Announcing Istio 1.6.3

Istio 1.6.3 patch release.

Jun 18, 2020

This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.6.2 and Istio 1.6.3.

BEFORE YOU UPGRADE

Things to know and prepare before upgrading.

DOWNLOAD

Download and install this release.

DOCS

Visit the documentation for this release.

SOURCE CHANGES

Inspect the full set of source code changes.

Changes

Fixed an issue preventing the operator from recreating watched resources if they are deleted (Issue 23238).
Fixed an issue where Istio crashed with the message: proto.Message is *client.QuotaSpecBinding, not *client.QuotaSpecBinding(Issue 24624).
Fixed an issue preventing operator reconciliation due to improper labels on watched resources (Issue 23603).
Added support for the k8s.v1.cni.cncf.io/networks annotation (Issue 24425).
Updated the SidecarInjectionSpec CRD to read the imagePullSecret from .Values.global (Pull 24365).
Updated split horizon to skip gateways that resolve hostnames.
Fixed istioctl experimental metrics to only flag error response codes as errors (Issue 24322)
Updated istioctl analyze to sort output formats.
Updated gateways to use proxyMetadata
Updated the Prometheus sidecar to use proxyMetadata(Issue 24415).
Removed invalid configuration from PodSecurityContext when gateway.runAsRoot is enabled (Issue 24469).

Grafana addon security fixes

We’ve updated the version of Grafana shipped with Istio from 6.5.2 to 6.7.4. This addresses a Grafana security issue, rated high, that can allow access to internal cluster resources using the Grafana avatar feature. (CVE-2020-13379)