Iptables

📋 Recommended Actions ⚠️ Action Required For users leveraging Istio’s ambient multicluster, an immediate upgrade is highly recommended to address persistent informer errors and improve stability. All users should review the new gateway Helm chart feature for enhanced deployment flexibility. 📝 Summary Istio 1.28.3 significantly bolsters ambient multicluster reliability, rectifying a critical issue where remote cluster informer errors previously necessitated an Istiod restart. This update means your multicluster deployments will operate with much greater resilience, ensuring smoother operations and reduced downtime. Additionally, the Istio Gateway Helm chart introduces new service.selectorLabels functionality. This empowers operators with granular control, simplifying complex deployment patterns like revision-based migrations by allowing custom labels on gateway service selectors. Core component updates for proxy and ztunnel alongside nftables ensure overall stability and security. This release focuses on crucial bug fixes for multicluster environments and key enhancements for gateway management, making it a valuable upgrade for improved operational robustness and deployment agility. Review the details to leverage these improvements. ...

📋 Recommended Actions ⚠️ Action Required Upgrade to Istio 1.28.2 after carefully reviewing the new minimum Kubernetes version requirement (1.30). Existing Ambient mode users planning nftables migration should be aware of the new safe fallback mechanism. 📝 Summary Istio 1.28.2 delivers crucial updates, enhancing stability and streamlining operations. Critically, the minimum required Kubernetes version has been bumped to 1.30, a change requiring pre-upgrade validation. For Ambient mode, a new intelligent fallback ensures smoother migrations from iptables to nftables, preventing network disruptions by detecting existing artifacts and temporarily sticking to iptables until node reboot. DNS resolution for headless services sees significant improvement, now correctly handling pods with multiple IPs and prioritizing local cluster endpoints for multi-cluster setups. Additionally, a long-standing bug preventing proxy startup when sidecar.istio.io/statsEvictionInterval was 60 seconds or more has been resolved. Updates to the KRT library also improve internal data processing, setting the stage for more robust configurations. Review these changes to ensure a seamless upgrade and optimized mesh. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially regarding istio-iptables compatibility. 📝 Summary Istio 1.27.3 delivers focused enhancements, prioritizing stability and compatibility for critical components. This release refines the istio-iptables tool, removing reliance on the comment iptables module for kernel capability checks. This small but significant change improves compatibility across diverse Linux kernel environments, reducing potential issues during proxy initialization. Additionally, the release incorporates a routine update to the underlying Envoy proxy, ensuring users benefit from the latest upstream fixes and performance improvements. While there are no breaking changes or critical security vulnerabilities identified in this specific patch, these regular dependency bumps are vital for maintaining the robust health of your service mesh. Users can anticipate greater operational resilience, particularly in environments with stricter kernel module policies. This version is a maintenance release, reinforcing the 1.27 branch with targeted, incremental improvements. Plan your upgrades to leverage these subtle yet impactful updates. ...

📋 Recommended Actions ⚠️ Action Required Immediate review required for Gateway API users managing TLS secrets. Verify existing ReferenceGrants or ServiceAccount configurations to avoid disruptions. For other users, review CNI and Ambient updates for improved reliability and multicluster stability. 📝 Summary Istio 1.27.2 hardens security for Kubernetes Gateway API users by tightening TLS secret access. Gateway API deployments now require service account matching or ReferenceGrant for TLS secrets, preventing unauthorized access to sensitive credentials. This update significantly improves CNI and Ambient mesh resilience during upgrades and reboots, with graceful handling of missing IPv6 support and decoupled CNI installation from Pilot. Critical goroutine leaks in multicluster KRT collections are also resolved, boosting stability and resource efficiency. Developers and operators will appreciate the fixed header validation allowing underscores and streamlined ServiceEntry resolution in ztunnel. This release delivers essential stability, security, and operational improvements for your Istio deployments. ...

📋 Recommended Actions ✅ No Immediate Action Required Upgrade recommended for improved stability and corrected behavior, especially for users of Istio Gateway API and mixed IPv4/IPv6 environments. 📝 Summary Istio 1.26.4 is here, delivering essential bug fixes and stability enhancements for your service mesh deployments. This patch release addresses a critical istio-iptables issue that previously ignored IPv4 state in mixed environments, ensuring more robust traffic interception for all users. We’ve also resolved a significant bug in the tag watcher, which now correctly handles defaultRevision logic, leading to more reliable Kubernetes Gateway programming. This means your gateways will function as expected without unexpected configuration discrepancies. For HTTP/1.x traffic, a subtle but important fix prevents PreserveHttp1HeaderCase from overriding other vital protocol options, maintaining precise control over your traffic. Additionally, we’ve updated the Gateway Helm chart schema to ensure full compatibility with Helm v3.18.5 and beyond, smoothing out installation processes. Numerous dependency updates, including Kubernetes client libraries, further bolster the mesh’s foundational stability. This release focuses on refining existing functionality and ensuring a more predictable and stable Istio experience. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially if you’re leveraging Kubernetes Gateway API or istioctl proxy-status. 📝 Summary Istio 1.27.1 delivers crucial bug fixes and valuable enhancements, bolstering operational stability and testing capabilities. This release notably improves Kubernetes Gateway API adoption by fixing a tag watcher issue that caused programming failures with revisioned installs. Users of istioctl proxy-status will find a more robust experience as its behavior when no proxies are found has been fixed to prevent breaking external tooling. We’ve also added comprehensive mTLS support to the Echo server, allowing for more detailed and accurate security testing. Core component reliability sees significant boosts with fixes for traffic policy validation (especially retry_budget) and improved istio-iptables logic that correctly handles IPv4/IPv6 states. Dependency updates ensure compatibility and security. These changes collectively enhance Istio’s stability and flexibility, making it even more dependable for your cloud-native deployments. ...