Announcing Istio 1.3

Istio 1.3 release announcement.

Sep 12, 2019

We are pleased to announce the release of Istio 1.3!

CHANGE NOTES

Get a detailed list of what's changed.

BEFORE YOU UPGRADE

Things to know and prepare before upgrading.

DOWNLOAD

Download and install this release.

DOCS

Visit the documentation for this release.

HELM CHANGES

Learn about changes in our Helm installation options.

The theme of Istio 1.3 is User Experience:

Every few releases, the Istio team delivers dramatic improvements to usability, APIs, and the overall system performance. Istio 1.3 is one such release, and the team is very excited to roll out some key updates.

Intelligent protocol detection (experimental)

To take advantage of Istio’s routing features, service ports must use a special port naming format to explicitly declare the protocol. This requirement can cause problems for users that do not name their ports when they add their applications to the mesh. Starting with 1.3, the protocol for outbound traffic is automatically detected as HTTP or TCP when the ports are not named according to Istio’s conventions. We will be polishing this feature in the upcoming releases with support for protocol sniffing on inbound traffic as well as identifying protocols other than HTTP.

Mixer-less telemetry (experimental)

Yes, you read that right! We implemented most of the common security policies, such as RBAC, directly into Envoy. We previously turned off the istio-policy service by default and are now on track to migrate most of Mixer’s telemetry functionality into Envoy as well. In this release, we have enhanced the Istio proxy to emit HTTP metrics directly to Prometheus, without requiring the istio-telemetry service to enrich the information. This enhancement is great if all you care about is telemetry for HTTP services. Follow the Mixer-less HTTP telemetry instructions to experiment with this feature. We are polishing this feature in the coming months to add telemetry support for TCP services when you enable Istio mutual TLS.

Container ports are no longer required

Previous releases required that pods explicitly declare the Kubernetes containerPort for each container as a security measure against trampolining traffic. Istio 1.3 has a secure and simpler way of handling all inbound traffic on any port into a workload instance without requiring the containerPort declarations. We have also completely eliminated the infinite loops caused in the IP tables rules when workload instances send traffic to themselves.

Fully customize generated Envoy configuration

While Istio 1.3 focuses on usability, expert users can use advanced features in Envoy that are not part of the Istio Networking APIs. We enhanced the EnvoyFilter API to allow users to fully customize:

You get the best of both worlds:

Leverage Istio to integrate with Kubernetes and handle large fleets of Envoys in an efficient manner, while you still can customize the generated Envoy configuration to meet specific requirements within your infrastructure.

Other enhancements

As always, there is a lot happening in the Community Meeting; join us every other Thursday at 10 AM Pacific.

The growth and success of Istio is due to its 400+ contributors from over 300 companies. Join one of our Working Groups and help us make Istio even better.

To join the conversation, go to discuss.istio.io, log in with your GitHub credentials and join us!

See also