Istio on Google Kubernetes Engine release notes

This page documents production updates to Istio on GKE. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/istio-release-notes.xml

February 22, 2022

1.4.x & 1.6.x

The Istio project recently disclosed a series of CVEs that can expose Istio on GKE to remotely exploitable vulnerabilities. For more information, see the security bulletin.

1.6.x

1.6.14-gke.9 is now available. This patch release contains the fixes for the security vulnerabilities listed in GCP-2022-007. For more information, see Upgrading operator based 1.6 Istio to the latest patch release.

1.4.x

1.4.11-gke.4 and 1.4.10-gke.23 are now available. These patch releases contain the fixes for the security vulnerabilities listed in GCP-2022-007. For more information see Upgrading 1.4 Istio to the latest patch release.

August 24, 2021

1.4.x

1.4.10-gke.17 is now available. This patch release contains the fixes for the security vulnerabilities listed in GCP-2021-016. For more information see Upgrading 1.4 Istio to the latest patch release.

1.6.x

1.6.14-gke.5 is now available. This patch release contains the fixes for the security vulnerabilities listed in GCP-2021-016. For more information, see Upgrading operator based 1.6 Istio to the latest patch release.

1.4.x & 1.6.x

The Istio project recently disclosed a series of CVEs that can expose Istio on GKE to remotely exploitable vulnerabilities. For more information, see the security bulletin.

May 10, 2021

1.2.x & 1.0.x & 1.1.x & 1.4.x & 1.6.x

Google Support does not provide support for Istio installations. For more information, see the Istio support statement.

April 20, 2021

1.6.x

1.6.14-gke.1 is now available.

Fixes the security issue, ISTIO-SECURITY-2021-003, with the same fixes as Istio 1.9.3. These fixes were also backported to the specified Istio on Google Kubernetes Engine versions.

March 17, 2021

1.4.x

1.4.10-gke.8 is available.

Fixes known security issue of OpenSSL in base images.

November 25, 2020

1.4.x & 1.6.x

Upgrading the cluster to GKE versions 1.17 and higher causes the built-in ingress gateway to be unavailable for approximately 5 minutes during the upgrade process. We recommend installing and managing separate user-defined gateways to avoid this issue, as described in Adding gateways.

November 12, 2020

1.6.x

Migrations from the 1.6 version of the add-on to Anthos Service Mesh 1.7 or 1.6 using a Google-provided script is available. For details see Upgrading to Istio 1.6 with Operator

October 19, 2020

1.4.x

A fix for a known issue where custom resources created in the istio-system namespace were deleted when upgrading from GKE 1.16 to 1.17 and 1.18 is available in R33.

Upgrade to one of the following unaffected versions:

1.17.12-gke.1501 and higher
1.18.9-gke.1501 and higher

The issue only occurs during upgrades, so new clusters created in earlier versions are also unaffected.

October 06, 2020

1.4.x

There is a known issue with the upgrade from GKE 1.16 to 1.17. Any custom resources you created in the istio-system namespace are deleted during an upgrade to 1.17. These resources must be manually recreated. We recommend not upgrading clusters with the Istio addon to 1.17 until the fix is rolled out. The issue only occurs during upgrades, so new clusters are not affected.

The fix was not included in release R31 as previously reported

October 02, 2020

1.4.x

There is a known issue with the upgrade from GKE 1.16 to 1.17 versions lower than 1.17.9-gke.6300 (R30 or earlier). Any custom resources you created in the istio-system namespace are deleted during an upgrade to 1.17 (R30 or earlier). These resources must be manually recreated. We recommend that you upgrade only to R31 or a later version that doesn't have the issue. The issue only occurs during upgrades, so new clusters are not affected.

September 16, 2020

1.4.x

There is a known issue with the upgrade from GKE 1.16 to 1.17. Any custom resources you created in the istio-system namespace are deleted during an upgrade to 1.17 (R30 or earlier). These resources must be manually recreated. We recommend that you do not upgrade to GKE 1.17 until a patch release fixes the issue. The fix will be rolled out in GKE release R31.

