Hi team, we are using Omniverse Kit App Streaming - Kit App Streaming Session 1.11.1 container image (as Helm charts) for our project with Envoy proxy as side-car container but the helm charts is using Envoy 1.18 docker image which is deprticated and has vulnerabilities. So we tried upgrading the Envoy’s images to latest version but post that the kit app streaming pod is failing. Can you please help us here ?? Do we need to do some changes in kit app post Envoy image upgrade or Kit app streaming supports Envoy 1.18 only ??
NVIDIA’s published docs for Kit App Streaming do not state that it is limited to Envoy 1.18, but the official Helm chart is version‑coupled and assumes a specific Envoy config/API level, so jumping directly to a “latest” Envoy image will usually break the pod unless you update Envoy config and chart values in lockstep. catalog.ngc.nvidia
What is actually supported
- The official
kit-appstreaming-sessionHelm chart from NGC is the reference for supported sidecars and configuration; it is designed and tested against the specific Envoy image/version baked into that chart release. catalog.ngc.nvidia - Kit itself does not need code changes for a different Envoy version, but the chart’s Envoy bootstrap/config and CLI args do depend on Envoy’s API and behavior, which change across major/minor versions. docs.omniverse.nvidia
Why your pod fails after upgrading Envoy
- Newer Envoy versions frequently deprecate or remove config fields, filter names, and bootstrap options that older charts still use, which causes Envoy to fail at startup and thus the whole pod/sidecar to crash. docs.omniverse.nvidia
- If you simply change the container image tag to a much newer Envoy, but keep the same bootstrap/config from the 1.11.1 chart, you will hit schema/validation or runtime errors in Envoy, which manifests as the Kit Streaming pod not becoming Ready or exiting quickly. catalog.ngc.nvidia
Practical options that are less risky
-
Stay on the chart‑pinned Envoy minor line, but use a patched image
- Determine the exact Envoy 1.18.x version the chart expects, then move to the latest 1.18.x patch (e.g., 1.18.6 or similar) that has CVE fixes but is still API‑compatible with your existing config. groups.google
- This minimizes config changes and typically avoids breaking Kit, while still reducing known vulnerabilities compared with an older 1.18.0 image. cybersecurity-help
-
Upgrade Kit App Streaming / Helm chart instead of only Envoy
- Check NGC for a newer
kit-appstreaming-sessionchart version (and matching Kit App Streaming release) that already ships with a newer Envoy image and updated config. catalog.ngc.nvidia - Upgrading the chart + app together is the supported path and far more likely to work than manually bumping Envoy in an older chart. catalog.ngc.nvidia
- Check NGC for a newer
-
If you must jump to a recent Envoy release
- You will need to adjust the Envoy bootstrap and listeners in the Helm chart templates or values to match the target Envoy version’s config schema and filter APIs (fields, filter names, extension names, etc.). docs.omniverse.nvidia
- This is not documented as a supported customization path by NVIDIA, so you’d be in “custom integration” territory and should test thoroughly, and ideally open a ticket with NVIDIA Support to confirm compatibility. docs.omniverse.nvidia
Direct answers to your questions
-
“Do we need to do some changes in Kit app post Envoy image upgrade?”
You generally do not need to change the Kit app code, but you do need to ensure the Envoy configuration (Helm templates/values, bootstrap, filters) is compatible with the Envoy version you upgrade to. docs.omniverse.nvidia -
“Or does Kit App Streaming support Envoy 1.18 only?”
The platform is not inherently limited to Envoy 1.18, but each Kit App Streaming + Helm chart release is tested against a specific Envoy image; your 1.11.1 chart is effectively tied to the Envoy line it ships with, so moving beyond that without updating config is unsupported and will break. catalog.ngc.nvidia
To give you concrete next steps (e.g., exact image tag and any minimal config edits), can you share which precise Envoy image tag you upgraded to and, if possible, the first error lines from the Envoy container logs?