cilium · jrajahalme · Apr 2, 2026 · May 4, 2026 · Apr 5, 2026 · Apr 4, 2026
@@ -43,6 +43,7 @@ git_repository(
         "@//patches:0004-thread_local-reset-slot-in-worker-threads-first.patch",
         "@//patches:0005-http-header-expose-attribute.patch",
         "@//patches:0006-test-integration-Defer-fake-upstream-read-enable-un.patch",
+        "@//patches:0007-config-add-grpc-mux-stream-event-callback.patch",
         "@//patches:0008-repo-Make-yq-dependency-optional-for-CI-config-parsi.patch",
     ],
     # // clang-format off: Envoy's format check: Only repository_locations.bzl may contains URL references

@@ -28,6 +28,17 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "versioned_lib",
+    hdrs = ["versioned.h"],
+    repository = "@envoy",
+    deps = [
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@com_google_absl//absl/container:flat_hash_set",
+        "@envoy//source/common/common:assert_lib",
+    ],
+)
+
 envoy_cc_library(
     name = "network_policy_lib",
     srcs = [
@@ -45,6 +56,7 @@ envoy_cc_library(
         "//cilium:conntrack_lib",
         "//cilium:grpc_subscription_lib",
         "//cilium:ipcache_lib",
+        "//cilium:versioned_lib",
         "//cilium/api:npds_cc_proto",
         "@envoy//envoy/singleton:manager_interface",
         "@envoy//source/common/common:logger_lib",

@@ -84,6 +84,6 @@ message BpfMetadata {
   // Cache is garbage collected at interval 10 times the ttl (default 30 ms).
   google.protobuf.Duration cache_gc_interval = 15;
 
-  // Configuration for the source of NPDS updates. Currently this field is not supported.
-  envoy.config.core.v3.ConfigSource npds_config = 16;
+  // Configuration for the source of Cilium xDS updates.
+  envoy.config.core.v3.ConfigSource config_source = 16;
 }
@@ -17,6 +17,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Network policy management and NPDS]
 
 // Each resource name is a network policy identifier.
+// Deprecated: This service will be removed when Cilium 1.20 is the oldest supported release.
 service NetworkPolicyDiscoveryService {
   option (envoy.annotations.resource).type = "cilium.NetworkPolicy";
 
@@ -33,6 +34,32 @@ service NetworkPolicyDiscoveryService {
   }
 }
 
+// Policy and selector resource names are exact-match identifiers in delta NPDS.
+service NetworkPolicyResourceDiscoveryService {
+  option (envoy.annotations.resource).type = "cilium.NetworkPolicyResource";
+
+  rpc DeltaNetworkPolicyResources(stream envoy.service.discovery.v3.DeltaDiscoveryRequest)
+      returns (stream envoy.service.discovery.v3.DeltaDiscoveryResponse) {
+  }
+}
+
+// A delta NPDS resource that carries either an endpoint policy or a shared selector.
+message NetworkPolicyResource {
+  oneof resource {
+    NetworkPolicy policy = 1;
+    Selector selector = 2;
+  }
+}
+
+// A shared set of remote identities referenced by selector resource name.
+// Unlike the old state-of-the-world remote identity lists, an empty selector
+// matches nothing.
+message Selector {
+  // The set of numeric remote security IDs selected by this selector.
+  // If empty, this selector selects no remote identities.
+  repeated uint32 remote_identities = 1;
+}
+
 // A network policy that is enforced by a filter on the network flows to/from
 // associated hosts.
 message NetworkPolicy {
@@ -153,6 +180,12 @@ message PortNetworkPolicyRule {
   // Optional. If not specified, any remote host is matched by this predicate.
   repeated uint32 remote_policies = 7;
 
+  // Optional selector resource names that can be resolved to shared remote
+  // policy sets in delta NPDS.
+  // Selector references are matched by exact selector resource name.
+  // Optional. If not specified, any remote host is matched by this predicate.
+  repeated string selectors = 11;
+
   // Optional downstream TLS context. If present, the incoming connection must
   // be a TLS connection.
   TLSContext downstream_tls_context = 3;

@@ -26,6 +26,10 @@ service NetworkPolicyHostsDiscoveryService {
       body: "*"
     };
   }
+
+  rpc DeltaNetworkPolicyHosts(stream envoy.service.discovery.v3.DeltaDiscoveryRequest)
+      returns (stream envoy.service.discovery.v3.DeltaDiscoveryResponse) {
+  }
 }
 
