Istio 1.19.0 Change Notes
Istio 1.19.0 change notes.
Deprecation Notices
These notices describe functionality that will be removed in a future release according to Istio’s deprecation policy. Please consider upgrading your environment to remove the deprecated functionality.
Artifacts
The macOS and Windows artifacts without an architecture specified in the name
(ex: istio-1.18.0-osx.tar.gz
). They will be removed in several releases. They have been replaced
by artifacts containing the architecture in the name (ex: istio-1.18.0-osx-amd64.tar.gz
). (Issue #45677)
Traffic Management
Improved JWT claim based routing to support using
[]
as a separator for nested claim names. (Issue #44228)Improved performance of sidecar injection, in particular with pods with a large number of environment variables.
Updated DNS resolution when using
ServiceEntries
so that DNS for multi-network gateways will be resolved at the proxy instead of in the control plane.Added support for
traffic.sidecar.istio.io/excludeInterfaces
annotation in proxy. (Issue #41271)Added initial ambient support for
WorkloadEntry
. (Issue #45472)Added ambient support for
WorkloadEntry
resources without an address. (Issue #45758)Added initial ambient support for ServiceEntry.
Added support for regex rewrite in VirtualService
HTTPRewrite
. (Issue #22290)Added a new TLS mode
OPTIONAL_MUTUAL
inServerTLSSettings
of Gateway that will validate client certificate if presented.Added enhancement for Dual Stack to set up the correct DNS family type.
CheckIPFamilyTypeForFirstIPs
has been added to help confirm the IP family type based on the first IP address. Changed theISTIO_DUAL_STACK
environment variable to be uniform the for both control and data plane. (Issue #41462)Fixed
WorkloadEntry
resources on different networks to not require an address to be specified. (Issue #45150)Fixed Istio’s Gateway API implementation to adhere to the Gateway API requirement that a
group: ""
field must be set for aparentRef
ofkind: Service
. Istio previously tolerated the missing group for Service-kind parent references. This is a breaking change; see the upgrade notes for details. (Issue #2309)Fixed configuring
istio.alpn
filter for non-Istio mTLS. (Issue #40680)Fixed the bug where patching
http_route
affects othervirtualhosts
. (Issue #44820)Fixed EnvoyFilter operation orders so that deleted and re-added resources don’t get deleted. (Issue #45089)
Fixed
VirtualMachine
WorkloadEntry
auto register failing with invalidistio-locality
label when user specifiedistio-locality
in./etc/istio/pod/labels
. (Issue #45413)Fixed an issue in dual stack meshes where
virtualHost.Domains
was missing the second IP address from dual stack services. (Issue #45557)Fixed a bug where route configuration is rejected with duplicate domains when
VirtualService
has the same hosts with different case. (Issue #45719)Fixed an issue where Istiod might crash when a cluster is deleted if the xDS cache is disabled. (Issue #45798)
Fixed creating
istioin
andistioout
geneve
links on nodes which already have configured an externalgeneve
link or anothergeneve
link for the same VNI and remote IP. To avoid getting errors in these cases, istio-cni dynamically determines available destination ports for createdgeneve
links.Fixed an issue where Istiod can’t auto-detect the service port change when the service is referred to by ingress using service port name. (Issue #46035)
Fixed an issue where HTTP probe’s
request.host
was not well propagated. (Issue #46087)Fixed ambient
WorkloadEntry
xDS events to fire on updates to spec. (Issue #46267)Fixed
health_checkers
EnvoyFilter extensions not being compiled into the proxy. (Issue #46277)Fixed crash when
LoadBalancer.Ingress.IP
was not present or was unset to not include empty IP strings in VIPs.Fixed regression in
HTTPGet
healthcheck
probe translation. (Issue #45632)Removed the
CNI_ENABLE_INSTALL
,CNI_ENABLE_REINSTALL
,SKIP_CNI_BINARIES
, andUPDATE_CNI_BINARIES
feature flags.Removed the support for deprecated EnvoyFilter names in Envoy API name matches. EnvoyFilter will only be matched with canonical naming standard. See the Envoy documentation for more details.
