Announcing Istio 1.1.3
Istio 1.1.3 patch release.
We’re pleased to announce the availability of Istio 1.1.3. Please see below for what’s changed.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Known issues with 1.1.3
- A panic in the Node Agent was discovered late in the 1.1.3 qualification process. The panic only occurs in clusters with the alpha-quality SDS certificate rotation feature enabled. Since this is the first time we have included SDS certificate rotation in our long-running release tests, we don’t know whether this is a latent bug or a new regression. Considering SDS certificate rotation is in alpha, we have decided to release 1.1.3 with this issue and target a fix for the 1.1.4 release.
Bug fixes
Istio-specific back-ports of Envoy patches for
CVE-2019-9900
andCVE-2019-9901
included in Istio 1.1.2 have been dropped in favor of an Envoy update which contains the final version of the patches.Fix load balancer weight setting for split horizon
EDS
.Fix typo in the default Envoy
JSON
log format (Issue 12232).Correctly reload out-of-process adapter address upon configuration change (Issue 12488).
Restore Kiali settings that were accidentally deleted (Issue 3660).
Prevent services with same target port resulting in duplicate inbound listeners (Issue 9504).
Fix issue with configuring
Sidecar egress
ports for namespaces other thanistio-system
resulting in aenvoy.tcp_proxy
filter ofBlackHoleCluster
by auto binding to services forSidecar
listeners (Issue 12536).Fix gateway
vhost
configuration generation issue by favoring more specific host matches (Issue 12655).Fix
ALLOW_ANY
so it now allows external traffic if there is already an http service present on a port.Fix validation logic so that
port.name
is no longer a validPortSelection
.Fix
istioctl proxy-config cluster
cluster type column rendering (Issue 12455).Fix SDS secret mount configuration.
Fix incorrect Istio version in the Helm charts.
Fix partial DNS failures in the presence of overlapping ports (Issue 11658).
Fix Helm
podAntiAffinity
template error (Issue 12790).Fix bug with the original destination service discovery not using the original destination load balancer.
Fix SDS memory leak in the presence of invalid or missing keying materials (Issue 13197).
Small enhancements
Hide
ServiceAccounts
fromPushContext
log to reduce log volume.Configure
localityLbSetting
invalues.yaml
by passing it through to the mesh configuration.Remove the soon-to-be deprecated
critical-pod
annotation from Helm charts (Issue 12650).Support pod anti-affinity annotations to improve control plane availability (Issue 11333).
Pretty print
IP
addresses in access logs.Remove redundant write header to further reduce log volume.
Improve destination host validation in Pilot.
Explicitly configure
istio-init
to run as root so use of pod-levelsecurityContext.runAsUser
doesn’t break it (Issue 5453).Add configuration samples for Vault integration.
Respect locality load balancing weight settings from
ServiceEntry
.Make the TLS certificate location watched by Pilot Agent configurable (Issue 11984).
Add support for Datadog tracing.
Add alias to
istioctl
so ‘x’ can be used instead of ‘experimental’.Provide improved distribution of sidecar certificate by adding jitter to their CSR requests.
Allow weighted load balancing registry locality to be configured.
Add support for standard CRDs for compiled-in Mixer adapters.
Reduce Pilot resource requirements for demo configuration.
Fully populate Galley dashboard by adding data source (Issue 13040).
Propagate Istio 1.1
sidecar
performance tuning to theistio-gateway
.Improve destination host validation by rejecting
*
hosts (Issue 12794).Expose upstream
idle_timeout
in cluster definition so dead connections can sometimes be removed from connection pools before they are used (Issue 9113).When registering a
Sidecar
resource to restrict what a pod can see, the restrictions are now applied if the spec contains aworkloadSelector
(Issue 11818).Update the Bookinfo example to use port 80 for TLS origination.
Add liveness probe for Citadel.
Improve AWS ELB interoperability by making 15020 the first port listed in the
ingressgateway
service (Issue 12502).Use outlier detection for failover mode but not for distribute mode for locality weighted load balancing (Issues 12965).
Replace generation of Envoy’s deprecated
enabled
field inCorsPolicy
with the replacementfilter_enabled
field for 1.1.0+ sidecars only.Standardize labels on Mixer’s Helm charts.