Istio 1.13 Change Notes
Istio 1.13.0 change notes.
Traffic Management
Added an API (CRD) for configuring
ProxyConfig
values containing a stable subset of the configuration fromMeshConfig.DefaultConfig
.Added support for hostname-based multi-network gateways for east-west traffic. The hostname will be resolved in the control plane and each of the IPs will be used as an endpoint. This behavior can be disabled by setting
RESOLVE_HOSTNAME_GATEWAYS=false
for istiod. (Issue #29359)Added support for rewriting gRPC probes.
Added a feature flag
PILOT_LEGACY_INGRESS_BEHAVIOR
, default to false. If this is set to true, Istio ingress will perform the legacy behavior, which does not meet the Kubernetes specification. (Issue #35033)Added support for listeners to balance between Envoy worker threads via
proxyMetadata
. (Issue #18152)Promoted
WorkloadGroup
to v1beta1. (Issue #25652)Improved istio-agent health probe rewrite to not re-use connections, mirroring Kubernetes’ probing behavior. (Issue #36390)
Improved the default
PILOT_MAX_REQUESTS_PER_SECOND
, which limits the number of new XDS connections per second, to 25 (from 100). This has been shown to improve performance under high load.Updated the control plane to read
EndpointSlice
instead ofEndpoints
for service discovery for Kubernetes 1.21 or later. To switch back to the oldEndpoints
based behavior setPILOT_USE_ENDPOINT_SLICE=false
in istiod.Fixed an issue where specifying conflict protocols for a service target port will cause unstable protocol selection for that port. (Issue #36462)
Fixed an issue where scaling endpoint for a service from 0 to 1 might cause client side service account verification to be populated incorrectly. (Issue #36465 and #31534)
Fixed an issue where the
TcpKeepalive
setting at mesh config is not honored. (Issue #36499)Fixed an issue where stale endpoints can be configured when a service gets deleted and created again. (Issue #36510)
Fixed an issue where istiod crashes if prioritized leader election (controlled via
PRIORITIZED_LEADER_ELECTION
env variable) is disabled. (Issue #36541)Fixed an issue that sidecar iptables will cause intermittent connection reset due to the out of window packet. Introduced a flag
meshConfig.defaultConfig.proxyMetadata.INVALID_DROP
to control this setting. (Issue #36566)Fixed an issue where an in-place upgrade will cause TCP connections between a <1.12 proxy and a 1.12 proxy to fail. (Issue #36797)
Fixed an issue where
EnvoyFilter
with ANY patch context will skip adding new clusters and listeners at gateway.Fixed an issue causing HTTP/1.0 requests to be rejected (with a
426 Upgrade Required
error) in some cases. (Issue #36707)Fixed an issue where using
ISTIO_MUTUAL
TLS mode in Gateways while also settingcredentialName
cause mutual TLS to not be configured. This configuration is now rejected, asISTIO_MUTUAL
is intended to be used withoutcredentialName
set. The old behavior can be retained by configuring thePILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME=true
environment variable in Istiod.Fixed an issue where changes in a delegate VirtualService do not take effect when RDS cache is enabled. (Issue #36525)
Fixed an issue causing mTLS errors for traffic on port 22, by including port 22 in iptables by default. (Issue #35733)
Fixed an issue causing hostnames overlapping the cluster domain (such as
example.local
) to generate invalid routes. (Issue #35676)Fixed an issue that if duplicated cipher suites were configured in Gateway, they were pushed to Envoy configuration. With this fix, duplicated cipher suites will be ignored and logged. (Issue #36805)
Security
Added TLS settings to the sidecar API in order to enable TLS/mTLS termination on the sidecar proxy for requests coming from outside the mesh. (Issue #35111)
Promoted authorization policy dry-run mode to Alpha. (Issue #112)
Fixed a couple of issues in the ext-authz filter affecting the behavior of the gRPC check response API. Please see the Envoy release note for more details of the bug fixes if you are using authorization policies with the ext-authz gRPC extension provider in Istio. (Issue #35480)
Telemetry
Added configuration for selecting service name generation scheme in Envoy-generated trace spans. (Issue #36162 and #12644)
Added Common Expression Language (CEL) filter support for access logs. (Issue #36514)
Added access logging providers and controls for access log filtering to the Telemetry API.
Added an option to set whether the Request ID generated by the sidecar should be used when determining the sampling strategy for tracing.
Added configurable service-cluster naming scheme support. (Issue #36162)
Improved Istiod
JWTRule
: FailedJWKS
requests are now logged with truncation to 100 characters. (Issue #35663)
Installation
Added a privileged flag to Istio-CNI Helm charts to set
securityContext
flag. (Issue #34211)Removed support for a number of nonstandard
kubeconfig
authentication methods when using multicluster secrets.Updated istiod deployment to respect
values.pilot.nodeSelector
. (Issue #36110)Fixed an issue where the in-cluster operator can’t prune resources when the Istio control plane has active proxies connected. (Issue #35657)
Fixed omission of the
.Values.sidecarInjectiorWebhook.enableNamespacesByDefault
setting in the default revision mutating webhook, and added--auto-inject-namespaces
flag toistioctl tag
controlling this setting. (Issue #36258)Fixed an issue where setting
includeInboundPorts
with Helm values did not take effect. (Issue #36644)Fixed an issue that was preventing the Helm chart to be used as a chart dependency. (Issue #35495)
Fixed that the Helm chart generated an invalid manifest when given boolean or numeric values for environment variables. (Issue #36946)
Fixed detection of
prometheus.io.scrape
annotations when merging metrics. (Issue #31187)
istioctl
Added
istioctl analyze
will display a warning when service of type ExternalName have invalid port name or port name is tcp. (Issue #35429)Added log options to
istioctl install
to prevent unexpected messages. (Issue #35770)Added
CLUSTER
column in the output ofistioctl ps
command.Added the global wildcard pattern match for the bug report
--include
and--exclude
flag.Added the output format flag to
operator dump
.Added
--operatorFileName
flag tokube-inject
to supportIstioOperator
files. (Issue #36472)Added
istioctl analyze
now supports--ignore-unknown
, which suppresses errors when non-k8s yaml files are found in a file or directory. (Issue #36471)Added stats command
istioctl experimental envoy-stats
for retrieving istio-proxy envoy metrics.Fixed the
--duration
flag never gets used in theistioctl bug-report
command.Fixed using flags in
istioctl bug-report
results in errors. (Issue #36103)Fixed
operator init --dry-run
creates unexpected namespaces.Fixed error format after json marshal in virtual machine config. (Issue #36358)
Documentation changes
- Fixed formatting of the telemetry configuration reference page.