CNI and managed data plane controller version 1.23.6-asm.28 is rolling out to allrelease channels.

While the managed data plane automatically updates Envoy Proxies by restartingworkloads, you must manually restart any StatefulSets and Jobs.

This patch includes the fix for the following CVEs:

The following images are now rolling out for managed Cloud Service Mesh:

• 1.21.6-asm.10 is rolling out to the rapid release channel.
• 1.20.8-asm.63 is rolling out to the regular release channel.
• 1.19.10-asm.57 is rolling out to the stable release channel.

These patch releases contain the fixes for the following managed Cloud Service Mesh CVEs:

1.28.2-asm.4 is now available for in-cluster Cloud Service Mesh.

You can now download 1.28.2-asm.4 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.28.0 subject to the list ofsupported features.

The following environment variables, fields, and annotations are not supported:

• PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY
• Additional attributes forHTTPCookie in the DestinationRule API
• caCertCredentialName field in ServerTLSSettings API
• OptionalNetworkPolicy for Istiod deployment
• Disable shadow host suffix
• MAX_CONNECTIONS_PER_SOCKET_EVENT_LOOP

Istio dual stack is not supported

Istio's experimental feature to enable lazy subset creation of envoy statisticsis not supported.

TheENABLE_AUTO_SNI flag is still supported to stay aligned with legacybehavior.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh. Cloud Service Mesh version 1.28.2-asm.4 uses Envoy v1.36.5-dev.

1.27.5-asm.0 is now available for in-cluster Cloud Service Mesh.

You can now download 1.27.5-asm.0 for in-cluster Cloud Service Mesh. It includesthe features ofIstio 1.27.5subject to the list ofsupported features.Cloud Service Mesh version 1.27.5-asm.0 uses envoy v1.35.9-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.26.8-asm.1 is now available for in-cluster Cloud Service Mesh.

You can now download 1.26.8-asm.1 for in-cluster Cloud Service Mesh. It includesthe features ofIstio 1.26.8subject to the list ofsupported features.Cloud Service Mesh version 1.26.8-asm.1 uses envoy v1.34.11.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

In-cluster Cloud Service Mesh 1.25 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, seeSupported versions.

The following images are now rolling out for managed Cloud Service Mesh:

• 1.21.6-asm.8 is rolling out to the rapid release channel.
• 1.20.8-asm.60 is rolling out to the regular release channel.
• 1.19.10-asm.55 is rolling out to the stable release channel.

These patch releases contain the fixes for the following managed Cloud Service Mesh CVEs:

Regional Cloud Service Mesh is now available as a public preview feature. SeeRegional Cloud Service Meshfor more information.

Managed Cloud Service Mesh will start using proxy versioncsm_mesh_proxy.20251121c_RC00 for Gateway API on GKE clusters. This proxyversion maps closest to Envoy version 1.37. This change is rolling out to allrelease channels and contains the fix for the managed Cloud Service Meshsecurity vulnerability listed in [GCP-2025-073](/service-mesh/docs/security-bulletins#gcp-2025-073.

1.25.6-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2025-073. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.25.6-asm.1 uses Envoy v1.33.13.

1.26.7-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2025-073. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.26.7-asm.1 uses Envoy v1.34.11.

1.27.4-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2025-073. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.27.4-asm.1 uses Envoy v1.35.7.

The following images are now rolling out for managed Cloud Service Mesh:

• 1.21.6-asm.7 is rolling out to the rapid release channel.
• 1.20.8-asm.59 is rolling out to the regular release channel.
• 1.19.10-asm.54 is rolling out to the stable release channel.

These patch releases contain the fix for the managed Cloud Service Mesh security vulnerability listed inGCP-2025-073.

The following rollouts have completed for managed Cloud Service Mesh:

• 1.21.6-asm.4 has rolled out to the rapid release channel.
• 1.20.8-asm.56 has rolled out to the regular release channel.
• 1.19.10-asm.52 has rolled out to the stable release channel.
• CNI and MDPC version 1.20.8-asm.56 has rolled out to all release channels.

While the managed data plane automatically updates Envoy Proxies by restartingworkloads, you must manually restart any StatefulSets and Jobs.

1.25.5-asm.9 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2025-064. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.25.5-asm.9 uses Envoy v1.33.12.

1.26.5-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2025-064. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.26.5-asm.1 uses Envoy v1.34.10.

1.27.2-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2025-064. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.27.2-asm.1 uses Envoy v1.35.6.

The following images are now rolling out for managed Cloud Service Mesh:

• 1.21.6-asm.4 is rolling out to the rapid release channel.
• 1.20.8-asm.56 is rolling out to the regular release channel.
• 1.19.10-asm.52 is rolling out to the stable release channel.

CNI/managed data plane controller version 1.20.8-asm.56 is rolling out to all release channels.

These patches contain fixes for the following CVEs:

1.21.6-asm.4

1.20.8-asm.55

1.19.10-asm.52

CNI & MDPC

The promotion of1.21 to the Rapid release channel included upstream breaking changes toExternalName andauto-sni when using theISTIODimplementation. After considering the impact on customers, we have decided to restore the previous behavior from 1.20 and earlier for managed Cloud Service Mesh clusters using theISTIOD implementation to match Rapid clusters using theTRAFFIC_DIRECTOR implementation. These changes are rolling out to the Rapid release channel in version 1.21.5-asm.55 or later.

• If you are using anExternalName service in the Rapid channel without a port description, theExternalName service will not be translated intoCluster in the Envoy configuration. If theExternalName service is a destination ofVirtualService orExternalName service is used withREGISTRY_ONLY mode, you must specify the port in the service like in 1.20 and earlier.

• If you have an external service multiplexing traffic based on SNI but the correspondingDestinationRule doesn't have an explicit SNI, you mustset SNI properly.

In-cluster Cloud Service Mesh 1.24 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, seeSupported versions.

1.26.4-asm.7 is now available for in-cluster Cloud Service Mesh.

You can now download 1.26.4-asm.7 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.26.4 subject to the list ofsupported features.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh. Cloud Service Mesh version 1.26.4-asm.7 uses Envoy v1.34.8-dev.

1.25.5-asm.7 includes the fixes for the following CVEs:

1.27.1-asm.5 includes the fixes for the following CVEs:

1.27.1-asm.5 is now available for in-cluster Cloud Service Mesh.

You can now download 1.27.1-asm.5 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.27.1 subject to the list ofsupported features.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh. Cloud Service Mesh version 1.27.1-asm.5 uses Envoy v1.35.4-dev.

1.26.4-asm.7 includes the fixes for the following CVEs:

1.25.5-asm.7 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.5-asm.7 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.25.5 subject to the list ofsupported features. Cloud Service Mesh version 1.25.5-asm.7 uses envoy v1.33.10-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

You can now configure traffic routing usingCloud Service Mesh service routing APIs between Cloud Run and Cloud Run, Google Kubernetes Engine, and Google Compute Engine services. (GA).

Managed Cloud Service Mesh with a TD control plane in the Rapid release channel will start using proxy images with aninternal envoy version.

All features supported by Managed (TD) control planes are supported by this proxy. To identify which proxy version is used in a cluster, seeIdentify the proxy versions used in the cluster.

This release uses the versioncsm_istio_proxy_20250611.00_p0. More details about the proxy version can be found on theVersions page.

CNI/managed data plane controller version 1.23.6-asm.15 is rolling out to all release channels.

Support for the following features will end onMarch 17, 2027:

• GKE on AWS
• GKE on Azure
• EKS Attached Clusters on AWS
• Azure Attached Clusters with AKS

Note that there are no changes to the other features of GKE attached clusters or Google Distributed Cloud (software only or air-gapped),

You must migrate to an alternative service mesh solution or an alternative Istio-based solution using your existing CSM configuration files by March 17, 2027.

1.27.1-asm.2 is now available for in-cluster Cloud Service Mesh.

You can now download 1.27.1-asm.2 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.27.1 subject to the list ofsupported features.

The following environment variables and annotations are not supported:

• ENVOY_STATUS_PORT_ENABLE_PROXY_PROTOCOL
• PILOT_DNS_CARES_UDP_MAX_QUERIES
• PILOT_IP_AUTOALLOCATE_IPV4_PREFIX andPILOT_IP_AUTOALLOCATE_IPV6_PREFIX
• sidecar.istio.io/bootstrapOverride

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh. Cloud Service Mesh version 1.27.1-asm.2 uses Envoy v 1.35.3-dev.

The following rollouts have completed for managed Cloud Service Mesh:

• 1.21.5-asm.55 has rolled out to the rapid release channel.
• 1.20.8-asm.48 has rolled out to the regular release channel.
• 1.19.10-asm.48 has rolled out to the stable release channel.

While the managed data plane automatically updates Envoy Proxies by restarting workloads, you must manually restart any StatefulSets and Jobs.

1.25.4-asm.0 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.4-asm.0 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.25.4 subject to the list ofsupported features. Cloud Service Mesh version 1.25.4-asm.0 uses envoy v1.33.8-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.24.6-asm.12 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.6-asm.12 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.24.6 subject to the list ofsupported features. Cloud Service Mesh version 1.24.6-asm.12 uses envoy v1.33.8-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

These patches address the following CVEs:

1.26.4-asm.1 in-cluster Cloud Service Mesh already includes the fixes for these CVEs.

The managed Cloud Service Mesh rolloutspreviously announced address the following vulnerabilities. While the managed data plane automatically updates Envoy Proxies by restarting workloads, you must manually restart any StatefulSets and Jobs.

1.21.5-asm.55

1.20.8-asm.48

1.19.10-asm.48

1.26.4-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains a fix for ause-after-free (UAF) vulnerability in the DNS cache. For more information, see thesecurity bulletin.

Only clusters running in-cluster Cloud Service Mesh version 1.26 are affected. If you are running an earlier in-cluster version or managed Cloud Service Mesh, you are not affected and do not need to take any action.

For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh.

The following images are now rolling out for managed Cloud Service Mesh:

• 1.21.5-asm.55 is rolling out to the rapid release channel.
• 1.20.8-asm.48 is rolling out to the regular release channel.
• 1.19.10-asm.48 is rolling out to the stable release channel.

Advanced load balancing for managed Cloud Service Mesh (TD) now generally available (GA).

Managed Cloud Service Mesh will start using proxy versioncsm_mesh_proxy.20250623b_RC00 for Gateway API on GKE clusters. This proxy version maps closest to Envoy version 1.35. This change is rolling out to all release channels.

1.25.3-asm.11 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.3-asm.11 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.25.3 subject to the list ofsupported features. Cloud Service Mesh version 1.25.3-asm.11 uses envoy v1.33.4-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.26.0-asm.11 is now available for in-cluster Cloud Service Mesh.

You can now download 1.26.0-asm.11 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.26.0 subject to the list ofsupported features.

The following environment variables and annotations are not supported:

• ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT
• RETRY_IGNORE_PREVIOUS_HOSTS
• ENABLE_CLUSTER_TRUST_BUNDLE_API
• OMIT_EMPTY_VALUES
• PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY
• MAX_CONNECTIONS_PER_SOCKET_EVENT_LOOP with the value 1
• Referencing ConfigMaps in a DestinationRule with TLS mode set to SIMPLE mode is not supported

TheENABLE_AUTO_SNI flag is still supported to stay aligned with the legacy behavior.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh. Cloud Service Mesh version 1.26.0-asm.11 uses Envoy v1.34.2-dev.

In-cluster Cloud Service Mesh 1.23 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, seeSupported versions.

1.24.6-asm.9 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.6-asm.9 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.24.6 subject to the list ofsupported features. Cloud Service Mesh version 1.24.6-asm.9 uses envoy v1.32.7-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.23.6-asm.11 is now available for in-cluster Cloud Service Mesh.

You can now download 1.23.6-asm.11 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.23.6 subject to the list ofsupported features. Cloud Service Mesh version 1.23.6-asm.11 uses envoy v1.31.9-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.25.3-asm.8 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.3-asm.8 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.25.3 subject to the list ofsupported features. Cloud Service Mesh version 1.25.3-asm.8 uses envoy v1.33.4-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.24.6-asm.4 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.6-asm.4 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.24.6 subject to the list ofsupported features. Cloud Service Mesh version 1.24.6-asm.4 uses envoy v1.32.7-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

You can now enforce cluster-local traffic for an individual service, all services in a particular namespace, or globally for all services in the mesh. For more information, seeKeeping traffic in-cluster.

DNS Proxy feature is now available in the Rapid release channel. This feature requires sidecar version1.21.5-asm.39 or later.

This change affects clusters using both theTRAFFIC_DIRECTOR andISTIOD control plane implementations.

When using Cloud Service Mesh with Istio APIs, configuring anunsupported field or value in an Istio Custom Resources will be reflected as an error in the Mesh status API.

In some cases, the validation webhook will also reject unsupported API usage with an error message indicating the specific unsupported API. For more information, seeCommon webhook error messages. You can mitigate these issues by amending the Istio Custom Resource to remove the specified unsupported API configuration.

Isolation support to prevent cross-region overflow is now available as a preview feature forTRAFFIC_DIRECTOR implementations of Cloud Service Mesh. For more information, seeIsolation for Cloud Service Mesh.

In-cluster Cloud Service Mesh 1.22 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, seeSupported versions.

1.25.2-asm.3 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.2-asm.3 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.25.2 subject to the list ofsupported features. Cloud Service Mesh version 1.25.2-asm.3 uses envoy v1.33.1-dev..

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.23.6-asm.3 is now available for in-cluster Cloud Service Mesh.

You can now download 1.23.6-asm.3 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.23.6 subject to the list ofsupported features. Cloud Service Mesh version 1.23.6-asm.3 uses envoy v1.31.6.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.24.5-asm.3 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.5-asm.3 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.24.5 subject to the list ofsupported features. Cloud Service Mesh version 1.24.5-asm.3 uses envoy v1.32.6-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

The following images are now rolling out for managed Cloud Service Mesh:

• 1.21.5-asm.42 is rolling out to the rapid release channel.
• 1.20.8-asm.33 is rolling out to the regular release channel.
• 1.19.10-asm.33 is rolling out to the stable release channel.

A behavioral change regardinguser-provided credentials (private key and certificate) for TLS termination at ingress is now rolling out to the Rapid release channel. Subsequent announcements will appear for additional release channels.

The Kubernetes Secrets denoted byGateway.servers.port.tls.credentialName will be read by each ingress gateway pod directly instead of the Control Plane. This change enhances security because the user-provided secret is read directly by the workloads instead of passing any managed component.

This change is compatible with previous behavior aside from the propagation speed of the updated secrets. Previously, updated secrets would propagate immediately. Now, updated secrets will propagate within 60 minutes. If you need immediate secret rotation, restart the gateway pods.

Each gateway pod reads Kubernetes secrets, so the number of the gateway pods becomes a scalability factor. We recommend the following maximum number of gateway pods:

• If the GKE cluster is regional, 1500 or fewer pods
• If the GKE cluster is zonal or using autopilot, 500 or fewer pods

If this change in behavior doesn't work for you, consider using thedeployment with mounted credentials.

This change only affects clusters using Traffic Director and version 1.21.5-asm.42 or later.

In-cluster Cloud Service Mesh 1.21 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, seeSupported versions.

New troubleshooting tools for your service mesh are now available. You can get detailed error codes for your Istio resources and check the state of your mesh to identify and resolve configuration problems. Learn more aboutResolving configuration issues andUnderstanding Feature State Conditions.

1.25.0-asm.8 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.0-asm.8 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.25.0 subject to the list ofsupported features.

The following environment variables are not supported:

• PILOT_MX_ADDITIONAL_LABELS
• PILOT_DNS_CARES_UDP_MAX_QUERIES
• PILOT_DNS_JITTER_DURATION
• PILOT_SEND_UNHEALTHY_ENDPOINTS

The following annotations are not supported:

• networking.istio.io/traffic-distribution
• istio.io/reroute-virtual-interfaces

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh. Cloud Service Mesh version 1.25.0-asm.8 uses Envoy v1.33.1-dev.

There is aknown issue where all gateway CRs will see a downtime for status updates when upgrading from 1.24.3 to 1.25.x .

1.22.8-asm.5 is now available for in-cluster Cloud Service Mesh.

You can now download 1.22.8-asm.5 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.22.8 subject to the list ofsupported features. Cloud Service Mesh version 1.22.8-asm.5 uses envoy v1.30.10-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.21.5-asm.34 is now available for in-cluster Cloud Service Mesh.

You can now download 1.21.5-asm.34 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.21.5 subject to the list ofsupported features. Cloud Service Mesh version 1.21.5-asm.34 uses envoy v1.29.12-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.24.3-asm.6 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.3-asm.6 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.24.3 subject to the list ofsupported features. Cloud Service Mesh version 1.24.3-asm.6 uses envoy v1.32.4-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.23.5-asm.3 is now available for in-cluster Cloud Service Mesh.

You can now download 1.23.5-asm.3 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.23.5 subject to the list ofsupported features. Cloud Service Mesh version 1.23.5-asm.3 uses envoy v1.31.6-dev.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

Cloud Service Mesh now supports dual-stack, extending IPv6 capability to both proxy-based Envoy and proxyless gRPC. For more information, seeConfigure IPv6 dual-stack for Cloud Service Mesh.

If you use the managed Cloud Service Mesh with theISTIOD control plane implementation, important changes have been made to how and when you'll receive notifications of upcoming modernization. For details, seeManaged control plane modernization.

You can now usecustom constraints with Organization Policy to provide more granular control over specific fields for some networksecurity and networkservices resources.

The rollout of managed Cloud Service Mesh version 1.20 to the rapid channel has completed.

Managed Cloud Service Mesh with the Traffic Director control plane now supportsconfiguring the network topology to useX-Forwarded-For andX-Forwarded-Client-Cert headers by MeshConfig or annotations of workloads.

If you're a user of managed Cloud Service Mesh with theISTIOD control plane implementation, you can now fine-tune your control plane modernization. See theManaged control plane modernization page for details.

Managed Cloud Service Mesh 1.20 isrolling out to the rapid channel.

Managed Cloud Service Mesh starts using Envoy.1.33 for Gateway API on GKE clusters with rapid channel.

A new version of the data plane for Gateway API is now generally available (GA) as a part of managed Cloud Service Mesh for clusters on GKE Rapid channel. The managed data plane helps you to trigger upgrades for data plane proxies. For more information seeData plan management considerations .

1.24.2-asm.1 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.2-asm.1 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.24.2 subject to the list ofsupported features.

• Istio's dual-stack is not supported
• Istio's experimental feature to enable lazy subset creation of envoy statistics is not supported.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh. Cloud Service Mesh version 1.24.2-asm.1 uses Envoy v1.32.3.

1.23.4-asm.7 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for a bug in envoy config where opencensus.proto.trace.v1.TraceConfig has been disabled by default and an issue causing VirtualService header name validation to reject valid header names.

This patch release also contains the fix for a security vulnerability wherean attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing.

For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.23.4-asm.7 uses Envoy v1.31.5.

1.22.7-asm.4 is now available for in-cluster Cloud Service Mesh.

This patch release contains the fix for a security vulnerability wherean attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.Cloud Service Mesh version 1.22.7-asm.4 uses envoy v1.30.9.

1.21.5-asm.21 is now available for in-cluster Cloud Service Mesh.

This patch release contains a fix for a bug wheremixed case hosts in Gateway and TLS redirect results in stale RDS.

This patch release also contains the fix for a security vulnerability wherean attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing.

For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.21.5-asm.21 uses Envoy v1.29.12.

The CVE fix forGCP-2024-065 has rolled out to all channels.

Advanced load balancing for managed Cloud Service Mesh (TD) is now available in preview.

1.22.7-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2024-065. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.22.7-asm.1 uses Envoy v1.30.9.

Upgrading the gRPC client may cause excessive streams to Traffic Director. Be cautious and do a gradual upgrade when upgrading to the following versions:

• gRPC Java 1.67.1
• gPRC Go 1.66
• gRPC C++ 1.63

1.23.4-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2024-065. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.23.4-asm.1 uses Envoy v1.31.5.

1.21.5-asm.17 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2024-065. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.21.5-asm.17 uses Envoy v1.29.12.

Routing traffic between Cloud Service Mesh workloads and Cloud Run Services is now available in preview. For more information, see the following pages:

• Route traffic from Cloud Service Mesh workloads to Cloud Run Services
• Route traffic from Cloud Run Services to Cloud Service Mesh workloads on GKE
• Migrate Istio ServiceEntry to GCPBackend for Cloud Run

Single Cluster Gateway for Mesh is now generally available. For more information, seePrepare to setup the Gateway API for Cloud Service Mesh.

As part of thePer-cluster entitlement to GKE Enterprise, a GKE cluster needs to have itscluster_tier set toENTERPRISE in order for that cluster to be considered GKE Enterprise.

Existing clusters and new clusters can followUpdate an existing cluster's tier andEnroll a new cluster respectively to make a cluster enterprise.

Clusters created or registered before November 2024 that use GKE Enterprise as part of their fleet membership are automatically enterprise-tier clusters. This is a billing announcement only, Cloud Service Mesh features don't change.

The rollout of managed Cloud Service Mesh version 1.19 to all channels has completed.

In-cluster Cloud Service Mesh 1.20 is no longer supported. For more information, seeSupported versions.

1.23.3-asm.2 is now available for in-cluster Cloud Service Mesh.

You can now download 1.23.3-asm.2 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.23.3 subject to the list ofsupported features. Cloud Service Mesh version 1.23.3-asm.2 uses envoy v1.31.2.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.22.6-asm.2 is now available for in-cluster Cloud Service Mesh.

You can now download 1.22.6-asm.2 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.22.6 subject to the list ofsupported features. Cloud Service Mesh version 1.22.6-asm.2 uses envoy v1.30.6.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.20.8-asm.10 is now available for in-cluster Cloud Service Mesh.

1.20 is no longer supported. While the fix for the bug in the distroless proxy container has been backported to 1.20, you should upgrade to 1.21 or later.

You can now download 1.20.8-asm.10 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.20.8 subject to the list ofsupported features. Cloud Service Mesh version 1.20.8-asm.10 uses envoy v1.28.6.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

This release fixes a bug in the distroless proxy container. Before this fix, the distroless proxyproduced errors similar to the following when deployed in a Kubernetes cluster with in-clustercontrol plane that did not have Container Network Interface (CNI) installed.

xtables resource problem: can't open lock file /run/xtables.lock: No such file or directory

This fix applies to the following new versions:

• 1.20.8-asm.10
• 1.21.5-asm.12
• 1.22.6-asm.2
• 1.23.3-asm.2

1.21.5-asm.12 is now available for in-cluster Cloud Service Mesh.

You can now download 1.21.5-asm.12 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.21.5 subject to the list ofsupported features. Cloud Service Mesh version 1.21.5-asm.12 uses envoy v1.29.8.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

The following images are now rolling out for managed Cloud Service Mesh:

• 1.19.10-asm.21 is rolling out to the rapid release channel.
• 1.19.10-asm.21 is rolling out to the regular release channel.
• 1.19.10-asm.21 is rolling out to the stable release channel.

1.23.3-asm.1 is now available for in-cluster Cloud Service Mesh.

You can now download 1.23.3-asm.1 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.23.3 subject to the list ofsupported features. Cloud Service Mesh version 1.23.3-asm.1 uses envoy v1.31.2.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

Patches fixing a bug where the default user for distroless proxy was changed to root will be rolling out to all release channels. As a result of this fix, the default user is changing back to non-root. When you see the release note notifying that this rollout is complete, you must restart each affected workload to make the change effective.

1.21.5-asm.10 is now available for in-cluster Cloud Service Mesh.

You can now download 1.21.5-asm.10 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.21.5 subject to the list ofsupported features. Cloud Service Mesh version 1.21.5-asm.10 uses envoy v1.29.8.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

This release fixes a bug in the following versions where the default user for distroless proxy was changed to root; As a result of this fix, the default user is now back to non-root

• 1.20.8-asm.6
• 1.20.8-asm.7
• 1.21.5-asm.5
• 1.21.5-asm.7
• 1.22.3-asm.1
• 1.22.4-asm.0
• 1.22.5-asm.1

This change may affect some gateway deployments which rely on the root user to expose a privileged port for ingress or egress. To ensure your gateways continue to work correctly, you may need to apply additional security contexts to your deployments. For details, see thetroubleshooting guide.

1.20.8-asm.9 is now available for in-cluster Cloud Service Mesh.

You can now download 1.20.8-asm.9 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.20.8 subject to the list ofsupported features. Cloud Service Mesh version 1.20.8-asm.9 uses envoy v1.28.6.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

1.22.6-asm.1 is now available for in-cluster Cloud Service Mesh.

You can now download 1.22.6-asm.1 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.22.6 subject to the list ofsupported features. Cloud Service Mesh version 1.22.6-asm.1 uses envoy v1.30.6.

For details on upgrading Cloud Service Mesh, seeUpgrade Cloud Service Mesh.

The rollout of managed Cloud Service Mesh version 1.19 to the stable channel has completed.

In future releases, managed Cloud Service Mesh will use theGKE release channel to determine the data plane component and Istio API versions. For more information, seeProvision managed Cloud Service Mesh Requirements.

The following images are now rolling out for managed Cloud Service Mesh:

• 1.19.10-asm.19 is rolling out to the rapid release channel.
• 1.19.10-asm.19 is rolling out to the regular release channel.
• 1.19.10-asm.19 is rolling out to the stable release channel.

1.19.10-asm.19 contains the fixes for the security vulnerabilities listed inGCP-2024-052 and uses Envoy v1.27.7.

A known issue with asmcli for 1.23 is now fixed. Customers might have seen the following error when attempting to install in-cluster Cloud Service Mesh 1.23:

asmcli:DownloadingASM..gzip:stdin:notingzipformattar:Childreturnedstatus1tar:Errorisnotrecoverable:exitingnow

A new version of asmcli with the fix has released.

1.21.5-asm.7 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2024-052. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.21.5-asm.7 uses Envoy v1.29.8.

1.20.8-asm.7 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2024-052. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.20.8-asm.7 uses Envoy v1.28.6.

1.23.2-asm.2 is now available for in-cluster Cloud Service Mesh.

You can now download 1.23.2-asm.2 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.23.2 subject to the list ofsupported features.

• Istio'sdeferred cluster creation is not supported.

• Istio'soutlier log path configuration in mesh proxy config is not supported.

• Istio'scredentialName field in the DestinationRule API is not supported.

Cloud Service Mesh 1.23.2-asm.2 uses Envoy v1.31.1.

This release contains the fix for the security vulnerability listed inGCP-2024-052.

Managed Cloud Service Mesh 1.23 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout.

1.22.5-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed inGCP-2024-052. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.22.5-asm.1 uses Envoy v1.30.5.

Cloud Service Mesh with a Traffic Director control plane implementation isstill incompatible withEnvoy version v1.31.0.

If you manually control your Envoy version, do not upgrade to v1.31.0 as there is an existing issue with connecting to the Traffic Director API. Instead, upgrade toEnvoy version1.31.1 where this issue is fixed, or setGRPC_DNS_RESOLVER=native for v1.31.0 as a workaround.

If you do not manually control your Envoy version, you don't have to do anything. Google's data plane management will not select an incompatible version for you.

The onboarding path for Managed Cloud Service Mesh with asmcli is deprecated as of August 22, 2024, and support will end in February 2025. This change affects only Google Cloud clusters. Any off-Google Cloud clusters will continue to use asmcli.

To ensure this transition is as smooth as possible, use thegcloud or Cloud Console onboarding paths when creating new clusters before February 2025.

For clusters with existing Cloud Service Mesh deployments, no immediate action is required from you and those deployments remain fully supported.

1.22.4-asm.0 is now available for in-cluster Cloud Service Mesh.

You can now download 1.22.4-asm.0 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.22.4 subject to the list ofsupported features. Cloud Service Mesh 1.22.4-asm.0 uses Envoy v1.30.4.

1.20.8-asm.6 is now available for in-cluster Cloud Service Mesh.

You can now download 1.20.8-asm.6 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.20.8 subject to the list ofsupported features. Cloud Service Mesh 1.20.8-asm.6 uses Envoy v1.28.5.

1.21.5-asm.5 is now available for in-cluster Cloud Service Mesh.

You can now download 1.21.5-asm.5 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.21.5 subject to the list ofsupported features. Cloud Service Mesh 1.21.5-asm.5 uses Envoy v1.29.7.

Configuring Cloud Service Mesh for either proxyless gRPC or Envoy proxy deployments with the KubernetesGateway API is now available as a preview feature. For more information see, theOverview page.

Updated August 8, 2024

Cloud Service Mesh with a Traffic Director control plane implementation is incompatible withEnvoy version v1.31.0.

If you manually control your Envoy version, do not upgrade to this version as there is an existingissue with connecting to Traffic Director. If you run into issues with v1.31.0, setGRPC_DNS_RESOLVER=native.

If you do not manually control your Envoy version, you don't have to do anything. Google's data plane management will not select this version for you.

1.22.3-asm.1 is now available for in-cluster Cloud Service Mesh.

You can now download 1.22.3-asm.1 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.22.3 subject to the list ofsupported features.

• Path templating in Authorization Policy is not supported.
• Istio's Ambient mode is not supported.
• Kubernetes Gateway API for mesh is not supported. Gateway API for ingress continues to be supported in public preview. For more information, seeKubernetes Gateway API (preview) supported features.

Cloud Service Mesh 1.22.3-asm.1 uses Envoy v1.30.3.

1.22 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout.

1.20.8-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains the fix for an Envoy bug where theadditional cookie attributes are not properly sent to clients. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.20.8-asm.1 uses Envoy v1.28.5.

1.21.4-asm.5 is now available for in-cluster Cloud Service Mesh.

This patch release contains the fix for an Envoy bug where theadditional cookie attributes are not properly sent to clients. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.21.4-asm.5 uses Envoy v1.29.7.

1.19.10-asm.9 is now available for in-cluster Cloud Service Mesh.

This patch release contains the fix for an Envoy bug where theadditional cookie attributes are not properly sent to clients. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.19.10-asm.9 uses Envoy v1.27.7.

New fleets that provision managed Cloud Service Mesh in organizations that have existing fleets with the managedistiod control plane implementation will receive the Traffic Director control plane implementation by default.

If you received a Service Announcement, or requested an exception from your account team, then your organization's default control plane implementation for new fleets continues to beistiod.

1.21.4-asm.0 is now available for in-cluster Cloud Service Mesh.

This patch release contains the fix for a security vulnerability where theDatadog tracer does not handle trace headers with unicode characters. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.21.4-asm.0 uses Envoy v1.29.6.

1.20.7-asm.2 is now available for in-cluster Cloud Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2024-032. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.20.7-asm.2 uses Envoy v1.28.4.

1.21.3-asm.3 is now available for in-cluster Cloud Service Mesh.

You can now download 1.21.3-asm.3 for in-cluster Cloud Service Mesh. It includes the features ofIstio 1.21.3 subject to the list ofsupported features. Cloud Service Mesh 1.21.3-asm.3 uses Envoy v1.29.5.

This release contains the fixes for the security vulnerabilities listed inGCP-2024-032.

1.21 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout.

1.18.7-asm.26 is now available for in-cluster Cloud Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2024-032. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.18.7-asm.26 uses Envoy v1.26.8.

1.19.10-asm.6 is now available for in-cluster Cloud Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2024-032. For details on upgrading Cloud Service Mesh, refer toUpgrade Cloud Service Mesh. Cloud Service Mesh v1.19.10-asm.6 uses Envoy v1.27.6.

The following 3 changes break backwards compatibility in 1.21.

1. The default value of the feature flagENABLE_AUTO_SNI haschanged from false to true. To opt out, set the environment variable toENABLE_AUTO_SNI=false.

2. The default value of the feature flagVERIFY_CERT_AT_CLIENTchanged from false to true. To opt out, set the environment variable toVERIFY_CERT_AT_CLIENT=false.

3. There are additional changes inexternal name support. To opt out, set the environment variableENABLE_EXTERNAL_NAME_ALIAS=false.

Note that opting out is only possible for in-cluster installations. If you do opt out, you must restore the default values before upgrading to 1.22.

If you're using the Istio APIs with the Traffic Director control plane implementation, disabling multi-cluster load balancing is not supported.

Anthos Service Mesh and Traffic Director have converged into a single, unified product: Cloud Service Mesh. Cloud Service Mesh brings together features from both products:

• A fully managed, global, multi-tenant control plane
• Managed data plane and telemetry for Google Cloud
• A choice of APIs
  • Open APIs, Istio & Gateway for Kubernetes Engine
  • Service Routing APIs for Compute Engine and Kubernetes Engine
• Support for Kubernetes clusters on-prem and on other public clouds

For more information see theCloud Service Mesh overview.

1.19.10-asm.0 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2024-023. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh. Anthos Service Mesh v1.19.10-asm.0 uses Envoy v1.27.5.

1.18.7-asm.21 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2024-023. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh. Anthos Service Mesh v1.18.7-asm.21 uses Envoy v1.26.8.

1.20.6-asm.0 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2024-022. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh. Anthos Service Mesh v1.20.6-asm.0 uses Envoy v1.28.3.

The rollout of managed Anthos Service Mesh version 1.17 to the stable channelhas completed.

1.18.7-asm.11 is now available for in-cluster Anthos Service Mesh.

You can now download 1.18.7-asm.11 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.18.7-asm.11 subject to the list ofsupported features. Anthos Service Mesh 1.18.7-asm.11 uses Envoy v1.26.7.

1.20.4-asm.0 is now available for in-cluster Anthos Service Mesh.

You can now download 1.20.4-asm.0 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.20.4 subject to the list ofsupported features. Anthos Service Mesh 1.20.4-asm.0 uses Envoy v1.28.1.

There is a known issue where new installations of Managed Anthos Service Mesh in the rapid channel on GKE Autopilot clusters may fail. For affected versions and mitigation, see theGKE release note.

1.19.8-asm.2 is now available for in-cluster Anthos Service Mesh.

You can now download 1.19.8-asm.2 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.19.8 subject to the list ofsupported features. Anthos Service Mesh 1.19.8-asm.2 uses Envoy v1.27.3.

Managed Anthos Service Mesh 1.18 has completed its rollout in the rapid channel. SeeManaged Anthos Service Mesh release channels for more information.

1.17.8-asm.20 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2024-007. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

While these CVE fixes have been backported to 1.17, you should upgrade to a supported version, 1.18 or later.

1.20.3-asm.4 is now available for in-cluster Anthos Service Mesh.

You can now download 1.20.3-asm.4 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.20.3 subject to the list ofsupported features. Anthos Service Mesh 1.20.3-asm.4 uses Envoy v1.28.1.

This release contains the fix for the security vulnerability listed inGCP-2024-007.

After upgrading Anthos Service Mesh to version 1.20.3 for off-Google Cloud clusters, make sure to restart all Pods in order to trigger the re-injection of sidecars. Otherwise, the Anthos Service Mesh metric reports might become inconsistent between the old and new proxies in the cluster.

Managed Anthos Service Mesh 1.20 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout. SeeSelect a managed Anthos Service Mesh release channel for more information.

Google has ended support for in-cluster Anthos Service Mesh 1.17 following the official policy. Managed Anthos Service Mesh will continue to support 1.17 until 1.18 is promoted to the regular and stable channels. For more information, seeSupported versions.

1.19.7-asm.3 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2024-007. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.18.7-asm.4 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2024-007. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

In February 2024, Managed Anthos Service Mesh will begin creating new Google Cloud backend resources that relate to upcoming control plane enhancements. These resources will have no impact on your traffic. The resources include but are not limited to the following:

• HealthChecks
• Gateways
• Meshes
• HTTPRoutes
• TCPRoutes
• TLSRoutes
• TrafficPolicies
• EndpointPolicies
• ServerTLSPolicies
• ClientTLSPolicies
• HTTPFilters
• TCPFilters
• ServiceLbPolicies

Managed Anthos Service Mesh 1.17is rolling out in the stable channel. SeeManaged Anthos Service Mesh release channels for more information.

1.19.6-asm.2 is now available for in-cluster Anthos Service Mesh.

You can now download 1.19.6-asm.2 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.19.6 subject to the list ofsupported features. Anthos Service Mesh 1.19.6-asm.2 uses Envoy v1.27.3.

1.18.7-asm.0 is now available for in-cluster Anthos Service Mesh.

You can now download 1.18.7-asm.0 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.18.7 subject to the list ofsupported features. Anthos Service Mesh 1.18.7-asm.0 uses Envoy v1.26.7.

1.17.8-asm.12 is now available for in-cluster Anthos Service Mesh.

You can now download 1.17.8-asm.12 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.17.8 subject to the list ofsupported features. Anthos Service Mesh 1.17.8-asm.12 uses Envoy v1.25.12.

Managed Anthos Service Mesh 1.17is rolling out in the regular channel. SeeManaged Anthos Service Mesh release channels for more information.

1.19.5-asm.4 is now available for in-cluster Anthos Service Mesh.

