📋 Recommended Actions
⚠️ Action Required
Upgrade to Istio 1.28.2 after carefully reviewing the new minimum Kubernetes version requirement (1.30). Existing Ambient mode users planning an nftables migration should be aware of the new safe fallback mechanism.
📝 Summary
Istio 1.28.2 delivers crucial updates, enhancing stability and streamlining operations. Critically, the minimum required Kubernetes version has been bumped to 1.30, a change requiring pre-upgrade validation. For Ambient mode, a new intelligent fallback ensures smoother migrations from iptables to nftables, preventing network disruptions by detecting existing artifacts and temporarily sticking to iptables until node reboot. DNS resolution for headless services sees significant improvement, now correctly handling pods with multiple IPs and prioritizing local cluster endpoints for multi-cluster setups. Additionally, a long-standing bug preventing proxy startup when sidecar.istio.io/statsEvictionInterval was 60 seconds or more has been resolved. Updates to the KRT library also improve internal data processing, setting the stage for more robust configurations. Review these changes to ensure a seamless upgrade and optimized mesh.
✨ Ambient Mode: Safer iptables to nftables Migration
Migrating networking backends can be tricky, especially when transitioning between iptables and nftables. To prevent potential network disruptions during this switch, Istio’s Ambient mode now includes a robust detection mechanism. This update intelligently identifies existing iptables artifacts on the host when nftables is enabled, ensuring a graceful fallback to iptables if previous configurations are found. This makes your transition safer by avoiding a mixed state, allowing you to complete the migration with a node reboot.
The CNI node agent now performs a pre-flight check for Istio-related IPsets upon startup. If IPsets are detected, indicating an iptables-managed network, the agent logs a warning and temporarily overrides the NativeNftables configuration to continue using iptables. This prevents conflicts and ensures network continuity. Once the node is rebooted, these artifacts are typically cleared, allowing nftables to take over cleanly. The detection logic lives in the files listed under Source below.
Source: cni/pkg/nodeagent/detect_artifacts_linux.go (1-102), cni/pkg/nodeagent/server_linux.go (49-68), releasenotes/notes/58353.yaml (1-8)
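The fallback rule above, modelled as an added Go example rather than Istio's own node-agent code: it scans the names reported by `ipset list -n` (the sample output and the `istio-` name prefix are constructed assumptions; the real ipset names are in the Istio source) and, when nftables is requested on a node that still carries iptables-era ipsets, keeps iptables for this boot and returns the warning the operator should expect to see.

```go
package main

import (
	"fmt"
	"strings"
)

// NodeAgentConfig carries only the knob this example needs. The field name
// NativeNftables follows the release note; the struct itself is assumed.
type NodeAgentConfig struct {
	NativeNftables bool
}

// istioIPSetPrefix is an assumed naming convention for ipsets the Istio CNI
// node agent manages; consult the Istio source for the authoritative names.
const istioIPSetPrefix = "istio-"

// findIstioIPSets scans the output of `ipset list -n` (one set name per line)
// and returns the names that look Istio-managed.
func findIstioIPSets(ipsetListOutput string) []string {
	var found []string
	for _, line := range strings.Split(ipsetListOutput, "\n") {
		name := strings.TrimSpace(line)
		if name == "" {
			continue
		}
		if strings.HasPrefix(name, istioIPSetPrefix) {
			found = append(found, name)
		}
	}
	return found
}

// reconcileBackend applies the fallback rule: if nftables mode is requested
// but iptables-era ipsets are still present, keep iptables for this boot and
// return a warning explaining why. The returned config is a modified copy.
func reconcileBackend(cfg NodeAgentConfig, ipsetListOutput string) (NodeAgentConfig, string) {
	if !cfg.NativeNftables {
		return cfg, "" // iptables mode: nothing to reconcile
	}
	leftovers := findIstioIPSets(ipsetListOutput)
	if len(leftovers) == 0 {
		return cfg, "" // clean node (e.g. after reboot): nftables can take over
	}
	cfg.NativeNftables = false
	warn := fmt.Sprintf("nftables requested but found %d Istio ipset(s) %v left by an iptables-managed node; "+
		"continuing with iptables until the node is rebooted", len(leftovers), leftovers)
	return cfg, warn
}

func main() {
	// Constructed sample output; a freshly rebooted node would list nothing Istio-related.
	const migratingNode = "istio-inpod-probes-v4\nistio-inpod-probes-v6\nunrelated-set\n"
	cfg, warn := reconcileBackend(NodeAgentConfig{NativeNftables: true}, migratingNode)
	fmt.Printf("NativeNftables=%v\nwarning=%q\n", cfg.NativeNftables, warn)
}
```

The check is deliberately read-only: the agent never deletes the leftover ipsets itself, because an in-place switch would leave the node in the mixed iptables/nftables state the release note warns about. A reboot clears the artifacts and the next agent start selects nftables without intervention.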
⚠️ Minimum Kubernetes Version Bump to 1.30
Staying current with Kubernetes versions is essential for leveraging the latest features and security patches. This release of Istio now officially requires Kubernetes 1.30 as its minimum supported version. This update aligns Istio with the latest upstream Kubernetes APIs and behaviors, ensuring better compatibility and performance with modern clusters. Users currently running Kubernetes 1.29 or older will need to upgrade their clusters before installing or upgrading to Istio 1.28.2.
The istioctl CLI now enforces this minimum version check during installation and upgrades. Attempting to install Istio 1.28.2 on a Kubernetes cluster older than 1.30 will trigger a warning and prevent installation. This ensures that your Istio deployment operates within a fully supported environment. Always verify your cluster’s version before proceeding with the upgrade process.
Source: istioctl/pkg/install/k8sversion/version.go (28-31), istioctl/pkg/install/k8sversion/version_test.go (264-269)
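A pre-upgrade gate of the kind istioctl enforces, as an added Go example (not Istio's `k8sversion` package): it parses the server version string a cluster reports, including vendor suffixes such as `-gke.100` or `+k3s1`, and refuses anything below 1.30. The function names and the sample version strings are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Minimum supported Kubernetes version for Istio 1.28.2, per the release note.
const (
	minK8sMajor = 1
	minK8sMinor = 30
)

// parseK8sVersion extracts major.minor from a server version string such as
// "v1.29.3", "1.31.0-gke.100" or "v1.30.2+k3s1". Patch level and any vendor
// suffix are ignored because the minimum is expressed as major.minor only.
func parseK8sVersion(v string) (major, minor int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	parts := strings.SplitN(v, ".", 3)
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("unrecognized kubernetes version %q", v)
	}
	if major, err = strconv.Atoi(parts[0]); err != nil {
		return 0, 0, fmt.Errorf("bad major version in %q: %w", v, err)
	}
	// Some distributions report the minor with a trailing marker (e.g. "30+");
	// keep only the leading digits.
	minorDigits := strings.TrimRightFunc(parts[1], func(r rune) bool { return r < '0' || r > '9' })
	if minor, err = strconv.Atoi(minorDigits); err != nil {
		return 0, 0, fmt.Errorf("bad minor version in %q: %w", v, err)
	}
	return major, minor, nil
}

// checkMinK8sVersion returns a non-nil error when the cluster is older than the
// minimum, which is the condition under which installation must not proceed.
func checkMinK8sVersion(serverVersion string) error {
	major, minor, err := parseK8sVersion(serverVersion)
	if err != nil {
		return err
	}
	if major < minK8sMajor || (major == minK8sMajor && minor < minK8sMinor) {
		return fmt.Errorf("kubernetes %d.%d is below the minimum supported version %d.%d; upgrade the cluster before installing Istio 1.28.2",
			major, minor, minK8sMajor, minK8sMinor)
	}
	return nil
}

func main() {
	// Constructed sample versions covering a blocked cluster, the exact minimum,
	// and a vendor-suffixed newer release.
	for _, v := range []string{"v1.29.7", "v1.30.0", "1.31.2-gke.100"} {
		if err := checkMinK8sVersion(v); err != nil {
			fmt.Println("BLOCKED:", err)
		} else {
			fmt.Println("OK:     ", v)
		}
	}
}
```

The version string to feed in is the server `gitVersion` that `kubectl version` reports; checking it in a pre-upgrade script avoids discovering the gate only when istioctl refuses to install.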
💡 Improved DNS Resolution for Headless Services
Correct DNS resolution is paramount for seamless service communication, especially in complex multi-cluster and headless service deployments. Previously, Istio could miss IP addresses for headless service nametable entries when pods had multiple IPs, and lacked clear preference for local cluster endpoints. This release fixes these issues, ensuring that DNS lookups for headless services with multi-IP pods are accurate and that local cluster IPs are prioritized over remote ones, enhancing reliability and performance.
The pkg/dns/server/name_table.go logic has been enhanced to collect all valid IP addresses for multi-IP pods associated with headless services. Crucially, it now populates the DNS nametable by first adding local cluster IP addresses and then, if no local entry exists, adding remote cluster IP addresses. This ensures that DNS queries from a local proxy will resolve to local endpoints whenever possible. For example, if ‘mysql-0.headless-svc.testns.svc.cluster.local’ exists in both cluster1 (local) and cluster2 (remote), the local IPs will be returned.
Source: pkg/dns/server/name_table.go (62-151), pkg/dns/server/name_table_test.go (695-812), releasenotes/notes/58397.yaml (1-8)
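The two behaviours described above (collect every IP of a multi-IP pod; prefer local-cluster entries and use remote ones only when no local pod answers to the hostname) as an added Go example. It is a model of the algorithm, not Istio's `name_table.go`; the `Endpoint` type, the function names and the sample pods are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Endpoint is a constructed view of one pod backing a headless service.
type Endpoint struct {
	Hostname string   // pod hostname, e.g. "mysql-0"
	Cluster  string   // cluster ID the pod runs in
	IPs      []string // every pod IP; dual-stack or multi-network pods have more than one
}

// NameTable maps an FQDN to the IPs a proxy-side DNS responder should answer with.
type NameTable map[string][]string

// buildHeadlessNameTable gathers all IPs per hostname, split by whether the pod
// is in the local cluster. Local entries are written first; a remote entry is
// only added for hostnames that have no local pod at all.
func buildHeadlessNameTable(svcFQDN, localCluster string, eps []Endpoint) NameTable {
	local := map[string][]string{}
	remote := map[string][]string{}
	for _, ep := range eps {
		fqdn := ep.Hostname + "." + svcFQDN
		for _, ip := range ep.IPs {
			if ip == "" {
				continue // skip unset addresses rather than publishing an empty record
			}
			if ep.Cluster == localCluster {
				local[fqdn] = append(local[fqdn], ip)
			} else {
				remote[fqdn] = append(remote[fqdn], ip)
			}
		}
	}
	nt := NameTable{}
	for fqdn, ips := range local {
		nt[fqdn] = sortedCopy(ips)
	}
	for fqdn, ips := range remote {
		if _, hasLocal := nt[fqdn]; !hasLocal {
			nt[fqdn] = sortedCopy(ips)
		}
	}
	return nt
}

// sortedCopy returns the IPs in a stable order so two builds of the same
// table compare equal regardless of endpoint arrival order.
func sortedCopy(in []string) []string {
	out := append([]string(nil), in...)
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: mysql-0 exists in both clusters, mysql-1 only remotely.
	eps := []Endpoint{
		{Hostname: "mysql-0", Cluster: "cluster1", IPs: []string{"10.0.1.5", "fd00::15"}},
		{Hostname: "mysql-0", Cluster: "cluster2", IPs: []string{"10.1.1.5"}},
		{Hostname: "mysql-1", Cluster: "cluster2", IPs: []string{"10.1.1.6"}},
	}
	nt := buildHeadlessNameTable("headless-svc.testns.svc.cluster.local", "cluster1", eps)
	for fqdn, ips := range nt {
		fmt.Println(fqdn, ips)
	}
}
```

With cluster1 as the local cluster, `mysql-0.headless-svc.testns.svc.cluster.local` resolves to both local IPs of the dual-stack pod and never to the cluster2 copy, while `mysql-1`, which has no local pod, falls through to its remote address.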
🧩 Enhanced Kubernetes Resource Topology (KRT) Library
Istio’s internal Kubernetes Resource Topology (KRT) library is fundamental to how it processes and understands Kubernetes resources. This release brings significant enhancements to KRT’s JoinCollection and introduces a new JoinWithMergeCollection, providing more robust and flexible ways to combine data from multiple sources. These updates improve how Istio handles conflicting resource definitions and allow for custom merging logic, leading to more predictable and powerful configurations.
The JoinCollection now includes built-in conflict resolution, where items from earlier collections in the join list take precedence. If a higher-priority collection has a key, its value is used. When a higher-priority item is removed, it automatically falls back to the next available lower-priority item. Additionally, the new JoinWithMergeCollection allows you to define custom merge functions. This is particularly useful for scenarios like combining selectors from multiple sources, where you need specific logic to determine the final merged state.
Source: pkg/kube/krt/join.go (16-391), pkg/kube/krt/join_test.go (15-207), pkg/kube/krt/mergejoin.go (18-380), pkg/kube/krt/mergejoin_test.go (1-328)
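The two join semantics described above, as an added Go example that models them in a few dozen lines; it is not the krt API. `Join` resolves a key from the earliest collection that has it and falls back when that collection drops the key; `MergeJoin` folds every source's value through a caller-supplied function, here a selector union in which the higher-priority source wins on conflicting label keys. The `Collection`, `Selector` and policy names are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Collection is a minimal stand-in for a keyed krt collection (constructed model).
type Collection[T any] map[string]T

// Join orders its sources by priority: index 0 wins. Lookup returns the value
// from the first source holding the key, so deleting the key from an earlier
// source transparently falls back to the next one.
type Join[T any] struct {
	sources []Collection[T]
}

func (j Join[T]) Lookup(key string) (T, bool) {
	for _, c := range j.sources {
		if v, ok := c[key]; ok {
			return v, true
		}
	}
	var zero T
	return zero, false
}

// MergeJoin gathers every source's value for a key, in priority order, and
// hands the list to a custom merge function.
type MergeJoin[T any] struct {
	sources []Collection[T]
	merge   func(items []T) T
}

func (m MergeJoin[T]) Lookup(key string) (T, bool) {
	var items []T
	for _, c := range m.sources {
		if v, ok := c[key]; ok {
			items = append(items, v)
		}
	}
	if len(items) == 0 {
		var zero T
		return zero, false
	}
	return m.merge(items), true
}

// Selector is a constructed payload: a label selector as key=value pairs.
type Selector map[string]string

// unionSelectors merges selectors; on a conflicting label key the earliest
// (highest-priority) source wins, matching Join's precedence rule.
func unionSelectors(items []Selector) Selector {
	out := Selector{}
	for _, s := range items {
		for k, v := range s {
			if _, exists := out[k]; !exists {
				out[k] = v
			}
		}
	}
	return out
}

// selectorString renders a selector deterministically for display and tests.
func selectorString(s Selector) string {
	keys := make([]string, 0, len(s))
	for k := range s {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+s[k])
	}
	return strings.Join(parts, ",")
}

func main() {
	primary := Collection[Selector]{"policy-a": {"app": "web"}}
	secondary := Collection[Selector]{"policy-a": {"app": "api", "tier": "backend"}, "policy-b": {"app": "db"}}

	j := Join[Selector]{sources: []Collection[Selector]{primary, secondary}}
	v, _ := j.Lookup("policy-a")
	fmt.Println("join:              ", selectorString(v)) // primary wins: app=web
	delete(primary, "policy-a")
	v, _ = j.Lookup("policy-a")
	fmt.Println("join after removal:", selectorString(v)) // falls back: app=api,tier=backend

	primary["policy-a"] = Selector{"app": "web"}
	m := MergeJoin[Selector]{sources: []Collection[Selector]{primary, secondary}, merge: unionSelectors}
	mv, _ := m.Lookup("policy-a")
	fmt.Println("merge join:        ", selectorString(mv)) // app=web,tier=backend
}
```

The contrast worth noticing is that a plain join silently discards the lower-priority `tier=backend`, whereas the merge join keeps it while still letting the higher-priority source decide the contested `app` label; which of the two a consumer wants depends on whether partial definitions from several sources are meant to compose or to override.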
🐛 Telemetry: Fix for statsEvictionInterval in Proxies
Reliable telemetry is key to understanding your mesh’s health and performance. A bug was identified where Envoy proxies would fail to start if the sidecar.istio.io/statsEvictionInterval annotation was set to values greater than or equal to 60 seconds. This prevented users from configuring longer eviction intervals for their stats, leading to unexpected proxy restarts or deployment failures. This release resolves the issue, ensuring proxies initialize correctly regardless of the configured eviction interval.
The fix addresses the underlying issue in how Envoy’s JSON configuration parser handles duration formats. Previously, durationpb.Duration values were formatted in a way that Envoy didn’t always correctly parse when the duration was represented as XmYs. The envoyDurationConverter function has been introduced to ensure that the stats_eviction_interval is always formatted in fractional seconds with an ’s’ suffix (e.g., 300s, 10.500000000s), which Envoy can reliably interpret. This guarantees consistent proxy startup behavior.
Source: pkg/bootstrap/config.go (343-350), pkg/bootstrap/option/convert.go (206-231), pkg/bootstrap/option/instances.go (308-311), pkg/bootstrap/option/instances_test.go (647-665), releasenotes/notes/58518.yaml (1-9)
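The formatting rule described above, as an added Go example (an assumed re-implementation, not Istio's `envoyDurationConverter`): it shows the `XmYs` string Go's default `Duration.String()` yields for 90 seconds beside the seconds-only form Envoy accepts, and includes a small validator for the accepted shape so a bootstrap template can be checked before a proxy ever starts.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// formatEnvoyDuration renders a duration as a decimal number of seconds with
// an "s" suffix, the form Envoy's JSON parser reliably accepts. Whole seconds
// are emitted without a fraction ("300s"); anything else keeps nine fractional
// digits ("10.500000000s"), mirroring the examples in the release note.
func formatEnvoyDuration(d time.Duration) string {
	if d%time.Second == 0 {
		return fmt.Sprintf("%ds", int64(d/time.Second))
	}
	return fmt.Sprintf("%.9fs", d.Seconds())
}

// goDuration is Go's default rendering, the "XmYs" shape (e.g. "1m30s") that
// Envoy did not always parse.
func goDuration(d time.Duration) string {
	return d.String()
}

// envoyDurationRE accepts an optional sign, integer seconds, and at most nine
// fractional digits, followed by "s".
var envoyDurationRE = regexp.MustCompile(`^-?[0-9]+(\.[0-9]{1,9})?s$`)

// isEnvoyDurationLiteral reports whether s is in the seconds-only form.
func isEnvoyDurationLiteral(s string) bool {
	return envoyDurationRE.MatchString(s)
}

func main() {
	// Constructed sample intervals, including the 60s boundary from the bug report.
	for _, d := range []time.Duration{60 * time.Second, 90 * time.Second, 300 * time.Second, 10500 * time.Millisecond} {
		g, e := goDuration(d), formatEnvoyDuration(d)
		fmt.Printf("%-14s go=%-8s envoy=%-16s envoy-ok=%v\n", d, g, e, isEnvoyDurationLiteral(e))
	}
}
```

Intervals under a minute were unaffected because `Duration.String()` already prints them as plain seconds (`"30s"`); the failure only appeared once the value reached 60 seconds and Go began inserting the minutes component.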
Ambient Waypoint Proxy Interoperability Enhancements
For users leveraging Ambient mode with waypoint proxies, consistent and accurate xDS updates are critical for stable traffic management. A previous issue could lead to Envoy proxies either receiving redundant xDS updates or, worse, missing some updates entirely when communicating with waypoint proxies. This instability could result in transient routing problems or inconsistent policy enforcement. This release addresses these concerns, ensuring reliable and precise xDS signaling for waypoint-enabled services.
The sidecar_interop.go file now includes a new Equals method for the serviceEDS struct, which is used to compare waypoint service definitions. By providing a precise comparison logic and sorting workloads by UID, the system can more accurately detect when a waypoint service’s configuration truly changes. This prevents extraneous xDS updates and ensures that only necessary updates are propagated to Envoy proxies, leading to a more stable and efficient control plane.
Source: pilot/pkg/serviceregistry/kube/controller/ambient/sidecar_interop.go (33-40, 93-109), releasenotes/notes/58525.yaml (1-7)
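An added Go example of the technique described above: an order-insensitive `Equals` that sorts workloads by UID before comparing, driving a "push only on real change" decision. It is a model, not Istio's `serviceEDS` (which carries more fields); the `Workload` fields, the `pusher` type and the sample snapshots are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Workload is a constructed subset of what a waypoint's EDS view carries.
type Workload struct {
	UID     string
	Address string
	Port    int
}

// serviceEDS pairs a service with the workloads currently backing it.
type serviceEDS struct {
	Service   string
	Workloads []Workload
}

// Equals compares two snapshots after sorting workloads by UID, so the same set
// arriving in a different order is not mistaken for a configuration change.
func (s serviceEDS) Equals(o serviceEDS) bool {
	if s.Service != o.Service || len(s.Workloads) != len(o.Workloads) {
		return false
	}
	a, b := sortedByUID(s.Workloads), sortedByUID(o.Workloads)
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// sortedByUID returns a sorted copy so callers' slices are never reordered in place.
func sortedByUID(ws []Workload) []Workload {
	out := append([]Workload(nil), ws...)
	sort.Slice(out, func(i, j int) bool { return out[i].UID < out[j].UID })
	return out
}

// pusher models the control-plane decision: emit an xDS update only when the
// snapshot differs from the last one sent for that service.
type pusher struct {
	last   map[string]serviceEDS
	pushes int
}

func (p *pusher) pushIfChanged(cur serviceEDS) bool {
	if p.last == nil {
		p.last = map[string]serviceEDS{}
	}
	if prev, ok := p.last[cur.Service]; ok && prev.Equals(cur) {
		return false // identical content: suppress the redundant push
	}
	p.last[cur.Service] = cur
	p.pushes++
	return true
}

func main() {
	p := &pusher{}
	w1 := Workload{UID: "uid-1", Address: "10.0.0.1", Port: 8080}
	w2 := Workload{UID: "uid-2", Address: "10.0.0.2", Port: 8080}
	fmt.Println("initial:   ", p.pushIfChanged(serviceEDS{"svc-a", []Workload{w1, w2}}))
	fmt.Println("reordered: ", p.pushIfChanged(serviceEDS{"svc-a", []Workload{w2, w1}}))
	w2.Port = 9090
	fmt.Println("port moved:", p.pushIfChanged(serviceEDS{"svc-a", []Workload{w1, w2}}))
	fmt.Println("pushes:    ", p.pushes)
}
```

The second call returns false because only the ordering changed, while the third returns true because a workload's port did; without the sort the first of those would have produced the redundant update the release note describes.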
Minor Updates & Housekeeping
This release includes various dependency updates across proxy, client-go, and istio/api components, along with general build-tool and common file updates. A rare race condition that could cause ambient clients to lose traffic to a ServiceEntry after deletion has also been fixed.