Announcing Istio 1.21.0

Mar 13, 2024

We are pleased to announce the release of Istio 1.21. This is the first Istio release of 2024. We would like to thank the entire Istio community for helping get the 1.21.0 release published. We would like to thank the Release Managers for this release, Aryan Gupta from Google, Jianpeng He from Tetrate, and Sumit Vij. The release managers would once again like to thank the Test & Release WG lead Eric Van Norman (IBM) for his help and guidance throughout the release cycle. We would also like to thank the maintainers of the Istio work groups and the broader Istio community for helping us throughout the release process with timely feedback, reviews, community testing and for all your support to help ensure a timely release.

What’s new

Easing upgrades with compatibility versions

Istio 1.21 introduces a new concept known as compatibility versions.

Compatibility versions solve a long running problem in Istio: as time passes, changes to the behavior of Istio may be desired to fix bugs, improve integration with the rest of the ecosystem, improve security, or fix surprising behaviors. However, even the smallest behavioral changes can cause issues on upgrade for a project like Istio deployed across thousands of companies in production. At best, this makes upgrades more challenging - at worst, it pushes users to not upgrade at all!

With compatibility versions, behavioral changes are decoupled from the Istio version. For example, if you want to upgrade to Istio 1.21 but don’t want to adopt the changes introduced yet, simply install with --set compatibilityVersion=1.20 to retain the 1.20 behavior.

Not sure if you need the old behavior? Not a problem, istioctl can tell you!

$ istioctl experimental precheck --from-version 1.21
Warning [IST0168] (DestinationRule default/tls) The configuration "ENABLE_AUTO_SNI"
changed in release 1.20: previously, no SNI would be set; now it will be automatically
set. Or, install with `--set compatibilityVersion=1.20` to retain the old default.

Error: Issues found when checking the cluster. Istio may not be safe to install or upgrade.
See https://istio.io/v1.21/docs/reference/config/analysis for more information about
causes and resolutions.

In this release, the following changes are gated behind compatibility versions:

• Improved ExternalName service support
• Automatic SNI for SIMPLE TLS origination in DestinationRule
• Default-on TLS verification for TLS origination in DestinationRule

istioctl experimental precheck can detect possibly impacted resources for all of these changes. For more info on these changes, see the Upgrade Notes.

Istio joins related projects like Kubernetes and Go who have introduced similar features.

Binary size reductions

With each release, Istio gets faster, more reliable, and more stable, and this release is no different. In this release, binary sizes have dropped across the board, with roughly 10MB smaller binaries.

This is especially important with the sidecar, because its deployed alongside every workload. Coming in at 25% smaller, the sidecar image can be pulled faster improving pod startup times. Additionally, the reduced binary size typically results in a 5MB RAM reduction - across many pods, this quickly adds up to cost savings.

Support for all CNIs in ambient mode

Our new ambient mode now works across all Kubernetes platforms and CNI implementations. Ambient mode has been tested with GKE, AKS, and EKS and all the CNI implementations they offer, 3rd-party CNIs like Calico and Cilium, and platforms like OpenShift, all with solid results. The engineering challenges behind this fix were described in a recent blog post.

Ambient mode is targeted to move to Beta in the upcoming Istio 1.22.

Upgrading to 1.21

We would like to hear from you regarding your experience upgrading to Istio 1.21. You can provide feedback in the #release-1.21 channel in our Slack workspace.

Would you like to contribute directly to Istio? Find and join one of our Working Groups and help us improve.

See also