content/en/news/releases/1.9.x/announcing-1.9.4/index.md
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.9.3 and Istio 1.9.4
{{< relnote >}}
Fixed an issue where the Istio operator prunes all resources created by the operator, including itself. Now the operator will only remove resources belonging to the custom resource. (Issue #30833)
Fixed an issue ensuring lease duration is always greater than the user configured RENEW_DEADLINE for Istio operator manager. (Issue #27509)
Fixed an issue where a certificate provisioned by sidecar proxy cannot be used by Prometheus. (Issue #29919)
Fixed an issue that creates an IOP under istio-system when installing Istio in another namespace. (Issue #31517)
Fixed an issue when using PeerAuthentication to turn off mTLS while using multi-network. Now non-mTLS endpoints will be removed from cross-network load-balancing endpoints to prevent 500 errors. (Issue #28798)
Fixed istiod never becoming ready when it fails to read resources from clusters configured via remote secrets.
After a timeout configured by PILOT_REMOTE_CLUSTER_TIMEOUT (default 30s), istiod will become ready without
syncing remote clusters. The stat remote_cluster_sync_timeouts will be incremented when this occurs. (Issue #30838)
Fixed an issue where istiod will not create a self-signed root CA and istio-ca-root-cert configmap when values.global.pilotCertProvider is kubernetes. (Issue #32023)
Improved the istioctl x workload command to configure VMs to disable inbound iptables capture for admin ports, matching the behavior of Kubernetes Pods. (Issue #29412)
Improved performance of istiod when running on clusters with thousands of namespaces. (Issue #32269
Improved detection of Server Side Apply in Kubernetes. (Issue #32101)