Tetrate Service Bridge, Version 1.6.x

Release Notes

Version 1.6.8

TSB 1.6.8 is a patch release that includes stability and reliability updates, along with fixes to CVEs in TSB's dependencies.

Bug Fixes and Improvements

  • Fixed an issue where the names of some Istio objects created by TSB exceeded the allowed length.

Outstanding CVEs

At the time of shipping, the following CVEs had been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2016-2781 - No fix available
  • CVE-2018-1000007 - No fix available
  • CVE-2019-0190 - No fix available
  • CVE-2019-10743 - No fix available
  • CVE-2021-31879 - No fix available
  • CVE-2022-27943 - No fix available
  • CVE-2022-3219 - No fix available
  • CVE-2022-3715 - No fix available
  • CVE-2022-3857 - No fix available
  • CVE-2022-4899 - No fix available
  • CVE-2023-25165 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-29383 - No fix available
  • CVE-2023-2953 - No fix available
  • CVE-2023-33201 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-33202 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-34969 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-35116 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-3635 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39326 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39804 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4039 - No fix available
  • CVE-2023-42363 - No fix available
  • CVE-2023-42364 - No fix available
  • CVE-2023-42365 - No fix available
  • CVE-2023-42366 - No fix available
  • CVE-2023-42465 - No fix available
  • CVE-2023-45285 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4641 - No fix available
  • CVE-2023-4806 - No fix available
  • CVE-2023-4813 - No fix available
  • CVE-2023-48795 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-49290 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-50495 - No fix available
  • CVE-2023-5156 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-52425 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-52426 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-5678 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6004 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6129 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6237 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6246 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6779 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6780 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6918 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6992 - No fix available
  • CVE-2023-7008 - No fix available
  • CVE-2024-0553 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2024-0567 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2024-0727 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2024-0985 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2024-21664 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2024-22365 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
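As an added example (not Tetrate tooling), the following Python reconciles a container scanner's per-image findings against the dispositions listed above, so that only findings the vendor has not evaluated need manual review. The disposition lines are copied from the 1.6.8 list; the scanner findings, their simplified shape and the image names are constructed sample data.

```python
"""Triage container-scanner findings against vendor CVE dispositions.

Added example, not Tetrate tooling. Findings are constructed sample data in a
simplified {image: [vulnerability id, ...]} shape; flatten a real Trivy/Grype
report into that shape before calling triage().
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A handful of bullets copied verbatim from the TSB 1.6.8 "Outstanding CVEs" list.
RELEASE_NOTES_1_6_8 = """
  • CVE-2016-2781 - No fix available
  • CVE-2023-25165 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-48795 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2024-0727 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
"""

# Constructed scanner output: image -> vulnerability ids reported for it.
# CVE-2099-0001 is a made-up placeholder standing in for a finding the notes do not cover.
SAMPLE_FINDINGS = {
    "containers.dl.tetrate.io/bridge-server:1.6.8": ["CVE-2023-48795", "CVE-2024-0727"],
    "containers.dl.tetrate.io/postgres:14.6-alpine": ["CVE-2016-2781", "CVE-2099-0001"],
}

# Matches "<id> - <justification>" bullets for CVE, GHSA and PRISMA identifiers.
DISPOSITION_RE = re.compile(
    r"^\s*[•*-]?\s*(CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|PRISMA-\d{4}-\d{4})"
    r"\s+-\s+(.+?)\s*$"
)


def parse_dispositions(notes: str) -> dict[str, str]:
    """Map each vulnerability id in the release notes to the vendor's justification."""
    found: dict[str, str] = {}
    for line in notes.splitlines():
        m = DISPOSITION_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def classify(justification: str) -> str:
    """Split justifications into the two classes the notes use: 'no_fix' (package
    still present, no upstream fix) versus 'not_affected' (code path not executed)."""
    return "no_fix" if justification.lower().startswith("no fix available") else "not_affected"


@dataclass
class TriageResult:
    not_affected: dict[str, list[str]] = field(default_factory=dict)  # image -> ids
    no_fix: dict[str, list[str]] = field(default_factory=dict)        # image -> ids still shipped
    unreviewed: dict[str, list[str]] = field(default_factory=dict)    # image -> ids needing review

    def needs_attention(self) -> bool:
        return bool(self.unreviewed)


def triage(findings: dict[str, list[str]], dispositions: dict[str, str]) -> TriageResult:
    """Bucket every finding by vendor disposition; anything not evaluated is flagged."""
    result = TriageResult()
    for image, ids in findings.items():
        for vuln_id in sorted(set(ids)):
            justification = dispositions.get(vuln_id)
            if justification is None:
                result.unreviewed.setdefault(image, []).append(vuln_id)
            elif classify(justification) == "no_fix":
                result.no_fix.setdefault(image, []).append(vuln_id)
            else:
                result.not_affected.setdefault(image, []).append(vuln_id)
    return result


def triage_sample() -> TriageResult:
    """Run the constructed findings against the 1.6.8 dispositions."""
    return triage(SAMPLE_FINDINGS, parse_dispositions(RELEASE_NOTES_1_6_8))


if __name__ == "__main__":
    r = triage_sample()
    for image, ids in r.unreviewed.items():
        print(f"REVIEW {image}: {', '.join(ids)}")
    print("needs attention" if r.needs_attention() else "all findings covered by vendor dispositions")
```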

Version 1.6.7

TSB 1.6.7 is a patch release that fixes CVEs in TSB's dependencies.

Outstanding CVEs

At the time of shipping, the following CVEs had been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2010-0834 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2018-6557 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2016-2781 - No fix available
  • CVE-2018-1000007 - No fix available
  • CVE-2019-0190 - No fix available
  • CVE-2019-10743 - No fix available
  • CVE-2021-31879 - No fix available
  • CVE-2022-27943 - No fix available
  • CVE-2022-3219 - No fix available
  • CVE-2022-3715 - No fix available
  • CVE-2022-3857 - No fix available
  • CVE-2022-48522 - No fix available
  • CVE-2022-4899 - No fix available
  • CVE-2023-29383 - No fix available
  • CVE-2023-2953 - No fix available
  • CVE-2023-34969 - No fix available
  • CVE-2023-35116 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39326 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39804 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4039 - No fix available
  • CVE-2023-42363 - No fix available
  • CVE-2023-42364 - No fix available
  • CVE-2023-42365 - No fix available
  • CVE-2023-42366 - No fix available
  • CVE-2023-44487 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45142 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45283 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45284 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45285 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-46218 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-47038 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-47108 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4806 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4813 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-48795 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-49290 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-5156 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-5678 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-5981 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.

Version 1.6.6

TSB 1.6.6 is a patch release that fixes CVEs in TSB's dependencies. Of particular note, CVE-2023-44487 has been fixed in Envoy, Istio and core TSB components. Some vulnerability scanners may still report the vulnerability as present in some of TSB's packages, but in those instances the vulnerability is not exploitable.

Outstanding CVEs

At the time of shipping, the following CVEs had been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2016-2781 - No fix available
  • CVE-2019-10743 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2021-31879 - No fix available
  • CVE-2022-27943 - No fix available
  • CVE-2022-3219 - No fix available
  • CVE-2022-3715 - No fix available
  • CVE-2022-3857 - No fix available
  • CVE-2022-48522 - No fix available
  • CVE-2022-4899 - No fix available
  • CVE-2023-25165 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-28321 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-28322 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-29383 - No fix available
  • CVE-2023-2953 - No fix available
  • CVE-2023-2975 - No fix available
  • CVE-2023-33201 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-3446 - No fix available
  • CVE-2023-34969 - No fix available
  • CVE-2023-36054 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-3817 - No fix available
  • CVE-2023-38545 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-38546 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39318 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39319 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39323 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39325 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-3978 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4016 - No fix available
  • CVE-2023-4039 - No fix available
  • CVE-2023-44487 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45142 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4586 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4911 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.

Version 1.6.5

TSB 1.6.5 is a patch release that fixes CVEs in TSB's dependencies.

The following critical/high severity CVEs (as rated by CVSS score) have been fixed since TSB 1.6.3, along with a number of low/medium severity issues:

  • CVE-2022-48174
  • CVE-2023-39533
  • CVE-2023-39417

At the time of shipping, the following CVEs had been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2023-39318 - Only present in the Web UI container, which is not affected by the vulnerability
  • CVE-2023-39319 - Only present in the Web UI container, which is not affected by the vulnerability
  • CVE-2023-39320 - Only present in the Web UI container, which is not affected by the vulnerability
  • CVE-2023-39321 - Only present in the Web UI container, which is not affected by the vulnerability
  • CVE-2023-39322 - Only present in the Web UI container, which is not affected by the vulnerability
  • PRISMA-2023-0056 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • PRISMA-2022-0270 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • GHSA-6xv5-86q9-7xr8 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-25165 - Requires the construction of a malicious Helm chart in order to leak IP address information to a malicious DNS server. Customers using Tetrate-provided Helm charts are unaffected.
  • PRISMA-2023-0046 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • GHSA-2w8w-qhg4-f78j - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-33201 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-28321 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-28322 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • PRISMA-2021-0055 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2022-23471 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39319 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39318 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2019-10743 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.

The following low/medium CVEs have no fix available from upstream projects and so cannot be fixed at this time:

  • CVE-2022-48522
  • CVE-2023-36054
  • CVE-2023-4016
  • CVE-2022-3715
  • CVE-2023-2953
  • CVE-2022-4899
  • CVE-2023-34969
  • CVE-2016-2781
  • CVE-2022-27943
  • CVE-2023-2975
  • CVE-2023-29383
  • CVE-2022-3219
  • CVE-2021-31879
  • CVE-2022-3857
  • PRISMA-2021-0153
  • CVE-2023-4813
  • CVE-2023-4806

Version 1.6.4

TSB 1.6.4 is a patch release that includes a set of performance improvements and bug fixes when managing a large number of clusters.

  • Improved the time it takes for configurations created in TSB to manifest in the final clusters.
  • Improved the config status reporting loop, reducing the average time needed to see status events.
  • Reduced load on the TSB server and the Postgres database related to config distribution and config event processing.
  • Improved the TSB and MPC operational Grafana dashboards to give better insights.
  • Fixed an error that prevented adding NodePort to the multi-cluster port in data plane APIs.

Version 1.6.3

Security fixes

TSB 1.6.3 includes the security content outlined in ISTIO-SECURITY-2023-003.

It also includes fixes for a number of CVEs in libraries included in container base layers that were not exploitable but have been fixed as part of our software development life cycle.

At the time of shipping, the following CVEs had been identified by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • PRISMA-2023-0056 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • PRISMA-2022-0270 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-25165 - Requires the construction of a malicious Helm chart in order to leak IP address information to a malicious DNS server. Customers using Tetrate-provided Helm charts are unaffected.
  • GHSA-rm8v-mxj3-5rmq - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • PRISMA-2023-0046 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-29406 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • GHSA-2w8w-qhg4-f78j - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-2975 - No fix available from upstream project, severity too low
  • CVE-2023-3446 - Not a security vulnerability
  • CVE-2021-31879 - No fix available from upstream project
  • CVE-2023-33201 - TSB does not use an LDAP CertStore from Bouncy Castle to validate X.509 certificates
  • CVE-2022-3715 - No fix available from upstream project, severity too low
  • CVE-2023-2953 - No fix available from upstream project, severity too low
  • CVE-2022-4899 - No fix available from upstream project, severity too low
  • CVE-2016-2781 - No fix available from upstream project, severity too low
  • CVE-2023-28321 - Fix was published 8 days ago (at time of release). Low severity, will be fixed in a future version of TSB.
  • CVE-2022-3857 - No fix available from upstream project, severity too low
  • CVE-2023-28322 - Fix was published 8 days ago (at time of release). Low severity, will be fixed in a future version of TSB.
  • CVE-2023-29383 - No fix available from upstream project, severity too low
  • CVE-2022-3219 - No fix available from upstream project, severity too low
  • PRISMA-2021-0055 - Not a security vulnerability. In addition, this library is not used by TSB and will be removed in a future release.
  • PRISMA-2021-0153 - No fix available from upstream project, severity too low
  • CVE-2019-10743 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-25173 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-25153 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2022-31030 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2022-23471 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.

Image SHAs

Here are the SHA values for the container images that comprise this release of TSB. Container image tags are not immutable, so it is important to ensure that the correct images have been synced to your local repository before installation. Where the images are distributed as multi-architecture manifests, the SHA value given is that of the AMD64 image:

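An added example (not part of TSB or tctl) of the pre-installation check the paragraph above asks for: it parses a digest list in the release-notes line format, compares it with the digests observed in the local registry, and emits digest-pinned references for the images that match. Both lists below are constructed with placeholder digests and a hypothetical local registry name; the observed side would normally be collected with `skopeo inspect` or `docker inspect`.

```python
"""Check synced container images against the digests published in release notes.

Added example, not part of TSB or tctl. Both inputs are constructed here with
placeholder digests; in practice EXPECTED_TEXT is the release-notes list and
OBSERVED comes from your registry (e.g. skopeo inspect --format '{{.Digest}}').
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Release-notes line shape: "<repo>:<tag>: sha256:<64 hex>" (optionally bulleted).
IMAGE_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<repo>[^\s:]+):(?P<tag>[^\s:]+):\s*(?P<digest>sha256:[0-9a-f]{64})\s*$"
)

# Constructed sample data with placeholder digests (not the real release digests).
EXPECTED_TEXT = "\n".join([
    f"  • containers.dl.tetrate.io/bridge-server:1.6.3: sha256:{'a' * 64}",
    f"  • containers.dl.tetrate.io/tctl:1.6.3: sha256:{'b' * 64}",
    f"  • containers.dl.tetrate.io/postgres:14.6-alpine: sha256:{'c' * 64}",
])
# Observed in a hypothetical local registry (constructed): the tctl tag now points at a
# different image than the notes list, and postgres was never synced.
OBSERVED = {
    "registry.example.internal/tetrate/bridge-server:1.6.3": "sha256:" + "a" * 64,
    "registry.example.internal/tetrate/tctl:1.6.3": "sha256:" + "d" * 64,
}


@dataclass
class VerifyResult:
    pinned: dict[str, str] = field(default_factory=dict)               # local ref -> repo@digest
    mismatch: dict[str, tuple[str, str]] = field(default_factory=dict)  # local ref -> (want, got)
    missing: list[str] = field(default_factory=list)                   # "name:tag" not found locally

    def safe_to_install(self) -> bool:
        return not self.mismatch and not self.missing


def parse_expected(text: str) -> dict[tuple[str, str], str]:
    """(image name, tag) -> digest, keyed on the last path component so that the
    local registry may differ from containers.dl.tetrate.io."""
    expected: dict[tuple[str, str], str] = {}
    for line in text.splitlines():
        m = IMAGE_LINE.match(line)
        if m:
            name = m.group("repo").rsplit("/", 1)[-1]
            expected[(name, m.group("tag"))] = m.group("digest")
    return expected


def local_key(ref: str) -> tuple[str, str]:
    """Reduce 'registry/path/name:tag' to (name, tag)."""
    name, _, tag = ref.rsplit("/", 1)[-1].partition(":")
    return name, tag


def verify(expected: dict[tuple[str, str], str], observed: dict[str, str]) -> VerifyResult:
    """Compare observed digests with the published ones. For multi-arch images the
    observed value must be the amd64 image digest, not the manifest-list digest,
    because that is what the release notes publish."""
    result = VerifyResult()
    seen: set[tuple[str, str]] = set()
    for ref, digest in observed.items():
        key = local_key(ref)
        want = expected.get(key)
        if want is None:
            continue  # image not part of this release list; ignore
        seen.add(key)
        if digest == want:
            repo = ref.rsplit(":", 1)[0]
            result.pinned[ref] = f"{repo}@{digest}"  # install by digest, never by mutable tag
        else:
            result.mismatch[ref] = (want, digest)
    result.missing = sorted(f"{n}:{t}" for n, t in expected if (n, t) not in seen)
    return result


def verify_sample() -> VerifyResult:
    """Run the constructed observed digests against the constructed expected list."""
    return verify(parse_expected(EXPECTED_TEXT), OBSERVED)


if __name__ == "__main__":
    r = verify_sample()
    for ref, (want, got) in r.mismatch.items():
        print(f"MISMATCH {ref}: expected {want}, found {got}")
    for name_tag in r.missing:
        print(f"MISSING {name_tag}")
    print("safe to install" if r.safe_to_install() else "do not install")
```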

Version 1.6.2

Bug fixes and Improvements

  • GitOps is now supported in the management plane cluster.
  • GitOps webhook is now removed whenever the GitOps component is deactivated.
  • By default, the synchronization of TelemetrySources and TelemetryMetrics is disabled to enhance resource consumption efficiency.
  • Added functionality for the North/South gateway to handle exposed-host HTTPS multicluster calls from mesh clients, assisting in the migration to ISTIO_MTLS.
  • Addressed UI bugs and introduced improvements to enhance the user experience.
  • Added the ability to delete AccessBindings using tctl or GitOps.
  • Added support to detect minikube as a cluster provider.
  • Added inline authz support for HTTP external server in Tier1 gateway.
  • Improved propagation strategy behavior: the propagation strategy set for a resource is now only enforced for the resource's descendants, rather than for the resource itself.
  • Fixed race condition in tsb-migrations job.

Security fixes

This release shipped with no known CVEs at the time of release; new CVEs will emerge, and those will be fixed and documented in subsequent release notes.

There are currently some known vulnerabilities that are not exploitable:

  • CVE-2023-29402 - Only exploitable at build time, and the TSB build process only uses go get, which is not affected.
  • CVE-2023-29403 - setuid / setgid is not used.
  • CVE-2023-29404 and CVE-2023-29405 - Only exploitable at build time, and go is not used in the TSB build.
  • PRISMA-2022-0227 - Not exploitable, as the library is imported as an indirect dependency; it will be fixed in the next release, based on Istio 1.17.

Version 1.6.1

What's New

  • Subset based routing is now supported when cross cluster east-west failover is enabled.
  • Zero traffic disruption for cross cluster communication during downscaling or node draining.
  • TSB now supports K8s 1.25.

Bug fixes and Improvements

  • IsolationBoundaries improvements.
    • Improvements in resource clean-up while disabling or removing an Istio revision under IsolationBoundaries.
    • Ability to operate and upgrade the Istio CNI component under a user-specified revision.
  • Improved the XCP edge-to-central exchange of configurations and cluster states sync for enhanced performance.
  • Fixed an upstream issue related to the IstioOperator cache not being properly updated while switching revisions.
  • Fixed an issue related to helm uninstall timeout.
  • Fixed an issue related to OAP to keep required security context properties as default.
  • Improvement to handling of internal webhook certs.
  • Fixed bug related to AuthZ policies at gateway when envoy proxy protocol is enabled.
  • Optimizations to eastwest communication resource needs.
  • Allow ISTIO_MUTUAL TLS setting in direct mode gateways.
  • Addressed user interface (UI) issues to improve overall usability.
    • Fixed namespace scope in workspace group cards and topology view
    • Fixed issues related to topology view slider and date selector.
    • New Zipkin Lens UI enhancements.

Security fixes

  • Update TSB component images to address CVEs.

Version 1.6.0

What's New

  • Security Rules extended to provide significantly more flexibility and specificity, by:
  • High Availability capabilities added to further improve efficiency and failover:
  • User Interface enhancements to empower TSB users to visualize and monitor platform and service activity:
    • Add Log streaming viewers to UI dashboard, capturing logs from services and Istio proxies.
    • Support multiple rule binding in Role UI.
    • Add Users and Teams view in Setting UI.
    • Improved time range slider in Topology view.
    • UI now offers a new Dark Mode.
  • Investigate Application Performance:
  • Platform Additions and Changes:
  • Traffic Control:
    • ServiceRoute now supports advanced traffic shifting subset sections for HTTP and TCP services.
  • Extensibility:
    • Support for WASM Extensions across gateways and service proxies, with WASM catalog and admin-defined defaults for WASM extensions.
  • Security:
  • Reduce footprint by removing Zipkin dependency and using OAP Skywalking for tracing. Improve efficiency and scalability of SkyWalking storage:
    • Removed the Zipkin Backend and replaced it with OAP for collecting and querying traces. Use SkyWalking receiver-zipkin to collect traces from Zipkin trace reporter, and zipkin-query to provide Zipkin trace query API.
    • OAP supports merging all metrics/meter and records (without super datasets) indices into one physical index template each, metrics-all and records-all. Set the oap component setting storageIndexMergingEnabled to "true" to merge the indices into one physical index template. When it is not set, metrics/meter and records indices are sharded into multiple physical indices as in previous versions. (Note: this is enabled by default in the SPM.) Refer to SkyWalking new-elasticsearch-storage-option and SkyWalking-storage-elasticsearch.
    • OAP supports per index template settings to scale out the storage to your needs. Regardless of the oap component's storageIndexMergingEnabled value, users can choose to adjust Elasticsearch's shard number (by adjusting the SW_STORAGE_ES_INDEX_SHARDS_NUMBER env var of the oap component) or provide, per index, the concrete number of shards and replicas. For instance, if storageIndexMergingEnabled is enabled, we can increase the number of shards for the metrics-all index template:

        oap:
          storageIndexMergingEnabled: true
          storageSpecificIndexSettings:
          - indexName: "metrics-all"
            numberOfShards: 4
            numberOfReplicas: 1

    • OAP supports enabling URIs/APIs (Endpoint) analysis by setting apiEndpointMetricsEnabled to "true". By default this setting is "false" and URIs/APIs (Endpoint) analysis is disabled. If the value needs to be modified, it must be configured in both the OAP management plane deployment and the control plane deployment. For example, to enable it, update both the ManagementPlane resource and the ControlPlane resource:

        spec:
          meshObservability:
            settings:
              apiEndpointMetricsEnabled: true
  • Added --apikey-stdin to provide API Key when doing image synchronization. For example: echo myAPIKey | tctl install image-sync --username myuser --registry gcr.io/mycompany/registry --apikey-stdin.

Upgrade notes

  • Due to Zipkin Backend being replaced by OAP, after the upgrade the Zipkin deployment needs to be removed, including TSB Control Plane (automatically) and Management Plane (deployment, cronjob zipkin-cleanup, config in CRD managementplanes.install.tetrate.io). The Elasticsearch indexes zipkin-span and zipkin-autocomplete can be removed too.
  • Due to a fix introduced in Istio 1.14, when both replicaCount and autoscaleEnabled are set, replicaCount will be ignored and only autoscale configuration will be applied. This can lead to issues where the tier1gateways and ingressgateways scale down to 1 replica temporarily during the upgrade until the autoscale configuration is applied. In order to avoid this issue, edit the tier1gateway or ingressgateway spec and remove the replicas field. Since the current deployment will already be managed by the HPA controller, this will allow you to upgrade the pods with the desired configuration.
  • If you enable Isolation Boundaries on an existing environment, you need to scale down the TSB data plane operator before adding isolation boundaries in the control plane resource. See Non-revisioned to Revisioned upgrade for more details.

Deprecation Notices

  • Removed the Zipkin Backend.

Known Issues and Limitations

For full details on production readiness and supportability of TSB features, refer to the Feature Status matrix. In addition:

  • The WAF plugin image is pulled from the Tetrate public registry oci://ghcr.io/tetrateio instead of the customer container registry defined within the control plane.
  • securityContext defined in TSB control plane CR is not applied to vmgateway component.
  • Subset based routing is not supported in EastWestGateway failover.
  • WasmExtension will be applied to all the traffic without ability to select specific traffic by its direction or port.
  • If you use private registry for your WasmExtension, Wasm imagePullSecret has to exist in the target namespace.
  • To use Identity Propagation, you have to set imagePullSecret for your TSB images registry in the istio-system namespace.
  • Identity Propagation only supports HTTP traffic.
  • Port 15443 is not allowed in Istio Gateway in Tier 2 DIRECT mode and tls modes ISTIO_MUTUAL and AUTO_PASSTHROUGH are not allowed in Istio Gateway in DIRECT mode.
  • Workload Onboarding only supports a single isolation boundary.