Announcing Istio 1.2
Major Update
We are pleased to announce the release of Istio 1.2!
The theme of 1.2 is Predictable Releases - predictable in quality (we want every release to be a good release) as well as in time (we want to be able to ship on well known schedules).
As nearly anyone using Istio 1.0 noticed, it took us a long time to get 1.1 out. Far too long. One of the reasons was that we needed to do some work on our testing and infrastructure – it was simply far too manual a process to build, test and release. Because of that, 1.2 focuses on improving the stability of these new features, and improving general product health.
In order to make release quality and timing predictable, we declared a “Code Mauve”, meaning that we would spend the next iteration focusing on project infrastructure. As a result, we’ve been investing a ton of effort in our build, test and release machinery.
We formed 3 new teams (GitHub Workflow, Source Organization, Testing Methodology, and Build & Release Automation). Each had a set of issues to take on and a set of exit criteria. Code Mauve isn’t over yet, in fact we expect it to go on for some time. We’re putting in place the infrastructure to measure the metrics each team decided on (paraphrasing Peter Drucker: if you can’t measure it, you can’t manage it).
You might have noticed that the patch releases for 1.1 have been coming fast and furious.
In order to get features in the hands of our customers and users as soon as possible, most of the new features from the last three months have been delivered in 1.1.x releases. With 1.2, those features are now officially part of the release.
We’re seeing early results from the usability group. In the release notes,
you’ll find that you can now set log levels for the control plane and the
data plane globally. You can use istioctl
to validate that your Kubernetes
installation meets Istio’s requirements. And the new
traffic.sidecar.istio.io/includeInboundPorts
annotation to eliminate the
need for service owner to declare containerPort
in the deployment yaml.
Some of the features have matured as well. The following features have progressed from Beta status to Stable: SNI at ingress, distributed tracing, and service tracing. The following features have reached beta status: cert management on ingress, configuration resource validation, and configuration processing with Galley. We know there are lots of feature requests outstanding, and we have an exciting roadmap (watch for a forthcoming post from the TOC on that). The work we have done in this release has taken care of some technical debt which will help us get those features out reliably in future.
As always, there is also a lot happening in the Community
Meeting (Thursdays at
11 a.m. Pactific
) and in the Working
Groups. And
if you haven’t yet joined the conversation at
discuss.istio.io, head over, log in with your
GitHub credentials and join us!
Release notes
General
- Added
traffic.sidecar.istio.io/includeInboundPorts
annotation to eliminate the need for service owner to declarecontainerPort
in the deployment yaml file. This will become the default in a future release. - Added IPv6 experimental support for Kubernetes clusters.
Traffic management
- Improved locality based routing in multicluster environments.
- Improved outbound traffic policy in
ALLOW_ANY
mode. Traffic for unknown HTTP/HTTPS hosts on an existing port will be forwarded as is. Unknown traffic will be logged in Envoy access logs. - Added support for setting HTTP idle timeouts to upstream services.
- Improved Sidecar support for NONE mode (without iptables) .
- Added ability to configure the DNS refresh rate for sidecar Envoys, to reduce the load on the DNS servers.
- Graduated Sidecar API from Alpha to Alpha API and Beta runtime.
Security
- Improved extend the default lifetime of self-signed Citadel root certificates to 10 years.
- Added Kubernetes health check prober rewrite per deployment via
sidecar.istio.io/rewriteAppHTTPProbers: "true"
in thePodSpec
annotation. - Added support for configuring the secret paths for Istio mutual TLS certificates. Refer here for more details.
- Added support for PKCS 8 private keys for workloads, enabled by the flag
pkcs8-keys
on Citadel. - Improved JWT public key fetching logic to be more resilient to network failure.
- Fixed SAN field in workload certificates is set as
critical
. This fixes the issue that some custom certificate verifiers cannot verify Istio certificates. - Fixed mutual TLS probe rewrite for HTTPS probes.
- Graduated SNI with multiple certificates support at ingress gateway from Alpha to Stable.
- Graduated certification management on Ingress Gateway from Alpha to Beta.
Telemetry
- Added Full support for control over Envoy stats generation, based on stats prefixes, suffixes, and regular expressions through the use of annotations.
- Changed Prometheus generated traffic is excluded from metrics.
- Added support for sending traces to Datadog.
- Graduated distributed tracing from Beta to Stable.
Policy
- Fixed Mixer basedTCP Policy enforcement.
- Graduated Authorization (RBAC) from Alpha to Alpha API and Beta runtime.
Configuration management
- Improved validation of Policy & Telemetry CRDs.
- Graduated basic configuration resource validation from Alpha to Beta.
Installation and upgrade
- Updated default proxy memory limit size(
global.proxy.resources.limits.memory
) from128Mi
to1024Mi
to ensure proxy has sufficient memory. - Added pod anti-affinity and toleration support to all of our control plane components.
- Added
sidecarInjectorWebhook.neverInjectSelector
andsidecarInjectorWebhook.alwaysInjectSelector
to allow users to further refine whether workloads should have sidecar automatically injected or not, based on label selectors. - Added
global.logging.level
andglobal.proxy.logLevel
to allow users to easily configure logs for control plane and data plane components globally. - Added support to configure the Datadog location via
global.tracer.datadog.address
. - Removed Previously deprecated Adapter and Template CRDs are disabled by default. Use
mixer.templates.useTemplateCRDs=true
andmixer.adapters.useAdapterCRDs=true
install options to re-enable them.
Refer to the installation option change page to view the complete list of changes.
istioctl
and kubectl
- Graduated
istioctl verify-install
out of experimental. - Improved
istioctl verify-install
to validate if a given Kubernetes environment meets Istio’s prerequisites. - Added auto-completion support to
istioctl
. - Added
istioctl experimental dashboard
to allow users to easily open the web UI of any Istio addons. - Added
istioctl x
alias to conveniently runistioctl experimental
command. - Improved
istioctl version
to report both Istio control plane andistioctl
version info by default. - Improved
istioctl validate
to validate Mixer configuration and supports deep validation with referential integrity.
Others
- Added Istio CNI support to setup sidecar network redirection and remove the use of
istio-init
containers requiringNET_ADMIN
capability. - Added a new experimental ‘a-la-carte’ Istio installer to enable users to install and upgrade Istio with desired isolation and security.
- Added the DNS-discovery and iter8 in Istio ecosystem.
- Added environment variable and configuration file support for configuring Galley, in addition to command-line flags.
- Added ControlZ support to visualize the state of the MCP Server in Galley.
- Added the
enableServiceDiscovery
command-line flag to control the service discovery module in Galley. - Added
InitialWindowSize
andInitialConnWindowSize
parameters to Galley and Pilot to allow fine-tuning of MCP (gRPC) connection settings. - Graduated configuration processing with Galley from Alpha to Beta.