Announcing Istio 1.9.1
Istio 1.9.1 patch release.
This release fixes the security vulnerability described in our March 1st, 2021 news post and includes bug fixes to improve robustness.
This release note describes what’s different between Istio 1.9.0 and Istio 1.9.1.
Security update
A zero-day security vulnerability was fixed in the version of Envoy shipped with Istio 1.9.0. This vulnerability was fixed on February 26th, 2021. 1.9.0 is the only version of Istio that includes the vulnerable version of Envoy. This vulnerability can only be exploited on misconfigured systems.
Changes
Improved sidecar injection to automatically specify the kubectl.kubernetes.io/default-logs-container. This ensures kubectl logs defaults to reading the application container’s logs, rather than requiring explicitly setting the container. (Issue #26764)
Improved the sidecar injector to better utilize pod labels to determine if injection is required. This is not enabled by default in this release, but can be tested using --set values.sidecarInjectorWebhook.useLegacySelectors=false. (Issue #30013)
Updated Prometheus metrics to include source_cluster and destination_cluster labels by default for all scenarios. Previously, this was only enabled for multi-cluster scenarios. (Issue #30036)
Updated default access log to include RESPONSE_CODE_DETAILS and CONNECTION_TERMINATION_DETAILS for proxy version >= 1.9. (Issue #27903)
Updated Kiali addon to the latest version v1.29. (Issue #30438)
Added enableIstioConfigCRDs to base to allow users to specify whether the Istio CRDs will be installed. (Issue #28346)
Added support for DestinationRule inheritance for mesh/namespace level rules. Enable feature with the PILOT_ENABLE_DESTINATION_RULE_INHERITANCE environment variable. (Issue #29525)
Added support for applications that bind to their pod IP address, rather than wildcard or localhost address, through the Sidecar API. (Issue #28178)
Added flag to enable capture of DNS traffic to the istio-iptables script. (Issue #29908)
Added canonical service tags to Envoy-generated trace spans. (Issue #28801)
Fixed an issue causing the timeout header x-envoy-upstream-rq-timeout-ms to not be honored. (Issue #30885)
Fixed an issue where access log service causes Istio proxy to reject configuration. (Issue #30939)
Fixed an issue causing an alternative Envoy binary to be included in the Docker image. The binaries are functionally equivalent. (Issue #31038)
Fixed an issue where the TLS v2 version was enforced only on HTTP ports. This option is now applied to all ports.
Fixed an issue where Wasm plugin configuration update will cause requests to fail. (Issue #29843)
Removed support for reading Istio configuration over the Mesh Configuration Protocol (MCP). (Issue #28634)