Aspen Mesh Carrier-Grade 1.14.5-am1 release notes

Introduction

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.11.8-am4 and 1.14.5-am1.

Supported platforms

This release is officially supported on these platforms and versions:

Platform     Version     Recommended Helm version
OpenShift    4.10        3.9

Security updates

Istio

  • CVE-2022-39278 (CVSS score 7.5, High): Denial of service attack due to Golang Regex Library

  • CVE-2022-21679 (CVSS score 6.8, Moderate): Configuration for proxies at version 1.11 is generated incorrectly, affecting the hosts and notHosts fields in the authorization policy.

  • CVE-2022-21701 (CVSS score 4.7, Moderate): Vulnerability to a privilege escalation attack. Users who have CREATE permission for gateways.gateway.networking.k8s.io objects can escalate this privilege to create other resources that they may not have access to, such as Pod.

Note

The following Istio CVEs were also fixed in open source Istio 1.14.5 but had already been fixed in earlier versions of Aspen Mesh. We’ve included them here for completeness.

Istio proxy (Envoy)

  • CVE-2022-23606 (CVSS score 4.4, Moderate): Stack exhaustion when a cluster is deleted via Cluster Discovery Service

  • CVE-2022-21656 (CVSS score 3.1, Low): X.509 subjectAltName matching (and nameConstraints) bypass

Note

The following Envoy CVEs were also fixed in open source Istio 1.14.5 but had already been fixed in earlier versions of Aspen Mesh. We’ve included them here for completeness.

Aspen Mesh features

(No security updates)

Other changes

Istio

  • Istio 1.14.5

  • Istio 1.14.4

  • Istio 1.14.3

  • Istio 1.14.2

  • Istio 1.14.1

  • Istio 1.14

    Note

    This version introduced the ability to configure the minimum TLS version allowed for TLS connections between mesh workloads, which prevents earlier TLS versions from being used. If you don’t configure the minimum TLS version, it defaults to 1.2. The maximum TLS version is 1.3, which is not configurable.

    Example 1

    Configuring a minimum TLS version of 1.3 allows TLS version 1.3 but disallows TLS versions 1.0, 1.1, and 1.2.

    Example 2

    Not configuring a minimum TLS version allows TLS versions 1.2 and 1.3 but disallows TLS versions 1.0 and 1.1.

    Configure the minimum TLS version for mesh workloads

    1. In your Aspen Mesh override values file, set .meshConfig.meshMTLS.minProtocolVersion to the minimum TLS version you want to allow (for example, TLSV1_3 for TLS 1.3).

    2. Perform a clean installation or an upgrade of Aspen Mesh.

  • Istio 1.13.7

  • Istio 1.13.6

  • Istio 1.13.5

  • Istio 1.13.4

  • Istio 1.13.3

  • Istio 1.13.2
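The following override values fragment applies step 1 of the Istio 1.14 minimum-TLS-version procedure above. It is an added example, not taken from the release notes or the Aspen Mesh charts; the only field it uses is the `.meshConfig.meshMTLS.minProtocolVersion` path named in the procedure.

```yaml
# Added example (not from the Aspen Mesh release notes): override values
# fragment for the minimum mesh mTLS protocol version.
meshConfig:
  meshMTLS:
    # Allow only TLS 1.3 between mesh workloads (Example 1 above).
    # Omit this field to keep the default minimum of TLS 1.2 (Example 2).
    # The maximum is fixed at TLS 1.3 and is not configurable.
    minProtocolVersion: TLSV1_3
```

After the install or upgrade, the setting can be checked on a running sidecar with `istioctl proxy-config listener <pod> -o json`, where the inbound listeners' `tlsParams` should show the configured minimum. Raise the minimum only once every workload in the mesh has been re-injected with the new sidecar, since a workload still running an older proxy that negotiates TLS 1.2 will be refused by peers that now require 1.3.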

Aspen Mesh features

  • Decoupled the following components from Aspen Mesh. These components are now installed and upgraded individually via their own Helm charts, which are included in the Aspen Mesh release archive file.

    • Aspen Mesh add-ons (Aspen Mesh control plane, dashboard, event storage, metrics collector, and Jaeger). These features are deprecated. For now, you can add these features back after installing Aspen Mesh, but they may be removed in a later release. Learn about Aspen Mesh add-ons.

    • Citadel

    • Packet Inspector 1 aggregator

    • Packet Inspector 1 filter

    • Response-origin filter

  • TW-126: Improved Packet Inspector 1 so you don’t have to capture traffic from all workloads. You can install more than one instance of the Packet Inspector 1 filter to capture traffic from more than one namespace or set of labeled pods. Learn about Packet Inspector 1.

  • TW-2721/AM64: Added support for multiple DNS-controller instances. Learn about the DNS controller.

  • TW-2712: Added a pod-disruption budget to the DNS-controller chart and the ability to specify the minimum number of DNS-controller pods the DNS controller can tolerate during a voluntary disruption (such as draining a node for repair or upgrade). Learn about pod-disruption budgets in Kubernetes.

    Example

    podDisruptionBudget:
      enabled: true  # Set to false to disable the pod-disruption budget.
      minAvailable: 1
    

    In addition, changed the default deployment of the DNS controller to specify an anti-affinity rule to require Kubernetes to schedule DNS-controller pods on separate nodes. Also provided the ability to define a custom set of affinity and anti-affinity rules. Learn about using affinity and anti-affinity to assign pods to nodes in Kubernetes.

  • TW-2921: Added the ability to change the keep-alive interval for istiod by adding the .pilot.keepaliveInterval field to your Aspen Mesh override values file.

    Example

    pilot:
      keepaliveInterval: 20s
    
  • TW-2331/AM66: Added the ability to perform “contains” matching on Envoy-proxy x-forwarded-client-cert (XFCC) headers for pods whose associated authorization policies include the following annotation:

    authz.contains.aspenmesh.io/xfcc = true

    Learn about best practices for Istio authorization policies.
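The following DNS-controller override values fragment combines the pod-disruption budget shown in the TW-2712 example above with a custom anti-affinity rule of the kind that item describes. It is an added illustration, not taken from the Aspen Mesh chart: the `affinity` values key and the `app: dns-controller` pod label are assumptions about the chart, while the rule body is the standard Kubernetes `podAntiAffinity` form.

```yaml
# Added example, not from the Aspen Mesh DNS-controller chart. The "affinity"
# values key and the pod label in the selector are assumptions; confirm both
# against the chart's values.yaml before use.
podDisruptionBudget:
  enabled: true
  minAvailable: 1          # keep at least one DNS-controller pod during a node drain
affinity:
  podAntiAffinity:
    # Hard rule: never schedule two DNS-controller pods on the same node,
    # mirroring the default behaviour described above.
    requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
        matchLabels:
          app: dns-controller   # assumed pod label
      topologyKey: kubernetes.io/hostname
```

A `requiredDuringScheduling` anti-affinity rule needs at least as many schedulable nodes as DNS-controller replicas, otherwise the extra replicas stay Pending and the disruption budget cannot be met during a drain. On small clusters, use `preferredDuringSchedulingIgnoredDuringExecution` instead, which spreads pods when it can but still schedules them when it cannot.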
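An AuthorizationPolicy carrying the annotation from the TW-2331/AM66 item above, as an added example that is not from the release notes or Aspen Mesh documentation. The policy name, namespace, workload label and the `O=Example Partner` string are constructed placeholders, and the effect of the annotation on the `values` entry (substring match rather than exact match) is taken from the description above.

```yaml
# Added example (not from the Aspen Mesh release notes). Names, namespace and
# the certificate subject fragment are constructed placeholders.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-partner-client-certs
  namespace: example-ns
  annotations:
    # Aspen Mesh annotation from the release notes: match the XFCC header by
    # "contains" instead of Istio's exact, prefix or suffix matching.
    authz.contains.aspenmesh.io/xfcc: "true"
spec:
  selector:
    matchLabels:
      app: example-app
  action: ALLOW
  rules:
  - when:
    # Envoy sets x-forwarded-client-cert from the peer certificate on mTLS
    # connections; with the annotation, this value only needs to appear
    # somewhere inside the header.
    - key: request.headers[x-forwarded-client-cert]
      values:
      - "O=Example Partner"
```

Without the annotation, Istio compares `request.headers[...]` values exactly (or by `*` prefix/suffix), so the same rule would not match, because the XFCC value also carries the `By=`, `Hash=`, `Subject=` and `URI=` elements that Envoy adds. Choose a substring specific enough that it cannot occur in an unrelated element of the header, and prefer `source.principals` on the SPIFFE identity for mesh-internal peers, since that is derived from the verified certificate rather than from header text.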

Known issues

  • TW-3100: The script for logging in to the Aspen Mesh image registry (tools/aspen-mesh-image-registry-login.sh) refers to the wrong location for the pull secret, which prevents the login. Only users who store Aspen Mesh container images in a private image registry are affected.

    To work around this issue, edit the script to change:

    $TOOLS_DIR/../manifests/charts/base/templates/pullsecret.yaml

    To:

    $TOOLS_DIR/../manifests/charts/istio-control/istio-discovery/templates/pullsecret.yaml

  • TW-3062: In certain cases, Packet Inspector 1 packet captures can be lost due to an arbitrarily low default request timeout value used for streams between sidecar proxies and the aggregator service.

    To work around this issue:

    1. Add the .requestTimeout field to the override values file for the Packet Inspector 1 filter instance and set its value to 2074415s.

    2. Install or upgrade the Packet Inspector 1 filter instance.

  • AM-3069: OpenShift clusters using either the Multi-Primary or the Multi-Primary on different networks configuration for multicluster connectivity fail to create the remote secret with the following error:

    $ istioctl x create-remote-secret --name=cluster1
    
    error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
    
    error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
    
  • ASM-3695: When using Multus CNI and the Istio CNI plugin, Aspen Mesh overwrites existing pod annotations during sidecar injection.

  • ASM-3699: When Aspen Mesh is in IPv4/IPv6 dual-stack mode on a dual-stack cluster, applications can’t reach hosts defined in service entries.

  • ASM-3767: In IPv4/IPv6 dual-stack mode, when non-dual-stack services are exposed via an ingress gateway, the gateway pods don’t become ready.

  • ASM-4263: In a dual-stack installation of Aspen Mesh with service entries with a protocol of TLS and multiple hosts, communication fails for some of the hosts when clients initiate communication over IPv6.

  • ASM-4265: In a dual-stack installation of Aspen Mesh, the workaround to allow a sidecar to reroute traffic to an application listening on the IPv6 localhost address (::1) (see also IstioIngressListener) fails to reroute traffic to the application.

Download

Use either of the following methods to download the release archive file: