Kubernetes

📋 Recommended Actions ⚠️ Action Required Immediate upgrade to Istio 1.28.5 is strongly recommended for all users due to critical security patches addressing JWT forgery, XDS debug endpoint authentication bypasses, and WasmPlugin SSRF vulnerabilities. Review changes to XDS debug endpoints if you rely on unauthenticated plaintext access, as this behavior now requires explicit configuration or authentication. 📝 Summary Istio 1.28.5 lands with crucial security updates and significant enhancements across the mesh. This release patches a critical vulnerability where Istio’s JWT authentication fallback mechanism could leak a private key, enabling attackers to forge tokens. A high-severity fix now secures XDS debug endpoints (like syncz and config_dump), preventing unauthenticated access on plaintext ports. Additionally, WasmPlugin image fetching is fortified with SSRF protection, closing another potential attack vector. Beyond security, the Gateway API sees improvements, specifically addressing issues where InferencePool configurations were lost during VirtualService merges. Ambient Mesh deployments get smarter port discovery for native sidecars, ensuring correct inbound listener configuration, and gain new flexibility with a ZtunnelNamespace flag. These updates combine critical fixes with valuable operational improvements, making 1.28.5 a vital upgrade for a more secure and robust service mesh. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is highly recommended to address CVE-2024-24791 and benefit from the latest security patches in underlying dependencies. 📝 Summary cert-manager v1.18.6 delivers critical security enhancements, primarily addressing the CVE-2024-24791 vulnerability found in the Go standard library’s HTTP/2 implementation. This high-severity fix mitigates a potential denial-of-service risk, making an immediate upgrade essential for operational security. Beyond the Go toolchain bump to 1.24.13, this release also incorporates refreshed distroless base images (Debian 12). These updates bring the latest security patches from the Debian ecosystem, ensuring a more robust and secure runtime environment for your cert-manager deployments. No new features or breaking changes are introduced; this is a focused stability and security release. Operations engineers should prioritize this update to safeguard their Kubernetes clusters and maintain certificate issuance integrity. Review the release notes for full details. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address the OpenTelemetry security vulnerability (GO-2026-4394) and to benefit from the latest Go runtime and base image security updates. 📝 Summary Cert-manager v1.19.4 brings crucial security and maintenance updates, bolstering the reliability of your certificate management. This release addresses a medium-severity OpenTelemetry vulnerability (GO-2026-4394) related to sensitive data exposure in HTTP headers, making an upgrade vital for enhanced security posture. We’ve also updated the Go runtime to version 1.25.7, incorporating the latest performance improvements and bug fixes. Furthermore, all base images have been refreshed to Debian 12, ensuring cert-manager components run on the most current and secure foundations. These updates are essential for maintaining a stable and secure Kubernetes environment. Upgrade soon to protect your clusters and leverage these core improvements. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade to Istio 1.28.4 is strongly recommended to address critical security vulnerabilities and enhance mesh stability. Operations engineers should review the new debug endpoint authorization policy (enabled by default) and consider its impact on existing monitoring or tooling that accesses Istiod debug endpoints from non-system namespaces. Enabling ambient.enableAmbientDetectionRetry in the CNI chart is also recommended for increased ambient mesh robustness against transient failures. ...

📋 Recommended Actions ⚠️ Action Required Immediate action required for environments utilizing debug endpoints from non-system namespaces, or if you’re using sidecar.istio.io/proxy* annotations. Review upgrade notes carefully for the debug endpoint authorization feature. For all users, upgrading is strongly recommended to apply critical security fixes and enhancements. 📝 Summary Istio 1.27.6 rolls out critical security enhancements, significantly bolstering the control plane’s resilience against potential vulnerabilities. This patch release introduces robust safeguards to the gateway deployment controller, preventing unauthorized resource creation via template injection. Furthermore, a critical fix addresses a template injection vector in sidecar.istio.io/proxy* annotations, rejecting malicious control characters. Security around debug endpoints is tightened, with namespace-based authorization now enabled by default, restricting access from non-system namespaces. This change requires review if your tooling interacts with these endpoints. Lastly, a bug fix ensures correct application of minimum TLS protocol versions. These updates collectively enhance Istio’s security posture and gateway management, making this a vital upgrade for all deployments. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is recommended to address a high-severity DNS-01 solver stability issue (GHSA-gx3x-vq4p-mhhv) and ensure robust certificate issuance validation. 📝 Summary Cert-manager v1.18.5 delivers critical updates. It fixes a high-severity DNS-01 solver panic (GHSA-gx3x-vq4p-mhhv), preventing service disruptions. It also adds robust validation for issued certificates, ensuring public keys match CSRs, and improves HTTP-01 IPv6 handling. Upgrade now for enhanced stability and security! 🔒 High-Severity Fix: ACME DNS-01 Solver Panic (GHSA-gx3x-vq4p-mhhv) A critical vulnerability identified as GHSA-gx3x-vq4p-mhhv has been addressed in this release, preventing potential denial-of-service scenarios for the ACME DNS-01 solver. Previously, the solver would incorrectly assume that DNS SOA records would always be the first entry in a DNS query response. If a DNS provider returned the SOA record at a different position, cert-manager’s DNS-01 solver could panic and crash, making it unable to process new challenges and disrupting certificate issuance. ...

