Change Notes
Traffic management
- Added support for mirroring a percentage of traffic.
- Improved the Envoy sidecar. The Envoy sidecar now exits when it crashes. This change makes it easier to see whether or not the Envoy sidecar is healthy.
- Improved Pilot to skip sending redundant configuration to Envoy when no changes are required.
- Improved headless services to avoid conflicts with different services on the same port.
- Disabled default circuit breakers.
- Updated the default regex engine to re2. Please see the Upgrade Notes for details.
Security
- Added the v1beta1 authorization policy model for enforcing access control. This will eventually replace the v1alpha1 RBAC policy.
- Added experimental support for automatic mutual TLS to enable mutual TLS without destination rule configuration.
- Added experimental support for authorization policy trust domain migration.
- Added experimental DNS certificate management to securely provision and manage DNS certificates signed by the Kubernetes CA.
- Improved Citadel to periodically check and rotate the expired root certificate when running in self-sign CA mode.
- Updated JWT authentication to treat a space-delimited claim as a list of claims.
Telemetry
- Added experimental in-proxy telemetry reporting to Stackdriver.
- Improved support for in-proxy Prometheus generation of HTTP service metrics (from experimental to alpha).
- Improved telemetry collection for blocked and passthrough external service traffic.
- Added the option to configure stat patterns for Envoy stats.
- Added the inbound and outbound prefixes to the Envoy HTTP stats to specify traffic direction.
- Improved reporting of telemetry for traffic that goes through an egress gateway.
Configuration management
- Added multiple validation checks to the istioctl analyze sub-command.
- Added the experimental option to enable validation messages for Istio resource statuses.
- Added OpenAPI v3 schema validation of Custom Resource Definitions (CRDs). Please see the Upgrade Notes for details.
- Added client-go libraries to access Istio APIs.
Installation
- Added the experimental operator controller for dynamic updates to an Istio installation.
- Removed the proxy_init Docker image. Instead, the istio-init container reuses the proxyv2 image.
- Updated the base image to ubuntu:bionic.
istioctl
- Added the istioctl proxy-config logs sub-command to retrieve and update Envoy logging levels.
- Updated the istioctl authn tls-check sub-command to display which policy is in use.
- Added the experimental istioctl experimental wait sub-command to have Istio wait until it has pushed a configuration to all Envoy sidecars.
- Added the experimental istioctl experimental multicluster sub-command to help manage Istio across multiple clusters.
- Added the experimental istioctl experimental post-install webhook sub-command to securely manage webhook configurations.
- Added the experimental istioctl experimental upgrade sub-command to perform upgrades of Istio.
- Improved the istioctl version sub-command. It now shows the Envoy proxy versions.