You can now download 1.19.5-asm.4 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.19.5 subject to the list ofsupported features. Anthos Service Mesh 1.19.5-asm.4 uses Envoy v1.27.3.

1.18.6-asm.2 is now available for in-cluster Anthos Service Mesh.

You can now download 1.18.6-asm.2 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.18.6 subject to the list ofsupported features. Anthos Service Mesh 1.18.6-asm.2 uses Envoy v1.26.7.

1.17.8-asm.8 is now available for in-cluster Anthos Service Mesh.

You can now download 1.17.8-asm.8 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.17.8 subject to the list ofsupported features. Anthos Service Mesh 1.17.8-asm.8 uses Envoy v1.25.12.

Google has ended support for in-cluster Anthos Service Mesh 1.16 following the official policy. Managed Anthos Service Mesh will continue to support 1.16 in the regular and stable channels until 1.17 is promoted to the regular and stable channels. For more information, seeSupported versions.

Theasmcli --channel option is no longer supported and your managed Anthos Service Mesh release channel is determined based on your cluster's Google Kubernetes Engine (GKE) release channel. However, using theasmcli --channel option will not break your configuration. Additionally, selecting a different managed Anthos Service Mesh release channel is no longer supported. If the cluster is using static versioning, then managed Anthos Service Mesh will default to the regular channel. For more information, seeManaged Anthos Service Mesh release channels.

Managed Anthos Service Mesh 1.18is rolling out in the rapid channel. SeeManaged Anthos Service Mesh release channels for more information.

If you use Gateway API Automated Deployment, note the following breaking change. With Anthos Service Mesh v1.18 rolled out to the rapid channel, upgrading gateways no longer requires restarting the Pods to trigger a re-injection. Instead, gateways are updated, via a rolling restart, when their revision changes. For more information, seeIstio's release note.

The rollout of managed Anthos Service Mesh version 1.17 to the rapid channelhas completed. Additionally, the rollout of managed Anthos Service Mesh version 1.16 to the stable channelhas completed.

SeeSelect a managed Anthos Service Mesh release channel for more information.

If you use Gateway API Automated Deployment, note the following upcoming change. When Anthos Service Mesh v1.18 is rolled out to the rapid channel, upgrading gateways will no longer require restarting the Pods to trigger a re-injection. Instead, gateways will be updated, via a rolling restart, when their revision changes. For more information, seeIstio's release note.

1.18.5-asm.2 is now available for in-cluster Anthos Service Mesh.

You can now download 1.18.5-asm.2 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.18.5 subject to the list ofsupported features. Anthos Service Mesh 1.18.5-asm.2 uses Envoy v1.26.5.

1.17.8-asm.4 is now available for in-cluster Anthos Service Mesh.

You can now download 1.17.8-asm.4 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.17.8 subject to the list ofsupported features. Anthos Service Mesh 1.17.8-asm.4 uses Envoy v1.25.12.

1.19.3-asm.4 is now available for in-cluster Anthos Service Mesh.

You can now download 1.19.3-asm.4 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.19.3 subject to the list ofsupported features. Anthos Service Mesh 1.19.3-asm.4 uses Envoy v1.27.2.

1.16.7-asm.14 is now available for in-cluster Anthos Service Mesh.

You can now download 1.16.7-asm.14 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.16.7 subject to the list ofsupported features. Anthos Service Mesh 1.16.7-asm.14 uses Envoy v1.24.11.

1.19.3-asm.0 is now available for in-cluster Anthos Service Mesh.

You can now download 1.19.3-asm.0 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.19.3 subject to the list ofsupported features. Anthos Service Mesh 1.19.3-asm.0 uses Envoy v1.27.1.

After upgrading Anthos Service Mesh to version 1.19.3 for off-Google Cloud clusters, make sure to restart all Pods in order to trigger the re-injection of sidecars. Otherwise, the Anthos Service Mesh metric reports might become inconsistent between the old and new proxies in the cluster.

Managed Anthos Service Mesh 1.19 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout. SeeSelect a managed Anthos Service Mesh release channel for more information.

Managed Anthos Service Mesh 1.17is rolling out in the rapid channel.

Additionally, the rollout of managed Anthos Service Mesh version 1.16 to the regular channelhas completed.

SeeSelect a managed Anthos Service Mesh release channel for more information.

1.17.7-asm.0 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2023-031 For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.18.4-asm.0 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2023-031 For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.16.7-asm.10 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2023-031 For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.16.7-asm.7 is now available for in-cluster Anthos Service Mesh.

You can now download 1.16.7-asm.7 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.16.7 subject to the list ofsupported features. Anthos Service Mesh 1.16.7-asm.7 uses Envoy v1.24.9.

1.18.2-asm.4 is now available for in-cluster Anthos Service Mesh.

You can now download 1.18.2-asm.4 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.18.2 subject to the list ofsupported features. Anthos Service Mesh 1.18.2-asm.4 uses Envoy v1.26.5.

1.17.5-asm.9 is now available for in-cluster Anthos Service Mesh.

You can now download 1.17.5-asm.9 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.17.5 subject to the list ofsupported features. Anthos Service Mesh 1.17.5-asm.9 uses Envoy v1.25.8.

Managed Anthos Service Mesh 1.16is rolling out in the stable channel. SeeManaged Anthos Service Mesh release channels for more information.

Anthos Service Mesh will begin creatingNetwork Endpoint Groups (NEGs) for all services. This rollout will proceed gradually over a period of several months, starting with the rapid channel. You may notice the following annotations on each of your services:cloud.google.com/neg andcloud.google.com/neg-status.

You can view NEGs with the following command:gcloud compute network-endpoint-groups list.

The rollout of managed Anthos Service Mesh version 1.15 to the stable channel has completed.

SeeSelect a managed Anthos Service Mesh release channel for more information.

1.18.2-asm.0 is now available for in-cluster Anthos Service Mesh.

You can now download 1.18.2-asm.0 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.18.2 subject to the list ofsupported features. Anthos Service Mesh 1.18.2-asm.0 uses Envoy v1.26.5.

Managed Anthos Service Mesh 1.18 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout. SeeSelect a managed Anthos Service Mesh release channel for more information.

Google has ended support for in-cluster Anthos Service Mesh 1.15 following the official policy. Managed Anthos Service Mesh will continue to support 1.15 in the stable channel until 1.16 is promoted to the stable channel. For more information, seeSupported versions.

Anthos Service Mesh now supports setting up a mesh containing multiple Anthos clusters on AWS. For more information, seeSet up a multi-cluster mesh outside Google Cloud.

Updated:2023-07-26

1.16.7-asm.0 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2023-021 For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

Updated:2023-07-26

1.17.5-asm.0 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2023-021 For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

Updated:2023-07-26

1.15.7-asm.23 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2023-021 For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.17.4-asm.2 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2023-019 For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.16.6-asm.3 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2023-019 For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.15.7-asm.21 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fix for the security vulnerability listed inGCP-2023-019 For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.17.3-asm.1 is now available for in-cluster Anthos Service Mesh.

You can now download 1.17.3-asm.1 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.17.3 subject to the list ofsupported features. Anthos Service Mesh 1.17.3-asm.1 uses Envoy v1.25.7.

1.16.5-asm.2 is now available for in-cluster Anthos Service Mesh.

You can now download 1.16.5-asm.2 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.16.5 subject to the list ofsupported features. Anthos Service Mesh 1.16.5-asm.2 uses Envoy v1.24.8.

1.15.7-asm.16 is now available for in-cluster Anthos Service Mesh.

You can now download 1.15.7-asm.16 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.15.7 subject to the list ofsupported features. Anthos Service Mesh 1.15.7-asm.16 uses Envoy v1.23.7.

The following imagesare now rolling out for managed Anthos Service Mesh:

• The image for 1.16.4-asm.14 is rolling out to theregular release channel
• The image for 1.15.7-asm.14 is rolling out to thestable release channel

SeeSelect a managed Anthos Service Mesh release channel for more information.

1.16.4-asm.14 is now available for in-cluster Anthos Service Mesh.

You can now download 1.16.4-asm.14 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.16.4 subject to the list ofsupported features. Anthos Service Mesh 1.16.4-asm.14 uses Envoy v1.24.8.

Three images that contain a fix for FIPS compliance have successfully rolled out for managed Anthos Service Mesh:

• The image for 1.16.4-asm.8 is in therapid release channel
• The image for 1.15.7-asm.8 is in theregular release channel
• The image for 1.14.6-asm.16 is in thestable release channel

SeeSelect a managed Anthos Service Mesh release channel for more information.

The managed data plane is enabled on by default in the regular and rapid channels. To disable the managed data plane, follow the steps inDisable the managed data plane

Three images for managed Anthos Service Mesh are now rolling out and contain a fix for FIPS compliance:

• The image for 1.16.4-asm.8 is rolling out in therapid release channel
• The image for 1.15.7-asm.8 is rolling out in theregular release channel
• The image for 1.14.6-asm.16 is rolling out in thestable release channel

SeeSelect a managed Anthos Service Mesh release channel for more information.

1.15.7-asm.8 is now available for in-cluster Anthos Service Mesh.

Fixes build issues to achieve FIPS compliance. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.17.2-asm.8 is now available for in-cluster Anthos Service Mesh.

Fixes build issues to achieve FIPS compliance. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.16.4-asm.8 is now available for in-cluster Anthos Service Mesh.

Fixes build issues to achieve FIPS compliance. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.14.6-asm.11 is now available for managed Anthos Service Mesh.

The image for 1.14.6-asm.11 has rolled out in the stable release channel for managed Anthos Service Mesh. SeeSelect a managed Anthos Service Mesh release channel for more information.

In-cluster Anthos Service Mesh 1.14 is no longer supported. For more information, seeSupported versions.

1.15.7-asm.1 is now available for managed Anthos Service Mesh.

The image for 1.15.7-asm.1 has rolled out in the regular release channel for managed Anthos Service Mesh. SeeSelect a managed Anthos Service Mesh release channel for more information.

The Service dashboard now displays telemetry from external mesh services that have a canonical service label in the regular release channel. SeeDefining a Canonical Service for more information.

Enablingmesh.googleapis.com automatically enablestrafficdirector.googleapis.com,networkservices.googleapis.com, andnetworksecurity.googleapis.com. These APIs are required for managed Anthos Service Mesh. However, you can safely disable them on a project or fleet that has no managed Anthos Service Mesh clusters.

1.17.2-asm.1 is now available for in-cluster Anthos Service Mesh.

You can now download 1.17.2-asm.1 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.17.1 subject to the list ofsupported features. Anthos Service Mesh 1.17.2-asm.1 uses Envoy v1.25.2.

Managed Anthos Service Mesh 1.17 is rolling out to the rapid release channel soon. You can periodically check this page for the announcement of the rollout of managed Anthos Service Mesh to the rapid channel. SeeSelect a managed Anthos Service Mesh release channel for more information.

The Envoy projects recently disclosed a series of CVEs that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. The fixes for these CVEs are already included in 1.17.2-asm.1. For more information, see thesecurity bulletin.

1.16.4-asm.2 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2023-002. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.14.6-asm.11 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2023-002 For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.15.7-asm.1 is now available for in-cluster Anthos Service Mesh.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2023-002. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

Anthos Service Mesh now supports multi-cluster, multi-network meshes on Anthos clusters on Azure. SeeInstall Anthos Service Mesh for more information.

Theasmcli flag--option vm used by the now deprecated Compute Engine virtual machine feature has been removed.

Anthos clusters on AWS (previous generation) is deprecated as of April 1, 2023. Therefore, Anthos Service Mesh no longer supports Anthos clusters on AWS (previous generation). For more information, see thedeprecation announcement.

Thecontrol_plane field in the service mesh fleet feature API (for example,gcloud container fleet mesh update --control-plane ...) is deprecated. Instead, use themanagement field. For more information, seeProvision managed Anthos Service Mesh.

In April 2023, enablingmesh.googleapis.com will automatically enabletrafficdirector.googleapis.com,networkservices.googleapis.com, andnetworksecurity.googleapis.com. These APIs will be required for managed Anthos Service Mesh. You will be able to safely disable them on a project or fleet that has no managed Anthos Service Mesh clusters.

Configuring Certificate Authority connectivity through a HTTP CONNECT-based proxy is now generally available (GA). For more information, seeConfigure Certificate Authority connectivity through a proxy.