📋 Recommended Actions ⚠️ Action Required Immediate review recommended for all users. Upgrade promptly to benefit from critical security hardening, fix potential denial-of-service vectors, and enhance certificate issuance reliability. 📝 Summary cert-manager v1.19.3 delivers crucial security enhancements and improved issuance robustness. This release directly addresses GHSA-gx3x-vq4p-mhhv, preventing a potential panic in the ACME DNS solver that could lead to denial-of-service. This high-severity fix solidifies the reliability of your ACME challenges. We’ve also introduced a vital new check: certificate issuance will now fail if the public key in the signed certificate doesn’t match the original Certificate Signing Request (CSR). This prevents infinite re-issuance loops with misconfigured external issuers, ensuring cryptographic integrity. Furthermore, the HTTP-01 solver gained more robust handling of IPv6 address literals, improving compliance and reliability for diverse network configurations. Essential tooling updates, including Go 1.25.6 and Kind 0.31.0, round out this focused release. Upgrade to boost the security and stability of your certificate management. ...

📋 Recommended Actions ⚠️ Action Required For users leveraging Istio’s ambient multicluster, an immediate upgrade is highly recommended to address persistent informer errors and improve stability. All users should review the new gateway Helm chart feature for enhanced deployment flexibility. 📝 Summary Istio 1.28.3 significantly bolsters ambient multicluster reliability, rectifying a critical issue where remote cluster informer errors previously necessitated an Istiod restart. This update means your multicluster deployments will operate with much greater resilience, ensuring smoother operations and reduced downtime. Additionally, the Istio Gateway Helm chart introduces new service.selectorLabels functionality. This empowers operators with granular control, simplifying complex deployment patterns like revision-based migrations by allowing custom labels on gateway service selectors. Core component updates for proxy and ztunnel alongside nftables ensure overall stability and security. This release focuses on crucial bug fixes for multicluster environments and key enhancements for gateway management, making it a valuable upgrade for improved operational robustness and deployment agility. Review the details to leverage these improvements. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially if using headless services with multiple IPs in a multicluster setup. 📝 Summary Istio 1.27.5 delivers a crucial bug fix, significantly improving DNS resolution for headless services. This update addresses an issue where pods with multiple IP addresses in headless service configurations, especially across multicluster setups, were not always correctly represented in the DNS name table. Now, Istio ensures all relevant IP addresses are correctly aggregated and prioritized for local clusters, providing more reliable service discovery. This means your applications will experience more robust connectivity to headless services. Additionally, this release includes important dependency bumps for core components like proxy, ztunnel, istio.io/api, and istio.io/client-go, along with updated build tools. These maintenance updates ensure stability, performance, and compatibility within the Istio ecosystem. Review these changes to understand their impact on your deployments. ...

