diff --git a/resources/cilium/cluster-role.yaml b/resources/cilium/cluster-role.yaml
index ca7ca66..bb393f6 100644
--- a/resources/cilium/cluster-role.yaml
+++ b/resources/cilium/cluster-role.yaml
@@ -70,6 +70,7 @@ rules:
 - ciliumlocalredirectpolicies
 - ciliumlocalredirectpolicies/status
 - ciliumlocalredirectpolicies/finalizers
+ - ciliumendpointslices
 verbs:
 - '*'
 - apiGroups:
@@ -134,6 +135,7 @@ rules:
 - list
 - watch
 - update
+ - delete
 - apiGroups:
 - ""
 resources:
@@ -182,6 +184,7 @@ rules:
 - ciliumlocalredirectpolicies/status
 - ciliumlocalredirectpolicies/finalizers
 - ciliumegressnatpolicies
+ - ciliumendpointslices
 verbs:
 - '*'
diff --git a/resources/cilium/config.yaml b/resources/cilium/config.yaml
index ca5a7d3..41cf93a 100644
--- a/resources/cilium/config.yaml
+++ b/resources/cilium/config.yaml
@@ -15,19 +15,14 @@ data:
 # the kvstore by commenting out the identity-allocation-mode below, or
 # setting it to "kvstore".
 identity-allocation-mode: crd
-
- # identity-change-grace-period is the grace period that needs to pass
- # before an endpoint that has changed its identity will start using
- # that new identity. During the grace period, the new identity has
- # already been allocated and other nodes in the cluster have a chance
- # to whitelist the new upcoming identity of the endpoint.
- identity-change-grace-period: "5s"
+ cilium-endpoint-gc-interval: "5m0s"

 # If you want to run cilium in debug mode change this value to true
 debug: "false"
-
- # TCP liveness and readiness probes (prefer exec probe for now)
- agent-health-port: "9876"
+ # The agent can be put into the following three policy enforcement modes
+ # default, always and never.
+ # https://docs.cilium.io/en/latest/policy/intro/#policy-enforcement-modes
+ enable-policy: "default"

 # Prometheus
 # enable-metrics: "true"
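Review bot: The new `delete` verb in the hunk at line 134 joins a rule whose `resources:` list begins above the hunk, so the diff does not show what this ClusterRole can now delete cluster-wide, and no comment records which feature requires it. A cluster-wide `delete` is the kind of verb that amplifies a single compromised node or operator pod: if this is the agent role's core-API `pods` rule (the `list`/`watch`/`update` context and the following `apiGroups: [""]` rule are consistent with that, but I cannot confirm it from here), every node's Cilium token gains the ability to delete pods in any namespace. Please add a comment above the verb naming the requirement, e.g. `# delete: required since v1.11 for <feature>; keep the resource list as narrow as upstream's`, and confirm the resource list is not broader than upstream's for this version.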
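Review bot: `ciliumendpointslices` is added (here and in the hunk at line 70) to rules whose verbs are the wildcard `'*'`, which also grants `deletecollection` and any verb the API server introduces later. The commit only extends existing wildcard rules, so it is consistent with the file, but a ClusterRole reviewer would still flag it as a least-privilege gap: enumerating `get, list, watch, create, update, patch, delete` keeps the grant visible and auditable. If enumerating verbs for every Cilium CRD is out of scope for a version bump, a one-line comment such as `# wildcard verbs: this component owns these CRD objects end to end` above `verbs:` would at least record that the wildcard is intentional. The rule's `apiGroups:` entry is above the hunk, so whether this is the agent or the operator role is not visible here.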
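Review bot: The new comment above `enable-policy: "default"` lists the three modes but not what `default` means, and per the linked policy docs it keeps endpoints unrestricted until some network policy selects them; a reader seeing `enable-policy` next to `policy-audit-mode` could easily assume a deny-by-default posture. Suggested wording: `# "default": endpoints are unrestricted until a policy selects them; use "always" for default-deny`. Separately, deleting `identity-change-grace-period: "5s"` silently reverts that setting to the agent's built-in default rather than pinning it; if the 5s override was deliberate it should survive the upgrade, and if it is no longer needed the commit message should say so.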
@@ -65,17 +60,16 @@ data:
 # Only effective when monitor aggregation is set to "medium" or higher.
 monitor-aggregation-flags: all

- # bpf-policy-map-max specified the maximum number of entries in endpoint
- # policy map (per endpoint)
- bpf-policy-map-max: "16384"
-
- # bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
- # backend and affinity maps.
- bpf-lb-map-max: "65536"
-
 # Specifies the ratio (0.0-1.0) of total system memory to use for dynamic
 # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
 bpf-map-dynamic-size-ratio: "0.0025"
+ # bpf-policy-map-max specified the maximum number of entries in endpoint
+ # policy map (per endpoint)
+ bpf-policy-map-max: "16384"
+ # bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
+ # backend and affinity maps.
+ bpf-lb-map-max: "65536"
+ bpf-lb-external-clusterip: "true"

 # Pre-allocation of map entries allows per-packet latency to be reduced, at
 # the expense of up-front memory allocation for the entries in the maps. The
@@ -94,15 +88,20 @@ data:
 # 1.4 or later, then it may cause one-time disruptions during the upgrade.
 preallocate-bpf-maps: "false"

+ # Name of the cluster. Only relevant when building a mesh of clusters.
+ cluster-name: default
+ # Unique ID of the cluster. Must be unique across all conneted clusters and
+ # in the range of 1 and 255. Only relevant when building a mesh of clusters.
+ cluster-id: ""
+
 # Encapsulation mode for communication between nodes
 # Possible values:
 # - disabled
 # - vxlan (default)
 # - geneve
 tunnel: vxlan
-
- # Name of the cluster. Only relevant when building a mesh of clusters.
- cluster-name: default
+ # Enables L7 proxy for L7 policy enforcement and visibility
+ enable-l7-proxy: "true"

 auto-direct-node-routes: "false"
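Review bot: `bpf-lb-external-clusterip: "true"` is moved into the BPF map-sizing stanza with no comment of its own, and it is the one key in this hunk with a security consequence: as documented upstream, with the BPF kube-proxy replacement it makes ClusterIP services answerable to traffic arriving from outside the cluster, which the default of `"false"` prevents. It deserves its own comment, e.g. `# Allow ClusterIP services to be reached from outside the cluster (upstream default: false)`, and should sit apart from the `bpf-*-map-max` sizing keys so it is not mistaken for a tuning knob. The value itself is unchanged by this commit; only its placement is.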
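Review bot: `cluster-id: ""` assigns an empty string to what the comment directly above describes as an integer in the range 1–255, so the two lines contradict each other as written; please confirm how the agent parses the empty value and either write the documented "not in a mesh" value (`cluster-id: "0"` if that is what this version expects) or extend the comment with `# empty: this cluster is not part of a mesh`. The same comment has a typo, `conneted` → `connected`. `enable-l7-proxy: "true"` runs the L7 proxy (Envoy) inside every agent; a short note that it is required for L7 (HTTP/Kafka/DNS) policy and can be `"false"` where only L3/L4 policy is used would help operators who want the smaller attack surface.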
@@ -123,12 +122,11 @@ data:
 masquerade: "true"
 # bpfMasquerade enables masquerading with BPF instead of iptables
 enable-bpf-masquerade: "true"
- bpf-lb-external-clusterip: "true"

 # kube-proxy
 kube-proxy-replacement: "probe"
 kube-proxy-replacement-healthz-bind-address: ""
- enable-session-affinity: "false"
+ enable-session-affinity: "true"

 # ClusterIPs from host namespace
 enable-host-reachable-services: "false"
@@ -145,8 +143,10 @@ data:
 cluster-pool-ipv4-mask-size: "24"

 # Health
+ agent-health-port: "9876"
 enable-health-checking: "true"
 enable-endpoint-health-checking: "true"
+ enable-health-check-nodeport: "true"

 # Identity
 enable-well-known-identities: "false"
@@ -155,6 +155,7 @@ data:
 # Misc
 enable-bandwidth-manager: "false"
 enable-local-redirect-policy: "false"
- # enable-l7-proxy: "false"
 policy-audit-mode: "false"
 operator-api-serve-addr: "127.0.0.1:9234"
+ enable-l2-neigh-discovery: "true"
+ enable-k8s-terminating-endpoint: "true"
diff --git a/resources/cilium/daemonset.yaml b/resources/cilium/daemonset.yaml
index 08b1fad..c8dcb9d 100644
--- a/resources/cilium/daemonset.yaml
+++ b/resources/cilium/daemonset.yaml
@@ -40,7 +40,7 @@ spec:
 image: ${cilium_agent_image}
 command:
 - sh
- - -c
+ - -ec
 # The statically linked Go program binary is invoked to avoid any
 # dependency on utilities like sh and mount that can be missing on certain
 # distros installed on the underlying host. Copy the binary to the
@@ -65,9 +65,6 @@ spec:
 command:
 - /init-container.sh
 securityContext:
- capabilities:
- add:
- - NET_ADMIN
 privileged: true
 volumeMounts:
 - name: sys-fs-bpf
@@ -115,10 +112,6 @@ spec:
 command:
 - /cni-uninstall.sh
 securityContext:
- capabilities:
- add:
- - NET_ADMIN
- - SYS_MODULE
 privileged: true
 livenessProbe:
 exec:
diff --git a/resources/cilium/deployment.yaml b/resources/cilium/deployment.yaml
index 5230389..7cee15a 100644
--- a/resources/cilium/deployment.yaml
+++ b/resources/cilium/deployment.yaml
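Review bot: `agent-health-port: "9876"` arrives in the Health stanza without the comment it carried before the move (the removed line documented it as the port behind the TCP liveness/readiness probes), and `enable-health-check-nodeport: "true"` is likewise undocumented. Suggested comments: `# TCP port of the agent health server, targeted by the agent liveness/readiness probes` above the first, and `# Serve the kube-proxy style healthCheckNodePort for services with externalTrafficPolicy=Local` above the second. Both settings imply a listener on every node, so recording what each one serves helps whoever audits host-exposed ports later.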
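Review bot: `enable-l2-neigh-discovery: "true"` and `enable-k8s-terminating-endpoint: "true"` are added with no comment, unlike nearly every other key in this ConfigMap, and the removed `# enable-l7-proxy: "false"` placeholder leaves no pointer to where that option is now set (it appears earlier in the file in this same commit). Suggested comments, to be checked against `cilium-agent --help` for this version because the diff itself does not show what either flag controls: `# Agent resolves L2 neighbor entries for peer nodes itself (used by the BPF datapath)` and `# Honour the Terminating condition on EndpointSlices so draining pods leave service backends early`. Flipping both to `"true"` without a note also makes it hard to tell later whether they were deliberate choices or copied from upstream defaults.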
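Review bot: `sh -ec` makes the inline agent-container script stop at the first failing command, which is the right default, but `-e` does not fire for a failure on the left side of a pipe or inside `$(...)`, and this is plain `sh`, so `set -o pipefail` is not available. The script body continues past the hunk; if any step uses a pipeline, check that step's status explicitly, e.g. `cp "$src" "$dst" || exit 1`, rather than relying on `-e` alone. A one-line comment next to the flag, such as `# -e: fail the container if any install step fails instead of starting a half-installed agent`, would make the intent visible to the next reader.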
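Review bot: Dropping the `capabilities.add` lists is only correct because `privileged: true` stays in place — a privileged container already holds every capability, so the removed `NET_ADMIN`/`SYS_MODULE` entries were no-ops here, and the same holds for the `NET_ADMIN` entry removed from the other init container in this file. The cost is that the manifest no longer records which capabilities the scripts actually need, which is exactly the list required to drop `privileged` later; consider keeping that knowledge as a comment, e.g. `# privileged: required by cni-uninstall.sh (previously listed NET_ADMIN and SYS_MODULE; confirm the full set before removing privileged)`. The container definition starts above the hunk, and I am inferring the script's needs from the removed capability list rather than from the script itself.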
@@ -82,4 +82,3 @@ spec:
 - name: config
 configMap:
 name: cilium
-
diff --git a/variables.tf b/variables.tf
index 6ecad1d..e9413eb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -62,8 +62,8 @@ variable "container_images" {
 default = {
 calico = "quay.io/calico/node:v3.21.2"
 calico_cni = "quay.io/calico/cni:v3.21.2"
- cilium_agent = "quay.io/cilium/cilium:v1.10.5"
- cilium_operator = "quay.io/cilium/operator-generic:v1.10.5"
+ cilium_agent = "quay.io/cilium/cilium:v1.11.0"
+ cilium_operator = "quay.io/cilium/operator-generic:v1.11.0"
 coredns = "k8s.gcr.io/coredns/coredns:v1.8.6"
 flannel = "quay.io/coreos/flannel:v0.15.1"
 flannel_cni = "quay.io/poseidon/flannel-cni:v0.4.2"