Istio 1.11 Change Notes
Istio 1.11.0 release notes.
Improved resolution of headless services via in-agent DNS to include endpoints from other clusters that are on the same network. (Issue #27342)
Improved usage of AUTO_PASSTHROUGH Gateways to no longer require configuring the ISTIO_META_ROUTER_MODE environment variable on the gateway deployment; instead, it is automatically detected. (Issue #33127)
Improved CNI network plugin to send logs to the CNI DaemonSet. This allows viewing CNI logs using kubectl logs, instead of looking at kubelet logs. (Issue #32437)
Improved service conflict resolution to favor Kubernetes Services over ServiceEntries with the same hostname.
Updated the CNI install container and race condition repair container to be combined into one container. (Issue #33712)
Updated the Istiod debug interface to be only accessible over localhost or with proper authentication (mTLS or JWT). The recommended way to access the debug interface is through istioctl experimental internal-debug, which handles this automatically.
shutdownDuration flag to pilot-discovery so that users can configure the duration istiod needs to terminate gracefully. The default value is 10s.
Added an environment variable PILOT_STATUS_UPDATE_INTERVAL that is the interval to update the XDS distribution status and its default value is
Added the HTTP endpoint localhost:15004/debug/<typeurl> to the Istio sidecar agent. GET requests to that URL will be resolved by sending an xDS discovery “event” to istiod. This can be disabled by setting the following in the Istio Operator: meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_DEBUG_VIA_AGENT=false. (Issue #22274)
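The dotted path above, written out as an IstioOperator resource. This is an added example, not taken from the Istio release notes; the proxyMetadata value is quoted because that field is a map of strings, and an unquoted false would be parsed as a YAML boolean.

```yaml
# Added example: disable the sidecar agent's xDS debug endpoint
# (localhost:15004/debug/<typeurl>) mesh-wide.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        # String value, not a boolean: keep the quotes.
        PROXY_XDS_DEBUG_VIA_AGENT: "false"
```

The setting is part of the proxy's default configuration, so it applies to sidecars injected after the change; existing workloads pick it up when they are restarted.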
Added support for overriding the locality of the WorkloadGroup template in an auto registered WorkloadEntry. Locality overrides can be passed in through Envoy bootstrap configuration. (Issue #33426)
Added new metric for tracking distribution of configuration resource sizes being pushed by istiod. (Issue #31772)
Added experimental support for the Kubernetes Multi-Cluster Services (MCS) host (clusterset.local). This feature is off by default, but can be enabled by setting the following environment variables for your Istiod deployment: ENABLE_MCS_SERVICE_DISCOVERY. When enabled, Istio will include the MCS host as a domain in the service’s HTTP route. Additionally, Istio will support the MCS host during a DNS lookup. For now, the MCS host is just an alias for cluster.local and resolves to the same service IP. Future work will give the MCS host a separate IP as is defined by the MCS spec. (Issue #33949)
Added experimental support for controlling service endpoint discoverability with Kubernetes Multi-Cluster Services (MCS). This feature is off by default, but can be enabled by setting the ENABLE_MCS_SERVICE_DISCOVERY flag in Istio. When enabled, Istio will make service endpoints only discoverable from within the same cluster by default. To make the service endpoints within a cluster discoverable throughout the mesh, a ServiceExport CR must be created within the same cluster as the service endpoints. This process can be automated by enabling the Istio flag ENABLE_MCS_AUTOEXPORT. With this enabled, Istio will automatically create ServiceExport in all clusters for each service. (Issue #29384)
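The explicit-export setup described above, as an added example that is not part of the Istio release notes. The Service name payments and namespace shop are constructed; the ServiceExport kind is the one defined by the Kubernetes MCS API, and ENABLE_MCS_AUTOEXPORT is deliberately left unset so that only services with their own ServiceExport become discoverable outside their cluster.

```yaml
# Added example. Istiod side: turn on MCS-based endpoint discoverability.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    pilot:
      k8s:
        env:
          - name: ENABLE_MCS_SERVICE_DISCOVERY
            value: "true"
          # ENABLE_MCS_AUTOEXPORT is not set: exports stay opt-in per service.
---
# Workload side: export one Service to the rest of the mesh.
# Create this in the same cluster as the service endpoints.
apiVersion: multicluster.x-k8s.io/v1alpha1
kind: ServiceExport
metadata:
  name: payments      # constructed; must match the Service's name
  namespace: shop     # constructed; must match the Service's namespace
```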
Fixed an issue where both inbound and outbound apps were unable to intercept traffic when using podIP in TPROXY interception mode. (Issue #31095)
Fixed an issue where subject alternate names specified in service entry are not considered while building TLS context. (Issue #32539)
Fixed a bug where multiple gateways on the same port with PASSTHROUGH modes were not working correctly. (Issue #33405)
Fixed a bug where Istio config generation fails when the sum of endpoint weights was over uint32 max. (Issue #33536)
Fixed smart DNS support in Istio CNI. (Issue #29511)
Fixed a bug in Kubernetes Ingress causing paths with prefixes of the form /foo to match the route /foo/ but not the route
Fixed an issue allowing a ServiceEntry to act as an instance in other namespaces.
Fixed an issue causing proxies to send
Fixed reconciliation logic in the validation webhook controller to rate-limit the retries in the loop. This should drastically reduce churn (and generated logs) in cases of misconfiguration. (Issue #32210)
Optimized generated routing configuration to merge virtual hosts with the same routing configuration. This improves performance for Virtual Services with multiple hostnames defined. (Issue #28659)
Added validation for the jwks field in the request authentication policy. (Issue #33053)
Updated Prometheus telemetry behavior for inbound traffic to disable host header fallback by default. This will prevent traffic coming from out-of-mesh locations from potentially polluting the destination_service dimension in metrics with junk data (and exploding metrics cardinality). With this change, it is possible that users relying on host headers for labeling the destination service for inbound traffic from out-of-mesh workloads will see that traffic labeled as unknown. The behavior can be restored by modifying Istio configuration to remove the
Added a new metric to istiod to report server uptime.
Added a new metric ( istiod to track the number of clusters managed by an
Improved the installation of Istio on remote clusters using an external control plane. The istiodRemote component now includes all of the resources needed for either a basic remote or config cluster. (Issue #33455)
Improved the size of container images, decreasing each image by up to 50Mb. As a result, the linux-tools-generic package, as well as dependencies (including python) are no longer installed.
Updated the base image versions to be built on
Updated Jaeger addon to version 1.22.
Fixed the upgrade and downgrade message of the control plane. (Issue #32749)
Removed the empty caBundle default value from Chart to allow a GitOps approach. (Issue #33052)
istioctl experimental revision tag command group to
istioctl x workload entry configure, which sets the configuration for the workload IP that the sidecar proxy uses to auto register a workload Entry. Usually required when the VM workloads aren’t in the same network as the primary cluster to which they register. (Issue #32462)
istioctl x uninstall. (Issue #32513)
istioctl proxy-config bootstrap now has a short output option (-o short) that shows the Istio and Envoy version summary. (Issue #21517)
Added a new analyzer to check for image: auto in Pods and Deployments that will not be injected.
Added support for auto-completion of the namespace for istioctl.
Added support in istioctl for completion of Kubernetes pods and services.
--vklog option to enable verbose logging in client-go. (Issue #28231)
Fixed user-agent in all Istio binaries to include version.