Announcing Istio 1.20.3
Istio 1.20.3 patch release.
This release implements the security updates described in our February 8th post,
ISTIO-SECURITY-2024-001, along with bug fixes to improve robustness.
This release note describes what’s different between Istio 1.20.2 and 1.20.3.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
Inspect the full set of source code changes.
Improved graceful termination abort logic when the Envoy process terminates early. (Issue #36686)
Fixed an issue where updating a service’s TargetPort does not trigger an xDS push. (Issue #48580)
Fixed an issue where in-cluster analysis was unnecessarily performed when there’s no configuration change. (Issue #48665)
Fixed an issue where the webhook generated with istioctl tag set is unexpectedly removed by the installer. (Issue #47423)
Fixed a bug that results in the incorrect generation of configurations for pods without associated services, which includes all services within the same namespace. This can occasionally lead to a conflicting inbound listeners error.
Fixed a bug that made PeerAuthentication too restrictive in ambient mode.
Fixed an issue causing Istio CNI to stop functioning on minimal/locked-down nodes (such as nodes with no sh binary). The new logic runs with no external dependencies, and will attempt to continue if errors are encountered (which could be caused by things like SELinux rules). In particular, this fixes running Istio on Bottlerocket nodes. (Issue #48746)