Change Notes
Known Issues
Memory leak in TCP Wasm extensions affecting TCP telemetry (see Issue #24720). The leak occurs when upstream connections are interrupted mid-stream.
Wasm extension configuration updates are disruptive (see Issue #13690). The configuration is immediately applied for existing requests and connections, and is not reverted if the outer xDS is rejected.
Race condition with Envoy aggregate cluster when creating an
EnvoyFilter
andServiceEntry
for the same service. Istio-injected pods are unable to start up due toistio-proxy
crashing with a segfault. See Issue #28620 for more information.
Traffic Management
Deprecated the use of the
.global
stub domain for multi-primary (formerly “replicated control planes”) multicluster configurations. The new onboarding flow uses a simpler configuration which allows services across the mesh to be accessed via*.cluster.local
. There were several limitations with.global
, such as poor load balancing when using gateways, which are no longer an issue with the new configuration.Added DNS capture in istio-agent by default for VMs installed using
istioctl x workload entry configure
.Added
holdApplicationUntilProxyStarts
field toProxyConfig
, allowing it to be configured at the pod level. Should not be used in conjunction with the deprecatedvalues.global.proxy.holdApplicationUntilProxyStarts
value. (Issue #27696)
Added support for
INSERT_FIRST
,INSERT_BEFORE
,INSERT_AFTER
insert operations forHTTP_ROUTE
inEnvoyFilter
(Issue #26692)Added
REPLACE
operation forEnvoyFilter
.REPLACE
operation can replace the contents of a named filter with new contents. It is only valid forHTTP_FILTER
andNETWORK_FILTER
. (Issue #27425)Added Istio resource status now includes observed generation (Issue #28003)
Fixed remove endpoints when the new labels in
WorkloadEntry
do not match theworkloadSelector
inServiceEntry
. (Issue #25678)Fixed when a node has multiple IP addresses (e.g., a VM in the mesh expansion scenario), Istio Proxy will now bind
inbound
listeners to the first applicable address in the list (new behavior) rather than to the last one (former behavior). (Issue #28269)
Security
Improved Gateway certificates to be read and distributed from Istiod, rather than in the gateway pods. This reduces the permissions required in the gateways, improves performance, and makes certificate reading more extensible. This change is fully backwards compatible with the old mechanism, and requires no changes to your cluster. If required, it can be disabled by setting the
ISTIOD_ENABLE_SDS_SERVER=false
environment variable in Istiod. (Pull Request #27744)Improved TLS configuration on sidecar server side inbound paths to enforce
TLSv2
version along with recommended cipher suites. If this is not needed or creates problems with non Envoy clients, it can disabled by setting Istiod env variablePILOT_SIDECAR_ENABLE_INBOUND_TLS_V2
to false. (Pull Request #27500)Updated The
ipBlocks
/notIpBlocks
fields of anAuthorizationPolicy
now strictly refer to the source IP address of the IP packet as it arrives at the sidecar. Prior to this release, if using the Proxy Protocol, then theipBlocks
/notIpBlocks
would refer to the IP address determined by the Proxy Protocol. Now theremoteIpBlocks
/notRemoteIpBlocks
fields must be used to refer to the client IP address from the Proxy Protocol. (reference)(usage)(usage) (Issue #22341)Added
AuthorizationPolicy
now supports nested JWT claims. (Issue #21340)Added support for client side Envoy secure naming config when trust domain alias is used. This fixes the multi-cluster service discovery client SAN generation to use all endpoints’ service accounts rather than the first found service registry. (Pull Request #26185)
Added Experimental feature support allowing Istiod to integrate with external certificate authorities using Kubernetes CSR API (>=1.18 only). (Issue #27606)(usage)
Added Enable user to set the custom VM identity provider for credential authentication (Issue #27947)
Added action ‘AUDIT’ to Authorization Policy that can be used to determine which requests should be audited. (Issue #25591)
Added support for migration and concurrent use of regular K8S tokens as well as new K8S tokens with audience. This feature is enabled by default, can be disabled by
REQUIRE_3P_TOKEN
environment variable in Istiod, which will require new tokens with audience. TheTOKEN_AUDIENCES
environment variable allows customizing the checked audience, default remainsistio-ca
. (Pull Request #26482)Added
AuthorizationPolicy
now supports aSource
of typeremoteIpBlocks
/notRemoteIpBlocks
that map to a newCondition
attribute calledremote.ip
that can also be used in the “when” clause. If using an http/https load balancer in front of the ingress gateway, theremote.ip
attribute is set to the original client IP address determined by theX-Forwarded-For
http header from the trusted proxy configured through thenumTrustedProxies
field of thegatewayTopology
under themeshConfig
when you install Istio or set it via an annotation on the ingress gateway. See the documentation here: Configuring Gateway Network Topology. If using a TCP load balancer with the Proxy Protocol in front of the ingress gateway, theremote.ip
is set to the original client IP address as given by the Proxy Protocol. (reference)(usage)(usage) (Issue #22341)
Telemetry
Updated the “Control Plane Dashboard” and the “Performance Dashboard” to use the
container_memory_working_set_bytes
metric to display memory. This metric only counts memory that cannot be reclaimed by the kernel even under memory pressure, and therefore more relevant for tracking. It is also consistent withkubectl top
. The reported values are lower than the previous values.Updated the Istio Workload and Istio Service dashboards resulting in faster load time. (Issue #22408)
Added
datasource
parameter to Grafana dashboards (Issue #22408)Added Listener Access Logs when
ResponseFlag
from Envoy is set. (Issue #26851)Added support for
OpenCensusAgent
formatted trace export with configurable trace context headers.Added Proxy config to control Envoy native stats generation. (Issue #26546)
Added Istio Wasm Extension Grafana Dashboard. (Issue #25843)
Added gRPC streaming message count proxy Prometheus
metrics istio_request_messages_total
andistio_response_messages_total
(Pull Request #3048)Added support for properly labeling traffic in client metrics for cases when the destination is not reached or is not behind a proxy. (Issue #20538)
Fixed interpretation of
$(HOST_IP)
in Zipkin and Datadog tracer address. (Issue #27911)Removed all Mixer-related features and functionality. This is a scheduled removal of a deprecated Istio services and deployments, as well as Mixer-focused CRDs and component and related functionality. (Issue #25333),(Issue #24300)
Installation
Promoted external control plane to alpha. (Issue #11)
Updated Kiali addon to version 1.26.
