Istio 1.30 Deep Dive — Agentgateway, Ambient Multicluster, TrafficExtension API, and 4 CVE Patches (JWKS RSA Leak, XDS Debug Auth)
On May 18, 2026, the Istio community shipped Istio 1.30.0 alongside the backports 1.29.3 and 1.28.7. On the surface it is a regular quarterly release, but the content is roughly double the usual scope. First, Agentgateway — a new Gateway API data-plane proxy built for AI agent and MCP server traffic — is wired in as an experimental GatewayClass that replaces Envoy on the gateway pod when enabled. Second, Ambient mode finally crosses an operability threshold with CIDR ServiceEntry, optional XFCC synthesis at waypoints, configurable HBONE window sizing, and Tokio runtime metrics in ztunnel. Third, the new TrafficExtension API lands as a unified replacement for WasmPlugin, consolidating Wasm and Lua extensibility behind a single resource that applies to sidecars, gateways, and waypoints. Most importantly, four security advisories are patched together: CVE-2026-31837 (the JWKS fallback leaks an RSA private key, enabling JWT forgery), CVE-2026-31838 (XDS debug endpoints on plaintext port 15010 are reachable without authentication), CVE-2026-39350 (regex metacharacters in AuthorizationPolicy SPIFFE/namespace fields are not escaped), and CVE-2026-41413 (JWKS URI CIDR blocking is bypassed via DNS redirects and issuer discovery). This article decomposes the 1.29 → 1.30 breaking changes — XDS debug auth becoming mandatory, CNI config permissions tightening to 0600, and the sidecar service-namespace selection order flipping from alphabetical to "Kubernetes Service first" — across the five components that matter (ztunnel, waypoint, CNI, istiod, istioctl), and walks through the upgrade checklist we ran on a lab cluster (EKS 1.33 + Ambient + multi-network).
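The JWKS advisory above comes down to private-key members appearing in a document that must only ever carry public keys. As an added defender-side check (not code from the Istio project or this article), the script below scans a JWKS document for the private members that RFC 7517/7518 define, so an operator can audit what an issuer, or any fallback path, actually serves; the sample JWKS and its key values are constructed.

```python
"""Audit a JWKS document for private-key material (added example).

RFC 7518 names the private RSA members d, p, q, dp, dq, qi and oth, the
private EC scalar d, and the raw symmetric secret k (oct keys). None of
them belong in a published key set. Findings report member *names* only,
never the values, so the audit log itself cannot leak the key.
"""
import json

# Members whose presence means a key is private, not public.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def leaked_keys(jwks_json: str) -> list[dict]:
    """Return one finding per key that exposes private members.

    Raises ValueError for a document that is not a JSON object with a
    ``keys`` array, so a malformed key set is never silently passed.
    """
    doc = json.loads(jwks_json)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise ValueError("JWKS document has no 'keys' array")
    findings = []
    for idx, jwk in enumerate(keys):
        leaked = sorted(PRIVATE_MEMBERS & set(jwk))
        if leaked:
            findings.append({"index": idx, "kid": jwk.get("kid"),
                             "kty": jwk.get("kty"), "members": leaked})
    return findings


def is_public_only(jwks_json: str) -> bool:
    """True only for a well-formed key set with no private material."""
    try:
        return not leaked_keys(jwks_json)
    except ValueError:
        return False


# Constructed sample: one clean RSA key, one RSA key carrying its private
# CRT parameters, one symmetric key. The base64url values are placeholders.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "pub-1", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
    {"kty": "RSA", "kid": "leaky-1", "n": "placeholder-modulus", "e": "AQAB",
     "d": "placeholder-d", "p": "placeholder-p", "q": "placeholder-q"},
    {"kty": "oct", "kid": "hmac-1", "k": "placeholder-secret"},
]})

if __name__ == "__main__":
    for f in leaked_keys(SAMPLE_JWKS):
        print(f"key #{f['index']} kid={f['kid']} kty={f['kty']} "
              f"exposes private members: {', '.join(f['members'])}")
```

Run it against `curl -s https://<issuer>/.well-known/jwks.json` output (or the key set istiod is configured to use) and treat any finding as a key-rotation event, not just a configuration bug.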