Istio 1.14 Change Notes
Istio 1.14.0 change notes.
Added support for sending unready endpoints to Envoy. This will be useful when slow start mode in Envoy is enabled. This can be disabled by setting
Added new configuration options to
istio-clean-iptablesfor including/excluding certain user groups from interception of the outgoing traffic generated by them.
This feature is intended primarily for use on VMs, where system administrators need to restrain interception of the outgoing traffic down to a few applications instead of intercepting all outgoing traffic.
By default, as before, the Istio Sidecar will intercept outgoing traffic from all processes, no matter what user groups they are running under.
To change this behavior, system administrators can now use 2 new environment variables supported by
ISTIO_OUTBOUND_OWNER_GROUPSis a comma separated list of groups whose outgoing traffic should be redirected to Envoy (sidecar). A group can be specified either by name or by a numeric GID. The wildcard character
*can be used to configure redirection of traffic from all groups (default).
ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDEis a comma separated list of groups whose outgoing traffic should be excluded from redirection to Envoy (sidecar). A group can be specified either by name or by a numeric GID. Only applies when traffic from all groups (i.e.
*) is being redirected to Envoy (sidecar).
ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDEare mutually exclusive, use only one of them.
ISTIO_OUTBOUND_OWNER_GROUPS=101,javainstructs to intercept outgoing traffic only from those processes that run under one of the user groups
ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE=root,202instructs to intercept outgoing traffic from all processes except for those that under one of the user groups
root(by name). (Issue #37057)
Added the ability to perform automatic SAN validation based on the downstream HTTP host/authority header when
VERIFY_CERTIFICATE_AT_CLIENTfeature flags are enabled.
Added the ability to automatically set SNI when
DestinationRulesdo not specify it and
Added the ability to set
credentialNamebased secret configuration at sidecars for egress TLS traffic when
WorkloadSelectoris specified in
DestinationRule, provided the sidecar has permission to list secrets in the namespace where it resides.
Added support for
Added warning messages for users attempting to use IP addresses as SNI values in
Added support of replacing virtual host in envoy filter.
Added setting upstream TLS maximum version to TLS 1.3. (Issue #36271)
Fixed the problem that xDS may not be updated if multiple
destinationRulesfor a service are merged. In this case the merged rule only records one name/namespace pair of all the
destinationRules. However, this meta is used to record config dependencies of a sidecar.
In this fix, we introduce a new struct
consolidatedDestRuleand record all the
destinationrules’ meta to avoid missing any
destinationRuledependencies. (Issue #38082)
Fixed an issue where removing inline Network and HTTP filters was not working properly.
Fixed an issue with
ServiceEntrys causing excessive DNS requests when the DNS lookup fails. (Issue #35603)
Fixed IP family detection when using the CNI to behave the same way as without it. (Issue #36871)
Fixed IPv6 detection on clusters with IPv4 NAT implementation, such as Amazon EKS, by excluding link-local addresses from detection. (Issue #36961)
Improved XDS generation to send less resource when possible, sometimes omitting a response entirely. This can be disabled by the
PILOT_PARTIAL_FULL_PUSHES=falseenvironment variable. (Issue #37989),(Issue #37974)
Updated Istio’s default load balancing algorithm from
ROUND_ROBINalgorithm can lead to overburdened endpoints, especially when weights are used. The
LEAST_REQUESTalgorithm distributes the load more evenly across and is far less likely to overburden endpoints. A number of experiments (by both the Istio and Envoy teams) have shown that
ROUND_ROBINin virtually all cases, with little/no downsides. It’s generally considered a drop-in replacement for
ROUND_ROBINwill continue to be supported if explicitly specified. To restore
ROUND_ROBINas the default, set the istiod environment variable
allowed_client_headers_on_successfeature for Istio external authorization. (Issue #36950)
Added support for using
PrivateKeyProviderin SDS. (Issue #35809)
Added support for TLS configuration API for workloads. (Issue #2285)
Fixed the request authentication policy to always allow the CORS preflight request. (Issue #36911)
Added the implementation of the OpenTelemetry access log.
Added environment variable support at Wasm extension via VM configuration in WasmPlugin API.
WorkloadModeselection to Logging.
Added support for tracing
WorkloadModein Telemetry API. This will allow customization of tracing behavior based on traffic direction.
Added initial flag-protected support for exporting canonical service labels for ServiceEntry resources with a location of
Added allow all insecure servers when one of the host name in the environment variable
Added Support for
Added support for
WasmPluginpulling image from private repository with
Improved Use tag-stripped URL + checksum as a Wasm module cache key, and the tagged URL is separately cached. This may increase the chance of cache hit (e.g., trying to find the same image with both of the tagged and digest URLs.) In addition, this will be a base to implement
Added support of installing gateway helm chart as
daemonset. (Issue #37610)
Added support for policy/v1 PDB. (Issue #32005)
Fixed an issue of Envoy losing connection after
istio-ca-root-certis changed. (Issue #36723)
Fixed an issue that was preventing the operator from updating deployments when
.k8s.replicaCountis nonzero. When both
autoscaleis enabled and
replicaCountis nonzero, warning messages will be generated during validation.
Fixed an unknown field
v1alpha1.EgressGatewayConfig. (Issue #37260)
Fixed the default container annotation when there are multiple containers. (Issue #38060)
istioctlshould add Kubernetes resource in all revisions when running analyze. (Issue #38148)
Fixed change to add priority of -1 to
EnvoyFiltersdeployed by default by Istio to remove warnings from
EnvoyFilteranalyzer on first install (Issue #38676)
Fixed the in-cluster operator can’t create resources on recreation of the same
IstioOperatorresource. (Issue #35657)
caBundledefault value from Chart to allow a GitOps approach. (Issue #33052)
Added analysis interval to reduce the wasteful re-runs of analyzer. (Issue #30200)
Added the cluster id to
istioctl experimental ps. (Issue #36290)
Added a new analyzer for envoy filter patch operations. (Issue #37415)
Added the pod full name to the IST0103 analysis message.
istioctl pssupport for ECDS.
Fixed unexpected warning logs for
istioctl install --dry-run. (Issue #37084)
Fixed nil pointer dereference panic when using
kube-injectwhen not passing a needed revision but also passing
injectConfigMapName. (Issue #38083)
Fixed behavior for
istioctl create-remote-secreton Kubernetes 1.24+. In these versions, a Secret containing a
ServiceAccountAPI token is no longer automatically created, so
istioctlwill create one.