Removed the
ISTIO_DEFAULT_REQUEST_TIMEOUT
feature flag. Please use timeout in VirtualService API.Removed the
ENABLE_AUTO_MTLS_CHECK_POLICIES
feature flag.Removed the
PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH
feature flag.Removed the
PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME
feature flag.Removed the
PILOT_LEGACY_INGRESS_BEHAVIOR
feature flag.Removed the
PILOT_ENABLE_ISTIO_TAGS
feature flag.Removed the
ENABLE_LEGACY_LB_ALGORITHM_DEFAULT
feature flag.Removed the
PILOT_PARTIAL_FULL_PUSHES
feature flag.Removed the
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT
feature flag. This can be configured in MeshConfig if needed.Removed the
AUTO_RELOAD_PLUGIN_CERTS
feature flag.Removed the
PRIORITIZED_LEADER_ELECTION
feature flag.Removed the
SIDECAR_IGNORE_PORT_IN_HOST_MATCH
feature flag.Removed the
REWRITE_TCP_PROBES
feature flag.Removed support for xDS v2 types in
EnvoyFilter
s. These should use the v3 interface. This has been a warning for multiple releases and is now upgraded to an error.Removed the
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
andPILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
feature flags. These have been enabled by default since Istio 1.5.Removed support for looking up Envoy extensions in
EnvoyFilter
configuration by name without the typed config URL.Optimized EnvoyFilter index generation to avoid rebuilding all
EnvoyFilters
every time one has changed, instead only rebuilding the changedEnvoyFilter
and updating it in place.
Security
Added
insecureSkipVerify
implementation from DestinationRule. SettinginsecureSkipVerify
totrue
will disable CA certificate and Subject Alternative Names verification for the host. (Issue #33472)Added support for PeerAuthentication policies in ambient. (Issue #42696)
Added
cipher_suites
support for nonISTIO_MUTUAL
traffic through MeshConfig API. (Issue #28996)Added Certificate Revocation List (CRL) support for peer certificate validation.
Added support for a flag called
USE_EXTERNAL_WORKLOAD_SDS
. When set to true, it will require an external SDS workload socket and it will prevent the istio-proxy from starting if the workload SDS socket is not found. (Issue #45534)Fixed an issue where
jwk
issuer was not resolved correctly when having a trailing slash in the issuer URL. (Issue #45546)Removed the
SPIFFE_BUNDLE_ENDPOINTS
feature flag.
Telemetry
Added new metric named
provider_lookup_cluster_failures
for lookup cluster failures.Added support for K8s controller queue metrics, enabled by setting env variable
ISTIO_ENABLE_CONTROLLER_QUEUE_METRICS
totrue
. (Issue #44985)Added a flag to disable
OTel
builtin resource labels.Added
cluster
label forremote_cluster_sync_timeouts_total
metric. (Issue #44489)Added support for annotation
sidecar.istio.io/statsHistogramBuckets
to customize the histogram buckets in the proxy.Added HTTP metadata exchange filter to support a fallback to xDS workload metadata discovery in addition to the metadata HTTP headers. The discovery method is off by default.
Added an option to configure Envoy to report load stats to the Load Reporting Service (LRS) server.
Fixed an issue where disabling a log provider through Istio telemetry API would not work.
Fixed an issue where
Telemetry
would not be fully disabled unlessmatch.metric=ALL_METRICS
was explicitly specified; matching all metrics is now correctly considered as the default.
Extensibility
- Added an option to fail open on fetch failure and VM fatal errors.
