istio(1.29.4): Critical Ambient Mesh Fixes, Gateway API Improvements, and Enhanced Stability

๐Ÿ“‹ Recommended Actions โš ๏ธ Action Required Immediate upgrade is recommended. Critical bugs affecting Ambient mesh traffic distribution and CNI stability have been fixed. Review Gateway API header validation changes and unmanaged Gateway SA behavior. ๐Ÿ“ Summary Istio 1.29.4 delivers crucial stability and correctness enhancements, particularly for Ambient mesh deployments and Gateway API users. This patch release resolves a critical bug where PreferSameZone or PreferSameNode traffic distribution, combined with publishNotReadyAddresses: true, could lead to traffic being routed to unready endpoints cluster-wide. Another significant fix addresses a concurrent map writes panic in the CNI agent, improving Ambient mesh robustness. Gateway API users benefit from new header validation logic, preventing silently dropped configurations and providing clearer feedback for invalid HTTPRoute and GRPCRoute header values. Multi-network Ambient ingress routing also sees improvements, ensuring correct waypoint traversal based on configuration. This release also streamlines HTTP/2 handling and includes numerous dependency updates, reinforcing overall platform reliability. Upgrade now to secure these vital fixes and bolster your Istio environment. ...

June 4, 2026 · Daniel Grenemark

istio(1.29.3): Security Hardening, Ambient Mesh Fixes, and Policy Enhancements

๐Ÿ“‹ Recommended Actions โš ๏ธ Action Required Immediate patching is highly recommended to address critical security vulnerabilities related to authorization bypasses. Operations engineers should review the updated Ambient Mesh configurations for AWS deployments and consider tuning HBONE window sizes for performance. Review istioctl analyze output for new JWKS URI security warnings. ๐Ÿ“ Summary Istio 1.29.3 lands with crucial security fixes, fortifying your mesh against potential bypasses. This release tackles an authorization policy regex vulnerability, ensuring principal and namespace matching behaves as intended. It also tightens XDS debug endpoint access, preventing cross-namespace information exposure for non-system callers. Plus, leaf certificates now respect CA validity, preventing expired cert usage. AWS EKS users with Security Groups for Pods get a critical fix for kubelet health probe failures in Ambient Mesh, ensuring smoother operations. Weโ€™ve also added configurable HTTP/2 window sizes for HBONE, offering fine-tuned performance. Tooling improves with a new istioctl analyze warning for JWKS URI security, better handling of Helm webhook failurePolicy during upgrades, and enhanced proxy resource injection for null values. Several core bug fixes, including a multicluster secret controller deadlock and robust Kubernetes secret rotation, contribute to overall stability. ...

May 18, 2026 · Daniel Grenemark

istio(1.29.1): Critical Security Patches, Gateway API Enhancements, and Ambient Mesh Stability

๐Ÿ“‹ Recommended Actions โš ๏ธ Action Required Immediate patching is strongly recommended to address critical security vulnerabilities, especially the JWKS private key leak and XDS debug endpoint authentication bypass. Review all updates to ensure smooth operation and leverage new features. ๐Ÿ“ Summary Istio 1.29.1 delivers crucial security fixes, fortifying your mesh against potential exploits. This release patches a critical JWKS private key leak, preventing attackers from forging JWT tokens, and tightens authentication on XDS debug endpoints. Gateway API users will appreciate enhanced CORS wildcard handling and robust backend policy dependency tracking. For ambient mode, a panic with cross-network WorkloadEntries has been resolved, along with a fix for TLS inspection on exclusively TLS ports, improving routing reliability. Deployments now correctly handle null or zero resource limits, eliminating validation errors. Additional improvements include IP allocator stability, SSRF protection in WasmPlugin image fetching, and various nil-pointer dereference fixes, ensuring a more resilient and secure Istio experience. Upgrade promptly to secure your environment. ...

March 10, 2026 · Daniel Grenemark

istio(1.27.4): Enhanced Gateway API Stability and Core Control Plane Reliability

📋 Recommended Actions
✅ No Immediate Action Required: Review the updates to better support your users.

📝 Summary
Istio 1.27.4 is a targeted release focused on the stability and reliability of the control plane, particularly for Gateway API users and multi-revision deployments. It resolves route resource status conflicts in multi-revision setups, which previously left resources in an inconsistent state. Users of the experimental XListenerSet will find TLS secret access fixed, ensuring secure gateway configurations. A bug where an HTTPS server could block HTTP route creation on the same port but a different bind address has also been eliminated, enabling more flexible deployments. Networking stack improvements include fixes for nftables TPROXY rules and faster CNI repair for better packet capture and pod readiness. These 10+ targeted fixes improve operational predictability and resource management across the mesh. ...

