Announcing Istio 1.27.4
Istio 1.27.4 patch release.
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.27.3 and 1.27.4.
This release implements the security updates described in our 3rd of December post, ISTIO-SECURITY-2025-003.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Changes
Fixed status conflicts on Route resources when multiple istio revisions are installed. (Issue #57734)
Fixed an issue with waypoints where an
EnvoyFilterwithtargetRefkindGatewayClassand groupgateway.networking.k8s.ioin the root namespace would not work.Fixed a failure in
istio-initwhen using native nftables with TPROXY mode and had an emptytraffic.sidecar.istio.io/includeInboundPortsannotation. (Issue #58135)Fixed an issue where Envoy Secret resources could get stuck in
WARMINGstate when the same Kubernetes Secret is referenced from Istio Gateway objects using bothsecret-nameandnamespace/secret-nameformats. (Issue #58146)Fixed DNS name table creation for headless services where pods entries did not account for pods having multiple IPs. (Issue #58397)
Fixed an issue where HTTPS servers processed first prevented HTTP servers from creating routes on the same port with different bind addresses. (Issue #57706)
Fixed a bug causing the experimental
XListenerSetresources to not be able to access TLS Secrets.