📋 Recommended Actions ⚠️ Action Required Upgrade to Istio 1.28.2 after carefully reviewing the new minimum Kubernetes version requirement (1.30). Existing Ambient mode users planning nftables migration should be aware of the new safe fallback mechanism. 📝 Summary Istio 1.28.2 delivers crucial updates, enhancing stability and streamlining operations. Critically, the minimum required Kubernetes version has been bumped to 1.30, a change requiring pre-upgrade validation. For Ambient mode, a new intelligent fallback ensures smoother migrations from iptables to nftables, preventing network disruptions by detecting existing artifacts and temporarily sticking to iptables until node reboot. DNS resolution for headless services sees significant improvement, now correctly handling pods with multiple IPs and prioritizing local cluster endpoints for multi-cluster setups. Additionally, a long-standing bug preventing proxy startup when sidecar.istio.io/statsEvictionInterval was 60 seconds or more has been resolved. Updates to the KRT library also improve internal data processing, setting the stage for more robust configurations. Review these changes to ensure a seamless upgrade and optimized mesh. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is strongly recommended to address multiple high-severity security vulnerabilities. Review updates to the vendored ACME client, particularly the deprecation of TLS-SNI-01 and TLS-SNI-02 challenge types, which may impact custom ACME integrations. 📝 Summary cert-manager v1.18.4 lands with vital security fixes and significant ACME protocol updates. This release addresses multiple high-severity CVEs in the underlying Go toolchain and various golang.org/x dependencies, demanding your prompt attention to safeguard your Kubernetes clusters. Beyond security, we’ve refined ACME challenge handling, notably deprecating the insecure TLS-SNI-01 and TLS-SNI-02 challenge types. On the bright side, TLS-ALPN-01 now gracefully supports IP address identifiers, expanding its utility for diverse network configurations. Core components also see a Go version bump and updated distroless base images, boosting overall stability. Upgrade now to secure your certificate management and benefit from improved ACME capabilities. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address critical security vulnerabilities. Operations engineers must also review their Helm chart configurations for nodeSelector behavior changes to avoid deployment disruptions. 📝 Summary cert-manager v1.19.2 is here, bringing crucial security updates and significant internal modernization. This release patches several identified vulnerabilities, including CVE-2025-61727, CVE-2025-61729, CVE-2025-47914, and CVE-2025-58181 through updates to the Go runtime and core golang.org/x dependencies. This enhances overall security. A key change for Helm users is how nodeSelector values merge; component-specific selectors now merge with global ones, overriding specific keys, which requires a review of existing deployments. This release also removes the outdated autocert package, signaling a move towards modern, secure ACME challenge handling by deprecating insecure TLS-SNI-01/TLS-SNI-02 challenges and improving TLS-ALPN-01 for IP addresses. Upgrade promptly to secure your clusters and review Helm configurations. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users. 📝 Summary Istio 1.27.4 delivers a targeted release focused on bolstering the stability and reliability of the control plane, particularly for Gateway API users and those with multi-revision deployments. This update resolves critical issues such as route resource status conflicts in multi-revision setups, preventing inconsistent states. Users leveraging the experimental XListenerSet will find TLS secret access fixed, ensuring secure gateway configurations. Furthermore, a crucial bug where HTTPS servers could impede HTTP route creation on the same port but different bind addresses has been eliminated, enabling more flexible deployments. Networking stack improvements include fixes for nftables TPROXY rules and faster CNI repair for better packet capture and pod readiness. These 10+ targeted fixes enhance overall operational predictability and resource management for Istio users, improving the robustness of your service mesh. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is highly recommended for all users to benefit from critical stability fixes, especially concerning multi-revision deployments and Gateway API status reporting. Review new InferencePool capabilities to enhance AI/ML workloads. 📝 Summary Istio 1.28.1 delivers essential stability fixes and powerful Gateway API enhancements. This patch release addresses critical issues in multi-revision environments, preventing status conflicts for Gateway API resources like HTTPRoutes. It also resolves a persistent SDS (Secret Discovery Service) WARMING state bug, crucial for secure certificate management. Ambient Mesh users will find significant improvements in service overlap resolution, ensuring Kubernetes Services take precedence over ServiceEntries, and more accurate endpoint discovery within scoped networks. A long-standing bug preventing HTTP servers from routing on the same port as an HTTPS server (but with different binds) has been fixed, enhancing gateway flexibility. Furthermore, the Gateway API Inference Extension now supports multiple targetPorts, a key feature for modern AI/ML workloads. Multiple dependency bumps and cleanup items are also included. Upgrading is a straightforward step to ensure a more robust and predictable Istio deployment. ...