December 3, 2025 · Daniel Grenemark

istio(1.27.2): Enhanced Gateway Security, CNI Resilience, and Multicluster Stability

๐Ÿ“‹ Recommended Actions โš ๏ธ Action Required Immediate review required for Gateway API users managing TLS secrets. Verify existing ReferenceGrants or ServiceAccount configurations to avoid disruptions. For other users, review CNI and Ambient updates for improved reliability and multicluster stability. ๐Ÿ“ Summary Istio 1.27.2 hardens security for Kubernetes Gateway API users by tightening TLS secret access. Gateway API deployments now require service account matching or ReferenceGrant for TLS secrets, preventing unauthorized access to sensitive credentials. This update significantly improves CNI and Ambient mesh resilience during upgrades and reboots, with graceful handling of missing IPv6 support and decoupled CNI installation from Pilot. Critical goroutine leaks in multicluster KRT collections are also resolved, boosting stability and resource efficiency. Developers and operators will appreciate the fixed header validation allowing underscores and streamlined ServiceEntry resolution in ztunnel. This release delivers essential stability, security, and operational improvements for your Istio deployments. ...

October 13, 2025 · Daniel Grenemark

istio(1.26.4): Critical Bug Fixes for Gateway, Traffic Management, and Helm Chart Stability

📋 Recommended Actions
✅ No Immediate Action Required: Upgrade is recommended for improved stability and corrected behavior, especially for users of the Istio Gateway API and mixed IPv4/IPv6 environments.

📝 Summary
Istio 1.26.4 delivers bug fixes and stability enhancements for service mesh deployments. This patch release addresses an istio-iptables issue that previously ignored IPv4 state in mixed environments, making traffic interception more robust. We've also resolved a bug in the tag watcher, which now correctly handles defaultRevision logic, leading to more reliable Kubernetes Gateway programming without unexpected configuration discrepancies. For HTTP/1.x traffic, a subtle but important fix prevents PreserveHttp1HeaderCase from overriding other protocol options, maintaining precise control over your traffic. Additionally, the Gateway Helm chart schema has been updated for full compatibility with Helm v3.18.5 and later, smoothing installation. Numerous dependency updates, including Kubernetes client libraries, further bolster the mesh's foundational stability. This release focuses on refining existing functionality and ensuring a more predictable Istio experience. ...

September 3, 2025 · Daniel Grenemark

istio(1.27.1): Gateway API Stability, mTLS Echo Support, and Key Bug Fixes

📋 Recommended Actions
✅ No Immediate Action Required: Review the updates to better support your users, especially if you're using the Kubernetes Gateway API or istioctl proxy-status.

📝 Summary
Istio 1.27.1 delivers bug fixes and enhancements that improve operational stability and testing capabilities. This release improves Kubernetes Gateway API adoption by fixing a tag watcher issue that caused programming failures with revisioned installs. The behavior of istioctl proxy-status when no proxies are found has been fixed so that it no longer breaks external tooling. We've also added mTLS support to the Echo server, allowing more detailed and accurate security testing. Core component reliability improves with fixes for traffic policy validation (especially retry_budget) and istio-iptables logic that now correctly handles IPv4/IPv6 state. Dependency updates ensure compatibility and security. Together these changes make Istio more stable and dependable for cloud-native deployments. ...

September 3, 2025 · Daniel Grenemark

istio(1.26.1): Gateway API v1.3 Support, Enhanced CA Bundle Validation, and Istioctl Fixes

๐Ÿ“‹ Recommended Actions โš ๏ธ Action Required Review your Gateway API configurations, particularly AllowedRoutes.namespaces.from settings, as None is no longer supported and will cause validation errors. For pluginca users, ensure your cacerts bundle is complete to avoid istiod startup failures due to new, stricter validation. Upgrading is recommended for improved stability and security hardening. ๐Ÿ“ Summary Istio 1.26.1 lands with crucial updates, primarily focusing on robust Gateway API integration and enhanced security. This release promotes Gateway API to v1.3.0, alongside a critical fix that resolves istiod panics when processing complex Gateway API hostnames. Notably, a breaking change from upstream Gateway API means AllowedRoutes.namespaces.from: None is no longer valid, requiring configuration updates. ...

May 29, 2025 · Daniel Grenemark