Change Notes

General

  • Added traffic.sidecar.istio.io/includeInboundPorts annotation to eliminate the need for service owner to declare containerPort in the deployment yaml file. This will become the default in a future release.
  • Added IPv6 experimental support for Kubernetes clusters.

Traffic management

  • Improved locality based routing in multicluster environments.
  • Improved outbound traffic policy in ALLOW_ANY mode. Traffic for unknown HTTP/HTTPS hosts on an existing port will be forwarded as is. Unknown traffic will be logged in Envoy access logs.
  • Added support for setting HTTP idle timeouts to upstream services.
  • Improved Sidecar support for NONE mode (without iptables) .
  • Added ability to configure the DNS refresh rate for sidecar Envoys, to reduce the load on the DNS servers.
  • Graduated Sidecar API from Alpha to Alpha API and Beta runtime.

Security

  • Improved extend the default lifetime of self-signed Citadel root certificates to 10 years.
  • Added Kubernetes health check prober rewrite per deployment via sidecar.istio.io/rewriteAppHTTPProbers: "true" in the PodSpec annotation.
  • Added support for configuring the secret paths for Istio mutual TLS certificates. Refer here for more details.
  • Added support for PKCS 8 private keys for workloads, enabled by the flag pkcs8-keys on Citadel.
  • Improved JWT public key fetching logic to be more resilient to network failure.
  • Fixed SAN field in workload certificates is set as critical. This fixes the issue that some custom certificate verifiers cannot verify Istio certificates.
  • Fixed mutual TLS probe rewrite for HTTPS probes.
  • Graduated SNI with multiple certificates support at ingress gateway from Alpha to Stable.
  • Graduated certification management on Ingress Gateway from Alpha to Beta.

Telemetry

  • Added Full support for control over Envoy stats generation, based on stats prefixes, suffixes, and regular expressions through the use of annotations.
  • Changed Prometheus generated traffic is excluded from metrics.
  • Added support for sending traces to Datadog.
  • Graduated distributed tracing from Beta to Stable.

Policy

Configuration management

  • Improved validation of Policy & Telemetry CRDs.
  • Graduated basic configuration resource validation from Alpha to Beta.

Installation and upgrade

  • Updated default proxy memory limit size(global.proxy.resources.limits.memory) from 128Mi to 1024Mi to ensure proxy has sufficient memory.
  • Added pod anti-affinity and toleration support to all of our control plane components.
  • Added sidecarInjectorWebhook.neverInjectSelector and sidecarInjectorWebhook.alwaysInjectSelector to allow users to further refine whether workloads should have sidecar automatically injected or not, based on label selectors.
  • Added global.logging.level and global.proxy.logLevel to allow users to easily configure logs for control plane and data plane components globally.
  • Added support to configure the Datadog location via global.tracer.datadog.address.
  • Removed Previously deprecated Adapter and Template CRDs are disabled by default. Use mixer.templates.useTemplateCRDs=true and mixer.adapters.useAdapterCRDs=true install options to re-enable them.

Refer to the installation option change page to view the complete list of changes.

istioctl and kubectl

  • Graduated istioctl verify-install out of experimental.
  • Improved istioctl verify-install to validate if a given Kubernetes environment meets Istio’s prerequisites.
  • Added auto-completion support to istioctl.
  • Added istioctl experimental dashboard to allow users to easily open the web UI of any Istio addons.
  • Added istioctl x alias to conveniently run istioctl experimental command.
  • Improved istioctl version to report both Istio control plane and istioctl version info by default.
  • Improved istioctl validate to validate Mixer configuration and supports deep validation with referential integrity.

Miscellaneous

  • Added Istio CNI support to setup sidecar network redirection and remove the use of istio-init containers requiring NET_ADMIN capability.
  • Added a new experimental ‘a-la-carte’ Istio installer to enable users to install and upgrade Istio with desired isolation and security.
  • Added environment variable and configuration file support for configuring Galley, in addition to command-line flags.
  • Added ControlZ support to visualize the state of the MCP Server in Galley.
  • Added the enableServiceDiscovery command-line flag to control the service discovery module in Galley.
  • Added InitialWindowSize and InitialConnWindowSize parameters to Galley and Pilot to allow fine-tuning of MCP (gRPC) connection settings.
  • Graduated configuration processing with Galley from Alpha to Beta.
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!