Announcing Istio 1.9.1
This release fixes the security vulnerability described in our March 1st, 2021 news post and includes bug fixes to improve robustness.
This release note describes what’s different between Istio 1.9.0 and Istio 1.9.1.
A zero-day security vulnerability was fixed in the version of Envoy shipped with Istio 1.9.0. This vulnerability was fixed on February 26th, 2021. 1.9.0 is the only version of Istio that includes the vulnerable version of Envoy. This vulnerability can only be exploited on misconfigured systems.
Improved sidecar injection to automatically specify the kubectl.kubernetes.io/default-logs-container. This ensures kubectl logs defaults to reading the application container’s logs, rather than requiring explicitly setting the container. (Issue #26764)
Improved the sidecar injector to better utilize pod labels to determine if injection is required. This is not enabled by default in this release, but can be tested using --set values.sidecarInjectorWebhook.useLegacySelectors=false. (Issue #30013)
Updated Prometheus metrics to include destination_cluster labels by default for all scenarios. Previously, this was only enabled for multi-cluster scenarios. (Issue #30036)
Updated default access log to include CONNECTION_TERMINATION_DETAILS for proxy version >= 1.9. (Issue #27903)
Updated Kiali addon to the latest version v1.29. (Issue #30438)
base to allow users to specify whether the Istio CRDs will be installed. (Issue #28346)
Added support for DestinationRule inheritance for mesh/namespace level rules. Enable feature with the PILOT_ENABLE_DESTINATION_RULE_INHERITANCE environment variable. (Issue #29525)
Added support for applications that bind to their pod IP address, rather than wildcard or localhost address, through the Sidecar API. (Issue #28178)
Added flag to enable capture of DNS traffic to the istio-iptables script. (Issue #29908)
Added canonical service tags to Envoy-generated trace spans. (Issue #28801)
Fixed an issue causing the timeout header x-envoy-upstream-rq-timeout-ms to not be honored. (Issue #30885)
Fixed an issue where the access log service causes the Istio proxy to reject configuration. (Issue #30939)
Fixed an issue causing an alternative Envoy binary to be included in the Docker image. The binaries are functionally equivalent. (Issue #31038)
Fixed an issue where the TLS v2 version was enforced only on HTTP ports. This option is now applied to all ports.
Fixed an issue where a Wasm plugin configuration update would cause requests to fail. (Issue #29843)
Removed support for reading Istio configuration over the Mesh Configuration Protocol (MCP). (Issue #28634)