Announcing Istio 1.27.6
Istio 1.27.6 patch release.
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.27.5 and 1.27.6.
Changes
Added safeguards to the gateway deployment controller to validate object types, names, and namespaces, preventing creation of arbitrary Kubernetes resources through template injection. (Issue #58891)
Added namespace-based authorization for debug endpoints on port 15014. Non-system namespaces are now restricted to config_dump/ndsz/edsz endpoints and same-namespace proxies only. If needed for compatibility, this behavior can be disabled with ENABLE_DEBUG_ENDPOINT_AUTH=false.
Added service.selectorLabels field to the gateway Helm chart for custom service selector labels during revision-based migrations.
Fixed resource annotation validation to reject newline and control characters that could inject containers into pod specs via template rendering. (Issue #58889)
Fixed incorrect mapping of meshConfig.tlsDefaults.minProtocolVersion to tls_minimum_protocol_version in downstream TLS context.
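
The two template-injection safeguards above (annotation validation and the object type, name, and namespace checks) can be pictured with the following added example. It is not Istio's code: the Rendered type, the allowedKinds list, and both function names are hypothetical, and the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"unicode"
)

// Rendered is a hypothetical, minimal view of one object produced by a template.
type Rendered struct{ Kind, Name, Namespace string }

// allowedKinds is an assumed allowlist; the controller's real list is not on this page.
var allowedKinds = map[string]bool{"Deployment": true, "Service": true, "ServiceAccount": true}

// CheckAnnotations rejects keys or values that contain control characters
// (newline, carriage return, tab, NUL, ...) before they reach a text template,
// where a line break would let a value add structure to the rendered output.
func CheckAnnotations(ann map[string]string) error {
	for k, v := range ann {
		for _, r := range k + v {
			if unicode.IsControl(r) {
				return fmt.Errorf("annotation %q contains control character %U", k, r)
			}
		}
	}
	return nil
}

// CheckRendered verifies that template output is an allowed kind and is bound
// to the name and namespace of the gateway that triggered the rendering.
func CheckRendered(obj Rendered, wantName, wantNamespace string) error {
	if !allowedKinds[obj.Kind] {
		return fmt.Errorf("kind %q is not allowed", obj.Kind)
	}
	if obj.Name != wantName || obj.Namespace != wantNamespace {
		return fmt.Errorf("object %s/%s does not match expected %s/%s",
			obj.Namespace, obj.Name, wantNamespace, wantName)
	}
	return nil
}

func main() {
	// Constructed sample inputs.
	fmt.Println(CheckAnnotations(map[string]string{"example.com/note": "line one\nline two"}))
	fmt.Println(CheckAnnotations(map[string]string{"example.com/note": "plain value"}))
	fmt.Println(CheckRendered(Rendered{"ClusterRoleBinding", "gw", "team-a"}, "gw", "team-a"))
	fmt.Println(CheckRendered(Rendered{"Deployment", "gw", "team-b"}, "gw", "team-a"))
	fmt.Println(CheckRendered(Rendered{"Deployment", "gw", "team-a"}, "gw", "team-a"))
}
```

Validating both the inputs and the rendered result means a value that slips past the first check still cannot yield an object of an unexpected kind or in another namespace.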