Istio 1.15.0 Change Notes
Traffic Management
Improved the number of pushes to gateway proxies by not pushing when services are not visible from the gateway. (Issue #39110)
Improved compatibility with minimal host operating systems without nsenter binary (like Talos OS). The cni.conf flag HostNSEnterExec reverts to old behavior with use of nsenter. (Issue #38794)
Updated istiod to allow unknown flags for backward-compatibility. If an unknown flag is passed, no warning or error will be logged.
Added a validation warning when protocol is unset and address is also unset. (Issue #27990)
Added support for configuring internal addresses for the mesh. This can be enabled by setting ENABLE_HCM_INTERNAL_NETWORKS to true.
Added sidecar traffic.sidecar.istio.io/excludeInterfaces annotation. (Issue #39404)
Added support for configuring max_connection_duration in DestinationRule.
Added support to inject faults by specifying gRPC status code.
Added support for sending parallel DNS queries to all nameservers in the Istio agent. This feature is disabled by default and can be enabled by setting the istio-agent environment variable DNS_FORWARD_PARALLEL=true. (Issue #39598)
Added support for tunneling outbound traffic via external HTTP forward proxies using HTTP CONNECT or POST methods. Tunnel settings can be applied only to TCP and TLS listeners; HTTP listeners are not supported for now.
Added an option for sidecar Host header matching to ignore port numbers. This can be controlled by the SIDECAR_IGNORE_PORT_IN_HOST_MATCH environment variable.
Fixed CNI installation to detect changes in projected service account token and reinstall istio-cni plugin with a new kubeconfig. (Issue #38077)
Fixed an issue where some ServiceEntry hostnames could cause non-deterministic Envoy routes. (Issue #38678)
Fixed an issue when network gateway names could not be properly resolved in some cases. (Issue #38689)
Fixed an issue where updating split DestinationRules did not take effect if the RDS/CDS/EDS cache was enabled. (Issue #39726)
Fixed an issue where Istio would send traffic to unready pods when PILOT_SEND_UNHEALTHY_ENDPOINTS was enabled. (Issue #39825)
Fixed an issue causing rejected configuration when using STATIC ServiceEntries with PASSTHROUGH DestinationRules. (Issue #39736)
Fixed an issue causing Envoy clusters to be stuck initializing, blocking configuration updates or proxy startup. (Issue #38709)
Fixed an issue causing traffic not to match (and return a 404) when using wildcard domain names and including an unexpected port in the Host header.
Fixed an issue causing traffic to match an unexpected route when using wildcard domain names and including a port in the Host header.
Fixed a potential memory leak triggered by updating ServiceEntry hostname.
Fixed an issue that can cause xDS configuration updates to be blocked during high traffic. (Issue #39209)
Security
Added an istio-agent environment variable WORKLOAD_RSA_KEY_SIZE for configuring the RSA key size of workload certificates.
Fixed a bug where the n dynamically generated by JWKS was not base64 encoded, causing envoy to fail to parse it correctly.
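The JWKS fix above concerns the n member of an RSA JWK, which RFC 7518 defines as the unpadded base64url encoding of the modulus. The following Go check for that property is an added example, not Istio code; SampleJWKS, CheckJWKS and the wantBits parameter are hypothetical names, and the JWKS documents are constructed from a throwaway key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// SampleJWKS builds a constructed one-key JWKS from a throwaway 2048-bit key.
// With encodeN false the modulus is left as a decimal string (unencoded "n").
func SampleJWKS(encodeN bool) []byte {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	n := key.N.String()
	if encodeN {
		n = base64.RawURLEncoding.EncodeToString(key.N.Bytes())
	}
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","e":"AQAB","n":"%s"}]}`, n))
}

// CheckJWKS rejects an RSA key whose "n" is not unpadded base64url or does not
// decode to an odd modulus of exactly wantBits bits (wantBits is an assumption).
func CheckJWKS(doc []byte, wantBits int) error {
	var set struct {
		Keys []struct{ Kty, N string }
	}
	if err := json.Unmarshal(doc, &set); err != nil {
		return fmt.Errorf("invalid JWKS JSON: %w", err)
	}
	for i, k := range set.Keys {
		raw, err := base64.RawURLEncoding.DecodeString(k.N)
		n := new(big.Int).SetBytes(raw)
		if k.Kty == "RSA" && (err != nil || n.BitLen() != wantBits || n.Bit(0) == 0) {
			return fmt.Errorf("key %d: n is not a base64url odd %d-bit modulus (decode error: %v)", i, wantBits, err)
		}
	}
	return nil
}

func main() {
	fmt.Println("encoded n:  ", CheckJWKS(SampleJWKS(true), 2048))
	fmt.Println("unencoded n:", CheckJWKS(SampleJWKS(false), 2048))
}
```

The exact bit-length comparison matters because decimal and hex digits are themselves valid base64url characters, so a decode-only check can accept an unencoded modulus.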
Telemetry
Fixed the TCP metadata exchange between sidecar client and ISTIO_MUTUAL, TCP server at the gateway.
Fixed a bug that would ignore some configuration when specifying multiple accessLogging in Telemetry resources within a single stanza. With this fix, all provided access logging configurations within a single stanza of a Telemetry resource are respected. (Issue #39468)
Extensibility
Added the WASM_MODULE_EXPIRY, WASM_PURGE_INTERVAL, WASM_HTTP_REQUEST_TIMEOUT, and WASM_HTTP_REQUEST_MAX_RETRIES istio-agent environment variables to control WASM cache related parameters.
Added the ability to decompress and/or untar the WASM binary when it is pulled via HTTP/HTTPS.
Added the WASM_INSECURE_REGISTRIES istio-agent environment variable for when the WasmPlugin is pointing to an HTTP/HTTPS server.
Extended the scope of ImagePullPolicy in WasmPlugin to accept HTTP/HTTPS URLs in addition to OCI image URLs.
Installation
Added support for arm64 architecture for all components. (Issue #26652)
Added --log_output_level and --log_as_json to the istio-init container (as they are in istio-proxy).
Added values to the Istio Gateway Helm chart for configuring topologySpreadConstraints on the gateway deployment.
Added support for watching local secret resource updates for external istiod. (Issue #31946)
Updated the default value of the feature flag ENABLE_LEGACY_FSGROUP_INJECTION to false. This may cause issues with sidecars when installing on Helm on Kubernetes versions prior to 1.19.
Updated the Kiali addon to the latest version (v1.55.1).
Improved external control plane setup instructions, including tips for simpler control plane ingress setup, making it easier to experiment with the external control plane deployment model in a test environment.
Removed the deprecated remote.yaml profile which is equivalent to the default profile. (Issue #38832)
istioctl
Promoted istioctl x uninstall to istioctl uninstall. (Issue #40339)
Improved the output format of the active logging levels.
Added a new analyzer for Envoy filter patch operations to provide warnings when relative patch operations are used without a priority set which can cause Envoy filters not to be applied correctly. (Issue #37415)
Added istioctl analyze beta API version support for file resources.
Added pod name and cluster name to bookinfo’s reviews, where the cluster name is determined by the CLUSTER_NAME environment variable on the reviews deployments.
Added support for parsing list type of files in istioctl analyze. (Issue #39982)
Added description to istioctl admin log.
Fixed an issue causing istioctl analyze to return an unexpected IST0134 message when ServiceEntry address is empty but mesh config ISTIO_META_DNS_AUTO_ALLOCATE is enabled.
Fixed an issue causing istioctl x injector list to provide incorrect pod information.
Fixed an issue causing ConflictingMeshGatewayVirtualServiceHosts (IST0109) message to appear with istioctl analyze when using exportTo for a specific namespace. (Issue #39634)