August 20, 2020

1.4.x

Istio 1.4.10-gke.5

Fixes an issue with protocol detection connection timeouts.

August 05, 2020

1.4.x

Starting with version 1.6, the Istio on GKE add-on uses the Istio Operator for installation and configuration. When you upgrade your cluster to 1.17.7-gke.8+, 1.17.8-gke.6+, or higher, the Istio 1.6 Operator and control plane are installed alongside the existing 1.4.x Istio control plane. The upgrade requires user action and follows the dual control plane upgrade process (referred to as canary upgrades in the Istio documentation). With a dual control plane upgrade, you can migrate to the 1.6 version by setting a label on your workloads to point to the new control plane and performing a rolling restart. To learn more, see Upgrading to Istio 1.6 with Operator.

July 21, 2020

1.4.x

Istio 1.4.10-gke.4

Fixes known security issues with the same fixes as OSS Istio 1.4.10

March 27, 2020

1.4.x

Istio 1.4.6-gke.0 - This is the initial release of Istio 1.4 to Istio on GKE

March 13, 2020

1.2.x

Istio 1.2.10-gke.3 - Fixes known security issues with the same fixes as OSS Istio 1.4.6:

CVE-2020-8659, CVE-2020-8661, CVE-2020-8664, CVE-2020-8660: ISTIO-SECURITY-2020-003

February 19, 2020

1.2.x

Istio 1.2.10-gke.1 - Fixes the following known security issues:

CVE-2020-8595: ISTIO-SECURITY-2020-001
CVE-2020-8843: ISTIO-SECURITY-2020-002

December 13, 2019

1.1.x

Istio 1.1.16-gke.0 - This release has a known security issue that can leave clusters vulnerable. We recommend upgrading to a version of GKE that will install Istio 1.1.17.

Istio 1.1.17-gke.0 - Fixes a known security issue.

1.2.x

Istio 1.2.7-gke.0 - This release has a known security issue that can leave clusters vulnerable. We recommend upgrading to a version of GKE that will install Istio 1.2.10.

Istio 1.2.10-gke.0 - Fixes a known security issue with the same fixes as OSS Istio 1.2.10, as well as improvements and fixes from OSS Istio 1.2.8 and Istio 1.2.9.

November 12, 2019

1.2.x & 1.0.x & 1.1.x

For the following versions:

Istio 1.0.3-gke.0
Istio 1.0.3-gke.3a
Istio 1.0.3-gke.3b
Istio 1.0.6-gke.1
Istio 1.0.6-gke.3
Istio 1.0.9-gke.0
Istio 1.1.7-gke.0
Istio 1.1.10-gke.0
Istio 1.1.13-gke.0
Istio 1.1.16-gke.0
Istio 1.1.3-gke.0

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

1.1.x

Istio 1.1.13-gke.0- Has the known issues addressed in these releases: https://istio.io/about/notes/1.1.8/, https://istio.io/about/notes/1.1.9/, https://istio.io/about/notes/1.1.10/

October 10, 2019

1.1.x

Istio 1.1.16-gke.0 - Fixes a known security issue with the same fixes as OSS Istio 1.1.16, as well as security updates from OSS Istio 1.1.14, and an Envoy crash bug fix from OSS Istio 1.1.15

1.2.x

Istio 1.2.7-gke.0 - Fixes a known security issue with the same fixes as OSS Istio 1.2.7, as well as bug fixes from OSS Istio 1.2.6.

August 13, 2019

1.1.x

Istio 1.1.13-gke-0 - Fixes a known security issue with the same fixes as OSS Istio version 1.1.13.

July 11, 2019

1.1.x

Istio 1.1.7-gke.0 - Has the known issues addressed in these releases: https://istio.io/about/notes/1.1.8/, https://istio.io/about/notes/1.1.9/, https://istio.io/about/notes/1.1.10/

Istio 1.1.7-gke.0 - Fixes known issues (https://istio.io/about/notes/1.1.8/, https://istio.io/about/notes/1.1.9/, https://istio.io/about/notes/1.1.10/) from version 1.1.7-gke.0.

