Istio 1.3 Change Notes

Installation

• Added experimental manifest and profile commands to install and manage the Istio control plane for evaluation.

Traffic management

• Added automatic protocol determination of HTTP or TCP for outbound traffic when ports are not named according to Istio’s conventions.
• Added a mode to the Gateway API for mutual TLS operation.
• Fixed issues present when a service communicates over the network first in permissive mutual TLS mode for protocols like MySQL and MongoDB.
• Improved Envoy proxy readiness checks. They now check Envoy’s readiness status.
• Improved container ports are no longer required in the pod spec. All ports are captured by default.
• Improved the EnvoyFilter API. You can now add or update all configurations.
• Improved the Redis load balancer to now default to MAGLEV when using the Redis proxy.
• Improved load balancing to direct traffic to the same region and zone by default.
• Improved Pilot by reducing CPU utilization. The reduction approaches 90% depending on the specific deployment.
• Improved the ServiceEntry API to allow for the same hostname in different namespaces.
• Improved the Sidecar API to customize the OutboundTrafficPolicy policy.

Security

• Added trust domain validation for services using mutual TLS. By default, the server only authenticates the requests from the same trust domain.
• Added [labels]((/docs/ops/configuration/mesh/secret-creation/) to control service account secret generation by namespace.
• Added SDS support to deliver the private key and certificates to each Istio control plane service.
• Added support for introspection to Citadel.
• Added metrics to the /metrics endpoint of Citadel Agent on port 15014 to monitor the SDS service.
• Added diagnostics to the Citadel Agent using the /debug/sds/workload and /debug/sds/gateway on port 8080.
• Improved the ingress gateway to load the trusted CA certificate from a separate secret when using SDS.
• Improved SDS security by enforcing the usage of Kubernetes Trustworthy JWTs.
• Improved Citadel Agent logs by unifying the logging pattern.
• Removed support for Istio SDS when using Kubernetes versions earlier than 1.13.
• Removed integration with Vault CA temporarily. SDS requirements caused the temporary removal but we will reintroduce Vault CA integration in a future release.
• Enabled the Envoy JWT filter by default to improve security and reliability.

Telemetry

• Added Access Log Service ALS support for Envoy gRPC.
• Added a Grafana dashboard for Citadel monitoring.
• Added metrics for monitoring the sidecar injector webhook.
• Added control plane metrics to monitor Istio’s configuration state.
• Added telemetry reporting for traffic destined to the Passthrough and BlackHole clusters.
• Added alpha support for in-proxy generation of service metrics using Prometheus.
• Added alpha support for environmental metadata in Envoy node metadata.
• Added alpha support for Proxy Metadata Exchange.
• Added alpha support for the OpenCensus trace driver.
• Improved reporting for external services by removing requirements to add a service entry.
• Improved the mesh dashboard to provide monitoring of Istio’s configuration state.
• Improved the Pilot dashboard to expose additional key metrics to more clearly identify errors.
• Removed deprecated Adapter and Template custom resource definitions (CRDs).
• Deprecated the HTTP API spec used to produce API attributes. We will remove support for producing API attributes in Istio 1.4.

Policy

• Improved rate limit enforcement to allow communication when the quota backend is unavailable.

Configuration management

• Fixed Galley to stop too many gRPC pings from closing connections.
• Improved Galley to avoid control plane upgrade failures.

istioctl

• Added istioctl experimental manifest to manage the new experimental install manifests.
• Added istioctl experimental profile to manage the new experimental install profiles.
• Added istioctl experimental metrics
• Added istioctl experimental describe pod to describe an Istio pod’s configuration.
• Added istioctl experimental add-to-mesh to add Kubernetes services or virtual machines to an existing Istio service mesh.
• Added istioctl experimental remove-from-mesh to remove Kubernetes services or virtual machines from an existing Istio service mesh.
• Promoted the istioctl experimental convert-ingress command to istioctl convert-ingress.
• Promoted the istioctl experimental dashboard command to istioctl dashboard.

Miscellaneous

• Added new images based on distroless base images.
• Improved the Istio CNI Helm chart to have consistent versions with Istio.
• Improved Kubernetes Jobs behavior. Kubernetes Jobs now exit correctly when the job manually calls the /quitquitquit endpoint.