Update module github.com/cilium/cilium to v1.18.8 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cilium/cilium	v1.18.6 → v1.18.8

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-33726

Impact

Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled.

Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (eni.enabled), AlibabaCloud ENI (alibabacloud.enabled), Azure IPAM (azure.enabled, but not AKS BYOCNI), and some GKE deployments (gke.enabled; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment.

Patches

This issue was fixed by #​44693.

This issue affects:

• Cilium v1.19 between v1.19.0 and v1.19.1 inclusive
• Cilium v1.18 between v1.18.0 and v1.18.7 inclusive
• All versions of Cilium prior to v1.17.13

This issue is fixed in:

• Cilium v1.19.2
• Cilium v1.18.8
• Cilium v1.17.14

Workarounds

Disclaimer: There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers.

Acknowledgements

The Cilium community has worked together with members of the Northflank and Isovalent teams to prepare these mitigations. Cilium thanks @​sudeephb and @​Champ-Goblem for reporting the issue and to @​smagnani96 and @​julianwiedmann for helping with the resolution.

For more information

Anyone who believes a vulnerability affecting Cilium has been found is strongly encouraged to report it to the security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and any such report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.

---

Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic

CVE-2026-33726 / GHSA-hxv8-4j4r-cqgv

More information

Details

Impact

Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled.

Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (eni.enabled), AlibabaCloud ENI (alibabacloud.enabled), Azure IPAM (azure.enabled, but not AKS BYOCNI), and some GKE deployments (gke.enabled; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment.

Patches

This issue was fixed by #​44693.

This issue affects:

• Cilium v1.19 between v1.19.0 and v1.19.1 inclusive
• Cilium v1.18 between v1.18.0 and v1.18.7 inclusive
• All versions of Cilium prior to v1.17.13

This issue is fixed in:

• Cilium v1.19.2
• Cilium v1.18.8
• Cilium v1.17.14

Workarounds

Disclaimer: There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers.

Acknowledgements

The Cilium community has worked together with members of the Northflank and Isovalent teams to prepare these mitigations. Cilium thanks @​sudeephb and @​Champ-Goblem for reporting the issue and to @​smagnani96 and @​julianwiedmann for helping with the resolution.

For more information

Anyone who believes a vulnerability affecting Cilium has been found is strongly encouraged to report it to the security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and any such report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.

Severity

• CVSS Score: 5.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References

• https://github.com/cilium/cilium/security/advisories/GHSA-hxv8-4j4r-cqgv
• https://github.com/cilium/cilium/pull/44693
• https://docs.cilium.io/en/stable/network/concepts/routing/#routing
• https://docs.cilium.io/en/stable/network/kubernetes/policy/#network-policy
• https://docs.cilium.io/en/stable/network/servicemesh/l7-traffic-management
• https://docs.cilium.io/en/stable/operations/performance/tuning/#ebpf-host-routing
• https://github.com/cilium/cilium

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.18.8: 1.18.8

Compare Source

Known issues

• Users who deploy Cilium on GKE should skip this version or upgrade to 1.19.2 due to a known regression.

Summary of Changes

Minor Changes:

• Allow to attach Cilium's XDP program on network interfaces that have jumbo MTU configured and support xdp.frags program type. (Backport PR #​44499, Upstream PR #​41967, @​viktor-kurchenko)

Bugfixes:

• bpf: nodeport: use hairpin redirect for L7 LB on bridge devices (Backport PR #​44758, Upstream PR #​44658, @​smagnani96)
• cilium-dbg: fix seg-fault ip get -l reserved:host (Backport PR #​44519, Upstream PR #​44443, @​aanm)
• Enable Cilium upgrade and downgrade when existing XDP attach types differ from new XDP programs (Backport PR #​44499, Upstream PR #​44209, @​dylandreimerink)
• Fix a bug where node IPv6 updates and deletes were not correctly propagated to the Linux kernel neighbor subsystem. (Backport PR #​44592, Upstream PR #​44540, @​tklauser)
• Fix a bug where removed addresses from EndpointSlices might be missed if multiple EndpointSlices share the same name (Backport PR #​44021, Upstream PR #​43999, @​EmilyShepherd)
• Fix envoy admin socket being created as world-accessible (Backport PR #​44592, Upstream PR #​44512, @​0xch4z)
• Fixed an issue where wildcard FQDN network policy identities were not correctly pushed to Envoy when using SNI-based policies. (Backport PR #​44519, Upstream PR #​44462, @​liyihuang)
• Fixed VTEP ARP responses returning 00:00:00:00:00:00 MAC due to interface MAC missing from eBPF Overlay configuration. (Backport PR #​44700, Upstream PR #​44513, @​akos011221)
• gateway-api: Fix hostname intersection bug that was preventing cert-manager challenges from working correctly. (Backport PR #​44519, Upstream PR #​44492, @​youngnick)
• l7lb: fix bypassing ingress policies for local backends (Backport PR #​44804, Upstream PR #​44693, @​smagnani96)
• loadbalancer/healthserver: refresh ProxyRedirect per request (Backport PR #​44399, Upstream PR #​44286, @​mhofstetter)

