WASM

📋 Recommended Actions ⚠️ Action Required Immediate action is required for users deploying Istio with Helm v4 (server-side apply) or those with newer Gateway API CRDs. Review the section on Helm failurePolicy to configure base.validationFailurePolicy: Fail as needed. Also, be aware of the new Gateway API CRD maximum version filter, which may ignore newer TLSRoute versions (v1.5.0+). All users should upgrade to benefit from critical security hardening and stability fixes. ...

📋 Recommended Actions ⚠️ Action Required Immediate review and upgrade are recommended to benefit from critical security hardening, traffic management improvements, and enhanced multi-cluster reliability. If using Helm with server-side apply, explicitly configure ‘base.validationFailurePolicy: Fail’ during initial installations or when templating for SSA to avoid potential webhook conflicts. During upgrades, the webhook’s ‘failurePolicy’ will be omitted from the template, preserving the runtime value. 📝 Summary Istio 1.29.2 fortifies your service mesh with significant stability, security, and multi-cluster resilience enhancements. This patch release addresses several critical bugs, including a fix for AuthorizationPolicy regex metacharacter handling and a robust improvement to JWKS URI CIDR blocking, preventing potential bypasses. Operations engineers will appreciate the improved Helm upgrade experience with server-side apply, which resolves a webhook ‘failurePolicy’ conflict and ensures smoother installations. A new CRD filter safeguards against issues with unsupported Gateway API versions, enhancing upgrade predictability. Traffic management sees key improvements: waypoints now support multiple VirtualServices for a single host, and DestinationRule ‘retryBudget’ configurations are more consistently applied. Multi-cluster deployments gain a crucial fallback mechanism for mesh configuration, ensuring continued operation even if remote mesh config is temporarily unreadable. Upgrade promptly to secure your mesh and leverage these vital operational improvements. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is strongly recommended to address critical security vulnerabilities, especially the JWKS private key leak and XDS debug endpoint authentication bypass. Review all updates to ensure smooth operation and leverage new features. 📝 Summary Istio 1.29.1 delivers crucial security fixes, fortifying your mesh against potential exploits. This release patches a critical JWKS private key leak, preventing attackers from forging JWT tokens, and tightens authentication on XDS debug endpoints. Gateway API users will appreciate enhanced CORS wildcard handling and robust backend policy dependency tracking. For ambient mode, a panic with cross-network WorkloadEntries has been resolved, along with a fix for TLS inspection on exclusively TLS ports, improving routing reliability. Deployments now correctly handle null or zero resource limits, eliminating validation errors. Additional improvements include IP allocator stability, SSRF protection in WasmPlugin image fetching, and various nil-pointer dereference fixes, ensuring a more resilient and secure Istio experience. Upgrade promptly to secure your environment. ...