diff --git a/.yamllint.yaml b/.yamllint.yaml
index 239f09b38..a47015b96 100644
--- a/.yamllint.yaml
+++ b/.yamllint.yaml
@@ -11,4 +11,6 @@ rules:
line-length:
max: 400
truthy:
- allowed-values: ['on', 'off', 'true', 'false']
\ No newline at end of file
+ allowed-values: ['on', 'off', 'true', 'false']
+ empty-lines:
+ level: warning
\ No newline at end of file
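Review bot: The new last line of `.yamllint.yaml` (`level: warning`) still ends without a trailing newline, as the second `\ No newline at end of file` marker shows. Since these lines are being rewritten anyway, end the file with a newline so the linter configuration passes the usual end-of-file checks and later appends produce clean diffs.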
diff --git a/README.md b/README.md
index 06faa5d7a..b17edc208 100644
--- a/README.md
+++ b/README.md
@@ -74,7 +74,7 @@ The following matrix shows the versions of common components used across differe
| Component | Local Manifests Path | Upstream Revision |
| - | - | - |
-| Istio | common/istio-1-24 | [1.24.2](https://github.com/istio/istio/releases/tag/1.24.2) |
+| Istio | common/istio-1-24 | [1.24.3](https://github.com/istio/istio/releases/tag/1.24.3) |
| Knative | common/knative/knative-serving
common/knative/knative-eventing | [v1.16.2](https://github.com/knative/serving/releases/tag/knative-v1.16.2)
[v1.16.4](https://github.com/knative/eventing/releases/tag/knative-v1.16.4) |
| Cert Manager | common/cert-manager | [1.16.1](https://github.com/cert-manager/cert-manager/releases/tag/v1.16.1) |
diff --git a/common/istio-1-24/README.md b/common/istio-1-24/README.md
index d64912b33..2e856321e 100644
--- a/common/istio-1-24/README.md
+++ b/common/istio-1-24/README.md
@@ -8,49 +8,35 @@ In this section, we explain how to upgrade our istio kustomize packages
by leveraging `istioctl`. Assuming the new version is `X.Y.Z` and the
old version is `X1.Y1.Z1`:
-1. Make a copy of the old istio manifests tree, which will become the
+1. Make a copy of the old istio manifests tree, which will become the
kustomization for the new Istio version:
- $ export MANIFESTS_SRC=
- $ export ISTIO_OLD=$MANIFESTS_SRC/common/istio-X1-Y1
- $ export ISTIO_NEW=$MANIFESTS_SRC/common/istio-X-Y
- $ cp -a $ISTIO_OLD $ISTIO_NEW
+ export MANIFESTS_SRC=
+ export ISTIO_OLD=$MANIFESTS_SRC/common/istio-X1-Y1
+ export ISTIO_NEW=$MANIFESTS_SRC/common/istio-X-Y
+ cp -a $ISTIO_OLD $ISTIO_NEW
-2. Download `istioctl` for version `X.Y.Z`:
+2. Download `istioctl` for version `X.Y.Z`:
$ ISTIO_VERSION="X.Y.Z"
$ wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
$ tar xvfz istio-${ISTIO_VERSION}-linux-amd64.tar.gz
# sudo mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl
-3. Use `istioctl` to generate an `IstioOperator` resource, the
- CustomResource used to describe the Istio Control Plane:
-
- $ cd $ISTIO_NEW
- $ istioctl profile dump default > profile.yaml
-
- ---
- **NOTE**
-
- `istioctl` comes with a bunch of [predefined profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/)
- (`default`, `demo`, `minimal`, etc.). The `default` profile is installed by default.
-
- ---
-
-4. Generate manifests and add them to their respective packages. We
+3. Generate manifests and add them to their respective packages. We
will generate manifests using `istioctl`, the
`profile.yaml` file from upstream and the
`profile-overlay.yaml` file that contains our desired
changes:
- $ export PATH="$MANIFESTS_SRC/scripts:$PATH"
- $ cd $ISTIO_NEW
- $ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml
- $ ./split-istio-packages -f dump.yaml
- $ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
- $ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base
- $ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base
- $ rm dump.yaml
+ export PATH="$MANIFESTS_SRC/scripts:$PATH"
+ cd $ISTIO_NEW
+ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml
+ ./split-istio-packages -f dump.yaml
+ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
+ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base
+ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base
+ rm dump.yaml
---
**NOTE**
@@ -58,11 +44,9 @@ old version is `X1.Y1.Z1`:
`split-istio-packages` is a python script in the same folder as this file.
The `ruamel.yaml` version used is 0.16.12.
- `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically
- detect default settings. Ensure you have a target cluster ready before running the above commands.
- We set this flag because `istioctl manifest generate` generates manifest files with resources that are no
- longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220
-
+ `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically detect default settings. Ensure you have a target cluster ready before running the above commands.
+ We target Kubernetes 1.32+ for compatibility. The `--cluster-specific` flag helps ensure generated resources are compatible with your cluster version and configuration.
+
---
## Changes to Istio's upstream manifests
@@ -71,24 +55,23 @@ old version is `X1.Y1.Z1`:
Changes to Istio's upstream profile `default` are the following:
-- Add a `cluster-local-gateway` component for Kserve. Knative-local-gateway is now obsolete https://github.com/kubeflow/manifests/pull/2355/commits/adc00b804404ea08685a044ae595be0bed9adb59.
-- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity.
+- Add a `cluster-local-gateway` component for Kserve. Knative-local-gateway is now obsolete .
+- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity.
-Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml)
-file.
+These changes are captured in the [profile-overlay.yaml](profile-overlay.yaml) file.
### Changes to the upstream manifests using kustomize
The Istio kustomizations make the following changes:
- Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. See:
- - https://github.com/istio/istio/issues/12602
- - https://github.com/istio/istio/issues/24000
+ -
+ -
- Add Istio AuthorizationPolicy to allow all requests to the Istio Ingressgateway and the Istio cluster-local gateway.
- Add Istio AuthorizationPolicy in Istio's root namespace, so that sidecars deny traffic by default (explicit deny-by-default authorization model).
- Add Gateway CRs for the Istio Ingressgateway and the Istio cluster-local gateway, as `istioctl` stopped generating them in later versions.
- Add the istio-system namespace object to `istio-namespace`, as `istioctl` stopped generating it in later versions.
- Configure TCP KeepAlives.
- Disable tracing as it causes DNS breakdown. See:
- https://github.com/istio/istio/issues/29898
-- Set ENABLE_DEBUG_ON_HTTP=false according to https://istio.io/latest/docs/ops/best-practices/security/#control-plane
+
+- Set ENABLE_DEBUG_ON_HTTP=false according to
diff --git a/common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
index 149e7623c..84bb164bc 100644
--- a/common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
+++ b/common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
@@ -7,8 +7,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -26,8 +26,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -58,9 +58,9 @@ spec:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
+ app.kubernetes.io/version: 1.24.3
chart: gateways
- helm.sh/chart: istio-ingress-1.24.2
+ helm.sh/chart: istio-ingress-1.24.3
heritage: Tiller
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
@@ -127,8 +127,7 @@ spec:
- name: ISTIO_META_WORKLOAD_NAME
value: cluster-local-gateway
- name: ISTIO_META_OWNER
- value:
- kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
+ value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: TRUST_DOMAIN
@@ -141,7 +140,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.24.2
+ image: gcr.io/istio-release/proxyv2:1.24.2
name: istio-proxy
ports:
- containerPort: 15020
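Review bot: The new `image:` line switches the gateway proxy to `gcr.io/istio-release/proxyv2` but keeps the tag at `1.24.2`, while every label in this file and the top-level README are bumped to 1.24.3. The deployed proxy would therefore still be the old build and miss whatever fixes the upgrade is meant to bring. If the upgrade is intended, the line should read `image: gcr.io/istio-release/proxyv2:1.24.3`. Because this manifest is generated by `istioctl manifest generate`, the fix probably belongs in the profile or overlay input rather than a hand edit. The registry change is also not mentioned in the README hunks shown here, and clusters with image allow-lists, mirrors or pull-through caches need to know about it. The container spec continues outside the hunk.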
@@ -258,8 +257,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -282,8 +281,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -308,8 +307,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -333,8 +332,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -367,8 +366,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
diff --git a/common/istio-1-24/istio-crds/base/crd.yaml b/common/istio-1-24/istio-crds/base/crd.yaml
index f194ef752..3785d495e 100644
--- a/common/istio-1-24/istio-crds/base/crd.yaml
+++ b/common/istio-1-24/istio-crds/base/crd.yaml
@@ -7,8 +7,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: authorizationpolicies.security.istio.io
spec:
group: security.istio.io
@@ -258,8 +258,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -293,8 +293,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
type: object
@@ -611,8 +611,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -646,8 +646,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
type: object
@@ -741,8 +741,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: destinationrules.networking.istio.io
spec:
group: networking.istio.io
@@ -1039,9 +1039,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -1159,7 +1157,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -1411,9 +1409,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing,
- this is DestinationRule-level and will override
- mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -1535,7 +1531,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled
as long as the associated load balancing pool
- has at least min_health_percent hosts in healthy
+ has at least `minHealthPercent` hosts in healthy
mode.
format: int32
type: integer
@@ -1932,8 +1928,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this is DestinationRule-level
- and will override mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -2047,7 +2042,7 @@ spec:
type: integer
minHealthPercent:
description: Outlier detection will be enabled as long as
- the associated load balancing pool has at least min_health_percent
+ the associated load balancing pool has at least `minHealthPercent`
hosts in healthy mode.
format: int32
type: integer
@@ -2294,9 +2289,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -2414,7 +2407,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -2956,9 +2949,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -3076,7 +3067,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -3328,9 +3319,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing,
- this is DestinationRule-level and will override
- mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -3452,7 +3441,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled
as long as the associated load balancing pool
- has at least min_health_percent hosts in healthy
+ has at least `minHealthPercent` hosts in healthy
mode.
format: int32
type: integer
@@ -3849,8 +3838,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this is DestinationRule-level
- and will override mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -3964,7 +3952,7 @@ spec:
type: integer
minHealthPercent:
description: Outlier detection will be enabled as long as
- the associated load balancing pool has at least min_health_percent
+ the associated load balancing pool has at least `minHealthPercent`
hosts in healthy mode.
format: int32
type: integer
@@ -4211,9 +4199,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -4331,7 +4317,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -4873,9 +4859,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -4993,7 +4977,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -5245,9 +5229,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing,
- this is DestinationRule-level and will override
- mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -5369,7 +5351,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled
as long as the associated load balancing pool
- has at least min_health_percent hosts in healthy
+ has at least `minHealthPercent` hosts in healthy
mode.
format: int32
type: integer
@@ -5766,8 +5748,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this is DestinationRule-level
- and will override mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -5881,7 +5862,7 @@ spec:
type: integer
minHealthPercent:
description: Outlier detection will be enabled as long as
- the associated load balancing pool has at least min_health_percent
+ the associated load balancing pool has at least `minHealthPercent`
hosts in healthy mode.
format: int32
type: integer
@@ -6128,9 +6109,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -6248,7 +6227,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -6520,8 +6499,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: envoyfilters.networking.istio.io
spec:
group: networking.istio.io
@@ -6679,7 +6658,7 @@ spec:
additionalProperties:
type: string
description: Match on the node metadata supplied by
- a proxy when connecting to Istio Pilot.
+ a proxy when connecting to istiod.
type: object
proxyVersion:
description: A regular expression in golang regex format
@@ -6815,8 +6794,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
workloadSelector:
@@ -6926,8 +6905,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: gateways.networking.istio.io
spec:
group: networking.istio.io
@@ -7641,8 +7620,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: peerauthentications.security.istio.io
spec:
group: security.istio.io
@@ -7987,8 +7966,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: proxyconfigs.networking.istio.io
spec:
group: networking.istio.io
@@ -8137,8 +8116,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: requestauthentications.security.istio.io
spec:
group: security.istio.io
@@ -8322,8 +8301,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -8357,8 +8336,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
type: object
@@ -8609,8 +8588,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -8644,8 +8623,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
type: object
@@ -8739,8 +8718,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: serviceentries.networking.istio.io
spec:
group: networking.istio.io
@@ -8804,11 +8783,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :
- true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
+ \ true"
labels:
additionalProperties:
type: string
@@ -8853,8 +8832,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -8962,15 +8941,15 @@ spec:
rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
- message: CIDR addresses are allowed only for NONE/STATIC resolution
types
- rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
- && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
- != 'NONE'))"
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))\
+ \ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution\
+ \ != 'NONE'))"
- message: NONE mode cannot set endpoints
- rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
- : true"
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)\
+ \ : true"
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
- rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
- ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')\
+ \ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
properties:
conditions:
@@ -9097,11 +9076,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :
- true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
+ \ true"
labels:
additionalProperties:
type: string
@@ -9146,8 +9125,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -9255,15 +9234,15 @@ spec:
rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
- message: CIDR addresses are allowed only for NONE/STATIC resolution
types
- rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
- && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
- != 'NONE'))"
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))\
+ \ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution\
+ \ != 'NONE'))"
- message: NONE mode cannot set endpoints
- rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
- : true"
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)\
+ \ : true"
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
- rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
- ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')\
+ \ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
properties:
conditions:
@@ -9390,11 +9369,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :
- true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
+ \ true"
labels:
additionalProperties:
type: string
@@ -9439,8 +9418,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -9548,15 +9527,15 @@ spec:
rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
- message: CIDR addresses are allowed only for NONE/STATIC resolution
types
- rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
- && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
- != 'NONE'))"
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))\
+ \ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution\
+ \ != 'NONE'))"
- message: NONE mode cannot set endpoints
- rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
- : true"
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)\
+ \ : true"
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
- rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
- ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')\
+ \ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
properties:
conditions:
@@ -9646,8 +9625,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: sidecars.networking.istio.io
spec:
group: networking.istio.io
@@ -11286,8 +11265,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: telemetries.telemetry.istio.io
spec:
group: telemetry.istio.io
@@ -11443,11 +11422,11 @@ spec:
type: object
x-kubernetes-validations:
- message: value must be set when operation is UPSERT
- rule: "((has(self.operation) ? self.operation : '')
- == 'UPSERT') ? self.value != '' : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'UPSERT') ? self.value != '' : true"
- message: value must not be set when operation is REMOVE
- rule: "((has(self.operation) ? self.operation : '')
- == 'REMOVE') ? !has(self.value) : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'REMOVE') ? !has(self.value) : true"
description: Optional.
type: object
type: object
@@ -11523,8 +11502,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -11558,8 +11537,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
tracing:
@@ -11891,11 +11870,11 @@ spec:
type: object
x-kubernetes-validations:
- message: value must be set when operation is UPSERT
- rule: "((has(self.operation) ? self.operation : '')
- == 'UPSERT') ? self.value != '' : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'UPSERT') ? self.value != '' : true"
- message: value must not be set when operation is REMOVE
- rule: "((has(self.operation) ? self.operation : '')
- == 'REMOVE') ? !has(self.value) : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'REMOVE') ? !has(self.value) : true"
description: Optional.
type: object
type: object
@@ -11971,8 +11950,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -12006,8 +11985,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
tracing:
@@ -12210,8 +12189,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: virtualservices.networking.istio.io
spec:
group: networking.istio.io
@@ -15346,8 +15325,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: wasmplugins.extensions.istio.io
spec:
group: extensions.istio.io
@@ -15519,8 +15498,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -15554,8 +15533,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
type:
@@ -15574,9 +15553,9 @@ spec:
type: string
x-kubernetes-validations:
- message: url must have schema one of [http, https, file, oci]
- rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',
- 'oci', 'file']) : (isURL('http://' + self) && url('http://' +self).getScheme()
- in ['', 'http', 'https', 'oci', 'file'])"
+ rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',\
+ \ 'oci', 'file']) : (isURL('http://' + self) && url('http://'\
+ \ +self).getScheme() in ['', 'http', 'https', 'oci', 'file'])"
verificationKey:
type: string
vmConfig:
@@ -15610,8 +15589,8 @@ spec:
type: object
x-kubernetes-validations:
- message: value may only be set when valueFrom is INLINE
- rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'
- || !has(self.value)"
+ rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'\
+ \ || !has(self.value)"
maxItems: 256
type: array
x-kubernetes-list-map-keys:
@@ -15713,8 +15692,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: workloadentries.networking.istio.io
spec:
group: networking.istio.io
@@ -15758,8 +15737,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
- || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
+ \ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -15806,8 +15785,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
- : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
+ \ : true"
status:
properties:
conditions:
@@ -15914,8 +15893,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
- || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
+ \ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -15962,8 +15941,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
- : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
+ \ : true"
status:
properties:
conditions:
@@ -16070,8 +16049,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
- || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
+ \ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -16118,8 +16097,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
- : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
+ \ : true"
status:
properties:
conditions:
@@ -16207,8 +16186,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: workloadgroups.networking.istio.io
spec:
group: networking.istio.io
@@ -16380,8 +16359,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -16426,8 +16405,8 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
required:
- template
type: object
@@ -16665,8 +16644,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -16711,8 +16690,8 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
required:
- template
type: object
@@ -16950,8 +16929,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -16996,8 +16975,8 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
required:
- template
type: object
diff --git a/common/istio-1-24/istio-install/base/install.yaml b/common/istio-1-24/istio-install/base/install.yaml
index 414a98dc4..6a3d1f603 100644
--- a/common/istio-1-24/istio-install/base/install.yaml
+++ b/common/istio-1-24/istio-install/base/install.yaml
@@ -7,8 +7,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-reader
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
release: istio
name: istio-reader-service-account
namespace: istio-system
@@ -22,8 +22,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod
namespace: istio-system
@@ -37,8 +37,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-reader
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istio-reader-clusterrole-istio-system
rules:
@@ -151,8 +151,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod-clusterrole-istio-system
rules:
@@ -371,8 +371,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod-gateway-controller-istio-system
rules:
@@ -422,8 +422,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-reader
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istio-reader-clusterrole-istio-system
roleRef:
@@ -444,8 +444,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod-clusterrole-istio-system
roleRef:
@@ -466,8 +466,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod-gateway-controller-istio-system
roleRef:
@@ -488,8 +488,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
istio: istiod
istio.io/rev: default
release: istio
@@ -548,8 +548,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -1832,6 +1832,9 @@ data:
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
+ {{- if .Values.global.proxy.outlierLogPath }}
+ - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+ {{- end}}
env:
- name: ISTIO_META_SERVICE_ACCOUNT
valueFrom:
@@ -2410,7 +2413,7 @@ data:
}
},
"externalIstiod": false,
- "hub": "docker.io/istio",
+ "hub": "gcr.io/istio-release",
"imagePullPolicy": "",
"imagePullSecrets": [],
"istioNamespace": "istio-system",
@@ -2524,8 +2527,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -2542,8 +2545,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -2700,8 +2703,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
@@ -2729,8 +2732,8 @@ spec:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/dataplane-mode: none
@@ -2748,6 +2751,8 @@ spec:
- --keepaliveMaxServerConnectionAge
- 30m
env:
+ - name: ENABLE_NATIVE_SIDECARS
+ value: 'true'
- name: REVISION
value: default
- name: PILOT_CERT_PROVIDER
@@ -2788,7 +2793,7 @@ spec:
resource: limits.cpu
- name: PLATFORM
value: ''
- image: docker.io/istio/pilot:1.24.2
+ image: gcr.io/istio-release/pilot:1.24.2
name: discovery
ports:
- containerPort: 8080
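Review bot: The discovery container is pinned to `gcr.io/istio-release/pilot:1.24.2` here, while every label in this file is bumped to 1.24.3 and the ingress gateway deployment moves to `proxyv2:1.24.3`, so istiod would keep running the old patch release under metadata that claims the new one. The likely source is the unchanged `tag: 1.24.2` context line in `common/istio-1-24/profile.yaml`; changing it to `tag: 1.24.3` and regenerating should correct this line. The same mismatch shows in `image: gcr.io/istio-release/proxyv2:1.24.2` in `common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml`, presumably from the corresponding profile there. A skew like this makes inventory and image scanning keyed on `app.kubernetes.io/version` misleading, so a CI check that each Istio image tag equals that label would be worth adding. The Deployment spec continues outside the hunk.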
@@ -2884,8 +2889,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
@@ -2909,8 +2914,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod
namespace: istio-system
@@ -2957,8 +2962,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod
namespace: istio-system
@@ -2980,8 +2985,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -3012,8 +3017,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
diff --git a/common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml b/common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
index 45a37d7f8..2e12ccbc8 100644
--- a/common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
+++ b/common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
@@ -107,7 +107,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.24.2
+ image: gcr.io/istio-release/proxyv2:1.24.3
name: istio-proxy
ports:
- containerPort: 15021
diff --git a/common/istio-1-24/istio-install/base/kustomization.yaml b/common/istio-1-24/istio-install/base/kustomization.yaml
index 71e491be0..c1508683d 100644
--- a/common/istio-1-24/istio-install/base/kustomization.yaml
+++ b/common/istio-1-24/istio-install/base/kustomization.yaml
@@ -17,5 +17,9 @@ patches:
- path: patches/disable-debugging.yaml
# - path: patches/istio-ingressgateway-remove-pdb.yaml
- path: patches/istiod-remove-pdb.yaml
-# - path: patches/seccomp-istio-ingressgateway.yaml
+- path: patches/seccomp-istio-ingressgateway.yaml
- path: patches/seccomp-istiod.yaml
+
+images:
+- name: busybox
+ newName: registry.k8s.io/busybox
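Review bot: The new `images:` entry rewrites `busybox` to `registry.k8s.io/busybox` but sets neither `newTag` nor `digest`, so whatever tag the base manifests carry (possibly none, which resolves to `latest`) is kept and the reference stays mutable. Since the override appears intended to move the pull off Docker Hub, I would pin it in the same change by adding `digest: sha256:<pinned-digest>` under `newName`, after confirming that the repository at the new registry is still maintained and serves the expected image. The manifest that references `busybox` is not visible in this hunk; kustomize only rewrites images whose name is exactly `busybox`, so a reference written as `docker.io/busybox` or `library/busybox` would silently keep its original registry.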
diff --git a/common/istio-1-24/profile.yaml b/common/istio-1-24/profile.yaml
index 838edaf5f..55765c85f 100644
--- a/common/istio-1-24/profile.yaml
+++ b/common/istio-1-24/profile.yaml
@@ -12,7 +12,11 @@ spec:
name: istio-ingressgateway
pilot:
enabled: true
- hub: docker.io/istio
+ k8s:
+ env:
+ - name: ENABLE_NATIVE_SIDECARS
+ value: "true"
+ hub: gcr.io/istio-release
profile: default
tag: 1.24.2
values:
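Review bot: `ENABLE_NATIVE_SIDECARS` is switched on for istiod without a comment on what it requires or changes, and this profile looks like the hand-edited source for the generated manifests. I would add a comment above the new `env:` entry, for example `# Native sidecars: needs the Kubernetes SidecarContainers feature (on by default from 1.29); istio-proxy is injected as a restartable init container`. Because the proxy then appears under `initContainers` instead of `containers`, admission policies, resource-quota assumptions and detections that match on the `istio-proxy` container should be checked against the new pod shape before rollout. The `spec` block continues outside the hunk.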
@@ -23,4 +27,3 @@ spec:
global:
configValidation: true
istioNamespace: istio-system
-
diff --git a/common/istio-cni-1-24/README.md b/common/istio-cni-1-24/README.md
index 89dba3c52..3408c67d9 100644
--- a/common/istio-cni-1-24/README.md
+++ b/common/istio-cni-1-24/README.md
@@ -1,7 +1,13 @@
# Istio-CNI
-This uses istio-cni as described here https://istio.io/latest/docs/setup/additional-setup/cni/.
-Please be aware of Kserve and initcontainers https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers. Either use runasuser : 1337 xor add the annotation traffic.sidecar.istio.io/excludeOutboundIPRanges: 0.0.0.0/0 for kserve inferenceservices.
+This uses istio-cni as described here .
+
+This configuration also enables native sidecars for Istio through the `ENABLE_NATIVE_SIDECARS=true` environment variable in istiod. Native sidecars (introduced in Kubernetes 1.28 as an alpha feature) help address issues with init containers and application lifecycle management. Learn more about native sidecars at .
+
+With native sidecars enabled, init containers should be able to access the network through the Istio proxy. However, if you still encounter issues with KServe and init containers, you can refer to and either:
+
+1. Use `runAsUser: 1337` in your init containers, OR
+2. Add the annotation `traffic.sidecar.istio.io/excludeOutboundIPRanges: 0.0.0.0/0` to your KServe inferenceservices.
## Upgrade Istio Manifests
@@ -11,49 +17,35 @@ In this section, we explain how to upgrade our istio kustomize packages
by leveraging `istioctl`. Assuming the new version is `X.Y.Z` and the
old version is `X1.Y1.Z1`:
-1. Make a copy of the old istio manifests tree, which will become the
+1. Make a copy of the old istio manifests tree, which will become the
kustomization for the new Istio version:
- $ export MANIFESTS_SRC=
- $ export ISTIO_OLD=$MANIFESTS_SRC/common/istio-cni-X1-Y1
- $ export ISTIO_NEW=$MANIFESTS_SRC/common/istio-cni-X-Y
- $ cp -a $ISTIO_OLD $ISTIO_NEW
+ export MANIFESTS_SRC=
+ export ISTIO_OLD=$MANIFESTS_SRC/common/istio-cni-X1-Y1
+ export ISTIO_NEW=$MANIFESTS_SRC/common/istio-cni-X-Y
+ cp -a $ISTIO_OLD $ISTIO_NEW
-2. Download `istioctl` for version `X.Y.Z`:
+2. Download `istioctl` for version `X.Y.Z`:
$ ISTIO_VERSION="X.Y.Z"
$ wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
$ tar xvfz istio-${ISTIO_VERSION}-linux-amd64.tar.gz
# sudo mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl
-3. Use `istioctl` to generate an `IstioOperator` resource, the
- CustomResource used to describe the Istio Control Plane:
-
- $ cd $ISTIO_NEW
- $ istioctl profile dump default > profile.yaml
-
- ---
- **NOTE**
-
- `istioctl` comes with a bunch of [predefined profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/)
- (`default`, `demo`, `minimal`, etc.). The `default` profile is installed by default.
-
- ---
-
-4. Generate manifests and add them to their respective packages. We
+3. Generate manifests and add them to their respective packages. We
will generate manifests using `istioctl`, the
`profile.yaml` file from upstream and the
`profile-overlay.yaml` file that contains our desired
changes:
- $ export PATH="$MANIFESTS_SRC/scripts:$PATH"
- $ cd $ISTIO_NEW
- $ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml --set components.cni.enabled=true --set components.cni.namespace=kube-system > dump.yaml
- $ ./split-istio-packages -f dump.yaml
- $ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
- $ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base
- $ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base
- $ rm dump.yaml
+ export PATH="$MANIFESTS_SRC/scripts:$PATH"
+ cd $ISTIO_NEW
+ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml --set components.cni.enabled=true --set components.cni.namespace=kube-system > dump.yaml
+ ./split-istio-packages -f dump.yaml
+ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
+ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base
+ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base
+ rm dump.yaml
---
**NOTE**
@@ -61,11 +53,9 @@ old version is `X1.Y1.Z1`:
`split-istio-packages` is a python script in the same folder as this file.
The `ruamel.yaml` version used is 0.16.12.
- `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically
- detect default settings. Ensure you have a target cluster ready before running the above commands.
- We set this flag because `istioctl manifest generate` generates manifest files with resources that are no
- longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220
-
+ `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically detect default settings. Ensure you have a target cluster ready before running the above commands.
+ We target Kubernetes 1.32+ for compatibility. The `--cluster-specific` flag helps ensure generated resources are compatible with your cluster version and configuration.
+
---
## Changes to Istio's upstream manifests
@@ -74,8 +64,8 @@ old version is `X1.Y1.Z1`:
Changes to Istio's upstream profile `default` are the following:
-- Add a `cluster-local-gateway` component for Kserve. Knative-local-gateway is now obsolete https://github.com/kubeflow/manifests/pull/2355/commits/adc00b804404ea08685a044ae595be0bed9adb59.
-- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity.
+- Add a `cluster-local-gateway` component for Kserve. Knative-local-gateway is now obsolete .
+- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity.
Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml)
file.
@@ -85,13 +75,13 @@ file.
The Istio kustomizations make the following changes:
- Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. See:
- - https://github.com/istio/istio/issues/12602
- - https://github.com/istio/istio/issues/24000
+ -
+ -
- Add Istio AuthorizationPolicy to allow all requests to the Istio Ingressgateway and the Istio cluster-local gateway.
- Add Istio AuthorizationPolicy in Istio's root namespace, so that sidecars deny traffic by default (explicit deny-by-default authorization model).
- Add Gateway CRs for the Istio Ingressgateway and the Istio cluster-local gateway, as `istioctl` stopped generating them in later versions.
- Add the istio-system namespace object to `istio-namespace`, as `istioctl` stopped generating it in later versions.
- Configure TCP KeepAlives.
- Disable tracing as it causes DNS breakdown. See:
- https://github.com/istio/istio/issues/29898
-- Set ENABLE_DEBUG_ON_HTTP=false according to https://istio.io/latest/docs/ops/best-practices/security/#control-plane
+
+- Set ENABLE_DEBUG_ON_HTTP=false according to
diff --git a/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
index 149e7623c..84bb164bc 100644
--- a/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
+++ b/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
@@ -7,8 +7,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -26,8 +26,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -58,9 +58,9 @@ spec:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
+ app.kubernetes.io/version: 1.24.3
chart: gateways
- helm.sh/chart: istio-ingress-1.24.2
+ helm.sh/chart: istio-ingress-1.24.3
heritage: Tiller
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
@@ -127,8 +127,7 @@ spec:
- name: ISTIO_META_WORKLOAD_NAME
value: cluster-local-gateway
- name: ISTIO_META_OWNER
- value:
- kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
+ value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: TRUST_DOMAIN
@@ -141,7 +140,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.24.2
+ image: gcr.io/istio-release/proxyv2:1.24.2
name: istio-proxy
ports:
- containerPort: 15020
@@ -258,8 +257,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -282,8 +281,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -308,8 +307,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -333,8 +332,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -367,8 +366,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istio-ingress-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istio-ingress-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
diff --git a/common/istio-cni-1-24/istio-crds/base/crd.yaml b/common/istio-cni-1-24/istio-crds/base/crd.yaml
index f194ef752..3785d495e 100644
--- a/common/istio-cni-1-24/istio-crds/base/crd.yaml
+++ b/common/istio-cni-1-24/istio-crds/base/crd.yaml
@@ -7,8 +7,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: authorizationpolicies.security.istio.io
spec:
group: security.istio.io
@@ -258,8 +258,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -293,8 +293,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
type: object
@@ -611,8 +611,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -646,8 +646,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
type: object
@@ -741,8 +741,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: destinationrules.networking.istio.io
spec:
group: networking.istio.io
@@ -1039,9 +1039,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -1159,7 +1157,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -1411,9 +1409,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing,
- this is DestinationRule-level and will override
- mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -1535,7 +1531,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled
as long as the associated load balancing pool
- has at least min_health_percent hosts in healthy
+ has at least `minHealthPercent` hosts in healthy
mode.
format: int32
type: integer
@@ -1932,8 +1928,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this is DestinationRule-level
- and will override mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -2047,7 +2042,7 @@ spec:
type: integer
minHealthPercent:
description: Outlier detection will be enabled as long as
- the associated load balancing pool has at least min_health_percent
+ the associated load balancing pool has at least `minHealthPercent`
hosts in healthy mode.
format: int32
type: integer
@@ -2294,9 +2289,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -2414,7 +2407,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -2956,9 +2949,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -3076,7 +3067,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -3328,9 +3319,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing,
- this is DestinationRule-level and will override
- mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -3452,7 +3441,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled
as long as the associated load balancing pool
- has at least min_health_percent hosts in healthy
+ has at least `minHealthPercent` hosts in healthy
mode.
format: int32
type: integer
@@ -3849,8 +3838,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this is DestinationRule-level
- and will override mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -3964,7 +3952,7 @@ spec:
type: integer
minHealthPercent:
description: Outlier detection will be enabled as long as
- the associated load balancing pool has at least min_health_percent
+ the associated load balancing pool has at least `minHealthPercent`
hosts in healthy mode.
format: int32
type: integer
@@ -4211,9 +4199,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -4331,7 +4317,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -4873,9 +4859,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -4993,7 +4977,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -5245,9 +5229,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing,
- this is DestinationRule-level and will override
- mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -5369,7 +5351,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled
as long as the associated load balancing pool
- has at least min_health_percent hosts in healthy
+ has at least `minHealthPercent` hosts in healthy
mode.
format: int32
type: integer
@@ -5766,8 +5748,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this is DestinationRule-level
- and will override mesh wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -5881,7 +5862,7 @@ spec:
type: integer
minHealthPercent:
description: Outlier detection will be enabled as long as
- the associated load balancing pool has at least min_health_percent
+ the associated load balancing pool has at least `minHealthPercent`
hosts in healthy mode.
format: int32
type: integer
@@ -6128,9 +6109,7 @@ spec:
type: object
type: array
enabled:
- description: enable locality load balancing, this
- is DestinationRule-level and will override mesh
- wide settings in entirety.
+ description: Enable locality load balancing.
nullable: true
type: boolean
failover:
@@ -6248,7 +6227,7 @@ spec:
minHealthPercent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
- min_health_percent hosts in healthy mode.
+ `minHealthPercent` hosts in healthy mode.
format: int32
type: integer
splitExternalLocalOriginErrors:
@@ -6520,8 +6499,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: envoyfilters.networking.istio.io
spec:
group: networking.istio.io
@@ -6679,7 +6658,7 @@ spec:
additionalProperties:
type: string
description: Match on the node metadata supplied by
- a proxy when connecting to Istio Pilot.
+ a proxy when connecting to istiod.
type: object
proxyVersion:
description: A regular expression in golang regex format
@@ -6815,8 +6794,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
workloadSelector:
@@ -6926,8 +6905,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: gateways.networking.istio.io
spec:
group: networking.istio.io
@@ -7641,8 +7620,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: peerauthentications.security.istio.io
spec:
group: security.istio.io
@@ -7987,8 +7966,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: proxyconfigs.networking.istio.io
spec:
group: networking.istio.io
@@ -8137,8 +8116,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: requestauthentications.security.istio.io
spec:
group: security.istio.io
@@ -8322,8 +8301,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -8357,8 +8336,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
type: object
@@ -8609,8 +8588,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -8644,8 +8623,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
type: object
@@ -8739,8 +8718,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: serviceentries.networking.istio.io
spec:
group: networking.istio.io
@@ -8804,11 +8783,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :
- true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
+ \ true"
labels:
additionalProperties:
type: string
@@ -8853,8 +8832,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -8962,15 +8941,15 @@ spec:
rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
- message: CIDR addresses are allowed only for NONE/STATIC resolution
types
- rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
- && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
- != 'NONE'))"
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))\
+ \ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution\
+ \ != 'NONE'))"
- message: NONE mode cannot set endpoints
- rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
- : true"
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)\
+ \ : true"
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
- rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
- ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')\
+ \ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
properties:
conditions:
@@ -9097,11 +9076,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :
- true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
+ \ true"
labels:
additionalProperties:
type: string
@@ -9146,8 +9125,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -9255,15 +9234,15 @@ spec:
rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
- message: CIDR addresses are allowed only for NONE/STATIC resolution
types
- rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
- && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
- != 'NONE'))"
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))\
+ \ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution\
+ \ != 'NONE'))"
- message: NONE mode cannot set endpoints
- rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
- : true"
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)\
+ \ : true"
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
- rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
- ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')\
+ \ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
properties:
conditions:
@@ -9390,11 +9369,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :
- true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
+ \ true"
labels:
additionalProperties:
type: string
@@ -9439,8 +9418,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -9548,15 +9527,15 @@ spec:
rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
- message: CIDR addresses are allowed only for NONE/STATIC resolution
types
- rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
- && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
- != 'NONE'))"
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))\
+ \ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution\
+ \ != 'NONE'))"
- message: NONE mode cannot set endpoints
- rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
- : true"
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)\
+ \ : true"
- message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
- rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
- ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')\
+ \ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
properties:
conditions:
@@ -9646,8 +9625,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: sidecars.networking.istio.io
spec:
group: networking.istio.io
@@ -11286,8 +11265,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: telemetries.telemetry.istio.io
spec:
group: telemetry.istio.io
@@ -11443,11 +11422,11 @@ spec:
type: object
x-kubernetes-validations:
- message: value must be set when operation is UPSERT
- rule: "((has(self.operation) ? self.operation : '')
- == 'UPSERT') ? self.value != '' : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'UPSERT') ? self.value != '' : true"
- message: value must not be set when operation is REMOVE
- rule: "((has(self.operation) ? self.operation : '')
- == 'REMOVE') ? !has(self.value) : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'REMOVE') ? !has(self.value) : true"
description: Optional.
type: object
type: object
@@ -11523,8 +11502,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -11558,8 +11537,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
tracing:
@@ -11891,11 +11870,11 @@ spec:
type: object
x-kubernetes-validations:
- message: value must be set when operation is UPSERT
- rule: "((has(self.operation) ? self.operation : '')
- == 'UPSERT') ? self.value != '' : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'UPSERT') ? self.value != '' : true"
- message: value must not be set when operation is REMOVE
- rule: "((has(self.operation) ? self.operation : '')
- == 'REMOVE') ? !has(self.value) : true"
+ rule: "((has(self.operation) ? self.operation : '')\
+ \ == 'REMOVE') ? !has(self.value) : true"
description: Optional.
type: object
type: object
@@ -11971,8 +11950,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -12006,8 +11985,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
tracing:
@@ -12210,8 +12189,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: virtualservices.networking.istio.io
spec:
group: networking.istio.io
@@ -15346,8 +15325,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: wasmplugins.extensions.istio.io
spec:
group: extensions.istio.io
@@ -15519,8 +15498,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -15554,8 +15533,8 @@ spec:
x-kubernetes-validations:
- message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
- ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
+ \ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
maxItems: 16
type: array
type:
@@ -15574,9 +15553,9 @@ spec:
type: string
x-kubernetes-validations:
- message: url must have schema one of [http, https, file, oci]
- rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',
- 'oci', 'file']) : (isURL('http://' + self) && url('http://' +self).getScheme()
- in ['', 'http', 'https', 'oci', 'file'])"
+ rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',\
+ \ 'oci', 'file']) : (isURL('http://' + self) && url('http://'\
+ \ +self).getScheme() in ['', 'http', 'https', 'oci', 'file'])"
verificationKey:
type: string
vmConfig:
@@ -15610,8 +15589,8 @@ spec:
type: object
x-kubernetes-validations:
- message: value may only be set when valueFrom is INLINE
- rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'
- || !has(self.value)"
+ rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'\
+ \ || !has(self.value)"
maxItems: 256
type: array
x-kubernetes-list-map-keys:
@@ -15713,8 +15692,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: workloadentries.networking.istio.io
spec:
group: networking.istio.io
@@ -15758,8 +15737,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
- || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
+ \ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -15806,8 +15785,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
- : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
+ \ : true"
status:
properties:
conditions:
@@ -15914,8 +15893,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
- || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
+ \ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -15962,8 +15941,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
- : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
+ \ : true"
status:
properties:
conditions:
@@ -16070,8 +16049,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
- || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
+ \ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -16118,8 +16097,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
- : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
+ \ : true"
status:
properties:
conditions:
@@ -16207,8 +16186,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
name: workloadgroups.networking.istio.io
spec:
group: networking.istio.io
@@ -16380,8 +16359,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -16426,8 +16405,8 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
required:
- template
type: object
@@ -16665,8 +16644,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -16711,8 +16690,8 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
required:
- template
type: object
@@ -16950,8 +16929,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
- '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
+ \ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -16996,8 +16975,8 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))
- ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))\
+ \ ? !has(self.ports) : true"
required:
- template
type: object
diff --git a/common/istio-cni-1-24/istio-install/base/install.yaml b/common/istio-cni-1-24/istio-install/base/install.yaml
index e9db53193..791814d36 100644
--- a/common/istio-cni-1-24/istio-install/base/install.yaml
+++ b/common/istio-cni-1-24/istio-install/base/install.yaml
@@ -7,8 +7,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: cni-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: cni-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -25,8 +25,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-reader
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: base-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: base-1.24.3
release: istio
name: istio-reader-service-account
namespace: istio-system
@@ -40,8 +40,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod
namespace: istio-system
@@ -55,8 +55,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: cni-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: cni-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -83,8 +83,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: cni-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: cni-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -116,8 +116,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-reader
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istio-reader-clusterrole-istio-system
rules:
@@ -230,8 +230,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod-clusterrole-istio-system
rules:
@@ -450,8 +450,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod-gateway-controller-istio-system
rules:
@@ -501,8 +501,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: cni-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: cni-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -525,8 +525,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: cni-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: cni-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
k8s-app: istio-cni-repair
@@ -551,8 +551,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-reader
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istio-reader-clusterrole-istio-system
roleRef:
@@ -573,8 +573,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod-clusterrole-istio-system
roleRef:
@@ -595,8 +595,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod-gateway-controller-istio-system
roleRef:
@@ -617,8 +617,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
istio: istiod
istio.io/rev: default
release: istio
@@ -677,8 +677,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -709,8 +709,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: cni-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: cni-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -1993,6 +1993,9 @@ data:
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
+ {{- if .Values.global.proxy.outlierLogPath }}
+ - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+ {{- end}}
env:
- name: ISTIO_META_SERVICE_ACCOUNT
valueFrom:
@@ -2571,7 +2574,7 @@ data:
}
},
"externalIstiod": false,
- "hub": "docker.io/istio",
+ "hub": "gcr.io/istio-release",
"imagePullPolicy": "",
"imagePullSecrets": [],
"istioNamespace": "istio-system",
@@ -2685,8 +2688,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -2703,8 +2706,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -2860,8 +2863,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: cni-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: cni-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
k8s-app: istio-cni-node
@@ -2886,8 +2889,8 @@ spec:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: cni-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: cni-1.24.3
istio.io/dataplane-mode: none
k8s-app: istio-cni-node
sidecar.istio.io/inject: 'false'
@@ -2930,7 +2933,7 @@ spec:
envFrom:
- configMapRef:
name: istio-cni-config
- image: docker.io/istio/install-cni:1.24.2
+ image: gcr.io/istio-release/install-cni:1.24.2
name: install-cni
ports:
- containerPort: 15014
@@ -3012,8 +3015,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
@@ -3041,8 +3044,8 @@ spec:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/dataplane-mode: none
@@ -3060,6 +3063,8 @@ spec:
- --keepaliveMaxServerConnectionAge
- 30m
env:
+ - name: ENABLE_NATIVE_SIDECARS
+ value: 'true'
- name: REVISION
value: default
- name: PILOT_CERT_PROVIDER
@@ -3100,7 +3105,7 @@ spec:
resource: limits.cpu
- name: PLATFORM
value: ''
- image: docker.io/istio/pilot:1.24.2
+ image: gcr.io/istio-release/pilot:1.24.2
name: discovery
ports:
- containerPort: 8080
@@ -3196,8 +3201,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
@@ -3221,8 +3226,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod
namespace: istio-system
@@ -3269,8 +3274,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
release: istio
name: istiod
namespace: istio-system
@@ -3292,8 +3297,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -3324,8 +3329,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.24.2
- helm.sh/chart: istiod-1.24.2
+ app.kubernetes.io/version: 1.24.3
+ helm.sh/chart: istiod-1.24.3
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
diff --git a/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
index 45a37d7f8..2e12ccbc8 100644
--- a/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
+++ b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
@@ -107,7 +107,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.24.2
+ image: gcr.io/istio-release/proxyv2:1.24.3
name: istio-proxy
ports:
- containerPort: 15021
diff --git a/common/istio-cni-1-24/istio-install/base/kustomization.yaml b/common/istio-cni-1-24/istio-install/base/kustomization.yaml
index e905273b2..b2f9eaeda 100644
--- a/common/istio-cni-1-24/istio-install/base/kustomization.yaml
+++ b/common/istio-cni-1-24/istio-install/base/kustomization.yaml
@@ -15,5 +15,9 @@ patches:
- path: patches/disable-debugging.yaml
# - path: patches/istio-ingressgateway-remove-pdb.yaml
- path: patches/istiod-remove-pdb.yaml
-# - path: patches/seccomp-istio-ingressgateway.yaml
+- path: patches/seccomp-istio-ingressgateway.yaml
- path: patches/seccomp-istiod.yaml
+
+images:
+- name: busybox
+ newName: registry.k8s.io/busybox
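Review bot: The new `images:` entry rewrites `busybox` to `registry.k8s.io/busybox` without a `newTag` or `digest`, so the tag stays whatever the referencing manifest carries, and an untagged reference resolves to `latest`. Pinning it in the same entry, for example `digest: sha256:<digest-of-the-reviewed-image>`, makes the pulled image reproducible and lets a change of content show up in review. The manifests that reference `busybox` are outside this hunk, so the tag in use today cannot be confirmed from here. It is also worth checking that the target repository still receives updates before standardising on it.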
diff --git a/common/istio-cni-1-24/profile.yaml b/common/istio-cni-1-24/profile.yaml
index 838edaf5f..55765c85f 100644
--- a/common/istio-cni-1-24/profile.yaml
+++ b/common/istio-cni-1-24/profile.yaml
@@ -12,7 +12,11 @@ spec:
name: istio-ingressgateway
pilot:
enabled: true
- hub: docker.io/istio
+ k8s:
+ env:
+ - name: ENABLE_NATIVE_SIDECARS
+ value: "true"
+ hub: gcr.io/istio-release
profile: default
tag: 1.24.2
values:
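Review bot: `tag: 1.24.2` is left unchanged in this hunk while `hub` moves to `gcr.io/istio-release` and the rest of the commit moves to 1.24.3. As a result the regenerated `install.yaml` carries 1.24.3 chart labels but still deploys `gcr.io/istio-release/pilot:1.24.2` and `gcr.io/istio-release/install-cni:1.24.2`, next to a gateway on `proxyv2:1.24.3`. The control plane and the CNI node agent therefore miss whatever fixes 1.24.3 contains, and the version labels misreport what is running. Change the line to `tag: 1.24.3` and regenerate the manifests. The sync scripts in this commit no longer run `istioctl profile dump default > profile.yaml`, so this file now has to be bumped by hand on each upgrade.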
@@ -23,4 +27,3 @@ spec:
global:
configValidation: true
istioNamespace: istio-system
-
diff --git a/hack/synchronize-istio-cni-manifests.sh b/hack/synchronize-istio-cni-manifests.sh
index 293322012..9d436fdfc 100755
--- a/hack/synchronize-istio-cni-manifests.sh
+++ b/hack/synchronize-istio-cni-manifests.sh
@@ -16,9 +16,9 @@
set -euxo pipefail
IFS=$'\n\t'
-COMMIT="1.23.2"
-CURRENT_VERSION="1-22"
-NEW_VERSION="1-23" # Must be a release
+COMMIT="1.24.3"
+CURRENT_VERSION="1-24"
+NEW_VERSION="1-24" # Must be a release
SRC_DIR=${SRC_DIR:=/tmp/istio-cni}
BRANCH=${BRANCH:=istio-cni-${COMMIT?}}
@@ -63,10 +63,7 @@ fi
ISTIOCTL=$SRC_DIR/istio-${COMMIT}/bin/istioctl
cd $ISTIO_NEW
-$ISTIOCTL profile dump default > profile.yaml
-# cd $ISTIO_NEW
-# export PATH="$MANIFESTS_DIR/scripts:$PATH"
$ISTIOCTL manifest generate -f profile.yaml -f profile-overlay.yaml --set components.cni.enabled=true --set components.cni.namespace=kube-system > dump.yaml
./split-istio-packages -f dump.yaml
mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base
diff --git a/hack/synchronize-istio-manifests.sh b/hack/synchronize-istio-manifests.sh
index e2e1e9762..779c17f73 100755
--- a/hack/synchronize-istio-manifests.sh
+++ b/hack/synchronize-istio-manifests.sh
@@ -15,9 +15,9 @@
set -euxo pipefail
IFS=$'\n\t'
-COMMIT="1.23.2"
-CURRENT_VERSION="1-22"
-NEW_VERSION="1-23" # Must be a release
+COMMIT="1.24.3"
+CURRENT_VERSION="1-24"
+NEW_VERSION="1-24" # Must be a release
SRC_DIR=${SRC_DIR:=/tmp/istio} # Must be a release
BRANCH=${BRANCH:=istio-${COMMIT?}}
@@ -62,10 +62,7 @@ fi
ISTIOCTL=$SRC_DIR/istio-${COMMIT}/bin/istioctl
cd $ISTIO_NEW
-$ISTIOCTL profile dump default > profile.yaml
-# cd $ISTIO_NEW
-# export PATH="$MANIFESTS_DIR/scripts:$PATH"
$ISTIOCTL manifest generate -f profile.yaml -f profile-overlay.yaml > dump.yaml
./split-istio-packages -f dump.yaml
mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base