📋 Recommended Actions
✅ No Immediate Action Required
Upgrade recommended for improved stability and corrected behavior, especially for users of Istio Gateway API and mixed IPv4/IPv6 environments.
📝 Summary
Istio 1.26.4 is here, delivering essential bug fixes and stability enhancements for your service mesh deployments. This patch release addresses a critical istio-iptables issue that previously ignored IPv4 state in mixed environments, ensuring more robust traffic interception for all users. We’ve also resolved a significant bug in the tag watcher, which now correctly handles defaultRevision logic, leading to more reliable Kubernetes Gateway programming. This means your gateways will function as expected without unexpected configuration discrepancies. For HTTP/1.x traffic, a subtle but important fix prevents PreserveHttp1HeaderCase from overriding other vital protocol options, maintaining precise control over your traffic. Additionally, we’ve updated the Gateway Helm chart schema to ensure full compatibility with Helm v3.18.5 and beyond, smoothing out installation processes. Numerous dependency updates, including Kubernetes client libraries, further bolster the mesh’s foundational stability. This release focuses on refining existing functionality and ensuring a more predictable and stable Istio experience.
🐛 Critical iptables Fix: Accurate IPv4/IPv6 State Verification
A critical bug in istio-iptables has been squashed, ensuring the sidecar’s traffic interception logic correctly accounts for both IPv4 and IPv6 network states. Previously, in certain mixed network environments, the VerifyIptablesState function could incorrectly prioritize IPv6 state, potentially overlooking crucial IPv4 configurations and leading to unexpected traffic routing issues. This fix guarantees that istio-iptables now performs a thorough, independent verification for each IP family, resulting in more reliable and consistent traffic capture.
The VerifyIptablesState function has been refactored to independently evaluate and aggregate results for IPv4 and IPv6 states. This prevents one IP family’s state from inadvertently overshadowing or misrepresenting the other’s status. The updated logic robustly checks for residues and deltas across both configurations, providing a more accurate assessment of the iptables setup.
Source:
tools/istio-iptables/pkg/capture/helper.go (49-218), tools/istio-iptables/pkg/capture/run_linux_test.go (202-390), releasenotes/notes/56626.yaml (1-8)
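The failure mode and the per-family aggregation described above, as an added Go sketch that is not Istio's code. The type, function names, sample rule text and the OR aggregation rule are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// FamilyState is one IP family's result (hypothetical type, not Istio's own).
type FamilyState struct{ Residue, Delta bool }
// Constructed samples: expected rules, IPv4 missing one rule, IPv6 intact.
var Expected = []string{
	"-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001",
	"-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006",
}
var V4Drifted, V6Intact = Expected[0], Expected[0] + "\n" + Expected[1]

// CheckFamily compares iptables-save style output with the expected rules.
func CheckFamily(current string, expected []string) FamilyState {
	have := map[string]bool{}
	for _, line := range strings.Split(current, "\n") {
		if line = strings.TrimSpace(line); strings.HasPrefix(line, "-A ISTIO_") {
			have[line] = true
		}
	}
	st := FamilyState{Residue: len(have) > 0}
	for _, want := range expected {
		st.Delta = st.Delta || !have[want] // an expected rule is missing
		delete(have, want)
	}
	st.Delta = st.Delta || len(have) > 0 // unexpected extra ISTIO_* rules
	return st
}

// VerifyLastWins models the failure mode: the IPv6 result replaces IPv4's.
func VerifyLastWins(v4, v6 FamilyState) (residue, delta bool) {
	residue, delta = v4.Residue, v4.Delta
	residue, delta = v6.Residue, v6.Delta // overwrites the IPv4 result
	return residue, delta
}

// VerifyEachFamily ORs the two results (aggregation rule assumed here).
func VerifyEachFamily(v4, v6 FamilyState) (residue, delta bool) {
	return v4.Residue || v6.Residue, v4.Delta || v6.Delta
}

func main() {
	v4, v6 := CheckFamily(V4Drifted, Expected), CheckFamily(V6Intact, Expected)
	fmt.Println(VerifyLastWins(v4, v6))
	fmt.Println(VerifyEachFamily(v4, v6))
}
```

With the constructed input, the last-wins variant reports no delta although the IPv4 inbound redirect is missing, which is the condition under which inbound IPv4 traffic would not be captured by the sidecar.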
✨ Enhanced Gateway Stability: Correct Default Revision Handling
Istio’s control plane stability gets a boost with a fix to the tagWatcher logic. This update ensures that the mesh correctly identifies and programs Kubernetes Gateways when using defaultRevision. Previously, a mismatch in how explicit default tags and the defaultRevision webhook configuration were interpreted could lead to scenarios where Kubernetes Gateways weren’t properly configured or reconciled. This improvement tightens the integration, ensuring your Gateway deployments are consistently managed by the correct Istio revision.
The tagWatcher now intelligently considers both explicit namespace labels (like istio.io/rev=default) and the defaultRevision specified in the validating webhook configuration. This prevents misinterpretations where a ‘default’ tag might be absent but a default revision is active. For example, a new test verifies that Gateway API resources are correctly handled even when defaultRevision is specified:
func TestRevisionedInstall(t *testing.T) {
	// Install with a named revision that is also the default revision.
	values := map[string]interface{}{
		"global":          map[string]interface{}{},
		"defaultRevision": "testrev",
		"revision":        "testrev",
	}
	revision := "testrev"
	framework.
		NewTest(t).
		Run(baseSetup(values, false, DefaultNamespaceConfig, func(t framework.TestContext) {
			crd.DeployGatewayAPI(t)
			sampleGateway := `
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: sample
  namespace: default
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    protocol: HTTP
    port: 80
`
			t.ConfigIstio().Eval("default", nil, fmt.Sprint(sampleGateway)).ApplyOrFail(t)
			// Select the pod created for the "sample" Gateway.
			selector := klabels.NewSelector()
			req, _ := klabels.NewRequirement(label.IoK8sNetworkingGatewayGatewayName.Name, selection.Equals, []string{"sample"})
			// Selector.Add returns a new selector, so keep the result.
			selector = selector.Add(*req)
			VerifyPodReady(t, t.Clusters().Default(), "default", selector.String())
			if !t.Settings().NoCleanup {
				t.ConfigIstio().Eval("default", nil, fmt.Sprint(sampleGateway)).DeleteOrFail(t)
			}
		}, revision))
}
Source:
pkg/revisions/tag_watcher.go (25-149), tests/integration/helm/install_test.go (44-71), releasenotes/notes/56767.yaml (1-8)
🚦 Traffic Management Precision: Preserve HTTP Header Case Fix
For services handling HTTP/1.x traffic, this release delivers a fine-grained fix that ensures more predictable behavior when using the PreserveHttp1HeaderCase option. Previously, enabling this setting could inadvertently override other critical Http1ProtocolOptions, such as AcceptHttp_10 support. Now, the configuration correctly applies only the header case preservation, leaving other HTTP/1.x settings untouched and allowing for precise control over your traffic protocols.
The buildHTTPConnectionManager function has been updated to specifically modify only the HeaderKeyFormat within Http1ProtocolOptions when PreserveHttp1HeaderCase is enabled. This prevents unintended side effects on other HTTP/1.x protocol settings:
// Preserve HTTP/1.x traffic header case
if lb.node.Metadata.ProxyConfigOrDefault(lb.push.Mesh.GetDefaultConfig()).GetProxyHeaders().GetPreserveHttp1HeaderCase().GetValue() {
	// This value only affects HTTP/1.x traffic
	if connectionManager.HttpProtocolOptions == nil {
		connectionManager.HttpProtocolOptions = &core.Http1ProtocolOptions{}
	}
	connectionManager.HttpProtocolOptions.HeaderKeyFormat = preserveCaseFormatterConfig.HeaderKeyFormat
}
Source:
pilot/pkg/networking/core/listener_builder.go (322-325), pilot/pkg/networking/core/listener_builder_test.go (984-1033), releasenotes/notes/57528.yaml (1-8)
🔧 Helm Chart Compatibility: Gateway Schema Updates
Installing Istio’s Gateway using Helm is now more robust, especially with newer Helm versions. This release includes updates to the Gateway Helm chart’s JSON schema to ensure compatibility with stricter validators introduced in Helm v3.18.5. This prevents potential installation failures and ensures a smoother deployment experience, along with laying groundwork for future configuration options by expanding the schema.
The values.schema.json for the Gateway chart has been updated to comply with the validation requirements of newer Helm versions. This also includes the addition of new fields like _internal_defaults_do_not_set, envVarFrom, defaultRevision, profile, platform, pilot, initContainers, and additionalContainers to allow for more flexible and future-proof configuration of Gateway deployments.
{
  "$schema": "http://json-schema.org/schema#",
  "$defs": {
    "values": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "_internal_defaults_do_not_set": {
          "type": "object"
        },
        "global": {
          "type": "object"
        },
        "envVarFrom": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "name": { "type": "string" },
              "valueFrom": { "type": "object" }
            }
          }
        },
        // ... other properties ...
        "revision": {
          "type": "string"
        },
        "defaultRevision": {
          "type": "string"
        },
        "compatibilityVersion": {
          "type": "string"
        },
        "profile": {
          "type": "string"
        },
        "platform": {
          "type": "string"
        },
        "pilot": {
          "type": "object"
        },
        // ... other properties ...
        "initContainers": {
          "type": "array",
          "items": { "type": "object" }
        },
        "additionalContainers": {
          "type": "array",
          "items": { "type": "object" }
        },
        // ... rest of the schema ...
      }
    }
  }
}
Source:
Minor Updates & Housekeeping
This release incorporates various dependency updates, including bumps to kubernetes.io/api (v0.32.3 to v0.33.3) and helm.sh/helm/v3 (v3.17.3 to v3.18.5), alongside internal updates to Proxy and Ztunnel components, and build-tool image versions. Several legacy license files for removed dependencies have also been cleaned up.