Aspen Mesh Carrier-Grade 1.11.8-am4 release notes

Introduction

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.11.8-am3 and 1.11.8-am4.

Supported platforms

This release is officially supported on these platforms and versions:

Platform    Version    Recommended Helm version
---------   --------   ------------------------
OpenShift   4.10       3.9

Security updates

Istio 1.11.8

(No security updates)

Aspen Mesh features

(No security updates)

Other changes

Istio 1.11.8

(No changes)

Aspen Mesh features

  • Renamed Packet Inspector to Packet Inspector 1.

  • AM63 (early access): Added Packet Inspector 2, which provides support for directly communicating with a supported analysis service (for example, NetScout)—without the need for an aggregator—and capturing traffic from a set of labeled pods.

  • TW-2410: Improved the DNS controller so managed Istio service entries have different names than their corresponding original Istio service entries. If you decide to stop using the DNS controller, you can now re-create your original service entries before you uninstall the DNS controller, which ensures that on-mesh services can connect to off-mesh services without interruption. Learn how to use the DNS controller.

  • TW-2627: Added a DNS-controller configuration option to scale the controller so it can perform more DNS queries simultaneously.

  • TW-2443: Added a DNS-controller configuration option to specify the DNS query timeout.

Known issues

Istio 1.11.8 proxy (Envoy)

  • CVE-2022-21656 (CVSS score 3.1, Low): X.509 subjectAltName matching (and nameConstraints) bypass

    Due to significant divergence in the affected source code between this and later versions of Envoy, it’s not feasible to implement the fix without destabilizing this version.

    If the certificate authorities (CAs) you use are limited to istiod and Citadel, Envoy is not exposed to this vulnerability because those CAs don’t create malformed certificates. If your ingress gateway serves certificates issued by a CA other than Citadel, ensure that the certificates are not malformed.

Aspen Mesh features

  • AM-3069: OpenShift clusters using either the Multi-Primary or the Multi-Primary on different networks configuration for multicluster connectivity fail to create the remote secret with the following error:

    $ istioctl x create-remote-secret --name=cluster1
    
    error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
    
  • AM-3547: Pods with Istio sidecars get evicted when a node runs low on storage because they don’t request ephemeral storage.

  • ASM-3699: When Aspen Mesh is in IPv4/IPv6 dual-stack mode on a dual-stack cluster, applications can’t reach hosts defined in service entries.

Instructions

Use these instructions, with the exception noted below:

Exception: Socket-option filter

Delete a manually installed socket-option filter

Important

If you want to perform an upgrade and have previously installed the socket-option filter manually (without using Helm), uninstall the filter first (a new socket-option filter will be installed as part of the upgrade):

  1. List any socket-option filters in the istio-system namespace:

    $ kubectl get envoyfilter --namespace istio-system -o json | \
        jq -r '.items[] | select(.spec.configPatches[0].patch.value
        .upstream_bind_config.socket_options[0].name==18).metadata.name'
    
  2. Does the output show the name of a socket-option filter (typically http-capture-cfg)?

    • Yes: Go to step 3.

    • No: Stop. You can safely perform an upgrade because the filter is not installed.

  3. Delete the socket-option filter:

    $ kubectl delete envoyfilter --namespace istio-system <filterName>
    

    You can now safely perform an upgrade.
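The check from steps 1 and 3, as an added example that is not part of these release notes: a Python re-implementation of the jq selection that can be run offline against saved `kubectl get envoyfilter -o json` output (the EnvoyFilter manifests below are constructed samples). It goes beyond the one-liner by inspecting every configPatch and every socket option rather than only the first of each.

```python
"""Find socket-option EnvoyFilters in `kubectl get envoyfilter -o json` output.

Added example, not from the Aspen Mesh release notes: it re-implements the page's
jq selection in Python for offline checks of saved output, but walks every
configPatch and every socket option instead of only the first of each.
"""
import json
from typing import Any, Dict, Iterable, List

SOCKET_OPTION_NAME = 18  # the socket option "name" the release notes select on


def _socket_options(patch: Dict[str, Any]) -> Iterable[Dict[str, Any]]:
    """Yield socket_options entries under patch.value.upstream_bind_config."""
    value = (patch.get("patch") or {}).get("value") or {}
    for opt in (value.get("upstream_bind_config") or {}).get("socket_options") or []:
        if isinstance(opt, dict):
            yield opt


def socket_option_filters(envoyfilter_list: Dict[str, Any]) -> List[str]:
    """Return names of EnvoyFilters that set socket option 18 on upstream binds.
    `envoyfilter_list` is the parsed JSON of `kubectl get envoyfilter -o json`.
    Missing or oddly typed fields count as "not a socket-option filter".
    """
    names = []
    for item in envoyfilter_list.get("items") or []:
        patches = (item.get("spec") or {}).get("configPatches") or []
        if any(opt.get("name") == SOCKET_OPTION_NAME
               for patch in patches if isinstance(patch, dict)
               for opt in _socket_options(patch)):
            names.append(item["metadata"]["name"])
    return names


# Constructed sample output: one manually installed socket-option filter and
# an unrelated EnvoyFilter that has no upstream_bind_config at all.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "http-capture-cfg", "namespace": "istio-system"},
  "spec": {"configPatches": [{"applyTo": "CLUSTER", "patch": {"operation": "MERGE",
   "value": {"upstream_bind_config": {"socket_options": [{"name": 18}]}}}}]}},
 {"metadata": {"name": "unrelated-filter", "namespace": "istio-system"},
  "spec": {"configPatches": [{"applyTo": "HTTP_FILTER", "patch": {"operation":
   "INSERT_BEFORE", "value": {"name": "envoy.filters.http.lua"}}}]}}
]}
""")

if __name__ == "__main__":
    for name in socket_option_filters(SAMPLE):  # the deletion from step 3
        print(f"kubectl delete envoyfilter --namespace istio-system {name}")
```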

Download

Use either of the following methods to download the release archive file: