# Cilium 1.19: What to Verify Before You Upgrade
If you are planning to move from 1.18 to 1.19.0 (2026-02-04), the value of this minor release is mostly in operational contract changes: Multi-Pool IPAM graduates from Beta, data-plane IPsec can be combined with BPF host routing, Ztunnel enters Beta, network policy and Cluster Mesh defaults tighten, and BGP v1 Peering Policy is removed. For platform engineers, what is worth keeping is not a slide-by-slide read-through but an upgrade checklist: whether policies span clusters, whether DNS rules use `**.`, whether BGP CRDs are still on v1, whether IPAM needs multiple pools, and whether observability should enable Option 136. This eCHO episode is a GitHub Release walkthrough with no live cluster demo; the sections below summarize actionable items by theme. Commands and Helm fields follow v1.19 documentation; spoken performance figures are called out separately.
## Upgrade and Release Overview
The release notes cite roughly 2934 commits and 1010+ contributors. Official guidance is explicit: if you use Network Policies, Cluster Mesh, LoadBalancer IPAM, or BGP, read the 1.19 Upgrade Notes before upgrading—otherwise you may hit surprises in policy semantics or BGP CRDs.

**Select Clusters Explicitly (#40609):** When a policy's endpoint selector does not name a cluster, only the local cluster is matched by default. Rules that previously relied on implicit cross-cluster reachability in Cluster Mesh must name clusters explicitly; otherwise cross-cluster services can stop working abruptly—this is one of the most important breaking behaviors to diff first in 1.19.
**Actively Deny Connections (#41406):** When egress is denied by a Network Policy, Cilium can return ICMPv4 Destination Unreachable so clients fail fast instead of hitting a black-hole drop. The feature is experimental and applies only to IPv4 egress.

```yaml
# Helm (v1.19, default none)
policyDenyResponse: icmp
```

Agent equivalent: `--policy-deny-response=icmp`. See Policy intro — Deny Response.

**DNS multi-level wildcards:** `matchPattern` supports a `**.example.com` prefix, matching multi-level subdomains such as `foo.bar.example.com`, but not the parent apex `example.com` itself; if policies must cover the apex, add a separate `matchName` (Policy language — DNS). The Upgrade Notes warn that existing `**.` rules may change semantics—replay DNS policies in a staging cluster before production.
**Deprecations and engine refactors:** Kafka protocol matching (beta) and the `ToRequires` / `FromRequires` fields are deprecated; the policy engine was refactored internally to pave the way for future minors (#39906, among others)—the user-facing impact is mainly migrating deprecated fields.
## Data Plane: IPsec, Multi-Pool IPAM, Gateway
BPF Host Routing + IPsec (#41997): With kube-proxy replacement, BPF masquerade, and IPsec enabled together, forwarding can use eBPF host routing and reduce traditional route lookup overhead. Upgrade Notes state that eBPF Host Routing is enabled automatically; node kernels must include the fix for CVE-2025-37959. The speaker mentioned roughly 30% improvement in short-connection CRR—this does not appear in the Release or docs; do not use it for capacity planning.
**Multi-Pool IPAM (Stable, #40460):** Set Helm `ipam.mode=multi-pool`; `CiliumPodIPPool` (`cilium.io/v2alpha1`) adds `spec.podSelector` so pools are chosen by Pod labels without changing the Pod spec. The documentation requires that each IP family match exactly one pool; otherwise allocation fails. The Release states it can be used with IPsec + direct routing, suitable for carving address ranges per pool and encrypting cross-subnet traffic (multi-pool concepts). Pool-level annotations still include `ipam.cilium.io/ip-pool`, among others.
**Gateway API:** Cilium supports `GRPCRoute` in GAMMA scenarios (#41936), aligning with existing `HTTPRoute` capabilities; gRPC load balancing on the Cilium data plane is not new—1.19 mainly aligns the API surface. The Release cites Gateway API v1.4; the gateway-api documentation footer still lists v1.3.0—treat the Release and `go.mod` as authoritative.
Encryption strict mode: Both IPsec and WireGuard can enable strict mode to drop unencrypted inter-node traffic (#39239, among others)—the Release covers this; the episode did not go deep. If you already use WireGuard or IPsec transparent encryption, check Upgrade Notes for conflicts with kube-proxy replacement and masquerade mode during upgrade.
## Ztunnel Beta (Namespace-Level Enrollment)
Ztunnel is labeled Beta (#42766, among others): Cilium acts as the control plane for workload discovery and certificate issuance; inside the Pod netns, iptables redirects TCP to a local `ztunnel` for transparent encryption. Pod-level toggles are not supported—only namespace labels; not compatible with Cluster Mesh (ztunnel documentation).

```yaml
encryption:
  enabled: true
  type: ztunnel
```

```shell
# Generate secrets per docs first, then enroll the namespace
kubectl label namespace <ns> io.cilium/mtls-enabled=true
```

Helm equivalent: `--set encryption.enabled=true --set encryption.type=ztunnel`. Mutual Authentication (out-of-band) is off by default in 1.19 (#42665); for workload mTLS, documentation tends to recommend trying Ztunnel first. In Beta, plan a rollback path and validate interaction with existing `CiliumNetworkPolicy` in a non-production cluster.
LoadBalancer vs. port-forward: The former exposes a VIP via the cloud or Cilium BGP/LB data plane; the latter goes through the kube-apiserver proxy and suits debugging. Both can reach the same Service, but the path and observability differ completely—see K8s port-forward and LoadBalancer Service (the LB path on Cilium is summarized by the speaker).
## Host Firewall: VRRP / IGMP
keepalived VIPs, IGMP multicast, and similar traffic have no TCP/UDP ports; older host firewall behavior often dropped unknown L4 traffic. 1.19 supports VRRP / IGMP in host rules (#39872, #41949), requiring `--enable-extended-ip-protocols` on the cluster.

```yaml
# v1.19.0 examples/policies/host/allow-extended-protocols.yaml
toPorts:
- protocol: VRRP # or IGMP
```

The spoken `port: "0"` does not appear in official examples—confirm CRD acceptance with `cilium policy validate` or cluster testing before deployment.
## Observability: IP Tracing and Hubble Filters
IPv4 Option 136 (Stream ID) marks flows on the path; Hubble correlates using the same ID (#41306):

```shell
helm install cilium oci://quay.io/cilium/charts/cilium --version 1.19.0 \
  --namespace kube-system \
  --set bpf.monitorTraceIPOption=136
hubble observe --ip-trace-id <id>
hubble observe --encrypted   # added in #43096
hubble observe --unencrypted
```

The install field is `bpf.monitorTraceIPOption` (not the spoken `bpfMonitor.trace`). For IP tracing on the CLI use `--ip-trace-id`; `--trace-id` is a different filter type (Hubble CLI). “Still traceable after NAT” is speaker commentary; official tutorials do not guarantee that scenario.
**FlowLog aggregation (#42011):** Configure `fieldAggregate`, `aggregationInterval`, `fieldMask`, and related fields on dynamic export to send aggregated events to a SIEM while Hubble keeps full flows—the capability is documented in CHANGELOG/Helm comments, but there is no standalone tutorial at the same level as the Release highlights. The typical motivation is reducing Elasticsearch/Splunk write volume while using `includeFilters` to export only the verdicts or namespaces you care about; `aggregationInterval` must be non-empty and greater than zero together with `fieldAggregate` to take effect (see Helm `hubble.export` and `valid-flowlogs-config.yaml` in the repo).
## PLPMTUD, Helm OCI, BGP, and Other Networking Items

**PLPMTUD (#42012):** Uses TCP inside the endpoint netns to probe path MTU; Helm keys include `pmtuDiscovery.packetizationLayerPMTUDMode`. The Release does not provide a unified minimum kernel version table—check the PR or test on target nodes.
**Helm distribution:** In addition to `helm repo add cilium https://helm.cilium.io`, you can use OCI:

```shell
helm install cilium oci://quay.io/cilium/charts/cilium --version 1.19.0 \
  --namespace kube-system
```

See Helm installation—both sources coexist; documentation does not announce deprecation of the classic repo.
**BGP breaking change:** `CiliumBGPPeeringPolicy` (v1) is removed; migrate to `cilium.io/v2` resources such as `CiliumBGPClusterConfig`, `CiliumBGPPeerConfig`, and `CiliumBGPAdvertisement` (Upgrade Notes). 1.19 also adds operator-focused capabilities—Interface-type advertisements, overridable BGP session source addresses, route withdrawal when there is no endpoint, and more (Release BGP section)—but if GitOps still references v1 Peering Policy YAML, the upgrade will fail outright; fix manifests first. On the same page, also note BIG TCP in tunnels (#43416), IPv6 underlay (#40324), L2 Announcements IPv6 ND, and IPv6 Service loopback—all per the Release.
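Three of the checklist items above are things a CI job can catch in a GitOps repository before anyone runs `helm upgrade`: the removed `CiliumBGPPeeringPolicy` v1 CRD, the deprecated `ToRequires` / `FromRequires` and Kafka rules, and `**.` DNS patterns whose semantics change. The script below is an added example, not code from the eCHO episode or the Cilium project. It is deliberately grep-based so it needs neither cluster access nor a YAML parser; the manifests it scans are constructed inline for the demonstration and are not taken from any real repository. Its checks are heuristics (they match YAML keys by name), so every finding still has to be confirmed against the 1.19 Upgrade Notes.

```shell
#!/bin/sh
# Added example (not from the eCHO episode or the Cilium project): a pre-upgrade
# audit of a GitOps manifest directory for the 1.19 contract changes discussed
# on this page. grep-based on purpose: no cluster access, no YAML parser, runs in
# CI before `helm upgrade`. Findings are heuristics; confirm against the notes.
set -eu

# audit_manifests DIR: print one "<check>: <file>:<line>:<text>" line per finding.
audit_manifests() {
    dir=$1
    # CiliumBGPPeeringPolicy (v1) is removed in 1.19: the upgrade fails outright.
    grep -rn -E '^kind:[[:space:]]*CiliumBGPPeeringPolicy' "$dir" 2>/dev/null \
        | sed 's/^/bgp-v1-removed: /'
    # toRequires / fromRequires are deprecated: plan the migration.
    grep -rn -E '^[[:space:]]*-?[[:space:]]*(toRequires|fromRequires):' "$dir" 2>/dev/null \
        | sed 's/^/requires-deprecated: /'
    # Kafka L7 matching (beta) is deprecated.
    grep -rn -E '^[[:space:]]*-?[[:space:]]*kafka:' "$dir" 2>/dev/null \
        | sed 's/^/kafka-deprecated: /'
    # A matchPattern beginning with "**." changes semantics in 1.19: replay these
    # in staging and add a matchName if the apex domain must stay covered.
    grep -rn -E '^[[:space:]]*-?[[:space:]]*matchPattern:[[:space:]]*"?\*\*\.' "$dir" 2>/dev/null \
        | sed 's/^/dns-double-wildcard: /'
}

# count_findings DIR: number of findings, usable as a CI gate (0 means clean).
count_findings() {
    audit_manifests "$1" | wc -l | tr -d ' '
}

# make_sample_repo: write constructed sample manifests to a temp dir and print its path.
make_sample_repo() {
    repo=$(mktemp -d)
    cat > "$repo/bgp-old.yaml" <<'EOF'
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeeringPolicy
metadata:
  name: tor-peering
spec:
  virtualRouters:
  - localASN: 64512
EOF
    cat > "$repo/dns-policy.yaml" <<'EOF'
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: egress-dns
spec:
  endpointSelector: {}
  egress:
  - toFQDNs:
    - matchPattern: "**.example.com"
    - matchPattern: "*.example.org"
    - matchName: "example.com"
EOF
    cat > "$repo/legacy-requires.yaml" <<'EOF'
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: legacy
spec:
  endpointSelector: {}
  ingress:
  - fromRequires:
    - matchLabels:
        env: prod
EOF
    cat > "$repo/kafka-l7.yaml" <<'EOF'
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: kafka-l7
spec:
  endpointSelector: {}
  egress:
  - toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        - role: produce
          topic: events
EOF
    cat > "$repo/clean.yaml" <<'EOF'
apiVersion: cilium.io/v2
kind: CiliumBGPClusterConfig
metadata:
  name: tor
EOF
    printf '%s\n' "$repo"
}

# Stand-alone run: audit the constructed repository and report the findings.
sample=$(make_sample_repo)
audit_manifests "$sample"
echo "findings: $(count_findings "$sample")"
```

Point `audit_manifests` at the directory your Argo CD or Flux source points at and fail the pipeline when `count_findings` is non-zero; the `bgp-v1-removed` class is the one that blocks the upgrade outright, the other three are migration work that can be scheduled.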
## Open Boundaries
| Claim | Status |
|---|---|
| BPF+IPsec “~30% TCP CRR” | Speaker commentary; no official benchmark |
| `hubble observe --trace-id` for IP tracing | Should be `--ip-trace-id` |
| Host policy `port: "0"` | Partially verified; follow example YAML + live testing |
| PLPMTUD / BIG TCP kernel requirements | Check PR/capabilities per node |
The Release pairs v1.19 with Cilium’s tenth anniversary; contribution entry points: slack.cilium.io, Contributing. KubeCon Amsterdam agenda: Cilium at KubeCon EU 2026. Book launch date and next episode’s 1.20 guests are spoken asides—not technical contracts.
Further reading: v1.19.0 Release · Documentation home · Upgrade Notes · IP packet tracing tutorial