Istio 1.14 Change Notes
Istio 1.14.0 change notes.
Traffic Management
Added support for sending unready endpoints to Envoy. This is useful when slow start mode is enabled in Envoy. It can be disabled by setting PILOT_SEND_UNHEALTHY_ENDPOINTS to false.
Added new configuration options to istio-iptables and istio-clean-iptables for including or excluding the outgoing traffic generated by processes in certain user groups from interception.
This feature is intended primarily for use on VMs, where system administrators need to narrow interception of outgoing traffic down to a few applications instead of intercepting all outgoing traffic.
By default, as before, the Istio sidecar intercepts outgoing traffic from all processes, regardless of the user groups they run under.
To change this behavior, system administrators can now use two new environment variables supported by istio-iptables and istio-clean-iptables: ISTIO_OUTBOUND_OWNER_GROUPS and ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE.
ISTIO_OUTBOUND_OWNER_GROUPS is a comma-separated list of groups whose outgoing traffic should be redirected to Envoy (the sidecar). A group can be specified either by name or by numeric GID. The wildcard character * redirects traffic from all groups (the default).
ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE is a comma-separated list of groups whose outgoing traffic should be excluded from redirection to Envoy (the sidecar). A group can be specified either by name or by numeric GID. It only applies when traffic from all groups (i.e. *) is being redirected to Envoy.
ISTIO_OUTBOUND_OWNER_GROUPS and ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE are mutually exclusive; use only one of them.
For example, ISTIO_OUTBOUND_OWNER_GROUPS=101,java intercepts outgoing traffic only from processes that run under user group 101 (by GID) or java (by name). ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE=root,202 intercepts outgoing traffic from all processes except those that run under user group 202 (by GID) or root (by name).
Note that any process running under an excluded group bypasses the sidecar entirely, including its mTLS and policy enforcement, so the exclude list should be kept to the minimum the host actually needs, and the installed owner-match rules should be reviewed after istio-iptables runs. (Issue #37057)
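The following is an added example for the VM case described above; it is not Istio project code. It is a small wrapper around istio-iptables that enforces the documented contract of ISTIO_OUTBOUND_OWNER_GROUPS and ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE (mutually exclusive, exclude only meaningful with the default *), resolves group names to GIDs so the effective interception set can be reviewed before any rule is installed, and then runs istio-iptables with the variables exported. The istio-iptables path, the proxy UID 1337, the capture ports 15001/15006 and the ISTIO_OWNER_GROUPS_APPLY switch are assumptions for illustration, not values taken from the change notes.

```shell
#!/bin/sh
# Added example, not Istio project code. Wrapper for istio-iptables on a VM
# that validates the owner-group variables, resolves names to GIDs and shows
# the resulting owner-match rules. Paths, UID and ports are assumptions.

ISTIO_IPTABLES="${ISTIO_IPTABLES:-/usr/local/bin/istio-iptables}"   # assumed install path
PROXY_UID="${PROXY_UID:-1337}"                                       # assumed sidecar UID

# resolve_groups "101,java": prints one GID per line. Numeric entries pass
# through; names are resolved with getent (falling back to /etc/group). An
# unknown name is a hard error, because a typo would otherwise silently change
# which processes are intercepted.
resolve_groups() {
    for g in $(printf '%s' "$1" | tr ',' ' '); do
        case "$g" in
            *[!0-9]*)
                gid=$(getent group "$g" 2>/dev/null | cut -d: -f3)
                [ -n "$gid" ] || gid=$(awk -F: -v n="$g" '$1 == n { print $3 }' /etc/group 2>/dev/null)
                [ -n "$gid" ] || { echo "unknown group: $g" >&2; return 1; }
                echo "$gid" ;;
            *)
                echo "$g" ;;
        esac
    done
}

# validate_owner_groups INCLUDE EXCLUDE: the two lists are mutually exclusive,
# and EXCLUDE only applies when INCLUDE is the default '*'. Prints a one-line
# summary of the effective mode with names already resolved to GIDs.
validate_owner_groups() {
    include=${1:-'*'}
    exclude=$2
    if [ "$include" != '*' ] && [ -n "$exclude" ]; then
        echo "ISTIO_OUTBOUND_OWNER_GROUPS and ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE are mutually exclusive" >&2
        return 1
    fi
    if [ -n "$exclude" ]; then
        gids=$(resolve_groups "$exclude") || return 1
        echo "intercept all groups except GIDs: $(printf '%s\n' "$gids" | paste -sd, -)"
    elif [ "$include" = '*' ]; then
        echo "intercept all groups"
    else
        gids=$(resolve_groups "$include") || return 1
        echo "intercept only GIDs: $(printf '%s\n' "$gids" | paste -sd, -)"
    fi
}

# apply_owner_groups: validates, installs the rules, then prints the owner-match
# lines istio-iptables generated so they can be checked against the intended
# set. Excluded groups bypass the sidecar entirely, so keep that list minimal.
# Run as root on the VM.
apply_owner_groups() {
    validate_owner_groups "$ISTIO_OUTBOUND_OWNER_GROUPS" "$ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE" || return 1
    export ISTIO_OUTBOUND_OWNER_GROUPS ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE
    "$ISTIO_IPTABLES" -p 15001 -z 15006 -u "$PROXY_UID" -m REDIRECT -i '*' -b '*' || return 1
    iptables -t nat -S ISTIO_OUTPUT | grep -- '--gid-owner'
}

# Usage: ISTIO_OUTBOUND_OWNER_GROUPS=101,java ISTIO_OWNER_GROUPS_APPLY=1 sh owner-groups.sh
if [ "${ISTIO_OWNER_GROUPS_APPLY:-0}" = 1 ]; then
    apply_owner_groups
fi
```

Running validate_owner_groups alone (without the apply switch) is a cheap pre-flight check for a provisioning pipeline: it catches the mutually exclusive case and unresolvable group names before the host's nat table is touched, and the resolved GIDs are what should later appear in the ISTIO_OUTPUT chain.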
Added the ability to perform automatic SAN validation based on the downstream HTTP host/authority header when the ENABLE_AUTO_SNI and VERIFY_CERTIFICATE_AT_CLIENT feature flags are enabled.
Added the ability to automatically set SNI when DestinationRules do not specify it and ENABLE_AUTO_SNI is enabled.
Added the ability to set credentialName based secret configuration at sidecars for egress TLS traffic when WorkloadSelector is specified in DestinationRule, provided the sidecar has permission to list secrets in the namespace where it resides. Note that the same RBAC grant also lets the workload read those secrets directly through the Kubernetes API, so give it only to workloads that need it.
Added support for WorkloadSelector in DestinationRule.
Added warning messages for users attempting to use IP addresses as SNI values in VirtualService.TLSRoute.Match.SniHosts. (Issue #33401)
Added support for replacing a virtual host in EnvoyFilter.
Added the runtimeValues API to ProxyConfig for configuring Envoy runtime configuration. (Issue #37202)
Added setting the upstream TLS maximum version to TLS 1.3. (Issue #36271)
Fixed a problem where xDS might not be updated when multiple DestinationRules for a service are merged. Previously the merged rule recorded only one name/namespace pair out of all the merged DestinationRules, but this metadata is what records the config dependencies of a sidecar, so changes to the other rules could be missed. The fix introduces a new struct, consolidatedDestRule, that records the metadata of every merged DestinationRule so that no DestinationRule dependency is lost. (Issue #38082)
Fixed an issue where removing inline Network and HTTP filters was not working properly.
Fixed an issue causing traffic from a gateway to a service with an undeclared protocol to be treated as TCP traffic rather than HTTP. (Issue #37196)
Fixed an issue with DNS type ServiceEntries causing excessive DNS requests when the DNS lookup fails. (Issue #35603)
Fixed IP family detection when using the CNI to behave the same way as without it. (Issue #36871)
Fixed IPv6 detection on clusters with an IPv4 NAT implementation, such as Amazon EKS, by excluding link-local addresses from detection. (Issue #36961)
Improved xDS generation to send fewer resources when possible, sometimes omitting a response entirely. This can be disabled with the PILOT_PARTIAL_FULL_PUSHES=false environment variable. (Issue #37989), (Issue #37974)
Updated Istio's default load balancing algorithm from ROUND_ROBIN to LEAST_REQUEST. The ROUND_ROBIN algorithm can lead to overburdened endpoints, especially when weights are used. The LEAST_REQUEST algorithm distributes the load more evenly across endpoints and is far less likely to overburden them. A number of experiments (by both the Istio and Envoy teams) have shown that LEAST_REQUEST outperforms ROUND_ROBIN in virtually all cases, with little or no downside. It is generally considered a drop-in replacement for ROUND_ROBIN. ROUND_ROBIN will continue to be supported if explicitly specified in a DestinationRule. To restore ROUND_ROBIN as the default, set the istiod environment variable ENABLE_LEGACY_LB_ALGORITHM_DEFAULT=true.
Security
Added a new approach for CA integration through the Envoy SDS API. (Issue #37183)
Added the allowed_client_headers_on_success feature for Istio external authorization. (Issue #36950)
Added support for using PrivateKeyProvider in SDS. (Issue #35809)
Added support for a TLS configuration API for workloads. (Issue #2285)
Fixed the request authentication policy to always allow the CORS preflight request. Browsers send the preflight OPTIONS request without credentials, so it cannot carry the JWT; the actual request that follows is still authenticated. (Issue #36911)
Telemetry
Added the implementation of the OpenTelemetry access log.
Added environment variable support for Wasm extensions via the VM configuration in the WasmPlugin API.
Added WorkloadMode selection to Logging.
Added support for tracing WorkloadMode in the Telemetry API. This allows customization of tracing behavior based on traffic direction.
Added initial flag-protected support for exporting canonical service labels for ServiceEntry resources with a location of MESH_EXTERNAL.
Extensibility
Added allowing all insecure servers when one of the host names in the environment variable WASM_INSECURE_REGISTRIES is *. With that setting every registry the Wasm fetcher contacts is treated as insecure, so it should be confined to test environments; in production list the specific registries instead.
Added support for ImagePullPolicy in the WasmPlugin API.
Added support for WasmPlugin pulling images from a private repository with imagePullSecret.
Improved Wasm module caching by using the tag-stripped URL plus checksum as the cache key, with the tagged URL cached separately. This increases the chance of a cache hit (for example, when the same image is requested by both its tagged URL and its digest URL). It is also the basis for implementing ImagePullPolicy.
Installation
Added support for installing the gateway helm chart as a DaemonSet. (Issue #37610)
Added support for policy/v1 PDB. (Issue #32005)
Fixed an issue of Envoy losing its connection after istio-ca-root-cert is changed. (Issue #36723)
Fixed an issue that was preventing the operator from updating deployments when .autoscaleEnabled is true and .k8s.replicaCount is nonzero. When both autoscale is enabled and replicaCount is nonzero, warning messages are generated during validation.
Fixed an unknown field customService in v1alpha1.EgressGatewayConfig. (Issue #37260)
Fixed the default container annotation when there are multiple containers. (Issue #38060)
Fixed istioctl analyze to add Kubernetes resources in all revisions. (Issue #38148)
Fixed the EnvoyFilters deployed by default by Istio to carry a priority of -1, which removes warnings from the istioctl EnvoyFilter analyzer on first install. (Issue #38676)
Fixed the in-cluster operator being unable to create resources on recreation of the same IstioOperator resource. (Issue #35657)
Removed the caBundle default value from the chart to allow a GitOps approach. (Issue #33052)
istioctl
Added an analysis interval to reduce wasteful re-runs of the analyzer. (Issue #30200)
Added the cluster ID to istioctl experimental ps. (Issue #36290)
Added a new analyzer for EnvoyFilter patch operations. (Issue #37415)
Added the pod full name to the IST0103 analysis message.
Added istioctl ps support for ECDS.
Fixed unexpected warning logs for istioctl install --dry-run. (Issue #37084)
Fixed a nil pointer dereference panic when using kube-inject without passing a needed revision but passing injectConfigMapName. (Issue #38083)
Fixed behavior for istioctl create-remote-secret on Kubernetes 1.24+. In these versions, a Secret containing a ServiceAccount API token is no longer automatically created, so istioctl now creates one. That Secret holds a legacy, non-expiring token for the reader service account; treat it as a credential of the remote cluster and rotate it as you would any other long-lived key.
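The following is an added example of the procedure behind the create-remote-secret fix above; it is not Istio project code and does not show what istioctl does internally. It creates the kubernetes.io/service-account-token Secret by hand, waits for the token controller to populate it (the Secret is created empty and filled asynchronously, so generating the remote secret immediately after apply can yield an empty credential), and only then calls istioctl. The service account name istio-reader-service-account, the namespace istio-system and the Secret name suffix -token are assumptions.

```shell
#!/bin/sh
# Added example, not Istio project code. Pre-creates the service account token
# Secret that Kubernetes 1.24+ no longer generates automatically, waits until
# the token is issued, and then builds the remote secret from it.
# Service account, namespace and Secret name are assumptions.

# Render a kubernetes.io/service-account-token Secret bound to the given
# ServiceAccount. The annotation is what makes the token controller issue a
# token into .data.token after the object is created.
sa_token_secret_manifest() {
    sa=$1; ns=$2
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${sa}-token
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
}

# Poll until .data.token is non-empty; returns 1 after the given number of
# one-second attempts so a remote secret is never built from an empty token.
wait_for_token() {
    sa=$1; ns=$2; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        if [ -n "$(kubectl -n "$ns" get secret "${sa}-token" -o jsonpath='{.data.token}' 2>/dev/null)" ]; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# create_remote_secret CLUSTER_NAME [SA] [NAMESPACE]: applies the token Secret,
# waits for the token, then prints the remote secret manifest to stdout so it
# can be applied to the other cluster.
create_remote_secret() {
    cluster=$1
    sa=${2:-istio-reader-service-account}
    ns=${3:-istio-system}
    sa_token_secret_manifest "$sa" "$ns" | kubectl apply -f - >&2 || return 1
    wait_for_token "$sa" "$ns" || { echo "token not issued for $ns/$sa" >&2; return 1; }
    istioctl x create-remote-secret --name "$cluster" --service-account "$sa" -n "$ns"
}

# Usage: create_remote_secret cluster1 | kubectl --context cluster2 apply -f -
```

The token-secret object only becomes useful once the controller has filled it, so the wait loop is the part that matters operationally; the same check (a non-empty .data.token) is what to look at when a remote secret produced on a 1.24+ cluster fails to authenticate.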