RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Last 7 daysClear ×

Cilium

Networking & MessagingJul 16, 2026

Cilium v1.19.6 is a routine patch fixing multiple regressions in ClusterMesh affinity handling and host firewall configuration, along with policy and gateway-api issues. A minor gateway-api telemetry feature and dependency updates are included.

  • breakingClusterMesh affinity annotation traffic blackhole fixed

    When using the service.cilium.io/affinity: "none" annotation in ClusterMesh, all remote backends were incorrectly dropped if no local endpoints exist, causing a traffic blackhole. The fix ships in v1.19.6 and matters if ClusterMesh services rely on this annotation to manage traffic distribution across clusters.

  • breakingHost firewall disabled-state configuration sync fixed

    Disabling hostFirewall.enabled via Helm (toggling from true to false) left the host firewall in the live ConfigMap in enabled state, causing the firewall rules to remain active despite the configuration change. The fix ships in v1.19.6 and applies when toggling the host firewall setting.

Key changes (6)
  • ClusterMesh traffic blackhole when using service.cilium.io/affinity: "none" with no local endpoints fixed
  • Host firewall remained enabled in live ConfigMap after Helm disablement fixed
  • Policy denial regressions for L7 load-balanced services and pod network policy restoration during agent restart addressed
  • Stale hostport entries and gateway-api port listener assignment bugs corrected
  • Gateway-api adds configurable access logs via spec.telemetry.accessLogs in CiliumGatewayClassConfig
  • cilium/ebpf upgraded to v0.22.0; statedb bumped to v0.5.9
Source

Cilium

Networking & MessagingJul 16, 2026

Cilium v1.18.12 is a routine bugfix release that fixes a policy-denial regression, a kvstore-mode startup regression, and several other issues; it also adds a minor Gateway API feature for access logs configuration.

Key changes (7)
  • Gateway API: access logs field added to CiliumGatewayClassConfig
  • Policy denial regression fixed for L7 load-balanced services when remote identity changes
  • KVStore mode startup regression fixed when etcd is behind a Kubernetes service
  • Gateway API: validation added to flag Gateways with hostNetwork enabled
  • IPAM multi-pool: eliminated unnecessary wait on zero prealloc requests
  • Policy metric warning fixed (policy_change_total incorrect label value)
  • k8s.io/utils dependency updated
Source

Cilium

Networking & MessagingJul 16, 2026

Cilium v1.17.18 is a routine patch addressing three bugfixes: L7 policy denial for load-balanced services with identity changes, IPAM multi-pool prealloc waiting, and a policy metrics label error. No breaking changes.

Key changes (5)
  • L7 load-balanced service traffic: fixed incorrect policy denials when remote identity changes
  • IPAM multi-pool: eliminated unnecessary wait for zero prealloc requests
  • Policy metrics: corrected policy_change_total failure label value to prevent spurious warnings
  • Documentation: clarified ipv4-native-routing-cidr default value
  • Dependencies: k8s.io/utils digest updated
Source

Istio

Networking & MessagingJul 16, 2026

Istio v1.29.6 is a routine patch addressing ambient mesh bugs in pilot-agent drain counting, ztunnel CNI deadlock, Istiod memory accumulation, and east-west gateway RBAC filtering. Auto-registered WorkloadEntry resources gain HBONE capability, though existing entries require the networking.istio.io/tunnel=http label to activate encrypted tunneling.

  • breakingAuto-registered WorkloadEntry resources require label addition for HBONE tunneling

    WorkloadEntry resources created through auto-registration before upgrading to v1.29.6 continue to use plaintext tunneling until they re-register or the networking.istio.io/tunnel=http label is manually added to their existing WorkloadEntry. This is a transitional state affecting ambient mesh deployments that do not rebuild their auto-registered workload entries.

Key changes (5)
  • Fixed pilot-agent drain logic on ambient ingress gateways and waypoints to correctly count HBONE connections, eliminating unnecessary waits on graceful termination
  • Fixed ambient CNI agent deadlock where concurrent pod deletions and ztunnel reconnections could block the ZDS server
  • Fixed Istiod memory leak where failed pod IP entries were not cleaned up from resync state
  • Fixed east-west gateway RBAC filtering incorrectly blocking cross-network traffic when L7 AuthorizationPolicies are present
  • Auto-registered WorkloadEntry resources now support HBONE tunneling, with label-based opt-in for existing entries
Source

Istio

Networking & MessagingJul 16, 2026

Istio 1.30.3 is a routine patch focused on bug fixes and scalability improvements for ambient mode. No CVEs. One operator-visible change: auto-registered workloads in ambient mode fall back to plaintext HBONE until re-registered or explicitly labeled; deployments relying on HBONE encryption for such workloads may need to take action.

  • breakingPlaintext HBONE fallback for pre-registered workloads in ambient mode

    Workloads auto-registered with Istio before upgrading to 1.30.3 continue to be reached over plaintext HBONE until they either re-register or the operator adds the networking.istio.io/tunnel=http label to their existing WorkloadEntry resource. This applies in ambient mode when workloads were registered prior to this release.

