Istio 1.10 Change Notes
Istio 1.10.0 release notes.
These notices describe functionality that will be removed in a future release according to Istio’s deprecation policy. Please consider upgrading your environment to remove the deprecated functionality.
Deprecated the values.global.jwtPolicy=first-party-jwt option. This option is less secure and intended for backwards compatibility with older Kubernetes clusters that lack support for more secure token authentication, which is now enabled by default in new Kubernetes versions. See this documentation for more information.
Deprecated the values.global.arch option in favor of the affinity Kubernetes settings. (Issue #30027)
Deprecated the remote installation profile and added the external profile for installing Istio with an external control plane. (Issue #32370)
meshConfig.discoverySelectors to dynamically restrict the set of namespaces for Endpoints that istiod processes when pushing xDS updates to improve performance on the data plane. (Blog, Issue #26679)
ISTIO_GATEWAY_STRIP_HOST_PORT environment variable to control whether gateways strip the host port before any processing of requests by HTTP filters or routing. This option is disabled by default. (Issue #25350)
Fixed configuration of TLS parameters (TLS version, TLS cipher suites, curves, etc.) with EnvoyFilter. (Issue #28996)
Fixed an issue where the filter chain name was ignored when processing EnvoyFilter match. (Issue #31166)
Improved the full push scoping by adding
Improved virtual machine integration to clean up iptables rules when the service is stopped. (Issue #29556)
Updated istio-proxy drain notification strategy from gradual to immediate. (Issue #31403)
Added CNI metrics counting repair operations. (Issue #19300)
/debug/connections istiod debug interface to list the current connected clients. (Issue #31075)
Added SDS secrets fetch failure metric pilot_sds_certificate_errors_total. (Issue #31779)
Added metrics for istiod informer errors.
Fixed a bug where ISTIO_META_IDLE_TIMEOUT is not reflected when set to 0s. (Issue #30067)
Fixed a bug causing unnecessary full push in service entry store. (Issue #30683)
Fixed a bug where the
INSERT_FIRST. (Issue #31573)
Fixed an issue where services with PASSTHROUGH load balancing were always sent mTLS traffic, even if the destinations did not support mTLS. (Issue #23494)
Fixed a bug where EnvoyFilter with service match did not work for inbound clusters.
Updated istiod so that configuration to sign istiod certificates using the Kubernetes CA (PILOT_CERT_PROVIDER=kubernetes) is not honored in clusters with version 1.22 and greater. (Issue #22161)
Improved the experimental External Authorization feature with new capabilities:
- Added the timeout field to configure the timeout (default is 10m) between the ext_authz filter and the external service.
- Added the include_additional_headers_in_check field to send additional headers to the external service.
- Added the include_request_body_in_check field to send the body to the external service.
- Supported prefix and suffix match in the
- Deprecated the include_headers_in_check field in favor of the new include_request_headers_in_check field for better naming. (Reference, PR #1926)
- Added the
Added an experimental option to configure Envoy to fetch the JWKS by itself. This should be enabled if the jwks_uri is a mesh cluster URL for mTLS, and it has other benefits such as retries and JWKS caching. This is disabled by default and can be enabled by setting PILOT_JWT_ENABLE_REMOTE_JWKS to true. (Issue #28742)
Added an environment variable PILOT_JWT_PUB_KEY_REFRESH_INTERVAL to configure the interval at which istiod fetches the jwks_uri for the JWKS public key. Users can set the refresh interval with --set values.pilot.env.PILOT_JWT_PUB_KEY_REFRESH_INTERVAL=<duration> during installation. The default interval is 20m. Valid time units are “ns”, “us”, “ms”, “s”, “m”, “h”.
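As an added example (not part of the Istio release notes and not Istio's own code), the following Python lints an istioctl install command line for the settings flagged in the deprecation notices and the Kubernetes CA item above, and checks the refresh interval against the units listed here. The sample command line is constructed, values.global.pilotCertProvider is assumed to be the install value that sets PILOT_CERT_PROVIDER, and the duration pattern covers only the listed units.

```python
import re

# Only the units the notes list for the refresh interval (e.g. 20m, 1h30m).
DURATION = re.compile(r"(\d+(\.\d+)?(ns|us|ms|s|m|h))+")
REFRESH_KEY = "values.pilot.env.PILOT_JWT_PUB_KEY_REFRESH_INTERVAL"
# (key or key prefix, triggering value or None for any value, finding)
FLAGGED = [
    ("profile", "remote", "remote profile is deprecated; use external"),
    ("values.global.jwtPolicy", "first-party-jwt",
     "first-party-jwt is deprecated and less secure"),
    ("values.global.arch", None,
     "deprecated in favor of Kubernetes affinity settings"),
    # Assumption: this install value is what sets PILOT_CERT_PROVIDER.
    ("values.global.pilotCertProvider", "kubernetes",
     "not honored in clusters with version 1.22 and greater"),
]

def parse_set_flags(argv):
    """Collect key=value pairs from '--set k=v' and '--set=k=v' arguments."""
    pairs, args = {}, iter(argv)
    for arg in args:
        if arg == "--set":
            arg = next(args, "")
        elif arg.startswith("--set="):
            arg = arg[len("--set="):]
        else:
            continue
        key, sep, value = arg.partition("=")
        if sep and key:
            pairs[key] = value
    return pairs

def audit(argv):
    """Return sorted (key, finding) tuples for an istioctl install command line."""
    findings = []
    for key, value in parse_set_flags(argv).items():
        for flagged, trigger, message in FLAGGED:
            hit = key == flagged or key.startswith(flagged + ".")
            if hit and (trigger is None or trigger == value):
                findings.append((key, message))
        if key == REFRESH_KEY and not DURATION.fullmatch(value):
            findings.append((key, f"invalid duration {value!r}"))
    return sorted(findings)

# Constructed command line, not taken from a real deployment.
SAMPLE = ["istioctl", "install", "--set", "profile=remote",
          "--set=values.global.jwtPolicy=first-party-jwt",
          "--set", "values.global.arch.amd64=2", "--set", REFRESH_KEY + "=20min"]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
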
Updated the istiod JWT public key refresh job to retry the failed fetch of the jwks_uri with exponential backoff. (Issue #30261)
Removed ability to configure
global.values. Now it is configured through
Fixed an issue causing simple TLS traffic to ports not exposed by a Service to be rejected by servers when in PERMISSIVE mTLS mode. (Issue #31297)
Added experimental support for the Telemetry API. (Issue #24284)
Fixed the missing destination_cluster metric label reported by client proxy on request failures. (Issue #29373)
Fixed an issue where Envoy did not start up properly when duplicate stats tags were configured. (Issue #31270)
Added reliable Wasm module remote load with istio-agent. (Issue #29989)
istioctl experimental revision tag command group. Revision tags act as aliases for control plane revisions. Users can label their namespaces with a revision tag rather than pointing them directly at a revision and selectively decide the granularity of their namespace labels. This makes it possible to perform upgrades with the ease of in-place upgrades while having the safety of revision-based upgrades under the hood. Read more about using revision tags here.
ConfigMaps to be read directly rather than from volume mounts. This improves the speed of updates and ensures that, for external istiod installations, the ConfigMaps are read from the config cluster. (Issue #31410)
Improved the sidecar injector to better utilize pod labels to determine if injection is required. (Issue #30013)
Updated non-revisioned installs to target the label istio.io/rev=default for injection in addition to the existing default injection labels (
Added support for slash characters in environment variables on injectionURL. (Issue #31732)
Added the external profile for installing Istio with an external control plane and deprecated the remote profile. (Issue #32370)
Fixed a bug preventing istioctl kube-inject from working with revisions. (Issue #30991)
Improved the output of istioctl YAML diff commands. (Issue #31186)
15443 ports from the default gateway installation. These can be explicitly added if desired, although it is recommended to follow the new multicluster installation guide instead.
Updated Kiali addon to the latest version
istioctl experimental precheck command to identify potential upgrade issues prior to actually running an upgrade.
istioctl kube-inject to call the webhook server to get the injection template by default. (Issue #29270)
istioctl experimental internal-debug to retrieve istiod debug information via a secured debug interface. (Issue #31338)
istioctl validate and the validating webhook now report duplicate or unreachable virtual service matches. (Issue #31525)
istioctl proxy-config all command to view the full proxy configuration.
Added tooling for a revision-centric view of current Istio deployments in a cluster. This provides a better understanding of the deployments defining a particular revision (such as the number of istiod, gateway pods, IstioOperator custom resources) and of the number of pods with sidecars pointing to a particular revision. (Issue #23892)
Added a new analyzer for invalid webhook configurations.
Fixed an issue where istioctl x create-remote-secret --secret-name failed incorrectly when pointing to a non-existent secret in the remote cluster. (Issue #30723)