Announcing Istio 1.5.1
This release contains bug fixes to improve robustness and fixes for the security vulnerabilities described in our March 25th, 2020 news post. This release note describes what’s different between Istio 1.5.0 and Istio 1.5.1.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
Inspect the full set of source code changes.
- ISTIO-SECURITY-2020-004 Istio uses a hard coded
CVE-2020-1764: Istio uses a default
signing key to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.
In addition, another CVE is fixed in this release, described in the Kiali 1.15.1 release.
- Fixed an issue where Istio Operator instance deletion hangs for in-cluster operator (Issue 22280)
- Fixed istioctl proxy-status should not list differences if just the order of the routes have changed (Issue 21709)
- Fixed Incomplete support for array notation in “istioctl manifest apply —set” (Issue 20950)
- Fixed Add possibility to add annotations to services in Kubernetes service spec (Issue 21995)
- Fixed Enable setting ILB Gateway using istioctl (Issue 20033)
- Fixed istioctl does not correctly set names on gateways (Issue 21938)
- Fixed OpenID discovery does not work with beta request authentication policy (Issue 21954)
- Fixed Issues related to shared control plane multicluster (Issue 22173)
- Fixed Ingress port displaying target port instead of actual port (Issue 22125)
- Fixed Issue where endpoints were being pruned automatically when installing the Istio Controller (Issue 21495)
- Fixed Add istiod port to gateways for mesh expansion(Issue 22027)
- Fixed Multicluster secret controller silently ignoring updates to secrets (Issue 18708)
- Fixed Autoscaler for mixer-telemetry always being generated when deploying with istioctl or Helm (Issue 20935)
- Fixed Prometheus certificate provisioning is broken (Issue 21843)
- Fixed Segmentation fault in Pilot with beta mutual TLS (Issue 21816)
- Fixed Operator status enumeration not being rendered as a string (Issue 21554)
- Fixed in-cluster operator fails to install control plane after having deleted a prior control plane (Issue 21467)
- Fixed TCP metrics for BlackHole clusters does not work with Telemetry v2 (Issue 21566)
- Improved Add option to enable V8 runtime for telemetry V2 (Issue 21846)
- Improved compatibility of Helm gateway chart (Issue 22295)
- Improved operator by adding a Helm installation chart (Issue 21861)
- Improved Support custom CA on istio-agent (Issue 22113)
- Improved Add a flag that supports passing GCP metadata to STS (Issue 21904)