 // The mapping of a network policy identifier to the IP addresses of all the

@@ -198,30 +198,6 @@ SINGLETON_MANAGER_REGISTRATION(cilium_bpf_conntrack);
 SINGLETON_MANAGER_REGISTRATION(cilium_host_map);
 SINGLETON_MANAGER_REGISTRATION(cilium_network_policy);
 
-namespace {
-
-std::shared_ptr<const Cilium::PolicyHostMap>
-createHostMap(Server::Configuration::ListenerFactoryContext& context,
-              envoy::config::core::v3::ConfigSource& npds_config) {
-  return context.serverFactoryContext().singletonManager().getTyped<const Cilium::PolicyHostMap>(
-      SINGLETON_MANAGER_REGISTERED_NAME(cilium_host_map), [&context, npds_config] {
-        auto map = std::make_shared<Cilium::PolicyHostMap>(context.serverFactoryContext());
-        map->startSubscription(context.serverFactoryContext(), npds_config);
-        return map;
-      });
-}
-
-std::shared_ptr<const Cilium::NetworkPolicyMap>
-createPolicyMap(Server::Configuration::FactoryContext& context,
-                envoy::config::core::v3::ConfigSource& npds_config) {
-  return context.serverFactoryContext().singletonManager().getTyped<const Cilium::NetworkPolicyMap>(
-      SINGLETON_MANAGER_REGISTERED_NAME(cilium_network_policy), [&context, npds_config] {
-        return std::make_shared<Cilium::NetworkPolicyMap>(context, npds_config, true);
-      });
-}
-
-} // namespace
-
 Config::Config(const ::cilium::BpfMetadata& config,
                Server::Configuration::ListenerFactoryContext& context)
     : so_linger_(config.has_original_source_so_linger_time()
@@ -239,8 +215,8 @@ Config::Config(const ::cilium::BpfMetadata& config,
       ipcache_entry_ttl_(
           PROTOBUF_GET_MS_OR_DEFAULT(config, cache_entry_ttl, DEFAULT_CACHE_ENTRY_TTL_MS)),
       random_(context.serverFactoryContext().api().randomGenerator()),
-      npds_config_(config.has_npds_config() ? config.npds_config()
-                                            : Cilium::CILIUM_XDS_API_CONFIG) {
+      config_source_(config.has_config_source() ? config.config_source()
+                                                : Cilium::CILIUM_XDS_API_CONFIG) {
   if (is_l7lb_ && is_ingress_) {
     throw EnvoyException("cilium.bpf_metadata: is_l7lb may not be set with is_ingress");
   }
@@ -259,7 +235,15 @@ Config::Config(const ::cilium::BpfMetadata& config,
                     config.ipv6_source_address()));
   }
   if (config.use_nphds()) {
-    hosts_ = createHostMap(context, npds_config_);
+    hosts_ =
+        context.serverFactoryContext().singletonManager().getTyped<const Cilium::PolicyHostMap>(
+            SINGLETON_MANAGER_REGISTERED_NAME(cilium_host_map),
+            [&context, config_source = config_source_] {
+              auto map = std::make_shared<Cilium::PolicyHostMap>(context.serverFactoryContext());
+              map->startSubscription(context.serverFactoryContext(), config_source);
+              return map;
+            });
+    hosts_->setConfigSource(config_source_);
   }
 
   // Note: all instances use the bpf root of the first filter with non-empty
@@ -296,7 +280,14 @@ Config::Config(const ::cilium::BpfMetadata& config,
   // instances!
   // Only created if either ipcache_ or hosts_ map exists
   if (ipcache_ || hosts_) {
-    npmap_ = createPolicyMap(context, npds_config_);
+    npmap_ =
+        context.serverFactoryContext().singletonManager().getTyped<const Cilium::NetworkPolicyMap>(
+            SINGLETON_MANAGER_REGISTERED_NAME(cilium_network_policy),
+            [&context, config_source = config_source_] {
+              return std::make_shared<Cilium::NetworkPolicyMap>(context, config_source, true);
+            });
+    // update desired config source on the map
+    npmap_->setConfigSource(config_source_);
   }
 }
 

@@ -173,7 +173,7 @@ class Config : public Cilium::PolicyResolver,
   std::string l7lb_policy_name_;
   std::chrono::milliseconds ipcache_entry_ttl_;
   Random::RandomGenerator& random_;
-  envoy::config::core::v3::ConfigSource npds_config_;
+  envoy::config::core::v3::ConfigSource config_source_;
 
   std::shared_ptr<const Cilium::NetworkPolicyMap> npmap_;
   Cilium::CtMapSharedPtr ct_maps_;