Key changes (8)
  • Behavior change: auto-registered workloads in ambient mode fall back to plaintext HBONE until re-registered or labeled with networking.istio.io/tunnel=http
  • Performance: XDS pushes for workload/service address changes scoped to affected waypoints only (can disable via AMBIENT_SCOPED_ADDRESS_PUSHES=false)
  • Fix: metadata-only VirtualService changes no longer trigger unnecessary XDS pushes to all proxies
  • Fix: pilot-agent now reloads certificates on Kubernetes secret rotations after the first rotation
  • Fix: remote cluster secrets picked up by istiod without restart, preventing cluster registry deadlock
  • Fix: waypoint proxies exit gracefully on ambient ingress gateways (EXIT_ON_ZERO_ACTIVE_CONNECTIONS now fires correctly)
  • Enhancement: custom taint name support for pilot node untaint controller via PILOT_NODE_UNTAINT_CONTROLLERS_TAINT_NAME
  • Plus ~6 additional fixes: ambient CNI deadlock, istiod memory leak, WasmPlugin cross-namespace crash-loop, cross-network RBAC blocking, Telemetry namespace scope, default HTTP retries for waypoint inbound routes
Source

Envoy

Networking & MessagingJul 14, 2026

Envoy v1.39.0 is a major release combining several breaking behavior changes (mandatory keyUsage enforcement, disabled DLB balancer, stricter TLS inspector validation, changed OTel sampling behavior) with a large batch of roughly 20 medium-severity CVE fixes spanning HTTP/2, HTTP/3, ext_authz, ext_proc, OAuth2, DNS, and several other subsystems. It also ships extensive non-actionable feature and performance work, including dynamic-modules extension points and a new streaming JSON parser for AI protocols.

  • securityBroad CVE batch fixed across core protocol and extension code

    This release fixes roughly 20 CVEs across HTTP/2, HTTP/3, ext_authz, ext_proc, gRPC stats, internal redirects, OAuth2, DNS, JSON parsing, PROXY protocol, formatters, StatsD, TLS SAN handling, and Zstd decompression, all rated medium by the notes. Notable ones include HTTP/2 cookie-based header-limit bypass (CVE-2026-47774), HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch), and Zstd decompression memory exhaustion (CVE-2026-48044). The fixes ship in v1.39.0.

  • securityOAuth2 cookie encryption moves to AES-256-GCM (opt-in migration)

    OAuth2 adds AES-256-GCM cookie encryption to address CVE-2026-47775, replacing the older CBC-based scheme. Migration is opt-in: enable oauth2_use_gcm_encryption, monitor the oauth_legacy_cbc_decrypt metric, then disable oauth2_legacy_cbc_decrypt_compat once legacy decryption is no longer observed.

  • breakingCertificate keyUsage enforcement is now mandatory

    Envoy now always enforces the certificate keyUsage extension; the enforce_rsa_key_usage field is deprecated and ignored. This applies unconditionally starting in v1.39.0, so certificates that previously relied on lax enforcement may now fail validation.

  • breakingDLB connection balancer disabled in all builds

    The Intel DLB connection balancer (envoy.network.connection_balance.dlb) is disabled in all builds because of a broken source archive. This applies wherever that extension is configured.

  • breakingTLS inspector now rejects out-of-range client TLS versions

    The TLS inspector now validates that client TLS versions fall between 1.0 and 1.3, rejecting anything outside that range. The check is unconditional in v1.39.0 but can be reverted with envoy.reloadable_features.tls_inspector_enforce_client_tls_version.

  • breakingOTel tracing now defers to Envoy's own sampling decision

    The OpenTelemetry tracer now honors Envoy's own request-entry sampling decision, including overall_sampling, even when a propagated trace context or configured sampler requests sampling. This applies to deployments relying on downstream or context-based sampling overriding Envoy's local config, and may reduce the volume of exported spans.

Key changes (8)
  • Roughly 20 medium-severity CVE fixes across HTTP/2, HTTP/3, ext_authz, ext_proc, gRPC stats, internal redirects, OAuth2, DNS, JSON parsing, PROXY protocol, formatters, StatsD, TLS SAN handling, and Zstd decompression; notable ones include CVE-2026-47774 (HTTP/2 cookie header-limit bypass), GHSA-p7c7-7c47-pwch (HTTP/3 QPACK DoS), and CVE-2026-48044 (Zstd memory exhaustion)
  • OAuth2 gains AES-256-GCM cookie encryption (CVE-2026-47775) with an opt-in, staged migration path off legacy CBC decryption
  • Certificate keyUsage enforcement is now mandatory (enforce_rsa_key_usage deprecated); TLS inspector now rejects client TLS versions outside 1.0-1.3
  • Intel DLB connection balancer extension disabled in all builds due to a broken source archive
  • OpenTelemetry tracer now defers to Envoy's own sampling decision (including overall_sampling), which may reduce exported spans
  • Unified DNS cluster implementation is now the default, enabling shared c-ares resolvers and qcache across clusters
  • HeaderMatcher now matches separately supplied header values individually rather than only their comma-joined form (revertible via feature gate)
  • Large non-actionable batch: dynamic-modules extension points and Rust SDK, new Wuffs-based streaming JSON parser for MCP/A2A/OpenAI/Anthropic, new bandwidth-sharing and sub-filter-chain HTTP filters, CNSA/post-quantum TLS policies, io_uring and SO_REUSEPORT BPF performance work, plus numerous bugfixes (connection-pool re-entrancy, DNS resolver leaks, Golang filter re-entry)
Source
Browse by month