Summary
The output of cilium-bugtool with the --envoy-dump flag set can contain sensitive data when run against Cilium deployments with the Envoy proxy enabled. Affected features include TLS inspection, Ingress with TLS termination, Gateway API with TLS termination, and Kafka network policies with API key filtering. The sensitive data covers CA certificates, certificate chains, private keys used by Cilium HTTP network policies and Ingress / Gateway API, and API keys used in Kafka-related network policy.
Impact
cilium-bugtool is a debugging tool typically invoked manually and does not run during normal cluster operation. However, archives produced with --envoy-dump from a cluster running Envoy expose secrets that the cluster operator likely treats as private — TLS private keys grant impersonation of TLS endpoints terminated by Cilium, and Kafka API keys grant access to topics protected by API-key-aware network policies. Any archive shared externally (uploaded to a ticket, sent to a vendor, or stored in shared cloud storage) should be treated as a credential disclosure.
Detection
Audit any previously shared bugtool archives produced with --envoy-dump from Cilium clusters with Envoy enabled. Confirm whether your cluster runs Envoy and which features (TLS inspection, Ingress, Gateway API, Kafka network policies) are in use, since those determine which categories of secrets were exposed.
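One way to audit an extracted archive before (or after) it is shared, as an added example that is not part of Cilium or cilium-bugtool: it reports every PEM block found, flags private keys without reproducing them, and prints a SHA-256 fingerprint for each certificate so the operator can tell which material to rotate. The archive layout, the JSON-escaped PEM shape, and the field names in the sample are assumptions; Kafka API keys have no fixed marker and are not covered.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

# A PEM block whose footer type matches its header type.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_fingerprint(body: str) -> str:
    """SHA-256 over the DER payload, so an exposed cert can be matched to the one to rotate."""
    der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    return hashlib.sha256(der).hexdigest()

def scan_text(text: str) -> list:
    """Return (kind, detail) for each PEM block; key material itself is never returned."""
    # Assumption: dump files may be JSON, where PEM newlines appear as the two characters '\n'.
    text = text.replace("\\n", "\n")
    findings = []
    for m in PEM_RE.finditer(text):
        kind, body = m.group(1), m.group(2)
        if kind in KEY_TYPES:
            findings.append(("private-key", kind))
        else:
            try:
                findings.append((kind.lower(), pem_fingerprint(body)))
            except ValueError:  # binascii.Error is a ValueError subclass
                findings.append((kind.lower(), "undecodable"))
    return findings

def scan_dir(root: str) -> dict:
    """Map each file under an extracted archive to its findings (files with none are omitted)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            found = scan_text(path.read_text(errors="replace"))
            if found:
                results[str(path.relative_to(root))] = found
    return results

# Constructed sample shaped like a JSON-escaped Envoy TlsCertificate; "AAEC" is a dummy DER body.
SAMPLE = (
    '{"tls_certificate": {"certificate_chain": {"inline_string": '
    '"-----BEGIN CERTIFICATE-----\\nAAEC\\n-----END CERTIFICATE-----\\n"}, '
    '"private_key": {"inline_string": '
    '"-----BEGIN EC PRIVATE KEY-----\\nAAEC\\n-----END EC PRIVATE KEY-----\\n"}}}'
)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    findings = scan_dir(root) if root else {"<sample>": scan_text(SAMPLE)}
    for name, items in findings.items():
        for kind, detail in items:
            print(f"{name}: {kind} {detail}")
    sys.exit(1 if findings else 0)
```

Run it with the path of an extracted bugtool archive as the only argument; a non-zero exit means the archive still contains TLS material and should not leave the cluster operator's control.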
Mitigation
Upgrade to a patched version on the appropriate release line:
- Cilium v1.15.6 or later (for the 1.15 line)
- Cilium v1.14.12 or later (for the 1.14 line)
- Cilium v1.13.17 or later (for the 1.13 line)
There is no workaround for the underlying issue. Operators who have previously shared --envoy-dump archives from Envoy-enabled clusters should rotate the affected TLS certificates and private keys, regenerate Ingress / Gateway API TLS material, and rotate any Kafka API keys configured in Kafka network policies.