Announcing Istio 1.20.1
Istio 1.20.1 patch release.
This release implements the security updates described in our Dec 12th post, ISTIO-SECURITY-2023-005 along with bug fixes to improve robustness.
This release note describes what’s different between Istio 1.20.0 and 1.20.1.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Changes
Fixed an issue where the webhook generated by
istioctl tag setwas unexpectedly being removed by the installer. (Issue #47423)Fixed an issue where the
istioctl tag listcommand did not accept the--outputflag. (Issue #47696)Fixed an issue where custom injection of the
istio-proxycontainer was not working on OpenShift, due to how OpenShift sets the pod’sSecurityContext.RunAsfield.Fixed an issue where
VirtualServiceHTTP header present match was not working whenheader-name: {}was set. (Issue #47341)Fixed multi-cluster leader election not being able to prioritize local over remote leaders. (Issue #47901)
Fixed a memory leak when
hostNetworkpods scaled up and down. (Issue #47893)Fixed a memory leak when
WorkloadEntrieschanged their IP address. (Issue #47893)Fixed a memory leak when a
ServiceEntrywas removed. (Issue #47893)Improved
istioctl bug-reportperformance by reducing the number of calls to the Kubernetes API. The included pod/node details in the report remain comprehensive but will be presented differently.Removed the
--rps-limitflag foristioctl bug-reportand added the--rq-concurrencyflag. This change enables the bug reporter to limit request concurrency rather than the request rate to the Kubernetes API.
Security update
- Changes to Istio CNI Permissions as described in
ISTIO-SECURITY-2023-005.