Announcement

The following rollouts have completed for managed Cloud Service Mesh:

• 1.21.6-asm.4 has rolled out to the rapid release channel.
• 1.20.8-asm.56 has rolled out to the regular release channel.
• 1.19.10-asm.52 has rolled out to the stable release channel.
• CNI and MDPC version 1.20.8-asm.56 has rolled out to all release channels.

While the managed data plane automatically updates Envoy Proxies by restarting workloads, you must manually restart any StatefulSets and Jobs.

Security

1.25.5-asm.9 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed in GCP-2025-064. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.25.5-asm.9 uses Envoy v1.33.12.

Security

1.26.5-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed in GCP-2025-064. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.26.5-asm.1 uses Envoy v1.34.10.

Security

1.27.2-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains fixes for the security vulnerabilities listed in GCP-2025-064. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.27.2-asm.1 uses Envoy v1.35.6.

Announcement

The following images are now rolling out for managed Cloud Service Mesh:

• 1.21.6-asm.4 is rolling out to the rapid release channel.
• 1.20.8-asm.56 is rolling out to the regular release channel.
• 1.19.10-asm.52 is rolling out to the stable release channel.

CNI/managed data plane controller version 1.20.8-asm.56 is rolling out to all release channels.

Fixed

These patches contain fixes for the following CVEs:

1.21.6-asm.4

1.20.8-asm.55

1.19.10-asm.52

CNI & MDPC

Announcement

The promotion of 1.21 to the Rapid release channel included upstream breaking changes to ExternalName and auto-sni when using the ISTIOD implementation. After considering the impact on customers, we have decided to restore the previous behavior from 1.20 and earlier for managed Cloud Service Mesh clusters using the ISTIOD implementation to match Rapid clusters using the TRAFFIC_DIRECTOR implementation. These changes are rolling out to the Rapid release channel in version 1.21.5-asm.55 or later.

• If you are using an ExternalName service in the Rapid channel without a port description, the ExternalName service will not be translated into Cluster in the Envoy configuration. If the ExternalName service is a destination of VirtualService or ExternalName service is used with REGISTRY_ONLY mode, you must specify the port in the service like in 1.20 and earlier.

• If you have an external service multiplexing traffic based on SNI but the corresponding DestinationRule doesn't have an explicit SNI, you must set SNI properly.

Announcement

1.26.4-asm.7 is now available for in-cluster Cloud Service Mesh.

You can now download 1.26.4-asm.7 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.26.4 subject to the list of supported features.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.26.4-asm.7 uses Envoy v1.34.8-dev.

Fixed

1.26.4-asm.7 includes the fixes for the following CVEs:

Fixed

1.25.5-asm.7 includes the fixes for the following CVEs:

Announcement

1.25.5-asm.7 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.5-asm.7 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.25.5 subject to the list of supported features. Cloud Service Mesh version 1.25.5-asm.7 uses envoy v1.33.10-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Fixed

1.27.1-asm.5 includes the fixes for the following CVEs:

Announcement

1.27.1-asm.5 is now available for in-cluster Cloud Service Mesh.

You can now download 1.27.1-asm.5 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.27.1 subject to the list of supported features.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.27.1-asm.5 uses Envoy v1.35.4-dev.

Announcement

In-cluster Cloud Service Mesh 1.24 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, see Supported versions.

Feature

You can now configure traffic routing using Cloud Service Mesh service routing APIs between Cloud Run and Cloud Run, Google Kubernetes Engine, and Google Compute Engine services. (GA).

Changed

Managed Cloud Service Mesh with a TD control plane in the Rapid release channel will start using proxy images with an internal envoy version.

All features supported by Managed (TD) control planes are supported by this proxy. To identify which proxy version is used in a cluster, see Identify the proxy versions used in the cluster.

This release uses the version csm_istio_proxy_20250611.00_p0. More details about the proxy version can be found on the Versions page.

