content/en/news/releases/1.28.x/announcing-1.28/_index.md
We are pleased to announce the release of Istio 1.28. Thank you to all our contributors, testers, users and enthusiasts for helping us get the 1.28.0 release published! We would like to thank the Release Managers for this release, Gustavo Meira from Microsoft, Francisco Herrera from Red Hat, and Darrin Cecil from Microsoft.
{{< relnote >}}
{{< tip >}} Istio 1.28.0 is officially supported on Kubernetes versions 1.29 to 1.34. {{< /tip >}}
Istio 1.28 continues to build on the Gateway API Inference Extension support with the introduction of InferencePool v1. This enhancement provides better management and routing of AI inference workloads, making it easier to deploy and scale Generative AI models on Kubernetes with intelligent traffic management.
The InferencePool v1 API offers improved stability and functionality for managing pools of inference endpoints, enabling more sophisticated load balancing and failover strategies for AI workloads.
Istio 1.28 brings significant improvements to ambient multicluster deployments. Waypoints can now route traffic to remote networks in ambient multicluster configurations, expanding ambient capabilities. This enhancement enables outlier detection and other L7 policies for requests crossing networks, making it easier to manage multi-network service mesh deployments.
Ambient multicluster remains an alpha feature and there are several known issues that will be addressed in future releases. If the recent changes negatively impacted your ambient multicluster deployment, it's possible to disable the recent waypoint behavior change by setting AMBIENT_ENABLE_MULTI_NETWORK_WAYPOINT pilot environment variable to false.
We welcome feedback and bug reports from early adopters of ambient multicluster.
Istio 1.28 introduces support for native nftables when using ambient mode. This significant enhancement allows you to use nftables instead of iptables to manage network rules, providing a more flexible rule management. To enable nftables mode, use --set values.global.nativeNftables=true when installing Istio.
This addition complements the existing nftables support in sidecar mode, ensuring Istio stays current with modern Linux networking frameworks.
Istio's dual-stack networking support has been promoted to beta in this release. This advancement provides robust IPv4/IPv6 networking capabilities, enabling organizations to deploy Istio in modern network environments that require both IP protocol versions.
This release includes several important security improvements:
spaceDelimitedClaims field in RequestAuthentication resourcesNetworkPolicy Support: Optional NetworkPolicy deployment for istiod with global.networkPolicy.enabled=trueseccompProfile in istio-validation and istio-proxy containers for better security complianceFrontendTLSValidation (GEP-91) enabling mutual TLS ingress gateway configurationsBackendTLSPolicy v1: Full Gateway API v1.4 support with enhanced TLS configuration optionsServiceEntry Integration: Support for ServiceEntry as a targetRef in BackendTLSPolicy for external service TLS configurationServiceEntry resources now support wildcard hosts with DYNAMIC_DNS resolution (HTTP traffic only, requires ambient mode and waypoint)resourceScope option in Helm charts for namespace or cluster-scoped resource managementSameSite, Secure, and HttpOnlyRead about these and more in the full release notes.
We would like to hear from you regarding your experience upgrading to Istio 1.28. You can provide feedback in the #release-1.28 channel in our Slack workspace.
Would you like to contribute directly to Istio? Find and join one of our Working Groups and help us improve.