Istio 1.2

We’re proud to release Istio 1.2! We are excited that we are back with a 3 month release cadence!

We’ve spent the last 3 months making some significant improvements to the overall product, with fixes and features from the Istio community. Special thanks to all of our end-users for providing feedback, feature requests, and testing the release candidates at various scales.

This release note describes what’s different between Istio 1.1.9 and Istio 1.2.

General

• Added traffic.sidecar.istio.io/includeInboundPorts annotation to eliminate the need for service owner to declare containerPort in the deployment yaml file. This will become the default in a future release.
• Added IPv6 experimental support for Kubernetes clusters.

Traffic Management

• Improved locality based routing in multicluster environments.
• Improved outbound traffic policy in ALLOW_ANY mode. Traffic for unknown HTTP/HTTPS hosts on an existing port will be forwarded as is. Unknown traffic will be logged in Envoy access logs.
• Added support for setting HTTP idle timeouts to upstream services.
• Improved Sidecar support for NONE mode (without iptables) .
• Added ability to configure the DNS refresh rate for sidecar Envoys, to reduce the load on the DNS servers.
• Graduated Sidecar API from Alpha to Alpha API and Beta runtime.

Security

• Improved extend the default lifetime of self-signed Citadel root certificates to 10 years.
• Added Kubernetes health check prober rewrite per deployment via sidecar.istio.io/rewriteAppHTTPProbers: "true" in the PodSpec annotation.
• Added support for configuring the secret paths for Istio mutual TLS certificates. Refer here for more details.
• Added support for PKCS 8 private keys for workloads, enabled by the flag pkcs8-keys on Citadel.
• Improved JWT public key fetching logic to be more resilient to network failure.
• Fixed SAN field in workload certificates is set as critical. This fixes the issue that some custom certificate verifiers cannot verify Istio certificates.
• Fixed mutual TLS probe rewrite for HTTPS probes.
• Graduated SNI with multiple certificates support at ingress gateway from Alpha to Stable.
• Graduated certification management on Ingress Gateway from Alpha to Beta.

Telemetry

• Added Full support for control over Envoy stats generation, based on stats prefixes, suffixes, and regular expressions through the use of annotations.
• Changed Prometheus generated traffic is excluded from metrics.
• Added support for sending traces to Datadog.
• Graduated distributed tracing from Beta to Stable.

Policy

• Fixed Mixer basedTCP Policy enforcement.
• Graduated Authorization (RBAC) from Alpha to Alpha API and Beta runtime.

Configuration Management

• Improved validation of Policy & Telemetry CRDs.
• Graduated basic configuration resource validation from Alpha to Beta.

Installation and Upgrade

• Updated default proxy memory limit size(global.proxy.resources.limits.memory) from 128Mi to 1024Mi to ensure proxy has sufficient memory.
• Added pod anti-affinity and toleration support to all of our control plane components.
• Added sidecarInjectorWebhook.neverInjectSelector and sidecarInjectorWebhook.alwaysInjectSelector to allow users to further refine whether workloads should have sidecar automatically injected or not, based on label selectors.
• Added global.logging.level and global.proxy.logLevel to allow users to easily configure logs for control plane and data plane components globally.
• Added support to configure the Datadog location via global.tracer.datadog.address.
• Removed Previously deprecated Adapter and Template CRDs are disabled by default. Use mixer.templates.useTemplateCRDs=true and mixer.adapters.useAdapterCRDs=true install options to re-enable them.

Refer to the installation option change page to view the complete list of changes.

istioctl and kubectl

• Graduated istioctl verify-install out of experimental.
• Improved istioctl verify-install to validate if a given Kubernetes environment meets Istio’s prerequisites.
• Added auto-completion support to istioctl.
• Added istioctl experimental dashboard to allow users to easily open the web UI of any Istio addons.
• Added istioctl x alias to conveniently run istioctl experimental command.
• Improved istioctl version to report both Istio control plane and istioctl version info by default.
• Improved istioctl validate to validate Mixer configuration and supports deep validation with referential integrity.

Others

• Added Istio CNI support to setup sidecar network redirection and remove the use of istio-init containers requiring NET_ADMIN capability.
• Added a new experimental ‘a-la-carte’ Istio installer to enable users to install and upgrade Istio with desired isolation and security.
• Added the DNS-discovery and iter8 in Istio ecosystem.
• Added environment variable and configuration file support for configuring Galley, in addition to command-line flags.
• Added ControlZ support to visualize the state of the MCP Server in Galley.
• Added the enableServiceDiscovery command-line flag to control the service discovery module in Galley.
• Added InitialWindowSize and InitialConnWindowSize parameters to Galley and Pilot to allow fine-tuning of MCP (gRPC) connection settings.
• Graduated configuration processing with Galley from Alpha to Beta.