Istio 1.19.0 Change Notes
These notices describe functionality that will be removed in a future release according to Istio’s deprecation policy. Please consider upgrading your environment to remove the deprecated functionality.
The macOS and Windows artifacts without an architecture specified in the name (ex: istio-1.18.0-osx.tar.gz). They will be removed in several releases. They have been replaced by artifacts containing the architecture in the name (ex: istio-1.18.0-osx-amd64.tar.gz). (Issue #45677)
Improved JWT claim based routing to support using as a separator for nested claim names. (Issue #44228)
Improved performance of sidecar injection, in particular with pods with a large number of environment variables.
Updated DNS resolution when using ServiceEntries so that DNS for multi-network gateways will be resolved at the proxy instead of in the control plane.
Added support for traffic.sidecar.istio.io/excludeInterfaces annotation in proxy. (Issue #41271)
Added initial ambient support for WorkloadEntry. (Issue #45472)
Added ambient support for WorkloadEntry resources without an address. (Issue #45758)
Added initial ambient support for ServiceEntry.
Added support for regex rewrite in VirtualService HTTPRewrite. (Issue #22290)
Added a new TLS mode ServerTLSSettings of Gateway that will validate client certificate if presented.
Added enhancement for Dual Stack to set up the correct DNS family type. CheckIPFamilyTypeForFirstIPs has been added to help confirm the IP family type based on the first IP address. Changed the ISTIO_DUAL_STACK environment variable to be uniform for both control and data plane. (Issue #41462)
WorkloadEntry resources on different networks to not require an address to be specified. (Issue #45150)
Fixed Istio’s Gateway API implementation to adhere to the Gateway API requirement that a group: "" field must be set for a kind: Service. Istio previously tolerated the missing group for Service-kind parent references. This is a breaking change; see the upgrade notes for details. (Issue #2309)
istio.alpn filter for non-Istio mTLS. (Issue #40680)
Fixed the bug where patching virtualhosts. (Issue #44820)
Fixed EnvoyFilter operation orders so that deleted and re-added resources don’t get deleted. (Issue #45089)
WorkloadEntry auto register failing with invalid istio-locality label when user specified ./etc/istio/pod/labels. (Issue #45413)
Fixed an issue in dual stack meshes where virtualHost.Domains was missing the second IP address from dual stack services. (Issue #45557)
Fixed a bug where route configuration is rejected with duplicate domains when VirtualService has the same hosts with different case. (Issue #45719)
Fixed an issue where Istiod might crash when a cluster is deleted if the xDS cache is disabled. (Issue #45798)
geneve links on nodes which already have configured an external geneve link or another geneve link for the same VNI and remote IP. To avoid getting errors in these cases, istio-cni dynamically determines available destination ports for created
Fixed an issue where Istiod can’t auto-detect the service port change when the service is referred to by ingress using service port name. (Issue #46035)
Fixed an issue where HTTP probe’s request.host was not well propagated. (Issue #46087)
WorkloadEntry xDS events to fire on updates to spec. (Issue #46267)
health_checkers EnvoyFilter extensions not being compiled into the proxy. (Issue #46277)
Fixed crash when LoadBalancer.Ingress.IP was not present or was unset to not include empty IP strings in VIPs.
Fixed regression in healthcheck probe translation. (Issue #45632)
Removed the support for deprecated EnvoyFilter names in Envoy API name matches. EnvoyFilter will only be matched with canonical naming standard. See the Envoy documentation for more details.
ISTIO_DEFAULT_REQUEST_TIMEOUT feature flag. Please use timeout in VirtualService API.
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT feature flag. This can be configured in MeshConfig if needed.
Removed support for xDS v2 types in EnvoyFilters. These should use the v3 interface. This has been a warning for multiple releases and is now upgraded to an error.
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND feature flags. These have been enabled by default since Istio 1.5.
Removed support for looking up Envoy extensions in EnvoyFilter configuration by name without the typed config URL.
Optimized EnvoyFilter index generation to avoid rebuilding all EnvoyFilters every time one has changed, instead only rebuilding the changed EnvoyFilter and updating it in place.
insecureSkipVerify implementation from DestinationRule. Setting true will disable CA certificate and Subject Alternative Names verification for the host. (Issue #33472)
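An added example (not from the Istio release notes or the Istio project) for the insecureSkipVerify entry above: it walks DestinationRule JSON, as produced by kubectl get destinationrules -A -o json, and reports every client TLS block that disables verification, including per-port and per-subset overrides. The sample objects, hostnames and function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `kubectl get destinationrules -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "payments"},
   "spec": {"host": "payments.example.internal", "trafficPolicy": {"tls": {"mode": "SIMPLE", "insecureSkipVerify": true}}}},
  {"metadata": {"namespace": "shop", "name": "ledger"},
   "spec": {"host": "ledger.example.internal",
            "trafficPolicy": {"tls": {"mode": "SIMPLE", "sni": "ledger.example.internal"},
                              "portLevelSettings": [
                                {"port": {"number": 8443},
                                 "tls": {"mode": "MUTUAL", "insecureSkipVerify": true}}]},
            "subsets": [{"name": "v2",
                         "trafficPolicy": {"tls": {"mode": "SIMPLE", "insecureSkipVerify": false}}}]}},
  {"metadata": {"namespace": "shop", "name": "cart"},
   "spec": {"host": "cart.shop.svc.cluster.local", "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}}
]}
""")

def _tls_blocks(policy, where):
    """Yield (location, tls settings) for one trafficPolicy, including per-port overrides."""
    if not policy:
        return
    if "tls" in policy:
        yield where, policy["tls"]
    for pls in policy.get("portLevelSettings", []):
        if "tls" in pls:
            port = pls.get("port", {}).get("number")
            yield f"{where}.portLevelSettings[port={port}]", pls["tls"]

def find_skip_verify(dr_list):
    """Return (namespace/name, host, location, mode) for every TLS block that skips verification."""
    findings = []
    for dr in dr_list.get("items", []):
        spec = dr.get("spec", {})
        ident = f'{dr["metadata"]["namespace"]}/{dr["metadata"]["name"]}'
        # Top-level policy first, then each subset's own policy.
        scopes = [("trafficPolicy", spec.get("trafficPolicy"))]
        for s in spec.get("subsets", []):
            scopes.append((f'subsets[{s.get("name")}].trafficPolicy', s.get("trafficPolicy")))
        for where, policy in scopes:
            for loc, tls in _tls_blocks(policy, where):
                if tls.get("insecureSkipVerify") is True:
                    findings.append((ident, spec.get("host"), loc, tls.get("mode")))
    return findings

if __name__ == "__main__":
    for finding in find_skip_verify(SAMPLE):
        print("verification disabled:", *finding)
```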
Added support for PeerAuthentication policies in ambient. (Issue #42696)
cipher_suites support for non ISTIO_MUTUAL traffic through MeshConfig API. (Issue #28996)
Added Certificate Revocation List (CRL) support for peer certificate validation.
Added support for a flag called USE_EXTERNAL_WORKLOAD_SDS. When set to true, it will require an external SDS workload socket and it will prevent the istio-proxy from starting if the workload SDS socket is not found. (Issue #45534)
Fixed an issue where jwk issuer was not resolved correctly when having a trailing slash in the issuer URL. (Issue #45546)
Added new metric named provider_lookup_cluster_failures for lookup cluster failures.
Added support for K8s controller queue metrics, enabled by setting env variable true. (Issue #44985)
Added a flag to disable OTel builtin resource labels.
remote_cluster_sync_timeouts_total metric. (Issue #44489)
Added support for annotation sidecar.istio.io/statsHistogramBuckets to customize the histogram buckets in the proxy.
Added HTTP metadata exchange filter to support a fallback to xDS workload metadata discovery in addition to the metadata HTTP headers. The discovery method is off by default.
Added an option to configure Envoy to report load stats to the Load Reporting Service (LRS) server.
Fixed an issue where disabling a log provider through Istio telemetry API would not work.
Fixed an issue where Telemetry would not be fully disabled unless match.metric=ALL_METRICS was explicitly specified; matching all metrics is now correctly considered as the default.
Added an option to fail open on fetch failure and VM fatal errors.
Improved usage on OpenShift clusters by removing the need to manually create a NetworkAttachmentDefinition resource in every application namespace.
Updated Kiali addon to version
Added support for PodDisruptionBudget (PDB) in the Gateway chart. (Issue #44469)
Added the Helm value of setting CNI ambient configDir path. (Issue #45400)
amd64 named artifacts for macOS and Windows. The amd64 flavor of the artifacts did not contain the architecture in the name as we do for the other operating systems. This makes the artifact naming consistent.
maxUnavailable setting to the CNI deployment Helm chart to speed up deployments.
Added an automatically set GOMAXPROCS to all deployments to improve performance.
Added values to the Istio Pilot Helm charts for configuring additional container arguments: volumes. Can be used in conjunction with cert-manager istio-csr. (Issue #113)
Added support for setting terminationGracePeriodSeconds for the ztunnel pod via the Helm chart.
Fixed an issue where removing field(s) from IstioOperator and re-installing did not reflect changes in existing IstioOperator spec. (Issue #42068)
ValidatingWebhookConfiguration not being generated correctly with operator installation when the revision is not set. (Issue #43893)
Fixed an issue where the operator did not reject invalid CIDR entries that included spaces. (Issue #45338)
Fixed an issue where the hostname package is not listed as a dependency for the VM packages. (Issue #45866)
Fixed an issue preventing the Gateway chart from being used with a custom
Fixed an issue so that Istio uses IMDSv2 when possible on AWS. (Issue #45825)
Fixed a null traversal issue when using stackdriver with no tracing options. (Issue #45855)
Fixed an issue preventing the ports of waypoint and ztunnel from being exposed. Scraped configuration files can be created for ambient components, too. (Issue #45093)
Removed the following experimental kube-uninject. Usage of automatic sidecar injection is recommended instead.
ENABLE_LEGACY_FSGROUP_INJECTION feature flag. This was intended to support Kubernetes 1.18 and older, which are out of support.
Removed obsolete manifests from the base Helm chart. See Upgrade Notes for more information.
Improved IST0123 warning message description.
istioctl experimental workload configure command to accept IPv6 address passed with
Added config type and endpoint configuration summaries to istioctl proxy-config all. (Issue #43807)
Added directory support for istioctl validate. Now, the -f flag accepts both file paths and directory paths.
Added support for YAML output to istioctl admin log.
Added support for checking telemetry labels, which now includes Istio canonical labels and Kubernetes recommended labels.
Added support for namespace filtering for proxy statuses. Note: please ensure that both istioctl and istiod are upgraded for this feature to work.
Added warning if user specifies more than one Istio label in the same namespace. Including
Added support for displaying multiple addresses of listeners in istioctl proxy-config listeners.
verify-install failing to detect
Fixed an issue where the cert validity was not accurate in the istioctl proxy-config secret command.
Fixed an issue where xDS proxy-status was showing inaccurate Istio version. Note: please ensure that both istioctl and istiod are upgraded for this fix to work.
Fixed an issue where ztunnel pods could be compared to Envoy configuration files in istioctl experimental proxy-status. They are now excluded from the comparison.
Fixed an issue where there was a parse error when performing rootCA comparison for ztunnel pods.
Fixed an issue where analyzers were reporting messages for the gateway-managed services.
Fixed an issue where specifying multiple include conditions by istioctl bug-report didn’t work as expected. (Issue #45839)
Fixed an issue where Kubernetes resources with revision labels were being filtered out by istioctl analyze when the --revision flag was not used. (Issue #46239)
Fixed an issue where the creation of a Telemetry object without any providers throws the IST0157 error. (Issue #46510)
Fixed an issue where the analyzer produced incorrect results for GatewayPortNotOnWorkload when there was an incorrect association of Gateway.Spec.Servers.Port.Number with a Service’s Port instead of its
revision flag missing in istioctl experimental precheck.
istioctl experimental. Use
Removed the following experimental remote-clusters. They have been moved to the top level
Improved Bookinfo samples so they can now be used in OpenShift without the