Installation

📋 Recommended Actions ⚠️ Action Required Immediate action is required for users deploying Istio with Helm v4 (server-side apply) or those with newer Gateway API CRDs. Review the section on Helm failurePolicy to configure base.validationFailurePolicy: Fail as needed. Also, be aware of the new Gateway API CRD maximum version filter, which may ignore newer TLSRoute versions (v1.5.0+). All users should upgrade to benefit from critical security hardening and stability fixes. ...

📋 Recommended Actions ⚠️ Action Required Immediate review and upgrade are recommended to benefit from critical security hardening, traffic management improvements, and enhanced multi-cluster reliability. If using Helm with server-side apply, explicitly configure ‘base.validationFailurePolicy: Fail’ during initial installations or when templating for SSA to avoid potential webhook conflicts. During upgrades, the webhook’s ‘failurePolicy’ will be omitted from the template, preserving the runtime value. 📝 Summary Istio 1.29.2 fortifies your service mesh with significant stability, security, and multi-cluster resilience enhancements. This patch release addresses several critical bugs, including a fix for AuthorizationPolicy regex metacharacter handling and a robust improvement to JWKS URI CIDR blocking, preventing potential bypasses. Operations engineers will appreciate the improved Helm upgrade experience with server-side apply, which resolves a webhook ‘failurePolicy’ conflict and ensures smoother installations. A new CRD filter safeguards against issues with unsupported Gateway API versions, enhancing upgrade predictability. Traffic management sees key improvements: waypoints now support multiple VirtualServices for a single host, and DestinationRule ‘retryBudget’ configurations are more consistently applied. Multi-cluster deployments gain a crucial fallback mechanism for mesh configuration, ensuring continued operation even if remote mesh config is temporarily unreadable. Upgrade promptly to secure your mesh and leverage these vital operational improvements. ...

📋 Recommended Actions ⚠️ Action Required Immediate review is required due to security enhancements for Gateway API TLS secret access. Operations engineers should update to ensure gateways continue to function correctly, especially if relying on previous implicit permissions. Also, review the new ENABLE_PROXY_FIND_POD_BY_IP flag for potential future impacts. 📝 Summary Istio 1.26.5 delivers crucial security and stability enhancements. This release significantly hardens Kubernetes Gateway API TLS secret access, now requiring both namespace and service account matching for referenced secrets—a vital update for secure operations. You’ll also find improved installation flexibility as the Istio CNI no longer depends directly on Pilot, streamlining deployments. For ambient mode users, ServiceEntry named port mapping logic is now correctly aligned with sidecar behavior, resolving previous inconsistencies. Additionally, a new feature flag, ENABLE_PROXY_FIND_POD_BY_IP, grants more control over pod-proxy association, with future versions defaulting it to ‘off’. Critical bug fixes address issues like XDS cache corruption during SDS config dumps and Gateway API meshconfig reconciliation, ensuring a more robust and predictable service mesh. Review these updates promptly to maintain a secure and efficient Istio environment. ...

📋 Recommended Actions ⚠️ Action Required Immediate review required for Gateway API users managing TLS secrets. Verify existing ReferenceGrants or ServiceAccount configurations to avoid disruptions. For other users, review CNI and Ambient updates for improved reliability and multicluster stability. 📝 Summary Istio 1.27.2 hardens security for Kubernetes Gateway API users by tightening TLS secret access. Gateway API deployments now require service account matching or ReferenceGrant for TLS secrets, preventing unauthorized access to sensitive credentials. This update significantly improves CNI and Ambient mesh resilience during upgrades and reboots, with graceful handling of missing IPv6 support and decoupled CNI installation from Pilot. Critical goroutine leaks in multicluster KRT collections are also resolved, boosting stability and resource efficiency. Developers and operators will appreciate the fixed header validation allowing underscores and streamlined ServiceEntry resolution in ztunnel. This release delivers essential stability, security, and operational improvements for your Istio deployments. ...