Skip to main content
logoTetrate Service BridgeVersion: 1.14.x

Release Notes

Version 1.14.0

  • Fixed the following CVEs: CVE-2026-25679, CVE-2026-33186, CVE-2025-59530, CVE-2026-27142, CVE-2026-27171, CVE-2025-60876, GHSA-72hv-8253-57qq, CVE-2026-3731, CVE-2026-23865, CVE-2026-22184, CVE-2026-0861, CVE-2026-0915, CVE-2025-15281, CVE-2026-2219, CVE-2026-24051, CVE-2026-27139, CVE-2026-4427, GHSA-6g7g-w4f8-9c9x
  • Fixed a race condition that could prevent accurate gateway status reporting due to race condition, ensuring that gateway deployment status is correctly reflected.
  • Added support for OpenAPI 3.1 and 3.2 in payload validation.
  • Added PingAM 7.4 as a supported identity provider for users and groups retrieval in TeamSync.
  • Use core Envoy filters to replace the xfcc-guard WASM filter for XFCC header validation.
  • Fixed an issue where gateway pod annotations were not updated correctly. Gateway Deployment updates now use server side apply instead of merge, and can be reverted to the old behavior by setting USE_SERVER_SIDE_APPLY_FOR_GATEWAY_DEPLOYMENTS to false on the XCP edge operator deployment.
  • Updated Istio version to 1.28.

Upgrade:

  • At gateways, fix duplication of authentication configuration across hostnames and optimize memory consumption. From previous releases which have ENABLE_JWT_AUTHENTICATION_MANDATORY_JWT_TOKEN, the env variable must be replaced with ENABLE_ENHANCED_REQUEST_AUTHENTICATION, which is a superset of functionality previously put behind ENABLE_JWT_AUTHENTICATION_MANDATORY_JWT_TOKEN.

Features/Istio features enabled by default (previously disabled):

  • DNS proxying for ambient mesh (cni.ambient.dnsCapture) now enabled by default. (1.24 → 1.25)
  • IP auto-allocation for ServiceEntry (PILOT_ENABLE_IP_AUTOALLOCATE) now enabled by default. (1.24 → 1.25)
  • Native sidecars (ENABLE_NATIVE_SIDECARS) now enabled by default. (1.26 → 1.27)
  • Upstream spans for gateway requests (PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY) enabled by default. (1.27 → 1.28)
  • Shadow host suffixes disabled by default (DISABLE_SHADOW_HOST_SUFFIX=true). (1.27 → 1.28)

New Istio features disabled by default (opt-in):

  • Reconcile iptables on startup for ambient pods (cni.ambient.reconcileIptablesOnStartup). (introduced in 1.25)
  • Experimental Gateway API BackendTLSPolicy and XBackendTrafficPolicy (PILOT_ENABLE_ALPHA_GATEWAY_API). (introduced in 1.26)
  • ClusterTrustBundle API (v1alpha1) (ENABLE_CLUSTER_TRUST_BUNDLE_API). (introduced in 1.26)
  • Gateway API Inference Extension (SUPPORT_GATEWAY_API_INFERENCE_EXTENSION). (introduced in 1.27)
  • Native nftables for sidecar mode (values.global.nativeNftables=true). (introduced in 1.27)
  • Istio-owned CNI config file in ambient mode (cni.istioOwnedCNIConfig=true). (introduced in 1.27)
  • Native nftables for ambient mode (values.global.nativeNftables=true). (introduced in 1.28)
  • NetworkPolicy deployment for istiod (global.networkPolicy.enabled=true). (introduced in 1.28)

Important Istio changes:

  • CNI agent no longer requires hostNetwork; ambient.shareHostNetworkNamespace default changed to false (previously true). (1.26)
  • Default maximum connections per socket event changed to 1 (from 0) to improve performance. To revert, set MAX_CONNECTIONS_PER_SOCKET_EVENT_LOOP=0. (1.26)
  • Deprecated ISTIO_META_DNS_AUTO_ALLOCATE and traffic.sidecar.istio.io/kubevirtInterfaces. (1.25)
  • DNS proxying algorithm updated. (1.25)
  • Added ObservedGeneration to ambient status conditions. (1.25)
  • Support for preserving original case of HTTP/1.x headers. (1.25)
  • istio-cni-node now has DAC_OVERRIDE capability and unconfined AppArmor annotation. (1.25)
  • OpenCensus telemetry provider removed. (1.25)
  • GKE platform profile added for ambient mode. (1.25)
  • Improved iptables binary detection. (1.26)
  • Warning added for deprecated telemetry providers Lightstep and OpenCensus. (1.26)
  • ENABLE_AUTO_SNI flag removed. (1.26)
  • Lightstep tracing provider support removed. (1.27)
  • MD5 usage removed for non-cryptographic purposes (FIPS 140-3 compliance). (1.27)
  • Gateway API upgraded to v1.4 with BackendTLSPolicy v1 support. (1.28)
  • EndpointSlice used instead of Endpoints for remote istiod (Kubernetes 1.33+ compatibility). (1.28)
  • Post-Quantum Cryptography (PQC) option added to COMPLIANCE_POLICY. (1.27)
  • Certificate revocation list (CRL) support for plugged-in CAs. (1.27)
  • Dual-stack support promoted to beta. (1.28)
  • Support for InferencePool v1 (alpha/RC versions removed). (1.28)

