Announcing Istio 1.6.1
Istio 1.6.1 patch release.
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.6.0 and Istio 1.6.1.
- Fixed support for pod annotations to override mesh-wide proxy settings
- EnvoyFilter to register all filter types in order to support typed_config attributes (Issue 23909)
- Fixed handling of custom resource names for Gateways (Issue 23303)
- Fixed an issue where istiod fails to issue certificates to a remote cluster. Istiod now has support for the cluster name and certificate to generate the
- Fixed remote cluster’s validation controller to check istiod’s ready status endpoint (Issue 23945)
- regexp fields validation to match Envoy’s validation (Issue 23436)
- istioctl analyze to validate networking.istio.io/v1beta1 resources (Issue 24064)
- Fixed typo of ControlZ dashboard log (Issue 24039)
- Fixed tar name to directory translation (Issue 23635)
- Improved certificate management for multi-cluster and virtual machine setup from
- pilot-agent’s handling of client certificates when only a CA client certificate is present
- istioctl upgrade to direct users to the istio.io website to migrate from v1alpha1 security policies to
- Fixed release URL name for
- k8s.overlays for cluster resources
- HTTP/HTTP2 conflict at Gateway (Issue 24061 and Issue 19690)
- Fixed Istio operator to respect the --operatorNamespace argument (Issue 24073)
- Fixed Istio operator hanging when uninstalling Istio (Issue 24038)
- Fixed TCP metadata exchange for upstream clusters that specify
- Improved installation for replicated control planes (Issue 23871)
- istioctl experimental precheck to report compatible versions of Kubernetes (1.14-1.18) (Issue 24132)
- Fixed Istio operator namespace mismatches that caused a resource leak when pruning resources (Issue 24222)
- Fixed SDS Agent failing to start when proxy uses file mounted certs for Gateways (Issue 23646)
- Fixed TCP over HTTP conflicts that caused invalid configuration to be generated (Issue 24084)
- Fixed the use of external name when remote Pilot address is a hostname (Issue 24155)
- Fixed Istio CNI node DaemonSet starting when Istio CNI and cos_containerd are enabled on Google Kubernetes Engine (GKE) (Issue 23643)
- Fixed Istio CNI causing pod initialization to experience a 30-40 second delay on startup when DNS unreachable (Issue 23770)
- Improved Google Stackdriver telemetry use of UIDs with GCE VMs
- Improved telemetry plugins to not crash due to invalid configuration (Issue 23865)
- Fixed a proxy sidecar segfault when the response to HTTP calls by WASM filters is empty (Issue 23890)
- Fixed a proxy sidecar segfault while parsing CEL expressions (Issue 497)
Bookinfo sample application security fixes
We’ve updated the versions of Node.js and jQuery used in the Bookinfo sample application. Node.js has been upgraded from version 12.9 to 12.18. jQuery has been updated from version 2.1.4 to version 3.5.0. The highest rated vulnerability fixed: HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)