Istio 1.18.0 Change Notes
Istio 1.18.0 change notes.
Deprecation Notices
These notices describe functionality that will be removed in a future release according to Istio’s deprecation policy. Please consider upgrading your environment to remove the deprecated functionality.
- There are no new deprecations in Istio 1.18.0
Traffic Management
Improved Gateway API Automated Deployment management logic. See Upgrade Notes for more information.
Updated the VirtualService validation to fail on empty prefix header matcher. (Issue #44424)
Updated
ProxyConfig
resources with workload selector will be applied to KubernetesGateway
pods only if the specified label isistio.io/gateway-name
. Other labels are ignored.Added provision to provide overridden/explicit value for
failoverPriority
label. This provided value is used while assigning priority for endpoints instead of the client’s value. (Issue #39111)Added prefix matching on query parameter. (Issue #43710)
Added health checks for those VMs that are not using auto-registration. (Issue #44712)
Fixed admission webhook fails with custom header value format. (Issue #42749)
Fixed fixed bug of Istio cannot be deployed on IPv6-first DS clusters for Dual Stack support in Istio. (Optimized Design)(Original Design) (Issue #40394)(Issue #41462)
Fixed an issue where
EnvoyFilter
forCluster.ConnectTimeout
was affecting unrelatedClusters
. (Issue #43435)Fixed reporting Programmed condition on Gateway API Gateway resources. (Issue #43498)
Fixed an issue that when there are different Binds specified in the Gateways with the same port and different protocols, listeners are not generated correctly. (Issue #43688)
Fixed an issue that when there are different Binds specified in the Gateways with the same port and TCP protocol, listeners are not generated correctly. (Issue #43775)
Fixed an issue with service entry deletion not deleting the corresponding endpoints in some cases. (Issue #43853)
Fixed an issue where auto allocated service entry IPs change on host reuse. (Issue #43858)
Fixed
WorkloadEntry
resources never being cleaned up if multipleWorkloadEntries
were auto-registered with the same IP and network. (Issue #43950)Fixed the
dns_upstream_failures_total
metric was mistakenly deleted in the previous release. (Issue #44151)Fixed an issue where ServiceEntry and Service had undefined or empty workload selectors. If the workload selector is undefined or empty, ServiceEntry and Service should not select any
WorkloadEntry
or endpoint.Fixed An issue where a Service Entry configured with partial wildcard hosts generates a warning during validation as the config can some times generate invalid server name match. (Issue #44195)
Fixed an issue where
Istio Gateway
(Envoy) would crash due to a duplicateistio_authn
network filter in the Envoy filter chain. (Issue #44385)Fixed a bug where services are missing in gateways if
PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
is enabled. (Issue #44439)Fixed CPU usage abnormally high when cert specified by DestinationRule are invalid. (Issue #44986)
Fixed an issue where changing a label on a workload instance with a previously matched
ServiceEntry
would not properly get removed. (Issue #42921)Fixed istiod not reconciling k8s gateway deployments and services when they are changed. (Issue #43332)
Fixed an issue where istiod does not retry resolving east-west gateway hostnames on failure. (Issue #44155)
Fixed an issue where istiod generates incorrect endpoints when it fails to resolve east-west gateway hostnames. (Issue #44155)
Fixed an issue where sidecars do not proxy DNS properly for a hostname backed by multiple services. (Issue #43152)
Fixed an issue where updating Service ExternalName does not take effect. (Issue #43440)
Fixed an issue causing VMs using auto-registration to ignore labels other than those defined in a
WorkloadGroup
. (Issue #32210)Upgraded the gateway-api integration to read
v1beta1
resources forReferenceGrant
,Gateway
, andGatewayClass
. Users of the gateway-api must be onv0.6.0+
before upgrading Istio.istioctl x precheck
can detect this issue before upgrading.Removed support for
proxy.istio.io/config
annotation applied to KubernetesGateway
pods.Removed support for
Ingress
versionnetworking.k8s.io/v1beta1
. Thev1
version has been available since Kubernetes 1.19.Removed
alpha
Gateway API types by default. They can be explicitly re-enabled withPILOT_ENABLE_ALPHA_GATEWAY_API=true
.Removed the experimental “taint controller” for Istio CNI.
