Announcing Istio 1.5

Major Update

We are pleased to announce the release of Istio 1.5!

We’ve made it simpler to install and run Istio by consolidating the control plane components into a single binary; we’ve introduced a powerful and fast new extension model for proxy servers across the industry, and we’ve continued to improve usability, security, telemetry and traffic control.

After a year of amazing growth and learning, we have packed more in this release than any since 1.1. A year ago we decided to move to quarterly releases, and we are happy to report that this is the fifth consecutive time we have met that goal. Users are getting more new functionality faster than ever!

Here’s some of what’s coming to you in today’s release:

Introducing Istiod

We are dramatically simplifying the experience of installing, running, and upgrading Istio by “embracing the monolith” and consolidating our control plane into a single new binary - Istiod. Operators’ lives will get much easier with fewer moving parts which are easier to debug and understand. For mesh users, Istiod doesn’t change any of their experience: all APIs and runtime characteristics are consistent with the previous components.

Keep your eyes out for a blog post in the coming days devoted to Istiod, and the benefits of moving to a simpler deployment model.

A new model for extensibility

Istio has long been the most extensible service mesh, with Mixer plugins allowing custom policy and telemetry support and Envoy extensions allowing data plane customization. In Istio 1.5 we’re announcing a new model that unifies Istio’s extensibility model with Envoy’s, using WebAssembly (Wasm). Wasm will give developers the ability to safely distribute and execute code in the Envoy proxy – to integrate with telemetry systems, policy systems, control routing and even transform the body of a message. It will be more flexible and more efficient, eliminating the need for running a Mixer component separately (which also simplifies deployments).

Read our Wasm blog post, and look out for posts from Google, and the Envoy community for much more detail about this exciting work!

Easier to use

We’re always making Istio easier to adopt and use, and this release in particular has some cool enhancements. Command line installation of Istio using istioctl is now beta for installation and will work for most customers in most use cases. Managing your installation via an Operator is still alpha, but we continue to improve it with a new IstioOperator API.

Speaking of istioctl, it has over a dozen improvements – new items it can analyze, better validation rules, and better ability to integrate with CI systems (look for examples coming soon!). It is now an essential tool for understanding the state of a running Istio system and for ensuring that configuration changes are safe. And istioctl analyze has graduated from the Experimental stage.

We have made numerous enhancements to Istio security to make it easier to use. mTLS configuration is simplified and automated with the Beta launch of auto mTLS. We have simplified access control by removing indirection and consolidating to a single CRD with the beta launch of authorization policy in Istio 1.4.

More secure

As always, we are working to make Istio more secure with every release. With 1.5, all security policies including Auto mTLS, AuthenticationPolicy (PeerAuthentication and RequestAuthentication) and authorization are now in Beta. SDS is now stable. Authorization now supports Deny semantics to enforce mandatory controls that cannot be overridden. We have combined the Node agent and the Istio agent into a single binary, which means we no longer require configuration of a PodSecurityPolicy.

The improvements don’t stop there. We no longer need to mount certificates on every pod nor have to restart Envoy when certificates change. Certificates are delivered directly from Istiod to every pod. And whats more, each pod gets a unique certificate.

Look for blog posts in the coming days for a deeper dive on Istio security and the threats that it helps mitigate.

Better observability

We continue to invest in making Istio the best way to understand your distributed applications. Telemetry v2 now reports metrics for raw TCP connections (in addition to HTTP), and we’ve enhanced the support for gRPC workloads by adding response status codes in telemetry and logs. Telemetry v2 is now used by default.

The new telemetry system cuts latency in half - 90th percentile latency has been reduced from 7ms to 3.3 ms. Not only that, but the elimination of Mixer has reduced total CPU consumption by 50% to 0.55 vCPUs per 1,000 requests per second.

Join the Istio community

As always, there is a lot happening in the Community Meeting; join us every other Thursday at 10 AM Pacific. We’d love to have you join the conversation at Istio Discuss, and you can also join our Slack workspace.

We were very proud to be called out as one of the top five fastest growing open source projects in all of GitHub. Want to get involved? Join one of our Working Groups and help us make Istio even better.