Announcing Istio 1.28.1: Stability and Security Enhancements
Discover the Istio 1.28.1 patch release, focusing on critical bug fixes and robustness improvements for enhanced stability. This update addresses various issues including service entry conflicts, ambient mode behavior, and security vulnerabilities outlined in ISTIO-SECURITY-2025-003, ensuring a more reliable service mesh experience.
We are pleased to announce the release of Istio 1.28.1, a patch release focused on delivering critical bug fixes and enhancing the overall robustness of the Istio service mesh. This update specifically addresses several key areas, improving stability and security from version 1.28.0.
This release integrates the security updates detailed in our advisory, ISTIO-SECURITY-2025-003, published on December 3rd. Users are strongly encouraged to upgrade to ensure their deployments benefit from these crucial security enhancements.
Key Changes in Istio 1.28.1
This patch release introduces the following significant improvements and fixes:
Additions
- Enhanced InferencePool Configuration: Added support for specifying multiple `targetPorts` within an `InferencePool`. This capability, originally introduced in GIE (Gateway API Inference Extension) v1.1.0, provides greater flexibility in managing service endpoints. (Issue #57638)
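As an added illustration (not part of the Istio release notes or the GIE project's own manifests), the following InferencePool lists two target ports. The resource, label and port names are illustrative assumptions; the field layout follows the `inference.networking.k8s.io/v1` API as documented by GIE.

```yaml
# Added example, not from the Istio release notes: an InferencePool that
# lists two target ports. Names, labels and port numbers are illustrative.
apiVersion: inference.networking.k8s.io/v1
kind: InferencePool
metadata:
  name: vllm-llama3-8b
  namespace: default
spec:
  selector:
    matchLabels:
      app: vllm-llama3-8b
  # More than one entry requires GIE v1.1.0 and Istio 1.28.1 or later;
  # before this release Istio honoured only a single targetPort.
  targetPorts:
  - number: 8000
  - number: 8001
  endpointPickerRef:
    name: vllm-llama3-8b-epp
    port:
      number: 9002
```

Istio routes traffic to the pool through a Gateway API `HTTPRoute` whose `backendRefs` entry names the `InferencePool` as its kind; with 1.28.1 the endpoint picker's chosen pod is reachable on either listed port.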
Bug Fixes
- Route Resource Conflict Resolution: Addressed status conflicts occurring on Route resources, particularly when multiple Istio revisions are installed in the same environment. (Issue #57734)
- ServiceEntry Stability in Ambient Mode: Resolved unpredictable behavior in ambient mode caused by `ServiceEntry` resources with overlapping hostnames within the same namespace. (Issue #57291)
- `istio-init` Failure Fix: Corrected a failure within `istio-init` when using native nftables with TPROXY mode, specifically when an empty `traffic.sidecar.istio.io/includeInboundPorts` annotation was present. (Issue #58135)
- Accurate EDS Generation: Fixed an issue where the Endpoint Discovery Service (EDS) generation code failed to consider service scope, leading to the inclusion of inaccessible remote cluster endpoints in waypoint configurations. (Issue #58139)
- Improved EDS Caching for Ambient Gateways: Rectified an issue in Pilot's EDS caching that resulted in ambient East/West gateways and waypoints being configured with unusable EDS endpoints. (Issue #58141)
- Envoy Secret Resource State: Resolved a problem where Envoy Secret resources could become stuck in a `WARMING` state when a single Kubernetes Secret was referenced by Istio Gateway objects using both the `secret-name` and `namespace/secret-name` formats. (Issue #58146)
- IPv6 Nftables Rule Correction: Fixed an issue that caused IPv6 nftables rules to be programmed even when IPv6 was explicitly disabled in ambient mode. (Issue #58249)
- DNS Name Table for Headless Services: Corrected the DNS name table creation process for headless services to properly account for pods with multiple IP addresses. (Issue #58397)
- Ambient Multi-Network Connection Stability: Resolved an issue that caused ambient multi-network connections to fail when a custom trust domain was in use. (Issue #58427)
- HTTP/HTTPS Server Route Creation: Fixed a bug where HTTPS servers processed first could prevent HTTP servers from creating routes on the same port but with different bind addresses. (Issue #57706)
- XListenerSet TLS Secret Access: Addressed an issue preventing experimental `XListenerSet` resources from accessing TLS Secrets.
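To make the Envoy Secret `WARMING` condition (Issue #58146) concrete, here is an added example, not taken from the Istio release notes or the Istio project, of the configuration shape that triggered it: two Istio Gateways in `istio-system` referencing the same Kubernetes Secret, one with the short `secret-name` form and one with the `namespace/secret-name` form. Gateway names, hostnames, ports and the secret name are illustrative assumptions.

```yaml
# Added example, not from the Istio release notes: two Gateways referencing
# one Kubernetes Secret (istio-system/httpbin-credential) in both supported
# credentialName formats. Before 1.28.1 this combination could leave the
# corresponding Envoy Secret resource stuck in WARMING. Names are illustrative.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential               # short form
    hosts:
    - httpbin.example.com
---
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: httpbin-gateway-alt
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 8443
      name: https-alt
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: istio-system/httpbin-credential  # namespaced form
    hosts:
    - httpbin.example.com
```

After upgrading a gateway to 1.28.1, `istioctl proxy-config secret <ingress-gateway-pod> -n istio-system` lists the SDS secrets the proxy holds along with their status; every entry for the shared credential should report `ACTIVE`, and a lingering `WARMING` entry means the listener cannot serve TLS for that host.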
We encourage all users to review these changes and consider upgrading to Istio 1.28.1 for a more stable and secure service mesh environment.