Other changes:

  • When GatewayDeployment/IngressDeployment/EgressDeployment/Tier1Deployment resource has 1 as replicaCount and hpaSpec is not configured(values configured via kubeSpec), then PodDisruptionBudget is not created. Same when hpaSpec is configured and hpaSpec.minReplicas is not greater than 1, PDP is not created. This is to prevent the case when disruption gets stuck because of PDP when there is only 1 replica.
  • Fixed an existing race condition in event queue tests that was being triggered on Istio upgrade.
  • Fixed an issue where XCP would update some ServiceEntry, DestinationRule and AuthorizationPolicy resources repeatedly with different field ordering. This could cause unnecessary CPU usage and API server load.
  • Added support for ISTIO_MUTUAL mode for external authorization.
  • Add support for timeout and cors policy in HTTP route rules.
  • Fixed an issue with using gRPC 1.75 where the grpc client previously extracted certificate from tls.Config.ServerName for SAN now uses authority header. With gRPC 1.75, to consolidate the usage of SAN, the authority is used as source of truth now. We didn't set the authority and only set the Servername. This caused 1.75 gRPC client side verification to fail because new gRPC client ignored the ServerName. This fix ensures that the authority is explicitly set in gRPC client usage.
  • Egress gateways now support JWT authentication and authorization, aligning with ingress behavior; OIDC remains unsupported.
  • Added the ability to pause gateway deployment reconciliation. This is useful during upgrades to prevent the dataplane from being updated automatically.
    • Added a dry-run diff endpoint (/debug/gateway-reconcile-diff) on the edge operator admin server (port 8090) to preview what changes would be applied when reconciliation is resumed. The response shows per-gateway reconciliation state, pending changes to Deployments/Services/ServiceAccounts/HPAs, whether changes would cause pod restarts, and a unified YAML diff. Supports namespace and name query parameters for filtering (name requires namespace). The response summary includes total gateways, count with changes, count that will cause restarts, and count paused.
    • Gateway deployment config status now reports the RECONCILIATION_PAUSED phase as APPLIED_NOT_READY, with a ReconciliationPaused condition indicating the pause reason. The status includes current workload details (deployment readiness, replica counts, service type).
    • Gateway install objects (IngressDeployment, EgressDeployment, Tier1Deployment, GatewayDeployment) are now protected from accidental deletion. Deletion of managed gateway CRs is blocked when edge deletion protection is enabled. Non-managed gateway CRs are not affected.
    • Added two new metrics for gateway reconciliation observability:
      • gateway_reconcile_paused (gauge, labels: gateway_type, gateway_namespace, gateway_name): reports per-gateway pause state (1 = paused, 0 = active).
      • gateway_reconcile_skipped_total (counter, labels: gateway_type, reason, gateway_namespace, gateway_name): tracks the number of reconciliations skipped, with reason indicating the level that disabled it (object_label_disabled, namespace_api_disabled, revision_api_disabled).

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2026-29111 - No fix available.
  • CVE-2026-4046 - No fix available.
  • CVE-2025-69720 - No fix available.
  • PRISMA-2022-0168 - No fix available.
  • CVE-2026-33231 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2026-4105 - No fix available.
  • CVE-2025-45582 - No fix available.
  • CVE-2025-66382 - No fix available.
  • CVE-2026-4437 - No fix available.
  • CVE-2026-4438 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2026-22185 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2024-56433 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2025-14104 - No fix available.
  • CVE-2022-0563 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • CVE-2026-3184 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • CVE-2023-31439 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2005-2541 - No fix available.
  • CVE-2026-2673 - No fix available.
  • CVE-2011-3374 - No fix available.
  • CVE-2025-1376 - No fix available.
  • CVE-2025-70873 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2019-9192 - No fix available.
  • CVE-2025-27587 - No fix available.
  • TEMP-0628843-DBAD28 - No fix available.
  • CVE-2007-5686 - No fix available.
  • CVE-2023-31437 - No fix available.
  • CVE-2025-29481 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2017-18018 - No fix available.
  • CVE-2026-34743 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • CVE-2025-5278 - No fix available.
  • CVE-2023-31438 - No fix available.
  • TEMP-0841856-B18BAF - No fix available.
  • CVE-2011-4116 - No fix available.
  • CVE-2013-4392 - No fix available.
  • CVE-2021-45346 - No fix available.
  • TEMP-0517018-A83CE6 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.