diff --git a/README.md b/README.md
index d2a87f2fbe..46f725daf8 100644
--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ This repository periodically synchronizes all official Kubeflow components from
| Kubeflow Pipelines | applications/pipeline/upstream | [2.14.3](https://github.com/kubeflow/pipelines/tree/2.14.3/manifests/kustomize) | 970m | 3552Mi | 35GB |
| Kubeflow Model Registry | applications/model-registry/upstream | [v0.3.3](https://github.com/kubeflow/model-registry/tree/v0.3.3/manifests/kustomize) | 510m | 2112Mi | 20GB |
| Spark Operator | applications/spark/spark-operator | [2.3.0](https://github.com/kubeflow/spark-operator/tree/v2.3.0) | 9m | 41Mi | 0GB |
-| Istio | common/istio | [1.27.0](https://github.com/istio/istio/releases/tag/1.27.0) | 750m | 2364Mi | 0GB |
+| Istio | common/istio | [1.28.0](https://github.com/istio/istio/releases/tag/1.28.0) | 750m | 2364Mi | 0GB |
| Knative | common/knative/knative-serving
common/knative/knative-eventing | [v1.16.2](https://github.com/knative/serving/releases/tag/knative-v1.16.2)
[v1.16.4](https://github.com/knative/eventing/releases/tag/knative-v1.16.4) | 1450m | 1038Mi | 0GB |
| Cert Manager | common/cert-manager | [1.16.1](https://github.com/cert-manager/cert-manager/releases/tag/v1.16.1) | 3m | 128Mi | 0GB |
| Dex | common/dex | [2.43.1](https://github.com/dexidp/dex/releases/tag/v2.43.1) | 3m | 27Mi | 0GB |
diff --git a/common/istio/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio/cluster-local-gateway/base/cluster-local-gateway.yaml
index 48869f02b6..feb11cf87d 100644
--- a/common/istio/cluster-local-gateway/base/cluster-local-gateway.yaml
+++ b/common/istio/cluster-local-gateway/base/cluster-local-gateway.yaml
@@ -7,8 +7,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -26,8 +26,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/dataplane-mode: none
@@ -59,9 +59,9 @@ spec:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
+ app.kubernetes.io/version: 1.28.0
chart: gateways
- helm.sh/chart: istio-ingress-1.27.0
+ helm.sh/chart: istio-ingress-1.28.0
heritage: Tiller
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
@@ -143,7 +143,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- image: gcr.io/istio-release/proxyv2:1.27.0
+ image: gcr.io/istio-release/proxyv2:1.28.0
name: istio-proxy
ports:
- containerPort: 15020
@@ -251,31 +251,6 @@ spec:
optional: true
secretName: istio-ingressgateway-ca-certs
---
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- labels:
- app: cluster-local-gateway
- app.kubernetes.io/instance: istio
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: istio-ingressgateway
- app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
- install.operator.istio.io/owning-resource: unknown
- istio: cluster-local-gateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: cluster-local-gateway
- namespace: istio-system
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: cluster-local-gateway
- istio: cluster-local-gateway
----
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -284,8 +259,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -310,8 +285,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -335,8 +310,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -369,8 +344,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
diff --git a/common/istio/cluster-local-gateway/base/kustomization.yaml b/common/istio/cluster-local-gateway/base/kustomization.yaml
index 4943fed10b..289d3b49fa 100644
--- a/common/istio/cluster-local-gateway/base/kustomization.yaml
+++ b/common/istio/cluster-local-gateway/base/kustomization.yaml
@@ -9,5 +9,4 @@ resources:
- gateway.yaml
patches:
-- path: patches/remove-pdb.yaml
- path: patches/seccomp-cluster-local-gateway.yaml
diff --git a/common/istio/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio/cluster-local-gateway/base/patches/remove-pdb.yaml
deleted file mode 100644
index 547db933d4..0000000000
--- a/common/istio/cluster-local-gateway/base/patches/remove-pdb.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-$patch: delete
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: cluster-local-gateway
- namespace: istio-system
diff --git a/common/istio/istio-crds/base/crd.yaml b/common/istio/istio-crds/base/crd.yaml
index 8614057024..713a018533 100644
--- a/common/istio/istio-crds/base/crd.yaml
+++ b/common/istio/istio-crds/base/crd.yaml
@@ -7,8 +7,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: authorizationpolicies.security.istio.io
spec:
group: security.istio.io
@@ -402,7 +402,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
- storage: false
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
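Review bot: The storage version of the authorizationpolicies CRD moves from the last listed version to the first one here, with the matching `storage: true` to `storage: false` flip in the hunk at -783, and nothing in the commit tells operators what that means on upgrade. The same pair of flips appears for peerauthentications (-8387 / -8554) and requestauthentications (-9037 / -9334). Objects already persisted keep their old encoding in etcd until they are rewritten, and the CRD's `status.storedVersions` will list both versions, which blocks any later removal of the old one. Since these are the mesh's authorization and authentication policies, I would add an upgrade note to the README such as `After upgrading to Istio 1.28.0, check status.storedVersions on the security.istio.io CRDs and re-apply existing policies before dropping the older API version.` The version names sit outside this hunk, so which version gains storage is inferred from the list order.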
@@ -783,7 +783,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
@@ -797,8 +797,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: destinationrules.networking.istio.io
spec:
group: networking.istio.io
@@ -1030,6 +1030,23 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes for the
+ cookie.
+ items:
+ properties:
+ name:
+ description: The name of the cookie
+ attribute.
+ type: string
+ value:
+ description: The optional value of
+ the cookie attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -1418,6 +1435,24 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes
+ for the cookie.
+ items:
+ properties:
+ name:
+ description: The name of the
+ cookie attribute.
+ type: string
+ value:
+ description: The optional
+ value of the cookie
+ attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -1982,6 +2017,23 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes for the
+ cookie.
+ items:
+ properties:
+ name:
+ description: The name of the cookie
+ attribute.
+ type: string
+ value:
+ description: The optional value of the
+ cookie attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -2347,6 +2399,23 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes for the
+ cookie.
+ items:
+ properties:
+ name:
+ description: The name of the cookie
+ attribute.
+ type: string
+ value:
+ description: The optional value of
+ the cookie attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -3055,6 +3124,23 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes for the
+ cookie.
+ items:
+ properties:
+ name:
+ description: The name of the cookie
+ attribute.
+ type: string
+ value:
+ description: The optional value of
+ the cookie attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -3443,6 +3529,24 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes
+ for the cookie.
+ items:
+ properties:
+ name:
+ description: The name of the
+ cookie attribute.
+ type: string
+ value:
+ description: The optional
+ value of the cookie
+ attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -4007,6 +4111,23 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes for the
+ cookie.
+ items:
+ properties:
+ name:
+ description: The name of the cookie
+ attribute.
+ type: string
+ value:
+ description: The optional value of the
+ cookie attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -4372,6 +4493,23 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes for the
+ cookie.
+ items:
+ properties:
+ name:
+ description: The name of the cookie
+ attribute.
+ type: string
+ value:
+ description: The optional value of
+ the cookie attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -5080,6 +5218,23 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes for the
+ cookie.
+ items:
+ properties:
+ name:
+ description: The name of the cookie
+ attribute.
+ type: string
+ value:
+ description: The optional value of
+ the cookie attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -5468,6 +5623,24 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes
+ for the cookie.
+ items:
+ properties:
+ name:
+ description: The name of the
+ cookie attribute.
+ type: string
+ value:
+ description: The optional
+ value of the cookie
+ attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -6032,6 +6205,23 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes for the
+ cookie.
+ items:
+ properties:
+ name:
+ description: The name of the cookie
+ attribute.
+ type: string
+ value:
+ description: The optional value of the
+ cookie attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -6397,6 +6587,23 @@ spec:
httpCookie:
description: Hash based on HTTP cookie.
properties:
+ attributes:
+ description: Additional attributes for the
+ cookie.
+ items:
+ properties:
+ name:
+ description: The name of the cookie
+ attribute.
+ type: string
+ value:
+ description: The optional value of
+ the cookie attribute.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
name:
description: Name of the cookie.
type: string
@@ -6900,8 +7107,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: envoyfilters.networking.istio.io
spec:
group: networking.istio.io
@@ -7329,8 +7536,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: gateways.networking.istio.io
spec:
group: networking.istio.io
@@ -7408,6 +7615,10 @@ spec:
description: Set of TLS related options that govern the
server's behavior.
properties:
+ caCertCredentialName:
+ description: For mutual TLS, the name of the secret or
+ the configmap that holds CA certificates.
+ type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or
`OPTIONAL_MUTUAL`.
@@ -7691,6 +7902,10 @@ spec:
description: Set of TLS related options that govern the
server's behavior.
properties:
+ caCertCredentialName:
+ description: For mutual TLS, the name of the secret or
+ the configmap that holds CA certificates.
+ type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or
`OPTIONAL_MUTUAL`.
@@ -7974,6 +8189,10 @@ spec:
description: Set of TLS related options that govern the
server's behavior.
properties:
+ caCertCredentialName:
+ description: For mutual TLS, the name of the secret or
+ the configmap that holds CA certificates.
+ type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or
`OPTIONAL_MUTUAL`.
@@ -8206,8 +8425,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: peerauthentications.security.istio.io
spec:
group: security.istio.io
@@ -8387,7 +8606,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
- storage: false
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
@@ -8554,7 +8773,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
@@ -8568,8 +8787,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: proxyconfigs.networking.istio.io
spec:
group: networking.istio.io
@@ -8726,8 +8945,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: requestauthentications.security.istio.io
spec:
group: security.istio.io
@@ -8851,6 +9070,14 @@ spec:
output a successfully verified JWT payload to the
backend.
type: string
+ spaceDelimitedClaims:
+ description: List of JWT claim names that should be
+ treated as space-delimited strings.
+ items:
+ minLength: 1
+ type: string
+ maxItems: 64
+ type: array
timeout:
description: The maximum amount of time that the resolver,
determined by the PILOT_JWT_ENABLE_REMOTE_JWKS
@@ -9037,7 +9264,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
- storage: false
+ storage: true
subresources:
status: {}
- name: v1beta1
@@ -9148,6 +9375,14 @@ spec:
output a successfully verified JWT payload to the
backend.
type: string
+ spaceDelimitedClaims:
+ description: List of JWT claim names that should be
+ treated as space-delimited strings.
+ items:
+ minLength: 1
+ type: string
+ maxItems: 64
+ type: array
timeout:
description: The maximum amount of time that the resolver,
determined by the PILOT_JWT_ENABLE_REMOTE_JWKS
@@ -9334,7 +9569,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
@@ -9348,8 +9583,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: serviceentries.networking.istio.io
spec:
group: networking.istio.io
@@ -9541,12 +9776,13 @@ spec:
description: |-
Service resolution mode for the hosts.
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
enum:
- NONE
- STATIC
- DNS
- DNS_ROUND_ROBIN
+ - DYNAMIC_DNS
type: string
subjectAltNames:
description: If specified, the proxy will verify that the server
@@ -9850,12 +10086,13 @@ spec:
description: |-
Service resolution mode for the hosts.
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
enum:
- NONE
- STATIC
- DNS
- DNS_ROUND_ROBIN
+ - DYNAMIC_DNS
type: string
subjectAltNames:
description: If specified, the proxy will verify that the server
@@ -10159,12 +10396,13 @@ spec:
description: |-
Service resolution mode for the hosts.
- Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+ Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
enum:
- NONE
- STATIC
- DNS
- DNS_ROUND_ROBIN
+ - DYNAMIC_DNS
type: string
subjectAltNames:
description: If specified, the proxy will verify that the server
@@ -10303,8 +10541,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: sidecars.networking.istio.io
spec:
group: networking.istio.io
@@ -10646,6 +10884,10 @@ spec:
TLS termination on the sidecar for requests originating
from outside the mesh.
properties:
+ caCertCredentialName:
+ description: For mutual TLS, the name of the secret or
+ the configmap that holds CA certificates.
+ type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or
`OPTIONAL_MUTUAL`.
@@ -11246,6 +11488,10 @@ spec:
TLS termination on the sidecar for requests originating
from outside the mesh.
properties:
+ caCertCredentialName:
+ description: For mutual TLS, the name of the secret or
+ the configmap that holds CA certificates.
+ type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or
`OPTIONAL_MUTUAL`.
@@ -11846,6 +12092,10 @@ spec:
TLS termination on the sidecar for requests originating
from outside the mesh.
properties:
+ caCertCredentialName:
+ description: For mutual TLS, the name of the secret or
+ the configmap that holds CA certificates.
+ type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or
`OPTIONAL_MUTUAL`.
@@ -12129,8 +12379,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: telemetries.telemetry.istio.io
spec:
group: telemetry.istio.io
@@ -13081,8 +13331,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: virtualservices.networking.istio.io
spec:
group: networking.istio.io
@@ -16367,8 +16617,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: wasmplugins.extensions.istio.io
spec:
group: extensions.istio.io
@@ -16740,8 +16990,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: workloadentries.networking.istio.io
spec:
group: networking.istio.io
@@ -17264,8 +17514,8 @@ metadata:
app.kubernetes.io/instance: istio
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
name: workloadgroups.networking.istio.io
spec:
group: networking.istio.io
diff --git a/common/istio/istio-install/base/install.yaml b/common/istio/istio-install/base/install.yaml
index c911bfef06..604aad70dd 100644
--- a/common/istio/istio-install/base/install.yaml
+++ b/common/istio/istio-install/base/install.yaml
@@ -7,8 +7,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: cni-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: cni-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -25,8 +25,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: ingressgateway
istio.io/rev: default
@@ -44,8 +44,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-reader
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: base-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: base-1.28.0
release: istio
name: istio-reader-service-account
namespace: istio-system
@@ -59,8 +59,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
release: istio
name: istiod
namespace: istio-system
@@ -74,8 +74,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: cni-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: cni-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -102,8 +102,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: cni-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: cni-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -135,8 +135,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-reader
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
release: istio
name: istio-reader-clusterrole-istio-system
rules:
@@ -249,8 +249,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
release: istio
name: istiod-clusterrole-istio-system
rules:
@@ -443,7 +443,7 @@ rules:
- patch
- delete
- apiGroups:
- - inference.networking.x-k8s.io
+ - inference.networking.k8s.io
resources:
- inferencepools
verbs:
@@ -451,7 +451,7 @@ rules:
- watch
- list
- apiGroups:
- - inference.networking.x-k8s.io
+ - inference.networking.k8s.io
resources:
- inferencepools/status
verbs:
@@ -493,8 +493,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
release: istio
name: istiod-gateway-controller-istio-system
rules:
@@ -568,8 +568,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: cni-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: cni-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -592,8 +592,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: cni-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: cni-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
k8s-app: istio-cni-repair
@@ -618,8 +618,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-reader
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
release: istio
name: istio-reader-clusterrole-istio-system
roleRef:
@@ -640,8 +640,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
release: istio
name: istiod-clusterrole-istio-system
roleRef:
@@ -662,8 +662,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
release: istio
name: istiod-gateway-controller-istio-system
roleRef:
@@ -684,8 +684,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
istio: istiod
istio.io/rev: default
release: istio
@@ -744,8 +744,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -773,7 +773,7 @@ data:
AMBIENT_IPV6: 'true'
AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: 'false'
CHAINED_CNI_PLUGIN: 'true'
- CURRENT_AGENT_VERSION: 1.27.0
+ CURRENT_AGENT_VERSION: 1.28.0
EXCLUDE_NAMESPACES: kube-system
ISTIO_OWNED_CNI_CONFIG: 'false'
NATIVE_NFTABLES: 'false'
@@ -792,8 +792,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: cni-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: cni-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -936,13 +936,12 @@ data:
- "-o"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
{{ end -}}
- {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
- - "-k"
- - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
- {{ end -}}
{{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
- "-k"
- "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+ {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+ - "-k"
+ - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
{{ end -}}
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
- "-c"
@@ -993,6 +992,10 @@ data:
runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
runAsNonRoot: true
{{- end }}
+ {{- if .Values.global.proxy.seccompProfile }}
+ seccompProfile:
+ {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+ {{- end }}
{{ end -}}
{{ end -}}
{{ if not $nativeSidecar }}
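Review bot: The new `seccompProfile` block is rendered only when `.Values.global.proxy.seccompProfile` is non-empty, and the values hunk at -2887 adds `"seccompProfile": {}`, so after this commit the injected containers still get no seccomp profile from the template. The second template hunk at -1220 has the same condition. Namespaces that enforce the restricted Pod Security Standard need an explicit profile, so injected pods would be rejected there unless one is set at pod level or patched in elsewhere. If no kustomize patch in this repository already covers the injector ConfigMap, I would set `"seccompProfile": {"type": "RuntimeDefault"},` in the values used to render this file rather than editing the generated output. The securityContext template this sits in starts and ends outside the hunk.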
@@ -1220,6 +1223,10 @@ data:
runAsGroup: {{ .ProxyGID | default "1337" }}
{{- end }}
{{- end }}
+ {{- if .Values.global.proxy.seccompProfile }}
+ seccompProfile:
+ {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+ {{- end }}
resources:
{{ template "resources" . }}
volumeMounts:
@@ -2030,6 +2037,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
{{- if ge .KubeVersion 128 }}
# Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
@@ -2052,6 +2060,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
"gateway.istio.io/managed" .ControllerLabel
) | nindent 4 }}
ownerReferences:
@@ -2085,6 +2094,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
"gateway.istio.io/managed" .ControllerLabel
) | nindent 8}}
spec:
@@ -2104,7 +2114,6 @@ data:
tolerations:
{{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
{{- end }}
- terminationGracePeriodSeconds: 2
serviceAccountName: {{.ServiceAccount | quote}}
containers:
- name: istio-proxy
@@ -2342,6 +2351,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
name: {{.DeploymentName | quote}}
namespace: {{.Namespace | quote}}
@@ -2378,6 +2388,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
ownerReferences:
- apiVersion: gateway.networking.k8s.io/v1beta1
@@ -2403,6 +2414,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
ownerReferences:
- apiVersion: gateway.networking.k8s.io/v1beta1
@@ -2426,6 +2438,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
{{- if ge .KubeVersion 128 }}
# Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
@@ -2448,6 +2461,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
"gateway.istio.io/managed" "istio.io-gateway-controller"
) | nindent 4 }}
ownerReferences:
@@ -2480,6 +2494,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
"gateway.istio.io/managed" "istio.io-gateway-controller"
) | nindent 8 }}
spec:
@@ -2743,6 +2758,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
name: {{.DeploymentName | quote}}
namespace: {{.Namespace | quote}}
@@ -2779,6 +2795,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
ownerReferences:
- apiVersion: gateway.networking.k8s.io/v1beta1
@@ -2804,6 +2821,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
+ "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
) | nindent 4 }}
ownerReferences:
- apiVersion: gateway.networking.k8s.io/v1beta1
@@ -2856,6 +2874,9 @@ data:
},
"nativeNftables": false,
"network": "",
+ "networkPolicy": {
+ "enabled": false
+ },
"omitSidecarInjectorConfigMap": false,
"operatorManageWebhooks": false,
"pilotCertProvider": "istiod",
@@ -2887,6 +2908,7 @@ data:
"memory": "128Mi"
}
},
+ "seccompProfile": {},
"startupProbe": {
"enabled": true,
"failureThreshold": 600
@@ -2899,6 +2921,7 @@ data:
"image": "proxyv2"
},
"remotePilotAddress": "",
+ "resourceScope": "all",
"sds": {
"token": {
"aud": "istio-ca"
@@ -2907,7 +2930,7 @@ data:
"sts": {
"servicePort": 0
},
- "tag": "1.27.0",
+ "tag": "1.28.0",
"variant": "",
"waypoint": {
"affinity": {},
@@ -2952,8 +2975,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -3034,6 +3057,9 @@ data:
},
"nativeNftables": false,
"network": "",
+ "networkPolicy": {
+ "enabled": false
+ },
"omitSidecarInjectorConfigMap": false,
"operatorManageWebhooks": false,
"pilotCertProvider": "istiod",
@@ -3065,6 +3091,7 @@ data:
"memory": "128Mi"
}
},
+ "seccompProfile": {},
"startupProbe": {
"enabled": true,
"failureThreshold": 600
@@ -3077,6 +3104,7 @@ data:
"image": "proxyv2"
},
"remotePilotAddress": "",
+ "resourceScope": "all",
"sds": {
"token": {
"aud": "istio-ca"
@@ -3085,7 +3113,7 @@ data:
"sts": {
"servicePort": 0
},
- "tag": "1.27.0",
+ "tag": "1.28.0",
"variant": "",
"waypoint": {
"affinity": {},
@@ -3209,7 +3237,7 @@ data:
"configValidation": true,
"hub": "gcr.io/istio-release",
"istioNamespace": "istio-system",
- "tag": "1.27.0"
+ "tag": "1.28.0"
},
"meshConfig": {
"tcpKeepalive": {
@@ -3239,8 +3267,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -3257,8 +3285,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -3414,8 +3442,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: cni-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: cni-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
k8s-app: istio-cni-node
@@ -3440,8 +3468,8 @@ spec:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-cni
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: cni-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: cni-1.28.0
istio.io/dataplane-mode: none
k8s-app: istio-cni-node
sidecar.istio.io/inject: 'false'
@@ -3488,7 +3516,7 @@ spec:
envFrom:
- configMapRef:
name: istio-cni-config
- image: gcr.io/istio-release/install-cni:1.27.0
+ image: gcr.io/istio-release/install-cni:1.28.0
name: install-cni
ports:
- containerPort: 15014
@@ -3570,8 +3598,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: ingressgateway
istio.io/dataplane-mode: none
@@ -3603,9 +3631,9 @@ spec:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
+ app.kubernetes.io/version: 1.28.0
chart: gateways
- helm.sh/chart: istio-ingress-1.27.0
+ helm.sh/chart: istio-ingress-1.28.0
heritage: Tiller
install.operator.istio.io/owning-resource: unknown
istio: ingressgateway
@@ -3685,7 +3713,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- image: gcr.io/istio-release/proxyv2:1.27.0
+ image: gcr.io/istio-release/proxyv2:1.28.0
name: istio-proxy
ports:
- containerPort: 15021
@@ -3804,8 +3832,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
@@ -3833,8 +3861,8 @@ spec:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/dataplane-mode: none
@@ -3895,7 +3923,7 @@ spec:
resource: limits.cpu
- name: PLATFORM
value: ''
- image: gcr.io/istio-release/pilot:1.27.0
+ image: gcr.io/istio-release/pilot:1.28.0
name: discovery
ports:
- containerPort: 8080
@@ -3982,56 +4010,6 @@ spec:
optional: true
name: istio-csr-ca-configmap
---
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- labels:
- app: istio-ingressgateway
- app.kubernetes.io/instance: istio
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: istio-ingressgateway
- app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: istio-ingressgateway
- istio: ingressgateway
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- labels:
- app: istiod
- app.kubernetes.io/instance: istio
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: istiod
- app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
- install.operator.istio.io/owning-resource: unknown
- istio: pilot
- istio.io/rev: default
- operator.istio.io/component: Pilot
- release: istio
- name: istiod
- namespace: istio-system
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: istiod
- istio: pilot
----
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -4040,8 +4018,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -4067,8 +4045,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
release: istio
name: istiod
namespace: istio-system
@@ -4114,8 +4092,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -4139,8 +4117,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
release: istio
name: istiod
namespace: istio-system
@@ -4162,8 +4140,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: ingressgateway
istio.io/rev: default
@@ -4195,8 +4173,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -4228,8 +4206,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingressgateway
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istio-ingress-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istio-ingress-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: ingressgateway
istio.io/rev: default
@@ -4265,8 +4243,8 @@ metadata:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istiod
app.kubernetes.io/part-of: istio
- app.kubernetes.io/version: 1.27.0
- helm.sh/chart: istiod-1.27.0
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: istiod-1.28.0
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
diff --git a/common/istio/istio-install/base/kustomization.yaml b/common/istio/istio-install/base/kustomization.yaml
index 677a626d09..e0adf6754c 100644
--- a/common/istio/istio-install/base/kustomization.yaml
+++ b/common/istio/istio-install/base/kustomization.yaml
@@ -14,8 +14,6 @@ patches:
- path: patches/service.yaml
- path: patches/istio-configmap-disable-tracing.yaml
- path: patches/disable-debugging.yaml
-- path: patches/istio-ingressgateway-remove-pdb.yaml
-- path: patches/istiod-remove-pdb.yaml
- path: patches/seccomp-istio-ingressgateway.yaml
- path: patches/seccomp-istiod.yaml
diff --git a/common/istio/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
deleted file mode 100644
index f40567eb95..0000000000
--- a/common/istio/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-$patch: delete
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: istio-ingressgateway
- namespace: istio-system
diff --git a/common/istio/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio/istio-install/base/patches/istiod-remove-pdb.yaml
deleted file mode 100644
index 3de371b704..0000000000
--- a/common/istio/istio-install/base/patches/istiod-remove-pdb.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-$patch: delete
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: istiod
- namespace: istio-system
diff --git a/common/istio/istio-install/components/ambient-mode/ztunnel.yaml b/common/istio/istio-install/components/ambient-mode/ztunnel.yaml
index 0c3115ca7d..eda4be7b1f 100644
--- a/common/istio/istio-install/components/ambient-mode/ztunnel.yaml
+++ b/common/istio/istio-install/components/ambient-mode/ztunnel.yaml
@@ -1,104 +1,53 @@
----
-# Source: ztunnel/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
- name: ztunnel
- namespace: istio-system
+ annotations: {}
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ztunnel
- app.kubernetes.io/managed-by: "Helm"
- app.kubernetes.io/instance: "ztunnel"
- app.kubernetes.io/part-of: "istio"
- app.kubernetes.io/version: "1.27.1"
- helm.sh/chart: ztunnel-1.27.1
- annotations:
- {}
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: ztunnel-1.28.0
+ name: ztunnel
+ namespace: istio-system
---
-# Source: ztunnel/templates/daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
- name: ztunnel
- namespace: istio-system
+ annotations: {}
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ztunnel
- app.kubernetes.io/managed-by: "Helm"
- app.kubernetes.io/instance: "ztunnel"
- app.kubernetes.io/part-of: "istio"
- app.kubernetes.io/version: "1.27.1"
- helm.sh/chart: ztunnel-1.27.1
- annotations:
- {}
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: ztunnel-1.28.0
+ name: ztunnel
+ namespace: istio-system
spec:
- updateStrategy:
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- type: RollingUpdate
selector:
matchLabels:
app: ztunnel
template:
metadata:
+ annotations:
+ prometheus.io/port: '15020'
+ prometheus.io/scrape: 'true'
+ sidecar.istio.io/inject: 'false'
labels:
- sidecar.istio.io/inject: "false"
- istio.io/dataplane-mode: none
app: ztunnel
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ztunnel
- app.kubernetes.io/managed-by: "Helm"
- app.kubernetes.io/instance: "ztunnel"
- app.kubernetes.io/part-of: "istio"
- app.kubernetes.io/version: "1.27.1"
- helm.sh/chart: ztunnel-1.27.1
- annotations:
- sidecar.istio.io/inject: "false"
- prometheus.io/port: "15020"
- prometheus.io/scrape: "true"
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.28.0
+ helm.sh/chart: ztunnel-1.28.0
+ istio.io/dataplane-mode: none
+ sidecar.istio.io/inject: 'false'
spec:
- nodeSelector:
- kubernetes.io/os: linux
- serviceAccountName: ztunnel
- tolerations:
- - effect: NoSchedule
- operator: Exists
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoExecute
- operator: Exists
containers:
- - name: istio-proxy
- image: "docker.io/istio/ztunnel:1.27.1"
- ports:
- - containerPort: 15020
- name: ztunnel-stats
- protocol: TCP
- resources:
- requests:
- cpu: 200m
- memory: 512Mi
- securityContext:
- # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
- # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
- allowPrivilegeEscalation: true
- privileged: false
- capabilities:
- drop:
- - ALL
- add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
- - NET_ADMIN # Required for TPROXY and setsockopt
- - SYS_ADMIN # Required for `setns` - doing things in other netns
- - NET_RAW # Required for RAW/PACKET sockets, TPROXY
- readOnlyRootFilesystem: true
- runAsGroup: 1337
- runAsNonRoot: false
- runAsUser: 0
- readinessProbe:
- httpGet:
- port: 15021
- path: /healthz/ready
- args:
+ - args:
- proxy
- ztunnel
env:
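Review bot: Anything that selects ztunnel objects by `app.kubernetes.io/instance: ztunnel` will stop matching after this re-render, because the label becomes `istio` on the ServiceAccount, the DaemonSet and the pod template. The DaemonSet selector still matches on `app: ztunnel`, so the rollout itself should be unaffected, but a NetworkPolicy, monitor or dashboard keyed on the instance label would fail silently; a search for that label value before merging would confirm this. The `# Source: ztunnel/templates/...` markers are removed as well, so a one-line header such as `# Rendered from chart ztunnel-1.28.0; do not edit by hand` would keep the provenance visible. The pod spec continues past the end of this hunk.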
@@ -107,15 +56,15 @@ spec:
- name: XDS_ADDRESS
value: istiod.istio-system.svc:15012
- name: RUST_LOG
- value: "info"
+ value: info
- name: RUST_BACKTRACE
- value: "1"
+ value: '1'
- name: ISTIO_META_CLUSTER_ID
value: Kubernetes
- name: INPOD_ENABLED
- value: "true"
+ value: 'true'
- name: TERMINATION_GRACE_PERIOD_SECONDS
- value: "30"
+ value: '30'
- name: POD_NAME
valueFrom:
fieldRef:
@@ -140,6 +89,34 @@ spec:
valueFrom:
resourceFieldRef:
resource: limits.cpu
+ image: gcr.io/istio-release/ztunnel:1.28.0
+ name: istio-proxy
+ ports:
+ - containerPort: 15020
+ name: ztunnel-stats
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ resources:
+ requests:
+ cpu: 200m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: false
+ runAsUser: 0
volumeMounts:
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
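Review bot: The re-rendered `securityContext` keeps `runAsUser: 0`, `allowPrivilegeEscalation: true` and the added `NET_ADMIN`, `SYS_ADMIN` and `NET_RAW` capabilities, but this commit drops the comments that justified each of them. This container carries root plus `SYS_ADMIN`, so the rationale should stay reviewable. Either restore the comments (`- NET_ADMIN # Required for TPROXY and setsockopt`, `- SYS_ADMIN # Required for setns - doing things in other netns`, `- NET_RAW # Required for RAW/PACKET sockets, TPROXY`) or, if the file is overwritten on every sync, record them in the component's README. The next hunk loses the equivalent comments on the `hostPath` volume (`type: DirectoryOrCreate`) and the writable `/tmp` emptyDir. The container spec starts before this hunk.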
@@ -149,29 +126,37 @@ spec:
name: cni-ztunnel-sock-dir
- mountPath: /tmp
name: tmp
+ nodeSelector:
+ kubernetes.io/os: linux
priorityClassName: system-node-critical
+ serviceAccountName: ztunnel
terminationGracePeriodSeconds: 30
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
volumes:
- name: istio-token
projected:
sources:
- serviceAccountToken:
- path: istio-token
- expirationSeconds: 43200
audience: istio-ca
- - name: istiod-ca-cert
- configMap:
+ expirationSeconds: 43200
+ path: istio-token
+ - configMap:
name: istio-ca-root-cert
- - name: cni-ztunnel-sock-dir
- hostPath:
+ name: istiod-ca-cert
+ - hostPath:
path: /var/run/ztunnel
- type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
- # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
- - name: tmp
- emptyDir: {}
----
-# Source: ztunnel/templates/rbac.yaml
----
----
-# Source: ztunnel/templates/zzz_profile.yaml
-# Flatten globals, if defined on a per-chart basis
+ type: DirectoryOrCreate
+ name: cni-ztunnel-sock-dir
+ - emptyDir: {}
+ name: tmp
+ updateStrategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ type: RollingUpdate
diff --git a/common/istio/profile.yaml b/common/istio/profile.yaml
index 7b7cf01703..369c7d9cfb 100644
--- a/common/istio/profile.yaml
+++ b/common/istio/profile.yaml
@@ -18,7 +18,7 @@ spec:
value: "true"
hub: gcr.io/istio-release
profile: default
- tag: 1.27.0
+ tag: 1.28.0
values:
defaultRevision: ""
gateways:
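Review bot: The `values:` block here leaves two settings that appear with this upgrade at their rendered defaults: install.yaml in this commit now carries `"networkPolicy": {"enabled": false}` and, in what looks like the proxy values, an empty `"seccompProfile": {}`. The kustomization still applies `patches/seccomp-istiod.yaml` and `patches/seccomp-istio-ingressgateway.yaml`, which presumably cover only those two workloads and not injected sidecars. If network isolation for istio-system and a seccomp profile for sidecars are handled elsewhere, a comment beside `values:` such as `# networkPolicy and proxy seccompProfile intentionally left at chart defaults` would record that decision; otherwise this file is where they would be set. The spec continues outside this hunk.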
diff --git a/scripts/synchronize-istio-manifests.sh b/scripts/synchronize-istio-manifests.sh
index cf878de60e..e3286a0c9a 100755
--- a/scripts/synchronize-istio-manifests.sh
+++ b/scripts/synchronize-istio-manifests.sh
@@ -7,7 +7,7 @@ source "${SCRIPT_DIRECTORY}/library.sh"
setup_error_handling
COMPONENT_NAME="istio"
-COMMIT="1.27.0" # Update this for new versions
+COMMIT="1.28.0" # Update this for new versions
SOURCE_DIRECTORY=${SOURCE_DIRECTORY:=/tmp/${COMPONENT_NAME}}
BRANCH_NAME=${BRANCH_NAME:=${COMPONENT_NAME}-${COMMIT?}}
diff --git a/tests/katib_test.sh b/tests/katib_test.sh
index 9fbf5de94e..42e941a179 100755
--- a/tests/katib_test.sh
+++ b/tests/katib_test.sh
@@ -8,5 +8,5 @@ kubectl wait --for=condition=Running experiments.kubeflow.org -n $KF_PROFILE --a
echo "Waiting for all Trials to be Completed..."
kubectl wait --for=condition=Created trials.kubeflow.org -n $KF_PROFILE --all --timeout=60s
kubectl get trials.kubeflow.org -n $KF_PROFILE
-kubectl wait --for=condition=Succeeded trials.kubeflow.org -n $KF_PROFILE --all --timeout 720s
+kubectl wait --for=condition=Succeeded trials.kubeflow.org -n $KF_PROFILE --all --timeout 900s
kubectl get trials.kubeflow.org -n $KF_PROFILE
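Review bot: The changed wait uses `--timeout 900s` while the wait two lines above uses `--timeout=60s`, and `$KF_PROFILE` is unquoted on every line of the hunk. Writing it as `kubectl wait --for=condition=Succeeded trials.kubeflow.org -n "$KF_PROFILE" --all --timeout=900s` keeps the flag style consistent and avoids word splitting on the namespace variable. The raise from 720s to 900s is not explained by anything else in this Istio upgrade, so a comment above the line, `# 900s: <reason the trials need longer than 720s>`, would tell the next reader whether the value can be lowered again. The script begins outside this hunk.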