe fqdn cache entry expiration timers (#32350, @joestringer)
• docs: Fix style pitfalls in the ClusterMesh guide (#32320, @network-charles)
• docs: Remove outdated note on IPv6 BPF masqerading being incompatible with the Host Firewall (#32685, @qmonnet)
• egressgw: remove gwc.ifaceName (#32321, @julianwiedmann)
• endpointmanager: Skip warning logs for endpoints being removed (#32619, @jrajahalme)
• envoy: Update to use original source address also for external destinations (#32331, @jrajahalme)
• Expose clustermesh global service cache and hooks in the operator to prepare for MCS-API support (#32287, @MrFreezeex)
• Expose clustermesh ServicesSynced method from endpointslicesync ClusterMesh (#32538, @MrFreezeex)
• Fix crash caused while deleting LRPs with skipRedirectFromBackend flag set to true. (#32822, @aditighag)
• Fix regression with ClusterMesh deployments failing to provision the clustermesh-apiserver Service in some cloud provider environments due to not support session affinity (#32657, @thorn3r)
• Fix threat model typo (#32752, @ferozsalam)
• fix(deps): update all go dependencies main (main) (#32362, @renovate[bot])
• fix(deps): update all go dependencies main (main) (#32490, @renovate[bot])
• fix(deps): update all go dependencies main (main) (#32509, @renovate[bot])
• fix(deps): update all go dependencies main (main) (#32622, @renovate[bot])
• fix(deps): update all go dependencies main (main) (#32717, @renovate[bot])
• fix(deps): update all go dependencies main (main) (#32743, @renovate[bot])
• fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.731 (main) (#32377, @renovate[bot])
• fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.748 (main) (#32736, @renovate[bot])
• fqdn: Change error log to warning (#32333, @jrajahalme)
• fqdn: Fix notifyOnDNSMsg benchmark (#32454, @pippolo84)
• fqdn: Fix Upgrade Issue Between PortProto Versions (#32325, @nathanjsweet)
• FQDN: some small performance optimizations around logging (#32049, @squeed)
• fqdn: updating the variable name in fqdn (#32298, @vipul-21)
• gha: Enable Envoy debug in default Cilium options (#32334, @jrajahalme)
• Grant the CiliumEndpointSlice controller a new Clientset to decouple it from the other Cilium Operator controllers. (#32353, @thorn3r)
• healthv2: Various fixes (#32549, @joamaki)
• helm: Remove CILIUM_BRANCH variable (#32776, @michi-covalent)
• hive: cast ModuleID to string (#32392, @bimmlerd)
• hubble, policy: shuffle types to reduce imports (#32378, @squeed)
• images/builder: let renovate update protoc and proto plugins (#32739, @rolinh)
• images/cilium: Move Envoy reference away from builder and runtime (#32452, @jrajahalme)
• ingress: Correct FromGroups rule Parsing (#32231, @Alex-Waring)
• Introduce clustermesh source to differentiate data retrieved from remote clusters (#32688, @giorio94)
• ipam: lower loglevel from error to warn if eni link list can't be listed (#32602, @mhofstetter)
• ipcache: Introduce the ability to inherit CIDR prefixes (#32578, @gandro)
• ipcache: Only update policy maps for new identities (#32628, @gandro)
• ipsec: minor cleanups (#31390, @julianwiedmann)
• iptables: Do not set no-track rules with empty native routing CIDR (#32648, @pippolo84)
• k8s/watcher: remove always-nil error return values (#32663, @tklauser)
• k8s: Add new fields into slim Service/Endpoint/EndpointSlice structs (#32754, @sayboras)
• k8s: cleanup k8s watcher (#32790, @mhofstetter)
• k8s: remove unused policyRepository from k8swatcher (#32773, @mhofstetter)
• k8s: use netip.IPv{4,6}Unspecified (#32818, @tklauser)
• k8s: use cilium slices sort utility to sort Pod IP's from status (#32697, @mhofstetter)
• kvstore: Replace gocheck with built-in go test (#32261, @sayboras)
• l2announcer: Fix delete entry if no origins left (#32279, @wutz)
• loader: do ELF substitutions in memory (#32059, @lmb)
• loader: don't disable rp-filter for IPsec (#32546, @julianwiedmann)
• loader: fetch iface just once in patchHostNetdevDatapath() (#32541, @julianwiedmann)
• loader: misc fixes (#32520, @lmb)
• loader: refactor replaceDatapath to loadDatapath (#32518, @ti-mo)
• loader: Remove out-of-band data access (#32706, @joamaki)
• loader: Replace gocheck with built-in go test (#32220, @sayboras)
• makefile: check for $(CILIUM_CLI) dependency (#32424, @msune)
• Makefile: Replace release target (#32322, @joestringer)
• metallb bgp: introduce hive cell (#32806, @mhofstetter)
• Misc build system improvements (#32408, @joestringer)
• Miscellaneous improvements to the clustermesh troubleshooting guide (#32552, @giorio94)
• node-manager: fix race-condition (#32606, @marseel)
• operator/bgpv2: Fix CiliumBGPNodeConfig OwnerReference & job health reporting (#32000, @rastislavs)
• Output the etcd cluster ID as part of the remote cluster status information (#32341, @giorio94)
• pkg/cgroups: Cache pod metadata on datapath events (#32615, @aditighag)
• pkg/cgroups: Remove noisy log (#32613, @aditighag)
• pkg/clustermesh: Replace gocheck with built-in go test (#32221, @sayboras)
• pkg/egressgateway: Replace gocheck with built-in go test (#32295, @sayboras)
• pkg/endpoint: clean up DatapathRegenerationLevel (#32604, @lmb)
• pkg/endpoint: do not rely on bpf_host.o to detect host endpoint (#32521, @lmb)
• pkg/endpoint: make state synchronization atomic (#32439, @lmb)
• pkg/fqdn: Replace gocheck with built-in go test (#32281, @sayboras)
• pkg/policy: Replace gocheck with built-in go test (#32223, @sayboras)
• pkg: Fix Deny Insert Fuzz Test (#32656, @nathanjsweet)
• policy: Add Port Range Support for Policies Part 1 (#32430, @nathanjsweet)
• policy: Add Port Range Support for Policies Part 2/3 (#32675, @nathanjsweet)
• policy: fix client side validation of policies in policy import/validate command (#31924, @oblazek)
• policy: fix flaky unit test (#32808, @squeed)
• Prepare for release v1.16.0-pre.2 (#32324, @joestringer)
• README: Update releases (#32329, @joestringer)
• README: Update releases (#32554, @nebril)
• refactor: config options combined into DNS proxy config struct (#32777, @vipul-21)
• reinstate hive health metrics (#32603, @bimmlerd)
• renovate: fix config (missing comma) (#32765, @rolinh)
• renovate: ignore dependency github.com/google/go-licenses (#32848, @rolinh)
• Replace pkg/rand by standard library math/rand/v2 (#32542, @tklauser)
• restoration: checkpoint local allocator state, utilize on restoration (#32310, @squeed)
• srv6: Some cleanups for SRv6 maps (#31960, @YutaroHayakawa)
• Store zone information alongside lb{4,6}_backend entries (based on mapping from fixed-zone-mapping and values from EndpointSlices) (#31838, @AwesomePatrol)
• test: Re-enable few test suites missed as part of recent migration (#32687, @sayboras)
• test: Replace gocheck with built-in go test (#32297, @sayboras)
• test: Replace gocheck with built-in go test (#32401, @sayboras)
• test: Update Go test helpers for renamed cilium-dbg (#32661, @joestringer)
• update list of SIGs (#32477, @katiestruthers)
• Use ebpf.PossibleCPU to determine number of possible CPUs (#32323, @tklauser)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.16.0-pre.3@sha256:9918241403727d99cdba7067134dc99024c8f367fc8dbeec7aa5a7c84260d8f6

