Istio 1.14 Change Notes

Traffic Management

• Added support for sending unready endpoints to Envoy. This will be useful when slow start mode in Envoy is enabled. This can be disabled by setting PILOT_SEND_UNHEALTHY_ENDPOINTS to false.

• Added new configuration options to istio-iptables and istio-clean-iptables for including/excluding certain user groups from interception of the outgoing traffic generated by them.

  This feature is intended primarily for use on VMs, where system administrators need to restrain interception of the outgoing traffic down to a few applications instead of intercepting all outgoing traffic.

  By default, as before, the Istio Sidecar will intercept outgoing traffic from all processes, no matter what user groups they are running under.

  To change this behavior, system administrators can now use 2 new environment variables supported by istio-iptables and istio-clean-iptables : ISTIO_OUTBOUND_OWNER_GROUPS and ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE.

  ISTIO_OUTBOUND_OWNER_GROUPS is a comma separated list of groups whose outgoing traffic should be redirected to Envoy (sidecar). A group can be specified either by name or by a numeric GID. The wildcard character * can be used to configure redirection of traffic from all groups (default).

  ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE is a comma separated list of groups whose outgoing traffic should be excluded from redirection to Envoy (sidecar). A group can be specified either by name or by a numeric GID. Only applies when traffic from all groups (i.e. *) is being redirected to Envoy (sidecar).

  ISTIO_OUTBOUND_OWNER_GROUPS and ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE are mutually exclusive, use only one of them.

  For example, ISTIO_OUTBOUND_OWNER_GROUPS=101,java instructs to intercept outgoing traffic only from those processes that run under one of the user groups 101 (by GID) or java (by name). ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE=root,202 instructs to intercept outgoing traffic from all processes except for those that under one of the user groups 202 (by GID) or root (by name). (Issue #37057)

• Added the ability to perform automatic SAN validation based on the downstream HTTP host/authority header when ENABLE_AUTO_SNI and VERIFY_CERTIFICATE_AT_CLIENT feature flags are enabled.

• Added the ability to automatically set SNI when DestinationRules do not specify it and ENABLE_AUTO_SNI is enabled.

• Added the ability to set credentialName based secret configuration at sidecars for egress TLS traffic when WorkloadSelector is specified in DestinationRule, provided the sidecar has permission to list secrets in the namespace where it resides.

• Added support for WorkloadSelector in DestinationRule.

• Added warning messages for users attempting to use IP addresses as SNI values in VirtualService.TLSRoute.Match.SniHosts (Issue #33401)

• Added support of replacing virtual host in envoy filter.

• Added the API runtimeValues to Proxy Config for configuring Envoy runtime configuration. (Issue #37202)

• Added setting upstream TLS maximum version to TLS 1.3. (Issue #36271)

• Fixed the problem that xDS may not be updated if multiple destinationRules for a service are merged. In this case the merged rule only records one name/namespace pair of all the destinationRules. However, this meta is used to record config dependencies of a sidecar.

  In this fix, we introduce a new struct consolidatedDestRule and record all the destinationrules’ meta to avoid missing any destinationRule dependencies. (Issue #38082)

• Fixed an issue where removing inline Network and HTTP filters was not working properly.

• Fixed an issue causing traffic from a gateway to a service with an undeclared protocol being treated as TCP traffic rather than HTTP. (Issue #37196)

• Fixed an issue with DNS type ServiceEntrys causing excessive DNS requests when the DNS lookup fails. (Issue #35603)

• Fixed IP family detection when using the CNI to behave the same way as without it. (Issue #36871)

• Fixed IPv6 detection on clusters with IPv4 NAT implementation, such as Amazon EKS, by excluding link-local addresses from detection. (Issue #36961)

• Improved XDS generation to send less resource when possible, sometimes omitting a response entirely. This can be disabled by the PILOT_PARTIAL_FULL_PUSHES=false environment variable. (Issue #37989),(Issue #37974)

• Updated Istio’s default load balancing algorithm from ROUND_ROBIN to LEAST_REQUEST. The ROUND_ROBIN algorithm can lead to overburdened endpoints, especially when weights are used. The LEAST_REQUEST algorithm distributes the load more evenly across and is far less likely to overburden endpoints. A number of experiments (by both the Istio and Envoy teams) have shown that LEAST_REQUEST outperforms ROUND_ROBIN in virtually all cases, with little/no downsides. It’s generally considered a drop-in replacement for ROUND_ROBIN.