In Anthos Service Mesh versions 1.9 and earlier, the server-side minimum TLS version for Anthos Service Mesh workloads was 1.0. In Anthos Service Mesh versions 1.10 and later, the server-side minimum TLS version for Anthos Service Mesh workloads is configured to be 1.2 to improve TLS security. For better security, Anthos Service Mesh does not support configuring the minimum workload TLS version to be lower than 1.2.

With Envoy versions 1.22 and later, the default minimal TLS version for servers changed from 1.0 to 1.2. Therefore, for Anthos Service Mesh version 1.14 and later, the default minimum TLS version for gateway servers is 1.2. If you need to configure the minimal TLS version on an Anthos Service Mesh gateway server to be lower than 1.2, then you can configure theminProtocolVersion parameter.

Anthos clusters on AWS (previous generation) will be deprecated as of April 1, 2023. Therefore, Anthos Service Mesh will not support Anthos clusters on AWS (previous generation) starting April 1, 2023. For more information, see thedeprecation announcement.

1.14.6-asm.9 is now available for in-cluster Anthos Service Mesh.

You can now download 1.14.6-asm.9 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.14.6 subject to the list ofsupported features.

1.15.5-asm.2 is now available for in-cluster Anthos Service Mesh.

You can now download 1.15.5-asm.2 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.15.5 subject to the list ofsupported features.

1.16.2-asm.2 is now available for in-cluster Anthos Service Mesh.

You can now download 1.16.2-asm.2 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.16.2 subject to the list ofsupported features.

Managed Anthos Service Mesh 1.16 isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of managed Anthos Service Mesh to the rapid channel. SeeSelect a managed Anthos Service Mesh release channel for more information.

Anthos Service Mesh 1.13 is no longer supported. For more information, seeSupported versions.

Anthos Service Mesh now supports Mesh CA on allsupported platforms.

Anthos Service Mesh now supports multi-cluster meshes on Amazon EKS and Microsoft AKS. SeeInstall Anthos Service Mesh andSet up a multi-cluster mesh outside Google Cloud for more information.

Anthos Service Mesh now supportsAnthos Clusters on Azure as a preview feature.

1.15.4-asm.4 is now available for in-cluster Anthos Service Mesh.

You can now download 1.15.4-asm.4 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.15.4 subject to the list ofsupported features.

1.13.9-asm.10 is now available for in-cluster Anthos Service Mesh.

You can now download 1.13.9-asm.10 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.13.9 subject to the list ofsupported features.

1.14.6-asm.4 is now available for in-cluster Anthos Service Mesh.

You can now download 1.14.6-asm.4 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.14.6 subject to the list ofsupported features.

1.15.4-asm.2 is now available for in-cluster Anthos Service Mesh.

You can now download 1.15.4-asm.2 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.15.4 subject to the list ofsupported features.

1.13.9-asm.9 is now available for in-cluster Anthos Service Mesh.

You can now download 1.13.9-asm.9 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.13.9 subject to the list ofsupported features.

Service mesh cloud gateway is now available as a preview feature for managed Anthos Service Mesh in the rapid release channel. With service mesh cloud gateway, you can configure Anthos Service Mesh ingress gateway with Cloud Load Balancing through the Kubernetes Gateway API. For more information, seeConfigure external HTTP(S) Load Balancing for managed Anthos Service Mesh.

1.15.3-asm.6 is now available for in-cluster Anthos Service Mesh.

You can now download 1.15.3-asm.6 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.15.3 subject to the list ofsupported features.

1.14.5-asm.8 is now available for in-cluster Anthos Service Mesh.

You can now download 1.14.5-asm.8 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.14.5 subject to the list ofsupported features.

1.13.9-asm.3 is now available for in-cluster Anthos Service Mesh.

You can now download 1.13.9-asm.3 for in-cluster Anthos Service Mesh. It includes the features ofIstio 1.13.9 subject to the list ofsupported features.

The rollout of version 1.15 for managed Anthos Service Mesh has completed in all regions.

1.15.3-asm.1 is now available.

Anthos Service Mesh 1.15.3-asm.1 includes the features ofIstio 1.15.3 subject to the list ofAnthos Service Mesh supported features. If you've installed in-cluster 1.15.2,please update to 1.15.3 right away. Google will automatically upgrade customers running managed Anthos Service Mesh.

VPC-SC for managed Anthos Service Mesh is generally available (GA) in the rapid channel.

Version 1.15 is now available for managed Anthos Service Mesh and is rolling out to the Rapid Release Channel.

Upon rollout completion, the managed Anthos Service Mesh channels will contain the following versions:

• Rapid Release Channel - Version 1.15
• Regular Release Channel - Version 1.14
• Stable Release Channel - Version 1.13

Note that regions will have mixed availability during the 1.15 rollout.Additionally, stable and regular channel promotion occurs before 1.15 rolls out to rapid channel.

SeeSelect a managed Anthos Service Mesh release channel for more information.

End-user authentication is being made available to managed Anthos Service Mesh in the rapid release channel. See the preceding release note for rollout timelines.

1.15.2-asm.6 is now available.

Anthos Service Mesh 1.15.2-asm.6 includes the features ofIstio 1.15.2 subject to the list ofAnthos Service Mesh supported features.

1.13.9-asm.1 is now available.

Anthos Service Mesh 1.13.9-asm.1 includes the features ofIstio 1.13.9 subject to the list ofAnthos Service Mesh supported features.

Anthos Service Mesh 1.12 is no longer supported. For more information, seeSupported versions.

1.14.5-asm.3 is now available.

Anthos Service Mesh 1.14.5-asm.3 includes the features ofIstio 1.14.5 subject to the list ofAnthos Service Mesh supported features.

Docker images for in-cluster Anthos Service Mesh v1.15 and later support the Arm architecture.

Managed Anthos Service Mesh 1.15 isn't rolling out to the rapid release channel at this time.You can periodically check this page for the announcement of the rollout ofManaged Anthos Service Mesh to the rapid channel. SeeSelect a managed Anthos Service Mesh release channel for more information.

Anthos Service Mesh now supports configuring Mesh CA and Google CA Service connectivity through an HTTPS proxy when direct connectivity from the sidecar-injected workloads is not available (for example, due to firewalls or other restrictive features). SeeConfigure Certificate Authority connectivity through a proxy for more information.

VPC-SC for managed Anthos Service Mesh will soon be generally available (GA) in the rapid channel. Older versions of theistioctl support tool may not be compatible with the enhanced security checks. To ensure compatibility, download the latest version ofistioctl.

The Istio and Go projects recently disclosed a CVE that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see thesecurity bulletin.

1.12.9-asm.3 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2022-020. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.13.8-asm.3 and 1.13.8-asm.4 are now available.

These patch releases contain the fixes for the security vulnerabilities listed inGCP-2022-020. If your environment uses managed Anthos Service Mesh, then 1.13.8-asm.3 was rolled out to theRegular release channel and you do not need to take additional steps. If your environment uses in-cluster Anthos Service Mesh, then youmust upgrade to 1.13.8-asm.4. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.14.4-asm.2 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2022-020. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.13.8-asm.1 is now available.

Anthos Service Mesh 1.13.8-asm.1 includes the features ofIstio 1.13.8 subject to the list of Anthos Service Meshsupported features.

1.14.4-asm.0 is now available.

Anthos Service Mesh 1.14.4-asm.0 includes the features ofIstio 1.14.4 subject to the list of Anthos Service Meshsupported features.

Managed Anthos Service Mesh support for GKE Autopilot is now generally available in the Regular and Rapid channels. For more information, seeConfigure managed Anthos Service Mesh with fleet API orConfigure managed Anthos Service Mesh withasmcli.

Automatically configuring managed Anthos Service Mesh using the Fleet Feature API is now generally available in the rapid, regular, and stable release channels. With this feature, Google will automatically configure your control plane, data plane, and multi-cluster endpoint visibility. This is the preferred method to provision managed Anthos Service Mesh on GKE. For more information, seeConfigure managed Anthos Service Mesh with fleet API.

The Google-managed data plane is now generally available (GA) as a part of managed Anthos Service Mesh. The managed data plane helps you upgrade data plane proxies automatically. For more information seeConfigure managed Anthos Service Mesh.

1.13.7-asm.3 is now available.

This patch release contains a fix for an issue whereistiod starts up very slowly when connectivity to the Google Cloud metadata service is partially broken. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

Anthos Service Mesh 1.13.7-asm.3 includes the features ofIstio 1.13.7 subject to the list of Anthos Service Meshsupported features.

1.13.7-asm.0 is now available.

Anthos Service Mesh 1.13.7-asm.0 includes the features ofIstio 1.13.7 subject to the list of Anthos Service Meshsupported features.

1.14.3-asm.1 is now available.

This patch release contains a fix for the known issue with the signatures of the revisions released August 11, 2022.

Anthos Service Mesh 1.14.3-asm.1 includes the features ofIstio 1.14.3 subject to the list of Anthos Service Meshsupported features.

1.12.9-asm.0 is now available.

Anthos Service Mesh 1.12.9-asm.0 includes the features ofIstio 1.12.9 subject to the list of Anthos Service Meshsupported features.

1.14.3-asm.0 is now available.

Anthos Service Mesh 1.14.3-asm.0 includes the features ofIstio 1.14.3 subject to the list of Anthos Service Meshsupported features.

The Mesh Config API (meshconfig.googleapis.com) now enables theConnect Gateway API (connectgateway.googleapis.com) and theGKE Hub API (gkehub.googleapis.com). This change does not incur any additional cost.

Version 1.14 is now available for managed Anthos Service Mesh and is rolling out to the Rapid Release Channel.

The managed Anthos Service Mesh channels are now mapped to the following versions:

• Rapid Release Channel - Version 1.14
• Regular Release Channel - Version 1.13
• Stable Release Channel - Version 1.12

SeeSelect a managed Anthos Service Mesh release channel for more information.

1.14.1-asm.3 is now available.

Anthos Service Mesh 1.14 includes the features ofIstio 1.14 subject to the list of Anthos Service Meshsupported features.

Anthos Service Mesh allows you to configure the minimum TLS version for your Istio workloads. SeeConfigure minimum TLS version for your workloads for more information.

Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time.You can periodically check this page for the announcement of the rollout ofManaged Anthos Service Mesh to the rapid channel. SeeSelect a managed Anthos Service Mesh release channel for more information.

1.13.5-asm.1 is now available.

Anthos Service Mesh 1.13 includes the features ofIstio 1.13.5 subject to the list ofAnthos Service Mesh Supported features.

1.12.8-asm.2 is now available.

Anthos Service Mesh 1.12 includes the features ofIstio 1.12.8 subject to the list ofAnthos Service Mesh Supported features.

Anthos Service Mesh 1.11 is no longer supported. For more information, seeSupported versions.

TheFleet Feature API (mesh.googleapis.com) now enables theConnect Gateway API (connectgateway.googleapis.com). This change does not incur any additional cost.

1.12.7-asm.2 is now available.

This patch release contains a fix for the known issue with the signatures of the revisions releasedJune 9, 2022 as well as the fixes for the security vulnerabilities listed inGCP-2022-015. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

There is a known issues with the signatures of the revisions releasedJune 9, 2022. To avoid this issue, upgrade to one of the following versions instead:

• 1.13.4-asm.4
• 1.12.7-asm.2
• 1.11.8-asm.4

1.13.4-asm.4 is now available.

This patch release contains a fix for the known issue with the signatures of the revisions releasedJune 9, 2022 as well as the fixes for the security vulnerabilities listed inGCP-2022-015. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.11.8-asm.4 is now available.

This patch release contains a fix for the known issue with the signatures of the revisions releasedJune 9, 2022 as well as the fixes for the security vulnerabilities listed inGCP-2022-015. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.13.4-asm.3 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2022-015. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.11.8-asm.3 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2022-015. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.12.7-asm.1 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2022-015. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

The Istio and Envoy projects recently disclosed a series of CVEs that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see thesecurity bulletin.

Enabling endpoint discovery multi-cluster installations with declarative API is now available as a preview feature in all release channels. For more information, seeEnable endpoint discovery between public clusters with declarative API.

1.13.2-asm.5 is now available.

This patch release contains the features ofIstio 1.13.2 subject to the list ofAnthos Service Mesh Supported features. Anthos Service Mesh version 1.13.2-asm.5 uses envoy v1.21.2.

1.11.8-asm.1 is now available.

This patch release includes the features ofIstio 1.11.8 subject to the list ofAnthos Service Mesh Supported features. Anthos Service Mesh version 1.11.8-asm.1 uses envoy v1.19.3.

1.12.6-asm.3 is now available.

