[release-1.22] security adv, release notes 1.22.1 and 1.21.4 (#15358)

* release notes

Signed-off-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/news/releases/1.22.x/announcing-1.22.2/index.md

Co-authored-by: Faseela K <k.faseela@gmail.com>

* Update content/en/news/releases/1.21.x/announcing-1.21.4/index.md

Co-authored-by: Faseela K <k.faseela@gmail.com>

---------

Signed-off-by: Daniel Hawton <daniel@hawton.org>
Co-authored-by: Faseela K <k.faseela@gmail.com>
Daniel Hawton 2024-06-27 20:41:26 -06:00 committed by GitHub
parent 57ad27ff85
commit ef2d6f5699
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
16 changed files with 153 additions and 41 deletions

View File

@ -519,6 +519,7 @@ GCP_OPTS
gcr.io
gdb
Geneve
GHSA-8mq4-c2v5-3h39
GiB
git
GitHub

View File

@ -29,5 +29,5 @@ ENDSNIP
ENDSNIP
! IFS=$'\n' read -r -d '' bpsnip_args_istio_full_version <<\ENDSNIP
1.22.1
1.22.2
ENDSNIP

View File

@ -27,6 +27,6 @@ istioctl tag list
! IFS=$'\n' read -r -d '' bpsnip_revision_tags_middle__1_out <<\ENDSNIP
TAG REVISION NAMESPACES
default 1-21-1 ...
prod-canary 1-22-1 ...
prod-canary 1-22-2 ...
prod-stable 1-21-1 ...
ENDSNIP

View File

@ -55,10 +55,10 @@ helm ls -n istio-system
! IFS=$'\n' read -r -d '' snip_show_components_out <<\ENDSNIP
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.22.1 1.22.1
istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.22.1 1.22.1
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.22.1 1.22.1
ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.22.1 1.22.1
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.22.2 1.22.2
istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.22.2 1.22.2
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.22.2 1.22.2
ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.22.2 1.22.2
ENDSNIP
snip_check_pods() {
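Review bot: the sample `helm ls` output is bumped to `1.22.2` but the UPDATED column on every row still reads `2024-04-17 22:14:45`, which predates the 1.22.2 release (`publishdate: 2024-06-27` elsewhere in this commit); regenerating the snippet from a real install would keep the sample self-consistent. Cosmetic only, since the snippet is display-only text.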
@ -78,10 +78,10 @@ helm ls -n istio-system
! IFS=$'\n' read -r -d '' snip_uninstall_1_out <<\ENDSNIP
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.22.1 1.22.1
istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.22.1 1.22.1
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.22.1 1.22.1
ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.22.1 1.22.1
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.22.2 1.22.2
istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.22.2 1.22.2
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.22.2 1.22.2
ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.22.2 1.22.2
ENDSNIP
snip_delete_ingress() {

View File

@ -70,9 +70,8 @@ Please keep up-to-date and use a supported version.
| Minor Releases | Patched versions with no known CVEs |
|----------------|-------------------------------------|
| 1.22.x | 1.22.1+ |
| 1.21.x | 1.21.3+ |
| 1.20.x | 1.20.7+ |
| 1.22.x | 1.22.2+ |
| 1.21.x | 1.21.4+ |
## Supported Envoy Versions
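Review bot: dropping the `1.20.x` row leaves readers on 1.20 with no guidance, because the bulletin added in this same commit lists only `1.21.0 to 1.21.3` and `1.22.0 to 1.22.1` as affected and the text above the table only says to use a supported version. Suggest a line under the table stating that 1.20 reached end of life on Jun 25, 2024 (the `eolDate` set in this commit) and that 1.20 users should move to `1.21.4+` or `1.22.2+` rather than wait for a 1.20 patch.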
@ -84,6 +83,5 @@ The relationship between the two project's versions:
|---------------|----------------------|
| 1.22.x | release/v1.30 |
| 1.21.x | release/v1.29 |
| 1.20.x | release/v1.28 |
You can find the precise Envoy commit used by Istio [in the `istio/proxy` repository](https://github.com/istio/proxy/blob/{{< source_branch_name >}}/WORKSPACE#L26): look for the `ENVOY_SHA` variable.

View File

@ -31,7 +31,7 @@ curl -L https://istio.io/downloadIstio | sh -
}
snip_download_istio_2() {
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.1 TARGET_ARCH=x86_64 sh -
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.2 TARGET_ARCH=x86_64 sh -
}
snip_download_istio_4() {

View File

@ -26,7 +26,7 @@ curl -L https://istio.io/downloadIstio | sh -
}
snip_download_istio_2() {
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.1 TARGET_ARCH=x86_64 sh -
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.2 TARGET_ARCH=x86_64 sh -
}
snip_download_istio_4() {

View File

@ -35,7 +35,7 @@ helm ls -n istio-system
! IFS=$'\n' read -r -d '' snip_installation_steps_4_out <<\ENDSNIP
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.22.1 1.22.1
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.22.2 1.22.2
ENDSNIP
snip_install_discovery() {
@ -48,8 +48,8 @@ helm ls -n istio-system
! IFS=$'\n' read -r -d '' snip_installation_steps_6_out <<\ENDSNIP
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.22.1 1.22.1
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.22.1 1.22.1
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.22.2 1.22.2
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.22.2 1.22.2
ENDSNIP
snip_installation_steps_7() {
@ -93,7 +93,7 @@ kubectl get deployments -n istio-system --output wide
! IFS=$'\n' read -r -d '' snip_installation_steps_8_out <<\ENDSNIP
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
istiod 1/1 1 1 10m discovery docker.io/istio/pilot:1.22.1 istio=pilot
istiod 1/1 1 1 10m discovery docker.io/istio/pilot:1.22.2 istio=pilot
ENDSNIP
snip_install_ingressgateway() {
@ -107,8 +107,8 @@ helm ls -n istio-system
! IFS=$'\n' read -r -d '' snip_helm_ls_out <<\ENDSNIP
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.22.1 1.22.1
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.22.1 1.22.1
istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.22.2 1.22.2
istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.22.2 1.22.2
ENDSNIP
snip_delete_delete_gateway_charts() {

View File

@ -153,11 +153,11 @@ istio-system example-istiocontrolplane1-21-0 HEALTHY 11m
ENDSNIP
snip_canary_upgrade_init() {
istio-1.22.1/bin/istioctl operator init --revision 1-22-1
istio-1.22.2/bin/istioctl operator init --revision 1-22-2
}
snip_cat_operator_yaml() {
cat example-istiocontrolplane-1-22-1.yaml
cat example-istiocontrolplane-1-22-2.yaml
}
! IFS=$'\n' read -r -d '' snip_cat_operator_yaml_out <<\ENDSNIP
@ -165,9 +165,9 @@ apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: example-istiocontrolplane-1-22-1
name: example-istiocontrolplane-1-22-2
spec:
revision: 1-22-1
revision: 1-22-2
profile: default
ENDSNIP
@ -177,7 +177,7 @@ kubectl get pod -n istio-system -l app=istiod
! IFS=$'\n' read -r -d '' snip_get_pods_istio_system_out <<\ENDSNIP
NAME READY STATUS RESTARTS AGE
istiod-1-22-1-597475f4f6-bgtcz 1/1 Running 0 64s
istiod-1-22-2-597475f4f6-bgtcz 1/1 Running 0 64s
istiod-6ffcc65b96-bxzv5 1/1 Running 0 2m11s
ENDSNIP
@ -188,7 +188,7 @@ kubectl get services -n istio-system -l app=istiod
! IFS=$'\n' read -r -d '' snip_get_svc_istio_system_out <<\ENDSNIP
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istiod ClusterIP 10.104.129.150 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP 2m35s
istiod-1-22-1 ClusterIP 10.111.17.49 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 88s
istiod-1-22-2 ClusterIP 10.111.17.49 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 88s
ENDSNIP
snip_delete_example_istiocontrolplane() {

View File

@ -99,12 +99,12 @@ istioctl proxy-status | grep "\.test-ns "
snip_usage_1() {
istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --revision=1-21-1 --set profile=minimal --skip-confirmation
istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --revision=1-22-1 --set profile=minimal --skip-confirmation
istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --revision=1-22-2 --set profile=minimal --skip-confirmation
}
snip_usage_2() {
istioctl tag set prod-stable --revision 1-21-1
istioctl tag set prod-canary --revision 1-22-1
istioctl tag set prod-canary --revision 1-22-2
}
snip_usage_3() {
@ -128,13 +128,13 @@ istioctl ps
! IFS=$'\n' read -r -d '' snip_usage_5_out <<\ENDSNIP
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
sleep-78ff5975c6-62pzf.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-1-7f6fc6cfd6-s8zfg 1.22.1
sleep-78ff5975c6-62pzf.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-2-7f6fc6cfd6-s8zfg 1.22.2
sleep-78ff5975c6-8kxpl.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-21-1-bdf5948d5-n72r2 1.21.1
sleep-78ff5975c6-8q7m6.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-21-1-bdf5948d5-n72r2 1-21.1
ENDSNIP
snip_usage_6() {
istioctl tag set prod-stable --revision 1-22-1 --overwrite
istioctl tag set prod-stable --revision 1-22-2 --overwrite
}
snip_usage_7() {
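Review bot: the unchanged context line for `sleep-78ff5975c6-8q7m6.app-ns-2` shows `1-21.1` in the VERSION column, while every other row uses the dotted form (`1.21.1`); since this snippet is being regenerated for the version bump anyway, fix the stray hyphen so the sample matches what `istioctl ps` actually prints.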
@ -148,13 +148,13 @@ istioctl ps
! IFS=$'\n' read -r -d '' snip_usage_8_out <<\ENDSNIP
NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION
sleep-5984f48bc7-kmj6x.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-1-7f6fc6cfd6-jsktb 1.22.1
sleep-78ff5975c6-jldk4.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-1-7f6fc6cfd6-jsktb 1.22.1
sleep-7cdd8dccb9-5bq5n.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-1-7f6fc6cfd6-jsktb 1.22.1
sleep-5984f48bc7-kmj6x.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-2-7f6fc6cfd6-jsktb 1.22.2
sleep-78ff5975c6-jldk4.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-2-7f6fc6cfd6-jsktb 1.22.2
sleep-7cdd8dccb9-5bq5n.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-2-7f6fc6cfd6-jsktb 1.22.2
ENDSNIP
snip_default_tag_1() {
istioctl tag set default --revision 1-22-1
istioctl tag set default --revision 1-22-2
}
snip_uninstall_old_control_plane_1() {

View File

@ -78,15 +78,15 @@ helm upgrade istio-base istio/base --set defaultRevision=canary -n istio-system
snip_usage_1() {
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-21-1 -n istio-system | kubectl apply -f -
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-canary}" --set revision=1-22-1 -n istio-system | kubectl apply -f -
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-canary}" --set revision=1-22-2 -n istio-system | kubectl apply -f -
}
snip_usage_2() {
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-22-1 -n istio-system | kubectl apply -f -
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-22-2 -n istio-system | kubectl apply -f -
}
snip_default_tag_1() {
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{default}" --set revision=1-22-1 -n istio-system | kubectl apply -f -
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{default}" --set revision=1-22-2 -n istio-system | kubectl apply -f -
}
snip_in_place_upgrade_1() {

View File

@ -0,0 +1,33 @@
---
title: Announcing Istio 1.21.4
linktitle: 1.21.4
subtitle: Patch Release
description: Istio 1.21.4 patch release.
publishdate: 2024-06-27
release: 1.21.4
---
This release implements the security updates described in our 27th of June post, [`ISTIO-SECURITY-2024-005`](/news/security/istio-security-2024-005) along with bug fixes to improve robustness.
This release note describes what is different between Istio 1.21.3 and 1.21.4.
{{< relnote >}}
## Changes
- **Added** `gateways.securityContext` to manifests to provide an option to customize the gateway `securityContext`.
([Issue #49549](https://github.com/istio/istio/issues/49549))
- **Fixed** an issue where `istioctl analyze` returned IST0162 false positives.
([Issue #51257](https://github.com/istio/istio/issues/51257))
- **Fixed** false positives in IST0128 and IST0129 when `credentialName` and `workloadSelector` were set.
([Issue #51567](https://github.com/istio/istio/issues/51567))
- **Fixed** an issue where JWKS fetched from URIs were not updated promptly when there are errors fetching other URIs.
([Issue #51636](https://github.com/istio/istio/issues/51636))
- **Fixed** 503 errors returned by `auto-passthrough` gateways created after enabling mTLS.
- **Fixed** `serviceRegistry` ordering of the proxy labels, so we put the Kubernetes registry in front.
([Issue #50968](https://github.com/istio/istio/issues/50968))

View File

@ -0,0 +1,56 @@
---
title: Announcing Istio 1.22.2
linktitle: 1.22.2
subtitle: Patch Release
description: Istio 1.22.2 patch release.
publishdate: 2024-06-27
release: 1.22.2
---
This release implements the security updates described in our 27th of June post, [`ISTIO-SECURITY-2024-005`](/news/security/istio-security-2024-005) along with bug fixes to improve robustness.
This release note describes what is different between Istio 1.22.1 and 1.22.2.
{{< relnote >}}
## Changes
- **Improved** waypoint proxies to no longer run as root.
- **Added** `gateways.securityContext` to manifests to provide an option to customize the gateway `securityContext`.
([Issue #49549](https://github.com/istio/istio/issues/49549))
- **Added** a new option in ztunnel to completely disable IPv6, to enable running on kernels with IPv6 disabled.
- **Fixed** an issue where `istioctl analyze` returned IST0162 false positives.
([Issue #51257](https://github.com/istio/istio/issues/51257))
- **Fixed** `ENABLE_ENHANCED_RESOURCE_SCOPING` not being part of helm compatibility profiles for Istio 1.20/1.21.
([Issue #51399](https://github.com/istio/istio/issues/51399))
- **Fixed** Kubernetes job pod IPs may not be fully unenrolled from ambient despite being in a terminated state.
- **Fixed** false positives in IST0128 and IST0129 when `credentialName` and `workloadSelector` were set.
([Issue #51567](https://github.com/istio/istio/issues/51567))
- **Fixed** an issue where JWKS fetched from URIs were not updated promptly when there are errors fetching other URIs.
([Issue #51636](https://github.com/istio/istio/issues/51636))
- **Fixed** an issue causing `workloadSelector` policies to apply to the wrong namespace in ztunnel.
([Issue #51556](https://github.com/istio/istio/issues/51556))
- **Fixed** a bug causing `discoverySelectors` to accidentally filter out all `GatewayClasses`.
- **Fixed** certificate chains parsing avoid unnecessary parsing errors by trimming unnecessary intermediate certificates.
- **Fixed** a bug in ambient mode causing requests at the start of a Pod lifetime to be rejected with `unknown source`.
- **Fixed** an issue in ztunnel where some expected connection terminations were reported as errors.
- **Fixed** an issue in ztunnel when connecting to a service with a `targetPort` that exists only on a subset of pods.
- **Fixed** an issue when deleting a `ServiceEntry` when there are duplicate hostnames across multiple `ServiceEntries`.
- **Fixed** an issue where ztunnel would send directly to pods when connecting to a `LoadBalancer` IP, instead of going through the `LoadBalancer`.
- **Fixed** an issue where ztunnel would send traffic to terminating pods.

View File

@ -0,0 +1,24 @@
---
title: ISTIO-SECURITY-2024-005
subtitle: Security Bulletin
description: CVEs reported by Envoy.
cves: []
cvss: "7.5"
vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
releases: ["1.21.0 to 1.21.3", "1.22.0 to 1.22.1"]
publishdate: 2024-06-27
keywords: [CVE]
skip_seealso: true
---
{{< security_bulletin >}}
## CVE
### Envoy CVEs
- __[GHSA-8mq4-c2v5-3h39](https://github.com/envoyproxy/envoy/security/advisories/GHSA-8mq4-c2v5-3h39)__: (CVSS Score 7.5, Moderate): Datadog: Datadog tracer does not handle trace headers with Unicode characters.
## Am I Impacted?
You are impacted if you are using Istio 1.21.0 to 1.21.3 or 1.22.0 to 1.22.1 and have enabled the Datadog tracer.
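Review bot: the severity label and the score disagree in the `GHSA-8mq4-c2v5-3h39` bullet: `CVSS Score 7.5` with vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` falls in the High band (7.0 to 8.9) of the CVSS v3 qualitative scale, yet the bullet says `Moderate`. If `Moderate` is Envoy's own rating from the linked advisory, say so (for example `Moderate per Envoy`); otherwise use High so the prose agrees with `cvss: "7.5"` in the frontmatter. Also, `cves: []` is empty and `description: CVEs reported by Envoy.` promises CVE ids while the only identifier is a GHSA; consider rewording the description to `Security advisory reported by Envoy.` so the empty list is not surprising.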

View File

@ -2,7 +2,7 @@
version: "1.22"
# The full Istio version identifier the docs describe
full_version: "1.22.1"
full_version: "1.22.2"
# The previous Istio version identifier the docs describe, used for upgrade documentation
previous_version: "1.21"

View File

@ -22,7 +22,7 @@
- version: "1.20"
supported: "Yes"
releaseDate: "Nov 14, 2023"
eolDate: "~Jul 2024 (Expected)"
eolDate: "Jun 25, 2024"
k8sVersions: ["1.25", "1.26", "1.27", "1.28", "1.29"]
testedK8sVersions: ["1.23", "1.24"]
- version: "1.19"
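Review bot: `eolDate` for 1.20 becomes `Jun 25, 2024`, which is already in the past relative to this commit's `publishdate: 2024-06-27`, but the unchanged context line above it still says `supported: "Yes"`; flip it to `"No"` in the same change (the support table in this commit already drops the `1.20.x` row), otherwise the support page will show 1.20 as both supported and end-of-life.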