距离 Istio 1.5 版本发布还有 天。

Announcing Istio 1.0

The production ready service mesh

Today, we’re excited to announce Istio 1.0! It’s been a little over a year since our initial 0.1 release. Since then, Istio has evolved significantly with the help of a thriving and growing community of contributors and users. We’ve now reached the point where many companies have successfully adopted Istio in production and have gotten real value from the insight and control it provides over their deployments. We’ve helped large enterprises and fast-moving startups like eBay, Auto Trader UK, Descartes Labs, HP FitStation, JUSPAY, Namely, PubNub and Trulia use Istio to connect, manage and secure their services from the ground up. Shipping this release as 1.0 is recognition that we’ve built a core set of functionality that our users can rely on for production use.

Ecosystem

We’ve seen substantial growth in Istio's ecosystem in the last year. Envoy continues its impressive growth and added numerous features that are crucial for a production quality service mesh. Observability providers like Datadog, SolarWinds, Sysdig, Google Stackdriver and Amazon CloudWatch have written plugins to integrate Istio with their products. Tigera, Aporeto, Cilium and Styra built extensions to our policy enforcement and networking capabilities. Red Hat built Kiali to wrap a nice user-experience around mesh management and observability. Cloud Foundry is building on Istio for it’s next generation traffic routing stack, the recently announced Knative serverless project is doing the same and Apigee announced that they plan to use it in their API management solution. These are just some of the integrations the community has added in the last year.

Features

Since the 0.8 release we’ve added some important new features and more importantly marked many of our existing features as Beta signaling that they’re ready for production use. Here are some highlights:

  • Multiple Kubernetes clusters can now be added to a single mesh and enabling cross-cluster communication and consistent policy enforcement. Multicluster support is now Beta.

  • Networking APIs that enable fine grained control over the flow of traffic through a mesh are now Beta. Explicitly modeling ingress and egress concerns using Gateways allows operators to control the network topology and meet access security requirements at the edge.

  • Mutual TLS can now be rolled out incrementally without requiring all clients of a service to be updated. This is a critical feature that unblocks adoption in-place by existing production deployments.

  • Mixer now has support for developing out-of-process adapters. This will become the default way to extend Mixer over the coming releases and makes building adapters much simpler.

  • Authorization policies which control access to services are now entirely evaluated locally in Envoy increasing their performance and reliability.

  • Helm chart installation is now the recommended install method offering rich customization options to adopt Istio on your terms.

  • We’ve put a lot of effort into performance including continuous regression testing, large scale environment simulation and targeted fixes. We’re very happy with the results and will share more on this in detail in the coming weeks.

What’s next?

While this is a significant milestone for the project there’s lots more to do. In working with adopters we’ve gotten a lot of great feedback about what to focus next. We’ve heard consistent themes around support for hybrid-cloud, install modularity, richer networking features and scalability for massive deployments. We’ve already taken some of this feedback into account in the 1.0 release and we’ll continue to aggressively tackle this work in the coming months.

Getting started

If you’re new to Istio and looking to use it for your deployment we’d love to hear from you. Take a look at our docs or stop by our chat forum. If you’d like to go deeper and contribute to the project come to one of our community meetings and say hello.

Thanks

The Istio team would like to give huge thanks to everyone who has made a contribution to the project. It wouldn’t be where it is today without your help. The last year has been pretty amazing and we look forward to the next one with excitement about what we can achieve together as a community.

Release notes

Networking

  • SNI Routing using Virtual Services. Newly introduced TLS sections in VirtualService can be used to route TLS traffic based on SNI values. Service ports named as TLS/HTTPS can be used in conjunction with virtual service TLS routes. TLS/HTTPS ports without an accompanying virtual service will be treated as opaque TCP.

  • Streaming gRPC Restored. Istio 0.8 caused periodic termination of long running streaming gRPC connections. This has been fixed in 1.0.

  • Old (v1alpha1) Networking APIs Removed. Support for the old v1alpha1 traffic management model has been removed.

  • Istio Ingress Deprecated. The old Istio ingress is deprecated and disabled by default. We encourage users to use gateways instead.

Policy and telemetry

  • Updated Attributes. The set of attributes used to describe the source and destination of traffic have been completely revamped in order to be more precise and comprehensive.

  • Policy Check Cache. Mixer now features a large level 2 cache for policy checks, complementing the level 1 cache present in the sidecar proxy. This further reduces the average latency of externally-enforced policy checks.

  • Telemetry Buffering. Mixer now buffers report calls before dispatching to adapters, which gives an opportunity for adapters to process telemetry data in bigger chunks, reducing overall computational overhead in Mixer and its adapters.

  • Out of Process Adapters. Mixer now includes initial support for out-of-process adapters. This will be the recommended approach moving forward for integrating with Mixer. Initial documentation on how to build an out-of-process adapter is provided by the Out Of Process Adapter Dev Guide and the Out Of Process Adapter Walk-through.

  • Client-Side Telemetry. It's now possible to collect telemetry from the client of an interaction, in addition to the server-side telemetry.

Adapters

  • SignalFX. There is a new signalfx adapter.

  • Stackdriver. The stackdriver adapter has been substantially enhanced in this release to add new features and improve performance.

Security

istioctl

  • Added the istioctl authn tls-check command.

  • Added the istioctl proxy-status command.

  • Added the istioctl experimental convert-ingress command.

  • Removed the istioctl experimental convert-networking-config command.

  • Enhancements and bug fixes:

    • Align kubeconfig handling with kubectl

    • istioctl get all returns all types of networking and authentication configuration.

    • Added the --all-namespaces flag to istioctl get to retrieve resources across all namespaces.

Known issues with 1.0

  • Amazon's EKS service does not implement automatic sidecar injection. Istio can be used in Amazon's EKS by using manual injection for sidecars and turning off galley using the Helm parameter --set galley.enabled=false.

  • In a multicluster deployment the mixer-telemetry and mixer-policy components do not connect to the Kubernetes API endpoints of any of the remote clusters. This results in a loss of telemetry fidelity as some of the metadata associated with workloads on remote clusters is incomplete.

  • There are Kubernetes manifests available for using Citadel standalone or with Citadel health checking enabled. There is not a Helm implementation of these modes. See Issue 6922 for more details.

  • Mesh expansion functionality, which lets you add raw VMs to a mesh is broken in 1.0. We're expecting to produce a patch that fixes this problem within a few days.

这些信息有用吗?
Do you have any suggestions for improvement?

Thanks for your feedback!