Skip to main content
logoTetrate Service BridgeVersion: 1.14.x

Release Notes

Version 1.14.1

  • Fixed the following CVEs: CVE-2019-14993,CVE-2022-31045,CVE-2024-58251,CVE-2025-15281,CVE-2025-22872,CVE-2025-46394,CVE-2025-47912,CVE-2025-58185,CVE-2025-58187,CVE-2025-58188,CVE-2025-58189,CVE-2025-60876,CVE-2025-61723,CVE-2025-61724,CVE-2025-61726,CVE-2025-61727,CVE-2025-61729,CVE-2025-61730,CVE-2025-67499,CVE-2025-68121,CVE-2025-71176,CVE-2026-0861,CVE-2026-0915,CVE-2026-0994,CVE-2026-22007,CVE-2026-22013,CVE-2026-22016,CVE-2026-22018,CVE-2026-22021,CVE-2026-2219,CVE-2026-25679,CVE-2026-2673,CVE-2026-27139,CVE-2026-28387,CVE-2026-28388,CVE-2026-28390,CVE-2026-29111,CVE-2026-32280,CVE-2026-32281,CVE-2026-32282,CVE-2026-32283,CVE-2026-32285,CVE-2026-32288,CVE-2026-32289,CVE-2026-32952,CVE-2026-33186,CVE-2026-33230,CVE-2026-33231,CVE-2026-33236,CVE-2026-33416,CVE-2026-33636,CVE-2026-33810,CVE-2026-33811,CVE-2026-33814,CVE-2026-33815,CVE-2026-33816,CVE-2026-33871,CVE-2026-33997,CVE-2026-34040,CVE-2026-34268,CVE-2026-34282,CVE-2026-34757,CVE-2026-35206,CVE-2026-35469,CVE-2026-39820,CVE-2026-39823,CVE-2026-39825,CVE-2026-39826,CVE-2026-39836,CVE-2026-39882,CVE-2026-39883,CVE-2026-40179,CVE-2026-40200,CVE-2026-40225,CVE-2026-40226,CVE-2026-4105,CVE-2026-41417,CVE-2026-42151,CVE-2026-42154,CVE-2026-42499,CVE-2026-42577,CVE-2026-42578,CVE-2026-42579,CVE-2026-42580,CVE-2026-42581,CVE-2026-42583,CVE-2026-42584,CVE-2026-42585,CVE-2026-42587,CVE-2026-44903,CVE-2026-4539,CVE-2026-4873,CVE-2026-4878,CVE-2026-5545,CVE-2026-5958,CVE-2026-6042,CVE-2026-6253,CVE-2026-6357,CVE-2026-6429,CVE-2026-6472,CVE-2026-6473,CVE-2026-6474,CVE-2026-6475,CVE-2026-6477,CVE-2026-6478,CVE-2026-6479,CVE-2026-6637,CVE-2026-6732,GHSA-fw8g-cg8f-9j28,GHSA-j88v-2chj-qfwx,GHSA-rf74-v2fm-23pw,CVE-2026-4046,CVE-2026-4437,CVE-2026-4438.

  • The IAM server no longer uses init containers to generate authentication tokens for the other MP components. It manages these tokens with a kubernetes reconciler in the main container instead. This allows the server to start faster and reduces the likelihood of startup failures due to issues with the init containers.

  • TSB now supports mutual TLS (mTLS) client certificate authentication when connecting to Elasticsearch or OpenSearch. Operators can supply a PEM-encoded client certificate and private key via the secrets.elasticsearch.clientcert and secrets.elasticsearch.clientkey Helm values (Control Plane and Management Plane). TSB stores these in the es-certs secret and mounts them into the relevant components (Envoy front-proxy and OAP) automatically.

  • The TSB cert issuer now supports custom cert-manager issuers and CA secrets, with the ability to configure different issuers for TSB TLS certificates and cluster intermediate CAs.

