✅ No Immediate Action Required
No immediate action required. Review updates to better support your users.


πŸ“ Summary

Istio 1.27.4 delivers a targeted release focused on bolstering the stability and reliability of the control plane, particularly for Gateway API users and those with multi-revision deployments. This update resolves critical issues such as route resource status conflicts in multi-revision setups, preventing inconsistent states. Users leveraging the experimental XListenerSet will find TLS secret access fixed, ensuring secure gateway configurations. Furthermore, a crucial bug where HTTPS servers could impede HTTP route creation on the same port but different bind addresses has been eliminated, enabling more flexible deployments. Networking stack improvements include fixes for nftables TPROXY rules and faster CNI repair for better packet capture and pod readiness. These 10+ targeted fixes enhance overall operational predictability and resource management for Istio users, improving the robustness of your service mesh.


πŸ›‘οΈ Gateway API: Conflict Resolution and Improved Listener Behavior

This release significantly improves the robustness of Istio’s Gateway API implementation, addressing several nuanced issues that could lead to unexpected behavior or resource conflicts. Notably, a fix prevents route resource status conflicts in multi-revision Istio installations, ensuring that different control planes don’t overwrite each other’s status updates. Additionally, a long-standing issue where HTTPS servers processed first could prevent HTTP servers from creating routes on the same port but with different bind addresses has been resolved, granting greater flexibility in gateway configurations.

The RegisterStatus function now incorporates a check using tagWatcher.IsMine, ensuring that status updates for Gateway API resources like HTTPRoute are only applied by the owning Istio revision. This prevents status flapping and incorrect reporting in multi-revision environments. The gateway merging logic has been refactored with an addPlainTextServer helper, which correctly handles the coexistence of HTTP and HTTPS servers on the same port with distinct bind addresses.

# Example: HTTPRoute status in a multi-revision setup will now be correctly managed
status:
  parents:
  - conditions:
    - lastTransitionTime: fake
      message: Route was valid
      reason: Accepted
      status: "True"
      type: Accepted
    controllerName: istio.io/gateway-controller
    parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: test-gateway
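As an added illustration (not Istio's code) of the ownership check described above: each control plane answers IsMine from the object's istio.io/rev label, and RegisterStatus writes only for objects it owns, so one object gets exactly one writer. The label semantics, revision names and tag names are assumptions made for this example.

```go
package main

import "fmt"

// Added illustration, not Istio's code: a model of the ownership check the fix
// adds to RegisterStatus. Assumption: ownership follows the object's istio.io/rev
// label, which names a revision or a tag; an unlabeled object belongs to the
// revision named "default" or to whichever revision owns the "default" tag.
const RevisionLabel = "istio.io/rev"
// TagWatcher models one control plane: its revision and the tags pointing at it.
type TagWatcher struct {
	Revision string
	Tags     map[string]bool
}

// IsMine reports whether this control plane owns the labeled object.
func (w TagWatcher) IsMine(labels map[string]string) bool {
	rev := labels[RevisionLabel]
	if rev == "" {
		rev = "default"
	}
	return rev == w.Revision || w.Tags[rev]
}

// RegisterStatus returns the status this control plane would write, or "" when
// another revision owns the object and its status must be left alone.
func (w TagWatcher) RegisterStatus(labels map[string]string) string {
	if !w.IsMine(labels) {
		return ""
	}
	return "Accepted by " + w.Revision
}

// OwnersOf offers one object to every control plane and returns the revisions
// that wrote status for it; exactly one should, which is what stops flapping.
func OwnersOf(labels map[string]string, planes []TagWatcher) []string {
	var owners []string
	for _, p := range planes {
		if p.RegisterStatus(labels) != "" {
			owners = append(owners, p.Revision)
		}
	}
	return owners
}

func main() {
	planes := []TagWatcher{
		{Revision: "1-26-0", Tags: map[string]bool{"default": true}},
		{Revision: "1-27-4", Tags: map[string]bool{"canary": true}},
	}
	fmt.Println(OwnersOf(map[string]string{}, planes), OwnersOf(map[string]string{RevisionLabel: "canary"}, planes))
}
```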

Source:

  • pilot/pkg/status/collections.go (72-93)
  • tests/integration/pilot/revisions/revisions_test.go (134-192)
  • pilot/pkg/model/gateway.go (155-487)
  • pilot/pkg/model/gateway_test.go (367-463)
  • releasenotes/notes/57734.yaml (1-10)
  • releasenotes/notes/gateway-merging-https-first-bug-fix.yaml (1-10)

🤝 Cross-Namespace & Secret Management Enhancements

Working with Kubernetes Secrets and Gateway API resources across namespaces, particularly when using XListenerSet, is now more robust. This release fixes issues where XListenerSet resources might not properly access TLS secrets, and resolves collisions that could occur when referencing the same Kubernetes Secret using different naming conventions (e.g., secret-name vs. namespace/secret-name). These improvements ensure consistent and reliable secret consumption for your Istio-managed services.

The ListenerSet.ResourceName() method now returns a fully qualified namespaced name, ensuring uniqueness across different Kubernetes namespaces. Similarly, the SecretResource.Key() generation has been updated to include ResourceName, preventing caching conflicts in the SDS server when a secret is referenced in multiple ways. Furthermore, getDefaultName for service accounts now correctly extracts annotations from the parent Gateway object, addressing cross-namespace resolution issues for XListenerSet.

// Previously: returns just the name, causing collisions for same-named resources in different namespaces
// return config.NamespacedName(g.Config).Name

// Now: returns fully qualified name, ensuring uniqueness
return config.NamespacedName(g.Config).String()
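An added example, not Istio's own SDS code, of the caching collision the ResourceName change addresses: a cache keyed only by namespace and name serves the response built for the first spelling of a reference to a proxy that asked for the other spelling. The reference forms, the cache model and every name used are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)
// Added illustration, not Istio's code: why the SDS cache key has to include
// the reference as written (ResourceName). Assumptions: a reference is "name" or
// "namespace/name", and a cached response carries the resource name it was built for.
type SecretResource struct {
	Namespace    string // namespace the Secret is read from
	Name         string // Secret name
	ResourceName string // the reference exactly as the user wrote it
}

// ParseReference resolves ref relative to the owning object's namespace (constructed resolver).
func ParseReference(ref, ownerNamespace string) SecretResource {
	ns, name := ownerNamespace, ref
	if i := strings.IndexByte(ref, '/'); i >= 0 {
		ns, name = ref[:i], ref[i+1:]
	}
	return SecretResource{Namespace: ns, Name: name, ResourceName: ref}
}

// OldKey is the pre-fix key: identical for every spelling of the same Secret.
func (s SecretResource) OldKey() string { return "kubernetes://" + s.Namespace + "/" + s.Name }
// NewKey mirrors the fix: the spelling is part of the key, so each gets its own entry.
func (s SecretResource) NewKey() string { return s.OldKey() + "#" + s.ResourceName }
// Cache maps a key to the resource name of the response stored under it.
type Cache map[string]string

// Serve returns the resource name the proxy receives for s; anything other
// than s.ResourceName is a response the proxy did not ask for.
func (c Cache) Serve(s SecretResource, key func(SecretResource) string) string {
	k := key(s)
	if cached, ok := c[k]; ok {
		return cached
	}
	c[k] = s.ResourceName
	return s.ResourceName
}

func main() {
	short := ParseReference("tls-cert", "istio-ingress")
	long := ParseReference("istio-ingress/tls-cert", "istio-ingress")
	old, fixed := Cache{}, Cache{}
	old.Serve(short, SecretResource.OldKey)
	fixed.Serve(short, SecretResource.NewKey)
	fmt.Println(old.Serve(long, SecretResource.OldKey), fixed.Serve(long, SecretResource.NewKey))
}
```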

Source:

  • pilot/pkg/config/kube/gateway/gateway_collection.go (63-66, 164-167)
  • pilot/pkg/model/credentials/resource.go (61-61)
  • pilot/pkg/model/credentials/resource_test.go (170-227)
  • pilot/pkg/xds/sds_test.go (381-404)
  • releasenotes/notes/58146.yaml (1-9)
  • releasenotes/notes/xls-tls.yaml (1-6)

βš™οΈ NFTables TPROXY and CNI Repair Fixes

For users leveraging nftables for network packet capture, this release delivers an important fix for istio-init failures that occurred in TPROXY mode when the traffic.sidecar.istio.io/includeInboundPorts annotation was empty. This keeps sidecar injection stable even with default or minimal port configurations. Additionally, the CNI repair mechanism has been optimized, reducing the time it takes to find the process’s network namespace and thereby improving pod startup reliability.

The nftables builder in tools/istio-nftables (run.go, covered by nftables_builder_test.go) now handles rule insertion when the chain is empty or the requested index is out of bounds by converting those inserts into append operations. This prevents errors when includeInboundPorts is not specified. The CNI repair logic in cni/pkg/repair/netns_linux.go has been streamlined by switching from net.Interfaces() to net.InterfaceAddrs(), which is cheaper when only the IP addresses need to be compared.

# Before (example of potential failure with empty includeInboundPorts and TPROXY)
# istio-init might fail to set up network rules.

# After fix: `istio-init` will correctly configure nftables rules
# without error, even if the includeInboundPorts annotation is empty.
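An added model, not the istio-nftables builder itself, of the insert-to-append fallback described above: inserting at an index the chain does not have, including any index of an empty chain, becomes an append instead of an invalid insert. The chain name and rule expressions are constructed for the example.

```go
package main

import "fmt"

// Added illustration, not the istio-nftables builder itself: a model of the
// insert-to-append fallback. Assumption: nft rejects "insert rule ... index N"
// when N names a position the chain does not have, which includes every index
// of an empty chain, so the builder must append in those cases instead.
type ChainBuilder struct {
	rules map[string][]string // chain name -> rules in order
}

func NewChainBuilder() *ChainBuilder { return &ChainBuilder{rules: map[string][]string{}} }

// AppendRule adds rule at the end of chain.
func (b *ChainBuilder) AppendRule(chain, rule string) {
	b.rules[chain] = append(b.rules[chain], rule)
}

// InsertRuleAt puts rule in front of the rule currently at index. When the
// chain is empty or index is out of bounds the insert becomes an append; this
// is the path an empty includeInboundPorts annotation takes in TPROXY mode.
func (b *ChainBuilder) InsertRuleAt(chain string, index int, rule string) {
	existing := b.rules[chain]
	if len(existing) == 0 || index < 0 || index >= len(existing) {
		b.AppendRule(chain, rule)
		return
	}
	existing = append(existing, "")
	copy(existing[index+1:], existing[index:])
	existing[index] = rule
	b.rules[chain] = existing
}

// Rules returns the chain's rules in the order they would be emitted.
func (b *ChainBuilder) Rules(chain string) []string { return b.rules[chain] }

func main() {
	b := NewChainBuilder()
	// Constructed chain and rules: with no inbound ports there are no per-port
	// rules yet, so the TPROXY rule lands in an empty chain and must be appended.
	b.InsertRuleAt("ISTIO_INBOUND", 1, "meta l4proto tcp tproxy to :15006")
	b.AppendRule("ISTIO_INBOUND", "tcp dport 15008 return")
	b.InsertRuleAt("ISTIO_INBOUND", 0, "tcp dport 22 return")
	fmt.Println(b.Rules("ISTIO_INBOUND"))
}
```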

Source:

  • tools/istio-nftables/pkg/builder/nftables_builder_test.go (52-57)
  • tools/istio-nftables/pkg/capture/run.go (819-824)
  • tools/istio-nftables/pkg/capture/run_test.go (165-171)
  • tools/istio-nftables/pkg/capture/testdata/inbound-ports-empty-tproxy.golden (1-32)
  • releasenotes/notes/58135.yaml (1-8)
  • cni/pkg/repair/netns_linux.go (47-66)

🚀 Core Control Plane Reliability Improvements

This release includes several fixes aimed at enhancing the overall reliability and resource management of the Istio control plane. A significant improvement to leader election ensures greater stability in Lease mode, which is crucial for high-availability deployments. Additionally, various resource cleanup mechanisms have been implemented across multicluster setups and CRD watchers to prevent goroutine leaks and reduce memory footprint over time. EnvoyFilter matching for GatewayClass in the root namespace is also now correctly applied, ensuring consistent policy enforcement.

The LeaseLock implementation for leader election now explicitly manages a LeaseHolderKey annotation, ensuring HolderKey is correctly handled during Create and Update operations for Lease mode. This prevents potential leader stealing issues.

Memory and resource leaks are mitigated by calling ShutdownHandlers in various controllers (crdclient, kube/controller, multicluster/cluster, multicluster/secretcontroller, namespace/filter) when they stop. Furthermore, StripPodUnusedFields now removes the annotation.ProxyOverrides.Name from pod annotations, reducing the size of cached pod objects. EnvoyFilters targeting GatewayClass in the root namespace now use WithRootNamespace in PolicyMatcherForProxy, correctly applying filters.

--- a/pilot/pkg/leaderelection/k8sleaderelection/k8sresourcelock/leaselock.go
+++ b/pilot/pkg/leaderelection/k8sleaderelection/k8sresourcelock/leaselock.go
@@ -44,7 +44,7 @@ func (ll *LeaseLock) Get(ctx context.Context) (*LeaderElectionRecord, []byte, er
 		if err != nil {
 			return nil, nil, err
 		}
-		record := LeaseSpecToLeaderElectionRecord(&ll.lease.Spec)
+		record := LeaseToLeaderElectionRecord(ll.lease)
 		recordByte, err := json.Marshal(*record)
 		if err != nil {
 			return nil, nil, err
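Review bot: `LeaseToLeaderElectionRecord(ll.lease)` now receives the whole Lease instead of `&ll.lease.Spec`, presumably so HolderKey can be read from the LeaseHolderKey annotation, but the helper's body is not in this hunk; it should be confirmed that it tolerates a Lease with a nil Annotations map or no LeaseHolderKey entry (one written by a control plane without this change) and returns an empty HolderKey rather than panicking in Get, ideally pinned by a test that round-trips such a Lease. Also check whether `LeaseSpecToLeaderElectionRecord` still has callers or should be removed with this change.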

Source:

  • pilot/pkg/leaderelection/k8sleaderelection/k8sresourcelock/leaselock.go (44-140)
  • pilot/pkg/leaderelection/leaderelection.go (189-194)
  • pilot/pkg/config/kube/crdclient/client.go (176-182)
  • pilot/pkg/serviceregistry/kube/controller/controller.go (637-640)
  • pkg/kube/multicluster/cluster.go (79-84)
  • pkg/kube/multicluster/secretcontroller.go (290-292)
  • pkg/kube/namespace/filter.go (54-68)
  • pkg/kube/util.go (392-393)
  • pilot/pkg/model/push_context.go (2347-2347)
  • releasenotes/notes/58032.yaml (1-7)

Minor Updates & Housekeeping

This release also includes several housekeeping changes, such as updating fully qualified names for various images in samples (Prometheus, Skywalking, Zipkin, Curl, Alpine, Redis, OpenTelemetry Collector) to enhance reliability, and a fix for workload entry label comparison logic that was impacting status updates. The PROXY_REPO_SHA and BASE_VERSION have been updated to reflect the latest upstream changes.