Istio 1.5 Change Notes
Istio 1.5 release notes.
- Improved performance of the ServiceEntry resource by avoiding unnecessary full pushes #19305.
- Improved Envoy sidecar readiness probe to more accurately determine readiness #18164.
- Improved performance of Envoy proxy configuration updates via xDS by sending partial updates where possible #18354.
- Added an option to configure locality load balancing settings for each targeted service via destination rule #18406.
- Fixed an issue where pods crashing would trigger excessive Envoy proxy configuration pushes #18574.
- Fixed issues with applications such as headless services to call themselves directly without going through Envoy proxy #19308.
- Added detection of iptables failure when using Istio CNI #19534.
consecutive5xxErrors as outlier detection options within destination rule #19771.
EnvoyFilter matching performance #19786
- Added support for
iptables setup to use iptables-restore by default #18847.
- Improved Gateway performance by filtering unused clusters. This setting is disabled by default #20124.
- Graduated SDS to stable and enabled by default. It provides identity provisioning for Istio Envoy proxies.
- Added Beta authentication API. The new API separates peer (i.e., mutual TLS) and origin (JWT) authentication into
RequestAuthentication respectively. Both new APIs are workload-oriented, as opposed to service-oriented in alpha
- Added deny semantics and exclusion matching to Authorization Policy.
- Graduated auto mutual TLS from alpha to beta. This feature is now enabled by default.
- Improved SDS security by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.
- Improved Istio by including certificate provisioning functionality within Istiod.
- Added support for Kubernetes first-party-jwt as a fallback token for CSR authentication in clusters where third-party-jwt is not supported.
- Added support for Istio CA and Kubernetes CA to provision certificates for the control plane, configurable via
- Added provisioning of a key and certificates for Prometheus by Istio Agent.
- Added TCP protocol support for v2 telemetry.
- Added gRPC response status code support in metrics/logs.
- Added support for Istio Canonical Service.
- Improved stability of v2 telemetry pipeline.
- Added alpha-level support for configurability in v2 telemetry.
- Added support for populating AWS platform metadata in Envoy node metadata.
- Improved Stackdriver adapter for Mixer to support configurable flush intervals for tracing data.
- Added support for a headless collector service to the Jaeger addon.
kubernetesenv adapter to provide proper support for pods that contain a dot in their name.
- Improved the Fluentd adapter for Mixer to provide millisecond-resolution in exported timestamps.
- Replaced the alpha IstioControlPlane API with the new IstioOperator API to align with existing
istioctl operator init and istioctl operator remove commands.
- Improved reconciliation speed with caching
Istioctl Analyze out of experimental.
- Added various analyzers: mutual TLS, JWT, ServiceAssociation, Secret, sidecar image, port name and policy deprecated analyzers.
- Updated more validation rules for
- Added a new flag
istioctl analyze to analyze the entire cluster.
- Added support for analyzing content passed via
istioctl analyze -L to show a list of all analyzers available.
- Added the ability to suppress messages from
- Added structured format options to
- Added links to relevant documentation to
- Updated annotation methods provided by Istio API in
istioctl analyze now loads files from a directory.
istioctl analyze to try to associate messages with their source filename.
istioctl analyze to print the namespace that is being analyzed.
istioctl analyze to analyze in-cluster resources by default.
- Fixed bug where istioctl analyze suppressed cluster-level resource messages.
- Added support for multiple input files to
- Replaced the IstioControlPlane API with the
- Added selector for
- Added support for slices and lists in istioctl manifest --set flag.
- Added support for
istioctl manifest to read profiles from
- Added a