This release includes several bug fixes and improvements to robustness. This release note describes what’s different between Istio 1.1.6 and Istio 1.1.7.
This release fixes CVE 2019-12243.
- Fix issue where two gateways with overlapping hosts, created at the same second, can cause Pilot to fail to generate routes correctly and lead to Envoy listeners stuck indefinitely at startup in a warming state.
- Improve the robustness of the SDS node agent: if Envoy sends a SDS request with an empty
ResourceNames, ignore it and wait for the next request instead of closing the connection (Issue 13853).
- In prior releases Pilot automatically injected the experimental
envoy.filters.network.mysql_proxyfilter into the outbound filter chain if the service port name is
mysql. This was surprising and caused issues for some operators, so Pilot will now automatically inject the
envoy.filters.network.mysql_proxyfilter only if the
PILOT_ENABLE_MYSQL_FILTERenvironment variable is set to
- Fix issue where Mixer policy checks were incorrectly disabled for TCP (Issue 13868).
--applicationPortsoption to the
ingressgatewayHelm charts. When set to a comma-delimited list of ports, readiness checks will fail until all the ports become active. When configured, traffic will not be sent to Envoys stuck in the warming state.
- Increase memory limit in the
ingressgatewayHelm chart to 1GB and add resource
limitsto the SDS node agent container to support HPA autoscaling.