Fixed

Announcement

CNI/managed data plane controller version 1.23.6-asm.15 is rolling out to all release channels.

Deprecated

Support for the following features will end on March 17, 2027:

• GKE on AWS
• GKE on Azure
• EKS Attached Clusters on AWS
• Azure Attached Clusters with AKS

Note that there are no changes to the other features of GKE attached clusters or Google Distributed Cloud (software only or air-gapped),

You must migrate to an alternative service mesh solution or an alternative Istio-based solution using your existing CSM configuration files by March 17, 2027.

Announcement

1.27.1-asm.2 is now available for in-cluster Cloud Service Mesh.

You can now download 1.27.1-asm.2 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.27.1 subject to the list of supported features.

The following environment variables and annotations are not supported:

• ENVOY_STATUS_PORT_ENABLE_PROXY_PROTOCOL
• PILOT_DNS_CARES_UDP_MAX_QUERIES
• PILOT_IP_AUTOALLOCATE_IPV4_PREFIX and PILOT_IP_AUTOALLOCATE_IPV6_PREFIX
• sidecar.istio.io/bootstrapOverride

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.27.1-asm.2 uses Envoy v 1.35.3-dev.

Announcement

The following rollouts have completed for managed Cloud Service Mesh:

• 1.21.5-asm.55 has rolled out to the rapid release channel.
• 1.20.8-asm.48 has rolled out to the regular release channel.
• 1.19.10-asm.48 has rolled out to the stable release channel.

While the managed data plane automatically updates Envoy Proxies by restarting workloads, you must manually restart any StatefulSets and Jobs.

Announcement

1.25.4-asm.0 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.4-asm.0 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.25.4 subject to the list of supported features. Cloud Service Mesh version 1.25.4-asm.0 uses envoy v1.33.8-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Announcement

1.24.6-asm.12 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.6-asm.12 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.24.6 subject to the list of supported features. Cloud Service Mesh version 1.24.6-asm.12 uses envoy v1.33.8-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Fixed

These patches address the following CVEs:

Announcement

1.26.4-asm.1 in-cluster Cloud Service Mesh already includes the fixes for these CVEs.

Security

The managed Cloud Service Mesh rollouts previously announced address the following vulnerabilities. While the managed data plane automatically updates Envoy Proxies by restarting workloads, you must manually restart any StatefulSets and Jobs.

1.21.5-asm.55

1.20.8-asm.48

1.19.10-asm.48

Security

1.26.4-asm.1 is now available for in-cluster Cloud Service Mesh.

This patch release contains a fix for a use-after-free (UAF) vulnerability in the DNS cache. For more information, see the security bulletin.

Only clusters running in-cluster Cloud Service Mesh version 1.26 are affected. If you are running an earlier in-cluster version or managed Cloud Service Mesh, you are not affected and do not need to take any action.

For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh.

Announcement

The following images are now rolling out for managed Cloud Service Mesh:

• 1.21.5-asm.55 is rolling out to the rapid release channel.
• 1.20.8-asm.48 is rolling out to the regular release channel.
• 1.19.10-asm.48 is rolling out to the stable release channel.

Feature

Advanced load balancing for managed Cloud Service Mesh (TD) now generally available (GA).

Changed

Managed Cloud Service Mesh will start using proxy version csm_mesh_proxy.20250623b_RC00 for Gateway API on GKE clusters. This proxy version maps closest to Envoy version 1.35. This change is rolling out to all release channels.

Announcement

1.25.3-asm.11 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.3-asm.11 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.25.3 subject to the list of supported features. Cloud Service Mesh version 1.25.3-asm.11 uses envoy v1.33.4-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Announcement

1.26.0-asm.11 is now available for in-cluster Cloud Service Mesh.

You can now download 1.26.0-asm.11 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.26.0 subject to the list of supported features.

