Helm

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address critical security vulnerabilities related to authorization bypasses. Operations engineers should review the updated Ambient Mesh configurations for AWS deployments and consider tuning HBONE window sizes for performance. Review istioctl analyze output for new JWKS URI security warnings. 📝 Summary Istio 1.29.3 lands with crucial security fixes, fortifying your mesh against potential bypasses. This release tackles an authorization policy regex vulnerability, ensuring principal and namespace matching behaves as intended. It also tightens XDS debug endpoint access, preventing cross-namespace information exposure for non-system callers. Plus, leaf certificates now respect CA validity, preventing expired cert usage. AWS EKS users with Security Groups for Pods get a critical fix for kubelet health probe failures in Ambient Mesh, ensuring smoother operations. We’ve also added configurable HTTP/2 window sizes for HBONE, offering fine-tuned performance. Tooling improves with a new istioctl analyze warning for JWKS URI security, better handling of Helm webhook failurePolicy during upgrades, and enhanced proxy resource injection for null values. Several core bug fixes, including a multicluster secret controller deadlock and robust Kubernetes secret rotation, contribute to overall stability. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address CVE-2024-29018, a high-severity vulnerability in the gRPC dependency. Review updated E2E testing procedures if you maintain custom CI workflows. 📝 Summary cert-manager v1.19.5 delivers essential security and maintenance updates, crucial for maintaining a robust certificate management infrastructure. This release directly addresses CVE-2024-29018, a high-severity vulnerability in the gRPC dependency that could lead to CPU exhaustion. Upgrading promptly is vital to protect your systems. Beyond security, we’ve bumped the core Go runtime to version 1.25.9 and updated numerous transitive dependencies like golang.org/x/crypto and cel.dev/expr to ensure improved stability and performance. Internal CI/CD workflows also see significant enhancements, including support for Kubernetes 1.35 and a migration of upgrade E2E tests to leverage Helm OCI registries. Minor textual cleanups in CRD descriptions also enhance clarity. These updates balance critical security fixes with ongoing platform compatibility and foundational improvements. Upgrade to secure your deployments and benefit from these stability enhancements. ...

📋 Recommended Actions ⚠️ Action Required Immediate action is required for users deploying Istio with Helm v4 (server-side apply) or those with newer Gateway API CRDs. Review the section on Helm failurePolicy to configure base.validationFailurePolicy: Fail as needed. Also, be aware of the new Gateway API CRD maximum version filter, which may ignore newer TLSRoute versions (v1.5.0+). All users should upgrade to benefit from critical security hardening and stability fixes. ...

📋 Recommended Actions ⚠️ Action Required Immediate review and upgrade are recommended to benefit from critical security hardening, traffic management improvements, and enhanced multi-cluster reliability. If using Helm with server-side apply, explicitly configure ‘base.validationFailurePolicy: Fail’ during initial installations or when templating for SSA to avoid potential webhook conflicts. During upgrades, the webhook’s ‘failurePolicy’ will be omitted from the template, preserving the runtime value. 📝 Summary Istio 1.29.2 fortifies your service mesh with significant stability, security, and multi-cluster resilience enhancements. This patch release addresses several critical bugs, including a fix for AuthorizationPolicy regex metacharacter handling and a robust improvement to JWKS URI CIDR blocking, preventing potential bypasses. Operations engineers will appreciate the improved Helm upgrade experience with server-side apply, which resolves a webhook ‘failurePolicy’ conflict and ensures smoother installations. A new CRD filter safeguards against issues with unsupported Gateway API versions, enhancing upgrade predictability. Traffic management sees key improvements: waypoints now support multiple VirtualServices for a single host, and DestinationRule ‘retryBudget’ configurations are more consistently applied. Multi-cluster deployments gain a crucial fallback mechanism for mesh configuration, ensuring continued operation even if remote mesh config is temporarily unreadable. Upgrade promptly to secure your mesh and leverage these vital operational improvements. ...

📋 Recommended Actions ⚠️ Action Required Immediate action required for environments utilizing debug endpoints from non-system namespaces, or if you’re using sidecar.istio.io/proxy* annotations. Review upgrade notes carefully for the debug endpoint authorization feature. For all users, upgrading is strongly recommended to apply critical security fixes and enhancements. 📝 Summary Istio 1.27.6 rolls out critical security enhancements, significantly bolstering the control plane’s resilience against potential vulnerabilities. This patch release introduces robust safeguards to the gateway deployment controller, preventing unauthorized resource creation via template injection. Furthermore, a critical fix addresses a template injection vector in sidecar.istio.io/proxy* annotations, rejecting malicious control characters. Security around debug endpoints is tightened, with namespace-based authorization now enabled by default, restricting access from non-system namespaces. This change requires review if your tooling interacts with these endpoints. Lastly, a bug fix ensures correct application of minimum TLS protocol versions. These updates collectively enhance Istio’s security posture and gateway management, making this a vital upgrade for all deployments. ...

📋 Recommended Actions ⚠️ Action Required For users leveraging Istio’s ambient multicluster, an immediate upgrade is highly recommended to address persistent informer errors and improve stability. All users should review the new gateway Helm chart feature for enhanced deployment flexibility. 📝 Summary Istio 1.28.3 significantly bolsters ambient multicluster reliability, rectifying a critical issue where remote cluster informer errors previously necessitated an Istiod restart. This update means your multicluster deployments will operate with much greater resilience, ensuring smoother operations and reduced downtime. Additionally, the Istio Gateway Helm chart introduces new service.selectorLabels functionality. This empowers operators with granular control, simplifying complex deployment patterns like revision-based migrations by allowing custom labels on gateway service selectors. Core component updates for proxy and ztunnel alongside nftables ensure overall stability and security. This release focuses on crucial bug fixes for multicluster environments and key enhancements for gateway management, making it a valuable upgrade for improved operational robustness and deployment agility. Review the details to leverage these improvements. ...

