Announcing Istio 1.1.7
Patch Release
We’re pleased to announce the availability of Istio 1.1.7. Please see below for what’s changed.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Security update
This release fixes CVE 2019-12243.
Bug fixes
- Fix issue where two gateways with overlapping hosts, created at the same second, can cause Pilot to fail to generate routes correctly and lead to Envoy listeners stuck indefinitely at startup in a warming state.
- Improve the robustness of the SDS node agent: if Envoy sends a SDS request with an empty
ResourceNames
, ignore it and wait for the next request instead of closing the connection (Issue 13853). - In prior releases Pilot automatically injected the experimental
envoy.filters.network.mysql_proxy
filter into the outbound filter chain if the service port name ismysql
. This was surprising and caused issues for some operators, so Pilot will now automatically inject theenvoy.filters.network.mysql_proxy
filter only if thePILOT_ENABLE_MYSQL_FILTER
environment variable is set to1
(Issue 13998). - Fix issue where Mixer policy checks were incorrectly disabled for TCP (Issue 13868).
Small enhancements
- Add
--applicationPorts
option to theingressgateway
Helm charts. When set to a comma-delimited list of ports, readiness checks will fail until all the ports become active. When configured, traffic will not be sent to Envoys stuck in the warming state. - Increase memory limit in the
ingressgateway
Helm chart to 1GB and add resourcerequest
andlimits
to the SDS node agent container to support HPA autoscaling.