Validation

📋 Recommended Actions ⚠️ Action Required Immediate review required for Gateway API users managing TLS secrets. Verify existing ReferenceGrants or ServiceAccount configurations to avoid disruptions. For other users, review CNI and Ambient updates for improved reliability and multicluster stability. 📝 Summary Istio 1.27.2 hardens security for Kubernetes Gateway API users by tightening TLS secret access. Gateway API deployments now require service account matching or ReferenceGrant for TLS secrets, preventing unauthorized access to sensitive credentials. This update significantly improves CNI and Ambient mesh resilience during upgrades and reboots, with graceful handling of missing IPv6 support and decoupled CNI installation from Pilot. Critical goroutine leaks in multicluster KRT collections are also resolved, boosting stability and resource efficiency. Developers and operators will appreciate the fixed header validation allowing underscores and streamlined ServiceEntry resolution in ztunnel. This release delivers essential stability, security, and operational improvements for your Istio deployments. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade recommended to ensure certificate name constraints are correctly applied, enhancing the security and validity of issued certificates. cert-manager v1.17.4 is a targeted patch release addressing a critical bug in how URI name constraints are applied during certificate signing request (CSR) generation. Previously, Permitted.URIDomains were incorrectly treated as excluded, potentially leading to misconfigurations in certificate issuance policies. This fix ensures that your defined URI name constraints are honored as intended, bolstering the integrity and security of your issued certificates. ...

📋 Recommended Actions ⚠️ Action Required Review your Gateway API configurations, particularly AllowedRoutes.namespaces.from settings, as None is no longer supported and will cause validation errors. For pluginca users, ensure your cacerts bundle is complete to avoid istiod startup failures due to new, stricter validation. Upgrading is recommended for improved stability and security hardening. 📝 Summary Istio 1.26.1 lands with crucial updates, primarily focusing on robust Gateway API integration and enhanced security. This release promotes Gateway API to v1.3.0, alongside a critical fix that resolves istiod panics when processing complex Gateway API hostnames. Notably, a breaking change from upstream Gateway API means AllowedRoutes.namespaces.from: None is no longer valid, requiring configuration updates. ...

📋 Recommended Actions ⚠️ Action Required Immediate action is not universally required but highly recommended to review the default changes for promoted feature gates (like NameConstraints and UseDomainQualifiedFinalizer now defaulting to true) and the deprecation of ValidateCAA (now defaulting to false). Adjust your configurations as necessary to maintain desired behavior, especially if you rely on the previous implicit defaults. Consider leveraging the new literal keystore password option for simplified management. ...