    The existing selfSigned API is deprecated but still supported. To migrate, update the management plane configuration from:

    spec:
      certIssuer:
        selfSigned: {}

    to

    spec:
      certIssuer:
        defaultIssuer:
          selfSigned: {}

  • The ControlPlane xcp component now supports a sharedGatewayEnabled field. When set to true, the shared gateway feature is enabled in the XCP edge configuration.

    Example configuration:

    spec:
      components:
        xcp:
          sharedGatewayEnabled: true

  • Stopped reporting MPC and XCP status events for the internal WAF extension (internal/waf/tetrate-internal-waf-v060). The extension is synthesized by the Management Plane Controller and has no corresponding node in the bridge config graph, so status reports for it produced spurious error logs on the bridge side every time the controller reconnected.

  • The User resource's spec.loginName field is now honored at login. Previously only metadata.name was used to resolve principals from JWT subject claims; users whose login name differed from their resource name could not authenticate. Per-organization uniqueness validation is now enforced when creating or updating Users.

    Backwards compatibility is preserved for tokens issued before this change. If legacy data contains a collision — for example one user with spec.loginName: x and a different user with metadata.name: x — TSB treats the lookup as ambiguous and falls back to the previous metadata.name resolution, so existing sessions continue to work. Operators should resolve such collisions; new writes that would create one are now rejected with AlreadyExists.

  • Improved resilience and memory usage of cluster state updates between MPC and TSB. Stuck cluster state streams now recover automatically without requiring a pod restart, redundant updates are skipped to reduce database load, and MPC memory usage is significantly lower in deployments with many or large clusters. The persisted "last sync time" for a cluster may now lag real time by up to the configured cluster-state-dedup-ttl (default 60s) when XCP is sending heartbeats over unchanged state — UIs and alerts that read this field should account for the new bound. New metrics are exposed for the cluster-state pipeline: mpc_cluster_state_hash_errors_total (TSB), mpc_cluster_update_hash_errors_total (MPC), mpc_segmentation_exec_errors_total, mpc_segmentation_exec_migrating_total.

  • Fixed tctl experimental segmentation policyclasses reporting policy classes in the allowed-set field when access was denied by another policy class. The bridge handler was reading per-policy-class operations from the n2ac introspection response under the pre-v0.1.20 contract (filtered against the global intersection), but n2ac v0.1.20 changed those entries to be raw per-class grants. The handler now intersects per-class operations against the global allowed set explicitly before reporting them.

  • The control plane webhook port is now configurable via the operator.webhookPort Helm value (default: 9443). For example:

    operator:
      webhookPort: 9444

    Temurin 11 JRE to the latest patched build (April 2026 Oracle CPU).

  • Added DISABLE_SEGMENTATION environment variable on the TSB operator to control deployment of the N2AC (segmentation) component. When set to true, the operator skips deploying N2AC and sets TSB_DISABLE_SEGMENTATION=true on the bridge and web-ui deployments. Previously, N2AC was always deployed regardless of whether segmentation was enabled.

  • Added envoyMetricScrapingSelectors to the control plane collector component, allowing operators to fine-tune which Envoy data plane proxies are scraped for metrics. Each selector can target either an entire namespace (scraping all Istio-injected pods in that namespace) or a specific workload via namespace and label selectors. When no selectors are configured, the existing default scraping behavior is preserved.

  • Fixed a panic in MPC that caused a CrashLoopBackOff when Flagger was installed in the cluster. The canaries.flagger.app CRD triggered an informer whose list function called into a nil Flagger client. MPC now initializes a real Flagger client at startup and passes it to the combined kube client, preventing the nil-pointer dereference.

  • Fix a high cpu consumption issue when the --configwatch-service-account-debounce-interval=0s flag was set in the apiserver.

  • TSB now creates a dedicated promql user with a configurable password to access the /promql endpoint. The user is unprivileged in the scope of TSB permissions. To configure it, use the --tsb-promql-password flag with tctl install manifest management-plane or set the secrets.tsb.promqlPassword Helm value when installing the Management Plane chart. The password is stored in the admin-credentials Kubernetes Secret under the promql key in namespace tsb.

