1.27.0

Solo build of Istio version 1.27.0 patch release.

This release note describes the changes in Solo builds of Istio version 1.27.

General

This version was built against upstream Istio release 1.27.0.

  • Added istiod support for per-service account mTLS egress via a single waypoint.

    • This is enabled by adding the environment variable PERMIT_CROSS_NAMESPACE_RESOURCE_ACCESS to istiod. The value is a comma-separated list of namespace/gateway pairs, where gateway is the name of the waypoint’s service account.
    • This also includes sample manifests under samples/solo-mtls-egress to demonstrate how to use this feature.
    • This feature requires a valid license capable of enabling our EnvoyFilter waypoint support.
  • Added the command istioctl multicluster check which will iterate through a few different checks on the status of multicluster for the current kube context. The following checks are performed:

    • Checks the license in use by each istiod and validates that it supports multicluster
    • Checks the health of all istiod, ztunnel, and eastwest gateway pods
    • Checks that the eastwest gateway is programmed
    • Checks that each remote gateway has a gloo.solo.io/PeeringSucceeded status of True
  • Added syncing of peer connection status to remote Gateways

  • Added a flag to the istioctl multicluster check command to pass in multiple contexts and run checks against all of them.

  • Improved the istioctl multicluster check command to use the new gloo.solo.io/PeerConnected gateway condition which accurately reflects the current connected status of istiod to remote peers.

  • Fixed an issue where if a Service only existed in the remote cluster, the local cluster would not be able to apply L7 policies via a local sidecar or waypoint, as long as the remote Service properly declared an L7 protocol via the port name or appProtocol.

  • Fixed the istioctl multicluster check command’s pod check being inconsistently ordered.

  • Fixed an issue where locality information was not being propagated for peered multi-cluster resources when the istio-remote Gateway’s topology.kubernetes.io/zone and topology.kubernetes.io/region labels were updated without restarting istiod. Now, a change to these labels triggers an update without a restart.

  • Fixed an issue with locality weighting in multi-network cases.