Installation
Improved usage on OpenShift clusters by removing the need to manually create a
NetworkAttachmentDefinition
resource in every application namespace.Updated Kiali addon to version
v1.72.0
.Added support for
PodDisruptionBudget
(PDB) in the Gateway chart. (Issue #44469)Added the Helm value of setting CNI ambient
configDir
path. (Issue #45400)Added
amd64
named artifacts for macOS and Windows. Theamd64
flavor of the artifacts did not contain the architecture in the name as we do for the other operating systems. This makes the artifact naming consistent.Added
rollingUpdate
maxUnavailable
setting to the CNI deployment Helm chart to speed up deployments.Added an automatically set
GOMEMLIMIT
andGOMAXPROCS
to all deployments to improve performance.Added configurable scaling behavior for Istiod’s HPA in Helm chart (usage). (Issue #42634)
Added values to the Istio Pilot Helm charts for configuring additional container arguments:
volumeMounts
andvolumes
. Can be used in conjunction with cert-manageristio-csr
. (Issue #113)Added values to the Istiod Helm chart for configuring topologySpreadConstraints on the Deployment. Can be used for better placement of Istiod workloads. (Issue #42938)
Added Allow setting
terminationGracePeriodSeconds
for ztunnel pod via Helm chart.Fixed an issue where removing field(s) from IstioOperator and re-installing did not reflect changes in existing IstioOperator spec. (Issue #42068)
Fixed
ValidatingWebhookConfiguration
not being generated correctly with operator installation when the revision is not set. (Issue #43893)Fixed an issue where the operator did not reject invalid CIDR entries that included spaces. (Issue #45338)
Fixed an issue where the hostname package is not listed as a dependency for the VM packages. (Issue #45866)
Fixed an issue preventing the Gateway chart from being used with a custom
HorizontalPodAutoscaler
resource.Fixed an issue that Istio should using
IMDSv2
as possible on AWS. (Issue #45825)Fixed OpenShift profile setting
sidecarInjectorWebhook
causingk8s.v1.cni.cncf.io/networks
to be overwritten when using multiple networks. (Issue #43632),(Issue #45034)Fixed a null traversal issue when using
datadog
orstackdriver
with no tracing options. (Issue #45855)Fixed an issue preventing the ports of waypoint and ztunnel ports from being exposed. Scraped configuration files can be created for ambient components, too. (Issue #45093)
Removed the following experimental
istioctl
commands:add-to-mesh
,remove-from-mesh
andkube-uninject
. Usage of automatic sidecar injection is recommended instead.Removed the
ENABLE_LEGACY_FSGROUP_INJECTION
feature flag. This was intended to support Kubernetes 1.18 and older, which are out of support.Removed obsolete manifests from the
base
Helm chart. See Upgrade Notes for more information.
istioctl
Improved IST0123 warning message description.
Updated
istioctl experimental workload configure
command to accept IPv6 address passed with--ingressIP
.Added config type and endpoint configuration summaries to
istioctl proxy-config all
. (Issue #43807)Added directory support for
istioctl validate
. Now, the-f
flag accepts both file paths and directory paths.Added support for YAML output to
istioctl admin log
.Added support for checking telemetry labels, which now includes Istio canonical labels and Kubernetes recommended labels.
Added support for namespace filtering for proxy statuses. Note: please ensure that both istioctl and istiod are upgraded for this feature to work.
Added support for validating JSON files to
istioctl validate
. (Issue #46136),(Issue #46136)Added warning if user specifies more than one Istio label in the same namespace. Including
istio-injection
,istio.io/rev
,istio.io/dataplane-mode
.Added support for displaying multiple addresses of listeners in
istioctl proxy-config listeners
.Fixed
verify-install
failing to detectDaemonSet
component statuses.Fixed an issue where the cert validity was not accurate in the
istioctl proxy-config secret
command.Fixed an issue where xDS
proxy-status
was showing inaccurate Istio version. Note: please ensure that both istioctl and istiod are upgraded for this fix to work.Fixed an issue where ztunnel pods could be compared to Envoy configuration files in
istioctl proxy-status
andistioctl experimental proxy-status
. They are now excluded from the comparison.Fixed an issue where there was a parse error when performing
rootCA
comparison for ztunnel pods.Fixed an issue where analyzers were reporting messages for the gateway-managed services.
Fixed an issue where specifying multiple include conditions by
--include
inistioctl bug-report
didn’t work as expected. (Issue #45839)Fixed an issue where Kubernetes resources with revision labels were being filtered out by
istioctl analyze
when the--revision
flag was not used. (Issue #46239)Fixed an issue where the creation of a Telemetry object without any providers throws the IST0157 error. (Issue #46510)
Fixed an issue where the analyzer produced incorrect results for
GatewayPortNotOnWorkload
when there was an incorrect association ofGateway.Spec.Servers[].Port.Number
with a Service’sPort
instead of itsTargetPort
.Fixed
revision
flag missing inistioctl experimental precheck
.Removed
uninstall
command fromistioctl experimental
. Useistioctl uninstall
instead.Removed the following experimental
istioctl
commands:create-remote-secret
andremote-clusters
. They have been moved to the top levelistioctl
command.
Documentation changes
- Improved Bookinfo samples so they can now be used in OpenShift without the
anyuid
SCC privilege.