Announcing Istio 1.3

Major Update

We are pleased to announce the release of Istio 1.3!

The theme of Istio 1.3 is User Experience:

  • Improve the experience of new users adopting Istio
  • Improve the experience of users debugging problems
  • Support more applications without any additional configuration

Every few releases, the Istio team delivers dramatic improvements to usability, APIs, and the overall system performance. Istio 1.3 is one such release, and the team is very excited to roll out some key updates.

Intelligent protocol detection (experimental)

To take advantage of Istio’s routing features, service ports must use a special port naming format to explicitly declare the protocol. This requirement can cause problems for users that do not name their ports when they add their applications to the mesh. Starting with 1.3, the protocol for outbound traffic is automatically detected as HTTP or TCP when the ports are not named according to Istio’s conventions. We will be polishing this feature in the upcoming releases with support for protocol sniffing on inbound traffic as well as identifying protocols other than HTTP.

Mixer-less telemetry (experimental)

Yes, you read that right! We implemented most of the common security policies, such as RBAC, directly into Envoy. We previously turned off the istio-policy service by default and are now on track to migrate most of Mixer’s telemetry functionality into Envoy as well. In this release, we have enhanced the Istio proxy to emit HTTP metrics directly to Prometheus, without requiring the istio-telemetry service to enrich the information. This enhancement is great if all you care about is telemetry for HTTP services. Follow the Mixer-less HTTP telemetry instructions to experiment with this feature. We are polishing this feature in the coming months to add telemetry support for TCP services when you enable Istio mutual TLS.

Container ports are no longer required

Previous releases required that pods explicitly declare the Kubernetes containerPort for each container as a security measure against trampolining traffic. Istio 1.3 has a secure and simpler way of handling all inbound traffic on any port into a workload instance without requiring the containerPort declarations. We have also completely eliminated the infinite loops caused in the IP tables rules when workload instances send traffic to themselves.

Fully customize generated Envoy configuration

While Istio 1.3 focuses on usability, expert users can use advanced features in Envoy that are not part of the Istio Networking APIs. We enhanced the EnvoyFilter API to allow users to fully customize:

  • The HTTP/TCP listeners and their filter chains returned by LDS
  • The Envoy HTTP route configuration returned by the RDS
  • The set of clusters returned by CDS

You get the best of both worlds:

Leverage Istio to integrate with Kubernetes and handle large fleets of Envoys efficiently, while still customizing the generated Envoy configuration to meet specific requirements within your infrastructure.
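As an added example (not code from the Istio release or its documentation), the following EnvoyFilter uses the 1.3 `configPatches` schema to remove a client-settable header from inbound requests before they reach the application, so the application cannot be tricked into trusting a value the sidecar did not set. The field names are assumed from the 1.3 EnvoyFilter API; the `app: reviews` label and the `x-internal-caller` header name are constructed placeholders.

```yaml
# Added example: EnvoyFilter using the Istio 1.3 configPatches schema.
# Assumptions: field names per the 1.3 EnvoyFilter API; the workload label
# (app: reviews) and the header name (x-internal-caller) are constructed.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: strip-spoofable-header
  namespace: default
spec:
  workloadSelector:
    labels:
      app: reviews          # only the sidecars of this workload get the patch
  configPatches:
  - applyTo: HTTP_FILTER    # patch the HTTP filter chain of the listener (LDS)
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.http_connection_manager
            subFilter:
              name: envoy.router
    patch:
      operation: INSERT_BEFORE   # run ahead of the router filter
      value:
        name: envoy.lua
        config:
          inlineCode: |
            -- Drop a header the application might use for authorization
            -- decisions, so an external caller cannot pre-set it.
            function envoy_on_request(request_handle)
              request_handle:headers():remove("x-internal-caller")
            end
```

Check that the patch was applied with `istioctl proxy-config listeners <pod> -o json` and confirm the `envoy.lua` filter appears before `envoy.router` in the inbound listener's filter chain.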

Other enhancements

  • istioctl gained many debugging features to help you highlight various issues in your mesh installation. Check out the istioctl reference page for the set of all supported features.

  • Locality aware load balancing graduated from experimental to default in this release too. Istio now takes advantage of existing locality information to prioritize load balancing pools and favor sending requests to the closest backends.

  • Better support for headless services with Istio mutual TLS

  • We enhanced control plane monitoring in the following ways:

    • Added new metrics to monitor configuration state
    • Added metrics for sidecar injector
    • Added a new Grafana dashboard for Citadel
    • Improved the Pilot dashboard to expose additional key metrics

  • Added the new Istio Deployment Models concept to help you decide what deployment model suits your needs.

  • Organized the content of our Operations Guide and created a section with all troubleshooting tasks to help you find the information you seek faster.

As always, there is a lot happening in the Community Meeting; join us every other Thursday at 11 AM Pacific.

The growth and success of Istio is due to its 400+ contributors from over 300 companies. Join one of our Working Groups and help us make Istio even better.

To join the conversation, go to discuss.istio.io, log in with your GitHub credentials and join us!

Release notes

Installation

Traffic management

  • Added automatic determination of HTTP or TCP for outbound traffic when ports are not named according to Istio’s conventions.
  • Added a mode to the Gateway API for mutual TLS operation.
  • Fixed issues present when a service communicates over the network first in permissive mutual TLS mode for protocols like MySQL and MongoDB.
  • Improved Envoy proxy readiness checks. They now check Envoy’s readiness status.
  • Improved inbound traffic capture: container ports are no longer required in the pod spec, and all ports are captured by default.
  • Improved the EnvoyFilter API. You can now add or update all configurations.
  • Improved the Redis load balancer to now default to MAGLEV when using the Redis proxy.
  • Improved load balancing to direct traffic to the same region and zone by default.
  • Improved Pilot by reducing CPU utilization. The reduction approaches 90% depending on the specific deployment.
  • Improved the ServiceEntry API to allow for the same hostname in different namespaces.
  • Improved the Sidecar API to customize the OutboundTrafficPolicy policy.

Security

  • Added trust domain validation for services using mutual TLS. By default, the server only authenticates the requests from the same trust domain.
  • Added labels to control service account secret generation by namespace.
  • Added SDS support to deliver the private key and certificates to each Istio control plane service.
  • Added support for introspection to Citadel.
  • Added metrics to the /metrics endpoint of Citadel Agent on port 15014 to monitor the SDS service.
  • Added diagnostics to the Citadel Agent using the /debug/sds/workload and /debug/sds/gateway on port 8080.
  • Improved the ingress gateway to load the trusted CA certificate from a separate secret when using SDS.
  • Improved SDS security by enforcing the usage of Kubernetes Trustworthy JWTs.
  • Improved Citadel Agent logs by unifying the logging pattern.
  • Removed support for Istio SDS when using Kubernetes versions earlier than 1.13.
  • Removed integration with Vault CA temporarily. SDS requirements caused the temporary removal but we will reintroduce Vault CA integration in a future release.
  • Enabled the Envoy JWT filter by default to improve security and reliability.

Telemetry

  • Added Access Log Service (ALS) support for Envoy gRPC.
  • Added a Grafana dashboard for Citadel monitoring.
  • Added metrics for monitoring the sidecar injector webhook.
  • Added control plane metrics to monitor Istio’s configuration state.
  • Added telemetry reporting for traffic destined to the Passthrough and BlackHole clusters.
  • Added alpha support for in-proxy generation of service metrics using Prometheus.
  • Added alpha support for environmental metadata in Envoy node metadata.
  • Added alpha support for Proxy Metadata Exchange.
  • Added alpha support for the OpenCensus trace driver.
  • Improved reporting for external services by removing requirements to add a service entry.
  • Improved the mesh dashboard to provide monitoring of Istio’s configuration state.
  • Improved the Pilot dashboard to expose additional key metrics to more clearly identify errors.
  • Removed deprecated Adapter and Template custom resource definitions (CRDs).
  • Deprecated the HTTP API spec used to produce API attributes. We will remove support for producing API attributes in Istio 1.4.

Policy

  • Improved rate limit enforcement to allow communication when the quota backend is unavailable.

Configuration management

  • Fixed Galley to stop too many gRPC pings from closing connections.
  • Improved Galley to avoid control plane upgrade failures.

istioctl

Other

  • Added new images based on distroless base images.
  • Improved the Istio CNI Helm chart to have consistent versions with Istio.
  • Improved Kubernetes Jobs behavior. Kubernetes Jobs now exit correctly when the job manually calls the /quitquitquit endpoint.