๐Ÿ“‹ Recommended Actions

โœ… No Immediate Action Required
No immediate action required. Review these updates to better support your users, especially regarding Gateway API status improvements and Ambient mesh enhancements.

๐Ÿ“ Summary

Istio 1.26.3 rolls out important stability and compatibility enhancements across the mesh. This patch release brings significant improvements to Gateway API status reporting, ensuring more reliable and deterministic updates for HTTPRoute resources, even in multi-controller environments. Operations engineers will appreciate the increased clarity and robustness here, simplifying Gateway API management. For Ambient mesh users, this release is critical. It fixes an edge case in CNI pod deletion, preventing orphaned entries in ztunnel and boosts multi-revision deployments with revision-aware configuration filtering for Ambient waypoints. This ensures policies like AuthorizationPolicy are correctly applied based on the Istio revision. Additionally, OpenShift users gain better TProxy compatibility through automated privileged SCC assignment for test environments, addressing a key platform-specific challenge. Internal fixes in Pilot’s telemetry reinitialization and status worker pools further enhance control plane stability. These targeted updates ensure a more resilient and predictable Istio experience for both traditional and Ambient mesh deployments.

โœจ Improved Gateway API Status Management

To enhance the reliability and clarity of Gateway API deployments, Istio 1.26.3 delivers crucial updates to how HTTPRoute status conditions are reported. This refinement ensures more deterministic and stable status updates, particularly in complex scenarios involving multiple gateway controllers. Users will now experience a more consistent and predictable view of their route configurations, simplifying troubleshooting and operational oversight.

The createRouteStatus function, central to HTTPRoute status generation, has been refactored. It now precisely identifies and manages RouteParentStatus entries owned by Istio’s controller (istio.io/gateway-controller) while carefully preserving status reported by other controllers. This update also stabilizes the ordering of parent references in the status output and introduces a mechanism to prune stale Istio-owned references, preventing lingering entries from inactive configurations. Additionally, the parentRefString helper function now defaults empty Group, Kind, and Namespace fields to standard Kubernetes Gateway API values, improving consistency. For development and testing workflows, a new AllowCRDsMismatch flag has been added to Gateway conformance tests, enabling them to run even when pre-installed Gateway API CRDs differ from the current version.

func createRouteStatus(
	parentResults []RouteParentResult,
	objectNamespace string,
	generation int64,
	currentParents []k8s.RouteParentStatus,
) []k8s.RouteParentStatus {
	// ... existing logic ...

	// new FilterInPlaceByIndex helper
	parents = FilterInPlaceByIndex(parents, func(i int) bool {
		_, f := toDelete[i]
		return !f
	})

	// ... rest of the function ...
}

// New GatewayConformanceAllowCRDsMismatch flag
flag.BoolVar(
	&settingsFromCommandLine.GatewayConformanceAllowCRDsMismatch,
	"istio.test.GatewayConformanceAllowCRDsMismatch",
	settingsFromCommandLine.GatewayConformanceAllowCRDsMismatch,
	"If set, gateway conformance tests will run even if the environment has pre-installed Gateway API CRDs that differ from the current Gateway API version.",
)

Source:

  • pilot/pkg/config/kube/gateway/conditions.go (42-181, 376-410)
  • pilot/pkg/config/kube/gateway/conversion.go (729-732, 2000-2007)
  • pilot/pkg/config/kube/gateway/route_collections.go (471)
  • pkg/test/framework/resource/flags.go (223-228)
  • pkg/test/framework/resource/settings.go (185-187, 268)
  • tests/integration/pilot/gateway_conformance_test.go (140-143)

๐Ÿš€ Ambient Mesh Stability & Configuration Filtering

Istio’s Ambient mesh continues to evolve, and this release focuses on bolstering its stability and multi-revision deployment capabilities. A critical CNI fix addresses an edge case in pod deletion, ensuring ztunnel remains healthy, while the introduction of revision-aware configuration filtering means your Ambient waypoints will now process only policies relevant to their specific Istio version. This ensures a more robust and predictable Ambient experience, especially in environments with rolling updates or canary deployments.

Two key areas see improvement for Ambient mesh:

  • CNI Pod Deletion Fix: An issue where the CNI might fail to remove pods from ztunnel’s internal snapshot during deletion, especially for partially enrolled or redirection-enabled pods, has been resolved. This fix prevents ztunnel from getting stuck in an unresponsive state by ensuring that all relevant pod states are cleaned up correctly upon deletion.

