Announcing Istio 1.2
We are pleased to announce the release of Istio 1.2!
The theme of 1.2 is Predictable Releases - predictable in quality (we want every release to be a good release) as well as in time (we want to be able to ship on well known schedules).
As nearly anyone using Istio 1.0 noticed, it took us a long time to get 1.1 out. Far too long. One of the reasons was that we needed to do some work on our testing and infrastructure – it was simply far too manual a process to build, test and release. Because of that, 1.2 focuses on improving the stability of these new features, and improving general product health.
In order to make release quality and timing predictable, we declared a “Code Mauve”, meaning that we would spend the next iteration focusing on project infrastructure. As a result, we’ve been investing a ton of effort in our build, test and release machinery.
We formed 3 new teams (GitHub Workflow, Source Organization, Testing Methodology, and Build & Release Automation). Each had a set of issues to take on and a set of exit criteria. Code Mauve isn’t over yet, in fact we expect it to go on for some time. We’re putting in place the infrastructure to measure the metrics each team decided on (paraphrasing Peter Drucker: if you can’t measure it, you can’t manage it).
You might have noticed that the patch releases for 1.1 have been coming fast and furious.
In order to get features in the hands of our customers and users as soon as possible, most of the new features from the last three months have been delivered in 1.1.x releases. With 1.2, those features are now officially part of the release.
We're seeing early results from the usability group. In the release notes,
you'll find that you can now set log levels for the control plane and the
data plane globally. You can use
istioctl to validate that your Kubernetes
installation meets Istio's requirements. And the new
traffic.sidecar.istio.io/includeInboundPorts annotation to eliminate the
need for service owner to declare
containerPort in the deployment yaml.
Some of the features have matured as well. The following features have progressed from Beta status to Stable: SNI at ingress, distributed tracing, and service tracing. The following features have reached beta status: cert management on ingress, configuration resource validation, and configuration processing with Galley. We know there are lots of feature requests outstanding, and we have an exciting roadmap (watch for a forthcoming post from the TOC on that). The work we have done in this release has taken care of some technical debt which will help us get those features out reliably in future.
As always, there is also a lot happening in the Community
Meeting (Thursdays at
11 a.m. Pactific) and in the Working
if you haven’t yet joined the conversation at
discuss.istio.io, head over, log in with your
GitHub credentials and join us!
traffic.sidecar.istio.io/includeInboundPortsannotation to eliminate the need for service owner to declare
containerPortin the deployment yaml file. This will become the default in a future release.
- Added IPv6 experimental support for Kubernetes clusters.
- Improved locality based routing in multicluster environments.
- Improved outbound traffic policy in
ALLOW_ANYmode. Traffic for unknown HTTP/HTTPS hosts on an existing port will be forwarded as is. Unknown traffic will be logged in Envoy access logs.
- Added support for setting HTTP idle timeouts to upstream services.
- Improved Sidecar support for NONE mode (without iptables) .
- Added ability to configure the DNS refresh rate for sidecar Envoys, to reduce the load on the DNS servers.
- Graduated Sidecar API from Alpha to Alpha API and Beta runtime.
- Improved extend the default lifetime of self-signed Citadel root certificates to 10 years.
- Added Kubernetes health check prober rewrite per deployment via
sidecar.istio.io/rewriteAppHTTPProbers: "true"in the
- Added support for configuring the secret paths for Istio mutual TLS certificates. Refer here for more details.
- Added support for PKCS 8 private keys for workloads, enabled by the flag
- Improved JWT public key fetching logic to be more resilient to network failure.
- Fixed SAN field in workload certificates is set as
critical. This fixes the issue that some custom certificate verifiers cannot verify Istio certificates.
- Fixed mutual TLS probe rewrite for HTTPS probes.
- Graduated SNI with multiple certificates support at ingress gateway from Alpha to Stable.
- Graduated certification management on Ingress Gateway from Alpha to Beta.
- Added Full support for control over Envoy stats generation, based on stats prefixes, suffixes, and regular expressions through the use of annotations.
- Changed Prometheus generated traffic is excluded from metrics.
- Added support for sending traces to Datadog.
- Graduated distributed tracing from Beta to Stable.
- Fixed Mixer basedTCP Policy enforcement.
- Graduated Authorization (RBAC) from Alpha to Alpha API and Beta runtime.
- Improved validation of Policy & Telemetry CRDs.
- Graduated basic configuration resource validation from Alpha to Beta.
Installation and upgrade
- Updated default proxy memory limit size(
1024Mito ensure proxy has sufficient memory.
- Added pod anti-affinity and toleration support to all of our control plane components.
sidecarInjectorWebhook.alwaysInjectSelectorto allow users to further refine whether workloads should have sidecar automatically injected or not, based on label selectors.
global.proxy.logLevelto allow users to easily configure logs for control plane and data plane components globally.
- Added support to configure the Datadog location via
- Removed Previously deprecated Adapter and Template CRDs are disabled by default. Use
mixer.adapters.useAdapterCRDs=trueinstall options to re-enable them.
Refer to the installation option change page to view the complete list of changes.
istioctl verify-installout of experimental.
istioctl verify-installto validate if a given Kubernetes environment meets Istio's prerequisites.
- Added auto-completion support to
istioctl experimental dashboardto allow users to easily open the web UI of any Istio addons.
istioctl xalias to conveniently run
istioctl versionto report both Istio control plane and
istioctlversion info by default.
istioctl validateto validate Mixer configuration and supports deep validation with referential integrity.
- Added Istio CNI support to setup sidecar network redirection and remove the use of
- Added a new experimental ‘a-la-carte’ Istio installer to enable users to install and upgrade Istio with desired isolation and security.
- Added the DNS-discovery and iter8 in Istio ecosystem.
- Added environment variable and configuration file support for configuring Galley, in addition to command-line flags.
- Added ControlZ support to visualize the state of the MCP Server in Galley.
- Added the
enableServiceDiscoverycommand-line flag to control the service discovery module in Galley.
InitialConnWindowSizeparameters to Galley and Pilot to allow fine-tuning of MCP (gRPC) connection settings.
- Graduated configuration processing with Galley from Alpha to Beta.