Istio 1.12 Change Notes
Istio 1.12.0 change notes.
Traffic Management
- Improved support for headless services with undeclared protocols so that they no longer require specific `Host` headers. (Issue #34679)
- Added a validator for empty regex matches in VirtualService, preventing invalid Envoy configuration. (Issue #34065)
- Added support for `useSourceIP` consistent hash load balancing for TCP traffic. Previously, only HTTP was supported. (Issue #33558)
- Added support for Envoy to track active connections during drain and quit once active connections reach zero, instead of waiting for the entire drain duration. This is disabled by default and can be enabled by setting `EXIT_ON_ZERO_ACTIVE_CONNECTIONS` to `true`. (Issue #34855)
- Added support for `trafficPolicy.loadBalancer.consistentHash` in `DestinationRule` for proxyless gRPC clients. (Pull Request #35333)
- Added the ability for users to specify Envoy's `LOGICAL_DNS` as the connection type for a cluster using `DNS_ROUND_ROBIN` in ServiceEntry. (Issue #35475)
- Added the `failoverPriority` load balancing traffic policy, which allows users to set an ordered list of labels used to sort endpoints for priority-based load balancing. (Pull Request #34740)
- Added support for creating mirrored QUIC listeners for non-passthrough HTTPS listeners at gateways. (Pull Request #33817)
- Added support for the `v1alpha2` version of the gateway-api. (Pull Request #35009)
- Added experimental support for the `cluster.local` host behavior as defined by the Kubernetes Multi-Cluster Services (MCS) spec. This feature is off by default, but can be enabled by setting the following flags in Istio: `ENABLE_MCS_CLUSTER_LOCAL`, `ENABLE_MCS_HOST` and `ENABLE_MCS_SERVICE_DISCOVERY`. When enabled, requests to the `cluster.local` host will be routed only to those endpoints residing within the same cluster as the client. (Issue #35424)
- Fixed TCP probes. When using TCP probes with older versions of Istio, the check was always successful, even if the application did not open the port. (details)
- Fixed Gateway API xRoute traffic forwarding when a backend has weight `0`. (Issue #34129)
- Fixed an issue in which ADS would hang due to the wrong `syncCh` size being provided. (Pull Request #34633)
- Fixed an issue causing Ingress resources with the same name but different namespaces to conflict. (Issue #31833)
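As an added illustration of the `failoverPriority` entry above (this is not from the release notes or the Istio project), a DestinationRule that ranks endpoints by how many of the listed labels, taken in order from the top, match the calling proxy's own locality labels, so a client first prefers its own network, then region, zone and subzone. The service name and namespace are placeholders; the `localityLbSetting` field path and the outlier detection requirement are taken from the Istio API rather than from this page.

```yaml
# Added example (not from the release notes); service and namespace are placeholders.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews-failover-priority   # placeholder
  namespace: default                # placeholder
spec:
  host: reviews.default.svc.cluster.local   # placeholder service
  trafficPolicy:
    loadBalancer:
      localityLbSetting:
        enabled: true
        # Ordered list: an endpoint matching more of these labels, counted
        # from the first one down, gets a higher priority. Matching the first
        # two (same network and region) ranks above matching only the first.
        failoverPriority:
          - "topology.istio.io/network"
          - "topology.kubernetes.io/region"
          - "topology.kubernetes.io/zone"
          - "topology.istio.io/subzone"
    # Locality-aware load balancing only takes effect when outlier detection
    # is configured, so unhealthy higher-priority endpoints can be failed over.
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
```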
Security
- Improved performance of TLS certificate Secret watches to reduce memory usage. (Issue #35231)
- Added support for istiod to notice `cacerts` file changes via the `AUTO_RELOAD_PLUGIN_CERTS` environment variable. (Issue #31522)
- Added the `VERIFY_CERT_AT_CLIENT` environment variable to istiod. Setting `VERIFY_CERT_AT_CLIENT` to `true` will verify server certificates using the OS CA certificates when a `DestinationRule` does not set the `caCertificates` field. (Issue #33472)
- Added Auto mTLS support for workload-level peer authentication. You no longer need to configure a destination rule when servers are configured with a workload-level peer authentication policy. This can be disabled by setting `ENABLE_AUTO_MTLS_CHECK_POLICIES` to `false`. (Issue #33809)
- Added support for integration of GKE workload certificates. (Issue #35385)
- Added values to the Istio Gateway Helm charts for configuring annotations on the ServiceAccount. These can be used to enable IAM Roles for Service Accounts on AWS EKS. (Pull Request #33914)
- Added support for JWT claim based routing on ingress gateways. (Pull Request #35762)
- Fixed the `EnvoyExternalAuthorizationHttpProvider` to match HTTP headers in a case-insensitive way. (Issue #35220)
- Promoted the external authorization feature from Experimental to Alpha. (Pull Request #104)
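As an added example for the `VERIFY_CERT_AT_CLIENT` entry above (not from the release notes or the Istio project), the two ways a sidecar ends up verifying the upstream certificate when it originates TLS: a DestinationRule that pins an explicit CA bundle through `caCertificates`, and, for rules that omit that field, the istiod-wide `VERIFY_CERT_AT_CLIENT` setting supplied as a pilot environment variable in an IstioOperator resource. Host names, resource names, the namespace and the bundle path are placeholders, and a matching ServiceEntry for the external host is assumed to exist.

```yaml
# Added example (not from the release notes). Names, hosts and paths are placeholders.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: example-control-plane        # placeholder
spec:
  components:
    pilot:
      k8s:
        env:
          # With this set, a DestinationRule that originates TLS but sets no
          # caCertificates verifies the server against the OS CA certificates
          # instead of skipping verification.
          - name: VERIFY_CERT_AT_CLIENT
            value: "true"
---
# Explicit CA bundle: the server certificate is verified against this file
# regardless of VERIFY_CERT_AT_CLIENT.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api-example-com-pinned       # placeholder
  namespace: default                 # placeholder
spec:
  host: api.example.com              # placeholder external host (ServiceEntry assumed)
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: api.example.com
      caCertificates: /etc/ssl/certs/example-root.pem   # placeholder path in the sidecar
---
# No caCertificates: verification depends on VERIFY_CERT_AT_CLIENT being true
# on istiod; without it the upstream certificate is not checked.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api-example-com-os-ca        # placeholder
  namespace: default                 # placeholder
spec:
  host: api.example.com              # placeholder external host (ServiceEntry assumed)
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: api.example.com
```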
Telemetry
- Fixed an issue with `WorkloadGroup` and `WorkloadEntry` labeling of canonical revision. (Issue #34395)
Extensibility
- Added support for the Istio `WasmPlugin` API. (Pull Request #33374)
Installation
- Updated `istioctl tag set default` to control which revision handles Istio resource validation. The revision indicated by the default tag will also win leader elections and assume singleton cluster responsibilities. (Pull Request #35286)
- Added pod-level labels for istio-operator and istiod. (Issue #33879)
- Added pilot service annotations to the Helm chart. (Issue #35229)
- Added arm64 support for the operator by adding an arm64 nodeAffinity expression. (Pull Request #35648)
- Fixed a bug where specifying the same port number with different protocols (TCP and UDP) led to incorrect merging and rendered an erroneous manifest. (Issue #33841)
- Fixed istioctl not waiting on the CNI DaemonSet update. (Issue #34811)
- Fixed a missing permission to list `ServiceExport` from remote clusters in the primary cluster. (Issue #35068)
istioctl
- Improved analyzer report output to match the naming scheme expected by the API, i.e. `<ns>/<name>` instead of `<name>.<ns>`. (Issue #35405)
- Improved the destination rule CA analyzer to show the exact error line when using `istioctl analyze`; otherwise it shows the first line of its YAML configuration chunk. (Issue #22872)
- Updated `istioctl x create-remote-secret` and `istioctl x remote-clusters` to be top-level commands, out of experimental. (Issue #33799)
- Added `IST0139` analysis on webhooks to `istioctl install`. (Issue #33537)
- Added `istioctl x remote-clusters` to list the remote clusters each `istiod` instance has API Server credentials for, and the service registry sync status of each cluster. (Issue #33799)
- Added the pod alias `po` so users can run `istioctl x describe po`, consistent with the `kubectl` command. (Pull Request #34802)
- Added detection of Alpha annotation usage to precheck. (Pull Request #35483)
- Added support for the `watchedNamespaces` argument to `istioctl operator dump`, to specify the namespaces the operator controller watches. (Issue #35485)
- Fixed `istioctl operator` subcommands to support remote URLs specified in the `--manifests` argument. (Issue #34896)
- Fixed the `istioctl admin log` format. (Issue #34982)
- Fixed an issue where application pods (such as httpbin) could not be created when Istio was first installed into a namespace other than `istio-system`. `istioctl install`, `istioctl tag set` and `istioctl tag generate` are affected. For example, a user can install Istio into a specified namespace (`mesh-1` as an example) via `istioctl install --set profile=demo --set values.global.istioNamespace=mesh-1 -y`. (Issue #35539)
- Fixed `istioctl bug-report` displaying extra default system namespaces when `--exclude` is not set. (Issue #35593)
- Fixed the release tar URL by adding the patch version. (Pull Request #35712)
- Fixed an issue in `istioctl bug-report` where `--context` and `--kubeconfig` were not being honored. (Issue #35574)