Istio 1.1 Change Notes
Istio 1.1 release notes.
Incompatible changes from 1.0
In addition to the new features and improvements listed below, Istio 1.1 has introduced a number of significant changes from 1.0 that can alter the behavior of applications. A concise list of these changes can be found in the upgrade notice.
We recommend a manual upgrade of the control plane and data plane to 1.1. See the upgrades documents for more information.
CRD Install Separated from Istio Install. Placed Istio’s Custom Resource Definitions (CRDs) into the
istio-initHelm chart. Placing the CRDs in their own Helm chart preserves the data continuity of the custom resource content during the upgrade process and further enables Istio to evolve beyond a Helm-based installation.
Installation Configuration Profiles. Added several installation configuration profiles to simplify the installation process using well-known and well-tested patterns. Learn more about the better user experience afforded by the installation profile feature.
Improved Multicluster Integration. Consolidated the 1.0
istio-remotechart previously used for multicluster VPN and multicluster split horizon remote cluster installation into the Istio Helm chart simplifying the operational experience.
SidecarResource. The new sidecar resource enables more fine-grained control over the behavior of the sidecar proxies attached to workloads within a namespace. In particular it adds support to limit the set of services a sidecar will send traffic to. This reduces the amount of configuration computed and transmitted to the proxy, improving startup time, resource consumption and control-plane scalability. For large deployments, we recommend adding a sidecar resource per namespace. Controls are also provided for ports, protocols and traffic capture for advanced use-cases.
Restrict Visibility of Services. Added the new
exportTofeature which allows service owners to control which namespaces can reference their services. This feature is added to
VirtualServiceand is also supported on a Kubernetes Service via the
Namespace Scoping. When referring to a
VirtualServicein a Gateway we use DNS based name matching in our configuration model. This can be ambiguous when more than one namespace defines a virtual service for the same host name. To resolve ambiguity it is now possible to explicitly scope these references by namespace using a syntax of the form
hostsfield. The equivalent capability is also available in
ServiceEntryResources. Added support to specify the locality of a service and the associated SAN to use with mutual TLS. Service entries with HTTPS ports no longer need an additional virtual service to enable SNI-based routing.
Locality-Aware Routing. Added full support for routing to services in the same locality before picking services in other localities. See Locality Load Balancer Settings
Refined Multicluster Routing. Simplified the multicluster setup and enabled additional deployment modes. You can now connect multiple clusters simply using their ingress gateways without needing pod-level VPNs, deploy control planes in each cluster for high-availability cases, and span a namespace across several clusters to create global namespaces. Locality-aware routing is enabled by default in the high-availability control plane solution.
Istio Ingress Deprecated. Removed the previously deprecated Istio ingress. Refer to the Securing Kubernetes Ingress with Cert-Manager example for more details on how to use Kubernetes Ingress resources with gateways.
Performance and Scalability Improvements. Tuned the performance and scalability of Istio and Envoy. Read more about Performance and Scalability enhancements.
Access Logging Off by Default. Disabled the access logs for all Envoy sidecars by default to improve performance.
Readiness and Liveness Probes. Added support for Kubernetes’ HTTP readiness and liveness probes when mutual TLS is enabled.
Cluster RBAC Configuration. Replaced the
RbacConfigresource with the
ClusterRbacConfigresource to implement the correct cluster scope. See Migrating
ClusterRbacConfig. for migration instructions.
Identity Provisioning Through SDS. Added SDS support to provide stronger security with on-node key generation and dynamic certificate rotation without restarting Envoy.
Authorization for TCP Services. Added support of authorization for TCP services in addition to HTTP and gRPC services. See Authorization for TCP Services for more information.
Authorization for End-User Groups. Added authorization based on
groupsclaim or any list-typed claims in JWT. See Authorization for JWT for more information.
External Certificate Management on Ingress Gateway Controller. Added a controller to dynamically load and rotate external certificates.
Custom PKI Integration. Added Vault PKI integration with support for Vault-protected signing keys and ability to integrate with existing Vault PKIs.
cluster.local) Trust Domains. Added support for organization- or cluster-specific trust domains in the identities.
Policies and telemetry
Policy Checks Off By Default. Changed policy checks to be turned off by default to improve performance for most customer scenarios. Enabling Policy Enforcement details how to turn on Istio policy checks, if needed.
Reduced Overhead. Added several performance and scale improvements including:
Significant reduction in default collection of Envoy-generated statistics.
Added load-shedding functionality to Mixer workloads.
Improved the protocol between Envoy and Mixer.
Control Headers and Routing. Added the option to create adapters to influence the headers and routing of an incoming request. See the Control Headers and Routing task for more information.
Out of Process Adapters. Added the out-of-process adapter functionality for production use. As a result, we deprecated the in-process adapter model in this release. All new adapter development should use the out-of-process model moving forward.
Tracing Improvements. Performed many improvements in our overall tracing story:
Trace ids are now 128 bit wide.
Added support for sending trace data to Lightstep
Added the option to disable tracing for Mixer-backed services entirely.
Added policy decision-aware tracing.
Default TCP Metrics. Added default metrics for tracking TCP connections.
Reduced Load Balancer Requirements for Addons. Stopped exposing addons via separate load balancers. Instead, addons are exposed via the Istio gateway. To expose addons externally using either HTTP or HTTPS protocols, please use the Addon Gateway documentation.
Secure Addon Credentials. Changed storage of the addon credentials. Grafana, Kiali, and Jaeger passwords and username are now stored in Kubernetes secrets for improved security and compliance.
More Flexibility with
statsdCollector. Removed the built-in
statsdcollector. Istio now supports bring your own
statsdfor improved flexibility with existing Kubernetes deployments.
Galley. Added Galley as the primary configuration ingestion and distribution mechanism within Istio. It provides a robust model to validate, transform, and distribute configuration states to Istio components insulating the Istio components from Kubernetes details. Galley uses the Mesh Configuration Protocol to interact with components.
Monitoring Port. Changed Galley’s default monitoring port from 9093 to 15014.
Validate Command. Added the
istioctl validatecommand for offline validation of Istio Kubernetes resources.
Verify-Install Command. Added the
istioctl verify-installcommand to verify the status of an Istio installation given a specified installation YAML file.
Deprecated Commands. Deprecated the
istioctl get, and
istioctl deletecommands. Use the
kubectlequivalents instead. Deprecated the
istioctl gen-deploycommand too. Use a
helm templateinstead. Release 1.2 will remove these commands.
Short Commands. Included short commands in
kubectlfor gateways, virtual services, destination rules and service entries.