  • The busybox image has been removed from the TSB release. This image has been replaced with an smaller internal one holding only the necessary capabilities.

  • Improved segmentation ACL resilience on the management plane. On startup, the bridge now blocks up to 30 seconds waiting for the first ACL batch from N2AC before returning rules, preventing config distribution from aborting with transient "no ACL rules received yet" errors during the N2AC ramp-up window. After the first batch has been received, transient N2AC errors are absorbed by returning the last-known-good ruleset instead of propagating the error, so management-plane config distribution keeps serving the last working rules during brief N2AC outages.

  • Added segmentation_acl_last_update_seconds, a gauge metric on the management-plane bridge that records the Unix timestamp of the last observed change to the ACL rules received from N2AC. The metric only advances when the ACL state actually changes, so operators can alert on staleness by comparing it to current time — if the value stops advancing, the bridge is serving cached rules because the N2AC ACL stream is stalled or disconnected.

  • Added tctl x segmentation describe command for troubleshooting segmentation access decisions. Given a source and target resource, the command traces the access decision back to the specific segmentation configuration responsible for it, showing zone assignments, access grants, and the SegmentationPolicy, SegmentationMembership, and SegmentationRules resources involved. Supports both text and YAML output formats.

  • Added tctl x segmentation policyclasses command and PolicyClasses RPC to inspect the policy classes derived from segmentation configuration. Supports table and YAML output formats.

  • Fixed Azure base group lookup in TeamSync to require an exact displayName match. Microsoft Graph search returns groups whose names contain the query string, so configuring a base group like HR could previously resolve to a different group such as HR Taskforce. TeamSync now filters search results to the exact display name and fails fast with a clear error if no group matches.

  • Add metrics and dashboard panels for various components.

    New metrics in XCP Central Operator:

    • xcp_central_operator_feature_enabled
    • xcp_central_operator_feature_value
    • xcp_central_operator_feature_value_seconds
    • xcp_central_operator_feature_value_string

    New metrics in XCP Edge Operator:

    • xcp_edge_operator_feature_enabled
    • xcp_edge_operator_feature_value
    • xcp_edge_operator_feature_value_seconds
    • xcp_edge_operator_feature_value_string

    New metrics in XCP Central:

    • xcp_central_config_status_server_streams_total
    • xcp_central_config_status_server_streams_open_count
    • xcp_central_aggregate_config_status_server_streams_total
    • xcp_central_aggregate_config_status_server_streams_open_count
    • xcp_central_resource_exchange_server_streams_total
    • xcp_central_resource_exchange_server_streams_open_count
    • xcp_central_cluster_state_server_streams_total
    • xcp_central_cluster_state_server_streams_open_count

    New metrics in XCP Edge:

    • xcp_edge_config_status_client_streams_total
    • xcp_edge_config_status_client_streams_open_count
    • xcp_edge_resource_exchange_client_streams_total
    • xcp_edge_resource_exchange_client_streams_open_count
    • xcp_edge_cluster_state_client_streams_total
    • xcp_edge_cluster_state_client_streams_open_count
    • xcp_edge_config_translation_attempts_total
    • xcp_edge_config_translation_attempts_failed_total
    • xcp_edge_unmanaged_resources_count

  • Fixes issues where XCP resources wouldn't update correctly. All resources created by the XCP operators now use server side apply instead of merge, and can be reverted to the old behavior by setting USE_SERVER_SIDE_APPLY to false on the XCP operator deployments.

  • Gateway deployments are no longer reconciled during upgrades when their spec hasn't changed. A new RECONCILIATION_DIRTY phase and DirtyStateDetected condition surface when the generated config would differ from what's applied, giving visibility into configuration drift. Users can force reconciliation by setting the install.tetrate.io/reconcile-before label with a future date.

  • Added a new feature to the XCP Edge operator that allows users to override the proxy configuration annotation proxy.istio.io/config for the gateway deployments.

  • Tier1 gateways now validate that the TrafficGroup and SecurityGroup are consistent across clusters.