📋 Recommended Actions ⚠️ Action Required Immediate review and upgrade recommended to incorporate the latest proxy stability and potential security enhancements. 📝 Summary Istio 1.26.6 delivers a crucial stability and performance update. This patch primarily refreshes the underlying Envoy proxy, incorporating the latest fixes and improvements from the Envoy ‘release-1.26’ branch. While this is a focused update with no new features, it’s vital for ensuring your service mesh benefits from enhanced proxy robustness and potential upstream security patches. Operations engineers should review this release promptly and plan for a timely upgrade to maintain optimal performance and security posture. This release reinforces Istio’s foundation, ensuring your applications run on the most stable and secure proxy available in the 1.26 series. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially regarding istio-iptables compatibility. 📝 Summary Istio 1.27.3 delivers focused enhancements, prioritizing stability and compatibility for critical components. This release refines the istio-iptables tool, removing reliance on the comment iptables module for kernel capability checks. This small but significant change improves compatibility across diverse Linux kernel environments, reducing potential issues during proxy initialization. Additionally, the release incorporates a routine update to the underlying Envoy proxy, ensuring users benefit from the latest upstream fixes and performance improvements. While there are no breaking changes or critical security vulnerabilities identified in this specific patch, these regular dependency bumps are vital for maintaining the robust health of your service mesh. Users can anticipate greater operational resilience, particularly in environments with stricter kernel module policies. This version is a maintenance release, reinforcing the 1.27 branch with targeted, incremental improvements. Plan your upgrades to leverage these subtle yet impactful updates. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. This release primarily provides stability and quality-of-life improvements. Review the updates to leverage enhanced certificate handling and improve your troubleshooting experience. 📝 Summary cert-manager(v1.18.3) boosts reliability and user experience. It now supports significantly larger certificates and chains, crucial for complex deployments with many SANs. A critical fix prevents unnecessary certificate re-issuance stemming from IssuerRef defaulting. Plus, clearer error messages for malformed PEM data greatly simplify troubleshooting. Upgrade for a more stable and robust certificate management experience. ...

📋 Recommended Actions ⚠️ Action Required ⚠️ Action Required Review your IssuerRef configurations and any external tooling that interacts with cert-manager APIs. The Kubernetes API server no longer injects default kind (‘Issuer’) and group (‘cert-manager.io’) for IssuerRef fields in CRDs. While cert-manager itself handles these internally, external clients might need updates to handle potentially empty kind or group fields. 📝 Summary This release for cert-manager v1.19.1 delivers crucial API consistency and stability improvements, primarily revolving around IssuerReference defaulting. We’ve reverted the behavior where the Kubernetes API server would automatically inject default kind and group values for IssuerRef in CRDs. This means that if you omit these fields, the API server will now store them as empty. While this is an important change for external tooling relying on API server-side defaulting, cert-manager’s internal controllers have been enhanced to seamlessly handle these empty fields at runtime, maintaining expected behavior. We’ve also updated the RequestMatchesSpec logic to prevent unnecessary certificate re-issuances when only default IssuerRef values change. Key dependency updates include sigs.k8s.io/controller-runtime to v0.22.3, github.com/Venafi/vcert/v5 to v5.12.2, and Go to 1.25.3. This update ensures better API predictability and internal stability. Review your workflows, especially if external tools process cert-manager resources and expect API-injected defaults. Immediate action isn’t required for core functionality, but client-side adjustments might be. ...

📋 Recommended Actions ⚠️ Action Required Immediate review is required due to security enhancements for Gateway API TLS secret access. Operations engineers should update to ensure gateways continue to function correctly, especially if relying on previous implicit permissions. Also, review the new ENABLE_PROXY_FIND_POD_BY_IP flag for potential future impacts. 📝 Summary Istio 1.26.5 delivers crucial security and stability enhancements. This release significantly hardens Kubernetes Gateway API TLS secret access, now requiring both namespace and service account matching for referenced secrets—a vital update for secure operations. You’ll also find improved installation flexibility as the Istio CNI no longer depends directly on Pilot, streamlining deployments. For ambient mode users, ServiceEntry named port mapping logic is now correctly aligned with sidecar behavior, resolving previous inconsistencies. Additionally, a new feature flag, ENABLE_PROXY_FIND_POD_BY_IP, grants more control over pod-proxy association, with future versions defaulting it to ‘off’. Critical bug fixes address issues like XDS cache corruption during SDS config dumps and Gateway API meshconfig reconciliation, ensuring a more robust and predictable service mesh. Review these updates promptly to maintain a secure and efficient Istio environment. ...

📋 Recommended Actions ⚠️ Action Required Immediate review required for Gateway API users managing TLS secrets. Verify existing ReferenceGrants or ServiceAccount configurations to avoid disruptions. For other users, review CNI and Ambient updates for improved reliability and multicluster stability. 📝 Summary Istio 1.27.2 hardens security for Kubernetes Gateway API users by tightening TLS secret access. Gateway API deployments now require service account matching or ReferenceGrant for TLS secrets, preventing unauthorized access to sensitive credentials. This update significantly improves CNI and Ambient mesh resilience during upgrades and reboots, with graceful handling of missing IPv6 support and decoupled CNI installation from Pilot. Critical goroutine leaks in multicluster KRT collections are also resolved, boosting stability and resource efficiency. Developers and operators will appreciate the fixed header validation allowing underscores and streamlined ServiceEntry resolution in ztunnel. This release delivers essential stability, security, and operational improvements for your Istio deployments. ...