Introducing the TrafficExtension API
Istio 1.30 launches the TrafficExtension API, consolidating WasmPlugin and Lua-based extensibility into a single resource. The new API lets users embed inline Lua scripts or pull WebAssembly modules from OCI registries for sidecars, gateways, and waypoint proxies. It introduces unified targeting via label selectors or explicit targetRefs and adds phase and priority controls to order extensions. Existing WasmPlugin objects are automatically transformed, allowing a seamless migration path.
Simplifying Egress Routing to Wildcard Destinations
Istio has added native support for wildcard ServiceEntry resources using DYNAMIC_DNS resolution, allowing sidecar proxies to route HTTPS egress traffic to any matching subdomain without an intermediate egress gateway. The new model inspects the SNI field in the TLS handshake...
Istio Is Migrating Container Registries
Istio will retire its gcr.io/istio-release container registry on January 1 2027, moving all images to the new registry.istio.io domain. The change stems from a shift in Istio’s funding model and affects any clusters still pulling images from the Google Cloud mirror. While...
Security Considerations on Istio's CRDs with Namespace-Based Multi-Tenancy
Istio’s VirtualService resource, when configured as a mesh gateway, applies routing rules across the entire service mesh, not just the namespace where it is defined. This design flaw enables tenants with permission to create or modify Istio CRDs to launch...
Ambient Multi-Network Multicluster Support Is Now Beta
Istio 1.29 introduces beta‑level ambient multi‑network multicluster support, targeting production‑ready telemetry across distributed clusters. The release adds an enriched HBONE protocol with baggage headers, enabling waypoint and ztunnel proxies to exchange peer metadata across network boundaries. Telemetry gaps that previously...