📋 Recommended Actions ✅ No Immediate Action Required Upgrade recommended for improved stability and corrected behavior, especially for users of Istio Gateway API and mixed IPv4/IPv6 environments. 📝 Summary Istio 1.26.4 is here, delivering essential bug fixes and stability enhancements for your service mesh deployments. This patch release addresses a critical istio-iptables issue that previously ignored IPv4 state in mixed environments, ensuring more robust traffic interception for all users. We’ve also resolved a significant bug in the tag watcher, which now correctly handles defaultRevision logic, leading to more reliable Kubernetes Gateway programming. This means your gateways will function as expected without unexpected configuration discrepancies. For HTTP/1.x traffic, a subtle but important fix prevents PreserveHttp1HeaderCase from overriding other vital protocol options, maintaining precise control over your traffic. Additionally, we’ve updated the Gateway Helm chart schema to ensure full compatibility with Helm v3.18.5 and beyond, smoothing out installation processes. Numerous dependency updates, including Kubernetes client libraries, further bolster the mesh’s foundational stability. This release focuses on refining existing functionality and ensuring a more predictable and stable Istio experience. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially if you’re leveraging Kubernetes Gateway API or istioctl proxy-status. 📝 Summary Istio 1.27.1 delivers crucial bug fixes and valuable enhancements, bolstering operational stability and testing capabilities. This release notably improves Kubernetes Gateway API adoption by fixing a tag watcher issue that caused programming failures with revisioned installs. Users of istioctl proxy-status will find a more robust experience as its behavior when no proxies are found has been fixed to prevent breaking external tooling. We’ve also added comprehensive mTLS support to the Echo server, allowing for more detailed and accurate security testing. Core component reliability sees significant boosts with fixes for traffic policy validation (especially retry_budget) and improved istio-iptables logic that correctly handles IPv4/IPv6 states. Dependency updates ensure compatibility and security. These changes collectively enhance Istio’s stability and flexibility, making it even more dependable for your cloud-native deployments. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review these updates to better support your users, especially regarding Gateway API status improvements and Ambient mesh enhancements. 📝 Summary Istio 1.26.3 rolls out important stability and compatibility enhancements across the mesh. This patch release brings significant improvements to Gateway API status reporting, ensuring more reliable and deterministic updates for HTTPRoute resources, even in multi-controller environments. Operations engineers will appreciate the increased clarity and robustness here, simplifying Gateway API management. For Ambient mesh users, this release is critical. It fixes an edge case in CNI pod deletion, preventing orphaned entries in ztunnel and boosts multi-revision deployments with revision-aware configuration filtering for Ambient waypoints. This ensures policies like AuthorizationPolicy are correctly applied based on the Istio revision. Additionally, OpenShift users gain better TProxy compatibility through automated privileged SCC assignment for test environments, addressing a key platform-specific challenge. Internal fixes in Pilot’s telemetry reinitialization and status worker pools further enhance control plane stability. These targeted updates ensure a more resilient and predictable Istio experience for both traditional and Ambient mesh deployments. ...

📋 Recommended Actions ⚠️ Action Required Immediate review of your cert-manager Helm chart deployment is required due to a significant RBAC reversion. Users relying on the ‘disableHTTPChallengesRole’ flag must update their manifests. Review the certificate name constraints fix to ensure correct certificate issuance. 📝 Summary cert-manager v1.18.2 lands with critical updates, most notably a significant reversion of RBAC changes introduced in v1.18.1. This patch release removes the global.rbac.disableHTTPChallengesRole Helm value, consolidating HTTP-01 and DNS-01 challenge-related ClusterRoles into a single, unified controller role. If your deployments relied on disableHTTPChallengesRole to limit permissions, you must immediately review and update your Helm manifests. This reversion effectively means that HTTP-01 challenge permissions, such as creating pods and services, are now always included within the primary challenge controller role, potentially granting broader permissions than you previously configured or intended. Beyond RBAC, this release also delivers a crucial bug fix. It corrects an issue where certificate name constraints for URI domains were being mistakenly interpreted as ExcludedURIDomains instead of PermittedURIDomains in generated Certificate Signing Requests. This fix ensures that your certificates are issued with the exact URI name constraints you specify, preventing unexpected validation failures. Operations engineers should promptly examine their Helm values and RBAC configurations to prevent unintended permission shifts and ensure correct certificate issuance behavior. ...

📋 Recommended Actions ⚠️ Action Required Review your Gateway API configurations, particularly AllowedRoutes.namespaces.from settings, as None is no longer supported and will cause validation errors. For pluginca users, ensure your cacerts bundle is complete to avoid istiod startup failures due to new, stricter validation. Upgrading is recommended for improved stability and security hardening. 📝 Summary Istio 1.26.1 lands with crucial updates, primarily focusing on robust Gateway API integration and enhanced security. This release promotes Gateway API to v1.3.0, alongside a critical fix that resolves istiod panics when processing complex Gateway API hostnames. Notably, a breaking change from upstream Gateway API means AllowedRoutes.namespaces.from: None is no longer valid, requiring configuration updates. ...

📋 Recommended Actions ⚠️ Action Required Immediate action is not universally required but highly recommended to review the default changes for promoted feature gates (like NameConstraints and UseDomainQualifiedFinalizer now defaulting to true) and the deprecation of ValidateCAA (now defaulting to false). Adjust your configurations as necessary to maintain desired behavior, especially if you rely on the previous implicit defaults. Consider leveraging the new literal keystore password option for simplified management. ...