CI Changes:

• gh: e2e-upgrade: don't hardcode IPsec encryption algorithm (Backport PR #​44519, Upstream PR #​44381, @​julianwiedmann)

Misc Changes:

• chore(deps): update all github action dependencies (v1.18) (#​44372, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44480, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44579, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44681, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44791, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​44369, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​44580, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​44678, @​cilium-renovate[bot])
• chore(deps): update base-images to v1.25.8 (v1.18) (#​44810, @​cilium-renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.19.1 (v1.18) (#​44344, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.1 (v1.18) (#​44401, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.2 (v1.18) (#​44577, @​cilium-renovate[bot])
• chore(deps): update dependency sphinx-tabs to v3.5.0 (v1.18) (#​44679, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to d1e2e92 (v1.18) (#​44476, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to e3f9456 (v1.18) (#​44797, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to f512d81 (v1.18) (#​44575, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.8 (v1.18) (#​44370, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.4.1 (v1.18) (#​44680, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770979049-232ed4a26881e4ab4f766f251f258ed424fff663 (v1.18) (#​44371, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1771585526-532310e626e42c7086de4ef3ea913736125bbd31 (v1.18) (#​44478, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773220507-ffc0948a7ec4868e6b552a71cf4d3860e78b53cc (v1.18) (#​44676, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773405792-4046425704636ea5b770460c20c065069cf572dc (v1.18) (#​44789, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773656288-7b052e66eb2cfc5ac130ce0a5be66202a10d83be (v1.18) (#​44807, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44252, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44479, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44677, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44790, @​cilium-renovate[bot])
• Docs: improve docs around ipsec upgrade in 1.18 (Backport PR #​44399, Upstream PR #​44302, @​darox)
• fix(deps): update k8s.io patch updates stable (v1.18) (#​44477, @​cilium-renovate[bot])
• fix(deps): update k8s.io patch updates stable to v0.33.9 (v1.18) (patch) (#​44578, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 0f775a3 (v1.18) (#​44576, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 15301c2 (v1.18) (#​44675, @​cilium-renovate[bot])
• loadbalancer/healthserver: stabilize proxy-redirect test (Backport PR #​44519, Upstream PR #​44323, @​mhofstetter)

Other Changes:

• [1.18] gha: Use eks 1.32 from us-west-2 (#​44753, @​sayboras)
• [v1.18] endpoint/bpf: remove change empty condition for updateEnvoy (#​44616, @​liyihuang)
• [v1.18] gh: verifier: disable RHEL8 (#​44317, @​julianwiedmann)
• [v1.18] loadbalancer: Fix flake in hybrid-dsr.txtar (#​44756, @​julianwiedmann)
• install: Update image digests for v1.18.7 (#​44326, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.8@​sha256:070a63cc414869cf6c53202cb50929a87adb7d5b25de0f2f40ab39eb6434b706

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.8@​sha256:5cb08daad7397f52ce5c36fcbfe83c56494f340d9b8f10f8bc7a3f2a812c33d5

docker-plugin

quay.io/cilium/docker-plugin:v1.18.8@​sha256:8e1c89bc4ef3bbc55a10edc96a9f2915af45181e46ff189c00f3d8fb7825a0b7

hubble-relay

quay.io/cilium/hubble-relay:v1.18.8@​sha256:dcf324aa35ab59c8fe6d002e3df6a63fff18280da464d09e4a97d58c085bb015

