Envoy

📋 Recommended Actions ⚠️ Action Required Immediate upgrade to Istio 1.28.4 is strongly recommended to address critical security vulnerabilities and enhance mesh stability. Operations engineers should review the new debug endpoint authorization policy (enabled by default) and consider its impact on existing monitoring or tooling that accesses Istiod debug endpoints from non-system namespaces. Enabling ambient.enableAmbientDetectionRetry in the CNI chart is also recommended for increased ambient mesh robustness against transient failures. ...

📋 Recommended Actions ⚠️ Action Required Upgrade to Istio 1.28.2 after carefully reviewing the new minimum Kubernetes version requirement (1.30). Existing Ambient mode users planning nftables migration should be aware of the new safe fallback mechanism. 📝 Summary Istio 1.28.2 delivers crucial updates, enhancing stability and streamlining operations. Critically, the minimum required Kubernetes version has been bumped to 1.30, a change requiring pre-upgrade validation. For Ambient mode, a new intelligent fallback ensures smoother migrations from iptables to nftables, preventing network disruptions by detecting existing artifacts and temporarily sticking to iptables until node reboot. DNS resolution for headless services sees significant improvement, now correctly handling pods with multiple IPs and prioritizing local cluster endpoints for multi-cluster setups. Additionally, a long-standing bug preventing proxy startup when sidecar.istio.io/statsEvictionInterval was 60 seconds or more has been resolved. Updates to the KRT library also improve internal data processing, setting the stage for more robust configurations. Review these changes to ensure a seamless upgrade and optimized mesh. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is highly recommended for all users to benefit from critical stability fixes, especially concerning multi-revision deployments and Gateway API status reporting. Review new InferencePool capabilities to enhance AI/ML workloads. 📝 Summary Istio 1.28.1 delivers essential stability fixes and powerful Gateway API enhancements. This patch release addresses critical issues in multi-revision environments, preventing status conflicts for Gateway API resources like HTTPRoutes. It also resolves a persistent SDS (Secret Discovery Service) WARMING state bug, crucial for secure certificate management. Ambient Mesh users will find significant improvements in service overlap resolution, ensuring Kubernetes Services take precedence over ServiceEntries, and more accurate endpoint discovery within scoped networks. A long-standing bug preventing HTTP servers from routing on the same port as an HTTPS server (but with different binds) has been fixed, enhancing gateway flexibility. Furthermore, the Gateway API Inference Extension now supports multiple targetPorts, a key feature for modern AI/ML workloads. Multiple dependency bumps and cleanup items are also included. Upgrading is a straightforward step to ensure a more robust and predictable Istio deployment. ...

📋 Recommended Actions ⚠️ Action Required Immediate review and upgrade recommended to incorporate the latest proxy stability and potential security enhancements. 📝 Summary Istio 1.26.6 delivers a crucial stability and performance update. This patch primarily refreshes the underlying Envoy proxy, incorporating the latest fixes and improvements from the Envoy ‘release-1.26’ branch. While this is a focused update with no new features, it’s vital for ensuring your service mesh benefits from enhanced proxy robustness and potential upstream security patches. Operations engineers should review this release promptly and plan for a timely upgrade to maintain optimal performance and security posture. This release reinforces Istio’s foundation, ensuring your applications run on the most stable and secure proxy available in the 1.26 series. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially if you’re leveraging Kubernetes Gateway API or istioctl proxy-status. 📝 Summary Istio 1.27.1 delivers crucial bug fixes and valuable enhancements, bolstering operational stability and testing capabilities. This release notably improves Kubernetes Gateway API adoption by fixing a tag watcher issue that caused programming failures with revisioned installs. Users of istioctl proxy-status will find a more robust experience as its behavior when no proxies are found has been fixed to prevent breaking external tooling. We’ve also added comprehensive mTLS support to the Echo server, allowing for more detailed and accurate security testing. Core component reliability sees significant boosts with fixes for traffic policy validation (especially retry_budget) and improved istio-iptables logic that correctly handles IPv4/IPv6 states. Dependency updates ensure compatibility and security. These changes collectively enhance Istio’s stability and flexibility, making it even more dependable for your cloud-native deployments. ...

📋 Recommended Actions ⚠️ Action Required Review your Gateway API configurations, particularly AllowedRoutes.namespaces.from settings, as None is no longer supported and will cause validation errors. For pluginca users, ensure your cacerts bundle is complete to avoid istiod startup failures due to new, stricter validation. Upgrading is recommended for improved stability and security hardening. 📝 Summary Istio 1.26.1 lands with crucial updates, primarily focusing on robust Gateway API integration and enhanced security. This release promotes Gateway API to v1.3.0, alongside a critical fix that resolves istiod panics when processing complex Gateway API hostnames. Notably, a breaking change from upstream Gateway API means AllowedRoutes.namespaces.from: None is no longer valid, requiring configuration updates. ...