1.0.x

Istio 1.0.9-gke.0 - Fixes known issues (https://istio.io/about/notes/1.0.7/, https://istio.io/about/notes/1.0.8/, https://istio.io/about/notes/1.0.9/) from version 1.0.6-gke.3.

Istio 1.0.6-gke.3 - Has the known issues addressed in these releases: https://istio.io/about/notes/1.0.7/, https://istio.io/about/notes/1.0.8/, https://istio.io/about/notes/1.0.9/

June 27, 2019

1.1.x

Istio 1.1.7-gke.0 - This version does not have a pod disruption budget. See notes on upgrading from Istio 1.1.3.

Istio 1.1.7-gke.0 - Google Cloud's operations suite tracing is disabled by default.

Istio 1.1.7-gke.0 - Fixes a known security issue from version 1.1.3-gke.0.

May 16, 2019

1.1.x

Istio 1.1.3-gke.0 - Upgrades Istio to version 1.1.3. See notes on upgrading from 1.0 versions of Istio.

April 05, 2019

1.0.x

Istio 1.0.6-gke.3 - Fixes a known security issue with the same fixes as OSS Istio version 1.0.7. New clusters will use this version by default when announced on the GKE security bulletins page, expected mid April 2019. If you create a new cluster with Istio on GKE before then, make sure to select a recommended GKE version to get this version of the add-on. Existing users should upgrade to the latest patched version of GKE as soon as possible.

Find out more in this security bulletin.

March 20, 2019

1.0.x

Istio 1.0.3-gke.3b - Fixes to all known issues in 1.0.3-gke.3a.

Istio 1.0.6-gke.1 - Fixes to all known issues in 1.0.3-gke.3a.

Istio 1.0.6-gke.1 - Upgrades Istio to version 1.0.6. See the Istio 1.0.6 release notes for more information.

January 28, 2019

1.0.x

Istio 1.0.3-gke.3a - Fixes to all known issues in 1.0.3-gke.0.

Istio 1.0.3-gke.3a - All ConfigMaps are now read-only, since these may change during upgrade.

Istio 1.0.3-gke.3a - Google Cloud's operations suite logging and tracing are enabled by default. However, please see the release issue below for current memory issues with tracing.

Istio 1.0.3-gke.3a - Istio on GKE's internal prometheus (used for internal metrics) is renamed to promsd to avoid confusion.

Istio 1.0.3-gke.3a - Google Cloud's operations suite tracing can consume too much memory in telemetry pods and should be disabled for now.

December 11, 2018

1.0.x

Istio 1.0.3-gke.0 - Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Istio 1.0.3-gke.0 - Updating an existing cluster Istio config between MTLS_STRICT and PERMISSIVE doesn't work.

Istio 1.0.3-gke.0 - Setting the --enable-stackdriver-kubernetes flag prevents the Istio Google Cloud's operations suite adapter from being installed, leading to no Google Cloud's operations suite metrics being published.

Istio 1.0.3-gke.0 - Mixer outputs logs to the local machine via the stdio adapter by default, which can consume large amounts of CPU.

Istio 1.0.3-gke.0 - If you are using Google Cloud's operations suite with Istio 1.0.3 (the version used in this release of Istio on GKE for initial Istio installation), you can only use a single instance of Istio-Telemetry in your control plane. If you use multiple instances, telemetry data can be lost. To make sure your Google Cloud's operations suite support continues to work smoothly, do the following:

Ensure only one instance of Istio-Telemetry is running by setting the Istio-Telemetry HorizontalPodAutoscaler maxReplicas value to 1.

kubectl edit -n istio-system HorizontalPodAutoscalers/istio-telemetry

Make sure that your Istio-Telemetry resources are sufficient for one instance to handle the load from the entire cluster

kubectl edit -n istio-system Deployments/istio-telemetry