istio(1.28.4): Critical Security Hardening, Ambient Mesh Stability, and Robustness Improvements

📋 Recommended Actions ⚠️ Action Required Immediate upgrade to Istio 1.28.4 is strongly recommended to address critical security vulnerabilities and improve mesh stability. Operations engineers should review the new debug endpoint authorization policy (enabled by default) and assess its impact on any existing monitoring or tooling that reaches Istiod debug endpoints from non-system namespaces. Enabling ambient.enableAmbientDetectionRetry in the CNI chart is also recommended so that the ambient mesh tolerates transient detection failures. ...

February 16, 2026 · Daniel Grenemark

cert-manager(v1.19.2): Critical Security Updates, Helm Node Selector Merge, and ACME Protocol Modernization

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address critical security vulnerabilities. Operations engineers must also review their Helm chart configurations for the nodeSelector behavior change to avoid deployment disruptions. 📝 Summary cert-manager v1.19.2 is here, bringing crucial security updates and significant internal modernization. This release patches several identified vulnerabilities (CVE-2025-61727, CVE-2025-61729, CVE-2025-47914, and CVE-2025-58181) through updates to the Go runtime and the core golang.org/x dependencies. A key change for Helm users is how nodeSelector values merge: component-specific selectors now merge with the global ones, overriding matching keys, so existing deployments need a review. This release also removes the outdated autocert package, signaling a move towards modern, secure ACME challenge handling by deprecating the insecure TLS-SNI-01/TLS-SNI-02 challenges and improving TLS-ALPN-01 for IP addresses. Upgrade promptly to secure your clusters and review your Helm configurations. ...

December 9, 2025 · Daniel Grenemark

istio(1.26.1): Gateway API v1.3 Support, Enhanced CA Bundle Validation, and Istioctl Fixes

📋 Recommended Actions ⚠️ Action Required Review your Gateway API configurations, particularly AllowedRoutes.namespaces.from settings, as None is no longer supported and will now cause validation errors. For pluginca users, ensure your cacerts bundle is complete to avoid istiod startup failures under the new, stricter validation. Upgrading is recommended for improved stability and security hardening. 📝 Summary Istio 1.26.1 lands with crucial updates, primarily focused on robust Gateway API integration and enhanced security. This release promotes Gateway API to v1.3.0, alongside a critical fix that resolves istiod panics when processing complex Gateway API hostnames. Notably, a breaking change from upstream Gateway API means AllowedRoutes.namespaces.from: None is no longer valid, requiring configuration updates. ...

May 29, 2025 · Daniel Grenemark
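A pre-upgrade check for the AllowedRoutes change described in the 1.26.1 entry, added here as an example; it is not code from the original post or from the Istio project. It walks the JSON shape that `kubectl get gateways -A -o json` produces and reports every listener whose `allowedRoutes.namespaces.from` is not one of the Gateway API v1 values (`All`, `Same`, `Selector`), which is what the stricter validation in Gateway API v1.3 rejects. The sample document embedded below is constructed, not captured from a real cluster.

```python
"""Scan Gateway API Gateway objects for listeners that still use
allowedRoutes.namespaces.from: None (rejected since Gateway API v1.3).

Added example, not part of the original post or of Istio. Feed it the
output of `kubectl get gateways -A -o json`; SAMPLE_KUBECTL_JSON below is
a constructed stand-in for that output.
"""
import json
from typing import Any, Dict, Iterable, List, Tuple

# The FromNamespaces enum in Gateway API v1 (spec.listeners[].allowedRoutes.namespaces.from).
VALID_FROM = {"All", "Same", "Selector"}

# Constructed sample in the shape of `kubectl get gateways -A -o json`.
SAMPLE_KUBECTL_JSON = """
{
  "items": [
    {
      "kind": "Gateway",
      "metadata": {"name": "legacy-gw", "namespace": "istio-ingress"},
      "spec": {
        "gatewayClassName": "istio",
        "listeners": [
          {"name": "http", "port": 80, "protocol": "HTTP",
           "allowedRoutes": {"namespaces": {"from": "All"}}},
          {"name": "https", "port": 443, "protocol": "HTTPS",
           "allowedRoutes": {"namespaces": {"from": "None"}}}
        ]
      }
    },
    {
      "kind": "Gateway",
      "metadata": {"name": "team-gw", "namespace": "payments"},
      "spec": {
        "gatewayClassName": "istio",
        "listeners": [
          {"name": "http", "port": 80, "protocol": "HTTP"},
          {"name": "internal", "port": 8080, "protocol": "HTTP",
           "allowedRoutes": {"namespaces": {"from": "Selector",
             "selector": {"matchLabels": {"team": "payments"}}}}}
        ]
      }
    }
  ]
}
"""


def load_gateways(kubectl_json: str) -> List[Dict[str, Any]]:
    """Return the .items list of a kubectl JSON list document."""
    return json.loads(kubectl_json).get("items", [])


def invalid_allowed_routes(gateways: Iterable[Dict[str, Any]]) -> List[Tuple[str, str, str, str]]:
    """Return (namespace, gateway, listener, value) for each listener that the
    v1.3 validation will reject. A listener without an allowedRoutes block
    defaults to 'Same' and is fine; 'Selector' without a selector is flagged too."""
    findings: List[Tuple[str, str, str, str]] = []
    for gw in gateways:
        if gw.get("kind") != "Gateway":
            continue
        meta = gw.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "<unnamed>")
        for listener in gw.get("spec", {}).get("listeners", []):
            ns_rule = listener.get("allowedRoutes", {}).get("namespaces", {})
            value = ns_rule.get("from", "Same")
            lname = listener.get("name", "<unnamed>")
            if value not in VALID_FROM:
                findings.append((ns, name, lname, value))
            elif value == "Selector" and not ns_rule.get("selector"):
                findings.append((ns, name, lname, "Selector without selector"))
    return findings


def main() -> int:
    """Print findings for the constructed sample; exit 1 if anything must change."""
    findings = invalid_allowed_routes(load_gateways(SAMPLE_KUBECTL_JSON))
    for ns, name, lname, value in findings:
        print(f"{ns}/{name} listener {lname!r}: allowedRoutes.namespaces.from={value!r} "
              "is rejected by Gateway API v1.3; change it before upgrading to Istio 1.26.1")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Against a live cluster, replace `SAMPLE_KUBECTL_JSON` with the real `kubectl get gateways -A -o json` output (or pipe it in); a non-zero exit means at least one listener still needs its `from` value changed before the upgrade.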