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.16.0-pre.3@sha256:9348958f91942d81481878e57e6bda75463658240b51fedc9547c2024d848066

docker-plugin

quay.io/cilium/docker-plugin:v1.16.0-pre.3@sha256:446abb18b76590edb4ad35c8c410acae308030d611cb8809b58c53547afc0733

hubble-relay

quay.io/cilium/hubble-relay:v1.16.0-pre.3@sha256:41964978c06687d3db7afd29ed8205a3472c5de1d9c71a7a39b9640c651d4487

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.16.0-pre.3@sha256:0fbbf357ae5e62f1d0777ce34c1fb6d19e1f7b5a25c5100346d34f8cf6ad1730

operator-aws

quay.io/cilium/operator-aws:v1.16.0-pre.3@sha256:843d6c5094655448e8d1e81b46d334e00444f58bbb9e95575bd042af6871e1f0

operator-azure

quay.io/cilium/operator-azure:v1.16.0-pre.3@sha256:5682ca7ad8eea47abacad4dae2ff62d98f8f1938dcd7f17a403b673599b8b258

operator-generic

quay.io/cilium/operator-generic:v1.16.0-pre.3@sha256:565c92df436f801fa5ff3bbb8becac65114818c43e3bcaecf956c0d4c120b5a6

operator

quay.io/cilium/operator:v1.16.0-pre.3@sha256:2f114fc9627a43b435160d587e0128e0fe9256d5c0ff2dde4f703ddd807d9717