Istio 1.30.0 ships with extensive changes across traffic management, security, telemetry, extensibility, and installation. Traffic management highlights include ambient waypoint XFCC synthesis, TLSRoute GA support, CIDR-based ServiceEntry routing in ambient mode, wildcard ServiceEntry support for sidecar proxies, a new TrafficExtension API for Lua extensibility, and numerous bug fixes for multi-cluster routing, HTTPRoute behavior, and HBONE connection pooling. Security fixes are significant: multiple CVEs are patched including a critical RSA private key leak in the JWKS fallback (CVE-2026-31837), authorization bypass via unescaped regex in AuthorizationPolicy (CVE-2026-39350), unauthenticated XDS debug endpoints (CVE-2026-31838), JWKS URI CIDR bypass (CVE-2026-41413), and a potential SSRF in WasmPlugin image fetching. New security features include multiple CUSTOM authorization providers per workload and configurable debug endpoint namespace authorization. Telemetry adds OpenTelemetry semantic convention support and a new disableContextPropagation tracing field. Installation adds Helm v4 server-side apply support and updates the minimum supported Kubernetes version to 1.32.x.
Table of contents
Traffic ManagementSecurityTelemetryExtensibilityInstallationistioctlDocumentation changesSort: