Change Notes

Installation

Traffic management

  • Added automatic protocol determination of HTTP or TCP for outbound traffic when ports are not named according to Istio‚Äôs conventions.
  • Added a mode to the Gateway API for mutual TLS operation.
  • Fixed issues present when a service communicates over the network first in permissive mutual TLS mode for protocols like MySQL and MongoDB.
  • Improved Envoy proxy readiness checks. They now check Envoy’s readiness status.
  • Improved container ports are no longer required in the pod spec. All ports are captured by default.
  • Improved the EnvoyFilter API. You can now add or update all configurations.
  • Improved the Redis load balancer to now default to MAGLEV when using the Redis proxy.
  • Improved load balancing to direct traffic to the same region and zone by default.
  • Improved Pilot by reducing CPU utilization. The reduction approaches 90% depending on the specific deployment.
  • Improved the ServiceEntry API to allow for the same hostname in different namespaces.
  • Improved the Sidecar API to customize the OutboundTrafficPolicy policy.

Security

  • Added trust domain validation for services using mutual TLS. By default, the server only authenticates the requests from the same trust domain.
  • Added labels to control service account secret generation by namespace.
  • Added SDS support to deliver the private key and certificates to each Istio control plane service.
  • Added support for introspection to Citadel.
  • Added metrics to the /metrics endpoint of Citadel Agent on port 15014 to monitor the SDS service.
  • Added diagnostics to the Citadel Agent using the /debug/sds/workload and /debug/sds/gateway on port 8080.
  • Improved the ingress gateway to load the trusted CA certificate from a separate secret when using SDS.
  • Improved SDS security by enforcing the usage of Kubernetes Trustworthy JWTs.
  • Improved Citadel Agent logs by unifying the logging pattern.
  • Removed support for Istio SDS when using Kubernetes versions earlier than 1.13.
  • Removed integration with Vault CA temporarily. SDS requirements caused the temporary removal but we will reintroduce Vault CA integration in a future release.
  • Enabled the Envoy JWT filter by default to improve security and reliability.

Telemetry

  • Added Access Log Service ALS support for Envoy gRPC.
  • Added a Grafana dashboard for Citadel monitoring.
  • Added metrics for monitoring the sidecar injector webhook.
  • Added control plane metrics to monitor Istio’s configuration state.
  • Added telemetry reporting for traffic destined to the Passthrough and BlackHole clusters.
  • Added alpha support for in-proxy generation of service metrics using Prometheus.
  • Added alpha support for environmental metadata in Envoy node metadata.
  • Added alpha support for Proxy Metadata Exchange.
  • Added alpha support for the OpenCensus trace driver.
  • Improved reporting for external services by removing requirements to add a service entry.
  • Improved the mesh dashboard to provide monitoring of Istio’s configuration state.
  • Improved the Pilot dashboard to expose additional key metrics to more clearly identify errors.
  • Removed deprecated Adapter and Template custom resource definitions (CRDs).
  • Deprecated the HTTP API spec used to produce API attributes. We will remove support for producing API attributes in Istio 1.4.

Policy

  • Improved rate limit enforcement to allow communication when the quota backend is unavailable.

Configuration management

  • Fixed Galley to stop too many gRPC pings from closing connections.
  • Improved Galley to avoid control plane upgrade failures.

istioctl

Miscellaneous

  • Added new images based on distroless base images.
  • Improved the Istio CNI Helm chart to have consistent versions with Istio.
  • Improved Kubernetes Jobs behavior. Kubernetes Jobs now exit correctly when the job manually calls the /quitquitquit endpoint.