- Added experimental manifest and profile commands to install and manage the Istio control plane for evaluation.
- Added automatic protocol determination of HTTP or TCP for outbound traffic when ports are not named according to Istio’s [conventions]/docs/ops/prep/requirements/).
- Added a mode to the Gateway API for mutual TLS operation.
- Fixed issues present when a service communicates over the network first in permissive mutual TLS mode for protocols like MySQL and MongoDB.
- Improved Envoy proxy readiness checks. They now check Envoy’s readiness status.
- Improved container ports are no longer required in the pod spec. All ports are captured by default.
- Improved the
EnvoyFilterAPI. You can now add or update all configurations.
- Improved the Redis load balancer to now default to
MAGLEVwhen using the Redis proxy.
- Improved load balancing to direct traffic to the same region and zone by default.
- Improved Pilot by reducing CPU utilization. The reduction approaches 90% depending on the specific deployment.
- Improved the
ServiceEntryAPI to allow for the same hostname in different namespaces.
- Improved the Sidecar API to customize the
- Added trust domain validation for services using mutual TLS. By default, the server only authenticates the requests from the same trust domain.
- Added labels to control service account secret generation by namespace.
- Added SDS support to deliver the private key and certificates to each Istio control plane service.
- Added support for introspection to Citadel.
- Added metrics to the
/metricsendpoint of Citadel Agent on port 15014 to monitor the SDS service.
- Added diagnostics to the Citadel Agent using the
/debug/sds/gatewayon port 8080.
- Improved the ingress gateway to load the trusted CA certificate from a separate secret when using SDS.
- Improved SDS security by enforcing the usage of Kubernetes Trustworthy JWTs.
- Improved Citadel Agent logs by unifying the logging pattern.
- Removed support for Istio SDS when using Kubernetes versions earlier than 1.13.
- Removed integration with Vault CA temporarily. SDS requirements caused the temporary removal but we will reintroduce Vault CA integration in a future release.
- Enabled the Envoy JWT filter by default to improve security and reliability.
- Added Access Log Service ALS support for Envoy gRPC.
- Added a Grafana dashboard for Citadel monitoring.
- Added metrics for monitoring the sidecar injector webhook.
- Added control plane metrics to monitor Istio’s configuration state.
- Added telemetry reporting for traffic destined to the
- Added alpha support for in-proxy generation of service metrics using Prometheus.
- Added alpha support for environmental metadata in Envoy node metadata.
- Added alpha support for Proxy Metadata Exchange.
- Added alpha support for the OpenCensus trace driver.
- Improved reporting for external services by removing requirements to add a service entry.
- Improved the mesh dashboard to provide monitoring of Istio’s configuration state.
- Improved the Pilot dashboard to expose additional key metrics to more clearly identify errors.
- Removed deprecated
Templatecustom resource definitions (CRDs).
- Deprecated the HTTP API spec used to produce API attributes. We will remove support for producing API attributes in Istio 1.4.
- Improved rate limit enforcement to allow communication when the quota backend is unavailable.
- Fixed Galley to stop too many gRPC pings from closing connections.
- Improved Galley to avoid control plane upgrade failures.
istioctl experimental manifestto manage the new experimental install manifests.
istioctl experimental profileto manage the new experimental install profiles.
istioctl experimental metrics
istioctl experimental describe podto describe an Istio pod’s configuration.
istioctl experimental add-to-meshto add Kubernetes services or virtual machines to an existing Istio service mesh.
istioctl experimental remove-from-meshto remove Kubernetes services or virtual machines from an existing Istio service mesh.
- Promoted the
istioctl experimental convert-ingresscommand to
- Promoted the
istioctl experimental dashboardcommand to
- Added new images based on distroless base images.
- Improved the Istio CNI Helm chart to have consistent versions with Istio.
- Improved Kubernetes Jobs behavior. Kubernetes Jobs now exit correctly when the job manually calls the