The following environment variables and annotations are not supported:

• ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT
• RETRY_IGNORE_PREVIOUS_HOSTS
• ENABLE_CLUSTER_TRUST_BUNDLE_API
• OMIT_EMPTY_VALUES
• PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY
• MAX_CONNECTIONS_PER_SOCKET_EVENT_LOOP with the value 1
• Referencing ConfigMaps in a DestinationRule with TLS mode set to SIMPLE mode is not supported

The ENABLE_AUTO_SNI flag is still supported to stay aligned with the legacy behavior.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.26.0-asm.11 uses Envoy v1.34.2-dev.

Announcement

In-cluster Cloud Service Mesh 1.23 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, see Supported versions.

Announcement

1.24.6-asm.9 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.6-asm.9 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.24.6 subject to the list of supported features. Cloud Service Mesh version 1.24.6-asm.9 uses envoy v1.32.7-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Changed

1.23.6-asm.11 is now available for in-cluster Cloud Service Mesh.

You can now download 1.23.6-asm.11 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.23.6 subject to the list of supported features. Cloud Service Mesh version 1.23.6-asm.11 uses envoy v1.31.9-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Announcement

1.25.3-asm.8 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.3-asm.8 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.25.3 subject to the list of supported features. Cloud Service Mesh version 1.25.3-asm.8 uses envoy v1.33.4-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Announcement

1.24.6-asm.4 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.6-asm.4 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.24.6 subject to the list of supported features. Cloud Service Mesh version 1.24.6-asm.4 uses envoy v1.32.7-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Feature

You can now enforce cluster-local traffic for an individual service, all services in a particular namespace, or globally for all services in the mesh. For more information, see Keeping traffic in-cluster.

Feature

DNS Proxy feature is now available in the Rapid release channel. This feature requires sidecar version 1.21.5-asm.39 or later.

Changed

This change affects clusters using both the TRAFFIC_DIRECTOR and ISTIOD control plane implementations.

When using Cloud Service Mesh with Istio APIs, configuring an unsupported field or value in an Istio Custom Resources will be reflected as an error in the Mesh status API.

In some cases, the validation webhook will also reject unsupported API usage with an error message indicating the specific unsupported API. For more information, see Common webhook error messages. You can mitigate these issues by amending the Istio Custom Resource to remove the specified unsupported API configuration.

Feature

Isolation support to prevent cross-region overflow is now available as a preview feature for TRAFFIC_DIRECTOR implementations of Cloud Service Mesh. For more information, see Isolation for Cloud Service Mesh.

Announcement

In-cluster Cloud Service Mesh 1.22 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, see Supported versions.

Announcement

1.25.2-asm.3 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.2-asm.3 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.25.2 subject to the list of supported features. Cloud Service Mesh version 1.25.2-asm.3 uses envoy v1.33.1-dev..

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Announcement

1.23.6-asm.3 is now available for in-cluster Cloud Service Mesh.

You can now download 1.23.6-asm.3 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.23.6 subject to the list of supported features. Cloud Service Mesh version 1.23.6-asm.3 uses envoy v1.31.6.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Announcement

1.24.5-asm.3 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.5-asm.3 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.24.5 subject to the list of supported features. Cloud Service Mesh version 1.24.5-asm.3 uses envoy v1.32.6-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Announcement

The following images are now rolling out for managed Cloud Service Mesh:

• 1.21.5-asm.42 is rolling out to the rapid release channel.
• 1.20.8-asm.33 is rolling out to the regular release channel.
• 1.19.10-asm.33 is rolling out to the stable release channel.

Announcement

A behavioral change regarding user-provided credentials (private key and certificate) for TLS termination at ingress is now rolling out to the Rapid release channel. Subsequent announcements will appear for additional release channels.

The Kubernetes Secrets denoted by Gateway.servers.port.tls.credentialName will be read by each ingress gateway pod directly instead of the Control Plane. This change enhances security because the user-provided secret is read directly by the workloads instead of passing any managed component.