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.8@​sha256:36c1702c8afd0b0221e3d88ca08537100caef509de6a6bb7244d5fa4643a7252

operator-aws

quay.io/cilium/operator-aws:v1.18.8@​sha256:7ab154b269eae378456d63cc9085d96c4f472e11a1496ca4c62af68ff4b31da3

operator-azure

quay.io/cilium/operator-azure:v1.18.8@​sha256:a4027d349e817bda9168af1e27231be491a3026c748128a79026e366321f6332

operator-generic

quay.io/cilium/operator-generic:v1.18.8@​sha256:f9d1715932751b1454d0f59b492497cb1636dea6335beab0f9026fa8b5a6f62f

operator

quay.io/cilium/operator:v1.18.8@​sha256:cc3f7bdf9e443b807d3cb9b0bd30eddac5591c3f4b1e6fa053bfaa8697a7ee58

v1.18.7: 1.18.7

Compare Source

Summary of Changes

Minor Changes:

• Exclude topology.kubernetes.io labels from security labels by default (Backport PR #​43777, Upstream PR #​43725, @​moscicky)
• hubble-relay: Add hubble.relay.logOptions.format and hubble.relay.logOptions.level Helm values to configure log format (text, text-ts, json, json-ts) and level (debug, info, warn, error) (Backport PR #​44004, Upstream PR #​43644, @​puwun)

Bugfixes:

• Add permissions to the cilium-operator so that it can create EndpointSlices when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44034, Upstream PR #​43912, @​fgiloux)
• bpf: Correct refinement of inner packet L4 checksum detection (Backport PR #​43923, Upstream PR #​43868, @​br4243)
• bpf: Fix marker to skip nodeport when punting to proxy (Backport PR #​43886, Upstream PR #​43069, @​borkmann)
• clustermesh: correctly phase out not ready/not service endpoints from global services (Backport PR #​44056, Upstream PR #​43807, @​MrFreezeex)
• Fix a bug with local redirect service entries being created when backend pods weren't ready. (Backport PR #​43756, Upstream PR #​43095, @​aditighag)
• Fix ICMP error packet handling by adding the missing checksum recalculation performed during RevNAT for SNATed load-balanced traffic. (Backport PR #​43861, Upstream PR #​43196, @​yushoyamaguchi)
• Grant permissions to the cilium-operator so that it can reconcile ingresses when the when the admission plugin OwnerReferencesPermissionEnforcement is activated (Backport PR #​44034, Upstream PR #​43949, @​giorio94)
• helm: Fixed RBAC errors with operator.enabled=false by aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #​44281, Upstream PR #​44159, @​puwun)
• loadbalancer: Fix GetInstancesOfService to avoid removing an endpoint from Service A causes all requests to Service B to fail if the name of Service A is the prefix of Service B (Backport PR #​43777, Upstream PR #​43620, @​imroc)
• Reduces rtnl_mutex contention on SR-IOV nodes by not requesting VF information in netlink RTM_GETLINK operations (Backport PR #​44281, Upstream PR #​43517, @​pasteley)

CI Changes:

• fix(ctmap/gc): fix race conditions and flakiness in TestGCEnableRatchet (Backport PR #​44056, Upstream PR #​42009, @​AritraDey-Dev)
• gh: ariane: don't run cloud workflows for LVH kernel updates (Backport PR #​44148, Upstream PR #​44109, @​julianwiedmann)
• gh: ariane: skip more workflows for LVH kernel updates (Backport PR #​44148, Upstream PR #​44115, @​julianwiedmann)
• gha: let CiliumEndpointSlice migration be run nightly on stable branches (Backport PR #​44004, Upstream PR #​43921, @​giorio94)
• gke: lower scope of ESP firewall rule (Backport PR #​43865, Upstream PR #​43691, @​marseel)

Misc Changes:

