Istio 1.18.0 Change Notes
These notices describe functionality that will be removed in a future release according to Istio’s deprecation policy. Please consider upgrading your environment to remove the deprecated functionality.
- There are no new deprecations in Istio 1.18.0
Improved Gateway API Automated Deployment management logic. See Upgrade Notes for more information.
Updated the VirtualService validation to fail on empty prefix header matcher. (Issue #44424)
ProxyConfig resources with workload selector will be applied to Kubernetes Gateway pods only if the specified label is istio.io/gateway-name. Other labels are ignored.
Added provision to provide overridden/explicit value for failoverPriority label. This provided value is used while assigning priority for endpoints instead of the client’s value. (Issue #39111)
Added prefix matching on query parameter. (Issue #43710)
Added health checks for those VMs that are not using auto-registration. (Issue #44712)
Fixed an issue where the admission webhook fails with custom header value format. (Issue #42749)
Fixed an issue where Cluster.ConnectTimeout was affecting unrelated Clusters. (Issue #43435)
Fixed reporting Programmed condition on Gateway API Gateway resources. (Issue #43498)
Fixed an issue that when there are different Binds specified in the Gateways with the same port and different protocols, listeners are not generated correctly. (Issue #43688)
Fixed an issue that when there are different Binds specified in the Gateways with the same port and TCP protocol, listeners are not generated correctly. (Issue #43775)
Fixed an issue with service entry deletion not deleting the corresponding endpoints in some cases. (Issue #43853)
Fixed an issue where auto allocated service entry IPs change on host reuse. (Issue #43858)
WorkloadEntry resources never being cleaned up if multiple WorkloadEntries were auto-registered with the same IP and network. (Issue #43950)
dns_upstream_failures_total metric was mistakenly deleted in the previous release. (Issue #44151)
Fixed an issue where ServiceEntry and Service had undefined or empty workload selectors. If the workload selector is undefined or empty, ServiceEntry and Service should not select any
Fixed an issue where a Service Entry configured with partial wildcard hosts generates a warning during validation as the config can sometimes generate invalid server name match. (Issue #44195)
Fixed an issue where Istio Gateway (Envoy) would crash due to a duplicate istio_authn network filter in the Envoy filter chain. (Issue #44385)
Fixed a bug where services are missing in gateways if PILOT_FILTER_GATEWAY_CLUSTER_CONFIG is enabled. (Issue #44439)
Fixed CPU usage being abnormally high when the cert specified by DestinationRule is invalid. (Issue #44986)
Fixed an issue where changing a label on a workload instance with a previously matched ServiceEntry would not properly get removed. (Issue #42921)
Fixed istiod not reconciling k8s gateway deployments and services when they are changed. (Issue #43332)
Fixed an issue where istiod does not retry resolving east-west gateway hostnames on failure. (Issue #44155)
Fixed an issue where istiod generates incorrect endpoints when it fails to resolve east-west gateway hostnames. (Issue #44155)
Fixed an issue where sidecars do not proxy DNS properly for a hostname backed by multiple services. (Issue #43152)
Fixed an issue where updating Service ExternalName does not take effect. (Issue #43440)
Fixed an issue causing VMs using auto-registration to ignore labels other than those defined in a WorkloadGroup. (Issue #32210)
Upgraded the gateway-api integration to read GatewayClass. Users of the gateway-api must be on v0.6.0+ before upgrading Istio. istioctl x precheck can detect this issue before upgrading.
Removed support for proxy.istio.io/config annotation applied to Kubernetes
Removed support for
v1 version has been available since Kubernetes 1.19.
alpha Gateway API types by default. They can be explicitly re-enabled with
Removed the experimental “taint controller” for Istio CNI.
Removed support for
v1 version has been available since Kubernetes 1.21.
v1 is automatically used on Kubernetes 1.21+, while Endpoints is used on older versions. This change only impacts users explicitly enabling PILOT_USE_ENDPOINT_SLICE on Kubernetes versions older than 1.21, which is no longer supported.
Removed deprecated and unsupported status conditions Detached from Gateway API.
--profiling flag to allow enabling or disabling profiling on pilot-agent status port. (Issue #41457)
Added support for pushing additional federated trust domains from caCertificates to the peer SAN validator. (Issue #41666)
Added support for using P384 curves when using ECDSA. (PR #44459)
ecdh_curves support for non ISTIO_MUTUAL traffic through MeshConfig API. (Issue #41645)
AUTO_RELOAD_PLUGIN_CERTS env var by default for istiod to notice cacerts file changes in common cases (e.g. reload intermediate certs). (Issue #43104)
Fixed ignoring default CA certificate when
Fixed issue with metadata handling for Azure platform. Support added for tagsList serialization of tags on instance metadata. (Issue #31176)
Fixed an issue where RBAC updates were not sent to older proxies after upgrading istiod to 1.17. (Issue #43785)
Fixed handling of remote SPIFFE trust bundles containing multiple certs. (Issue #44831)
Removed support for the
MeshConfig. This was deprecated in 1.15, and does not work on Kubernetes 1.22+. (Issue #36231)
Added support to control trace id length on Zipkin tracing provider. (Issue #43359)
Added support for METADATA command operator in access log. (Issue #44074)
Added metric expiry support, when env flags
Fixed an issue where you could not disable tracing in ProxyConfig. (Issue #31809)
Fixed an issue where ALL_METRICS does not disable metrics as expected. (PR #43179)
Fixed a bug that would cause unexpected behavior when applying access logging configuration based on the direction of traffic. With this fix, access logging configuration for
SERVER will not affect each other.
