Istio 1.21.0 Change Notes
Istio 1.21.0 release notes.
Traffic Management

- Improved pilot-agent to return the HTTP probe body and status code from the probe setting in the container.
- Improved support for `ExternalName` services. See Upgrade Notes for more information.
- Improved the variables `PILOT_MAX_REQUESTS_PER_SECOND` (which rate limits the incoming requests, previously defaulted to 25.0) and `PILOT_PUSH_THROTTLE` (which limits the number of concurrent responses, previously defaulted to 100) to automatically scale with the CPU size Istiod is running on if not explicitly configured.
- Added the ability to configure the IPv4 loopback CIDR used by `istio-iptables` in various firewall rules. (Issue #47211)
- Added support for automatically setting the default network for workloads if they are added to the ambient mesh before the network topology is set. Before, when you set `topology.istio.io/network` on your Istio root namespace, you needed to manually roll out the ambient workloads to make the network change take effect. Now, the network of ambient workloads will be automatically updated even if they do not have a network label. Note that if your ztunnel is not in the same network as what you set in the `topology.istio.io/network` label in your Istio root namespace, your ambient workloads will not be able to communicate with each other.
- Added namespace discovery selector support on the gateway deployment controller. It is protected under `ENABLE_ENHANCED_RESOURCE_SCOPING`. When enabled, the gateway controller will only watch the k8s gateways that match the selector. Note it will affect both gateway and waypoint deployment.
- Added support for the delta ADS client.
- Added support for concurrent `SidecarScope` conversion. You can use `PILOT_CONVERT_SIDECAR_SCOPE_CONCURRENCY` to adjust the number of concurrent executions. Its default value is 1, meaning conversion is not executed concurrently. When `initSidecarScopes` consumes a lot of time and you want to reduce time consumption by increasing CPU consumption, you can increase the number of concurrent executions by increasing the value of `PILOT_CONVERT_SIDECAR_SCOPE_CONCURRENCY`.
- Added support for setting the `:authority` header in a virtual service's `HTTPRouteDestination`. Now, we support host rewrite for both `host` and `:authority`.
- Added prefixes to the `WasmPlugin` resource name.
- Added support for setting `idle_timeout` in `TcpProxy` filters for outbound traffic.
- Added support for In-Cluster Gateway Deployments. Deployments now have both `istio.io/gateway-name` and `gateway.networking.k8s.io/gateway-name` labels like Pods and Services.
- Added support for max concurrent streams settings in the `DestinationRule`'s HTTP traffic policy for HTTP2 connections. (Issue #47166)
- Added support for setting TCP idle timeout for HTTP services.
- Added connection pool settings to the `Sidecar` API to enable configuring the inbound connection pool for sidecars in the mesh. Previously, the `DestinationRule`'s connection pool settings applied to both client and server sidecars. Using the updated `Sidecar` API, it's now possible to configure the server's connection pool separately from the clients' in the mesh. (reference) (Issue #32130), (Issue #41235)
- Added `idle_timeout` to the TCP settings in the `DestinationRule` API to enable configuring the idle timeout per `TcpProxy` filter.
- Enabled the Envoy configuration to use an endpoint cache when there is a delay in sending endpoint configurations from Istiod when a cluster is updated.
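The following manifests, added here as an example and not taken from the release notes or the Istio project, exercise the connection pool fields described in the items above: the new `idleTimeout` and `maxConcurrentStreams` settings in a `DestinationRule`, and the separate server-side pool in the `Sidecar` API. The `bookinfo` namespace, the `reviews` host, the port and every numeric limit are assumed values chosen for illustration.

```yaml
# Added example, not from the Istio release notes or the Istio project.
# Namespace, host, port and all limits are assumed values for illustration.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews-client-pool
  namespace: bookinfo
spec:
  host: reviews.bookinfo.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
        # 1.21: idle timeout for the outbound TcpProxy filter of this host;
        # connections with no traffic for this long are closed.
        idleTimeout: 30s
      http:
        http2MaxRequests: 1000
        # 1.21: cap on concurrent streams per HTTP/2 connection to this host.
        maxConcurrentStreams: 100
---
# Before 1.21 the DestinationRule above also shaped the reviews server
# sidecar. The server's inbound pool is now set separately on a Sidecar,
# so a client's tuning can no longer loosen or tighten the server's limits.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: reviews-inbound-pool
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  # Default inbound pool for every inbound listener on the selected pods.
  inboundConnectionPool:
    tcp:
      maxConnections: 500
    http:
      http1MaxPendingRequests: 200
      http2MaxRequests: 2000
  ingress:
    - port:
        number: 9080
        protocol: HTTP
        name: http
      defaultEndpoint: 127.0.0.1:9080
      # Per-listener override of the inbound pool for this port only.
      connectionPool:
        tcp:
          maxConnections: 250
```

After applying both, the Envoy cluster config of a `reviews` pod (`istioctl proxy-config cluster <pod>.bookinfo -o json`) should show the inbound cluster thresholds taken from the `Sidecar`, while a client pod's outbound `reviews` cluster carries the `DestinationRule` values. Keep the server-side limits at least as strict as what the workload can actually serve; the `DestinationRule` only protects the client.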
- Fixed a bug where overlapping wildcard hosts in a `VirtualService` would produce incorrect routing configuration when wildcard services were selected (e.g. in `ServiceEntries`). (Issue #45415)
- Fixed an issue where the `WasmPlugin` resource was not correctly applied to the waypoint. (Issue #47227)
- Fixed an issue where sometimes the network of a waypoint was not properly configured.
- Fixed an issue where the `pilot-agent istio-clean-iptables` command was not able to clean up the iptables rules generated for the Istio DNS proxy. (Issue #47957)
- Fixed slow cleanup of auto-registered `WorkloadEntry` resources when auto-registration and cleanup would occur shortly after the initial `WorkloadGroup` creation. (Issue #44640)
- Fixed an issue where Istio was performing additional XDS pushes for `StatefulSet`/headless `Service` endpoints while scaling. (Issue #48207)
- Fixed a memory leak caused when a remote cluster is deleted or its `kubeConfig` is rotated. (Issue #48224)
- Fixed an issue where, if a `DestinationRule`'s `exportTo` includes the workload's current namespace by name (not '.'), the other namespaces listed in `exportTo` were ignored. (Issue #48349)
- Fixed an issue where the QUIC listeners were not correctly created when dual-stack is enabled. (Issue #48336)
- Fixed an issue where `convertToEnvoyFilterWrapper` returned an invalid patch that could cause a null pointer exception when it was applied.
- Fixed an issue where updating a Service's `targetPort` did not trigger an xDS push. (Issue #48580)
- Fixed an issue where in-cluster analysis was unnecessarily performed when there was no configuration change. (Issue #48665)
- Fixed a bug in the configuration generated for pods without an associated service, which incorrectly included all services within the same namespace and could occasionally lead to a conflicting inbound listeners error.
- Fixed an issue where new endpoints may not be sent to proxies. (Issue #48373)
- Fixed Gateway API `AllowedRoutes` handling for `NotIn` and `DoesNotExist` label selector match expressions. (Issue #48044)
- Fixed `VirtualService` HTTP header present match not working when `header-name: {}` is set. (Issue #47341)
- Fixed multi-cluster leader election not prioritizing a local over a remote leader. (Issue #47901)
- Fixed a memory leak when `hostNetwork` Pods scale up and down. (Issue #47893)
- Fixed a memory leak when `WorkloadEntries` change their IP address. (Issue #47893)
- Fixed a memory leak when a `ServiceEntry` is removed. (Issue #47893)
- Fixed a bug where, when there is more than one service with the same host name within the same namespace, a `STRICT_DNS cluster without endpoints` error could occur. (Issue #49489)
- Fixed an issue where, when using a delegate in a `VirtualService`, the effective `VirtualService` may not be consistent with expectations due to a sorting error. (Issue #49539)
- Fixed a bug where specifying a URI regex `.*` match within a `VirtualService` HTTP route did not short-circuit the subsequent HTTP routes.
- Fixed sending a stale name table when pure HTTP headless service endpoints are changed.
- Fixed a bug for IPv6-only clusters that prevented ServiceEntry-based listeners from having correct SNI matches. (Issue #49476)
- Fixed an issue where the local client contained incorrect entries in the local DNS name table. (Issue #47340)
- Fixed a bug where a `VirtualService` containing wildcard hosts that aren't present in the service registry was ignored. (Issue #49364)
- Upgraded ambient traffic capture and redirection compatibility by switching to an in-pod mechanism. (Issue #48212)
- Removed the `PILOT_ENABLE_INBOUND_PASSTHROUGH` environment variable, which has been enabled by default for the past 8 releases.
Security
- Improved request JWT authentication to use the upstream Envoy JWT filter instead of the custom Istio Proxy filter. Because the new upstream JWT filter capabilities are needed, the feature is gated to the proxies that support them. Note that a custom Envoy or Wasm filter that used the `istio_authn` dynamic metadata key needs to be updated to use the `envoy.filters.http.jwt_authn` dynamic metadata key.
- Updated the default value of the feature flag `ENABLE_AUTO_SNI` to `true`. If undesired, please use the new `compatibilityVersion` feature to fall back to the old behavior.
- Updated the default value of the feature flag `VERIFY_CERT_AT_CLIENT` to `true`. This means server certificates will be automatically verified using the OS CA certificates when a `DestinationRule` `caCertificates` field is not used. If undesired, please use the new `compatibilityVersion` feature to fall back to the old behavior, or the `insecureSkipVerify` field in the `DestinationRule` to skip the verification.
- Added an environment variable `COMPLIANCE_POLICY` to Istio components for enforcing TLS restrictions for compliance with FIPS. When set to `fips-140-2` on the Istiod container, the Istio Proxy container, and all other Istio components, the TLS version is restricted to `v1.2`, the cipher suites to a subset of `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, and the ECDH curves to `P-256`. These restrictions apply on the following data paths:
  - mTLS communication between Envoy proxies.
  - regular TLS on the downstream and the upstream of Envoy proxies (e.g. gateway)
  - Google gRPC side requests from Envoy proxies (e.g. Stackdriver extensions).
  - Istiod xDS server.
  - Istiod injection and validation webhook servers.

  The restrictions are not applied on the following data paths:
  - Istiod to Kubernetes API server.
  - JWK fetch from Istiod.
  - Wasm image and URL fetch from Istio Proxy containers.
  - ztunnel.

  Note that the Istio injector will propagate the value of `COMPLIANCE_POLICY` to the injected proxy container, when set. (Issue #49081)
- Added the ability for waypoints to run as non-root. (Issue #46592)
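As an added example (not from the release notes or the Istio project), the manifests below show what the `VERIFY_CERT_AT_CLIENT` and `ENABLE_AUTO_SNI` default changes mean for a sidecar that originates TLS to an external host, with the `insecureSkipVerify` escape hatch shown next to the verified configuration. The `payments` namespace, the `api.example.com` host, and the CA file path are assumptions chosen for illustration; the CA file would have to be mounted into the sidecar separately.

```yaml
# Added example, not from the Istio release notes or the Istio project.
# Namespace, host and the CA file path are assumed values for illustration.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: api-example-com
  namespace: payments
spec:
  hosts:
    - api.example.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    # The application speaks plain HTTP on port 80; the sidecar originates
    # TLS and connects to the external endpoint on 443.
    - number: 80
      name: http-port
      protocol: HTTP
      targetPort: 443
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api-example-com-tls
  namespace: payments
spec:
  host: api.example.com
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 80
        tls:
          mode: SIMPLE
          # With VERIFY_CERT_AT_CLIENT=true (the 1.21 default) the server
          # certificate is verified against the OS CA bundle even when
          # caCertificates is omitted. Pinning a specific CA narrows trust
          # to the issuer you expect rather than every public root.
          caCertificates: /etc/certs/example-root-ca.pem   # assumed mount path
          # ENABLE_AUTO_SNI=true sends the host as SNI automatically; setting
          # sni explicitly also turns off auto SAN validation (fixed in 1.21),
          # so state the expected SAN explicitly when you do.
          sni: api.example.com
          subjectAltNames:
            - api.example.com
          # Pre-1.21 behaviour, for a staged upgrade only: skipping
          # verification lets any on-path host present any certificate.
          # Prefer compatibilityVersion over this field, and remove it
          # once the CA above is in place.
          # insecureSkipVerify: true
```

A quick check after applying: from a pod in `payments`, a plain `http://api.example.com/` request should succeed, while swapping the CA file for an unrelated root should make the sidecar fail the TLS handshake rather than silently pass the request through.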
- Added a `fallback` field for `PrivateKeyProvider` to support falling back to the default BoringSSL implementation if the private key provider isn't available.
- Added support to retrieve JWT from cookies. (Issue #47847)
- Fixed a bug that made `PeerAuthentication` too restrictive in ambient mode.
- Fixed an issue where `auto-san-validation` was enabled even when SNI was explicitly set in the `DestinationRule`.
- Fixed an issue where gateways were unable to fetch JWKS from `jwksUri` in `RequestAuthentication` when `PILOT_FILTER_GATEWAY_CLUSTER_CONFIG` was enabled and `PILOT_JWT_ENABLE_REMOTE_JWKS` was set to `hybrid`/`true`/`envoy`.
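The `COMPLIANCE_POLICY` item above describes the effect of the variable but not where it is set. The following `IstioOperator` fragment is an added example, not from the release notes or the Istio project, showing one way to set it on Istiod (from which the injector propagates it to sidecars and gateways) and on the CNI component; the component list and the revision name are assumptions.

```yaml
# Added example, not from the Istio release notes or the Istio project.
# The revision name is assumed; the components shown are those this
# installation happens to use.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: fips-control-plane
  namespace: istio-system
spec:
  revision: fips          # assumed revision name
  components:
    pilot:
      k8s:
        env:
          # Restricts Istiod's xDS and webhook servers to TLS 1.2 with the
          # listed ECDHE-*-GCM suites and P-256, and is propagated by the
          # injector into every proxy it injects.
          - name: COMPLIANCE_POLICY
            value: fips-140-2
    cni:
      enabled: true
      k8s:
        env:
          # Not injected, so it needs the variable set directly.
          - name: COMPLIANCE_POLICY
            value: fips-140-2
```

Two caveats for anyone relying on this: proxies that were injected before the change keep their old environment until they are restarted, and the paths the notes list as exempt (Istiod to the API server, JWK fetches, Wasm fetches, ztunnel) still negotiate whatever TLS parameters the peer offers. Restricting TLS parameters is also not the same as running a validated cryptographic module; the notes describe this variable as enforcing a TLS restriction, nothing more.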
Telemetry
- Improved JSON access logs to emit keys in a stable ordering.
- Added support for `brotli`, `gzip`, and `zstd` compression for the Envoy stats endpoint. (Issue #30987)
- Added the `istio.cluster_id` tag to all tracing spans. (Issue #48336)
- Fixed a bug where `destination_cluster` reported by client proxies was occasionally incorrect when accessing workloads in a different network.
- Removed the legacy `EnvoyFilter` implementation for Telemetry. For the majority of users, this change has no impact, and was already enabled in previous releases. However, the following fields are no longer respected: `prometheus.configOverride`, `stackdriver.configOverride`, `stackdriver.disableOutbound`, `stackdriver.outboundAccessLogging`.
Extensibility
- Added support for outbound traffic using the PROXY Protocol. By specifying `proxyProtocol` in a `DestinationRule` `trafficPolicy`, the sidecar will send PROXY Protocol headers to the upstream service. This feature is not supported for HBONE proxy at the present time.
- Added support for matching `ApplicationProtocols` in an `EnvoyFilter`.
- Removed support for the `policy/v1beta1` API version of `PodDisruptionBudget`.
- Removed using the `BOOTSTRAP_XDS_AGENT` experimental feature to apply `BOOTSTRAP` `EnvoyFilter` patches at startup.
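The PROXY Protocol item above, as an added example that is not part of the release notes or the Istio project: a `DestinationRule` that makes the client sidecar prepend a PROXY Protocol v2 header on every outbound connection to a backend that wants the original client address. The host, namespace and protocol version are assumptions.

```yaml
# Added example, not from the Istio release notes or the Istio project.
# Host, namespace and the choice of v2 are assumed for illustration.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: legacy-backend-proxy-protocol
  namespace: default
spec:
  host: legacy-backend.default.svc.cluster.local
  trafficPolicy:
    # The sidecar prepends a PROXY Protocol header carrying the original
    # source and destination addresses before the first byte of the
    # application stream. The upstream listener must be configured to
    # expect it; an upstream that is not will read the header as garbage.
    proxyProtocol:
      version: V2
```

Treat the addresses the upstream reads from this header as informational, not as a trust decision: any client that can open a TCP connection to the backend can write its own header, so the backend should only accept PROXY Protocol from the mesh-side path it expects and should still enforce its own authentication. This also does not apply to ambient HBONE traffic, as the item notes.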
Installation
- Improved the logic that aborts graceful termination if the Envoy process terminates early. (Issue #36686)
- Updated Kiali addon to version v1.79.0.
- Added configurable scaling behavior for Gateway HPA in the Helm chart. (usage)
- Added the `allocateLoadBalancerNodePorts` config option to the Gateway chart. (Issue #48751)
- Added a message to indicate the default webhook shifting from a revisioned installation to a default installation. (Issue #48643)
- Added the `affinity` field to the Istiod Deployment. This field is used to control the scheduling of Istiod pods.
- Added the `tolerations` field to the Istiod Deployment. This field is used to control the scheduling of Istiod pods.
- Added support for "profiles" to Helm installation. Try it out with `--set profile=demo`! (Issue #47838)
- Added the setting `priorityClassName: system-node-critical` to the ztunnel DaemonSet template to ensure it is running on all nodes. (Issue #47867)
- Fixed an issue where the webhook generated with `istioctl tag set` was unexpectedly removed by the installer. (Issue #47423)
- Fixed an issue where uninstalling Istio didn't prune all the resources created by custom files. (Issue #47960)
- Fixed an issue where injection failed when the name of the Pod or its custom owner exceeded 63 characters.
- Fixed an issue causing Istio CNI to stop functioning on minimal/locked down nodes (such as those with no `sh` binary). The new logic runs with no external dependencies, and will attempt to continue if errors are encountered (which could be caused by things like SELinux rules). In particular, this fixes running Istio on Bottlerocket nodes. (Issue #48746)
- Fixed custom injection of the `istio-proxy` container not working on OpenShift because of the way OpenShift sets pods' `SecurityContext.RunAs` field.
- Fixed veth lookup for the ztunnel pod on OpenShift, where default CNIs do not create routes for each veth interface.
- Fixed an issue where installing with Stackdriver and having custom configs would lead to Stackdriver not being enabled.
- Fixed an issue where Endpoint and Service in the istiod-remote chart did not respect the revision value. (Issue #47552)
- Removed support for `.Values.cni.psp_cluster_role` as part of installation, as `PodSecurityPolicy` was deprecated.
- Removed the `istioctl experimental revision` command. Revisions can be inspected by the stable `istioctl tag list` command.
- Removed the `installed-state` `IstioOperator` that was created when running `istioctl install`. This previously provided only a snapshot of what was installed. However, it was a common source of confusion (as users would change it and nothing would happen), and did not reliably represent the current state. As there is no `IstioOperator` needed for these usages anymore, `istioctl install` and `helm install` no longer install the `IstioOperator` CRD. Note this only impacts `istioctl install`, not the in-cluster operator.
istioctl
- Improved injector list to exclude ambient namespaces.
- Improved `bug-report` performance by reducing the number of calls to the k8s API. The pod/node details included in the report will look different, but contain the same information.
- Improved `istioctl bug-report` to sort gathered events by creation date.
- Updated `verify-install` to not require an IstioOperator file, since it is now removed from the installation process.
- Added support for deleting multiple waypoints at once via `istioctl experimental waypoint delete <waypoint1> <waypoint2> ...`.
- Added the `--all` flag to `istioctl experimental waypoint delete` to delete all waypoint resources in a given namespace.
- Added an analyzer to warn users if they set the `selector` field instead of the `targetRef` field for specific Istio resources, which will cause the resource to be ineffective. (Issue #48273)
- Added message IST0167 to warn users that policies, such as Sidecar, will have no impact when applied to ambient namespaces. (Issue #48105)
- Added a bootstrap summary to all config dumps' summary.
- Added completion for Kubernetes pods for some commands that can select pods, such as `istioctl proxy-status <pod>`.
- Added the `--wait` option to the `istioctl experimental waypoint apply` command. (Issue #46297)
- Added `path_separated_prefix` to the MATCH column in the output of the `proxy-config routes` command.
- Fixed an issue where sometimes control plane revisions and proxy versions were not obtained in the bug report.
- Fixed an issue where the `istioctl tag list` command didn't accept the `--output` flag. (Issue #47696)
- Fixed an issue where the default namespace of the Envoy and proxy dashboard commands was not set to the actual default namespace.
- Fixed an issue where the IST0158 message was incorrectly reported when the `imageType` field was set to `distroless` in mesh config. (Issue #47964)
- Fixed an issue where `istioctl experimental version` showed no proxy info.
- Fixed an issue where the IST0158 message was incorrectly reported when the `imageType` field was set by the `ProxyConfig` resource, or by the resource annotation `proxy.istio.io/config`.
- Fixed an issue where `proxy-config ecds` didn't show all of `EcdsConfigDump`.
- Fixed injector list showing duplicated namespaces for the same injector hook.
- Fixed `analyze` not working correctly when analyzing files containing resources that already exist in the cluster. (Issue #44844)
- Fixed `analyze` reporting errors for empty files. (Issue #45653)
- Fixed an issue where the External Control Plane Analyzer was not working in some remote control plane setups.
- Fixed an issue where `istioctl precheck` inaccurately reported the IST0141 message related to resource permissions. (Issue #49379)
- Removed the `--rps-limit` flag for `istioctl bug-report` and added the `--rq-concurrency` flag. The bug reporter will now limit request concurrency instead of limiting the request rate to the Kube API.
Documentation changes
- Fixed `httpbin` sample manifests to deploy correctly on OpenShift.