⚠️ Action Required
If you run Istio's ambient multicluster, upgrade promptly: this release fixes persistent remote cluster informer errors that previously required an Istiod restart. All users should review the new gateway Helm chart service.selectorLabels option for more flexible gateway deployments.


📝 Summary

Istio 1.28.3 improves ambient multicluster reliability by fixing an issue where informer errors in a remote cluster persisted until Istiod was restarted; multicluster deployments now recover from such errors on their own, with less downtime. The Istio Gateway Helm chart gains a service.selectorLabels setting that lets operators add custom labels to the gateway Service's selector, which simplifies patterns such as revision-based migrations. The proxy, ztunnel and nftables components are also updated for stability and security. This release is therefore mainly bug fixes for multicluster environments plus a gateway management enhancement, and is a worthwhile upgrade for operational robustness and deployment flexibility.


🔒 Critical Fix: Ambient Multicluster Informer Reliability

This release resolves a significant issue in Istio's ambient multicluster deployments: informer errors in a remote cluster could persist indefinitely, and only an Istiod restart restored functionality. Informer failures are now handled gracefully, so remote cluster resources continue to be reflected and processed without prolonged outages, which materially improves the stability and operational efficiency of a multicluster service mesh.

The fix involves several key changes across the ambient multicluster controller. The Cluster object’s RemoteClusterCollections now uses an atomic pointer, allowing for safe and dynamic updates to the collection of informers. Lifecycle management of informers has been tightened, with informer.Start(a.stop) calls ensuring informers respect the index’s stop channel. The ClusterStore now more intelligently tracks the sync status of remote clusters, filtering out unhealthy or unsynced clusters from computations via the new AllReady() method. Importantly, the process of adding secrets has been refined: remote clusters are now stored in the ClusterStore before their Run method is called. This ensures that even if a secret is initially ‘bad’ (e.g., malformed kubeconfig), the cluster object is present, allowing subsequent updates to that secret to properly trigger a shutdown and restart of the faulty cluster without blocking the system. Additionally, the namespace discovery filter can now be initialized without blocking, further preventing deadlocks during cluster bootstrapping.
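The store-before-Run ordering and the AllReady() filtering described above, as an added illustration in Go that is not Istio's code: a minimal ClusterStore in which a cluster whose first secret is malformed (modelled as an empty kubeconfig string) is still stored, so a corrected secret can stop and restart it, while AllReady() hides it until it has synced. Cluster, ClusterStore, AddSecret and UpdateSecret are simplified stand-ins for the real types, and the informer start/stop plumbing is omitted.

```go
package main

import (
	"sync"
	"sync/atomic"
)

// Cluster models one remote cluster; synced is atomic so AllReady can read it without a lock.
type Cluster struct {
	kubeconfig string
	synced     atomic.Bool
}

// Run treats an empty kubeconfig as malformed: the cluster stays unsynced instead of blocking.
func (c *Cluster) Run()  { c.synced.Store(c.kubeconfig != "") }
func (c *Cluster) Stop() { c.synced.Store(false) }

type ClusterStore struct{ clusters sync.Map } // id -> *Cluster, synced or not

// AddSecret stores the cluster BEFORE calling Run, so a bad first secret still leaves an entry to restart.
func (s *ClusterStore) AddSecret(id, kubeconfig string) {
	c := &Cluster{kubeconfig: kubeconfig}
	s.clusters.Store(id, c)
	c.Run()
}

// UpdateSecret stops and restarts the stored cluster; false means it was never stored.
func (s *ClusterStore) UpdateSecret(id, kubeconfig string) bool {
	v, ok := s.clusters.Load(id)
	if !ok {
		return false
	}
	c := v.(*Cluster)
	c.Stop()
	c.kubeconfig = kubeconfig
	c.Run()
	return true
}

// AllReady returns only the clusters whose informers have synced.
func (s *ClusterStore) AllReady() []string {
	var ready []string
	s.clusters.Range(func(id, v any) bool {
		if v.(*Cluster).synced.Load() {
			ready = append(ready, id.(string))
		}
		return true
	})
	return ready
}
```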

Source:

  • pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex.go (186-207)
  • pilot/pkg/serviceregistry/kube/controller/ambient/multicluster/cluster.go (66-339)
  • pilot/pkg/serviceregistry/kube/controller/ambient/multicluster/clusterstore.go (27-193)
  • pilot/pkg/serviceregistry/kube/controller/ambient/remotesecrets.go (115-244)
  • pkg/kube/namespace/filter.go (36-126)
  • releasenotes/notes/58047.yaml (1-8)

✨ Gateway Helm Chart: Custom Service Selector Labels

For advanced deployment patterns, especially revision-based migrations, the Istio Gateway Helm chart now lets you set custom service.selectorLabels on the gateway Service, giving you precise control over which pods the Kubernetes Service resource selects. This makes blue/green or canary gateway rollouts simpler: you gradually shift traffic by updating labels rather than by modifying the core gateway Deployment.

The new service.selectorLabels field goes directly in your gateway's values.yaml. Labels defined there are merged with the default selector labels, so you can add selectors specific to your deployment. For instance, for a canary rollout you might add a revision label:

service:
  selectorLabels:
    istio.io/rev: canary
    custom-label: custom-value

With this configuration, the gateway's Kubernetes Service targets only pods that carry every listed label, in addition to the default app: istio-ingress and istio: ingress labels that the chart includes automatically.
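How the merged selector narrows the Service's targets, as an added Go illustration that is not part of the chart: the default app/istio labels (as the page states them) are merged with service.selectorLabels and applied as an equality match to a constructed set of pods, so a stable-revision pod and an egress pod fall out of the selection. MergeSelector, Matches, SelectPods and samplePods are assumptions for this example, not chart code.

```go
package main

import "sort"

// Default selector the chart adds on its own (per the page); assumed to
// match the gateway chart's defaults.
var defaultSelector = map[string]string{"app": "istio-ingress", "istio": "ingress"}

// Constructed sample pods for a revision-based migration (not real cluster data).
var samplePods = map[string]map[string]string{
	"ingress-stable-1": {"app": "istio-ingress", "istio": "ingress", "istio.io/rev": "stable"},
	"ingress-canary-1": {"app": "istio-ingress", "istio": "ingress", "istio.io/rev": "canary", "custom-label": "custom-value"},
	"egress-canary-1":  {"app": "istio-egress", "istio": "egress", "istio.io/rev": "canary", "custom-label": "custom-value"},
}

// MergeSelector returns the chart defaults plus service.selectorLabels.
// Custom keys are added; the defaults are never dropped.
func MergeSelector(custom map[string]string) map[string]string {
	out := map[string]string{}
	for k, v := range defaultSelector {
		out[k] = v
	}
	for k, v := range custom {
		out[k] = v
	}
	return out
}

// Matches mirrors a Kubernetes equality selector: every selector label must be present on the pod with that value.
func Matches(selector, podLabels map[string]string) bool {
	for k, v := range selector {
		if podLabels[k] != v {
			return false
		}
	}
	return true
}

// SelectPods returns, sorted, the pods the merged selector would target.
func SelectPods(custom map[string]string, pods map[string]map[string]string) []string {
	sel := MergeSelector(custom)
	var names []string
	for name, labels := range pods {
		if Matches(sel, labels) {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}
```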

Source:

  • manifests/charts/gateway/templates/service.yaml (72-75)
  • manifests/charts/gateway/values.schema.json (178-184)
  • manifests/charts/gateway/values.yaml (44-46)
  • releasenotes/notes/gateway-service-selector-labels.yaml (1-9)

Minor Updates & Housekeeping

This release includes routine updates to the proxy and ztunnel components via their SHA bumps, an upgrade to the nftables package to version 1.1.1-r40 in the distroless base image for iptables, and internal build version bumps to 1.28-2026-01-13T19-03-16.