Announcing Istio 1.20.4
Istio 1.20.4 patch release.
This release note describes what’s different between Istio 1.20.3 and 1.20.4.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Changes
Added an environment variable
COMPLIANCE_POLICY
to Istio components for enforcing TLS restriction for compliance with FIPS. When set tofips-140-2
on the Istiod container, the Istio Proxy container, and all other Istio components, the TLS version is restricted to v1.2. The cipher suites are limited to a subset ofECDHE-ECDSA-AES128-GCM-SHA256
,ECDHE-RSA-AES128-GCM-SHA256
,ECDHE-ECDSA-AES256-GCM-SHA384
,ECDHE-RSA-AES256-GCM-SHA384
, and ECDH curves toP-256
.These restrictions apply on the following data paths:
- mTLS communication between Envoy proxies;
- regular TLS on the downstream and the upstream of Envoy proxies (e.g. gateway);
- Google gRPC side requests from Envoy proxies (e.g. Stackdriver extensions);
- Istiod xDS server;
- Istiod injection and validation webhook servers.
The restrictions are not applied on the following data paths:
- Istiod to Kubernetes API server;
- JWK fetch from Istiod;
- Wasm image and URL fetch from Istio Proxy containers;
- ztunnel.
Note that Istio injector will propagate the value of
COMPLIANCE_POLICY
to the injected proxy container, when set. (Issue #49081)Fixed an issue where the local client contained incorrect entries in the local DNS name table. (Issue #47340)
Fixed a bug that made
PeerAuthentication
too restrictive in ambient mode.Fixed a bug where
VirtualService
containing wildcard hosts that aren’t present in the service registry are ignored. (Issue #49364)Fixed an issue where
istioctl precheck
inaccurately reports the IST0141 message related to resource permissions. (Issue #49379)Fixed a bug for IPv6 only clusters that prevented ServiceEntry-based listeners from having correct SNI matches. (Issue #49476)
Fixed a bug when there is more than one service with the same host name within the same namespace, a
STRICT_DNS cluster without endpoints
error could occur. (Issue #49489)Fixed an issue that when using a delegate in a
VirtualService
, the effectiveVirtualService
may not be consistent with expectations due to a sorting error. (Issue #49539)Fixed a bug where specifying a URI regex
.*
match within aVirtualService
HTTP route did not short-circuit the subsequent HTTP routes.Fixed an issue where
Endpoint
andService
in the istiod-remote chart did not respect the revision value. (Issue #47552)