  • Fixed an issue where shared components (CNI, OAP, meshExpansion) could be inconsistently assigned to different revisions across restarts or upgrades. The default revision is now always preferred when available, ensuring stable and predictable behavior in multi-revision deployments.

  • Fixed accumulation of additionalOverlays which caused stale values to exist even after they were removed from EdgeXcp.

  • Fixed the status poller for GatewayDeployments which showed pending status for all gateways in the tsb namespace.

  • XCP operator now automatically skips wasmfetcher custom templates when native sidecars are enabled. With native sidecars (Istio >= 1.27 default), the wasmfetcher init container approach is unnecessary. Detection uses a three-layer approach: the SKIP_WASMFETCHER_CUSTOM_TEMPLATES operator env var override, explicit ENABLE_NATIVE_SIDECARS in EdgeXcp istiod env, and Istio version-based auto-detection (>= 1.27).

  • Fixed OpenShift HCP/HyperShift cluster detection. Worker nodes on hosted control plane clusters lack the machineconfiguration.openshift.io/state annotation (managed by the MachineConfig Operator on the management cluster), causing them to be detected as unknown provider. Detection now falls back to the hypershift.openshift.io/managed label for HCP worker nodes, and the node.openshift.io/os_id label as a general OpenShift catch-all.

  • Fix Ztunnel startup issue due to missing permissions for istio-cni-node.

  • Add endpointslices to XCP Central RBAC rules to fix webhook readiness check.

  • Removed a debug log from xcpd that would include authorization tokens in central when new connections were established. This log was only emitted when logging was set to the debug level.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2025-69720 - No fix available.
  • CVE-2026-27456 - No fix available.
  • CVE-2026-5450 - No fix available.
  • CVE-2026-5704 - No fix available.
  • CVE-2026-4437 - No fix available.
  • CVE-2026-4046 - No fix available.
  • CVE-2026-3184 - No fix available.
  • CVE-2026-6238 - No fix available.
  • CVE-2026-4438 - No fix available.
  • CVE-2026-34743 - No fix available.
  • CVE-2026-5435 - No fix available.
  • CVE-2026-27171 - No fix available.
  • CVE-2026-40228 - No fix available.
  • CVE-2025-6141 - No fix available.

Version 1.14.0

  • Fixed the following CVEs: CVE-2026-25679, CVE-2026-33186, CVE-2025-59530, CVE-2026-27142, CVE-2026-27171, CVE-2025-60876, GHSA-72hv-8253-57qq, CVE-2026-3731, CVE-2026-23865, CVE-2026-22184, CVE-2026-0861, CVE-2026-0915, CVE-2025-15281, CVE-2026-2219, CVE-2026-24051, CVE-2026-27139, CVE-2026-4427, GHSA-6g7g-w4f8-9c9x
  • Fixed a race condition that could prevent accurate gateway status reporting due to race condition, ensuring that gateway deployment status is correctly reflected.
  • Added support for OpenAPI 3.1 and 3.2 in payload validation.
  • Added PingAM 7.4 as a supported identity provider for users and groups retrieval in TeamSync.
  • Use core Envoy filters to replace the xfcc-guard WASM filter for XFCC header validation.
  • Fixed an issue where gateway pod annotations were not updated correctly. Gateway Deployment updates now use server side apply instead of merge, and can be reverted to the old behavior by setting USE_SERVER_SIDE_APPLY_FOR_GATEWAY_DEPLOYMENTS to false on the XCP edge operator deployment.
  • Updated Istio version to 1.28.

Upgrade:

  • At gateways, fix duplication of authentication configuration across hostnames and optimize memory consumption. From previous releases which have ENABLE_JWT_AUTHENTICATION_MANDATORY_JWT_TOKEN, the env variable must be replaced with ENABLE_ENHANCED_REQUEST_AUTHENTICATION, which is a superset of functionality previously put behind ENABLE_JWT_AUTHENTICATION_MANDATORY_JWT_TOKEN.

