Ambient Mesh

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is recommended. Critical bugs affecting Ambient mesh traffic distribution and CNI stability have been fixed. Review Gateway API header validation changes and unmanaged Gateway SA behavior. 📝 Summary Istio 1.29.4 delivers crucial stability and correctness enhancements, particularly for Ambient mesh deployments and Gateway API users. This patch release resolves a critical bug where PreferSameZone or PreferSameNode traffic distribution, combined with publishNotReadyAddresses: true, could lead to traffic being routed to unready endpoints cluster-wide. Another significant fix addresses a concurrent map writes panic in the CNI agent, improving Ambient mesh robustness. Gateway API users benefit from new header validation logic, preventing silently dropped configurations and providing clearer feedback for invalid HTTPRoute and GRPCRoute header values. Multi-network Ambient ingress routing also sees improvements, ensuring correct waypoint traversal based on configuration. This release also streamlines HTTP/2 handling and includes numerous dependency updates, reinforcing overall platform reliability. Upgrade now to secure these vital fixes and bolster your Istio environment. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address critical security vulnerabilities related to authorization bypasses. Operations engineers should review the updated Ambient Mesh configurations for AWS deployments and consider tuning HBONE window sizes for performance. Review istioctl analyze output for new JWKS URI security warnings. 📝 Summary Istio 1.29.3 lands with crucial security fixes, fortifying your mesh against potential bypasses. This release tackles an authorization policy regex vulnerability, ensuring principal and namespace matching behaves as intended. It also tightens XDS debug endpoint access, preventing cross-namespace information exposure for non-system callers. Plus, leaf certificates now respect CA validity, preventing expired cert usage. AWS EKS users with Security Groups for Pods get a critical fix for kubelet health probe failures in Ambient Mesh, ensuring smoother operations. We’ve also added configurable HTTP/2 window sizes for HBONE, offering fine-tuned performance. Tooling improves with a new istioctl analyze warning for JWKS URI security, better handling of Helm webhook failurePolicy during upgrades, and enhanced proxy resource injection for null values. Several core bug fixes, including a multicluster secret controller deadlock and robust Kubernetes secret rotation, contribute to overall stability. ...

📋 Recommended Actions ⚠️ Action Required Immediate action is required for users deploying Istio with Helm v4 (server-side apply) or those with newer Gateway API CRDs. Review the section on Helm failurePolicy to configure base.validationFailurePolicy: Fail as needed. Also, be aware of the new Gateway API CRD maximum version filter, which may ignore newer TLSRoute versions (v1.5.0+). All users should upgrade to benefit from critical security hardening and stability fixes. ...