• .github/workflows: use proper directory structure for GH actions (#​43760, @​aanm)
• chore(deps): update all github action dependencies (v1.18) (#​43845, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​43984, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44099, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.18) (#​44253, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.18) (#​43839, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43840, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​43983, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.18) (#​44098, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.19.0 (v1.18) (#​43844, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/alpine docker tag to v3.22.3 (v1.18) (#​44096, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to b3255e7 (v1.18) (#​44249, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to e226d63 (v1.18) (#​43979, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:24.04 docker digest to cd1dba6 (v1.18) (#​43980, @​cilium-renovate[bot])
• chore(deps): update gcr.io/distroless/static:nonroot docker digest to f9f84bd (v1.18) (#​44250, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/certgen docker tag to v0.3.2 (v1.18) (#​43841, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768610924-2528359430c6adba1ab20fc8396b4effe491ed96 (v1.18) (#​43842, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1768828720-c6e4827ebca9c47af2a3a6540c563c30947bae29 (v1.18) (#​43981, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770265024-9828c064a10df81f1939b692b01203d88bb439e4 (v1.18) (#​44251, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de (v1.18) (#​44260, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43843, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​43982, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.18) (patch) (#​44097, @​cilium-renovate[bot])
• docs: add helm underlayProtocol value to documentation (Backport PR #​44056, Upstream PR #​43934, @​aanm)
• docs: adjust URL to latest stable Hubble CLI version (Backport PR #​43777, Upstream PR #​43745, @​tklauser)
• docs: Document hubble requirement on kernels with BPF_EVENTS compiled in (Backport PR #​44056, Upstream PR #​44042, @​EmilyShepherd)
• docs: Update docsearch to v4.5.4 (Backport PR #​44273, Upstream PR #​44233, @​joestringer)
• Documentation: Added Helm configuration instructions for enabling and customizing metrics. (Backport PR #​44056, Upstream PR #​43481, @​suunj)
• gitattributes: make install/kubernetes driver match more specific. (Backport PR #​44056, Upstream PR #​43943, @​tommyp1ckles)
• multicast: fix nil assignment to node configuration cell.Out map (Backport PR #​43865, Upstream PR #​40859, @​ldelossa)
• workflows: Add id-token permission to call-publish-helm job (Backport PR #​43777, Upstream PR #​43717, @​aanm)

Other Changes:

• .github/workflows: remove stable from v1.18 branch (#​44153, @​aanm)
• [v1.18] Backport setup gke cluster (#​43793, @​Artyop)
• install: Update image digests for v1.18.6 (#​43714, @​cilium-release-bot[bot])

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.7@​sha256:99b029a0a7c2224dac8c1cc3b6b3ba52af00e2ff981d927e84260ee781e9753c

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.7@​sha256:3d4512153afc5d8ceda3517f9b243619b55a67f9abaebcc92c4be2df94d43cfa

docker-plugin

quay.io/cilium/docker-plugin:v1.18.7@​sha256:e9f15016c7247dffeb2a9216cccc2ab6d36345a2504d34e319c6e9a7873bf3e9

hubble-relay

quay.io/cilium/hubble-relay:v1.18.7@​sha256:9bb9b2b1a4f4bef12a77738756cfbf970daa701e536e42f0a9c64a621bc7c9d5

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.7@​sha256:ca3f0dd26a4b447524dce51ee8ef82485a08187b840c21ce4a1398c02b5174a0

operator-aws

quay.io/cilium/operator-aws:v1.18.7@​sha256:fe56a6289afea7f6420f8de0218710ccaaa7af891df5fc180ddd33e6c7509b45

operator-azure

quay.io/cilium/operator-azure:v1.18.7@​sha256:5fb753344c84ab0989d525f789738c874f3fa8f07fbb5cfce06034d027c9728f

operator-generic

quay.io/cilium/operator-generic:v1.18.7@​sha256:244306c5e7c6b73dc7193424f46ed8a0530767b03f03baac80dd717a3a3f0ad7

operator

quay.io/cilium/operator:v1.18.7@​sha256:8aa2bb32df776b8e8f6cfb57ab3eaed5a451bc9f20f1d62a2393840fc072678f

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
github.com/cilium/ebpf	v0.19.0 -> v0.20.1-0.20260218191617-ee67e7f43dd9
github.com/vishvananda/netlink	v1.3.1 -> v1.3.2-0.20250926155043-cd3cb2e12c97

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.43%. Comparing base (c023298) to head (0c74121).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #548   +/-   ##
=======================================
  Coverage   73.43%   73.43%           
=======================================
  Files          19       19           
  Lines        2906     2906           
=======================================
  Hits         2134     2134           
  Misses        523      523           
  Partials      249      249           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.