What’s new in Istio v1.11?

by | 22.08.2021 | Changelog

Istio is an open platform that provides a uniform way to integrate microservices. It also manages traffic flow between microservices, enforces policies and aggregates telemetry data. The Istio control plane offers an abstraction layer over the underlying cluster management platform, such as Kubernetes.

Istio has published release 1.11.0. This major update brings many promotions, fixes, new features and more. We will walk through all of those changes in this article, along with how Istio functions.

Let’s start.

Changes with v1.11.0

The new release brings a lot of changes across Istio. We will look at the changes in traffic management, security, telemetry, installation and istioctl.

Traffic Management

Improvements

The new release promotes CNI to beta. Headless-service resolution via in-agent DNS now includes endpoints from other clusters on the same network. AUTO_PASSTHROUGH Gateways no longer require the ISTIO_META_ROUTER_MODE environment variable on the gateway deployment; it is detected automatically. The CNI network plugin now sends its logs to the CNI DaemonSet, so CNI logs can be viewed with kubectl logs instead of digging through kubelet logs. Lastly, service conflict resolution now favours Kubernetes Services over ServiceEntries with the same hostname.

Updates

The CNI install container has been updated to combine the race-condition and repair containers into one container. The Istiod debug interface has also been updated so that it is accessible only over localhost or with proper authentication (mTLS or JWT). The recommended way to access the debug interface is istioctl experimental internal-debug, which handles this automatically.

Additions

The release adds a number of new features and missing pieces. First, pilot-discovery gains a shutdownDuration flag that lets users configure how long istiod needs to terminate gracefully; the default is 10s. A new environment variable, PILOT_STATUS_UPDATE_INTERVAL, sets the interval at which the XDS distribution status is updated; its default is 500ms. The Istio sidecar agent gains an HTTP endpoint, localhost:15004/debug/<typeurl>; GET requests to that URL are resolved by sending an xDS discovery “event” to istiod. This can be disabled by setting meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_DEBUG_VIA_AGENT=false in the Istio Operator.

Version 1.11.0 also adds support for overriding the locality of the WorkloadGroup template in an auto-registered WorkloadEntry; locality overrides are passed through the Envoy bootstrap configuration. There is also a new metric that tracks the distribution of the sizes of the configuration resources istiod pushes.

A valuable addition is experimental support for the Kubernetes Multi-Cluster Services (MCS) host (clusterset.local). This feature is off by default; it is enabled by setting the ENABLE_MCS_HOST and ENABLE_MCS_SERVICE_DISCOVERY environment variables on the Istiod deployment. When enabled, Istio includes the MCS host as a domain in the service’s HTTP route and also supports the MCS host during DNS lookup. For now, the MCS host is just an alias for cluster.local and resolves to the same service IP; future work will give the MCS host a separate IP as the MCS spec defines.

Lastly, there is experimental support for controlling service endpoint discoverability with Kubernetes Multi-Cluster Services (MCS). This feature is off by default and is enabled with the ENABLE_MCS_SERVICE_DISCOVERY flag. When enabled, Istio makes service endpoints discoverable only from within the same cluster by default. To make the endpoints of a service discoverable throughout the mesh, a ServiceExport CR must be created in the same cluster as the service endpoints. This can be automated by enabling the ENABLE_MCS_AUTOEXPORT flag, with which Istio automatically creates a ServiceExport in every cluster for each service.
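The following manifest is an added example written for this article, not configuration shipped by the Istio project. It wires together the settings from the last few paragraphs: the istiod environment variables for the MCS host and per-cluster discoverability, the PILOT_STATUS_UPDATE_INTERVAL setting, the proxyMetadata entry that turns off the agent's xDS debug endpoint, and a manually created ServiceExport for one service. The names istio-control-plane, my-namespace and my-service are placeholders, and the ServiceExport kind assumes the MCS API CRDs are already installed in the cluster.

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane        # placeholder name
  namespace: istio-system
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        # Disable the sidecar agent's localhost:15004/debug/<typeurl> endpoint
        PROXY_XDS_DEBUG_VIA_AGENT: "false"
  components:
    pilot:
      k8s:
        env:
          # Interval at which istiod updates the XDS distribution status (default 500ms)
          - name: PILOT_STATUS_UPDATE_INTERVAL
            value: "500ms"
          # Experimental MCS support: clusterset.local host and per-cluster discoverability
          - name: ENABLE_MCS_HOST
            value: "true"
          - name: ENABLE_MCS_SERVICE_DISCOVERY
            value: "true"
          # Leave auto-export off so that only explicitly exported services cross clusters
          - name: ENABLE_MCS_AUTOEXPORT
            value: "false"
---
# With ENABLE_MCS_AUTOEXPORT off, each service that should be reachable mesh-wide
# needs its own ServiceExport in the cluster that hosts its endpoints.
apiVersion: multicluster.x-k8s.io/v1alpha1
kind: ServiceExport
metadata:
  name: my-service          # placeholder: must match the Service name
  namespace: my-namespace   # placeholder: same namespace as the Service
```

Keeping ENABLE_MCS_AUTOEXPORT off and exporting services one by one is the conservative choice: a service is only reachable from other clusters after someone has deliberately published it.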

Bug Fixes

Several traffic management fixes will help users a lot. First, an issue with enabling CoreDump via the sidecar annotation is fixed. The release also fixes an issue where both inbound and outbound apps could not intercept traffic when using podIP in TPROXY interception mode, and an issue where alternate subject names specified in a ServiceEntry were not considered when building the TLS context.

The release also fixes a bug where multiple gateways on the same port with SIMPLE and PASSTHROUGH modes were not working correctly, and a bug where Istio config generation failed when the sum of endpoint weights exceeded the uint32 maximum. Smart DNS now supports Istio CNI.

A bug in Kubernetes Ingress that caused paths with prefixes of the form /foo to match the route /foo/ but not the route /foo is fixed. The release also fixes an issue that allowed a ServiceEntry to act as an instance in other namespaces, and one that caused proxies to send Transfer-Encoding headers with 1xx and 204 responses.

The reconciliation logic in the validation webhook controller now rate-limits the retries in its loop, which drastically reduces churn (and generated logs) in cases of misconfiguration. Lastly, the generated routing configuration is optimized to merge virtual hosts with the same routing configuration, improving performance for VirtualServices that define multiple hostnames.

Security

The only security change in version 1.11.0 is added validation for the jwks field in the RequestAuthentication policy.
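To show what such a validation catches before a policy is applied, here is an added example in Python; it is not istiod's own validation code, and the RequestAuthentication policy is represented as a plain dict mirroring the YAML. The checks are ours: the inline jwks value must be a JSON object with a non-empty keys list, every key must carry the public members its key type requires (RSA and EC only, by our choice), those members must be base64url strings, and no private-key members may be present. The sample policy, issuer and key values are constructed placeholders, not a real key.

```python
"""Sanity-check the jwks field of an Istio RequestAuthentication policy (added example)."""
import json
import re

# Public-key members required per key type (RFC 7518). Accepting only RSA and EC
# is this example's choice, not a statement about what Istio accepts.
REQUIRED_BY_KTY = {
    "RSA": ("n", "e"),
    "EC": ("crv", "x", "y"),
}
# base64url alphabet without padding, as JWK members are encoded
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_jwks(jwks_text: str) -> list:
    """Return a list of problems found in an inline JWKS document (empty means OK)."""
    errors = []
    try:
        doc = json.loads(jwks_text)
    except (TypeError, ValueError) as exc:
        return [f"jwks is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["jwks must be a JSON object"]
    keys = doc.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["jwks must contain a non-empty 'keys' list"]
    for i, key in enumerate(keys):
        if not isinstance(key, dict):
            errors.append(f"keys[{i}]: must be an object")
            continue
        kty = key.get("kty")
        if kty not in REQUIRED_BY_KTY:
            errors.append(f"keys[{i}]: unsupported or missing kty {kty!r}")
            continue
        for member in REQUIRED_BY_KTY[kty]:
            value = key.get(member)
            if not isinstance(value, str) or not value:
                errors.append(f"keys[{i}]: missing member {member!r} for kty {kty}")
            elif member != "crv" and not _B64URL.match(value):
                errors.append(f"keys[{i}]: member {member!r} is not base64url")
        # A verification key set must never carry private-key material.
        if "d" in key:
            errors.append(f"keys[{i}]: contains private-key material")
    return errors


def validate_policy(policy: dict) -> list:
    """Validate the jwtRules of a RequestAuthentication given as a dict."""
    errors = []
    rules = policy.get("spec", {}).get("jwtRules") or []
    for i, rule in enumerate(rules):
        where = f"jwtRules[{i}]"
        if not rule.get("issuer"):
            errors.append(f"{where}: issuer is required")
        has_inline = "jwks" in rule
        has_uri = "jwksUri" in rule
        # Istio documents these two fields as mutually exclusive; if neither is
        # set, the key set is discovered from the issuer, so that case is allowed.
        if has_inline and has_uri:
            errors.append(f"{where}: set only one of jwks and jwksUri")
        if has_inline:
            errors.extend(f"{where}: {e}" for e in validate_jwks(rule["jwks"]))
    return errors


# Constructed sample policy; the modulus and exponent are placeholders, not a real key.
SAMPLE_POLICY = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "RequestAuthentication",
    "metadata": {"name": "jwt-example", "namespace": "default"},
    "spec": {
        "selector": {"matchLabels": {"app": "httpbin"}},
        "jwtRules": [{
            "issuer": "https://issuer.example.invalid",
            "jwks": json.dumps({"keys": [{
                "kty": "RSA", "kid": "example-kid", "use": "sig", "alg": "RS256",
                "n": "0vx7agoebGcQSuuPiLJXZptN", "e": "AQAB",
            }]}),
        }],
    },
}

# Constructed broken policy: malformed JSON and both key-set fields set at once.
BROKEN_POLICY = {
    "spec": {"jwtRules": [{
        "issuer": "https://issuer.example.invalid",
        "jwks": "{not json",
        "jwksUri": "https://issuer.example.invalid/.well-known/jwks.json",
    }]},
}

if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_POLICY), ("broken", BROKEN_POLICY)):
        print(name, validate_policy(policy) or "OK")
```

Running this as a pre-apply check in CI surfaces the same class of mistake that istiod's new validation now rejects, but earlier, before a broken policy reaches the cluster.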

Telemetry

Updates

Prometheus telemetry behaviour for inbound traffic now disables host header fallback by default. This prevents traffic from out-of-mesh locations from polluting the destination_service dimension in metrics with junk data (and exploding metrics cardinality).

With this change, users who rely on host headers to label the destination service for inbound traffic from out-of-mesh workloads may see that traffic marked as unknown. The old behaviour can be restored by removing the disable_host_header_fallback: true setting from the Istio configuration.
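The cardinality problem the change addresses is easy to reproduce in a small model. The following added example, written for this article and not taken from Istio or Envoy, models how the inbound stats filter picks the destination_service label: from the matched service when the request hits a known service, and otherwise from the Host header when fallback is on or the constant "unknown" when it is off. The service inventory and the request list are constructed.

```python
"""Model of destination_service labelling with and without host header fallback (added example)."""
from collections import Counter

# Constructed inventory of services known to the mesh
KNOWN_SERVICES = {"httpbin.default.svc.cluster.local"}

# Constructed inbound requests as (matched_service, host_header). The first two come
# from in-mesh clients; the rest arrive from outside the mesh with arbitrary Host values.
REQUESTS = [
    ("httpbin.default.svc.cluster.local", "httpbin.default.svc.cluster.local"),
    ("httpbin.default.svc.cluster.local", "httpbin.default.svc.cluster.local"),
    (None, "scanner-1.example.invalid"),
    (None, "scanner-2.example.invalid"),
    (None, "10.0.0.7:8080"),
    (None, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"),
]


def destination_service_label(matched_service, host_header, host_header_fallback):
    """Choose the destination_service label for one inbound request."""
    if matched_service in KNOWN_SERVICES:
        return matched_service
    if host_header_fallback and host_header:
        # Fallback: trust whatever Host the client sent, which it fully controls
        return host_header
    return "unknown"


def label_cardinality(requests, host_header_fallback):
    """Return (number of distinct labels, per-label request counts)."""
    counts = Counter(
        destination_service_label(matched, host, host_header_fallback)
        for matched, host in requests
    )
    return len(counts), counts


if __name__ == "__main__":
    for fallback in (True, False):
        n, counts = label_cardinality(REQUESTS, fallback)
        print(f"host_header_fallback={fallback}: {n} distinct labels -> {dict(counts)}")
```

With fallback on, every distinct Host value sent by an out-of-mesh client becomes its own time series, so the label set grows with the attacker's imagination; with fallback off, all such traffic collapses into a single unknown series.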

Additions

Telemetry gains support for the Apache SkyWalking tracer; the istioctl dashboard skywalking command opens the SkyWalking dashboard UI. istiod gains a new metric that reports server uptime, and another new metric (istiod_managed_clusters) that tracks the number of clusters managed by an istiod instance.

Bug Fixes

The only telemetry fix is to Prometheus metrics merging, which now correctly handles the case where the application exposes its metrics as OpenMetrics.

Installation

Improvements

In installation, the external control plane is promoted to beta, and installing Istio on remote clusters with an external control plane is improved: the istiodRemote component now includes all of the resources needed for either a basic remote cluster or a config cluster. Container image sizes are also reduced, by up to 50 MB per image, because the linux-tools-generic package and its dependencies (including python) are no longer installed.

Updates

The base images are now built on ubuntu:focal and debian10 (for distroless), and the Jaeger addon is updated to version 1.22.

Bug Fixes

The only installation fix concerns the upgrade and downgrade message of the control plane.

Removals

The only removal in this update is in installation: the empty caBundle default value has been removed from the chart to allow a GitOps approach.

Istioctl

Improvements

For istioctl, the istioctl experimental revision tag command group is promoted to istioctl tag.

Additions

The new release adds the --workloadIP flag to istioctl x workload entry configure, which sets the workload IP that the sidecar proxy uses to auto-register a WorkloadEntry. This flag is usually required when VM workloads are not on the same network as the primary cluster they register with. There is also a new --dry-run flag for istioctl x uninstall.

istioctl proxy-config bootstrap now has a short output option (-o short) that shows an Istio and Envoy version summary. A new analyzer checks for image: auto in Pods and Deployments that will not be injected. Namespace auto-completion is added to istioctl, along with completion for Kubernetes pods and services. Lastly, the --vklog option enables verbose logging in client-go.

Bug Fixes

The only istioctl fix is to the user-agent in all Istio binaries, which now includes the version.

Conclusion

We have discussed all the changes in version 1.11.0 of Istio. You can try the new and improved Istio yourself by downloading it here.
