We’re proud to release Istio 1.0! Istio has been in development for nearly two years, and the 1.0 release represents a substantial milestone for us. All of our core features are now ready for production use.
These release notes describe what’s different between Istio 0.8 and Istio 1.0. Istio 1.0 only has a few new features relative to 0.8 as most of the effort for this release went into fixing bugs and improving performance.
SNI Routing using Virtual Services. Newly introduced
VirtualServicecan be used to route TLS traffic based on SNI values. Service ports named as TLS/HTTPS can be used in conjunction with virtual service TLS routes. TLS/HTTPS ports without an accompanying virtual service will be treated as opaque TCP.
Streaming gRPC Restored. Istio 0.8 caused periodic termination of long running streaming gRPC connections. This has been fixed in 1.0.
Old (v1alpha1) Networking APIs Removed. Support for the old
v1alpha1traffic management model has been removed.
Istio Ingress Deprecated. The old Istio ingress is deprecated and disabled by default. We encourage users to use gateways instead.
Policy and Telemetry
Updated Attributes. The set of attributes used to describe the source and destination of traffic have been completely revamped in order to be more precise and comprehensive.
Policy Check Cache. Mixer now features a large level 2 cache for policy checks, complementing the level 1 cache present in the sidecar proxy. This further reduces the average latency of externally-enforced policy checks.
Telemetry Buffering. Mixer now buffers report calls before dispatching to adapters, which gives an opportunity for adapters to process telemetry data in bigger chunks, reducing overall computational overhead in Mixer and its adapters.
Out of Process Adapters. Mixer now includes initial support for out-of-process adapters. This will be the recommended approach moving forward for integrating with Mixer. Initial documentation on how to build an out-of-process adapter is provided by the Out Of Process Adapter Dev Guide and the Out Of Process Adapter Walk-through.
Client-Side Telemetry. It’s now possible to collect telemetry from the client of an interaction, in addition to the server-side telemetry.
SignalFX. There is a new
stackdriveradapter has been substantially enhanced in this release to add new features and improve performance.
Authorization. We’ve reimplemented our authorization functionality. RPC-level authorization policies can now be implemented without the need for Mixer and Mixer adapters.
Improved Mutual TLS Authentication Control. It’s now easier to control mutual TLS authentication between services. We provide ‘PERMISSIVE’ mode so that you can incrementally turn on mutual TLS for your services. We removed service annotations and have a unique approach to turn on mutual TLS, coupled with client-side destination rules.
JWT Authentication. We now support JWT authentication which can be configured using authentication policies.
istioctl authn tls-checkcommand.
istioctl experimental convert-ingresscommand.
istioctl experimental convert-networking-configcommand.
Enhancements and bug fixes:
istioctl get allreturns all types of networking and authentication configuration.
istioctl getto retrieve resources across all namespaces.
Known issues with 1.0
Amazon’s EKS service does not implement automatic sidecar injection. Istio can be used in Amazon’s EKS by using manual injection for sidecars and turning off galley using the Helm parameter
In a multicluster deployment the mixer-telemetry and mixer-policy components do not connect to the Kubernetes API endpoints of any of the remote clusters. This results in a loss of telemetry fidelity as some of the metadata associated with workloads on remote clusters is incomplete.
There are Kubernetes manifests available for using Citadel standalone or with Citadel health checking enabled. There is not a Helm implementation of these modes. See Issue 6922 for more details.
Mesh expansion functionality, which lets you add raw VMs to a mesh is broken in 1.0. We’re expecting to produce a patch that fixes this problem within a few days.