Announcing Istio 1.11
Istio 1.11 release announcement.
We are pleased to announce the release of Istio 1.11!
Get a detailed list of what's changed.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
This is the third Istio release of 2021. We would like to thank the entire Istio community, and especially the release managers Jonh Wendell from Red Hat, Ryan King from Solo.io and Steve Zhang from Intel, for helping to get Istio 1.11.0 published.
Here are some highlights for this release:
CNI plugin (Beta)
By default Istio injects an init container in pods deployed in the mesh. The
istio-init container sets up the pod network traffic redirection to/from the Istio sidecar proxy using iptables. This requires the user or service account deploying pods in the mesh to have sufficient permissions to deploy containers with the
NET_RAW capabilities. Requiring Istio users to have elevated Kubernetes privileges can be problematic for security compliance within an organization. The Istio CNI plugin is a replacement for the
istio-init container that performs the same networking functionality, but without requiring Istio users to enable elevated Kubernetes permissions.
The CNI plugin can be chained with other plugins, and supports most hosted Kubernetes implementations.
In this release, we have promoted the CNI plugin functionality to Beta by improving our documentation and testing to ensure users can enable this feature safely in production. Learn how to install Istio with the CNI plugin.
External control plane (Beta)
Last year we introduced a new deployment model for Istio where the control plane for a cluster was managed outside of that cluster. This allows for separation of concerns between a mesh owner, who administers the control plane, and the mesh users, who deploy and configure services in the mesh. An external control plane, running in a separate cluster, can control a single data plane cluster or more than one cluster of a multicluster mesh.
In 1.11, this feature has been promoted to Beta. Learn how you can set up a mesh with an external control plane.
Istio provides gateways as a way to interface with the outside world. You can deploy ingress gateways, for incoming traffic originating outside your cluster, and egress gateways, for outgoing traffic from your applications to services deployed outside your cluster.
In the past, an Istio version would deploy a gateway as a Deployment which had a completely separate proxy configuration to all the rest of the sidecar proxies in the cluster. This made management and upgrade of the gateway complex, especially when multiple gateways were deployed in the cluster. One common issue was that settings from the control plane passed down to sidecar proxies and the gateways could drift, causing unexpected issues.
Gateway injection moves the management of gateways to the same method as sidecar proxies. Configuration that you set on your proxies globally will apply to your gateways, and complex configurations that weren’t possible (for example, running a gateway as a DaemonSet) are now easy. You can also update your gateways to the latest version after a cluster upgrade simply by restarting the pods.
In addition to these changes, we have released new Installing Gateways documentation, which covers best practices for installation, management, and upgrade of gateways.
Updates to revision and tag deployments
In Istio 1.6 we added support for running multiple control planes simultaneously, which allows you to do a canary deployment of a new Istio version. In 1.10, we introduced revision tags, which lets you mark a revision as “production” or “testing” and minimizes the chance of error when upgrading.
istioctl tag command has graduated out of experimental in 1.11. You can also now specify a default revision for the control plane. This helps further simplify the canary upgrade from a non-revisioned control plane to a new version.
We also fixed an outstanding issue with upgrades - you can safely perform a canary upgrade of your control plane regardless of whether or not it was installed using a revision.
To improve the sidecar injection experience,
sidecar.istio.io/inject labels were introduced. We recommend you to switch to using injection labels, as they perform better than injection annotations. We intend to deprecate the injection annotations in a future release.
Kubernetes Multi-cluster Services (MCS) support (Experimental)
The Kubernetes project is building an multi-cluster services API that allows service owners or mesh admins to control the export of services and their endpoints across the mesh.
Istio 1.11 adds experimental support for multi-cluster services. Once enabled, the discoverability of service endpoints is determined by client location and whether the service has been exported. Endpoints residing within the same cluster as the client will always be discoverable. Endpoints within a different cluster, however, will only be discoverable by the client if they were exported to the mesh.
Note that Istio does not yet support the behavior for the
clusterset.local hosts as defined by the MCS spec. Clients should continue to address services using either
This is the first phase in our plan to support MCS. Stay tuned!
Sneak peek: new APIs
A number of Istio features can only be configured by
EnvoyFilter, which allows you to set proxy configuration. We’re working on new APIs for common use cases - such as configuring telemetry settings and WebAssembly (Wasm) extension deployment, and you can expect to see these become available to users in the 1.12 release. If you’re interested in helping us test the implementations as they are built, please join the appropriate working group meeting.
Join the Istio community
You can also join the conversation at Discuss Istio, or join our Slack workspace.
Would you like to get involved? Find and join one of our Working Groups and help improve Istio.
Istio 1.11 Upgrade Survey
If you have completed your upgrade to Istio 1.11, we would like to hear from you! Please take a few minutes to respond to our brief survey to tell us how we’re doing.