Change Notes
General
- Added the `traffic.sidecar.istio.io/includeInboundPorts` annotation to eliminate the need for service owners to declare `containerPort` in the deployment YAML file. This will become the default in a future release.
- Added IPv6 experimental support for Kubernetes clusters.
Traffic management
- Improved locality based routing in multicluster environments.
- Improved outbound traffic policy in `ALLOW_ANY` mode. Traffic for unknown HTTP/HTTPS hosts on an existing port is forwarded as is. Unknown traffic is logged in Envoy access logs.
- Added support for setting HTTP idle timeouts to upstream services.
- Improved Sidecar support for NONE mode (without iptables).
- Added ability to configure the DNS refresh rate for sidecar Envoys, to reduce the load on the DNS servers.
- Graduated Sidecar API from Alpha to Alpha API and Beta runtime.
Security
- Improved the default lifetime of self-signed Citadel root certificates by extending it to 10 years.
- Added Kubernetes health check prober rewrite per deployment via the `sidecar.istio.io/rewriteAppHTTPProbers: "true"` annotation in the `PodSpec`.
- Added support for configuring the secret paths for Istio mutual TLS certificates. Refer here for more details.
- Added support for PKCS 8 private keys for workloads, enabled by the `pkcs8-keys` flag on Citadel.
- Improved JWT public key fetching logic to be more resilient to network failure.
- Fixed the SAN field in workload certificates so that it is set as `critical`. This fixes the issue that some custom certificate verifiers cannot verify Istio certificates.
- Fixed mutual TLS probe rewrite for HTTPS probes.
- Graduated SNI with multiple certificates support at ingress gateway from Alpha to Stable.
- Graduated certification management on Ingress Gateway from Alpha to Beta.
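As an added example (not taken from the Istio release notes or the Istio project), a Deployment pod template that uses two of the annotations above: `traffic.sidecar.istio.io/includeInboundPorts` so the sidecar intercepts the listed port without a `containerPort` declaration, and `sidecar.istio.io/rewriteAppHTTPProbers` so kubelet HTTP probes keep succeeding when the application port sits behind mutual TLS. The application name, image and port values are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app                 # constructed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
      annotations:
        # Inbound ports the sidecar should intercept (assumed value). This
        # replaces the need to declare containerPort on the container below.
        traffic.sidecar.istio.io/includeInboundPorts: "8080"
        # Rewrite the HTTP liveness/readiness probes so the sidecar agent
        # answers kubelet and forwards the check to the app locally; kubelet
        # is outside the mesh, so without this the probes would fail once
        # the app port requires mutual TLS.
        sidecar.istio.io/rewriteAppHTTPProbers: "true"
    spec:
      containers:
      - name: app
        image: example.invalid/example-app:1.0   # placeholder image
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
```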
Telemetry
- Added full support for control over Envoy stats generation, based on stats prefixes, suffixes, and regular expressions through the use of annotations.
- Changed Prometheus-generated traffic to be excluded from metrics.
- Added support for sending traces to Datadog.
- Graduated distributed tracing from Beta to Stable.
Policy
- Fixed Mixer-based TCP Policy enforcement.
- Graduated Authorization (RBAC) from Alpha to Alpha API and Beta runtime.
Configuration management
- Improved validation of Policy & Telemetry CRDs.
- Graduated basic configuration resource validation from Alpha to Beta.
Installation and upgrade
- Updated default proxy memory limit size (`global.proxy.resources.limits.memory`) from `128Mi` to `1024Mi` to ensure the proxy has sufficient memory.
- Added pod anti-affinity and toleration support to all of our control plane components.
- Added `sidecarInjectorWebhook.neverInjectSelector` and `sidecarInjectorWebhook.alwaysInjectSelector` to allow users to further refine whether workloads should have a sidecar automatically injected or not, based on label selectors.
- Added `global.logging.level` and `global.proxy.logLevel` to allow users to easily configure logs for control plane and data plane components globally.
- Added support to configure the Datadog location via `global.tracer.datadog.address`.
- Removed: previously deprecated Adapter and Template CRDs are disabled by default. Use the `mixer.templates.useTemplateCRDs=true` and `mixer.adapters.useAdapterCRDs=true` install options to re-enable them.
Refer to the installation option change page to view the complete list of changes.
istioctl and kubectl
- Graduated `istioctl verify-install` out of experimental.
- Improved `istioctl verify-install` to validate whether a given Kubernetes environment meets Istio's prerequisites.
- Added auto-completion support to `istioctl`.
- Added `istioctl experimental dashboard` to allow users to easily open the web UI of any Istio addons.
- Added the `istioctl x` alias to conveniently run the `istioctl experimental` command.
- Improved `istioctl version` to report both Istio control plane and `istioctl` version info by default.
- Improved `istioctl validate` to validate Mixer configuration and support deep validation with referential integrity.
Miscellaneous
- Added Istio CNI support to set up sidecar network redirection and remove the use of `istio-init` containers requiring the `NET_ADMIN` capability.
- Added a new experimental 'a-la-carte' Istio installer to enable users to install and upgrade Istio with the desired isolation and security.
- Added environment variable and configuration file support for configuring Galley, in addition to command-line flags.
- Added ControlZ support to visualize the state of the MCP Server in Galley.
- Added the `enableServiceDiscovery` command-line flag to control the service discovery module in Galley.
- Added `InitialWindowSize` and `InitialConnWindowSize` parameters to Galley and Pilot to allow fine-tuning of MCP (gRPC) connection settings.
- Graduated configuration processing with Galley from Alpha to Beta.