Istio 1.11 Upgrade Notes

Important changes to consider when upgrading to Istio 1.11.0.

Aug 12, 2021

When you upgrade from Istio 1.10.0 to Istio 1.11.0, you need to consider the changes on this page. These notes detail the changes which purposefully break backwards compatibility with Istio 1.10.0. The notes also mention changes which preserve backwards compatibility while introducing new behavior. Changes are only included if the new behavior would be unexpected to a user of Istio 1.10.0.

The istiodRemote installation component now includes config cluster resources

Installing Istio on a remote cluster that is using an external control plane was previously done by disabling the base and pilot components and enabling the istiodRemote component in the IOP:

components:
  base:
    enabled: false
  pilot:
    enabled: false
  istiodRemote:
    enabled: true
values:
  global:
    externalIstiod: true

If the remote cluster also serves as the config cluster for the external control plane, the base component would also be enabled:

components:
  base:
    enabled: true
  pilot:
    enabled: false
  istiodRemote:
    enabled: true
values:
  global:
    externalIstiod: true

To simplify the implementation and to completely separate the remote installation from the base component, the istiodRemote component now includes all of the charts needed for any remote cluster, whether it serves as a config cluster or not. A new variable values.global.configCluster is used to enable/disable the resources needed in a config cluster:

components:
  base:
    enabled: false
  pilot:
    enabled: false
  istiodRemote:
    enabled: true
values:
  global:
    externalIstiod: true
    configCluster: true

Host header fallback disabled by default for Prometheus metrics for all inbound traffic

Host header fallback for determining values for Prometheus destination_service labels has been disabled for all incoming traffic. Previously, this was disabled only for traffic arriving at Gateways. If you are relying on host header fallback behavior to properly label the destination_service in Prometheus metrics for traffic originating from out-of-mesh workloads, then you will need to update the telemetry configuration to enable host header fallback.

EnvoyFilter match.routeConfiguration.vhost.name semantics change

EnvoyFilter matches rely on internal implementation details to match generated xDS segments, and those details are subject to change at any time.

In this release, the virtual host name match may have different results.

Previously, each domain name had its own virtual host. As an optimization, multiple domains may now use a single virtual host. This means that an EnvoyFilter previously matching a specific virtual host may now apply to more domains than in previous releases.

This optimization may be temporarily disabled by setting PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATION=false on the Istiod deployment.

New hostPath added to CNI DaemonSet

A new hostPath volume, /var/run/istio-cni, is added to the CNI DaemonSet. It is used to collect CNI network plugin logs in the CNI DaemonSet pod. If you have a PodSecurityPolicy defined to allowlist hostPaths for your CNI DaemonSet, /var/run/istio-cni also needs to be added to the list. CNI will not start in the absence of this change.
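
A pre-upgrade check for the PodSecurityPolicy requirement above, as an added example (not Istio project code): it reports whether a policy's spec.volumes and allowedHostPaths admit /var/run/istio-cni, using the whole-segment pathPrefix matching that Kubernetes applies. The sample policy, its name and the psp.json file name are constructed for illustration.

```python
import json
import sys

CNI_HOST_PATH = "/var/run/istio-cni"  # hostPath named in the upgrade note


def prefix_allows(prefix, path):
    """PSP pathPrefix matches whole path segments: /foo allows /foo/bar, not /food."""
    prefix, path = prefix.rstrip("/"), path.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def check_psp(psp, path=CNI_HOST_PATH):
    """Return (allowed, reason) for one PodSecurityPolicy object (parsed JSON)."""
    spec = psp.get("spec", {})
    volumes = spec.get("volumes") or []
    if "*" not in volumes and "hostPath" not in volumes:
        return False, "hostPath volumes are not permitted by spec.volumes"
    rules = spec.get("allowedHostPaths") or []
    if not rules:
        # An empty list places no restriction on host paths.
        return True, "allowedHostPaths is empty: every host path is allowed"
    for rule in rules:
        prefix = rule.get("pathPrefix", "")
        if prefix_allows(prefix, path):
            # readOnly is reported for review; the page does not state the access mode needed.
            mode = "readOnly" if rule.get("readOnly") else "read-write"
            return True, f"covered by {prefix} ({mode})"
    return False, f"no allowedHostPaths entry covers {path}"


# Constructed sample: an allowlist written before the new volume existed.
SAMPLE_PSP = {
    "metadata": {"name": "istio-cni-example"},  # hypothetical policy name
    "spec": {
        "volumes": ["hostPath", "secret", "configMap"],
        "allowedHostPaths": [
            {"pathPrefix": "/opt/cni/bin"},
            {"pathPrefix": "/etc/cni/net.d"},
            {"pathPrefix": "/var/run/istio"},  # does NOT cover /var/run/istio-cni
        ],
    },
}

if __name__ == "__main__":
    # Usage: kubectl get psp -o json > psp.json && python3 check_psp.py psp.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else {"items": [SAMPLE_PSP]}
    for item in data.get("items", [data]):
        ok, reason = check_psp(item)
        print(f"{item['metadata']['name']}: {'OK' if ok else 'BLOCKED'} - {reason}")
```

Run without arguments, it evaluates the constructed sample and reports it as BLOCKED, because /var/run/istio is a sibling path rather than a parent of /var/run/istio-cni.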