📋 Recommended Actions ⚠️ Action Required Immediate review and upgrade are recommended to benefit from critical security hardening, traffic management improvements, and enhanced multi-cluster reliability. If using Helm with server-side apply, explicitly configure ‘base.validationFailurePolicy: Fail’ during initial installations or when templating for SSA to avoid potential webhook conflicts. During upgrades, the webhook’s ‘failurePolicy’ will be omitted from the template, preserving the runtime value. 📝 Summary Istio 1.29.2 fortifies your service mesh with significant stability, security, and multi-cluster resilience enhancements. This patch release addresses several critical bugs, including a fix for AuthorizationPolicy regex metacharacter handling and a robust improvement to JWKS URI CIDR blocking, preventing potential bypasses. Operations engineers will appreciate the improved Helm upgrade experience with server-side apply, which resolves a webhook ‘failurePolicy’ conflict and ensures smoother installations. A new CRD filter safeguards against issues with unsupported Gateway API versions, enhancing upgrade predictability. Traffic management sees key improvements: waypoints now support multiple VirtualServices for a single host, and DestinationRule ‘retryBudget’ configurations are more consistently applied. Multi-cluster deployments gain a crucial fallback mechanism for mesh configuration, ensuring continued operation even if remote mesh config is temporarily unreadable. Upgrade promptly to secure your mesh and leverage these vital operational improvements. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade to Istio 1.28.5 is strongly recommended for all users due to critical security patches addressing JWT forgery, XDS debug endpoint authentication bypasses, and WasmPlugin SSRF vulnerabilities. Review changes to XDS debug endpoints if you rely on unauthenticated plaintext access, as this behavior now requires explicit configuration or authentication. 📝 Summary Istio 1.28.5 lands with crucial security updates and significant enhancements across the mesh. This release patches a critical vulnerability where Istio’s JWT authentication fallback mechanism could leak a private key, enabling attackers to forge tokens. A high-severity fix now secures XDS debug endpoints (like syncz and config_dump), preventing unauthenticated access on plaintext ports. Additionally, WasmPlugin image fetching is fortified with SSRF protection, closing another potential attack vector. Beyond security, the Gateway API sees improvements, specifically addressing issues where InferencePool configurations were lost during VirtualService merges. Ambient Mesh deployments get smarter port discovery for native sidecars, ensuring correct inbound listener configuration, and gain new flexibility with a ZtunnelNamespace flag. These updates combine critical fixes with valuable operational improvements, making 1.28.5 a vital upgrade for a more secure and robust service mesh. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is strongly recommended to address critical security vulnerabilities, especially the JWKS private key leak and XDS debug endpoint authentication bypass. Review all updates to ensure smooth operation and leverage new features. 📝 Summary Istio 1.29.1 delivers crucial security fixes, fortifying your mesh against potential exploits. This release patches a critical JWKS private key leak, preventing attackers from forging JWT tokens, and tightens authentication on XDS debug endpoints. Gateway API users will appreciate enhanced CORS wildcard handling and robust backend policy dependency tracking. For ambient mode, a panic with cross-network WorkloadEntries has been resolved, along with a fix for TLS inspection on exclusively TLS ports, improving routing reliability. Deployments now correctly handle null or zero resource limits, eliminating validation errors. Additional improvements include IP allocator stability, SSRF protection in WasmPlugin image fetching, and various nil-pointer dereference fixes, ensuring a more resilient and secure Istio experience. Upgrade promptly to secure your environment. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade to Istio 1.28.4 is strongly recommended to address critical security vulnerabilities and enhance mesh stability. Operations engineers should review the new debug endpoint authorization policy (enabled by default) and consider its impact on existing monitoring or tooling that accesses Istiod debug endpoints from non-system namespaces. Enabling ambient.enableAmbientDetectionRetry in the CNI chart is also recommended for increased ambient mesh robustness against transient failures. ...

📋 Recommended Actions ⚠️ Action Required For users leveraging Istio’s ambient multicluster, an immediate upgrade is highly recommended to address persistent informer errors and improve stability. All users should review the new gateway Helm chart feature for enhanced deployment flexibility. 📝 Summary Istio 1.28.3 significantly bolsters ambient multicluster reliability, rectifying a critical issue where remote cluster informer errors previously necessitated an Istiod restart. This update means your multicluster deployments will operate with much greater resilience, ensuring smoother operations and reduced downtime. Additionally, the Istio Gateway Helm chart introduces new service.selectorLabels functionality. This empowers operators with granular control, simplifying complex deployment patterns like revision-based migrations by allowing custom labels on gateway service selectors. Core component updates for proxy and ztunnel alongside nftables ensure overall stability and security. This release focuses on crucial bug fixes for multicluster environments and key enhancements for gateway management, making it a valuable upgrade for improved operational robustness and deployment agility. Review the details to leverage these improvements. ...

📋 Recommended Actions ⚠️ Action Required Upgrade to Istio 1.28.2 after carefully reviewing the new minimum Kubernetes version requirement (1.30). Existing Ambient mode users planning nftables migration should be aware of the new safe fallback mechanism. 📝 Summary Istio 1.28.2 delivers crucial updates, enhancing stability and streamlining operations. Critically, the minimum required Kubernetes version has been bumped to 1.30, a change requiring pre-upgrade validation. For Ambient mode, a new intelligent fallback ensures smoother migrations from iptables to nftables, preventing network disruptions by detecting existing artifacts and temporarily sticking to iptables until node reboot. DNS resolution for headless services sees significant improvement, now correctly handling pods with multiple IPs and prioritizing local cluster endpoints for multi-cluster setups. Additionally, a long-standing bug preventing proxy startup when sidecar.istio.io/statsEvictionInterval was 60 seconds or more has been resolved. Updates to the KRT library also improve internal data processing, setting the stage for more robust configurations. Review these changes to ensure a seamless upgrade and optimized mesh. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is highly recommended for all users to benefit from critical stability fixes, especially concerning multi-revision deployments and Gateway API status reporting. Review new InferencePool capabilities to enhance AI/ML workloads. 📝 Summary Istio 1.28.1 delivers essential stability fixes and powerful Gateway API enhancements. This patch release addresses critical issues in multi-revision environments, preventing status conflicts for Gateway API resources like HTTPRoutes. It also resolves a persistent SDS (Secret Discovery Service) WARMING state bug, crucial for secure certificate management. Ambient Mesh users will find significant improvements in service overlap resolution, ensuring Kubernetes Services take precedence over ServiceEntries, and more accurate endpoint discovery within scoped networks. A long-standing bug preventing HTTP servers from routing on the same port as an HTTPS server (but with different binds) has been fixed, enhancing gateway flexibility. Furthermore, the Gateway API Inference Extension now supports multiple targetPorts, a key feature for modern AI/ML workloads. Multiple dependency bumps and cleanup items are also included. Upgrading is a straightforward step to ensure a more robust and predictable Istio deployment. ...