Features/Istio features enabled by default (previously disabled):

  • DNS proxying for ambient mesh (cni.ambient.dnsCapture) now enabled by default. (1.24 → 1.25)
  • IP auto-allocation for ServiceEntry (PILOT_ENABLE_IP_AUTOALLOCATE) now enabled by default. (1.24 → 1.25)
  • Native sidecars (ENABLE_NATIVE_SIDECARS) now enabled by default. (1.26 → 1.27)
  • Upstream spans for gateway requests (PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY) enabled by default. (1.27 → 1.28)
  • Shadow host suffixes disabled by default (DISABLE_SHADOW_HOST_SUFFIX=true). (1.27 → 1.28)

New Istio features disabled by default (opt-in):

  • Reconcile iptables on startup for ambient pods (cni.ambient.reconcileIptablesOnStartup). (introduced in 1.25)
  • Experimental Gateway API BackendTLSPolicy and XBackendTrafficPolicy (PILOT_ENABLE_ALPHA_GATEWAY_API). (introduced in 1.26)
  • ClusterTrustBundle API (v1alpha1) (ENABLE_CLUSTER_TRUST_BUNDLE_API). (introduced in 1.26)
  • Gateway API Inference Extension (SUPPORT_GATEWAY_API_INFERENCE_EXTENSION). (introduced in 1.27)
  • Native nftables for sidecar mode (values.global.nativeNftables=true). (introduced in 1.27)
  • Istio-owned CNI config file in ambient mode (cni.istioOwnedCNIConfig=true). (introduced in 1.27)
  • Native nftables for ambient mode (values.global.nativeNftables=true). (introduced in 1.28)
  • NetworkPolicy deployment for istiod (global.networkPolicy.enabled=true). (introduced in 1.28)

Important Istio changes:

  • CNI agent no longer requires hostNetwork; ambient.shareHostNetworkNamespace default changed to false (previously true). (1.26)
  • Default maximum connections per socket event changed to 1 (from 0) to improve performance. To revert, set MAX_CONNECTIONS_PER_SOCKET_EVENT_LOOP=0. (1.26)
  • Deprecated ISTIO_META_DNS_AUTO_ALLOCATE and traffic.sidecar.istio.io/kubevirtInterfaces. (1.25)
  • DNS proxying algorithm updated. (1.25)
  • Added ObservedGeneration to ambient status conditions. (1.25)
  • Support for preserving original case of HTTP/1.x headers. (1.25)
  • istio-cni-node now has DAC_OVERRIDE capability and unconfined AppArmor annotation. (1.25)
  • OpenCensus telemetry provider removed. (1.25)
  • GKE platform profile added for ambient mode. (1.25)
  • Improved iptables binary detection. (1.26)
  • Warning added for deprecated telemetry providers Lightstep and OpenCensus. (1.26)
  • ENABLE_AUTO_SNI flag removed. (1.26)
  • Lightstep tracing provider support removed. (1.27)
  • MD5 usage removed for non-cryptographic purposes (FIPS 140-3 compliance). (1.27)
  • Gateway API upgraded to v1.4 with BackendTLSPolicy v1 support. (1.28)
  • EndpointSlice used instead of Endpoints for remote istiod (Kubernetes 1.33+ compatibility). (1.28)
  • Post-Quantum Cryptography (PQC) option added to COMPLIANCE_POLICY. (1.27)
  • Certificate revocation list (CRL) support for plugged-in CAs. (1.27)
  • Dual-stack support promoted to beta. (1.28)
  • Support for InferencePool v1 (alpha/RC versions removed). (1.28)

Other changes:

