Istio 1.11 Upgrade Notes
Important changes to consider when upgrading to Istio 1.11.0.
When you upgrade from Istio 1.10.0 to Istio 1.11.0, you need to consider the changes on this page. These notes detail the changes which purposefully break backwards compatibility with Istio 1.10.0. The notes also mention changes which preserve backwards compatibility while introducing new behavior. Changes are only included if the new behavior would be unexpected to a user of Istio 1.10.0.
istiodRemote installation component now includes config cluster resources
Installing Istio on a remote cluster that is using an external control plane was previously done by disabling the base and pilot components and enabling the istiodRemote component in the IOP:
    components:
      base:
        enabled: false
      pilot:
        enabled: false
      istiodRemote:
        enabled: true
    values:
      global:
        externalIstiod: true
If the remote cluster also serves as the config cluster for the external control plane, the base component would also be enabled:
    components:
      base:
        enabled: true
      pilot:
        enabled: false
      istiodRemote:
        enabled: true
    values:
      global:
        externalIstiod: true
To simplify the implementation and to completely separate the remote installation from the base component, the istiodRemote component now includes all of the charts needed for any remote cluster, whether it serves as a config cluster or not. A new variable, values.global.configCluster, is used to enable or disable the resources needed in a config cluster:
    components:
      base:
        enabled: false
      pilot:
        enabled: false
      istiodRemote:
        enabled: true
    values:
      global:
        externalIstiod: true
        configCluster: true
Host header fallback disabled by default for Prometheus metrics for all inbound traffic
Host header fallback for determining values for Prometheus destination_service labels has been disabled for all incoming traffic.
Previously, this was disabled only for traffic arriving at Gateways. If you are relying on host header fallback behavior to properly label the destination_service in Prometheus metrics for traffic originating from out-of-mesh workloads, then you will need to update the telemetry configuration to enable host header fallback.
match.routeConfiguration.vhost.name semantics change
EnvoyFilter matches rely on internal implementation details to match generated xDS segments, and those details are subject to change at any time.
In this release, the virtual host name match may have different results.
Previously, each domain name had its own virtual host. As an optimization, multiple domains may use a single virtual host. This means that an EnvoyFilter previously matching a specific virtual host may now apply to more domains than in previous releases.
This optimization may be temporarily disabled by setting PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATION=false on the Istiod deployment.
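
One way to find the EnvoyFilters affected by this change before upgrading, as an added example that is not part of the Istio documentation or tooling: it lists every configPatch that selects by match.routeConfiguration.vhost.name so each can be reviewed for the domains it should cover. The function name and the sample resources are constructed for illustration; real input is assumed to come from `kubectl get envoyfilter -A -o json`.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get envoyfilter -A -o json` output.
SAMPLE = {"kind": "List", "items": [
    {"kind": "EnvoyFilter",
     "metadata": {"namespace": "shop", "name": "add-header"},
     "spec": {"configPatches": [
         {"applyTo": "VIRTUAL_HOST",
          "match": {"context": "SIDECAR_OUTBOUND", "routeConfiguration": {
              "vhost": {"name": "reviews.shop.svc.cluster.local:9080"}}},
          "patch": {"operation": "MERGE"}},
         {"applyTo": "HTTP_FILTER",
          "match": {"context": "SIDECAR_INBOUND", "listener": {"portNumber": 8080}},
          "patch": {"operation": "INSERT_BEFORE"}}]}},
    {"kind": "EnvoyFilter",
     "metadata": {"namespace": "istio-system", "name": "listener-only"},
     "spec": {"configPatches": [
         {"applyTo": "LISTENER", "match": {"context": "GATEWAY"},
          "patch": {"operation": "MERGE"}}]}},
]}


def vhost_name_patches(doc):
    """List every configPatch that selects by match.routeConfiguration.vhost.name."""
    items = doc.get("items", []) if "items" in doc else [doc]
    findings = []
    for ef in items:
        if ef.get("kind") != "EnvoyFilter":
            continue
        meta = ef.get("metadata", {})
        patches = (ef.get("spec") or {}).get("configPatches") or []
        for index, cp in enumerate(patches):
            route_cfg = (cp.get("match") or {}).get("routeConfiguration") or {}
            name = (route_cfg.get("vhost") or {}).get("name")
            if name:  # this patch depends on the generated virtual host name
                findings.append({
                    "filter": f"{meta.get('namespace')}/{meta.get('name')}",
                    "patch_index": index,
                    "applyTo": cp.get("applyTo"),
                    "operation": (cp.get("patch") or {}).get("operation"),
                    "vhost": name,
                })
    return findings


if __name__ == "__main__":
    # Optional argument: a file saved from `kubectl get envoyfilter -A -o json`.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in vhost_name_patches(doc):
        print("review: {filter} patch[{patch_index}] {applyTo}/{operation} vhost={vhost}".format(**f))
```

Each reported patch should be checked against the generated route configuration after the upgrade, since a virtual host may now carry more domains than the one named in the match.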
hostPath added to CNI DaemonSet
The hostPath /var/run/istio-cni is added to the CNI DaemonSet. It is used to collect CNI network plugin logs in the CNI DaemonSet pod.
If you have a PodSecurityPolicy defined to allowlist hostPaths for your CNI DaemonSet, /var/run/istio-cni also needs to be added to the list. CNI will not start in the absence of this change.