Change Notes
Known Issues
- Wasm extension configuration updates can be disruptive (see Issue #29843).
Traffic Management
- Added pprof endpoint to pilot-agent. (Issue #28040)
- Added support for enabling gRPC logging with --log_output_level for pilot. (Issue #28482)
- Added a new experimental proxy option DNS_AUTO_ALLOCATE, to control auto allocation of ServiceEntry addresses. Previously, this option was tied to `DNS_CAPTURE`. Now, `DNS_CAPTURE` can be enabled without auto allocation. See Smart DNS Proxying for more info. (Issue #29324)
- Fixed istiod so that it no longer generates listeners for privileged gateway ports (<1024) if the gateway Pod does not have sufficient permissions. (Issue #27566)
- Fixed an issue that caused very high memory usage with a large number of `ServiceEntries`. (Issue #25531)
- Removed support for reading Istio configuration over the Mesh Configuration Protocol (MCP). (Pull Request #28634)
Security
- Added option to allow users to enable token exchange for their XDS flows, which exchanges a k8s token for a token that can be authenticated by their XDS servers. (Issue #29943)
- Added OIDC JWT authenticator that supports both JWKS-URI and OIDC discovery. The OIDC JWT authenticator will be used when configured through the JWT_RULE env variable. (Issue #30295)
- Added support of PeerAuthentication per-port-level configuration on pass through filter chains. (Issue #27994)
- Added an experimental `CUSTOM` action in AuthorizationPolicy for integration with external authorization systems like OPA, OAuth2 and more. See the blog on this feature for more info. (Issue #27790)
Telemetry
- Added Istio Grafana Dashboards Query Reporter Dropdown. (Issue #27595)
- Added canonical service tags to Envoy-generated trace spans. (Pull Request #28801)
- Fixed an issue to allow nested JSON structure in `meshConfig.accessLogFormat`. (Issue #28597)
- Updated Prometheus metrics to include `source_cluster` and `destination_cluster` labels by default for all scenarios. Previously, this was only enabled for multi-cluster scenarios. (Pull Request #30036)
- Updated default access log to include `RESPONSE_CODE_DETAILS` and `CONNECTION_TERMINATION_DETAILS` for proxy version >= 1.9. (Pull Request #27903)
Extensibility
- Added Reliable Wasm module remote load with Istio agent. (Issue #29989)
Networking
- Added correct iptables rules and listener filter settings to support preserving the original source IP in TPROXY mode within a cluster. (Issue #23369)
- Fixed a bug where locality weights are only applied when outlier detection is enabled. (Issue #28942)
Installation
- Added post-install/in-place upgrade verification of control plane health. Use the `--verify` flag with `istioctl install` or `istioctl upgrade`. (Issue #21715)
- Added pprof endpoint to pilot-agent. (Issue #28040)
- Added `enableIstioConfigCRDs` to `base` to allow users to specify whether the Istio CRDs will be installed. (Pull Request #28346)
- Added support in Istio 1.9 for Kubernetes versions 1.17 to 1.20. (Issue #30176)
- Added support for applications that bind to their pod IP address, rather than wildcard or localhost address, through the `Sidecar` API. (Pull Request #28178)
- Fixed an issue where the revision is not applied to the scale target reference of `HorizontalPodAutoscaler` when helm values for `hpa` are specified explicitly. (Issue #30203)
- Improved the sidecar injector to better utilize pod labels to determine if injection is required. This is not enabled by default in this release, but can be tested using `--set values.sidecarInjectorWebhook.useLegacySelectors=false`. (Pull Request #30013)
- Updated Kiali addon to the latest version v1.29. (Pull Request #30438)
istioctl
- Added `istioctl install` will detect a different installed Istio version (istioctl, control plane version) and display a warning. (Issue #18487)
- Added `istioctl apply` as an alias for `istioctl install`. (Issue #28753)
- Added `--browser` flag to `istioctl dashboard`, which controls whether you want to open a browser to view the dashboard. (Issue #29022)
- Added `istioctl verify-install` will indicate errors in red and expected configuration in green. (Issue #29336)
- Added the severity level for each analysis message in the `validationMessages` field within the `status` field. (Issue #29445)
- Added `WorkloadEntry` resources will be read from all clusters in multi-cluster installations and do not need to be duplicated. Makes Virtual Machine auto-registration compatible with multi-primary multi-cluster. This feature is disabled by default and can be enabled by setting the `PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY` environment variable in istiod. (Issue #29026)
- Added `istioctl analyze` now informs if deprecated or alpha-level annotations are present. (These checks can be disabled using `--suppress "IST0135=*"` and `--suppress "IST0136=*"` respectively.) (Issue #29154)
- Added `istioctl x injector list` command to show which namespaces have Istio sidecar injection and, for control plane canaries, show all Istio injectors and the namespaces they control. (Issue #23892)
- Fixed `istioctl` wait now tracks the resource's `metadata.generation` field, rather than `metadata.resourceVersion`. Command line arguments have been updated to reflect this. (Issue #28797)
- Fixed namespace shorthand flag missing in dashboard subcommand. (Issue #28970)
- Fixed `istioctl dashboard controlz` could not port forward to istiod pod. (Issue #30208)
- Fixed installation issue in which `--readiness-timeout` flag is not honored. (Issue #30221)
- Improved `verify-install` to detect an Istio injector without a control plane. (Issue #29607)
- Removed `istioctl convert-ingress` command. (Issue #29153)
- Removed `istioctl experimental multicluster` command. (Issue #29153)
- Removed `istioctl experimental post-install` webhook command. (Issue #29153)
- Removed `istioctl register` and `deregister` commands. (Issue #29153)
- Updated `istioctl proxy-config log` to allow filtering logs based on label. (Issue #27490)
Documentation
- Added The locality load balancing docs have been re-written into a formal traffic management task. The new docs describe in more detail how locality load balancing works as well as how to configure both failover and weighted distribution. In addition, the new docs are now automatically verified for correctness. (Pull Request #29651)