Release announcement for 1.9.1 (#9085)

* Initial announcement

* Code review comments

* Fix linting

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: Joshua Blatt <jblatt@google.com>

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/security/istio-security-2021-001/index.md

Co-authored-by: Joshua Blatt <jblatt@google.com>

* Code review comments from Josh

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/security/istio-security-2021-001/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Additional docs review

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.9.x/announcing-1.9.1/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/security/istio-security-2021-001/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/security/istio-security-2021-001/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Add cvss score

* Fix spelling

* Update content/en/news/security/istio-security-2021-001/index.md

Co-authored-by: Oliver Liu <yonggangl@google.com>

* Fix link to istio.io

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: Joshua Blatt <jblatt@google.com>
Co-authored-by: craigbox <craigbox@google.com>
Co-authored-by: Oliver Liu <yonggangl@google.com>

.spelling

@@ -86,6 +86,7 @@ Airbnb
 AKS
 AKS-Engine
 Alibaba
+allow_missing
 alt
 analytics
 Anantheswaran
@@ -601,6 +602,7 @@ reimplement
 reimplemented
 reinject
 repurposed
+requires_any
 rethink
 reusability
 Reviewer1

content/en/news/releases/1.9.x/announcing-1.9.1/index.md

@@ -0,0 +1,79 @@
+---
+title: Announcing Istio 1.9.1
+linktitle: 1.9.1
+subtitle: Patch Release
+description: Istio 1.9.1 patch release.
+publishdate: 2021-03-01
+release: 1.9.1
+aliases:
+    - /news/announcing-1.9.1
+---
+
+This release fixes the security vulnerability described in [our March 1st, 2021 news post](/news/security/istio-security-2021-001)
+as well as bug fixes to improve robustness.
+
+This release note describes what’s different between Istio 1.9.0 and Istio 1.9.1.
+
+{{< warning >}}
+At the time of release publication, we have only completed 18 out of our typical 48 hours of stress testing. Given the
+zero-day nature of the vulnerability and our experience with these stress tests, we believe it's safe to release now. These
+tests will be concluded on Wednesday March 3, 2021. At such time we will either remove this warning or post known issues
+seen with this release. If you are not comfortable adopting Istio 1.9.1 before Wednesday, please read through the
+[security bulletin](/news/security/istio-security-2021-001) and follow the mitigation steps specified in it.
+{{< /warning >}}
+
+{{< relnote >}}
+
+## Security update
+
+A zero-day security vulnerability was fixed in the version of Envoy shipped with Istio 1.9.0.  This vulnerability was fixed on Friday February 26th, 2021. 1.9.0 is the only version of Istio that includes the vulnerable version of Envoy. This vulnerability can only be exploited
+on misconfigured systems.
+
+## Changes
+
+- **Improved** sidecar injection to automatically specify the `kubectl.kubernetes.io/default-logs-container`. This ensures `kubectl logs`
+  defaults to reading the application container's logs, rather than requiring explicitly setting the container.
+  ([Issue #26764](https://github.com/istio/istio/issues/26764))
+
+- **Improved** the sidecar injector to better utilize pod labels to determine if injection is required. This is not enabled
+  by default in this release, but can be tested using `--set values.sidecarInjectorWebhook.useLegacySelectors=false`.  ([Issue #30013](https://github.com/istio/istio/issues/30013))
+
+- **Updated** Prometheus metrics to include `source_cluster` and `destination_cluster` labels by default for all scenarios. Previously, this was only enabled for multi-cluster scenarios.
+  ([Issue #30036](https://github.com/istio/istio/issues/30036))
+
+- **Updated** default access log to include `RESPONSE_CODE_DETAILS` and `CONNECTION_TERMINATION_DETAILS` for proxy version >= 1.9.
+  ([Issue #27903](https://github.com/istio/istio/issues/27903))
+
+- **Updated** Kiali addon to the latest version `v1.29`.
+  ([Issue #30438](https://github.com/istio/istio/issues/30438))
+
+- **Added**  `enableIstioConfigCRDs` to `base` to allow users to specify whether the Istio CRDs will be installed.  ([Issue #28346](https://github.com/istio/istio/issues/28346))
+
+- **Added** support for `DestinationRule` inheritance for mesh/namespace level rules. Enable feature with the `PILOT_ENABLE_DESTINATION_RULE_INHERITANCE` environment variable.
+  ([Issue #29525](https://github.com/istio/istio/issues/29525))
+
+- **Added** support for applications that bind to their pod IP address, rather than wildcard or localhost address, through the `Sidecar` API.
+  ([Issue #28178](https://github.com/istio/istio/issues/28178))
+
+- **Added** flag to enable capture of DNS traffic to the `istio-iptables` script.
+  ([Issue #29908](https://github.com/istio/istio/issues/29908))
+
+- **Added** canonical service tags to Envoy-generated trace spans.
+  ([Issue #28801](https://github.com/istio/istio/issues/28801))
+
+- **Fixed** an issue causing the timeout header `x-envoy-upstream-rq-timeout-ms` to not be honored.
+  ([Issue #30885](https://github.com/istio/istio/issues/30885))
+
+- **Fixed** an issue where access log service causes Istio proxy to reject configuration.
+  ([Issue #30939](https://github.com/istio/istio/issues/30939))
+
+- **Fixed** an issue causing an alternative Envoy binary to be included in the Docker image. The binaries are functionally equivalent.
+  ([Issue #31038](https://github.com/istio/istio/issues/31038))
+
+- **Fixed** an issue where the TLS v2 version was enforced only on HTTP ports. This option is now applied to all ports.
+
+- **Fixed** an issue where Wasm plugin configuration update will cause requests to fail.
+  ([Issue #29843](https://github.com/istio/istio/issues/29843))
+
+- **Removed** support for reading Istio configuration over the Mesh Configuration Protocol (MCP).
+  ([Issue #28634](https://github.com/istio/istio/issues/28634))

