We’re proud to release Istio 1.2! We are excited that we are back with a 3 month release cadence!
We’ve spent the last 3 months making some significant improvements to the overall product, with fixes and features from the Istio community. Special thanks to all of our end-users for providing feedback, feature requests, and testing the release candidates at various scales.
This release note describes what’s different between Istio 1.1.9 and Istio 1.2.
traffic.sidecar.istio.io/includeInboundPortsannotation to eliminate the need for service owner to declare
containerPortin the deployment yaml file. This will become the default in a future release.
- Added IPv6 experimental support for Kubernetes clusters.
- Improved locality based routing in multicluster environments.
- Improved outbound traffic policy in
ALLOW_ANYmode. Traffic for unknown HTTP/HTTPS hosts on an existing port will be forwarded as is. Unknown traffic will be logged in Envoy access logs.
- Added support for setting HTTP idle timeouts to upstream services.
- Improved Sidecar support for NONE mode (without iptables) .
- Added ability to configure the DNS refresh rate for sidecar Envoys, to reduce the load on the DNS servers.
- Graduated Sidecar API from Alpha to Alpha API and Beta runtime.
- Improved extend the default lifetime of self-signed Citadel root certificates to 10 years.
- Added Kubernetes health check prober rewrite per deployment via
sidecar.istio.io/rewriteAppHTTPProbers: "true"in the
- Added support for configuring the secret paths for Istio mutual TLS certificates. Refer here for more details.
- Added support for PKCS 8 private keys for workloads, enabled by the flag
- Improved JWT public key fetching logic to be more resilient to network failure.
- Fixed SAN field in workload certificates is set as
critical. This fixes the issue that some custom certificate verifiers cannot verify Istio certificates.
- Fixed mutual TLS probe rewrite for HTTPS probes.
- Graduated SNI with multiple certificates support at ingress gateway from Alpha to Stable.
- Graduated certification management on Ingress Gateway from Alpha to Beta.
- Added Full support for control over Envoy stats generation, based on stats prefixes, suffixes, and regular expressions through the use of annotations.
- Changed Prometheus generated traffic is excluded from metrics.
- Added support for sending traces to Datadog.
- Graduated distributed tracing from Beta to Stable.
- Fixed Mixer basedTCP Policy enforcement.
- Graduated Authorization (RBAC) from Alpha to Alpha API and Beta runtime.
- Improved validation of Policy & Telemetry CRDs.
- Graduated basic configuration resource validation from Alpha to Beta.
Installation and Upgrade
- Updated default proxy memory limit size(
1024Mito ensure proxy has sufficient memory.
- Added pod anti-affinity and toleration support to all of our control plane components.
sidecarInjectorWebhook.alwaysInjectSelectorto allow users to further refine whether workloads should have sidecar automatically injected or not, based on label selectors.
global.proxy.logLevelto allow users to easily configure logs for control plane and data plane components globally.
- Added support to configure the Datadog location via
- Removed Previously deprecated Adapter and Template CRDs are disabled by default. Use
mixer.adapters.useAdapterCRDs=trueinstall options to re-enable them.
Refer to the installation option change page to view the complete list of changes.
istioctl verify-installout of experimental.
istioctl verify-installto validate if a given Kubernetes environment meets Istio’s prerequisites.
- Added auto-completion support to
istioctl experimental dashboardto allow users to easily open the web UI of any Istio addons.
istioctl xalias to conveniently run
istioctl versionto report both Istio control plane and
istioctlversion info by default.
istioctl validateto validate Mixer configuration and supports deep validation with referential integrity.
- Added Istio CNI support to setup sidecar network redirection and remove the use of
- Added a new experimental ‘a-la-carte’ Istio installer to enable users to install and upgrade Istio with desired isolation and security.
- Added the DNS-discovery and iter8 in Istio ecosystem.
- Added environment variable and configuration file support for configuring Galley, in addition to command-line flags.
- Added ControlZ support to visualize the state of the MCP Server in Galley.
- Added the
enableServiceDiscoverycommand-line flag to control the service discovery module in Galley.
InitialConnWindowSizeparameters to Galley and Pilot to allow fine-tuning of MCP (gRPC) connection settings.
- Graduated configuration processing with Galley from Alpha to Beta.