Fixed an issue where pilot has an additional invalid gateway metric that was not created by the user.
istioctl operator remove command to run without the confirmation in the dry-run mode. (PR #43120)
downloadIstioCtl.sh script to not change to the home directory at the end. (Issue #43771)
Improved the default telemetry installation to configure meshConfig.defaultProviders instead of custom EnvoyFilters when advanced customizations are not used, improving performance.
Updated the proxies concurrency configuration to always be detected based on CPU limits, unless explicitly configured. See upgrade notes for more info. (PR #43865)
Kiali addon to version v1.67.0. (PR #44498)
Added env variables to support modifying grpc keepalive values. (Issue #43256)
Added support for scraping metrics in dual stack clusters. (Issue #35915)
Added support for configuring the inbound port. (Issue #43655)
Added injection of istio.io/rev annotation to sidecars and gateways for multi-revision observability.
Added an automatically set GOMEMLIMIT to istiod to reduce the risk of out-of-memory issues. (Issue #40676)
Added check to limit the clusterrole for k8s CSR permissions for external CA
Added configurable node affinity to istio-cni values.yaml. Can be used to allow excluding istio-cni from being scheduled on specific nodes.
Fixed SELinux issue on CentOS9/RHEL9 where iptables-restore isn’t allowed to open files in /tmp. Rules passed to iptables-restore are no longer written to a file, but are passed via stdin. (Issue #42485)
Fixed an issue where webhook configuration was being modified in dry-run mode when installing Istio with istioctl. (PR #44345)
Removed injecting label istio.io/rev to gateways to avoid creating pods indefinitely when istio.io/rev=<tag>. (Issue #33237)
Removed operator skip reconcile for iop resources with names starting with installed-state. It now relies solely on the annotation install.istio.io/ignoreReconcile. This won’t affect the behavior of istioctl install. (Issue #29394)
pre-generated installation manifests (gen-istio.yaml, etc.) from published releases. These previously installed unsupported testing images, which led to accidental usage by users and tools such as Argo CD.
istioctl pc secret output to display the certificate serial number in HEX. (Issue #43765)
istioctl analyze to output mismatched proxy image messages as IST0158 on namespace level instead of IST0105 on pod level, which is more succinct.
istioctl analyze will display an error when encountering two additional erroneous Telemetry scenarios. (Issue #43705)
--output-dir flag to specify the output directory for the bug-report command’s generated archive file. (Issue #43842)
Added credential validation when using istioctl analyze to validate the secrets specified with credentialName in Gateway resources. (Issue #43891)
Added an analyzer for showing warning messages when the deprecated lightstep provider is still being used. (Issue #40027)
Added istiod metrics to bug-report, and a few more debug points like telemetryz. (Issue #44062)
Added a “VHOST NAME” column to the output of istioctl pc route. (Issue #44413)
Added local flags
istioctl dashboard commands to allow users to specify the component UI port to use for the dashboard.
Fixed Server Side Apply is enabled by default for Kubernetes cluster versions above 1.22 or be detected if it can be run in Kubernetes versions 1.18-1.21.
istioctl install --set <boolvar>=<bool> and istioctl manifests generate --set <boolvar>=<bool> improperly converting a boolean into a string. (Issue #43355)
istioctl experimental describe not showing all weighted routes when the VirtualService is defined to split traffic across multiple services. (Issue #43368)
istioctl x precheck displays unwanted IST0136 messages which are set by Istio as default. (Issue #36860)
Fixed a bug in istioctl analyze where some messages are missed when there are services with no selector in the analyzed namespace.
Fixed resource namespace resolution for
Fixed an issue where specifying the directory for temporary artifacts with istioctl bug-report did not work. (Issue #43835)
istioctl experimental revision describe warning gateway is not enabled when gateway exists. (Issue #44002)
istioctl experimental revision describe has incorrect number of egress gateways. (Issue #44002)
Fixed inaccuracies in analysis results when analyzing configuration files with empty content.
istioctl analyze no longer expects pods and runtime resources when analyzing files. (Issue #40861)
istioctl analyze to prevent panic when the server port in Gateway is nil. (Issue #44318)
istioctl experimental revision list REQD-COMPONENTS column data being incomplete and general output format.
istioctl operator remove cannot remove the operator controller due to a no Deployment detected error. (Issue #43659)
istioctl verify-install fails when using multiple iops. (Issue #42964)
istioctl experimental wait has undecipherable message when PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING is not enabled. (PR #43023)