content/en/news/security/istio-security-2021-001/index.md

@@ -0,0 +1,46 @@
+---
+title: ISTIO-SECURITY-2021-001
+subtitle: Security Bulletin
+description: JWT authentication can be bypassed when AuthorizationPolicy is misused.
+cves: [N/A]
+cvss: "8.2"
+vector: ""
+releases: ["1.9.0"]
+publishdate: 2021-03-01
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+This issue only affects Istio 1.9.0; previous versions of Istio are not affected. This issue has been given a CVSS score
+of 8.2 by the Istio product security working group.
+
+Envoy, and subsequently Istio, is vulnerable to a newly discovered vulnerability:
+
+- [Envoy JWT filter bypass when using the allow_missing configuration under requires_any](https://groups.google.com/g/envoy-security-announce/c/aqtBt5VUor0).
+
+You are subject to the vulnerability if you are using `RequestAuthentication` alone for JWT validation.
+
+You are **not** subject to the vulnerability if you use **both** `RequestAuthentication` and `AuthorizationPolicy` for JWT validation.
+
+{{< warning >}}
+Please note that `RequestAuthentication` is used to define a list of issuers that should be accepted. It does not reject
+a request without JWT token.
+{{< /warning >}}
+
+For Istio, this vulnerability only exists if your service:
+* Accepts JWT tokens (with `RequestAuthentication`)
+* Has some service paths without `AuthorizationPolicy` applied.
+
+For the service paths that both conditions are met, an incoming request with a JWT token, and the token issuer is not in
+`RequestAuthentication` will bypass the JWT validation, instead of getting rejected.
+
+## Mitigation
+
+For proper JWT validation, you should always use the `AuthorizationPolicy` as documented on istio.io for
+[specifying a valid token](/docs/tasks/security/authentication/authn-policy/#require-a-valid-token).
+To do this you will have to audit all of your `RequestAuthentication` and subsequent `AuthorizationPolicy` resources to
+make sure they align with the documented practice.
+
+{{< boilerplate "security-vulnerability" >}}