Istio 1.15.0 Change Notes

Istio 1.15.0 change notes.

Aug 31, 2022

Traffic Management

Improved the number of pushes to gateway proxies by not pushing when services are not visible from the gateway. (Issue #39110)
Improved compatibility with minimal host operating systems without nsenter binary (like Talos OS). The cni.conf flag HostNSEnterExec reverts to old behavior with use of nsenter. (Issue #38794)
Updated istiod to allow unknown flags for backward-compatibility. If an unknown flag is passed, no warning or error will be logged.
Added a validation warning when protocol is unset and address is also unset. (Issue #27990)
Added support for configuring internal addresses for the mesh. This can be enabled by setting ENABLE_HCM_INTERNAL_NETWORKS to true.
Added sidecar traffic.sidecar.istio.io/excludeInterfaces annotation. (Issue #39404)
Added support for configuring max_connection_duration in DestinationRule.
Added support to inject faults by specifying gRPC status code.
Added support for sending parallel DNS queries to all nameservers in the Istio agent. This feature is disabled by default and can be enabled by setting the istio-agent environment variable DNS_FORWARD_PARALLEL=true. (Issue #39598)
Added support for tunneling outbound traffic via external HTTP forward proxies using HTTP CONNECT or POST methods. Tunnel settings can be applied only to TCP and TLS listeners, HTTP listeners are not supported for now.
Added an option for sidecar Host header matching to ignore port numbers. This can be controlled by the SIDECAR_IGNORE_PORT_IN_HOST_MATCH environment variable.
Fixed CNI installation to detect changes in projected service account token and reinstall istio-cni plugin with a new kubeconfig. (Issue #38077)
Fixed an issue where some ServiceEntry hostnames could cause non-deterministic Envoy routes. (Issue #38678)
Fixed an issue when network gateway names could not be properly resolved in some cases. (Issue #38689)
Fixed an issue where updating split DestinationRules did not take effect if the RDS/CDS/EDS cache was enabled. (Issue #39726)
Fixed an issue where Istio would send traffic to unready pods when PILOT_SEND_UNHEALTHY_ENDPOINTS was enabled. (Issue #39825)
Fixed an issue causing rejected configuration when using STATIC ServiceEntries with PASSTHROUGH DestinationRules. (Issue #39736)
Fixed an issue causing Envoy clusters to be stuck initializing, blocking configuration updates or proxy startup. (Issue #38709)
Fixed an issue causing traffic not to match (and return a 404) when using wildcard domain names and including an unexpected port in the Host header.
Fixed an issue causing traffic to match an unexpected route when using wildcard domain names and including a port in the Host header.
Fixed a potential memory leak triggered by updating ServiceEntry hostname.
Fixed any issue that can cause xDS configuration updates to be blocked during high traffic. (Issue #39209)

Security

Added an istio-agent environment variable WORKLOAD_RSA_KEY_SIZE for configuring the RSA key size of workload certificates.
Fixed a bug where the n dynamically generated by JWKS was not base64 encoded, causing envoy to fail to parse it correctly.

Telemetry

Fixed the TCP metadata exchange between sidecar client and ISTIO_MUTUAL, TCP server at the gateway.
Fixed a bug that would ignore some configuration when specifying multiple accessLogging in Telemetry resources within a single stanza. With this fix, all provided access logging configuration within a single stanza of Telemetry resource are respected. (Issue #39468)

Extensibility

Added the WASM_MODULE_EXPIRY, WASM_PURGE_INTERVAL, WASM_HTTP_REQUEST_TIMEOUT, and WASM_HTTP_REQUEST_MAX_RETRIES istio-agent environment variables to control WASM cache related parameters.
Added the ability to decompress and/or untar the WASM binary when it is pulled via HTTP/HTTPS.
Added the WASM_INSECURE_REGISTRIES istio-agent environment variable for when the WasmPlugin is pointing HTTP/HTTPS server.
Extended the scope of ImagePullPolicy in WasmPlugin to accept HTTP/HTTPS URLs in addition to OCI image URLs.

Installation

Added support for arm64 architecture for all components. (Issue #26652)
Added --log_output_level and --log_as_json to the istio-init container (as they are in istio-proxy).
Added values to the Istio Gateway Helm chart for configuring topologySpreadConstraints on the gateway deployment.
Added support for watching local secret resource updates for external istiod. (Issue #31946)
Updated the default value of the feature flag ENABLE_LEGACY_FSGROUP_INJECTION to false. This may cause issues with sidecars when installing on Helm on Kubernetes versions prior to 1.19.
Updated the Kiali addon to the latest version (v1.55.1).
Improved external control plane setup instructions, including tips for simpler control plane ingress setup, making it easier to experiment with the external control plane deployment model in a test environment.
Removed the deprecated remote.yaml profile which is equivalent to the default profile. (Issue #38832)

istioctl

Promoted istioctl x uninstall to istioctl uninstall. (Issue #40339)
Improved the output format of the active logging levels.
Added a new analyzer for Envoy filter patch operations to provide warnings when relative patch operations are used without a priority set which can cause Envoy filters not to be applied correctly. (Issue #37415)
Added istioctl analyze beta API version support for file resources.
Added pod name and cluster name to bookinfo’s reviews, where the cluster name is determined by the CLUSTER_NAME environment variable on the reviews deployments.
Added support for parsing list type of files in istioctl analyze. (Issue #39982)
Added description to istioctl admin log.
Fixed an issue causing istioctl analyze to return an unexpected IST0134 message when ServiceEntry address is empty but mesh config ISTIO_META_DNS_AUTO_ALLOCATE is enabled.
Fixed an issue causing istioctl x injector list to provide incorrect pod information.
Fixed an issue causing ConflictingMeshGatewayVirtualServiceHosts (IST0109) message to appear with istioctl analyze when using exportTo for a specific namespace. (Issue #39634)