Added support for installing and upgrading Istio using Helm 3
Improved multi-network configuration so that labeling a service with
topology.istio.io/network=network-name
can configure cross-network gateways without using mesh networks.Improved sidecar injection to not modify the pod
securityPolicy.fsGroup
which could conflict with existing settings and secret mounts. This option is enabled automatically on Kubernetes 1.19+ and is not supported on older versions. (Issue #26882)Improved Generated operator manifests for use with
kustomize
are available in the manifests directory. (Issue #27139)Updated install script to bypass GitHub API Rate Limiting. (Pull Request #23469)
Added port
15012
to the default list of ports for theistio-ingressgateway
Service. (Issue #25933)Added support for Kubernetes versions 1.16 to 1.19 to Istio 1.8. (Issue #28814)
Added the ability to specify the network for a Pod using the label
topology.istio.io/network
. This overrides the setting for the cluster’s installation values (values.globalnetwork
). If the label isn’t set, it is injected based on the global value for the cluster. (Issue #25500)Deprecated installation flags
values.global.meshExpansion.enabled
in favor of user-managed config andvalues.gateways.istio-ingressgateway.meshExpansionPorts
in favor ofcomponents.ingressGateways[name=istio-ingressgateway].k8s.service.ports
(Issue #25933)Fixed Istio operator manager to allow configuring
RENEW_DEADLINE
. (Issue #27509)Fixed an issue preventing
NodePort
services from being used as theregistryServiceName
inmeshNetworks
.Removed support for installing third-party telemetry applications with
istioctl
. These applications (Prometheus, Grafana, Zipkin, Jaeger, and Kiali), often referred to as the Istio addons, must now be installed separately. This does not impact Istio’s ability to produce telemetry for those use in the addons. See Reworking our Addon Integrations for more info. (Issue #23868),(Issue #23583)Removed
istio-telemetry
andistio-policy
services and deployments from installation byistioctl
. (Issue #23868),(Issue #23583)Fixed Istio Grafana Dashboards queries which have
reporter
field. (Issue #27595)
istioctl
Improved
istioctl analyze
to find the exact line number with configuration errors when analyzing yaml files. Before, it would return the first line of the resource with the error. (Issue #22872)Updated
istioctl experimental version
andproxy-status
to use token security. A new option,--plaintext
, has been created for testing without tokens. (Issue #24905)Added istioctl commands may now refer to pods indirectly, for example
istioctl dashboard envoy deployment/httpbin
(Issue #26080)Added
io
as short name for Istio Operator resources in addition toiop
. (Issue #27159)Added
--type
foristioctl experimental create-remote-secret
to allow user specify type for the created secret.Added an experimental OpenShift Kubernetes platform profile to
istioctl
. To install with the OpenShift profile, useistioctl install --set profile=openshift
. (OpenShift Platform Setup)(Install OpenShift usingistioctl
)Added
istioctl bug-report
command to generate an archive of Istio and cluster information to assist with debugging. (Issue #26045)Added new command
istioctl experimental istiod log
to enable managing logging levels ofistiod
components. (Issue #25276),(Issue #27797)Deprecated
centralIstiod
flag in favor ofexternalIstiod
to better support external control plane model. (Issue #24471)Fixed an issue which allowed an empty revision flag on install. (Issue #26940)
Documentation
- Improved Multicluster install docs to include current
best practices, incorporating recent updates to onboarding tooling. In
particular, the multi-primary configuration (formerly known as
“replicated control planes”) no longer relies on manually configuring the
.global
stub domain, preferring instead to use*.svc.cluster.local
for accessing services throughout the mesh.