📋 Recommended Actions ⚠️ Action Required Immediate review is required due to security enhancements for Gateway API TLS secret access. Operations engineers should update to ensure gateways continue to function correctly, especially if relying on previous implicit permissions. Also, review the new ENABLE_PROXY_FIND_POD_BY_IP flag for potential future impacts. 📝 Summary Istio 1.26.5 delivers crucial security and stability enhancements. This release significantly hardens Kubernetes Gateway API TLS secret access, now requiring both namespace and service account matching for referenced secrets—a vital update for secure operations. You’ll also find improved installation flexibility as the Istio CNI no longer depends directly on Pilot, streamlining deployments. For ambient mode users, ServiceEntry named port mapping logic is now correctly aligned with sidecar behavior, resolving previous inconsistencies. Additionally, a new feature flag, ENABLE_PROXY_FIND_POD_BY_IP, grants more control over pod-proxy association, with future versions defaulting it to ‘off’. Critical bug fixes address issues like XDS cache corruption during SDS config dumps and Gateway API meshconfig reconciliation, ensuring a more robust and predictable service mesh. Review these updates promptly to maintain a secure and efficient Istio environment. ...

📋 Recommended Actions ⚠️ Action Required Immediate review required for Gateway API users managing TLS secrets. Verify existing ReferenceGrants or ServiceAccount configurations to avoid disruptions. For other users, review CNI and Ambient updates for improved reliability and multicluster stability. 📝 Summary Istio 1.27.2 hardens security for Kubernetes Gateway API users by tightening TLS secret access. Gateway API deployments now require service account matching or ReferenceGrant for TLS secrets, preventing unauthorized access to sensitive credentials. This update significantly improves CNI and Ambient mesh resilience during upgrades and reboots, with graceful handling of missing IPv6 support and decoupled CNI installation from Pilot. Critical goroutine leaks in multicluster KRT collections are also resolved, boosting stability and resource efficiency. Developers and operators will appreciate the fixed header validation allowing underscores and streamlined ServiceEntry resolution in ztunnel. This release delivers essential stability, security, and operational improvements for your Istio deployments. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially if you’re leveraging Kubernetes Gateway API or istioctl proxy-status. 📝 Summary Istio 1.27.1 delivers crucial bug fixes and valuable enhancements, bolstering operational stability and testing capabilities. This release notably improves Kubernetes Gateway API adoption by fixing a tag watcher issue that caused programming failures with revisioned installs. Users of istioctl proxy-status will find a more robust experience as its behavior when no proxies are found has been fixed to prevent breaking external tooling. We’ve also added comprehensive mTLS support to the Echo server, allowing for more detailed and accurate security testing. Core component reliability sees significant boosts with fixes for traffic policy validation (especially retry_budget) and improved istio-iptables logic that correctly handles IPv4/IPv6 states. Dependency updates ensure compatibility and security. These changes collectively enhance Istio’s stability and flexibility, making it even more dependable for your cloud-native deployments. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review these updates to better support your users, especially regarding Gateway API status improvements and Ambient mesh enhancements. 📝 Summary Istio 1.26.3 rolls out important stability and compatibility enhancements across the mesh. This patch release brings significant improvements to Gateway API status reporting, ensuring more reliable and deterministic updates for HTTPRoute resources, even in multi-controller environments. Operations engineers will appreciate the increased clarity and robustness here, simplifying Gateway API management. For Ambient mesh users, this release is critical. It fixes an edge case in CNI pod deletion, preventing orphaned entries in ztunnel and boosts multi-revision deployments with revision-aware configuration filtering for Ambient waypoints. This ensures policies like AuthorizationPolicy are correctly applied based on the Istio revision. Additionally, OpenShift users gain better TProxy compatibility through automated privileged SCC assignment for test environments, addressing a key platform-specific challenge. Internal fixes in Pilot’s telemetry reinitialization and status worker pools further enhance control plane stability. These targeted updates ensure a more resilient and predictable Istio experience for both traditional and Ambient mesh deployments. ...