Istio 1.28.0 Released: Advanced AI, Ambient Multicluster, and Enhanced Security
Istio 1.28.0 arrives with significant advancements, including InferencePool v1 for AI workloads, enhanced ambient multicluster capabilities, native nftables support, beta dual-stack networking, and robust security improvements, simplifying cloud-native traffic management.
Istio 1.28.0 Released!
November 5, 2025
We are delighted to announce the official release of Istio 1.28.0! This achievement is a testament to the dedication of our incredible community of contributors, testers, users, and enthusiasts. We extend our sincerest gratitude to everyone who helped bring this release to fruition.
Special thanks go to our distinguished Release Managers for Istio 1.28:
- Gustavo Meira (Microsoft)
- Francisco Herrera (Red Hat)
- Darrin Cecil (Microsoft)
Essential Resources
- Change Notes: Get a detailed list of what's changed.
- Before You Upgrade: Things to know and prepare before upgrading.
- Download: Download and install this release.
- Docs: Visit the documentation for this release.
Istio 1.28.0 officially supports Kubernetes versions 1.29 through 1.34.
What's New in Istio 1.28?
Inference Extension Support
Istio 1.28 significantly advances its Gateway API Inference Extension capabilities with the introduction of InferencePool v1. This powerful enhancement streamlines the management and routing of AI inference workloads, simplifying the deployment and scaling of Generative AI models on Kubernetes through intelligent traffic management. The InferencePool v1 API provides enhanced stability and functionality for managing inference endpoint pools, enabling sophisticated load balancing and robust failover strategies for demanding AI workloads.
Ambient Multicluster Enhancements
Istio 1.28 introduces substantial improvements to ambient multicluster deployments. Waypoints can now effectively route traffic to remote networks within ambient multicluster configurations, significantly expanding ambient mode capabilities. This crucial enhancement enables advanced features like outlier detection and other L7 policies for requests traversing different networks, simplifying the management of complex multi-network service mesh deployments.
Note: Ambient multicluster remains an alpha feature with ongoing development to address known issues in future releases. Should recent changes impact your ambient multicluster deployment negatively, you can disable the new waypoint behavior by setting the AMBIENT_ENABLE_MULTI_NETWORK_WAYPOINT pilot environment variable to false.
We actively encourage early adopters of ambient multicluster to provide feedback and report any bugs.
Native nftables Support in Ambient Mode
Istio 1.28 now offers native nftables support for ambient mode. This significant enhancement allows users to leverage nftables, a modern alternative to iptables, for more flexible network rule management. To activate nftables mode, simply include --set values.global.nativeNftables=true during your Istio installation. This new capability complements the existing nftables support in sidecar mode, keeping Istio aligned with contemporary Linux networking frameworks.
Dual-stack Support Promoted to Beta
Istio's dual-stack networking support has matured to beta in this release. This progression delivers robust IPv4/IPv6 networking capabilities, empowering organizations to deploy Istio seamlessly in modern network environments that necessitate both IP protocol versions.
Enhanced Security Features
This release introduces several critical security enhancements:
- Enhanced JWT Authentication: The improved JWT filter configuration now supports custom space-delimited claims, alongside default claims like "scope" and "permission". This allows for proper validation of JWT tokens with custom claims using the spaceDelimitedClaims field in RequestAuthentication resources.
- NetworkPolicy Support: An optional NetworkPolicy deployment is now available for istiod by setting global.networkPolicy.enabled=true.
- Enhanced Container Security: Support for configuring seccompProfile in istio-validation and istio-proxy containers ensures better security compliance.
- Gateway API Security: FrontendTLSValidation (GEP-91) is now supported, enabling robust mutual TLS ingress gateway configurations.
- Improved Certificate Handling: Enhanced root certificate parsing filters out malformed certificates, preventing rejection of an entire certificate bundle.
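Why the space-delimited claims setting matters for authorization, as an added illustration that is not Istio or Envoy code: a claim such as "scope": "read write" only matches a per-value rule once it has been split into a list. The function names, the exact-match model, and the custom_roles claim are assumptions made for this sketch.

```python
# Added illustration: models how a claim listed as space-delimited is split
# into separate values before a rule compares it. Not Istio or Envoy source.

# Default claims named in the release notes above.
DEFAULT_SPACE_DELIMITED = ("scope", "permission")


def normalize_claims(payload, extra_space_delimited=()):
    """Return a copy of payload in which listed string claims become lists."""
    split_names = set(DEFAULT_SPACE_DELIMITED) | set(extra_space_delimited)
    out = {}
    for name, value in payload.items():
        if name in split_names and isinstance(value, str):
            out[name] = value.split()  # "read write" -> ["read", "write"]
        else:
            out[name] = value  # left as one opaque value
    return out


def claim_has_value(claims, name, wanted):
    """Exact-value check, the assumed matching model for this sketch."""
    value = claims.get(name)
    if isinstance(value, list):
        return wanted in value
    return value == wanted


# Constructed sample payload; signature and issuer checks are assumed done.
PAYLOAD = {
    "iss": "https://issuer.example",
    "scope": "read write",
    "custom_roles": "viewer admin",  # hypothetical custom claim name
}


def demo():
    """Compare rule outcomes with and without the custom claim listed."""
    defaults_only = normalize_claims(PAYLOAD)
    with_custom = normalize_claims(PAYLOAD, extra_space_delimited=["custom_roles"])
    return {
        "scope=write (defaults)": claim_has_value(defaults_only, "scope", "write"),
        "custom_roles=admin (defaults)": claim_has_value(defaults_only, "custom_roles", "admin"),
        "custom_roles=admin (listed)": claim_has_value(with_custom, "custom_roles", "admin"),
    }


if __name__ == "__main__":
    for rule, matched in demo().items():
        print(f"{rule}: {matched}")
```

In this model, a rule requiring custom_roles to equal admin does not match until the claim is listed, so a policy written per role value denies legitimate callers rather than silently over-matching.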
Gateway API and Traffic Management Enhancements
- BackendTLSPolicy v1: Achieves full Gateway API v1.4 support with expanded TLS configuration options.
- ServiceEntry Integration: ServiceEntry can now be used as a targetRef in BackendTLSPolicy for streamlined external service TLS configuration.
- Wildcard Host Support: ServiceEntry resources now support wildcard hosts with DYNAMIC_DNS resolution. (Note: This is for HTTP traffic only and requires ambient mode with a waypoint).
And Many More Innovations!
- Persona-based Installations: A new resourceScope option in Helm charts provides flexible namespace or cluster-scoped resource management.
- Improved Load Balancing: Consistent hash load-balancing now supports cookie attributes with critical security options such as SameSite, Secure, and HttpOnly.
- Enhanced Telemetry: Dual B3/W3C header propagation support improves tracing interoperability across diverse systems.
- istioctl Improvements: Enjoy automatic default revision detection and significantly enhanced debugging capabilities.
For an exhaustive list of all improvements and features, please consult the full release notes.
Upgrading to Istio 1.28
We highly value your feedback on your upgrade experience to Istio 1.28. Please share your insights and report any issues in the #release-1.28 channel within our Slack workspace.
Interested in contributing directly to Istio? Explore our Working Groups and join us in shaping the future of Istio.