This patch release contains the features ofIstio 1.12.6 subject to the list ofAnthos Service Mesh Supported features. Anthos Service Mesh version 1.12.6-asm.3 uses envoy v1.20.3.

In addition to the existing labels, you can now use the "istio-injection" label as an alias. For more information, seeInjection labels.

Version 1.13 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel.

Version 1.12 is being promoted to the Regular Release Channel, and version 1.11 is being promoted to the Stable Release Channel.

SeeSelect a managed Anthos Service Mesh release channel for more information.

1.13.2-asm.2 is now available.

Anthos Service Mesh 1.13 includes the features ofIstio 1.13.2 subject to the list ofAnthos Service Mesh Supported features.

1.13.1-asm.1 is now available.

Anthos Service Mesh 1.13 includes the features ofIstio 1.13 subject to the list of Anthos Service Meshsupported features.

Anthos Service Mesh 1.10 is no longer supported. For more information, seeSupported versions.

Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time.You can periodically check this page for the announcement of the rollout ofManaged Anthos Service Mesh to the rapid channel. SeeSelect a managed Anthos Service Mesh release channel for more information.

Anthos Service Mesh now supports Google Kubernetes Engine on Google Cloud and On-premise combined in a hybrid mesh as a public preview feature. SeeInstall Anthos Service Mesh andSet up a multi-cluster mesh for more information.

Anthos Service Mesh now supports Google Kubernetes Engine on Google Cloud and Amazon EKS combined in a multi-cloud mesh as a public preview feature. SeeInstall Anthos Service Mesh andSet up a multi-cluster mesh for more information.

Enabled a single Cloud API (mesh.googleapis.com), which automatically enablesall required Cloud APIs for Anthos Service Mesh.

In general, the Service dashboards support all current versions of Anthos Service Mesh. Historically, the Anthos Service Mesh release notes attempted to announce each of these dashboard updates. Going forward, the Anthos Service Mesh release notes will no longer explicitly announce dashboard updates but reserve the space for significant new feature announcements.

The Istio project recentlydisclosed a CVE that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see thesecurity bulletin.

1.12.5-asm.0 is now available.

This patch release contains the fixes for the security vulnerability listed inGCP-2022-010. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.11.8-asm.0 is now available.

This patch release contains the fixes for the security vulnerability listed inGCP-2022-010. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.10.6-asm.2 is now available.

This patch release contains the fixes for the security vulnerability listed inGCP-2022-010. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.12.4-asm.2 is now available.

Anthos Service Mesh includes the features ofIstio 1.12 subject to the list of Anthos Service Meshsupported features.

Anthos Service Mesh now supportscertificate templates with the Certificate Authority Service integration. SeeInstall default features and CA Service for more information.

The Istio project recentlydisclosed a series of CVEs that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see thesecurity bulletin.

1.12.4-asm.1 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2022-007. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.11.7-asm.1 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2022-007. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

1.10.6-asm.1 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2022-007. For details on upgrading Anthos Service Mesh, refer toUpgrade Anthos Service Mesh.

Using thefleet feature API to set upmanaged Anthos Service Mesh with automatic control plane management is now available as a preview feature in the rapid, regular, and stablerelease channels. For more information, seeConfigure managed Anthos Service Mesh with fleet API.

The Anthos Service Mesh dashboard in the Cloud Console now supports cross-project clusters, Anthos on GKE-on-vSphere (on-prem), and Anthos on Bare Metal. For more information, seeObservability overview.

1.12.2-asm.0 is now available.

This patch release contains the same bug fixes that are inIstio 1.12.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE using asmcli
• Upgrading on Anthos clusters on VMware

1.10.6-asm.0 is now available.

This patch release contains the same bug fixes that are inIstio 1.10.6. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE using the install_asm script
• Upgrading on Anthos clusters on VMware

Version 1.12 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel.

Version 1.11 has been promoted to the Regular Release Channel, and version 1.10 has been promoted to the Stable Release Channel.

SeeSelect a managed Anthos Service Mesh release channelfor more information.

Managed Anthos Service Mesh now supports deploying a proxy built on the distroless base image. Note that distroless proxy images do not work with managed data plane.

The distroless base image ensures that the proxy image contains the minimal number of packages required to run the proxy. This improves security posture by reducing the overall attack surface of the image and gets cleaner results with CVE scanners. SeeDistroless proxy image for more information.

Managed Anthos Service Mesh now supports GKE Autopilot in the Regular and Rapid channels. For more information, seeConfigure managed Anthos Service Mesh.

Managed Anthos Service Mesh control plane now displays its provisioning status in the ControlPlaneRevision API. For more information, seeVerify the control plane has been provisioned.

Anthos Service Mesh now supports Locality Load Balancing and Consistent Hash Load Balancing.

1.12.0-asm.4 is now available.

Anthos Service Mesh includes the features ofIstio 1.12 subject to the list of Anthos Service Meshsupported features.

Fixed a compatibility issue in the previous release between GKE 1.22, the Anthos Service Mesh Certificate Authority (Mesh CA), and Certificate Authority Service (CA Service).

Managed Anthos Service Mesh now supports Locality Load Balancing and Consistent Hash Load Balancing in the regular and rapid channels.

This release note was updated on December 16, 2021. Managed Anthos Service Mesh still supports 1.9 in the Stable Release Channel.

Anthos Service Mesh 1.7-1.9 are no longer supported. For more information, seeSupported versions.

Managed Anthos Service Mesh now supportsVPC Service Controls (VPC-SC) as a preview feature in the rapid channel. For more information, seeConfigure VPC Service Control for Managed Anthos Service Mesh.

1.11.5-asm.3 is now available.

Anthos Service Mesh 1.11 includes the features ofIstio 1.11 subject to the list of Anthos Service Meshsupported features.

1.12.0-asm.3 is now available.

Anthos Service Mesh 1.12 includes the features ofIstio 1.12 subject to the list of Anthos Service Meshsupported features.

Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time.You can periodically check this page for the announcement of the rollout ofManaged Anthos Service Mesh to the rapid channel. SeeSelect a managed Anthos Service Mesh release channelfor more information.

Anthos Service Mesh now supportsinstallations andupgrades on Microsoft Azure Kubernetes Service (AKS) clusters.

Anthos Service Mesh now supports theCertificate Authority Service integration on on-premises platforms (both Anthos on VMware and bare metal). Seeinstall andupgrade with default features and CA Service.

Anthos Service Mesh now supports deploying a proxy built on the distroless base image. The distroless base image ensures that the proxy image contains the minimal number of packages required to run the proxy. This improves security posture by reducing the overall attack surface of the image and gets cleaner results with CVE scanners. SeeDistroless proxy image for more information.

For unmanaged Anthos Service Mesh installations, the installer will automatically set up thedefault tag (theistio-revision-tag-default andistio-default-validator webhooks). When the default tag exists, it is possible to use theistio-injection=enabled namespace label and thesidecar.istio.io/inject workload label to enable sidecar injection for that revision.

1.11.4-asm.5 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel. SeeSelect a managed Anthos Service Mesh release channel for more information.

Managed Anthos Service Mesh now supportsCertificate Authority (CA) Service. To install managed Anthos Service Mesh with CA Service, seeConfigure managed Anthos Service Mesh.

Managed Anthos Service Mesh now supportsGKE Autopilot as a preview feature in the Rapid Channel. For more information, seeConfigure managed Anthos Service Mesh withasmcli x.

Managed Anthos Service Mesh now supports private GKE clusters with private control plane. This means that all types ofprivate GKE clusters are supported. For more information, seeEnvironments on the Supported features page.

Managed Anthos Service Mesh now supports Multi-project with shared VPC in the Rapid Release Channel. For more information, seeConfigure managed Anthos Service Mesh.

Version 1.11 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel. SeeSelect a managed Anthos Service Mesh release channel for more information.

1.11.2-asm.17 is now available.

Anthos Service Mesh 1.11 includes the features ofIstio 1.11subject to the list of Anthos Service Meshsupported features.

Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time.You can periodically check this page for the announcement of the rollout ofManaged Anthos Service Mesh to the rapid channel. SeeSelect a Managed Anthos Service Mesh release channelfor more information.

asmcliis generally available for new installations and upgrades of AnthosService Mesh. You can useasmcli to:

• Install theAnthos Service Mesh in-cluster control plane

• Configure managed Anthos Service Mesh

• Add Compute Engine virtual machines to Anthos Service Mesh

• Set up a multi-cluster mesh on non-private GKE clusters

• Set up a multi-cluster mesh outside Google Cloud

The in-cluster control plane is supported on the on the following platformsusingasmcli:

• GKE clusters in a single project
• GKE clusters in multiple projects
• Anthos clusters on VMware
• Anthos on bare metal
• Anthos clusters on AWS
• Amazon EKS

Note: Upgrades from Anthos Service Mesh 1.7 on EKS to Anthos Service Mesh 1.11 aren't supported. You will need to set up a new EKS cluster to install Anthos Service Mesh 1.11.

asmcli requires clusters to be registered with a fleet.asmcli can automatically register a cluster as long as it meets the requirements specified infleet requirements.asmcli does not support automatic fleet registration for GKE 1.22 clusters, which must be registered manually before installation.

Usinginstall_asm andistioctl install is deprecated and support for thesetools for installations and upgrades of Anthos Service Mesh will be removed whenAnthos Service Mesh 1.12 is released. Please update your scripts and tools touseasmcli. For more information seeTransitioning to asmcli.

Anthos Service Mesh uses a proxy that is based on OSS Envoy. The Anthos Service Mesh 1.11 proxy is based on Envoy v1.19.1.

The Anthos Service Mesh integration withCertificate Authority Service(CA Service) is generally available. You can use CA Service as the certificateauthority for signing mutual TLS certificates. SeeConfigure Anthos Service Mesh to use CA Service for details.

1.9.8-asm.6 and 1.10.4-asm.14 are now available.

These patch releases fix a potential memory leak in the control plane.

1.9.8-asm.3 and 1.10.4-asm.9 are now available.

These patch releases:

• Introduced a rate limit to improve control plane availability under load spikes.
• Fixed a memory leak and proxy count issue in the control plane.

The Istio project recentlydisclosed a series of CVEs that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see thesecurity bulletin.

1.10.4-asm.6 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE or On-premises using theasmcli script.
• Upgrading on GKE using theinstall_asm script
• Upgrading on Anthos clusters on VMware

1.8.6-asm.8 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE or On-premises using theasmcli script (preview)
• Upgrading on GKE using theinstall_asm script
• Upgrading on Anthos clusters on VMware

1.7.8-asm.10 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE or On-premises using theasmcli script (preview)
• Upgrading on GKE using theinstall_asm script
• Upgrading on Anthos clusters on VMware

Theasmcli script is now available inpreview. With this script you can install and upgrade Anthos Service Mesh on GKE and On-premises. For more information, seeAbout theasmcli.

1.9.8-asm.1 is now available.

This patch release contains the fixes for the security vulnerabilities listed inGCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE or On-premises using theasmcli script (preview)
• Upgrading on GKE using theinstall_asm script
• Upgrading on Anthos clusters on VMware

Anthos Service Mesh now supports skip-version upgrades for single-project clusters on GKE running versions 1.7 and higher. This means you can now upgrade 1.7 and 1.8 installations directly to 1.10. For more information, seeUpgrading Anthos Service Mesh to the latest version.

Anthos Service Mesh for Compute Engine VMs now usesgcloud commands and supports Google-managed control planes. For more information, seeAdd Compute Engine virtual machines to Anthos Service Mesh.

Google-managed data plane is now available inpreview as a part of managed Anthos Service Mesh. Google-managed data plane helps you upgrade data plane proxies automatically. For more information seeConfigure managed Anthos Service Mesh.

1.8.6-asm.7 is now available. This patch release:

• Fixes a bug that could lead to memory leaks in the proxy.
• Fixes a bug causing invalidcipherSuites in the Gateway configuration that could cause broken traffic.

The 1.x version ofkpt breaks Anthos Service Mesh installations and upgrades. Anthos Service Mesh requires a pre -1.x version ofkpt. The latest version of thegcloud command-line tool includes the 1.xkpt that breaks installs and upgrades.

Make sure that you are running a pre 1.x version ofkpt:

kpt version

The output should be similar to the following:

0.39.2

If you havekpt version 1.x or higher, use thecurl command inSetting up your environment to download the required version for your operating system.

