Cilium 1.19 Adds Ztunnel Encryption and Strict WireGuard Mode as eBPF Service Mesh Reaches Its Ten-Year Milestone
Cilium 1.19 introduces beta ztunnel integration for transparent mTLS encryption without sidecars, strict encryption modes for WireGuard and IPsec, and stable Multi Pool IPAM, as the CNCF-graduated eBPF networking project marks a decade of development.
Cilium 1.19, the latest release of the eBPF-based networking and security platform for Kubernetes, introduces transparent encryption through a new ztunnel integration, adds mandatory encryption modes for inter-node traffic, and promotes Multi Pool IPAM to stable status. The release, which drew 2,934 commits from over 1,010 developers, arrives as the project marks ten years since its first commit.
Cilium is the second-largest CNCF project by contributions after Kubernetes itself, and its data plane underpins managed Kubernetes offerings including Google Kubernetes Engine Dataplane V2 and Azure Kubernetes Service. According to the project’s annual report, more than 60 percent of surveyed deployments now run Cilium, a figure that rises above 75 percent once reliance on Cilium-based data planes in managed services is included.
Ztunnel Brings Sidecar-Free mTLS
The headline addition in 1.19 is a beta integration of ztunnel, a purpose-built per-node proxy that provides transparent Layer 4 mTLS encryption and authentication for pod-to-pod communication. When a namespace is enrolled through a Kubernetes label, ztunnel automatically redirects TCP traffic through an encrypted tunnel using the HBONE protocol on port 15008, with no changes required to application code.
The mechanism relies on SPIFFE-based identities, with Cilium’s certificate server generating ephemeral client certificates on demand within ztunnel. Both source and destination pods must be in enrolled namespaces for encryption to take effect. According to the Cilium documentation, the current beta supports TCP traffic only and does not yet work with Cluster Mesh deployments.
The ztunnel approach represents a middle ground in the service mesh encryption debate. Unlike traditional sidecar proxies, which inject a full Envoy instance alongside every pod, ztunnel runs as a single per-node process. Unlike Cilium’s existing IPsec and WireGuard encryption, which operate at the network layer and encrypt all inter-node traffic indiscriminately, ztunnel provides workload-level identity and mutual authentication.
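The two enrollment rules above (both namespaces enrolled, TCP only) determine which pod-to-pod traffic the beta actually encrypts. The following is an added example, not Cilium or ztunnel code: a small coverage audit that takes a set of enrolled namespace names and a list of observed flows (both constructed here, since the article does not name the enrollment label) and reports the traffic that would remain outside ztunnel mTLS, with the reason.

```python
"""Coverage audit for ztunnel namespace enrollment (added example, not Cilium code).

Model assumed from the article: a flow is redirected through the encrypted
HBONE tunnel only if BOTH source and destination pods live in enrolled
namespaces and the flow is TCP. Everything else is left to whatever
network-layer encryption (WireGuard/IPsec, if any) the cluster already has.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ns: str
    src_pod: str
    dst_ns: str
    dst_pod: str
    proto: str  # "TCP" or "UDP"


def covered_by_ztunnel(flow: Flow, enrolled: set[str]) -> bool:
    """True if ztunnel would mTLS-encrypt this flow under the article's rules."""
    return (flow.proto == "TCP"
            and flow.src_ns in enrolled
            and flow.dst_ns in enrolled)


def coverage_gaps(flows, enrolled):
    """Return (flow, reason) pairs for traffic ztunnel would NOT encrypt.

    Reasons distinguish the two failure modes so an operator knows whether to
    enrol another namespace or rely on WireGuard/IPsec for that traffic."""
    gaps = []
    for f in flows:
        if f.proto != "TCP":
            gaps.append((f, "non-TCP: beta supports TCP only"))
        elif f.src_ns not in enrolled or f.dst_ns not in enrolled:
            missing = sorted({f.src_ns, f.dst_ns} - enrolled)
            gaps.append((f, "unenrolled namespace(s): " + ", ".join(missing)))
    return gaps


# Constructed sample: namespace and pod names invented for this example.
ENROLLED = {"payments", "ledger"}
SAMPLE_FLOWS = [
    Flow("payments", "api-1", "ledger", "db-0", "TCP"),      # covered
    Flow("payments", "api-1", "payments", "cache-0", "TCP"),  # covered
    Flow("payments", "api-1", "metrics", "prom-0", "TCP"),   # metrics not enrolled
    Flow("ledger", "db-0", "ledger", "db-1", "UDP"),         # UDP not covered
]

if __name__ == "__main__":
    for flow, why in coverage_gaps(SAMPLE_FLOWS, ENROLLED):
        print(f"{flow.src_ns}/{flow.src_pod} -> {flow.dst_ns}/{flow.dst_pod} "
              f"({flow.proto}): {why}")
```

Feeding the audit real flow data (for example Hubble flow exports) would show which namespaces still need enrolling before ztunnel can be relied on for east-west encryption.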
Strict Encryption for Zero-Trust Environments
Cilium 1.19 also introduces strict modes for both IPsec and WireGuard encryption. In previous releases, encryption between nodes operated on a best-effort basis: if a peer had not yet established an encrypted tunnel, traffic could fall through unencrypted. Strict mode changes this behavior by dropping any inter-node traffic that cannot be encrypted.
The feature targets regulated industries and zero-trust architectures where unencrypted east-west traffic is a compliance violation. Financial institutions and public sector organizations that deploy Kubernetes at scale have cited the inability to guarantee encryption between nodes as a barrier to adoption in sensitive environments.
Alongside the strict modes, BPF Host Routing now works concurrently with IPsec encryption, removing a previous limitation that forced operators to choose between accelerated routing and encrypted transport.
Network Policy and Observability Improvements
Network policies receive several refinements in this release. Multi-level DNS wildcard matching now supports patterns with a *. prefix, allowing a single rule to cover all subdomains of a domain. The host firewall extends to VRRP and IGMP traffic, and denied egress connections now return ICMPv4 “Destination unreachable” messages rather than silently dropping packets, giving application developers clearer diagnostic signals.
Multi-cluster deployments default to local-cluster-only traffic in 1.19, a breaking change that requires explicit configuration to allow cross-cluster communication. The shift reflects a security-first posture: operators must now opt in to cross-cluster traffic rather than discovering it was silently permitted.
Hubble, Cilium’s observability layer, gains IP Options packet tracing for targeted flow analysis, flow log aggregation to reduce exported log volume, and the ability to filter flows by encryption status. Drop events are now tagged with the specific network policy that caused them, eliminating a common troubleshooting pain point.
IPAM and IPv6 Maturation
Multi Pool IPAM, which allows operators to allocate pod IP addresses from multiple address pools with label-based selectors, graduates from beta to stable. The feature now works alongside IPsec and direct routing and supports granular source NAT tuning for multi-subnet node traffic.
IPv6 support advances on multiple fronts: L2 announcements now support IPv6 via Neighbor Discovery Protocol, and a new IPv6 underlay option enables VXLAN and Geneve tunneling over IPv6 in dual-stack clusters, removing restrictions that previously limited IPv6-only deployments.
Deprecations and Migration
The release deprecates Kafka protocol match fields in network policies and the ToRequires and FromRequires policy fields. Mutual authentication, which predated the ztunnel integration, is now disabled by default pending community feedback on the transition path. CiliumBGPPeeringPolicy v1 API support has been removed, requiring operators to migrate to the v2 API.
Gateway API support has been upgraded to v1.4.0, adding native GRPCRoute handling alongside HTTPRoute and unifying north-south and east-west traffic routing through a single API surface.
Cilium 1.19.1, a patch release addressing initial stability issues, followed on February 17. The next major release, 1.20, is already in pre-release with Kubernetes Cluster Network Policy support on the roadmap.