kubernetes · ameukam · Mar 10, 2025 · Mar 10, 2025 · Mar 10, 2025 · Mar 10, 2025
diff --git a/docs/releases/1.33-NOTES.md b/docs/releases/1.33-NOTES.md
@@ -26,7 +26,7 @@ This is a document to gather the release notes prior to the release.
 
 # Other changes of note
 
-* TODO
+* Cilium has been upgraded to 1.17
 
 # Breaking changes
 

diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
@@ -1248,8 +1248,8 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 			allErrs = append(allErrs, field.Invalid(versionFld, v.Version, "Could not parse as semantic version"))
 		}
 
-		if version.Minor != 16 {
-			allErrs = append(allErrs, field.Invalid(versionFld, v.Version, "Only version 1.16 is supported"))
+		if version.Minor != 17 {
+			allErrs = append(allErrs, field.Invalid(versionFld, v.Version, "Only version 1.17 is supported"))
 		}
 
 		if v.Hubble != nil && fi.ValueOf(v.Hubble.Enabled) {

diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go
@@ -1204,7 +1204,7 @@ func Test_Validate_Cilium(t *testing.T) {
 		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{
-				Version: "v1.16.0",
+				Version: "v1.17.0",
 				Ingress: &kops.CiliumIngressSpec{
 					Enabled:                 fi.PtrTo(true),
 					DefaultLoadBalancerMode: "bad-value",
@@ -1214,7 +1214,7 @@ func Test_Validate_Cilium(t *testing.T) {
 		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{
-				Version: "v1.16.0",
+				Version: "v1.17.0",
 				Ingress: &kops.CiliumIngressSpec{
 					Enabled:                 fi.PtrTo(true),
 					DefaultLoadBalancerMode: "dedicated",
@@ -1223,7 +1223,7 @@ func Test_Validate_Cilium(t *testing.T) {
 		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{
-				Version: "v1.16.0",
+				Version: "v1.17.0",
 				Hubble: &kops.HubbleSpec{
 					Enabled: fi.PtrTo(true),
 				},

diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go
@@ -40,7 +40,7 @@ func (b *CiliumOptionsBuilder) BuildOptions(o *kops.Cluster) error {
 	}
 
 	if c.Version == "" {
-		c.Version = "v1.16.7"
+		c.Version = "v1.17.1"
 	}
 
 	if c.EnableEndpointHealthChecking == nil {

diff --git a/...tion/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content b/...tion/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content
@@ -212,7 +212,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: disabled
-      version: v1.16.7
+      version: v1.17.1
   nodeTerminationHandler:
     cpuRequest: 50m
     deleteSQSMsgIfNodeNotFound: false

diff --git a/.../minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content b/.../minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content
@@ -99,7 +99,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
-    manifestHash: 701616c03e4ad157a9db6cf3caa3a82fc8c200b7d0b838d50668603abe69e43a
+    manifestHash: 67d42bccab4bb55ae509a3a4138b1f81aada1f04b703b9a013dc3052f67a983c
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

diff --git a/.../data/aws_s3_object_minimal-ipv6.example.com-addons-networking.cilium.io-k8s-1.16_content b/.../data/aws_s3_object_minimal-ipv6.example.com-addons-networking.cilium.io-k8s-1.16_content
@@ -582,7 +582,7 @@ spec:
           value: api.internal.minimal-ipv6.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -665,6 +665,9 @@ spec:
           name: cilium-cgroup
         - mountPath: /var/run/cilium
           name: cilium-run
+        - mountPath: /var/run/cilium/netns
+          mountPropagation: HostToContainer
+          name: cilium-netns
         - mountPath: /host/etc/cni/net.d
           name: etc-cni-netd
         - mountPath: /var/lib/cilium/clustermesh
@@ -700,7 +703,7 @@ spec:
           value: api.internal.minimal-ipv6.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: config
         terminationMessagePolicy: FallbackToLogsOnError
@@ -719,7 +722,7 @@ spec:
           value: /run/cilium/cgroupv2
         - name: BIN_PATH
           value: /opt/cni/bin
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: mount-cgroup
         securityContext:
@@ -746,7 +749,7 @@ spec:
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: apply-sysctl-overwrites
         securityContext:
@@ -770,7 +773,7 @@ spec:
         - /bin/bash
         - -c
         - --
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: mount-bpf-fs
         securityContext:
@@ -805,7 +808,7 @@ spec:
           value: api.internal.minimal-ipv6.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         securityContext:
@@ -830,7 +833,7 @@ spec:
           name: cilium-run
       - command:
         - /install-plugin.sh
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: install-cni-binaries
         resources:
@@ -860,6 +863,10 @@ spec:
           path: /var/run/cilium
           type: DirectoryOrCreate
         name: cilium-run
+      - hostPath:
+          path: /var/run/netns
+          type: DirectoryOrCreate
+        name: cilium-netns
       - hostPath:
           path: /sys/fs/bpf
           type: DirectoryOrCreate
@@ -993,7 +1000,7 @@ spec:
           value: api.internal.minimal-ipv6.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/operator:v1.16.7
+        image: quay.io/cilium/operator:v1.17.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

diff --git a/...er/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data b/...er/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data
@@ -153,7 +153,7 @@ ConfigServer:
   - https://kops-controller.internal.minimal-warmpool.example.com:3988/
 InstanceGroupName: nodes
 InstanceGroupRole: Node
-NodeupConfigHash: 5uju3TyrpJia7EVXjpE80ZhpgiJ8lkHOSz6oHXR8ekE=
+NodeupConfigHash: OlbIZ+owUMoXRoRKpoP1iIbn6nG2V2M+fqkmvQnyNzs=
 