  • When GatewayDeployment/IngressDeployment/EgressDeployment/Tier1Deployment resource has 1 as replicaCount and hpaSpec is not configured(values configured via kubeSpec), then PodDisruptionBudget is not created. Same when hpaSpec is configured and hpaSpec.minReplicas is not greater than 1, PDP is not created. This is to prevent the case when disruption gets stuck because of PDP when there is only 1 replica.
  • Fixed an existing race condition in event queue tests that was being triggered on Istio upgrade.
  • Fixed an issue where XCP would update some ServiceEntry, DestinationRule and AuthorizationPolicy resources repeatedly with different field ordering. This could cause unnecessary CPU usage and API server load.
  • Added support for ISTIO_MUTUAL mode for external authorization.
  • Add support for timeout and cors policy in HTTP route rules.
  • Fixed an issue with using gRPC 1.75 where the grpc client previously extracted certificate from tls.Config.ServerName for SAN now uses authority header. With gRPC 1.75, to consolidate the usage of SAN, the authority is used as source of truth now. We didn't set the authority and only set the Servername. This caused 1.75 gRPC client side verification to fail because new gRPC client ignored the ServerName. This fix ensures that the authority is explicitly set in gRPC client usage.
  • Egress gateways now support JWT authentication and authorization, aligning with ingress behavior; OIDC remains unsupported.
  • Added the ability to pause gateway deployment reconciliation. This is useful during upgrades to prevent the dataplane from being updated automatically.
    • Added a dry-run diff endpoint (/debug/gateway-reconcile-diff) on the edge operator admin server (port 8090) to preview what changes would be applied when reconciliation is resumed. The response shows per-gateway reconciliation state, pending changes to Deployments/Services/ServiceAccounts/HPAs, whether changes would cause pod restarts, and a unified YAML diff. Supports namespace and name query parameters for filtering (name requires namespace). The response summary includes total gateways, count with changes, count that will cause restarts, and count paused.
    • Gateway deployment config status now reports the RECONCILIATION_PAUSED phase as APPLIED_NOT_READY, with a ReconciliationPaused condition indicating the pause reason. The status includes current workload details (deployment readiness, replica counts, service type).
    • Gateway install objects (IngressDeployment, EgressDeployment, Tier1Deployment, GatewayDeployment) are now protected from accidental deletion. Deletion of managed gateway CRs is blocked when edge deletion protection is enabled. Non-managed gateway CRs are not affected.
    • Added two new metrics for gateway reconciliation observability:
      • gateway_reconcile_paused (gauge, labels: gateway_type, gateway_namespace, gateway_name): reports per-gateway pause state (1 = paused, 0 = active).
      • gateway_reconcile_skipped_total (counter, labels: gateway_type, reason, gateway_namespace, gateway_name): tracks the number of reconciliations skipped, with reason indicating the level that disabled it (object_label_disabled, namespace_api_disabled, revision_api_disabled).

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2026-29111 - No fix available.
  • CVE-2026-4046 - No fix available.
  • CVE-2025-69720 - No fix available.
  • PRISMA-2022-0168 - No fix available.
  • CVE-2026-33231 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2026-4105 - No fix available.
  • CVE-2025-45582 - No fix available.
  • CVE-2025-66382 - No fix available.
  • CVE-2026-4437 - No fix available.
  • CVE-2026-4438 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2026-22185 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2024-56433 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2025-14104 - No fix available.
  • CVE-2022-0563 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • CVE-2026-3184 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • CVE-2023-31439 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2005-2541 - No fix available.
  • CVE-2026-2673 - No fix available.
  • CVE-2011-3374 - No fix available.
  • CVE-2025-1376 - No fix available.
  • CVE-2025-70873 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2019-9192 - No fix available.
  • CVE-2025-27587 - No fix available.
  • TEMP-0628843-DBAD28 - No fix available.
  • CVE-2007-5686 - No fix available.
  • CVE-2023-31437 - No fix available.
  • CVE-2025-29481 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2017-18018 - No fix available.
  • CVE-2026-34743 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • CVE-2025-5278 - No fix available.
  • CVE-2023-31438 - No fix available.
  • TEMP-0841856-B18BAF - No fix available.
  • CVE-2011-4116 - No fix available.
  • CVE-2013-4392 - No fix available.
  • CVE-2021-45346 - No fix available.
  • TEMP-0517018-A83CE6 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.