  • Revision-Aware Config Filtering: The Ambient index (ambientindex.go) now applies a crucial revision filter to various configurations, including AuthorizationPolicy, PeerAuthentication, ServiceEntry, and WorkloadEntry resources. This filter (a.inRevision) ensures that an Ambient waypoint proxy only considers configurations explicitly labeled with its Istio revision. This is vital for managing policies and traffic routing in multi-revision Istio deployments, where different control plane versions might coexist.

// In cni/pkg/nodeagent/informers.go
if util.PodFullyEnrolled(latestEventPod) || \
	util.PodPartiallyEnrolled(latestEventPod) || \
	util.PodRedirectionEnabled(ns, latestEventPod) {
	log.Debugf("pod is deleted and was or should be captured, removing from ztunnel")
	if err := s.dataplane.RemovePodFromMesh(s.ctx, latestEventPod, true); err != nil {
		// ... error handling ...
	}
}

// In pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex.go
configFilter := kclient.Filter{
	ObjectFilter: kubetypes.ComposeFilters(options.Client.ObjectFilter(), a.inRevision),
}

authzPolicies := kclient.NewDelayedInformer[*securityclient.AuthorizationPolicy](options.Client,
	gvr.AuthorizationPolicy, kubetypes.StandardInformer, configFilter)
// ... similar for PeerAuthentication, ServiceEntry, WorkloadEntry

func (a *index) inRevision(obj any) bool {
	object := controllers.ExtractObject(obj)
	if object == nil {
		return false
	}
	result := config.LabelsInRevision(object.GetLabels(), a.revision)
	return result
}

Source:

๐Ÿ” Enhanced ClusterTrustBundle Integration

Leveraging Kubernetes’ native ClusterTrustBundle API is now more flexible and robust for Istio users. This release enhances how root certificates are managed and distributed within the mesh, moving towards a more native and secure approach for handling trust anchors. This means easier and more consistent root certificate deployment across your Istio components.

The templating for clusterTrustBundle volume projections in the gateway-injection-template.yaml, grpc-agent.yaml, and injection-template.yaml files has been updated. The name field now dynamically uses {{ .Values.global.trustBundleName | default "root-cert" }}, allowing the ClusterTrustBundle resource name to be configured via Helm values. This provides greater deployment flexibility and standardization. Furthermore, the clusterrole.yaml for istio-discovery has been updated to include list, watch, and get verbs for certificates.k8s.io/clustertrustbundles. This ensures that Istiod possesses the necessary RBAC permissions to effectively interact with and manage ClusterTrustBundles within the Kubernetes API.

    projected:
      sources:
      - clusterTrustBundle:
          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
          path: root-cert.pem

# In clusterrole.yaml
  - apiGroups: ["certificates.k8s.io"]
    resources: ["clustertrustbundles"]
    verbs: ["update", "create", "delete", "list", "watch", "get"]

Source:

  • manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml (235-236)
  • manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml (286-287)
  • manifests/charts/istio-control/istio-discovery/files/injection-template.yaml (494-495)
  • manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml (120-121)
  • releasenotes/notes/cluster-trust-bundle.yaml (1-6)

โš™๏ธ OpenShift TProxy Service Account Enhancements

For users deploying Istio on OpenShift, this release brings targeted improvements to ensure the tproxy service account operates smoothly. By explicitly assigning the privileged Security Context Constraint (SCC) to TProxy service accounts within the test framework, we’re laying the groundwork for more reliable and consistent TProxy functionality in OpenShift environments. This helps to bypass common permission restrictions that can hinder TProxy’s operation.

A new ClusterRoleBinding template has been introduced within pkg/test/framework/components/echo/kube/templates/service.yaml. This binding is conditionally applied on OpenShift clusters when the tproxy service is deployed. Its purpose is to assign the system:openshift:scc:privileged ClusterRole to the service account associated with the TProxy service. This grants the necessary elevated permissions required for TProxy to function correctly on OpenShift, where default security policies are often more restrictive. This change primarily targets test environments but highlights a path forward for production deployments to ensure TProxy compatibility.