 __EOF_KUBE_ENV
 

diff --git a/...gration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content b/...gration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content
@@ -204,7 +204,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: vxlan
-      version: v1.16.7
+      version: v1.17.1
   nodeTerminationHandler:
     cpuRequest: 50m
     deleteSQSMsgIfNodeNotFound: false

diff --git a/...minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content b/...minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content
@@ -99,7 +99,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
-    manifestHash: 1d069b812e49ee373c8c35c4a7c653e7c7690c8292f34025abd2c33db0064277
+    manifestHash: 77954aa17548c1404ee5ff147cd441f3ef0be5ad736123784dde238ace7b3f36
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

diff --git a/...a/aws_s3_object_minimal-warmpool.example.com-addons-networking.cilium.io-k8s-1.16_content b/...a/aws_s3_object_minimal-warmpool.example.com-addons-networking.cilium.io-k8s-1.16_content
@@ -583,7 +583,7 @@ spec:
           value: api.internal.minimal-warmpool.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -666,6 +666,9 @@ spec:
           name: cilium-cgroup
         - mountPath: /var/run/cilium
           name: cilium-run
+        - mountPath: /var/run/cilium/netns
+          mountPropagation: HostToContainer
+          name: cilium-netns
         - mountPath: /host/etc/cni/net.d
           name: etc-cni-netd
         - mountPath: /var/lib/cilium/clustermesh
@@ -701,7 +704,7 @@ spec:
           value: api.internal.minimal-warmpool.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: config
         terminationMessagePolicy: FallbackToLogsOnError
@@ -720,7 +723,7 @@ spec:
           value: /run/cilium/cgroupv2
         - name: BIN_PATH
           value: /opt/cni/bin
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: mount-cgroup
         securityContext:
@@ -747,7 +750,7 @@ spec:
         env:
         - name: BIN_PATH
           value: /opt/cni/bin
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: apply-sysctl-overwrites
         securityContext:
@@ -771,7 +774,7 @@ spec:
         - /bin/bash
         - -c
         - --
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: mount-bpf-fs
         securityContext:
@@ -806,7 +809,7 @@ spec:
           value: api.internal.minimal-warmpool.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         securityContext:
@@ -831,7 +834,7 @@ spec:
           name: cilium-run
       - command:
         - /install-plugin.sh
-        image: quay.io/cilium/cilium:v1.16.7
+        image: quay.io/cilium/cilium:v1.17.1
         imagePullPolicy: IfNotPresent
         name: install-cni-binaries
         resources:
@@ -861,6 +864,10 @@ spec:
           path: /var/run/cilium
           type: DirectoryOrCreate
         name: cilium-run
+      - hostPath:
+          path: /var/run/netns
+          type: DirectoryOrCreate
+        name: cilium-netns
       - hostPath:
           path: /sys/fs/bpf
           type: DirectoryOrCreate
@@ -994,7 +1001,7 @@ spec:
           value: api.internal.minimal-warmpool.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/operator:v1.16.7
+        image: quay.io/cilium/operator:v1.17.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

diff --git a/...integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content b/...integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content
@@ -61,7 +61,7 @@ containerdConfig:
 usesLegacyGossip: false
 usesNoneDNS: false
 warmPoolImages:
-- quay.io/cilium/cilium:v1.16.7
-- quay.io/cilium/operator:v1.16.7
+- quay.io/cilium/cilium:v1.17.1
+- quay.io/cilium/operator:v1.17.1
 - registry.k8s.io/kube-proxy:v1.32.0
 - registry.k8s.io/provider-aws/cloud-controller-manager:v1.31.0
diff --git a/...gration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content b/...gration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content
@@ -200,7 +200,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: vxlan
-      version: v1.16.7
+      version: v1.17.1
   nonMasqueradeCIDR: 100.64.0.0/10
   podCIDR: 100.96.0.0/11
   secretStore: memfs://tests/scw-minimal.k8s.local/secrets

diff --git a/...luster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-bootstrap_content b/...luster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-bootstrap_content
@@ -55,7 +55,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
-    manifestHash: cceac64c304516725d40231c9b73cff5e8299856760fb6cea3222f1c21d080f7
+    manifestHash: 304e50b6609a42e86ccc4985b37b035bd5a363b6c84023700f258b9f5f3caad8
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:
-Original file line number
+Diff line change
@@ Expand Up @@
     # Other changes of note
-    * TODO
+    * Cilium has been upgraded to 1.17
     # Breaking changes
@@ Expand Down @@