Istio 1.10 Change Notes
Istio 1.10.0 release notes.
Deprecation Notices
These notices describe functionality that will be removed in a future release according to Istio’s deprecation policy. Please consider upgrading your environment to remove the deprecated functionality.
- Deprecated the `values.global.jwtPolicy=first-party-jwt` option. This option is less secure and is intended for backwards compatibility with older Kubernetes clusters that lack support for the more secure token authentication, which is now enabled by default in new Kubernetes versions. See this documentation for more information.
- Deprecated the `values.global.arch` option in favor of the Kubernetes affinity settings. (Issue #30027)
- Deprecated the `remote` installation profile and added the `external` profile for installing Istio with an external control plane. (Issue #32370)
Traffic Management
- Added `meshConfig.discoverySelectors` to dynamically restrict the set of namespaces for `Services`, `Pods`, and `Endpoints` that istiod processes when pushing xDS updates, to improve performance on the data plane. (Blog, Issue #26679)
- Added the `ISTIO_GATEWAY_STRIP_HOST_PORT` environment variable to control whether gateways strip the host port before any processing of requests by HTTP filters or routing. This option is disabled by default. (Issue #25350)
- Fixed configuration of TLS parameters (TLS version, TLS cipher suites, curves, etc.) with `EnvoyFilter`. (Issue #28996)
- Fixed an issue where the filter chain name was ignored when processing an `EnvoyFilter` match. (Issue #31166)
- Improved the full push scoping by adding `Sidecar` config to `sidecarScopeKnownConfigTypes`.
- Improved virtual machine integration to clean up `iptables` rules when the service is stopped. (Issue #29556)
- Updated the istio-proxy drain notification strategy from gradual to immediate. (Issue #31403)
- Added CNI metrics counting repair operations. (Issue #19300)
- Added the `/debug/connections` istiod debug interface to list the currently connected clients. (Issue #31075)
- Added the SDS secrets fetch failure metric `pilot_sds_certificate_errors_total`. (Issue #31779)
- Added metrics for istiod informer errors.
- Fixed a bug where `ISTIO_META_IDLE_TIMEOUT` was not reflected when set to `0s`. (Issue #30067)
- Fixed a bug causing an unnecessary full push in the service entry store. (Issue #30683)
- Fixed a bug where the `EnvoyFilter` `HTTP_FILTER` didn't support `INSERT_FIRST`. (Issue #31573)
- Fixed an issue where services with `PASSTHROUGH` load balancing were always sent mTLS traffic, even if the destinations did not support mTLS. (Issue #23494)
- Fixed a bug where an `EnvoyFilter` with a service match did not work for inbound clusters.
Security
- Added an experimental feature to allow dry-run of an `AuthorizationPolicy` without actually enforcing the policy. (Usage, Design, PR #1933)
- Updated: the configuration to sign istiod certificates using the Kubernetes CA (`PILOT_CERT_PROVIDER=kubernetes`) will not be honored in clusters with version 1.22 and greater. (Issue #22161)
- Improved the experimental External Authorization feature with new capabilities:
  - Added the `timeout` field to configure the timeout (default is `10m`) between the `ext_authz` filter and the external service.
  - Added the `include_additional_headers_in_check` field to send additional headers to the external service.
  - Added the `include_request_body_in_check` field to send the body to the external service.
  - Supported prefix and suffix match in the `include_request_headers_in_check`, `headers_to_upstream_on_allow` and `headers_to_downstream_on_deny` fields.
  - Deprecated the `include_headers_in_check` field in favor of the new `include_request_headers_in_check` field for better naming. (Reference, PR #1926)
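The External Authorization fields listed above, put together in an extension provider and the `CUSTOM` policy that delegates to it. This is an added example, not configuration from the release notes or from Istio itself; the service name, port, namespace, header values and workload label are constructed.

```yaml
# Added example: an envoyExtAuthzHttp provider using the 1.10 fields and
# the CUSTOM AuthorizationPolicy that delegates to it. Service, port,
# namespace, header values and label are constructed for illustration.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
    - name: ext-authz-http            # referenced by the policy below
      envoyExtAuthzHttp:
        service: ext-authz.foo.svc.cluster.local   # constructed
        port: 8000                                 # constructed
        # New field: bound the wait for the external service. The
        # default of 10m is far longer than an in-band check should take.
        timeout: 2s
        # Replaces the deprecated include_headers_in_check; entries may
        # be exact names, prefixes ("abc*") or suffixes ("*abc").
        includeRequestHeadersInCheck:
        - authorization
        - cookie
        - x-request-*
        # New field: extra headers added only to the check request.
        includeAdditionalHeadersInCheck:
          x-ext-authz-mesh: primary     # constructed value
        # New field: forward up to 4 KiB of the body; larger bodies are
        # sent truncated (partial) rather than failing the check.
        includeRequestBodyInCheck:
          maxRequestBytes: 4096
          allowPartialMessage: true
        # Prefix/suffix patterns also work in the pass-through lists.
        headersToUpstreamOnAllow:
        - x-ext-authz-*
        headersToDownstreamOnDeny:
        - content-type
        - set-cookie
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin                    # constructed
  action: CUSTOM
  provider:
    name: ext-authz-http              # must match the provider name
  rules:
  - to:
    - operation:
        paths: ["/headers"]
```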
- Added an experimental option to configure Envoy to fetch the JWKS by itself. This should be enabled if the `jwks_uri` is a mesh cluster URL for mTLS, and it has other benefits such as retries and JWKS caching. This is disabled by default and can be enabled by setting `PILOT_JWT_ENABLE_REMOTE_JWKS` to true. (Issue #28742)
- Added an environment variable `PILOT_JWT_PUB_KEY_REFRESH_INTERVAL` to configure the interval at which istiod fetches the `jwks_uri` for the JWKS public key. Users can set the refresh interval with `--set values.pilot.env.PILOT_JWT_PUB_KEY_REFRESH_INTERVAL=<duration>` during installation. The default interval is `20m`. Valid time units are "ns", "us", "ms", "s", "m", "h".
- Updated the istiod JWT public key refresh job to retry a failed fetch of the `jwks_uri` with exponential backoff. (Issue #30261)
- Removed the ability to configure `trustDomain` from Helm `global.values`. It is now configured through `meshConfig.trustDomain`. (Issue #27734)
- Fixed an issue causing simple TLS traffic to ports not exposed by a `Service` to be rejected by servers when in `PERMISSIVE` mTLS mode. (Issue #31297)
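The dry-run mode from the first Security item above, as an added example that is not part of the release notes: the `istio.io/dry-run` annotation marks a `DENY` policy as shadow-only, so the proxy evaluates it and records the result without rejecting any request. The namespace, workload label and path are constructed.

```yaml
# Added example: a DENY policy evaluated in dry-run mode. Requests that
# match are still served; only the would-be decision is recorded, which
# lets the rule be checked against real traffic before it is enforced.
# Namespace, label and path are constructed for illustration.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-admin-from-outside
  namespace: foo
  annotations:
    # Remove the annotation (or set it to "false") to start enforcing.
    istio.io/dry-run: "true"
spec:
  selector:
    matchLabels:
      app: httpbin                    # constructed
  action: DENY
  rules:
  - from:
    - source:
        notNamespaces: ["foo"]        # anything outside the workload's namespace
    to:
    - operation:
        paths: ["/admin/*"]
```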
Telemetry
- Added experimental support for the Telemetry API. (Issue #24284)
- Fixed the missing `destination_cluster` metric label reported by the client proxy on request failures. (Issue #29373)
- Fixed an issue where Envoy did not start up properly when duplicate stats tags were configured. (Issue #31270)
Extensibility
- Added reliable Wasm module remote load with istio-agent. (Issue #29989)
Installation
- Added the `istioctl experimental revision tag` command group. Revision tags act as aliases for control plane revisions. Users can label their namespaces with a revision tag rather than pointing them directly at a revision, and selectively decide the granularity of their namespace labels. This makes it possible to perform upgrades with the ease of in-place upgrades while having the safety of revision-based upgrades under the hood. Read more about using revision tags here.
- Improved `ConfigMaps` to be read directly rather than from volume mounts. This improves the speed of updates and ensures that, for external istiod installations, the configmaps are read from the config cluster. (Issue #31410)
- Improved the sidecar injector to better utilize pod labels to determine if injection is required. (Issue #30013)
- Updated non-revisioned installs to target the label `istio.io/rev=default` for injection in addition to the existing default injection labels (`istio-injection=enabled` and `sidecar.istio.io/inject=true`).
- Added support for slash characters in environment variables on `injectionURL`. (Issue #31732)
- Added an `external` profile for installing Istio with an external control plane and deprecated the `remote` profile. (Issue #32370)
- Fixed a bug preventing `istioctl kube-inject` from working with revisions. (Issue #30991)
- Improved the output of istioctl YAML diff commands. (Issue #31186)
- Removed the `15012` and `15443` ports from the default gateway installation. These can be explicitly added if desired, although it is recommended to follow the new multicluster installation guide instead.
- Updated the Kiali addon to the latest version, `v1.34`.
istioctl
- Updated the `istioctl experimental precheck` command to identify potential upgrade issues prior to actually running an upgrade.
- Updated `istioctl kube-inject` to call the webhook server to get the injection template by default. (Issue #29270)
- Added `istioctl experimental internal-debug` to retrieve istiod debug information via a secured debug interface. (Issue #31338)
- Added: `istioctl validate` and the validating webhook now report duplicate or unreachable virtual service matches. (Issue #31525)
- Added `istioctl proxy-config -o yaml` to display output in YAML along with the current JSON and short formats. (Usage, Issue #31695)
- Added the `istioctl proxy-config all` command to view the full proxy configuration.
- Added tooling for a revision-centric view of current Istio deployments in a cluster. This provides a better understanding of deployments, such as the number of istiod and gateway pods and `IstioOperator` custom resources defining a particular revision, and the number of pods with sidecars pointing to a particular revision. (Issue #23892)
- Added a new analyzer for invalid webhook configurations.
- Fixed an issue where `istioctl x create-remote-secret --secret-name` failed incorrectly when pointing to a non-existent secret in the remote cluster. (Issue #30723)