If you are installing or upgrading Anthos Service Mesh using theinstall_asm script, make sure to download the most recent version of the script. The updated version ofinstall_asm checks yourkpt version. If needed,install_asm downloads and uses the requiredkpt version. Runinstall_asm --version to make sure you have a version ofinstall_asm that has the workaround. You need the followinginstall_asm versions or higher:

• 1.10: 1.10.2-asm.3+config1 or higher.Get the latest 1.10 install_asm.

• 1.9: 1.9.6-asm.2+config1 or higher.Get the latest 1.9 install_asm.

• 1.8 1.8.6-asm.5+config1 or higher.Get the latest 1.8 install_asm.

• 1.7 Download the requiredkpt version as described above.

1.10.2-asm.3 is now available and includes a fix for the known issue with control plane metric reporting reported onJune 25, 2021.

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE using theinstall_asm script
• Upgrading on Anthos clusters on VMware

Anthos Service Mesh user authentication is now generally available (GA). This feature lets you use existing Identity Providers (IDP) for user authentication and access control to your workloads. For more information, seeConfiguring Anthos Service Mesh user authentication.

There is a breaking change in 1.10 with inbound forwarding that affects applications that bind solely to thelocalhost interface.

For more information, see the1.10 Istio upgrading notes.

There is a known issue in 1.10.2-asm.2 where control plane metric reporting to Cloud Monitoring is not functioning properly and reports excessive error logs in the Istiod container.

1.10.2-asm.2 is now available.

This patch release contains the same bug fixes that are inIstio 1.10.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE using theinstall_asm script
• Upgrading on Anthos clusters on VMware

Google-managed control plane release channels are available.

Anthos Service Mesh releases updates often, to deliver security updates, fix known issues, and introduce new features. Release channels offer you the ability to balance between stability and the feature set of the Anthos Service Mesh version. Google automatically manages the version and upgrade cadence for each release channel. To learn more, see the following:

• 1.9x Google-managed control plane

• 1.10x Google-managed control plane

Anthos clusters on-premises support Mesh CA.

New installations of Anthos Service Mesh 1.10x on Anthos clusters on VMWare and bare metal support the Anthos Service Mesh certificate authority (Mesh CA). For details on the installation, seeInstalling Anthos Service Mesh on-premises.

When you install Anthos Service Mesh on-premises with Mesh CA, this enablesCloud Monitoring and Cloud Logging by default. Additionally, you can use Cloud Trace (which youenable separately) as needed for troubleshooting.

Migrating to Mesh CA from Istio CA with little or no downtime.

Migrating to Anthos Service Mesh certificate authority (Mesh CA) from Istio CA (also known as Citadel) requires migrating the root of trust. Prior to Anthos Service Mesh 1.10, if you wanted to migrate from Istio on to Anthos Service Mesh with Mesh CA, you needed to schedule downtime because Anthos Service Mesh was not able to load multiple root certificates, which interrupted mutual TLS (mTLS) traffic during the migration.

With Anthos Service Mesh 1.10 and higher, you can install a new in-cluster control plane with an option that distributes the Mesh CA root of trust to all proxies. After switching to the new control plane and restarting workloads, all proxies are configured with both the Istio CA and Mesh CA root of trust. Next, you install a new in-cluster control plane that has Mesh CA enabled. As you switch workloads over to the new control plane, mTLS traffic isn't interrupt. For details, seeMigrating to Mesh CA.

1.8.6-asm.4 and 1.9.6-asm.1 are now available. This release updates the envoy versions for the following Anthos Service Mesh versions:

• 1.8.6-asm.2 uses Envoy v1.16.3.
• 1.9.6-asm.1 uses Envoy v1.17.2.

These patch releases contains a fix forCVE-2021-34824. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Anthos Service Mesh 1.8.x
  • Upgrading on GKE
  • Upgrading on Anthos clusters on VMware
• Anthos Service Mesh 1.9.x
  • Upgrading on GKE
  • Upgrading on Anthos clusters on VMware

The Istio project recentlyannounced a security vulnerability (CVE-2021-34824) where where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

For more information, see theGCP-2021-012 security bulletin.

Google-managed control plane is now a generally available (GA) feature. This feature lets you move from managing Istiod in your clusters to configuring the control plane as a service. Google will manage the availability, scalability and security of the control plane.

In addition, it offers these new features:

• Support forCNI
• Support for private clusters with apublic IP address/endpoint access for the control plane
• Support for private clusters withMaster Authorized Network (MAN)

Using the Google-managed control plane also simplifies multi-cluster mesh configuration and reduces the Kubernetes Engine privileges needed to install Anthos Service Mesh. For more information seeConfiguring the Google-managed control plane.

Anthos Service Mesh 1.6 is no longer supported. For more information seeSupported versions.

1.9.5-asm.2, 1.8.6-asm.3, and 1.7.8-asm.8 are now available.

This release fixes the following security vulnerabilities:

• GCP-2021-008
• GCP-2021-007

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE
• Upgrading on-premises

Anthos Service Mesh uses a proxy that is based on OSS Envoy. The Envoy version that the Anthos Service Mesh proxy uses differs by Anthos Service Mesh version, as follows:

• 1.9.5-asm.2:Envoy v1.17.1
• 1.8.6-asm.3:Envoy v1.16.3
• 1.7.8-asm.8:Envoy v1.15.4

1.9.3-asm.2, 1.8.5-asm.2, 1.7.8-asm.1, and 1.6.14-asm.2 are now available.

Fixes the security issue,ISTIO-SECURITY-2021-003, with the same fixes as Istio 1.9.3. These fixes were also backported to the specified Anthos Service Mesh versions.

This release updates the envoy versions for the following Anthos Service Mesh versions:

• Anthos Service Mesh version 1.9.3-asm.2 usesenvoy v1.17.2.
• Anthos Service Mesh version 1.8.5-asm.2 usesenvoy v1.16.3.
• Anthos Service Mesh version 1.7.8-asm.1 usesenvoy v1.15.4.
• Anthos Service Mesh version 1.6.14-asm.2 usesenvoy v1.14.7.

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Anthos Service Mesh 1.9.x
  • Upgrading on GKE using theinstall_asm script
  • Upgrading on Anthos clusters on VMware
• Anthos Service Mesh 1.8.x
  • Upgrading on GKE
  • Upgrading on Anthos clusters on VMware
• Anthos Service Mesh 1.7.x
  • Upgrading on GKE
  • Upgrading on Anthos clusters on VMware
• Anthos Service Mesh 1.6.x
  • Upgrading on GKE
  • Upgrading on Anthos clusters on VMware

Adding multiple private clusters from different projects into a single Mesh on GKE is now available as a generally available (GA) feature.

Adding multiple private clusters from different projects into a single Mesh on GKE is now available as a publicpreview feature.

Anthos Service Mesh user authentication is now available as a publicpreview feature on installations of 1.9. This feature lets you use existing Identity Providers (IDP) for user authentication and access control to your workloads. For more information, seeConfiguring Anthos Service Mesh user authentication.

1.9.2-asm.1 is now available.

This patch release contains the same bug fixes that are inIstio 1.9.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE using theinstall_asm script
• Upgrading on Anthos clusters on VMware

The Anthos Service Mesh Topology (beta) page in Cloud Console won't display properly ifunsupported versions, including versions earlier than Anthos Service Mesh 1.6.8, are installed on your clusters or if you have disabled the Canonical Service controller in clusters in your project.

Note that the Canonical Service controller is enabled by default on version 1.6.8 and higher. If you did not disable the Canonical Service controller on a supported version, no action is required.

What should I do?

• Upgrade to Anthos Service Mesh 1.6.8 or higher.
• Enable the Canonical Service controller.

1.9.1-asm.1 is now available. Anthos Service Mesh 1.9 includes the features ofIstio 1.9 subject to the list ofAnthos Service Mesh supported features.

Anthos Service Mesh for Compute Engine VMs is now available as a publicpreview feature. With this new feature you can manage, observe, and secure services running on both Compute Engine Managed Instance Groups and Kubernetes Engine clusters in the same mesh. You can mix and choose the best environment to run your services while enjoying the benefits of Anthos Service Mesh.

This feature also improves security and usability by letting you use Compute Engine service accounts for mTLS authentication to other Compute Engine VMs and Kubernetes Engine Pods. For more information see thedocumentation.

Google-managed control plane is now available as a publicpreview feature. This feature lets you move from managingistiod in your clusters to configuring the control plane as a service. Google will manage the availability, scalability and security of the control plane.

Using the managed control plane also simplifies multi-cluster mesh configuration and reduces the Kubernetes Engine privileges needed to install Anthos Service Mesh. For more information seeConfiguring the Google-managed control plane.

Anthos Service Mesh 1.5 is no longer supported. For more information seeSupported versions.

1.8.3-asm.2 is now available.

This patch release contains the same bug fixes that are inIstio 1.8.3. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE using theinstall_asm script
• Upgrading on Anthos clusters on VMware

1.6.14-asm.1 is now available.

This patch release contains a fix forCVE-2021-3156. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading Anthos Service Mesh on GKE
• Upgrading on Anthos clusters on VMware

1.8.2-asm.2 is now available.

This patch release contains the same bug fixes that are inIstio 1.8.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading on GKE using theinstall_asm script
• Upgrading on Anthos clusters on VMware

Theinstall_asm script lets you reinstall the same version

You can use theinstall_asm script when you need to reinstall the same Anthos Service Mesh version to change the control plane configuration. For more information, see the following:

• 1.8:Reinstalling the same version

• 1.7:Reinstalling the same version

1.7.6-asm.1 is now available.

This patch release contains the same bug fixes that are inIstio 1.7.6. For details on upgrading Anthos Service Mesh, refer to the following Anthos Service Mesh upgrade guides:

• Upgrading on GKE using theinstall_asm script
• Upgrading on Anthos clusters on VMware

1.6.14-asm.0 is now available.

This patch release contains the same bug fixes that are inIstio 1.6.14. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

• Upgrading Anthos Service Mesh on GKE
• Upgrading Anthos clusters on VMware

1.8.1-asm.5 is now available.

New flags for the install_asm script

Theinstall_asm script was enhanced to provide you with more granular controlover the changes that the script makes on your project and GKE on Google Cloudcluster. For more information, see theEnablement flagssection in the documentation for the script.

Multi-cluster support for GKE on-premBeta

Anthos Service Mesh now supports multi-cluster meshes when running on GKEon-prem. For more information, seeAdd clusters to Anthos Service Mesh on-prem.

Third-party add-ons removed from all profiles

The Prometheus, Grafana, and Kiali add-ons were removed from all Anthos ServiceMesh profiles. For information on why the add-ons were removed, seeReworking our Addon Integrations. Installation of these third-party add-ons was removed from the 1.8IstioOperator API, which means that they can't be installed with theistioctl install command.For information on installing a demo version of the add-ons, seeIntegrating with third-party add-ons.

Note that by default,metrics are still exported to Prometheus in theasm-multicloud profile. You can optionally enable metrics export to Prometheus in theasm-gcp-multiproject profile.

Anthos Service Mesh 1.8 isn't supported on Anthos attached clusters and GKE on AWS

Anthos Service Mesh 1.8 currently isn't supported on Anthosattached clusters (Microsoft AKS and Amazon EKS) and GKE on AWS (Amazon EC2).Anthos Service Mesh 1.7 and 1.6 are supported for these environments. For moreinformation, see the following guides:

• Anthos Service Mesh 1.7
  • Installing Anthos Service Mesh 1.7 on attached clusters
  • Installing Anthos Service Mesh 1.7 on GKE on AWS
• Anthos Service Mesh 1.6
  • Installing Anthos Service Mesh 1.6 on attached clusters
  • Installing Anthos Service Mesh 1.6 on GKE on AWS

Reduced permissions required for installation

The permissions required for installation have been scaled back. Testing hasshown that the Project Editor role can be replaced with more granular roles. Forthe complete list, seePermissions required to install Anthos Service Mesh.

Anthos Service Mesh, Mesh CA and the Anthos Service Mesh dashboards in Google Cloud Console are now available for any GKE customer and do not require the purchase of Anthos. Seepricing for details.

Added a shell script to automate Anthos Service Mesh installation and migration from Istio and the Istio on GKE add-on. For details, see the following guides:

• 1.6:Installation and migration on GKE

• 1.7:Installation, migration, and upgrades on GKE

There are slight changes to the behavior of Google Cloud Console for customers who use Anthos Service Mesh without an Anthos subscription. See detailshere.

1.7.3-asm.6 is now available

Anthos Service Mesh 1.7 is compatible with and has the feature set ofIstio 1.7, subject to the list ofAnthos Service Mesh supported features.

