Istio 1.17.0 Change Notes
Istio 1.17.0 change notes.
Deprecation Notices
These notices describe functionality that will be removed in a future release according to Istio’s deprecation policy. Please consider upgrading your environment to remove the deprecated functionality.
Deprecated setting PILOT_CERT_PROVIDER to kubernetes for Kubernetes versions less than 1.20. PR #42233
Deprecated Lightstep provider. Please use OpenTelemetry provider instead. Issue #40027
Traffic Management
Improved MostSpecificHostMatch to prevent full scanning hosts when encountering wildcards. Issue #41453
Improved Gateway naming conventions to be the concatenation of Name and GatewayClassName. Deployment also now deploys with its own Service Account, rather than using the default token. Naming convention affects name of Deployment, Service and Service Account. PR #43103
Added dual stack support for statefulsets/headless, service entry and gateway and use getWildcardsAndLocalHost for inbound cluster building. PR #42712
Added support for ADD, REMOVE, REPLACE, INSERT_FIRST, INSERT_BEFORE, INSERT_AFTER operations for LISTENER_FILTER in EnvoyFilter. Issue #41445
Added validation to Gateway and Sidecar to prevent partial wildcards as Envoy does not support them in hostnames. Issue #42094
Added support for k8s ServiceInternalTrafficPolicy (does not take ProxyTerminatingEndpoints into account). Issue #42377
Added excludeInterfaces support to the CNI plugin. Issue #42381
Added support for missing resource types to /config_dump API. PR #42658
Fixed istio-clean-iptables to properly clean up when InboundInterceptionMode is TPROXY. PR #41431
Fixed PrivateKeyProvider may not be changed using proxy-config. Issue #41760
Fixed issue where Istio and K8S Gateway API resources are not handled correctly when namespace is selected or deselected by discovery selectors or namespace label (ENABLE_ENHANCED_RESOURCE_SCOPING=true). Issue #42173
Fixed ServiceEntries using DNS_ROUND_ROBIN being able to specify 0 endpoints. Issue #42184
Fixed ServiceEntries with a different revision label (than the Istio version installed) were being processed and endpoints for them created. Issue #42212
Fixed an issue where the sync timeout setting doesn’t work on the remote clusters. PR #42252
Fixed Kubernetes service exportTo annotation not working on gateways by fixing gateway service dependencies. Issue #42400
Fixed locality label missing for a sidecar without service selected. PR #42412
Fixed an issue where the network endpoints are incorrectly computed when network gateway changes. Issue #42818
Fixed auto-passthrough gateways not getting XDS pushes on service updates if PILOT_FILTER_GATEWAY_CLUSTER_CONFIG is enabled. PR #42721
Fixed VirtualService delegate behavior not working with defaultVirtualServiceExportTo: ["."] setting. Issue #42602
Fixed Pilot push XDS panic when PortLevelSettings[].Port is nil leading to abnormal exit of Pilot. Issue #42598
Fixed a bug that caused the Namespace’s network label to have a higher priority than the Pod’s network label. Issue #42675
Fixed pilot status to not log too many errors when PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING is not enabled. Issue #42612
Security
Added validation warning message for L7 Deny rules which will block all TCP traffic under the scope of the policy having that rule. PR #41802
Added support for using QAT (QuickAssist Technology) PrivateKeyProvider in SDS. PR #42203
Added configuration for selecting QAT private key provider for gateways and sidecars. PR #2565
Added support to copy JWT claims to HTTP request headers. Issue #39724
Fixed an issue preventing istio-proxy from accessing the root CA when automountServiceAccountToken is false and PILOT_CERT_PROVIDER is kubernetes. PR #42233
Telemetry
Updated the Telemetry API to use a new native extension (stats) for Prometheus stats instead of the Wasm-based extension. This improves CPU overhead and memory usage of the feature. Custom dimensions no longer require regex and bootstrap annotations. If customizations use CEL expressions with Wasm attributes, they are likely to be affected. PR #41441
Added an analyzer for Telemetry resource. Issue #41170 PR #41785
Added support for reporting_interval. This allows end-users to configure tcp_reporting_duration (configuration of the time between calls) via the Telemetry API for metrics reporting. This currently supports TCP metrics only, but in the future we may use this for long duration HTTP streams. Issue #41763
Fixed an issue with bad request malformed Host header in the Telemetry API when configuring Datadog tracing provider. Issue #41829
Fixed OpenTelemetry tracer not working because of missing service name. Issue #42080
Installation
Updated Kiali addon from version 1.55.1 to 1.63.1. PR #43052, PR #42193, PR #41984
Updated minimum supported Kubernetes version to 1.23.x. PR #43252
Added --purge flag to istioctl operator remove which will remove all revisions of Istio operator. Issue #41547
Added support for allowing CSR signers via Helm installation. PR #41923
Added an input to the Gateway Helm deployment to explicitly set the imagePullPolicy of a gateway deployment. Issue #42852
Fixed istioctl install fails when specifying --revision default. PR #41912
Fixed inconsistent behavior of istioctl verify-install when --revision is not specified and when it is specified with default. PR #41912
Fixed mutatingwebhook not being split when setting multiple revision tags. Issue #42234
Fixed initialization of secure gRPC server of Pilot when serving certificates are provided in default location. Issue #42249
Fixed appProtocol field not taking effect in IstioOperatorServicePort. Issue #42759
Fixed an issue where gateway pods were not respecting the global.imagePullPolicy specified in the Helm values. PR #42026
Removed warning if istio-cni is not the default CNI plugin when CNI is used as a standalone plugin. PR #41858
Removed fetching charts from URLs in istio-operator. Issue #41704
istioctl
Added revision flag to admin log to switch controls between Istiods. PR #41321
Updated admin log’s -r flag to be shorthand for --revision for consistency with other commands (originally -r was shorthand for --reset). PR #41321
Updated client-go to v1.26.1, removing support for azure and gcp auth plugins. PR #43101
Added istioctl proxy-config ecds to support retrieving typed extension configuration from Envoy for a specified pod. PR #42365
Added the ability to set proxy log level for all pods in a deployment for istioctl proxy-config log command. Issue #42919
Added --revision to istioctl analyze to specify a specific revision. Issue #38148
Fixed manifest URL path (for downloading Istio version from a GitHub release) to support multi-arch instead of hard coding it. PR #41483
Fixed the default behavior of generating manifests using the helm chart library when using istioctl without --cluster-specific option to instead use the minimum Kubernetes version defined by istioctl. Issue #42441
Fixed the issue where istioctl analyze was throwing SIGSEGV when optional field filter was missing under EnvoyFilter.ListenerMatch.FilterChainMatch section. Issue #42831
Fixed istioctl proxy-config failure when a user specifies a custom proxy admin port with --proxy-admin-port. Issue #43063
Fixed istioctl version not compatible with custom versions. PR #41650
Fixed istioctl validate not detecting service port appProtocol. PR #41517
Fixed istioctl proxy-config endpoint -f - returns Error: open -: no such file or directory. Issue #43045
Documentation changes
Fixed incorrect pilot-discovery environment variable name from VERIFY_CERT_AT_CLIENT to VERIFY_CERTIFICATE_AT_CLIENT. PR #2596
Removed comment about not supporting regex for delegate VirtualService. Issue #2527