Announcing Istio 1.30.0
Istio 1.30 Release Announcement.
May 18, 2026

We are pleased to announce the release of Istio 1.30. Thank you to all our contributors, testers, users, and enthusiasts for helping us get the 1.30.0 release published!

We would like to thank the Release Managers for this release, Petr McAllister from Solo.io, Jacek Ewertowski from Red Hat, and Jackson Greer from Microsoft.

Istio 1.30.0 is officially supported on Kubernetes versions 1.32 to 1.36.

What’s new?

Agentgateway: experimental new gateway implementation
Istio 1.30 ships experimental support for agentgateway as a Gateway API implementation. Agentgateway is a new data plane proxy built for AI agent and MCP server traffic; when enabled, it replaces Envoy on the gateway pod. In this release it is wired in as a single GatewayClass (istio-agentgateway) and is supported only as a Gateway API gateway, not as a sidecar or waypoint. Enable it by setting PILOT_ENABLE_AGENTGATEWAY=true on istiod. See the agentgateway Kubernetes documentation for installation and configuration details. This is early-access functionality. Expect rough edges; feedback is welcome.

Gateway API and TLSRoute improvements
This release adds support for TLSRoute termination and mixed mode, support for TLS passthrough listeners on east-west gateways, and reports attached ListenerSets and routes in Gateway status. Combined, these changes make Istio’s Gateway API implementation closer to feature parity with the in-tree spec and improve operability for multi-tenant gateway scenarios.

Ambient mode enhancements
Several ambient features land in 1.30:
CIDR address support in ServiceEntry. ServiceEntry resources can now use CIDR addresses for endpoints, enabling ambient routing for ranges of IPs without enumerating individual workloads.
Optional XFCC synthesis at waypoints. With the annotation ambient.istio.io/xfcc-include-client-identity: "true" on a waypoint Gateway, the waypoint synthesizes x-forwarded-client-cert from the ztunnel-provided source workload SPIFFE identity, so upstream apps can see the originating client.
Configurable HBONE window sizing via PILOT_HBONE_INITIAL_STREAM_WINDOW_SIZE and PILOT_HBONE_INITIAL_CONNECTION_WINDOW_SIZE, useful for tuning HBONE CONNECT clusters for high-throughput ambient workloads.
Tokio runtime metrics in ztunnel for clearer per-instance resource visibility.
New sidecar-to-ambient migration guide.
A step-by-step guide for migrating an existing sidecar-based mesh to ambient mode, covering ambient component installation, policy migration, and per-namespace enablement. The migration is designed to be gradual and reversible: sidecar and ambient workloads can coexist during the process.

Traffic management additions
Namespace-level traffic distribution annotation. Services inherit traffic distribution from a namespace annotation when not explicitly set on the service, reducing per-service boilerplate.
istio.io/connect-strategy annotation on ServiceEntry with RACE_FIRST_TCP_CONNECT mode, useful when DNS returns multiple A records and the client should pick the first endpoint that successfully completes TCP connect.
DNS upstream timeout is now configurable via DNS_FORWARD_TIMEOUT, with the existing 5s default preserved.
DNS failover priority support for DNS clusters.
Multiple CUSTOM authorization providers per workload, enabling different authentication schemes (OAuth, LDAP, API keys) on different API paths.
TrafficExtension API, a single unified API for configuring Wasm and Lua extensions on Envoy-based sidecars, gateways, and waypoints, replacing WasmPlugin as the primary proxy extensibility mechanism.

Helm v4 support
Istio 1.30 adds support for Helm v4 (server-side apply). A long-standing issue with webhook failurePolicy field ownership during upgrades has also been addressed. Users running Helm v4 should upgrade smoothly without the previous workarounds.

Security
Debug endpoint authentication tightened. XDS debug endpoints (syncz, config_dump) on port 15010 now require authentication when ENABLE_DEBUG_ENDPOINT_AUTH=true (default). A new DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES setting lets operators allow specific namespaces beyond the system namespace.
See the upgrade notes for the breaking-change details.
TLS minimum version flag for pilot-discovery (--tls-min-version), letting operators raise the floor for control-plane TLS.
Default registry for Istio images is now registry.istio.io. The previous registry remains accessible, but new installs default to the new location.

Installation and operability
Configurable port overrides for the network gateway service via networkGatewayPorts Helm values, plus template validation to fail...
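
For the optional XFCC synthesis at waypoints listed under the ambient mode enhancements, an upstream app has to parse x-forwarded-client-cert before it can act on the client identity. The sketch below is an added example, not code from the Istio project: it parses the header and fails closed unless it finds exactly one SPIFFE URI in an allowed trust domain. It assumes the synthesized header follows Envoy's XFCC syntax and carries the identity in a URI= key; the function names, the cluster.local allow-list and the sample header are hypothetical.

```python
import re

# Assumptions (not from the page): Envoy XFCC syntax, identity in a URI= key.
TRUSTED_DOMAINS = {"cluster.local"}  # hypothetical allow-list
_SPIFFE = re.compile(r"^spiffe://([^/]+)/ns/([^/]+)/sa/([^/]+)$")
# Constructed sample header, not captured from a real waypoint.
SAMPLE = 'Subject="CN=cart,O=shop;dev";URI=spiffe://cluster.local/ns/shop/sa/cart'

def _split(text, sep):
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts

def parse_xfcc(header):
    """Return one dict per XFCC element: lower-cased key -> list of values."""
    elements = []
    for element in _split(header, ","):
        fields = {}
        for pair in _split(element, ";"):
            key, eq, value = pair.strip().partition("=")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            if eq:
                fields.setdefault(key.lower(), []).append(value)
        if fields:
            elements.append(fields)
    return elements

def client_identity(header):
    """Return (trust_domain, namespace, service_account), or None (fail closed)."""
    elements = parse_xfcc(header or "")
    uris = elements[0].get("uri", []) if len(elements) == 1 else []
    m = _SPIFFE.match(uris[0]) if len(uris) == 1 else None
    if not m or m.group(1) not in TRUSTED_DOMAINS:
        return None
    return m.groups()
```

The identity returned here is only as trustworthy as the hop that set the header, so an authorization decision based on it belongs behind a policy that admits traffic to the app only through the waypoint.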