Announcing Istio 1.29.0

Istio 1.29 Release Announcement.

Feb 16, 2026

We are pleased to announce the release of Istio 1.29. Thank you to all our contributors, testers, users and enthusiasts for helping us get the 1.29.0 release published! We would like to thank the Release Managers for this release, Francisco Herrera from Red Hat, Darrin Cecil from Microsoft, and Petr McAllister from Solo.io.

What’s new?

Ambient Mesh Production-Ready Enhancements

Istio 1.29 makes two operational improvements the default for ambient mesh. First, DNS capture is now enabled by default for ambient workloads, improving security and performance while enabling advanced features like better service discovery and traffic management. This enhancement ensures that DNS traffic from ambient workloads is properly proxied through the mesh infrastructure.

Additionally, iptables reconciliation is now enabled by default, providing automatic network rule updates when the istio-cni DaemonSet is upgraded. This eliminates the manual intervention previously required to ensure existing ambient pods receive updated networking configuration, making ambient mesh operations more seamless and reliable for production environments.

Enhanced Security Posture

This release adds security enhancements across multiple components. Certificate Revocation List (CRL) support is now available in ztunnel, allowing validation and rejection of revoked certificates when using plugged-in certificate authorities. This strengthens the security posture of service mesh deployments using external CAs.

Debug endpoint authorization is enabled by default, providing namespace-based access controls for debug endpoints on port 15014. Non-system namespaces are now restricted to specific endpoints (config_dump, ndsz, edsz) and to same-namespace proxies only, improving security without impacting normal operations. Special thanks to Sergey KANIBOR at Luntry for reporting the debug endpoint authorization issue.

Optional NetworkPolicy deployment is now available for istiod, istio-cni, and ztunnel components, enabling users to deploy default NetworkPolicies with global.networkPolicy.enabled=true for enhanced network security.

TLS Traffic Management for Wildcard Hosts

Istio 1.29 introduces alpha support for wildcard hosts in ServiceEntry resources with DYNAMIC_DNS resolution, specifically for TLS traffic. This enables routing based on the SNI (Server Name Indication) from the TLS handshake, without terminating the TLS connection to inspect Host headers.

While this feature has important security implications due to potential SNI spoofing, it provides powerful capabilities for managing external TLS services when used with trusted clients. The feature requires explicit enablement via the ENABLE_WILDCARD_HOST_SERVICE_ENTRIES_FOR_TLS feature flag.
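The SNI-based routing decision described above, sketched in Go as an added example (not Istio or Envoy code): the proxy side reads only the plaintext ClientHello, so the name it routes on is whatever the client declared. The functions `peekSNI`, `matchesWildcard` and `routeDeclared`, the host names and the suffix-match rule are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"strings"
)

// peekSNI parses only the ClientHello on conn and returns the declared server
// name. The handshake is then aborted, so nothing is decrypted or verified.
func peekSNI(conn net.Conn) string {
	var sni string
	tls.Server(conn, &tls.Config{
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			sni = h.ServerName
			return nil, errors.New("peek only")
		},
	}).Handshake()
	return sni
}

// matchesWildcard is an assumed, simplified matcher (not Istio's): "*.example.com"
// admits names ending in ".example.com"; any other pattern must match exactly.
func matchesWildcard(pattern, host string) bool {
	host = strings.ToLower(host)
	if strings.HasPrefix(pattern, "*.") {
		return len(host) > len(pattern)-1 && strings.HasSuffix(host, pattern[1:])
	}
	return host == pattern
}

// routeDeclared runs a constructed in-memory client that declares name as its
// SNI, and reports what the proxy side saw and whether the wildcard admits it.
func routeDeclared(pattern, name string) (string, bool) {
	client, proxy := net.Pipe()
	defer client.Close()
	defer proxy.Close()
	go tls.Client(client, &tls.Config{ServerName: name}).Handshake()
	sni := peekSNI(proxy)
	return sni, matchesWildcard(pattern, sni)
}

func main() {
	for _, n := range []string{"api.example.com", "example.com.other.test", "badexample.com"} {
		sni, ok := routeDeclared("*.example.com", n)
		fmt.Printf("declared=%q forwarded=%v\n", sni, ok)
	}
}
```

The match anchors on the leading dot of the suffix, so look-alike names such as `badexample.com` are not admitted; the declared name itself is still unauthenticated input, which is why the feature is gated and intended for trusted clients.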

Performance and Observability Improvements

HTTP compression for Envoy metrics is now enabled by default, providing automatic compression (brotli, gzip, and zstd) for the Prometheus stats endpoint based on client Accept-Header values. This reduces network overhead for metrics collection while maintaining compatibility with existing monitoring infrastructure.

Baggage-based telemetry support has been added in alpha for ambient mesh, particularly benefiting multinetwork deployments. When enabled via the AMBIENT_ENABLE_BAGGAGE pilot environment variable, this feature ensures proper source and destination attribution for cross-network traffic metrics, improving observability in complex network topologies.

Simplified Operations and Resource Management

Istio 1.29 introduces pilot resource filtering capabilities through the PILOT_IGNORE_RESOURCES environment variable, enabling administrators to deploy Istio as a Gateway API-only controller or with specific resource subsets. This is particularly valuable for GAMMA (Gateway API for Mesh Management and Administration) deployments.

Memory management has been improved with istiod now automatically setting GOMEMLIMIT to 90% of memory limits (via the automemlimit library), reducing the risk of OOM kills while maintaining optimal performance. Circuit breaker metrics tracking is now disabled by default, improving proxy memory usage while maintaining the option to enable legacy behavior when needed.

Inference Extension Support Promoted to Beta

Support for the Gateway API Inference Extension has been promoted to beta in Istio 1.29. The inference extension is an official Kubernetes project that utilizes a new InferencePool CRD object, along with existing Kubernetes Gateway API traffic management objects (Gateway, HTTPRoute), in order to optimize the serving of self-hosted Generative AI models in Kubernetes.

Istio 1.29 is conformant with the v1.0.1 version of the inference extension, and is available to try by enabling the ENABLE_GATEWAY_API_INFERENCE_EXTENSION pilot environment variable. Future releases of Gateway API Inference Extension will be supported in upcoming versions of Istio.

See our guide and original blog post in order to get started.

Multi-network multicluster ambient goes Beta

This release also promotes multi-network multicluster in ambient to beta status. Lots of improvements were made for robustness and completeness. The main area of focus for this transition was telemetry, where important gaps were addressed, including the implementation of more advanced peer metadata exchange in the ambient data-plane.

This means some confusing cases in multinetwork telemetry were addressed, ranging from scenarios where waypoints wouldn’t be properly reported in L4 metrics to cases where peer information was not fully available for requests traversing different networks through an E/W Gateway.

Also, we now have a quick guide showing how to deploy Prometheus and Kiali for multi-network multicluster in ambient mode.

Note that some of these improvements may also be behind the AMBIENT_ENABLE_BAGGAGE feature flag mentioned in the sections above, so make sure to enable it if you want to try them out. If you need more information on how to deploy multi-network multicluster using the ambient data-plane, please follow this guide. You’ll find more details about the feature in the release notes.

Don’t forget to share your feedback with us!

Plus Much More

Read about these and more in the full release notes.

Upgrading to 1.29

We would like to hear from you regarding your experience upgrading to Istio 1.29. You can provide feedback in the #release-1.29 channel in our Slack workspace.

Would you like to contribute directly to Istio? Find and join one of our Working Groups and help us improve.
