Istio 0.5

 2018年2月2日 |  阅读大约需要 3 分钟

在平淡无奇的问题修复和性能增强之外,这一版本包含了部分全新的功能,以及对现有功能的改进,具体包括以下内容。

0.5 下载 0.5 文档

网络

  • Istio 的渐进式部署(预览):现在可以仅安装需要的 Istio 组件,也就是用渐进的方式来采用 Istio(例如仅安装 Pilot+Ingress 这样的最小化组合)。istioctl 客户端工具可以生成自定义 Istio 部署的信息。

  • Sidecar 的自动注入Mutating webhook 是 Kubernetes 1.9 中的新功能,Istio 借助这一功能提供了自动的 Pod 级别的 Sidecar 注入能力。自动注入需要 Kubernetes 1.9 或者更高版本。Alpha 版本中使用的 Initializer 已经过时并不再使用。参考资料

  • 通信规则的修改:根据用户反馈,我们对 Istio 的通信管理(路由规则、目标规则等)做出了显著改进。未来几周中我们会持续对这方面的功能进行打磨,欢迎反馈。

Mixer 适配器

  • Open Policy Agent:Mixer 实现了一个实现了 open policy agent 授权模型的适配器,其中实现了有弹性的粒度合理的访问控制机制。参考资料

  • Istio RBAC:Mixer 有了一套基于角色的访问控制适配器。参考资料

  • Fluentd:Mixer 新增了使用 Fluentd 进行日志收集的功能。

  • Stdio:该适配器可以将日志存储到主机的本地文件,并且支持日志的翻转和备份功能。

安全

  • 自有 CA:自有 CA 功能有了很多增强。参考资料

  • PKCS8:在 Istio PKI 中加入了 PKCS8 密钥支持。

  • Istio RBAC:Istio RBAC 为 Istio 服务网格中的服务提供了访问控制能力。参考资料.

其它

  • 发布模式:二进制文件以及安装缺省参数都设置为发布模式,从而提供更好的性能和安全性。

  • 组件日志:Istio 组件提供了一系列丰富的命令行参数,可以对包括日志翻转等功能的本地日志行为进行定制。

  • 一致的版本报告:Istio 组件提供了一致的命令行接口用来报告版本信息。

  • 可选的 Instance 字段:定义 Mixer Instance 的时候不再需要包含相关 Template 中的所有字段了,被省略掉的资源会被赋值为 0 或空值。

已知问题

  • Helm chart 安装方式目前不可用。

  • Sidecar 自动注入功能只在 1.9 或更新的 Kubernetes 上支持。

Networking

  • Incremental Istio Deployment. (Preview) You can now adopt Istio incrementally, more easily than before, by installing only the components you want (e.g, Pilot+Ingress only as the minimal Istio install). Refer to the istioctl CLI tool for generating a information on customized Istio deployments.

  • Automatic Proxy Injection. We leverage Kubernetes 1.9’s new mutating webhook feature to provide automatic pod-level proxy injection. Automatic injection requires Kubernetes 1.9 or beyond and therefore doesn’t work on older versions. The alpha initializer mechanism is no longer supported. Learn more

  • Revised Traffic Rules. Based on user feedback, we have made significant changes to Istio’s traffic management (routing rules, destination rules, etc.). We would love your continuing feedback while we polish this in the coming weeks.

Mixer adapters

  • Open Policy Agent. Mixer now has an authorization adapter implementing the open policy agent model, providing a flexible fine-grained access control mechanism. Learn more

  • Istio RBAC. Mixer now has a role-based access control adapter. Learn more

  • Fluentd. Mixer now has an adapter for log collection through Fluentd. Learn more

  • Stdio. The stdio adapter now lets you log to files with support for log rotation & backup, along with a host of controls.

Security

  • Bring Your Own CA. There have been many enhancements to the ‘bring your own CA’ feature. Learn more

  • PKCS8. Add support for PKCS8 keys to Istio PKI.

  • Istio RBAC Istio RBAC provides access control for services in Istio mesh. Learn more.

Other

  • Release-Mode Binaries. We switched release and installation default to release for improved performance and security.

  • Component Logging. Istio components now offer a rich set of command-line options to control local logging, including common support for log rotation.

  • Consistent Version Reporting. Istio components now offer a consistent command-line interface to report their version information.

  • Optional Instance Fields. Within configuration, definitions of Mixer instances no longer need to include every field of the associated template. Omitted fields get a zero or empty value.

Known issues

  • Installing with Helm charts is currently broken.

  • Automatic sidecar injection only works with Kubernetes 1.9 or later.