Removed support for
EndpointSlice
versiondiscovery.k8s.io/v1beta1
. Thev1
version has been available since Kubernetes 1.21.EndpointSlice
v1
is automatically used on Kubernetes 1.21+, whileEndpoints
is used on older versions. This change only impacts users explicitly enablingPILOT_USE_ENDPOINT_SLICE
on Kubernetes versions older than 1.21, which is no longer supported.Removed deprecated and unsupported status conditions
Ready
,Scheduled
, andDetached
from Gateway API.
Security
Added
--profiling
flag to allow enabling or disabling profiling on pilot-agent status port. (Issue #41457)Added support for pushing additional federated trust domains from
caCertificates
to the peer SAN validator. (Issue #41666)Added support for using P384 curves when using ECDSA (PR #44459)
Added
ecdh_curves
support for nonISTIO_MUTUAL
traffic through MeshConfig API. (Issue #41645)Enabled the
AUTO_RELOAD_PLUGIN_CERTS
env var by default for istiod to noticecacerts
file changes in common cases (e.g. reload intermediate certs). (Issue #43104)Fixed ignoring default CA certificate when
PeerCertificateVerifier
is created.Fixed issue with metadata handling for Azure platform. Support added for
tagsList
serialization of tags on instance metadata. (Issue #31176)Fixed an issue where RBAC updates were not sent to older proxies after upgrading istiod to 1.17. (Issue #43785)
Fixed handling of remote SPIFFE trust bundles containing multiple certs. (Issue #44831)
Removed support for the
certificates
field inMeshConfig
. This was deprecated in 1.15, and does not work on Kubernetes 1.22+. (Issue #36231)
Telemetry
Added support to control trace id length on Zipkin tracing provider. (Issue #43359)
Added support for
METADATA
command operator in access log. (Issue #44074)Added metric expiry support, when env flags
METRIC_ROTATION_INTERVAL
andMETRIC_GRACEFUL_DELETION_INTERVAL
are enabled.Fixed an issue where you could not disable tracing in
ProxyConfig
. (Issue #31809)Fixed an issue where
ALL_METRICS
does not disable metrics as expected. (PR #43179)Fixed a bug that would cause unexpected behavior when applying access logging configuration based on the direction of traffic. With this fix, access logging configuration for
CLIENT
orSERVER
will not affect each other.Fixed pilot has an additional invalid gateway metric that was not created by the user.
Fixed an issue where grpc stats are absent. (Issue #43908),(Issue #44144)
Installation
Improved
istioctl operator remove
command to run without the confirmation in the dry-run mode. (PR #43120)Improved the
downloadIstioCtl.sh
script to not change to the home directory at the end. (Issue #43771)Improved the default telemetry installation to configure
meshConfig.defaultProviders
instead of customEnvoyFilter
s when advanced customizations are not used, improving performance.Updated the proxies
concurrency
configuration to always be detected based on CPU limits, unless explicitly configured. See upgrade notes for more info. (PR #43865)Updated
Kiali
addon to versionv1.67.0
. (PR #44498)Added env variables to support modifying grpc keepalive values. (Issue #43256)
Added support for scraping metrics in dual stack clusters. (Issue #35915)
Added make inbound port configurable. (Issue #43655)
Added injection of
istio.io/rev
annotation to sidecars and gateways for multi-revision observability.Added an automatically set GOMEMLIMIT to
istiod
to reduce the risk of out-of-memory issues. (Issue #40676)Added support for labels to be added to the Gateway pod template via
.Values.labels
. (Issue #41057),(Issue #43585)Added check to limit the
clusterrole
for k8s CSR permissions for external CAusecases
by verifying.Values.pilot.env.EXTERNAL_CA
and.Values.global.pilotCertProvider
parameters.Added configurable node affinity to istio-cni
values.yaml
. Can be used to allow excluding istio-cni from being scheduled on specific nodes.Fixed SELinux issue on
CentOS9
/RHEL9 where iptables-restore isn’t allowed to open files in/tmp
. Rules passed to iptables-restore are no longer written to a file, but are passed viastdin
. (Issue #42485)Fixed an issue where webhook configuration was being modified in dry-run mode when installing Istio with istioctl. (PR #44345)
Removed injecting label
istio.io/rev
to gateways to avoid creating pods indefinitely whenistio.io/rev=<tag>
. (Issue #33237)Removed operator skip reconcile for
iop
resources with names starting withinstalled-state
. It now relies solely on the annotationinstall.istio.io/ignoreReconcile
. This won’t affect the behavior ofistioctl install
. (Issue #29394)Removed
kustomization.yaml
andpre-generated
installation manifests (gen-istio.yaml
, etc) from published releases. These previously installed unsupported testing images, which led to accidental usage by users and tools such as Argo CD.