This change is compatible with previous behavior aside from the propagation speed of the updated secrets. Previously, updated secrets would propagate immediately. Now, updated secrets will propagate within 60 minutes. If you need immediate secret rotation, restart the gateway pods.

Each gateway pod reads Kubernetes secrets, so the number of the gateway pods becomes a scalability factor. We recommend the following maximum number of gateway pods:

• If the GKE cluster is regional, 1500 or fewer pods
• If the GKE cluster is zonal or using autopilot, 500 or fewer pods

If this change in behavior doesn't work for you, consider using the deployment with mounted credentials.

This change only affects clusters using Traffic Director and version 1.21.5-asm.42 or later.

Announcement

In-cluster Cloud Service Mesh 1.21 is no longer supported. For more information and to view the earliest end-of-life dates for other versions, see Supported versions.

Feature

New troubleshooting tools for your service mesh are now available. You can get detailed error codes for your Istio resources and check the state of your mesh to identify and resolve configuration problems. Learn more about Resolving configuration issues and Understanding Feature State Conditions.

Announcement

1.25.0-asm.8 is now available for in-cluster Cloud Service Mesh.

You can now download 1.25.0-asm.8 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.25.0 subject to the list of supported features.

The following environment variables are not supported:

• PILOT_MX_ADDITIONAL_LABELS
• PILOT_DNS_CARES_UDP_MAX_QUERIES
• PILOT_DNS_JITTER_DURATION
• PILOT_SEND_UNHEALTHY_ENDPOINTS

The following annotations are not supported:

• networking.istio.io/traffic-distribution
• istio.io/reroute-virtual-interfaces

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh. Cloud Service Mesh version 1.25.0-asm.8 uses Envoy v1.33.1-dev.

Issue

There is a known issue where all gateway CRs will see a downtime for status updates when upgrading from 1.24.3 to 1.25.x .

Announcement

1.22.8-asm.5 is now available for in-cluster Cloud Service Mesh.

You can now download 1.22.8-asm.5 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.22.8 subject to the list of supported features. Cloud Service Mesh version 1.22.8-asm.5 uses envoy v1.30.10-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Announcement

1.21.5-asm.34 is now available for in-cluster Cloud Service Mesh.

You can now download 1.21.5-asm.34 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.21.5 subject to the list of supported features. Cloud Service Mesh version 1.21.5-asm.34 uses envoy v1.29.12-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Announcement

1.24.3-asm.6 is now available for in-cluster Cloud Service Mesh.

You can now download 1.24.3-asm.6 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.24.3 subject to the list of supported features. Cloud Service Mesh version 1.24.3-asm.6 uses envoy v1.32.4-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Announcement

1.23.5-asm.3 is now available for in-cluster Cloud Service Mesh.

You can now download 1.23.5-asm.3 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.23.5 subject to the list of supported features. Cloud Service Mesh version 1.23.5-asm.3 uses envoy v1.31.6-dev.

For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.

Feature

Cloud Service Mesh now supports dual-stack, extending IPv6 capability to both proxy-based Envoy and proxyless gRPC. For more information, see Configure IPv6 dual-stack for Cloud Service Mesh.

Feature

You can now use custom constraints with Organization Policy to provide more granular control over specific fields for some networksecurity and networkservices resources.

Announcement

If you use the managed Cloud Service Mesh with the ISTIOD control plane implementation, important changes have been made to how and when you'll receive notifications of upcoming modernization. For details, see Managed control plane modernization.

Announcement

The rollout of managed Cloud Service Mesh version 1.20 to the rapid channel has completed.

Announcement

Managed Cloud Service Mesh with the Traffic Director control plane now supports configuring the network topology to use X-Forwarded-For and X-Forwarded-Client-Cert headers by MeshConfig or annotations of workloads.

Announcement

If you're a user of managed Cloud Service Mesh with the ISTIOD control plane implementation, you can now fine-tune your control plane modernization. See the Managed control plane modernization page for details.

Announcement

Managed Cloud Service Mesh 1.20 is rolling out to the rapid channel.