Istio 1.14 Change Notes

Istio 1.14.0 change notes.

May 24, 2022

Traffic Management

This feature is intended primarily for use on VMs, where system administrators need to restrict interception of outgoing traffic to a few applications instead of intercepting all outgoing traffic.

By default, as before, the Istio Sidecar will intercept outgoing traffic from all processes, no matter what user groups they are running under.

To change this behavior, system administrators can now use two new environment variables supported by istio-iptables and istio-clean-iptables: ISTIO_OUTBOUND_OWNER_GROUPS and ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE.

ISTIO_OUTBOUND_OWNER_GROUPS is a comma-separated list of groups whose outgoing traffic should be redirected to Envoy (sidecar). A group can be specified either by name or by a numeric GID. The wildcard character * can be used to configure redirection of traffic from all groups (default).

ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE is a comma-separated list of groups whose outgoing traffic should be excluded from redirection to Envoy (sidecar). A group can be specified either by name or by a numeric GID. It only applies when traffic from all groups (i.e. *) is being redirected to Envoy (sidecar).

ISTIO_OUTBOUND_OWNER_GROUPS and ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE are mutually exclusive; use only one of them.

For example, ISTIO_OUTBOUND_OWNER_GROUPS=101,java instructs istio-iptables to intercept outgoing traffic only from those processes that run under one of the user groups 101 (by GID) or java (by name). ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE=root,202 instructs it to intercept outgoing traffic from all processes except those that run under one of the user groups 202 (by GID) or root (by name). (Issue #37057)
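The following is an added model of the selection logic described above, written for this page and not taken from Istio's code: it parses the two variables, enforces their mutual exclusivity, decides for a given process group whether its traffic is redirected, and sketches the iptables owner-match clauses such a policy corresponds to (the REDIRECT_TO_ENVOY target and the chain layout are placeholders, not Istio's real chains).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OwnerGroupPolicy:
    include: frozenset  # group names or GID strings; {"*"} means all groups
    exclude: frozenset  # group names or GID strings skipped when include is "*"


def parse_owner_groups(env: dict) -> OwnerGroupPolicy:
    """Parse ISTIO_OUTBOUND_OWNER_GROUPS / ..._EXCLUDE as the 1.14 notes describe.

    Default is "*" (redirect all groups). EXCLUDE is only meaningful together
    with "*"; naming specific groups in both variables is a configuration error.
    """
    include_raw = env.get("ISTIO_OUTBOUND_OWNER_GROUPS", "*")
    exclude_raw = env.get("ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE", "")
    include = frozenset(g.strip() for g in include_raw.split(",") if g.strip())
    exclude = frozenset(g.strip() for g in exclude_raw.split(",") if g.strip())
    if include != {"*"} and exclude:
        raise ValueError("ISTIO_OUTBOUND_OWNER_GROUPS and "
                         "ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE are mutually exclusive")
    return OwnerGroupPolicy(include, exclude)


def should_redirect(policy: OwnerGroupPolicy, gid: int, name: str) -> bool:
    """Is outbound traffic from a process in group (gid, name) sent to Envoy?

    A group may be listed by numeric GID or by name, so both forms are checked.
    """
    identities = {str(gid), name}
    if policy.include == {"*"}:
        return not (identities & policy.exclude)
    return bool(identities & policy.include)


def owner_match_clauses(policy: OwnerGroupPolicy) -> list:
    """Sketch of equivalent iptables '-m owner --gid-owner' clauses (placeholder target).

    For "*" the excluded groups are RETURNed before the catch-all redirect;
    otherwise only the listed groups get a redirect rule.
    """
    if policy.include == {"*"}:
        skips = [f"-m owner --gid-owner {g} -j RETURN" for g in sorted(policy.exclude)]
        return skips + ["-j REDIRECT_TO_ENVOY"]
    return [f"-m owner --gid-owner {g} -j REDIRECT_TO_ENVOY" for g in sorted(policy.include)]
```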

In this fix, we introduce a new struct consolidatedDestRule and record the metadata of all DestinationRules to avoid missing any DestinationRule dependencies. (Issue #38082)

ROUND_ROBIN will continue to be supported if explicitly specified. To restore ROUND_ROBIN as the default, set the istiod environment variable ENABLE_LEGACY_LB_ALGORITHM_DEFAULT=true.

Security

Telemetry

Extensibility

Installation

istioctl