Announcing Istio 1.9.4
Patch Release
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.9.3 and Istio 1.9.4
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Changes
Fixed an issue where the Istio operator prunes all resources created by the operator, including itself. Now the operator will only remove resources belonging to the custom resource. (Issue #30833)
Fixed an issue ensuring lease duration is always greater than the user configured
RENEW_DEADLINE
for Istio operator manager. (Issue #27509)Fixed an issue where a certificate provisioned by sidecar proxy cannot be used by Prometheus. (Issue #29919)
Fixed an issue that creates an IOP under
istio-system
when installing Istio in another namespace. (Issue #31517)Fixed an issue when using
PeerAuthentication
to turn off mTLS while using multi-network. Now non-mTLS endpoints will be removed from cross-network load-balancing endpoints to prevent 500 errors. (Issue #28798)Fixed
istiod
never becoming ready when it fails to read resources from clusters configured via remote secrets. After a timeout configured byPILOT_REMOTE_CLUSTER_TIMEOUT
(default30s
),istiod
will become ready without syncing remote clusters. The statremote_cluster_sync_timeouts
will be incremented when this occurs. (Issue #30838)Fixed an issue where
istiod
will not create a self-signed root CA andistio-ca-root-cert
configmap whenvalues.global.pilotCertProvider
iskubernetes
. (Issue #32023)Improved the
istioctl x workload
command to configure VMs to disable inboundiptables
capture for admin ports, matching the behavior of Kubernetes Pods. (Issue #29412)Improved performance of
istiod
when running on clusters with thousands of namespaces. (Issue #32269Improved detection of Server Side Apply in Kubernetes. (Issue #32101)