istioctl
Improved the
istioctl pc secret
output to display the certificate serial number in HEX. (Issue #43765)Improved the
istioctl analyze
to output mismatched proxy image messages as IST0158 on namespace level instead of IST0105 on pod level, which is more succinct.Added
istioctl analyze
will display a error when encountering two additional erroneous Telemetry scenarios. (Issue #43705)Added
--output-dir
flag to specify the output directory for thebug-report
command’s generated archive file. (Issue #43842)Added credential validation when using
istioctl analyze
to validate the secrets specified withcredentialName
in Gateway resources. (Issue #43891)Added an analyzer for showing warning messages when the deprecated
lightstep
provider is still being used. (Issue #40027)Added istiod metrics to
bug-report
, and a few more debug points liketelemetryz
. (Issue #44062)Added a “VHOST NAME” column to the output of
istioctl pc route
. (Issue #44413)Added local flags
--ui-port
for differentistioctl dashboard
commands to allow users to specify the component UI port to use for the dashboard.Fixed Server Side Apply is enabled by default for Kubernetes cluster versions above 1.22 or be detected if it can be run in Kubernetes versions 1.18-1.21.
Fixed
istioctl install --set <boolvar>=<bool>
andistioctl manifests generate --set <boolvar>=<bool>
improperly converting a boolean into a string. (Issue #43355)Fixed
istioctl experimental describe
not showing all weighted routes when the VirtualService is defined to split traffic across multiple services. (Issue #43368)Fixed
istioctl x precheck
displays unwanted IST0136 messages which are set by Istio as default. (Issue #36860)Fixed a bug in
istioctl analyze
where some messages are missed when there are services with no selector in the analyzed namespace.Fixed resource namespace resolution for
istioctl
commands.Fixed an issue where specifying the directory for temporary artifacts with
--dir
when usingistioctl bug-report
did not work. (Issue #43835)Fixed
istioctl experimental revision describe
warning gateway is not enabled when gateway exists. (Issue #44002)Fixed
istioctl experimental revision describe
has incorrect number of egress gateways. (Issue #44002)Fixed inaccuracies in analysis results when analyzing configuration files with empty content.
Fixed
istioctl analyze
no longer expects pods and runtime resources when analyzing files. (Issue #40861)Fixed
istioctl analyze
to prevent panic when the server port in Gateway is nil. (Issue #44318)Fixed the
istioctl experimental revision list
REQD-COMPONENTS
column data being incomplete and general output format.Fixed
istioctl operator remove
cannot remove the operator controller due to ano Deployment detected
error. (Issue #43659)Fixed
istioctl verify-install
fails when using multipleiops
. (Issue #42964)Fixed
istioctl experimental wait
has undecipherable message whenPILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING
is not enabled. (PR #43023)