Announcing Istio 1.1.3
We’re pleased to announce the availability of Istio 1.1.3. Please see below for what’s changed.
Known issues with 1.1.3
- A panic in the Node Agent was discovered late in the 1.1.3 qualification process. The panic only occurs in clusters with the alpha-quality SDS certificate rotation feature enabled. Since this is the first time we have included SDS certificate rotation in our long-running release tests, we don’t know whether this is a latent bug or a new regression. Considering SDS certificate rotation is in alpha, we have decided to release 1.1.3 with this issue and target a fix for the 1.1.4 release.
Istio-specific back-ports of Envoy patches for
CVE-2019-9901included in Istio 1.1.2 have been dropped in favor of an Envoy update which contains the final version of the patches.
Fix load balancer weight setting for split horizon
Fix typo in the default Envoy
JSONlog format (Issue 12232).
Correctly reload out-of-process adapter address upon configuration change (Issue 12488).
Restore Kiali settings that were accidentally deleted (Issue 3660).
Prevent services with same target port resulting in duplicate inbound listeners (Issue 9504).
Fix issue with configuring
egressports for namespaces other than
istio-systemresulting in a
BlackHoleClusterby auto binding to services for
Sidecarlisteners (Issue 12536).
vhostconfiguration generation issue by favoring more specific host matches (Issue 12655).
ALLOW_ANYso it now allows external traffic if there is already an http service present on a port.
Fix validation logic so that
port.nameis no longer a valid
istioctl proxy-config clusterscluster type column rendering (Issue 12455).
Fix SDS secret mount configuration.
Fix incorrect Istio version in the Helm charts.
Fix partial DNS failures in the presence of overlapping ports (Issue 11658).
podAntiAffinitytemplate error (Issue 12790).
Fix bug with the original destination service discovery not using the original destination load balancer.
Fix SDS memory leak in the presence of invalid or missing keying materials (Issue 13197).
PushContextlog to reduce log volume.
values.yamlby passing it through to the mesh configuration.
Remove the soon-to-be deprecated
critical-podannotation from Helm charts (Issue 12650).
Support pod anti-affinity annotations to improve control plane availability (Issue 11333).
IPaddresses in access logs.
Remove redundant write header to further reduce log volume.
Improve destination host validation in Pilot.
istio-initto run as root so use of pod-level
securityContext.runAsUserdoesn’t break it (Issue 5453).
Add configuration samples for Vault integration.
Respect locality load balancing weight settings from
Make the TLS certificate location watched by Pilot Agent configurable (Issue 11984).
Add support for Datadog tracing.
Add alias to
istioctlso ‘x’ can be used instead of ‘experimental’.
Provide improved distribution of sidecar certificate by adding jitter to their CSR requests.
Allow weighted load balancing registry locality to be configured.
Add support for standard CRDs for compiled-in Mixer adapters.
Reduce Pilot resource requirements for demo configuration.
Fully populate Galley dashboard by adding data source (Issue 13040).
sidecarperformance tuning to the
Improve destination host validation by rejecting
*hosts (Issue 12794).
idle_timeoutin cluster definition so dead connections can sometimes be removed from connection pools before they are used (Issue 9113).
When registering a
Sidecarresource to restrict what a pod can see, the restrictions are now applied if the spec contains a
Update the Bookinfo example to use port 80 for TLS origination.
Add liveness probe for Citadel.
Improve AWS ELB interoperability by making 15020 the first port listed in the
ingressgatewayservice (Issue 12502).
Use outlier detection for failover mode but not for distribute mode for locality weighted load balancing (Issues 12965).
Replace generation of Envoy’s deprecated
CorsPolicywith the replacement
filter_enabledfield for 1.1.0+ sidecars only.
Standardize labels on Mixer’s Helm charts.