diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9029e71..b10e0a0 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -47,7 +47,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
 - name: Ensure SHA pinned actions
- uses: zgosalvez/github-actions-ensure-sha-pinned-actions@2f2ebc6d914ab515939dc13f570f91baeb2c194c # 3.0.6
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@74606c30450304eee8660aae751818321754feb1 # 3.0.9
 with:
 allowlist: |
 aws-actions/
diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml
index 909746d..01b1fe9 100644
--- a/inventory/sample/group_vars/all.yml
+++ b/inventory/sample/group_vars/all.yml
@@ -1,5 +1,5 @@
 ---
-k3s_version: v1.29.2+k3s1
+k3s_version: v1.30.2+k3s2
 # this is the user that has ssh access to these machines
 ansible_user: ansibleuser
 systemd_dir: /etc/systemd/system
@@ -13,13 +13,13 @@ flannel_iface: "eth0"
 # uncomment calico_iface to use tigera operator/calico cni instead of flannel https://docs.tigera.io/calico/latest/about
 # calico_iface: "eth0"
 calico_ebpf: false # use eBPF dataplane instead of iptables
-calico_tag: "v3.27.2" # calico version tag
+calico_tag: "v3.28.0" # calico version tag
 # uncomment cilium_iface to use cilium cni instead of flannel or calico
 # ensure v4.19.57, v5.1.16, v5.2.0 or more recent kernel
 # cilium_iface: "eth0"
 cilium_mode: "native" # native when nodes on same subnet or using bgp, else set routed
-cilium_tag: "v1.15.2" # cilium version tag
+cilium_tag: "v1.16.0" # cilium version tag
 cilium_hubble: true # enable hubble observability relay and ui
 # if using calico or cilium, you may specify the cluster pod cidr pool
@@ -72,7 +72,7 @@ extra_agent_args: >-
 {{ extra_args }}
 # image tag for kube-vip
-kube_vip_tag_version: "v0.7.2"
+kube_vip_tag_version: "v0.8.2"
 # tag for kube-vip-cloud-provider manifest
 # kube_vip_cloud_provider_tag_version: "main"
@@ -93,8 +93,8 @@ metal_lb_mode: "layer2"
 # metal_lb_bgp_peer_address: "192.168.30.1"
 # image tag for metal lb
-metal_lb_speaker_tag_version: "v0.14.3"
-metal_lb_controller_tag_version: "v0.14.3"
+metal_lb_speaker_tag_version: "v0.14.8"
+metal_lb_controller_tag_version: "v0.14.8"
 # metallb ip range for load balancer
 metal_lb_ip_range: "192.168.30.80-192.168.30.90"
diff --git a/molecule/cilium/overrides.yml b/molecule/cilium/overrides.yml
index 0b73920..9d25fc4 100644
--- a/molecule/cilium/overrides.yml
+++ b/molecule/cilium/overrides.yml
@@ -6,7 +6,7 @@
 ansible.builtin.set_fact:
 # See:
 # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
- cilium_iface: eth1
+ cilium_iface: eth0
 # The test VMs might be a bit slow, so we give them more time to join the cluster:
 retry_count: 45
diff --git a/requirements.txt b/requirements.txt
index 998a02d..079e561 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,7 +6,7 @@
 #
 ansible-compat==4.1.11
 # via molecule
-ansible-core==2.17.0
+ansible-core==2.16.6
 # via
 # -r requirements.in
 # ansible-compat
diff --git a/roles/k3s_server_post/tasks/cilium.yml b/roles/k3s_server_post/tasks/cilium.yml
index 41c181c..7be937f 100644
--- a/roles/k3s_server_post/tasks/cilium.yml
+++ b/roles/k3s_server_post/tasks/cilium.yml
@@ -221,10 +221,9 @@
 - name: Configure Cilium BGP
 when: cilium_bgp
 block:
-
 - name: Copy BGP manifests to first master
 ansible.builtin.template:
- src: "cilium.crs.j2"
+ src: "cilium-bgp.crs.j2"
 dest: /tmp/k3s/cilium-bgp.yaml
 owner: root
 group: root
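Review bot: The `# See:` comment kept above `cilium_iface: eth0` still cites the flannel Vagrant troubleshooting page, which as far as that page goes is the justification for the old `eth1` value, so the comment now contradicts the setting it annotates. Either drop the link or replace it with a one-line reason for `eth0`, e.g. `# molecule VMs carry cluster traffic on eth0 (not the eth1 flannel's Vagrant note assumes)` — confirm the interface against the molecule platform definition before settling on that wording. The `ansible.builtin.set_fact` this key belongs to starts outside the hunk.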
@@ -247,6 +246,37 @@
 ansible.builtin.command: "{{ item }}"
 loop:
 - k3s kubectl get CiliumBGPPeeringPolicy.cilium.io
+ changed_when: false
+ loop_control:
+ label: "{{ item }}"
+
+ - name: Configure Cilium Load Balancer
+ when: cilium_iface
+ block:
+ - name: Copy Load Balancer manifests to first master
+ ansible.builtin.template:
+ src: "cilium-lb.crs.j2"
+ dest: /tmp/k3s/cilium-lb.yaml
+ owner: root
+ group: root
+ mode: 0755
+
+ - name: Apply LB manifests
+ ansible.builtin.command:
+ cmd: kubectl apply -f /tmp/k3s/cilium-lb.yaml
+ register: apply_cr
+ changed_when: "'configured' in apply_cr.stdout or 'created' in apply_cr.stdout"
+ failed_when: "'is invalid' in apply_cr.stderr"
+ ignore_errors: true
+
+ - name: Print error message if LB manifests application fails
+ ansible.builtin.debug:
+ msg: "{{ apply_cr.stderr }}"
+ when: "'is invalid' in apply_cr.stderr"
+
+ - name: Test for LB config resources
+ ansible.builtin.command: "{{ item }}"
+ loop:
 - k3s kubectl get CiliumLoadBalancerIPPool.cilium.io
 changed_when: false
 loop_control:
diff --git a/roles/k3s_server_post/tasks/metallb.yml b/roles/k3s_server_post/tasks/metallb.yml
index 07a23b0..7699fb4 100644
--- a/roles/k3s_server_post/tasks/metallb.yml
+++ b/roles/k3s_server_post/tasks/metallb.yml
@@ -83,9 +83,23 @@
 loop_control:
 label: "{{ item.description }}"
+- name: Set metallb webhook service name
+ set_fact:
+ metallb_webhook_service_name: >-
+ {{
+ (
+ (metal_lb_controller_tag_version | regex_replace('^v', ''))
+ is
+ version('0.14.4', '<', version_type='semver')
+ ) | ternary(
+ 'webhook-service',
+ 'metallb-webhook-service'
+ )
+ }}
+
 - name: Test metallb-system webhook-service endpoint
 command: >-
- k3s kubectl -n metallb-system get endpoints webhook-service
+ k3s kubectl -n metallb-system get endpoints {{ metallb_webhook_service_name }}
 changed_when: false
 with_items: "{{ groups[group_name_master | default('master')] }}"
 run_once: true
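Review bot: The new `Apply LB manifests` task cannot fail: `failed_when` fires only on the literal `is invalid` in stderr, and `ignore_errors: true` then suppresses even that case, so a non-zero exit from `kubectl apply` for any other reason (API server unreachable, `CiliumLoadBalancerIPPool` CRD not yet registered, `kubectl` not on PATH) is accepted silently and surfaces, if at all, only in the `Test for LB config resources` loop. Unless continuing with an unapplied pool is intended, replace the pair with `failed_when: apply_cr.rc != 0` and drop `ignore_errors: true`, keeping the debug task for the `is invalid` case; the command should also read `cmd: k3s kubectl apply -f /tmp/k3s/cilium-lb.yaml`, matching the `k3s kubectl` form used by the test step two tasks below and by metallb.yml. The rendered manifest is data rather than a script, so `mode: 0755` should become `mode: "0644"` (quoted so YAML does not re-type the octal). The block is gated on `cilium_iface` but the template it renders reads `cilium_bgp_lb_cidr`; if that variable is only set for BGP deployments, adding `cilium_bgp_lb_cidr is defined` to the block's `when` avoids a templating failure for the non-BGP case — worth confirming against the role defaults. The `Configure Cilium BGP` block this hunk begins in, and the `Test for LB config resources` task it ends in, both extend outside the hunk.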
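Review bot: The `0.14.4` cut-over in the new `Set metallb webhook service name` task is an unexplained magic version, and `version_type='semver'` makes the `is version(...)` test raise for any `metal_lb_controller_tag_version` that is not strict semver (a branch name or bare commit), turning what used to be a late endpoint-check failure into a templating error at this task. Add a comment above the task stating what the ternary already assumes, e.g. `# metallb >= 0.14.4 exposes its webhook Service as metallb-webhook-service (older: webhook-service); controller tag must be vX.Y.Z`. `set_fact` is written without the `ansible.builtin.` prefix that cilium.yml uses, though that does match the bare `command:` already in this file. The `loop_control:` the hunk opens on belongs to a task that starts outside the hunk.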
diff --git a/roles/k3s_server_post/templates/cilium.crs.j2 b/roles/k3s_server_post/templates/cilium-bgp.crs.j2
similarity index 70%
rename from roles/k3s_server_post/templates/cilium.crs.j2
rename to roles/k3s_server_post/templates/cilium-bgp.crs.j2
index 5745a3b..6deda22 100644
--- a/roles/k3s_server_post/templates/cilium.crs.j2
+++ b/roles/k3s_server_post/templates/cilium-bgp.crs.j2
@@ -19,16 +19,3 @@ spec: # CiliumBGPPeeringPolicySpec
 serviceSelector:
 matchExpressions:
 - {key: somekey, operator: NotIn, values: ['never-used-value']}
----
-apiVersion: "cilium.io/v2alpha1"
-kind: CiliumLoadBalancerIPPool
-metadata:
- name: "01-lb-pool"
-spec:
- blocks:
-{% if "/" in cilium_bgp_lb_cidr %}
- - cidr: {{ cilium_bgp_lb_cidr }}
-{% else %}
- - start: {{ cilium_bgp_lb_cidr.split('-')[0] }}
- stop: {{ cilium_bgp_lb_cidr.split('-')[1] }}
-{% endif %}
diff --git a/roles/k3s_server_post/templates/cilium-lb.crs.j2 b/roles/k3s_server_post/templates/cilium-lb.crs.j2
new file mode 100644
index 0000000..b8dc5a3
--- /dev/null
+++ b/roles/k3s_server_post/templates/cilium-lb.crs.j2
@@ -0,0 +1,13 @@
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+ name: "01-lb-pool"
+spec:
+ blocks:
+{% if "/" in cilium_bgp_lb_cidr %}
+ - cidr: {{ cilium_bgp_lb_cidr }}
+{% else %}
+ - start: {{ cilium_bgp_lb_cidr.split('-')[0] }}
+ stop: {{ cilium_bgp_lb_cidr.split('-')[1] }}
+{% endif %}
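Review bot: `cilium_bgp_lb_cidr.split('-')[1]` in the `{% else %}` branch of the new cilium-lb.crs.j2 raises an opaque Jinja index error whenever the variable contains neither `/` nor `-` (a single address, a typo), and an empty expansion of `{{ cilium_bgp_lb_cidr }}` renders `cidr:` as YAML null rather than failing. Document the accepted forms at the top of the file, e.g. `{# cilium_bgp_lb_cidr: a CIDR ("10.0.0.0/24") or an inclusive range "10.0.0.10-10.0.0.20"; anything else fails at split('-')[1] #}`, and quote the templated scalars (`- cidr: "{{ cilium_bgp_lb_cidr }}"`, likewise `start`/`stop`) so the pool manifest stays a string on an empty value. Validating the value with an `ansible.builtin.assert` before the template task would give a readable error, but that belongs in cilium.yml, outside this hunk. Now that the pool is rendered independently of BGP (the rename hunk above removes it from the BGP template), the `cilium_bgp_` prefix on the variable is misleading; if it is renamed, keep the old name as a fallback so existing inventories keep working.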