  ROUND_ROBIN will continue to be supported if explicitly specified. To restore ROUND_ROBIN as the default, set the istiod environment variable ENABLE_LEGACY_LB_ALGORITHM_DEFAULT=true.

Security

• Added a new approach for CA integration through the Envoy SDS API. (usage)(design) (Issue #37183)

• Added allowed_client_headers_on_success feature for Istio external authorization. (Issue #36950)

• Added support for using PrivateKeyProvider in SDS. (Issue #35809)

• Added support for TLS configuration API for workloads. (Issue #2285)

• Fixed the request authentication policy to always allow the CORS preflight request. (Issue #36911)

Telemetry

• Added the implementation of the OpenTelemetry access log.

• Added environment variable support at Wasm extension via VM configuration in WasmPlugin API.

• Added WorkloadMode selection to Logging.

• Added support for tracing WorkloadMode in Telemetry API. This will allow customization of tracing behavior based on traffic direction.

• Added initial flag-protected support for exporting canonical service labels for ServiceEntry resources with a location of MESH_EXTERNAL.

Extensibility

• Added allow all insecure servers when one of the host name in the environment variable WASM_INSECURE_REGISTRIES is *.

• Added Support for ImagePullPolicy of WasmPlugin API.

• Added support for WasmPlugin pulling image from private repository with imagePullSecret.

• Improved Use tag-stripped URL + checksum as a Wasm module cache key, and the tagged URL is separately cached. This may increase the chance of cache hit (e.g., trying to find the same image with both of the tagged and digest URLs.) In addition, this will be a base to implement ImagePullPolicy.

Installation

• Added support of installing gateway helm chart as daemonset. (Issue #37610)

• Added support for policy/v1 PDB. (Issue #32005)

• Fixed an issue of Envoy losing connection after istio-ca-root-cert is changed. (Issue #36723)

• Fixed an issue that was preventing the operator from updating deployments when .autoscaleEnabled is true and .k8s.replicaCount is nonzero. When both autoscale is enabled and replicaCount is nonzero, warning messages will be generated during validation.

• Fixed an unknown field customService in v1alpha1.EgressGatewayConfig. (Issue #37260)

• Fixed the default container annotation when there are multiple containers. (Issue #38060)

• Fixed istioctl should add Kubernetes resource in all revisions when running analyze. (Issue #38148)

• Fixed change to add priority of -1 to EnvoyFilters deployed by default by Istio to remove warnings from istioctl EnvoyFilter analyzer on first install (Issue #38676)

• Fixed the in-cluster operator can’t create resources on recreation of the same IstioOperator resource. (Issue #35657)

• Removed caBundle default value from Chart to allow a GitOps approach. (Issue #33052)

istioctl

• Added analysis interval to reduce the wasteful re-runs of analyzer. (Issue #30200)

• Added the cluster id to istioctl experimental ps. (Issue #36290)

• Added a new analyzer for envoy filter patch operations. (Issue #37415)

• Added the pod full name to the IST0103 analysis message.

• Added istioctl ps support for ECDS.

• Fixed unexpected warning logs for istioctl install --dry-run. (Issue #37084)

• Fixed nil pointer dereference panic when using kube-inject when not passing a needed revision but also passing injectConfigMapName. (Issue #38083)

• Fixed behavior for istioctl create-remote-secret on Kubernetes 1.24+. In these versions, a Secret containing a ServiceAccount API token is no longer automatically created, so istioctl will create one.