{{- if (and .OpenShift (eq .Service "tproxy")) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: privileged-scc-{{ .Service }}-{{ .Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:privileged
subjects:
- kind: ServiceAccount
  name: {{ .Service }}
  namespace: {{ .Namespace }}
---
{{- end }}

Source:

  • pkg/test/framework/components/echo/kube/templates/service.yaml (4-21)
  • pkg/test/framework/components/echo/kube/templates/deployment.yaml (76-78)
  • pkg/test/framework/components/echo/kube/deployment.go (395)
  • pkg/test/framework/components/echo/deployment/builder.go (311)

๐Ÿ› Pilot Telemetry and Status System Robustness

This release brings critical internal fixes to Pilot’s telemetry and status update mechanisms, significantly enhancing the control plane’s overall stability and reliability. These behind-the-scenes improvements address potential issues that could lead to stale data or unnecessary resource consumption, ensuring that your Istio deployment remains responsive and accurate.

Two key areas have been targeted for robustness improvements:

  • Telemetry Reinitialization: Pilot’s PushContext now intelligently triggers telemetry reinitialization not only when telemetry configuration itself changes but also when services referenced by telemetry resources are updated. This resolves a bug where access logs might become stale if a service that a Telemetry resource depends on was created or modified after the Telemetry resource itself was processed.

  • Status Worker Pool Fix: A regression fix addresses a potential busy-loop in the status worker pool (resourcelock.go). Previously, if the queue of items to process became empty while workers were still active, the worker pool could enter an inefficient loop attempting to pop non-existent targets. The corrected logic ensures that workers correctly cease processing when no work is available, preventing unnecessary CPU utilization and improving system efficiency.

// In pilot/pkg/model/push_context.go
if telemetryChanged || servicesChanged {
	// TODO: find a way to avoid reinitializing telemetry
	// if the services are not related to telemetry provider.
	ps.initTelemetry(env)
} else {
	ps.Telemetry = oldPushContext.Telemetry
}

// In pilot/pkg/status/resourcelock.go
			if target == (Resource{}) {
				// could have been deleted, or could be no items in queue not currently worked on
				wp.lock.Unlock()
				return // Exit the loop when no work is available
			}

Source:

  • pilot/pkg/model/push_context.go (1457-1463)
  • releasenotes/notes/56827.yaml (1-8)
  • pilot/pkg/status/resourcelock.go (194-198)
  • pilot/pkg/status/resourcelock_test.go (18-64)

๐ŸŒ Enhanced Ingress Address Resolution for Integration Tests

To make integration tests more reliable and robust across diverse environments, this release includes an enhancement to how ingress addresses are resolved. This is particularly beneficial in test setups where ingress hostnames might take a moment to propagate via DNS, preventing test failures due to transient resolution issues. Your tests will now wait for full DNS resolution before proceeding, ensuring stability.

The getAddressesInner function within the ingress component has been updated to include an explicit DNS lookup for ingress hostnames. Before returning an address, the function now attempts net.LookupHost to resolve any provided hostnames. This introduces a waiting mechanism, ensuring that if the ingress is exposed via a DNS name, the system waits until that name is resolvable. If the address is already an IP, the DNS resolution step is skipped. This prevents test flakiness caused by eventual consistency in DNS propagation, making integration tests more deterministic.

// In pkg/test/framework/components/istio/ingress.go
// Check and wait for resolvable ingress DNS name. Skip if IP.
if err == nil && completed {
	// ... snipped for brevity ...
	host, _, splitErr := net.SplitHostPort(v)
	if splitErr != nil || net.ParseIP(host) != nil {
		// If address is malformed or is already an IP, skip DNS resolution
		return rawAddrs, completed, err
	}
	if _, lookupErr := net.LookupHost(host); lookupErr != nil {
		scopes.Framework.Infof("waiting for DNS to resolve for host %q", host)
		return nil, false, fmt.Errorf("the DNS for %q not ready: %v", host, lookupErr)
	}
}

Source:

  • pkg/test/framework/components/istio/ingress.go (96-141)
  • tests/integration/ambient/baseline_test.go (2123-2133, 2262-2272)

Minor Updates & Housekeeping

This patch release includes several dependency bumps, notably istio.io/api and istio.io/client-go to their 1.26.3 versions, along with updates to the PROXY_REPO_SHA and ZTUNNEL_REPO_SHA for internal components. The build tool images and Kind Kubernetes version have also been updated, and an internal assertion mechanism for the KRT collection has been added to aid development and debugging.