Announcing Istio 1.24.2
Istio 1.24.2 patch release.
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.24.1 and Istio 1.24.2.
This release implements the security updates described in our 18th of December post, ISTIO-SECURITY-2024-007.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Changes
Added the
DAC_OVERRIDEcapability to theistio-cni-nodeDaemonSet. This fixes issues when running in environments where certain files are owned by non-root users. Note: prior to Istio 1.24, theistio-cni-noderan asprivileged. Istio 1.24 removed this, but removed some required privileges which are now added back. Relatively to Istio 1.23,istio-cni-nodestill has fewer privileges than it does with this change.Fixed Helm rendering to properly apply annotations on Pilot’s
ServiceAccount. (Issue #51289)Fixed an issue where
istioddid not handleRequestAuthenticationcorrectly for cross-namespace waypoint proxies. (Issue #54051)Fixed an issue where non-default revisions controlled gateways lacked
istio.io/revlabels. (Issue #54280)Fixed an issue where
ExternalNameservices failed to resolve when using ambient mode and DNS proxying.Fixed an issue preventing the
PodDisruptionBudgetmaxUnavailablefield from being configured. (Issue #54087)Fixed an issue where injection config errors were being silenced (i.e. logged and not returned) when the sidecar injector was unable to process the sidecar config. This change will now propagate the error to the user instead of continuing to process a faulty config. (Issue #53357)