Addedrevision label support to sidecar injection for greater control over various scenarios, such as canary upgrades and more.

Added support for on-premises secure key management, provided byThales Luna HSM 7+ and Hashicorp Vault.

Added a shell script to automate Anthos Service Mesh installation and migration from Istio 1.6. See theinstallation guide for details.

The beta validation toolasmctl is retired and the lessons learned are built into the new, streamlinedAnthos Service Mesh install script.

If you use unsupported Istio features in your Anthos Service Mesh deployment, seeIstio upgrade notes for changes that might affect you.

You can now allow an experimental feature to exceed 4GB of memory usage.

1.4.10-asm.19 is now available

1.6.11-asm.1, 1.5.10-asm.2, and 1.4.10-asm.18

Fixes the security issue,ISTIO-SECURITY-2020-010, with the same fixes as Istio 1.6.11. These fixes were backported to 1.6.11-asm.1, 1.5.10-asm.2 and 1.4.10-asm.18. For more information, see theIstio 1.6.11 release notes.

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

1.6

• Upgrading Anthos Service Mesh on GKE
• Upgrading Anthos Service Mesh on premises

1.5

• Upgrading Anthos Service Mesh on GKE
• Upgrading Anthos Service Mesh on premises

1.4

• Upgrading Anthos Service Mesh on GKE
• Upgrading Anthos Service Mesh on premises

1.6.8-asm.9 is now available

Adds Citadel CA support forgcp profiles.

Adds beta support for joining multiple clusters fromdifferent projects into a single Anthos Service Mesh on Google Kubernetes Engine.

Fixes anissue for enabling trust domain validation at the transport socket level.

1.6.8-asm.0 and 1.5.9-asm.0

Fixes the security issue,ISTIO-SECURITY-2020-009, with the same fixes as Istio 1.6.8 and Istio 1.5.9. For more information, see the Istio release notes:

• Istio 1.6.8 release notes

• Istio 1.5.9 release notes

Anthos Service Mesh on GKE on AWS is supported.

For more information, seeInstalling Anthos Service Mesh on GKE on AWS.

1.6.5-asm.7, 1.5.8-asm.7, and 1.4.10-asm.15 are now available

This release provides these features and fixes:

• Builds Istiod (Pilot), Citadel Agent, Pilot Agent, Galley, and Sidecar Injector withGo+BoringCrypto.
• Builds Istio Proxy (Envoy) with the--define boringssl=fips option.
• Ensures the components listed above use FIPS-compliant algorithms.

1.6.5-asm.1, 1.5.8-asm.0, and 1.4.10-asm.4

Fixes the security issue,ISTIO-SECURITY-2020-008, with the same fixes as Istio 1.6.5 and Istio 1.5.8. These fixes were backported to 1.4.10-asm.4. For more information, see the Istio release notes:

• Istio 1.6.5

• Istio 1.5.8

1.5.7-asm.0 and 1.4.10-asm.3

Fixes the security issue,ISTIO-SECURITY-2020-007, with the same fixes as Istio 1.6.4. For information, see theIstio release notes.

Description

The vulnerability affects Anthos Service Mesh (ASM) versions 1.4.0 to 1.4.10, 1.5.0 to 1.5.5, and 1.6.4 whether running in Anthos clusters on VMware or on GKE, potentially exposing your application to Denial of Service (DOS) attacks. This vulnerability is referenced in these publicly disclosed Istio security bulletins:

• ISTIO-SECURITY-2020-007:
  • CVE-2020-12603 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (e.g., 1 byte) data frames.
  • CVE-2020-12605 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
  • CVE-2020-8663 (CVSS score 7.0, High): Envoy version 1.14.1 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
  • CVE-2020-12604 (CVSS score 7.0, High): Envoy through 1.14.1 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.

Mitigation

If you use ASM 1.6.4:* Apply the additional configuration changes specified inISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.

If you use ASM 1.4.0 to 1.4.10 or 1.5.0 to 1.5.5:* Upgrade your clusters to ASM 1.4.10-asm.3 or ASM 1.5.7-asm.0 as soon as possible and apply the additional configuration changes specified inISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.

• See the following documentation for how to upgrade your Anthos Service Mesh.

  • ASM 1.5 for GKE and on-premises, respectively:
  • Upgrading Anthos Service Mesh on GKE

  • Upgrading Anthos Service Mesh on-prem

  • ASM 1.4 for GKE and on-premises, respectively:

  • Upgrading Anthos Service Mesh on GKE

  • Upgrading Anthos Service Mesh on-prem

1.6.4-asm.9 is now available.

ASM 1.6 is compatible with and has the feature set of Istio 1.6 (seeIstio release notes), subject to the list ofASM Supported Features.

Upgrade from ASM 1.5 to ASM 1.6 without downtime using adual control plane upgrade.

In theasm-multicloud profile, ASM now installs a complete observability stack (Prometheus, Grafana and Kiali).

Anthos Service Mesh now supports cross-cluster security policies (beta) for yourmulti-cluster mesh when running on GKE on Google Cloud.

Support for cross-cluster load balancing (beta) for yourmulti-cluster mesh for GKE on Google Cloud.

The profile to install ASM in GKE has been renamed fromasm toasm-gcp, seeUpgrading Anthos Service Mesh on GKE. The profile to install ASM in GKE on-premise clusters has been renamed fromasm-onprem toasm-multicloud, seeUpgrading Anthos Service Mesh on premises.

Users that configure multiple clusters in their mesh can now see unified, multi-cluster views of their services in the Anthos Service Mesh pages in the Cloud Console. Note that multi-cluster support is in Beta and not all UI features are supported in multi-cluster mode.

Anthos Service Mesh now supports multi-cluster meshes (beta) when running on GKE on Google Cloud.

New installation guides:Installing Anthos Service Mesh on attached clusters andAdding clusters to an Anthos Service Mesh.

ASM 1.6 is supported in a single cluster configuration in Anthos Attached Clusters in the following environments: Amazon Elastic Kubernetes Service (EKS) and Microsoft Azure Kubernetes Service (AKS).

Known Issue: If you upgrade from Istio to ASM 1.6 and have set SLOs on your service metrics, those SLOs might be lost and need to be recreated after the upgrade.

1.5.6-asm.0 and 1.4.10.asm.2

Contains the same fixes as OSS Istio 1.5.6. Non-critical, minor improvements were also backported to ASM 1.4.10. SeeAnnouncing Istio 1.5.6 for more information.

1.5.5-asm.2

Fixes a bug in theistioctlHorizontalPodAutoscaling setting that caused Anthos Service Mesh installations to fail.

1.5.5-asm.0 and 1.4.10-asm.1

Fixes the security issue, CVE-2020-11080, with the same fixes asOSS Istio 1.5.5. The security fixes were backported to ASM 1.4.10.

Description

A vulnerability affecting the HTTP/2 library used by Envoy has been fixed and publicly disclosed (c.f. Denial of service: Overly large SETTINGS frames ).

CVE-2020-11080: By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.

Mitigation

HTTP/2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration. HTTP/2 support at ingress can only be disabled if you are not exposing HTTP/2 services that cannot fallback to HTTP/1.1 through ingress. Note that gRPC services cannot fallback to HTTP/1.1.

apiVersion:networking.istio.io/v1alpha3kind:EnvoyFiltermetadata:name:disable-ingress-h2namespace:istio-systemspec:workloadSelector:labels:istio:ingressgatewayconfigPatches:-applyTo:NETWORK_FILTER# http connection manager is a filter in Envoymatch:context:GATEWAYlistener:filterChain:filter:name:"envoy.http_connection_manager"patch:operation:MERGEvalue:typed_config:"@type":type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManagercodec_type:HTTP1

For additional information, seeISTIO-SECURITY-2020-006.

1.5.4-asm.2

1.5.4-asm.2 is now available.

Security fixes

1.5.4-asm.2 contains all the same security fixes that are in Anthos Service Mesh 1.4.

Beta release of the Anthos CLI

The Anthos CLI simplifies the installation of Anthos Service Mesh. You can use the Anthos CLI to:

• Create a new cluster that meets the Anthos Service Mesh cluster requirements and install Anthos Service Mesh. SeeInstalling Anthos Service Mesh on a new cluster using the Anthos CLI.
• Update an existing cluster with the options that Anthos Service Mesh requires and install Anthos Service Mesh. SeeInstalling Anthos Service Mesh on an existing cluster using the Anthos CLI.

Port change for automatic sidecar injection

If you are installing Anthos Service Mesh on a private cluster, you must add afirewall rule to open port 15017 if you want to useautomatic sidecar injection. In Anthos Service Mesh 1.4, the port used for automatic sidecar injection is 9443.

If you don't add the firewall rule and automatic sidecar injection isenabled, you get an error when you deploy workloads. For details on adding afirewall rule, seeAdding firewall rules for specific use cases.

The alpha authentication policy is deprecated

SeeUpdating to the beta security policies for more information.

IstioOperator API replacesIstioControlPlane API

The alphaIstioControlPlane API has been replaced by theIstioOperator API. You must use theIstioOperator API in YAML files to enable optional features when you install Anthos Service Mesh.

Enabling pod security policies no longer needed

SDS security was improved by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.

Istio CNI plugin is supported

By default Anthos Service Mesh injects aninitContainer,istio-init, in pods deployed in the mesh. Theistio-init container sets up the pod network traffic redirection to/from the sidecar proxy. This requires the user or service-account deploying pods to the mesh to have sufficient Kubernetes RBAC permissions to deploy containers with theNET_ADMIN andNET_RAW capabilities. Requiring users to have elevated Kubernetes RBAC permissions is problematic for some organization's security compliance. The Istio Container Network Interface (CNI) plugin is a replacement for theistio-init container that performs the same networking functionality but without requiring users to enable elevated Kubernetes RBAC permissions.

The Istio CNI plugin performs the mesh pod traffic redirection in the Kubernetes pod lifecycle's network setup phase, thereby removing the requirement for theNET_ADMIN andNET_RAW capabilities for users deploying pods into the mesh. The Istio CNI plugin replaces the functionality provided by theistio-init container.

1.4.9-asm.1

Fixes the security issue, CVE-2020-10739, with the same fixes asOSS Istio 1.4.9. SeeISTIO-SECURITY-2020-005 for more information.

The Anthos Service Mesh dashboard in the Google Cloud Console is generally available for Anthos Service Mesh installations on Google Kubernetes Engine clusters. For more information, see theObservability overview.

1.4.7-asm.0

Contains the same fixes as OSS Istio 1.4.7. SeeAnnouncing Istio 1.4.7 for more information.

1.4.6-asm.0

Fixes known security issues with the same fixes asOSS Istio 1.4.6:

• CVE-2020-8659, CVE-2020-8661, CVE-2020-8664, CVE-2020-8660:ISTIO-SECURITY-2020-003

1.4.5-asm.0

Anthos Service Mesh certificate authority (Mesh CA) is generally available for GKE on Cloud.

Mesh CA is a Google managed, highly available and secure service that replaces Citadel for Anthos Service Mesh customers on GKE on Cloud. Mesh CA issues mTLS certificates for workloads running in Anthos Service Mesh.

GKE on premises continues to use Citadel.

The changes to support theAnthos Service Mesh observability features, including the topology graph on the Anthos Service Mesh Dashboard are included in 1.4.5-asm-0.

Note that the Anthos Service Mesh Dashboard itself is still in beta.

Prepare for a breaking change coming in Anthos Service Mesh 1.5

WARNING: Don't include aTargetSelectorin your authentication polices. Authentication policies that include aTargetSelector will not be automatically converted to the new version of the Authentication Policy API that will be released in Anthos Service Mesh 1.5. You will have to migrate these authentication policies manually to the new Authentication Policy API. If you don't remove theTargetSelector, the authentication policies might be ignored without warning in Anthos Service Mesh 1.5.

1.4.4-asm.0

Fixes aknown security issue with the same fixes as OSS Istio 1.4.4, as well as improvements from OSS Istio 1.4.3.

Anthos Service Mesh is generally available.

This release features a supported, downloadable installation of Anthos Service Mesh for use in your Anthos clusters on-premises or on Google Kubernetes Engine.

The following features remain in beta:

• Service Mesh Dashboard for Google Kubernetes Engine clusters
• Observability of your services
• Anthos Service Mesh certificate authority (Mesh CA)

Anthos Service Mesh certificate authority Beta.

Anthos Service Mesh Beta.*Service Mesh Dashboard for Google Kubernetes Engine clusters*Observability of your services