Release Notes
Version 1.7.2
TSB 1.7.2 is a patch release that fixes CVEs in TSB's dependencies. Of particular note, CVE-2023-44487 has been fixed in Envoy, Istio and core TSB components. Some vulnerability scanners may still list the vulnerability as present in some of TSB's packages, but in those instances the vulnerability is not exploitable.
Outstanding CVEs
At the time of shipping, the following CVEs had been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.
- CVE-2016-2781 - No fix available
- CVE-2019-10743 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2021-31879 - No fix available
- CVE-2022-27943 - No fix available
- CVE-2022-3219 - No fix available
- CVE-2022-3715 - No fix available
- CVE-2022-3857 - No fix available
- CVE-2022-48522 - No fix available
- CVE-2022-4899 - No fix available
- CVE-2023-29383 - No fix available
- CVE-2023-2953 - No fix available
- CVE-2023-2975 - No fix available
- CVE-2023-3446 - No fix available
- CVE-2023-34969 - No fix available
- CVE-2023-36054 - No fix available
- CVE-2023-3817 - No fix available
- CVE-2023-38545 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-38546 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-39318 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-39319 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-39323 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-39325 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-3978 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-4016 - No fix available
- CVE-2023-4039 - No fix available
- CVE-2023-44487 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-45142 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-4586 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-4911 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- CVE-2023-47108 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- GHSA-m425-mq94-257g - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
- GHSA-xpw8-rcwv-8f8p - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
Version 1.7.0
What’s New
- Enabled TCP keepalive.
  - At front envoy, by default. To disable, use
        tctl install manifest management-plane-operator --registry gcr.io/mycompany/registry --set "operator.deployment.env[0].name=DISABLE_DOWSTREAM_KEEPALIVE,operator.deployment.env[0].value=true"
  - At ingress gateways, by default, when using TSB-managed Istio. To disable, use
        tctl install manifest control-plane-operator --registry gcr.io/mycompany/registry --set "operator.deployment.env[0].name=DISABLE_GATEWAY_DOWSTREAM_KEEPALIVE,operator.deployment.env[0].value=true"
- Added deletion protection for Organizations, Tenants, Workspaces and Groups:
  - The `deletionProtectionEnabled` property has been added to prevent these resources from being deleted when it is set.
  - If a resource or any of its child resources is protected, deletion is not allowed.
  - To delete a protected resource, the `deletionProtectionEnabled` property must be cleared, or the new `--force` flag in `tctl` must be used.
- Metrics for API endpoints
  - Metrics for API endpoints are enabled by default. To disable the option, set `spec.meshObservability.settings.apiEndpointMetricsEnabled` to `false`.
  - As new metrics are added, an increase in ElasticSearch storage usage is expected.
- Improved experience when pulling WASM extensions from private registries.
  - Extensions that are hosted in private OCI registries can now be downloaded using an internal WASM download proxy that is part of the TSB ControlPlane. This download proxy centrally caches the images to optimize downloads and centralizes the credentials used to pull them. When using the download proxy, the `imagePullSecrets` references in the WASM extensions only have to be created in the `istio-system` namespace. In addition, when using the download proxy, the image pull secrets are no longer needed when pulling from the cloud provider registries. The download proxy is disabled by default in this release. To enable it, edit the ManagementPlane resource spec as follows:
        spec:
          enableWasmDownloadProxy: true
  - Internal WASM extensions can be directly mounted in the Sidecar, Ingress and Egress gateway pods instead of being downloaded from the image registries. This can improve pod availability and startup times. The feature is disabled by default. To enable it, set the following configuration in the `istio` component of the `ControlPlane` resource:
        spec:
          components:
            istio:
              mountInternalWasmExtensions: true
    This feature is also available on onboarded VM workloads, where the internal WASM extensions are installed by the `onboarding-agent` package. If your workloads were onboarded using the Manual Onboarding flow with `tctl`, you can install the onboarding agent package in your workloads and keep the WASM extensions located in `/wasm-plugins`.
- Moved from Istio stats Envoy filters to the Telemetry API, allowing greater control over metrics and telemetry.
- Cluster Service Account auto-generated on cluster creation. Now, when a new Cluster is created, a Service Account named following the pattern `auto-cluster-<cluster-name>` is created and returned along with a new key pair ready to be used in the cluster onboarding process. With this, cluster onboarding has been simplified to:
  - Create the cluster in TSB:
        tctl apply -f <new-cluster.yaml>
  - Get the install template:
        tctl x cluster-install-template <cluster-name> > cluster-values.yaml
  - Apply the Helm install (Helm takes the release name before the chart):
        helm install <release-name> <repo>/controlplane -n istio-system --version v1.7.0 -f cluster-values.yaml
  The previous cluster onboarding flows are still valid and supported.
- OAP supports basic PromQL. Users can obtain metrics through the PromQL service for integrations such as building a Grafana dashboard.
Upgrade notes
- With the introduction of the new `Gateway` resource, there have been API modifications to maintain consistency within the TSB API. These changes were driven by our use of Protocol Buffers (protobuf), which has specific conventions for naming and managing collections. Here's what you need to know:
  - The service previously known as `Gateway` has been renamed to `Gateways`.
  - If you interact with TSB using the gRPC API, update your application to the latest gRPC client library.
  - If you use tctl, make sure you have the most recent version so that it can communicate with TSB.
Known Issues and Limitations
- ExternalServices health is reported as unacceptable in the topology UI.
- The `enableWasmDownloadProxy` option is not fully supported yet on VMs.
- There is a regression in the conversion of VirtualServices and DestinationRules in DIRECT mode that may cause the resources to be deleted when they're modified in TSB. A workaround exists: set `--concurrent-k8s-configs-push=0` (defaults to 50) in the MPC deployment startup flags. This mitigates the issue, but VirtualServices and DestinationRules will be deleted and recreated (instead of just updated) when they're updated in TSB, which may impact traffic when this happens. This issue is fixed in the next patch release.