Istio 1.16.0 Change Notes
These notices describe functionality that will be removed in a future release according to Istio’s deprecation policy. Please consider upgrading your environment to remove the deprecated functionality.
- Deprecated fetching charts from URLs in
- Updated `Host` header matching to ignore port numbers by default. This can be controlled by the `SIDECAR_IGNORE_PORT_IN_HOST_MATCH` environment variable. (Issue #36627)
- Added `meshConfig.discoverySelectors` to dynamically restrict the set of namespaces where istiod creates the `istio-ca-root-cert` configmap if the `ENABLE_ENHANCED_RESOURCE_SCOPING` feature flag is enabled.
- Added `meshConfig.discoverySelectors` to dynamically restrict the set of namespaces where istiod discovers Custom Resource configurations (like Gateway, VirtualService, DestinationRule, Ingress, etc.) if the `ENABLE_ENHANCED_RESOURCE_SCOPING` feature flag is enabled. (Issue #36627)
- Updated the gateway-api integration to read `GatewayClass`. Users of the gateway-api must be on version 0.5.0+ before upgrading Istio.
- Added support for the MAGLEV load balancing algorithm for consistent hashing.
- Added the creation of inbound listeners for service ports and sidecar ingress listeners together, controlled by the `PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE` environment variable. With this enabled, traffic for a service port is no longer sent via passthrough TCP when it is regular HTTP traffic and a sidecar ingress listener is defined. If the same port number is defined in both the sidecar ingress and the service, the sidecar always takes precedence. (Issue #40919)
- Fixed `LocalityLoadBalancerSetting.failoverPriority` not working properly if the xDS cache is enabled. (Issue #40198)
- Fixed some memory/CPU cost issues by temporarily disabling
- Fixed an issue where remote JWKS URIs without a host port failed to parse into their host and port components.
- Fixed the ordering of RBAC and metadata exchange filters while generating HTTP/network filters. (Issue #41066)
- Fixed an issue causing traffic to not match (and return a `404`) when using wildcard domain names and including an unexpected port in the
- Fixed an issue causing traffic to match an unexpected route when using wildcard domain names and including a port in the
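The `Host` header change and the two wildcard-domain fixes above all turn on whether a port in the Host header takes part in route matching. As an added illustration (not Istio's or Envoy's code), this Go sketch compares matching with and without ignoring the port; `MatchRoute`, the route domains and the sample hosts are constructed for this example, and the wildcard semantics (one or more extra labels, case-insensitive) are assumed.

```go
package main
import (
	"fmt"
	"net"
	"strings"
)

// hostWithoutPort drops an optional ":port" from a Host header value, keeping IPv6 brackets.
func hostWithoutPort(host string) string {
	h, _, err := net.SplitHostPort(host)
	if err != nil { // no port present, keep the value unchanged
		return host
	}
	if strings.Contains(h, ":") { // IPv6 literal: restore the brackets
		return "[" + h + "]"
	}
	return h
}

func domainMatches(domain, host string) bool {
	domain, host = strings.ToLower(domain), strings.ToLower(host) // Host matching is case-insensitive
	if strings.HasPrefix(domain, "*.") {
		suffix := domain[1:] // wildcard "*.example.com" needs at least one extra label
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	}
	return domain == host
}

// MatchRoute returns the first configured domain matched by the Host header. ignorePort=true
// models the 1.16 default; with ignorePort=false "shop.example.com:8080" misses "*.example.com".
func MatchRoute(domains []string, host string, ignorePort bool) (string, bool) {
	if ignorePort {
		host = hostWithoutPort(host)
	}
	for _, d := range domains {
		if domainMatches(d, host) {
			return d, true
		}
	}
	return "", false
}

func main() {
	domains := []string{"api.example.com", "*.example.com"} // constructed sample route domains
	for _, h := range []string{"api.example.com:8080", "shop.example.com:443", "example.com"} {
		d, ok := MatchRoute(domains, h, true)
		fmt.Printf("%-22s matched=%-5v route=%q\n", h, ok, d)
	}
}
```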
- Improved Pilot to load its DNS serving certificate from well known locations: `/var/run/secrets/istiod/tls/tls.crt`, `/var/run/secrets/istiod/tls/tls.key` and `/var/run/secrets/istiod/ca/root-cert.pem`.
  The CA path will alternatively be loaded from
  It also automatically loads any secret called `istiod-tls` and the `istio-root-ca-configmap` into those paths. Using these well known paths is preferred over setting the TLS arguments. This allows for an easier installation process for `istio-csr` as well as any other external issuer that needs to modify the Pilot DNS serving certificate. (Issue #36916)
- Updated dependency in Envoy to properly parse JWTs with negative values for
- Updated the Telemetry API to use a new native extension for Prometheus stats instead of the Wasm-based extension. This reduces the CPU overhead and memory usage of the feature. Custom dimensions no longer require regex and bootstrap annotations. Customizations that use CEL expressions with Wasm attributes are likely to be affected. This change can be disabled by setting the control plane feature flag
- Added support for use of the OpenTelemetry tracing provider with the Telemetry API. (Issue #40027)
- Fixed an issue to allow multiple regular expressions with the same tag name. (Issue #39903)
- Improved the handling of Wasm module download failures: when downloading fails and `fail_open` is true, an RBAC filter allowing all traffic is passed to Envoy instead of the original Wasm filter. Previously, the given Wasm filter itself was passed to Envoy in this case, which could cause errors because some fields of the Wasm configuration are optional in Istio but not in Envoy.
- Improved WasmPlugin images (Docker and OCI standard images) to support more than one layer as per specification changes. See https://github.com/solo-io/wasm/pull/293 for more details.
- Added a `match` field to the WasmPlugin API. With this `match` clause, a WasmPlugin can be applied to more specific traffic (e.g., traffic to a specific port). (Issue #39345)
- Added `seccompProfile` fields to set the `seccompProfile` field in container `securityContext`s, as per https://kubernetes.io/docs/tutorials/security/seccomp/. (Issue #39791)
- Added a new Istio Operator `remote` profile and deprecated the equivalent `external` profile. (Issue #39797)
- `istioctl manifest generate`. When this is set, the current cluster context will be used to determine dynamic default settings, mirroring
- Added auto-detection of GKE specific installation steps when using CNI to
- Added support for configuring `MaxConcurrentReconciles` in istio-operator. (Issue #40827)
- Fixed an issue where `namespaceSelector` caused problems with cluster maintenance. (Issue #40984)
- Fixed an issue where deleting a custom gateway using an Istio Operator custom resource restarted other gateways. (Issue #40577)
- Fixed an issue in Istio Operator where the CNI was not created properly when `cni.resourceQuotas` is enabled, due to missing RBAC permissions. (Issue #41159)
- Updated `istioctl operator remove` to add a confirmation mechanism for operator removal. (Issue #41244)
- Added a precheck for revision when running `istioctl uninstall`. (Issue #40598)
- Added an option to `istioctl bug-report` that allows increasing the requests per second limit to the Kubernetes API server, which can greatly reduce the time to collect bug reports.
- Added the `istioctl experimental check-inject` feature to describe why injection will/won't or did/didn't occur for a pod, based on the currently running webhooks. (Issue #38299)
- Fixed the `networking.istio.io/exportTo` annotation leading to an incorrect IST0101 message. (Issue #39629)
- Fixed the `networking.istio.io/exportTo` annotation on services with multiple values leading to an incorrect IST0101 message. (Issue #39629)
- Fixed `experimental un-inject` providing incorrect templates for “un-injecting”.
- Updated `build_push_update_images.sh` to support the `--multiarch-images` argument to build multi-arch container images used in the bookinfo application. (Issue #40405)