stable-1.17-2.4.0

@joejulian joejulian released this 25 Sep 21:39
7b37c7b

Release Notes

stable-1.15-2.4.0, stable-1.16-2.4.0, stable-1.17-2.4.0

  • Istio:

    • The "kubernetes-service-monitor" service monitor has been removed. (#481, @gracedo)

    • Bumped Istio to v1.6.8:

      • Fixed security issues:
        • CVE-2020-12603: By sending a specially crafted packet, an attacker could cause Envoy to consume excessive amounts of memory when proxying HTTP/2 requests or responses.
        • CVE-2020-12605: An attacker could cause Envoy to consume excessive amounts of memory when processing specially crafted HTTP/1.1 packets.
        • CVE-2020-8663: An attacker could cause Envoy to exhaust file descriptors when accepting too many connections.
        • CVE-2020-12604: An attacker could cause increased memory usage when processing specially crafted packets.
        • CVE-2020-15104: When validating TLS certificates, Envoy incorrectly allows a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy incorrectly allows nested.subdomain.example.com, when it should only allow subdomain.example.com.
        • CVE-2020-16844: Callers to TCP services that have Authorization Policies defined with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields will never be denied access.
      • Other changes:
        • Fixed Mixer to return the proper source name after a lookup by IP when multiple pods share the same IP.
        • Improved the sidecar injection control based on revision at a per-pod level (Issue 24801)
        • Improved istioctl validate to disallow unknown fields not included in the Open API specification (Issue 24860)
        • Changed stsPort to sts_port in Envoy’s bootstrap file.
        • Preserved existing WASM state schema for state objects to reference it later as needed.
        • Added targetUri to stackdriver_grpc_service.
        • Updated WASM state to log for Access Log Service.
        • Increased default protocol detection timeout from 100 ms to 5 s (Issue 24379)
        • Removed UDP port 53 from Istiod.
        • Allowed setting status.sidecar.istio.io/port to zero (Issue 24722)
        • Fixed EDS endpoint selection for subsets with no or empty label selector. (Issue 24969)
        • Allowed k8s.overlays on BaseComponentSpec. (Issue 24476)
        • Fixed istio-agent to create elliptic curve CSRs when ECC_SIGNATURE_ALGORITHM is set.
        • Improved mapping of gRPC status codes into HTTP domain for telemetry.
        • Fixed scaleTargetRef naming in HorizontalPodAutoscaler for Istiod (Issue 24809)
        • Optimized performance in scenarios with large numbers of gateways. (Issue 25116)
        • Fixed an issue where out of order events may cause the Istiod update queue to get stuck. This resulted in proxies with stale configuration.
        • Fixed istioctl upgrade so that it no longer checks remote component versions when using --dry-run. (Issue 24865)
        • Fixed long log messages for clusters with many gateways.
        • Fixed outlier detection to only fire on user configured errors and not depend on success rate. (Issue 25220)
        • Fixed demo profile to use port 15021 as the status port. (Issue #25626)
        • Fixed Galley to properly handle errors from Kubernetes tombstones.
        • Fixed an issue where manually enabling TLS/mTLS for communication between a sidecar and an egress gateway did not work. (Issue 23910)
        • Fixed Bookinfo demo application to verify if a specified namespace exists and if not, use the default namespace.
        • Added a label to the pilot_xds metric in order to give more information on data plane versions without scraping the data plane.
        • Added CA_ADDR field to allow configuring the certificate authority address on the egress gateway configuration and fixed the istio-certs mount secret name.
        • Updated Bookinfo demo application to latest versions of libraries.
        • Updated Istio to disable auto mTLS when sending traffic to headless services without a sidecar.
        • Fixed an issue which prevented endpoints not associated with pods from working. (Issue #25974) (#489, @shaneutt)
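The CVE-2020-15104 item above turns on one rule: a wildcard DNS SAN covers exactly one DNS label. The following Go program is an added illustration for this page, not Envoy's or Istio's code. matchDNSSAN implements the single-label rule from RFC 6125; suffixOnlyMatch reproduces the over-broad behaviour the advisory describes, so the two can be compared on the hostnames the item cites. Function names and the sample hostnames are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// matchDNSSAN reports whether a certificate's DNS Subject Alternative Name
// pattern covers hostname. A leading "*." stands in for exactly one non-empty
// DNS label (RFC 6125), which is the behaviour the advisory calls correct.
// Added illustration for this page; not Envoy's matcher.
func matchDNSSAN(pattern, hostname string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	hostname = strings.ToLower(strings.TrimSuffix(hostname, "."))
	if pattern == "" || hostname == "" {
		return false
	}
	if !strings.HasPrefix(pattern, "*.") {
		// No leading wildcard: only an exact, case-insensitive match is allowed,
		// and a "*" anywhere else in the pattern is rejected outright.
		return !strings.Contains(pattern, "*") && pattern == hostname
	}
	suffix := pattern[1:] // "*.example.com" -> ".example.com"
	if strings.Contains(suffix, "*") || !strings.HasSuffix(hostname, suffix) {
		return false
	}
	// Whatever the "*" consumed must be a single, non-empty label.
	label := hostname[:len(hostname)-len(suffix)]
	return label != "" && !strings.Contains(label, ".")
}

// suffixOnlyMatch reproduces the over-broad check the advisory describes:
// any hostname ending in the wildcard's suffix is accepted, so the "*" can
// swallow several labels. Kept only to show the difference.
func suffixOnlyMatch(pattern, hostname string) bool {
	if !strings.HasPrefix(pattern, "*.") {
		return strings.EqualFold(pattern, hostname)
	}
	return strings.HasSuffix(strings.ToLower(hostname), strings.ToLower(pattern[1:]))
}

func main() {
	pattern := "*.example.com"
	// Constructed sample hostnames, including the two named in the advisory.
	for _, h := range []string{
		"subdomain.example.com",
		"nested.subdomain.example.com",
		"example.com",
		"evil-example.com",
	} {
		fmt.Printf("%-30s rfc6125=%-5v suffix-only=%v\n",
			h, matchDNSSAN(pattern, h), suffixOnlyMatch(pattern, h))
	}
}
```

The case to watch is nested.subdomain.example.com: the suffix-only check accepts it, the single-label check does not. The same single-label rule also keeps *.example.com from covering the apex name example.com.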
  • Traefik-forward-auth:

    • Update traefik-forward-auth to 0.2.14
    • Add an option to bypass the traefik-forward-auth (tfa) deployment (#456, @d2iq-dispatch)
  • Fixed an upgrade issue for several addons which would cause them to not be properly targeted for upgrade (#492, @shaneutt)
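Before taking this release, a practitioner will want to know which of their existing AuthorizationPolicy resources were silently not enforced under the CVE-2020-16844 condition in the Istio section above: a DENY action whose source principals or namespaces use a wildcard suffix such as *-some-suffix. The following Go program is an added example for this page, not part of istioctl or this addons repository. It reads one policy in JSON form (what a YAML resource becomes after conversion), models only the fields the advisory concerns, and lists every DENY rule field that uses a wildcard suffix. The sample policy, the hypothetical function names and the "tcp-echo" selector are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// authorizationPolicy models the parts of an Istio AuthorizationPolicy
// (security.istio.io/v1beta1) that the advisory concerns: the action and the
// source principals/namespaces of each rule. Other fields are ignored.
type authorizationPolicy struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Action string `json:"action"`
		Rules  []struct {
			From []struct {
				Source struct {
					Principals []string `json:"principals"`
					Namespaces []string `json:"namespaces"`
				} `json:"source"`
			} `json:"from"`
		} `json:"rules"`
	} `json:"spec"`
}

// isSuffixWildcard reports whether an Istio string match has the
// "*-some-suffix" form: a leading "*" followed by a literal suffix.
// A bare "*" matches everything and is not a suffix match.
func isSuffixWildcard(pattern string) bool {
	return len(pattern) > 1 && strings.HasPrefix(pattern, "*")
}

// findSuffixWildcardDenies parses one policy document and returns a
// description of every DENY rule field whose source principal or namespace
// match uses a wildcard suffix. Hypothetical helper written for this page.
func findSuffixWildcardDenies(doc []byte) ([]string, error) {
	var p authorizationPolicy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	if p.Kind != "AuthorizationPolicy" || p.Spec.Action != "DENY" {
		return nil, nil // ALLOW policies are not affected
	}
	var findings []string
	for i, rule := range p.Spec.Rules {
		for j, from := range rule.From {
			for _, v := range from.Source.Principals {
				if isSuffixWildcard(v) {
					findings = append(findings, fmt.Sprintf("%s/%s rules[%d].from[%d].source.principals %q",
						p.Metadata.Namespace, p.Metadata.Name, i, j, v))
				}
			}
			for _, v := range from.Source.Namespaces {
				if isSuffixWildcard(v) {
					findings = append(findings, fmt.Sprintf("%s/%s rules[%d].from[%d].source.namespaces %q",
						p.Metadata.Namespace, p.Metadata.Name, i, j, v))
				}
			}
		}
	}
	return findings, nil
}

// samplePolicy is a constructed DENY policy of the kind the advisory describes;
// the exact principal on the first rule is there to show it is not flagged.
const samplePolicy = `{
  "apiVersion": "security.istio.io/v1beta1",
  "kind": "AuthorizationPolicy",
  "metadata": {"name": "deny-legacy-callers", "namespace": "default"},
  "spec": {
    "selector": {"matchLabels": {"app": "tcp-echo"}},
    "action": "DENY",
    "rules": [
      {"from": [{"source": {"principals": ["*-legacy", "cluster.local/ns/default/sa/batch"]}}]},
      {"from": [{"source": {"namespaces": ["*-staging"]}}]}
    ]
  }
}`

func main() {
	findings, err := findSuffixWildcardDenies([]byte(samplePolicy))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("wildcard-suffix DENY match affected by CVE-2020-16844:", f)
	}
}
```

Run it over each policy's JSON (for example the output of kubectl get authorizationpolicy -A -o json, one item at a time) and treat every finding as a rule that TCP callers could have bypassed before the Istio bump; after upgrading, the same rules start denying traffic, which can itself surprise workloads that relied on the gap.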