1.13 release announcement and notes (#10849)

* wip: 1.13 release announcement and notes

* regen notes

* merge some duplicated notes

* touchup formatting

* apply formatting suggestions

Co-authored-by: jacob-delgado <jacob.delgado@volunteers.acasi.info>
Co-authored-by: John Howard <howardjohn@google.com>

* Update content/en/news/releases/1.13.x/announcing-1.13/change-notes/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.13.x/announcing-1.13/change-notes/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.13.x/announcing-1.13/change-notes/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.13.x/announcing-1.13/change-notes/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.13.x/announcing-1.13/change-notes/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/docs/releases/supported-releases/index.md

Co-authored-by: jacob-delgado <jacob.delgado@volunteers.acasi.info>

* Apply suggestions from code review

Co-authored-by: craigbox <craigbox@google.com>

* Apply suggestions from code review

Co-authored-by: craigbox <craigbox@google.com>

* add announcement

* update supported versions

* spelling

* Update content/en/news/releases/1.13.x/announcing-1.13/_index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.13.x/announcing-1.13/_index.md

Co-authored-by: craigbox <craigbox@google.com>

* spelling adjust

* Fixed wrong year

* Explain that the change is to improve the security

* Fixed a typo

* Removed an obsolete item

* Fix lint error of "Ensure markdown content uses relative references to istio.io"

* Fix another lint error of "Ensure markdown content uses relative references to istio.io"

* Fix yet another lint error of "Ensure markdown content uses relative references to istio.io"

* Fixed the date and the extra spaces in last column

* Reorder items into groups

* Fixed an issue URL and a lint error

* add missing notes

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* lint

* Update content/en/news/releases/1.13.x/announcing-1.13/change-notes/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.13.x/announcing-1.13/change-notes/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.13.x/announcing-1.13/change-notes/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Fix bullet indention

* Remove extraneous characters

* Update release date to Feb 11.

Co-authored-by: jacob-delgado <jacob.delgado@volunteers.acasi.info>
Co-authored-by: John Howard <howardjohn@google.com>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: craigbox <craigbox@google.com>
Co-authored-by: lei-tang <32078630+lei-tang@users.noreply.github.com>
Steven Landow 2022-02-11 11:44:18 -08:00 committed by GitHub
parent 7cb724cc2d
commit 1078b4c263
7 changed files with 326 additions and 11 deletions


@ -30,6 +30,7 @@
1.10.x
1.11.x
1.12.x
1.13.x
1.x
10ms
10s
@ -135,6 +136,7 @@ Autoscalers
autoscalers
autoscaling
AutoTrader
Avelar
az
backend
backends
@ -526,6 +528,7 @@ kyzy
L3-4
L4-L6
Landlow
Landow
learnings
LibreSSL
lifecycle
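Review bot: the spelling dictionary keeps `Landlow` directly above the newly added `Landow`; if `Landlow` was an earlier misspelling of the release manager's surname, remove it in the same change so the spell checker stops accepting both forms.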


@ -51,16 +51,17 @@ current `<minor>` release. A patch is usually a small change relative to the `<m
## Support status of Istio releases
| Version | Currently Supported | Release Date | End of Life | Supported Kubernetes Versions | Tested, but not supported |
|-----------------|----------------------|-------------------|------------------------|-------------------------------|---------------------------|
| master | No, development only | | | | |
| 1.12 | Yes | November 18, 2021 | ~June 2022 (Expected) | 1.19, 1.20, 1.21, 1.22 | 1.16, 1.17, 1.18 |
| 1.11 | Yes | August 12, 2021 | ~Mar 2022 (Expected) | 1.18, 1.19, 1.20, 1.21, 1.22 | 1.16, 1.17 |
| 1.10 | No | May 18, 2021 | Dec 30, 2021 | 1.18, 1.19, 1.20, 1.21 | 1.16, 1.17, 1.22 |
| 1.9 | No | February 9, 2021 | Oct 8, 2021 | 1.17, 1.18, 1.19, 1.20 | 1.15, 1.16 |
| 1.8 | No | November 10, 2020 | May 12, 2021 | 1.16, 1.17, 1.18, 1.19 | 1.15 |
| 1.7 | No | August 21, 2020 | Feb 25, 2021 | 1.16, 1.17, 1.18 | 1.15 |
| 1.6 and earlier | No | | | | |
| Version | Currently Supported | Release Date | End of Life | Supported Kubernetes Versions | Tested, but not supported |
|-----------------|----------------------|-------------------|--------------------------|-------------------------------|---------------------------|
| master | No, development only | | | | |
| 1.13 | Yes | February 11, 2022 | ~October 2022 (Expected) | 1.20, 1.21, 1.22, 1.23 | 1.16, 1.17, 1.18, 1.19 |
| 1.12 | Yes | November 18, 2021 | ~June 2022 (Expected) | 1.19, 1.20, 1.21, 1.22 | 1.16, 1.17, 1.18 |
| 1.11 | Yes | August 12, 2021 | ~Mar 2022 (Expected) | 1.18, 1.19, 1.20, 1.21, 1.22 | 1.16, 1.17 |
| 1.10 | No | May 18, 2021 | Dec 30, 2021 | 1.18, 1.19, 1.20, 1.21 | 1.16, 1.17, 1.22 |
| 1.9 | No | February 9, 2021 | Oct 8, 2021 | 1.17, 1.18, 1.19, 1.20 | 1.15, 1.16 |
| 1.8 | No | November 10, 2020 | May 12, 2021 | 1.16, 1.17, 1.18, 1.19 | 1.15 |
| 1.7 | No | August 21, 2020 | Feb 25, 2021 | 1.16, 1.17, 1.18 | 1.15 |
| 1.6 and earlier | No | | | | |
{{< warning >}}
[Kubernetes 1.22 removed some deprecated APIs](https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/) and as a result versions of Istio prior to 1.10.0 will no longer work. If you are upgrading your Kubernetes version, make sure that your Istio version is still supported.
@ -75,6 +76,7 @@ Please keep up-to-date and use a supported version.
| Minor Releases | Patched versions with no known CVEs |
|----------------------------|--------------------------------------|
| 1.13.x | 1.13.0+ |
| 1.12.x | 1.12.2+ |
| 1.11.x | 1.11.1+ |
| 1.10.x | 1.10.4+ |
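Review bot: the new `1.13.x | 1.13.0+` row in the "no known CVEs" table will be wrong on the day the 1.13.1 security release ships (the announcement in this same commit gives February 22), so plan to bump it to `1.13.1+` together with that release; the linked discuss thread title also names v1.11.7 and v1.12.4 as security releases, so the `1.11.x` and `1.12.x` rows need the same follow-up.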


@ -0,0 +1,9 @@
---
title: 1.13.x Releases
description: Announcements for the 1.13 release and its associated patch releases.
weight: 16
list_by_publishdate: true
layout: release-grid
decoration: dot
---


@ -0,0 +1,74 @@
---
title: Announcing Istio 1.13
linktitle: 1.13
subtitle: Major Update
description: Istio 1.13 release announcement.
publishdate: 2022-02-11
release: 1.13.0
skip_list: true
aliases:
- /news/announcing-1.13
- /news/announcing-1.13.0
---
We are pleased to announce the release of Istio 1.13!
{{< relnote >}}
This is the first Istio release of 2022. We would like to thank the entire Istio community for helping to get Istio 1.13.0 published. Special thanks are due to the release managers Steven Landow (Google), Lei Tang (Google) and Elizabeth Avelar (SAP), and to Test & Release WG lead Eric Van Norman (IBM) for his help and guidance.
{{< tip >}}
Istio 1.13.0 is officially supported on Kubernetes versions `1.20` to `1.23`.
{{< /tip >}}
Here are some of the highlights of the release:
## Configure the Istio sidecar proxy with the `ProxyConfig` API
Previous versions of Istio allowed configuration of proxy-level Envoy options with the [mesh-wide settings API](/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig).
In 1.13, we have promoted this configuration to its open top-level custom resource, `ProxyConfig`. Like other Istio
configuration APIs, this CR can be configured globally, per-namespace, or per-workload.
In the initial release, you can configure concurrency and proxy image type through the `ProxyConfig` CR. This will
expand in future releases.
For more information, check out the [`ProxyConfig` documentation](/docs/reference/config/networking/proxy-config/).
## Continued improvements to the Telemetry API
We continue to refine the new [Telemetry API](/docs/tasks/observability/telemetry/), introduced
in Istio 1.11. In 1.13, we added support for [logging with `OpenTelemetry`](https://opentelemetry.io/docs/reference/specification/logs/overview/), [filtering access logs](/docs/reference/config/telemetry/#AccessLogging-Filter),
and customizing the trace service name. There are also a large number of bug fixes and improvements.
## Support for hostname based load balancers for multi-network gateways
Up until now, Istio has relied on knowing the IP address for a load balancer used between two networks in an east-west
configuration. The Amazon EKS load balancer provides a hostname instead of an IP address, and users had to
[manually resolve this name and set the IP address](https://szabo.jp/2021/09/22/multicluster-istio-on-eks/) as a workaround.
In 1.13, Istio will now automatically resolve the hostname of a gateway, and Istio can now automatically discover the
gateway of a remote cluster on EKS.
## Feature updates
The [`WorkloadGroup`](/docs/reference/config/networking/workload-group/) API feature, first
introduced in Alpha in Istio 1.8, has been promoted to Beta in this release.
[Authorization policy dry-run mode](/docs/tasks/security/authorization/authz-dry-run/) has also
been promoted from Experimental to Alpha.
## Upgrading to 1.13
Please note that [Istio 1.13.1 will be released on February 22](https://discuss.istio.io/t/upcoming-istio-v1-11-7-v1-12-4-and-v1-13-1-security-releases/12264)
to address various security vulnerabilities.
When you upgrade, we would like to hear from you! Please take a few minutes to respond to a brief [survey](https://forms.gle/pzWZpAvMVBecaQ9h9) to let us know how were doing.
## Join us at IstioCon
[IstioCon 2022](https://events.istio.io/istiocon-2022/), set for April 25-29, will be the second annual conference for the Istio community. This year's conference
will again be 100% virtual, connecting community members across the globe with Istio's ecosystem of developers, partners
and vendors. Visit the [conference website](https://events.istio.io/istiocon-2022/) for all the information related to the event.
You can also join the conversation at [Discuss Istio](https://discuss.istio.io/), or join our [Slack workspace](https://slack.istio.io/).
Would you like to contribute directly to Istio? Find and join one of our [Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) and help us improve.
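Review bot: "promoted this configuration to its open top-level custom resource" reads as a typo for "its own top-level custom resource", and "let us know how were doing" needs the apostrophe ("how we're doing"). The `ProxyConfig` section says the CR can be set globally, per-namespace, or per-workload but not which scope wins when several apply; a one-line precedence statement, or an explicit pointer to that part of the linked reference page, would save readers a surprise.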


@ -0,0 +1,182 @@
---
title: Istio 1.13 Change Notes
linktitle: 1.13.0
subtitle: Minor Release
description: Istio 1.13.0 change notes.
publishdate: 2022-02-11
release: 1.13.0
weight: 10
aliases:
- /news/announcing-1.13.0
---
## Traffic Management
- **Added** an API (CRD) for configuring `ProxyConfig` values containing a stable subset of the configuration from `MeshConfig.DefaultConfig`.
- **Added** support for hostname-based multi-network gateways for east-west traffic. The hostname will be resolved in
the control plane and each of the IPs will be used as an endpoint. This behavior can be disabled by setting
`RESOLVE_HOSTNAME_GATEWAYS=false` for istiod. ([Issue #29359](https://github.com/istio/istio/issues/29359))
- **Added** support for rewriting gRPC probes.
- **Added** a feature flag `PILOT_LEGACY_INGRESS_BEHAVIOR`, default to false.
If this is set to true, Istio ingress will perform the legacy behavior, which does not meet the
[Kubernetes specification](https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches).
([Issue #35033](https://github.com/istio/istio/issues/35033))
- **Added** support for listeners to balance between Envoy worker threads via `proxyMetadata`. ([Issue #18152](https://github.com/istio/istio/issues/18152))
- **Promoted** `WorkloadGroup` to v1beta1.
([Issue #25652](https://github.com/istio/istio/issues/25652))
- **Improved** istio-agent health probe rewrite to not re-use connections, mirroring Kubernetes' probing behavior.
([Issue #36390](https://github.com/istio/istio/issues/36390))
- **Improved** the default `PILOT_MAX_REQUESTS_PER_SECOND`, which limits the number of **new** XDS connections per second,
to 25 (from 100). This has been shown to improve performance under high load.
- **Updated** the control plane to read `EndpointSlice` instead of `Endpoints`
for service discovery for Kubernetes 1.21 or later. To switch back to the old
`Endpoints` based behavior set `PILOT_USE_ENDPOINT_SLICE=false` in istiod.
- **Fixed** an issue where specifying conflict protocols for a service target port
will cause unstable protocol selection for that port.
([Issue #36462](https://github.com/istio/istio/issues/36462))
- **Fixed** an issue where scaling endpoint for a service from 0 to 1
might cause client side service account verification populated incorrectly.
([Issue #36456](https://github.com/istio/istio/issues/36456))
- **Fixed** an issue where the `TcpKeepalive` setting at mesh config is not honored.
([Issue #36499](https://github.com/istio/istio/issues/36499))
- **Fixed** an issue where stale endpoints can be configured when a service gets deleted and created again.
([Issue #36510](https://github.com/istio/istio/issues/36510))
- **Fixed** an issue where istiod crashes if prioritized leader election (controlled via `PRIORITIZED_LEADER_ELECTION` env variable) is disabled. ([Issue #36541](https://github.com/istio/istio/issues/36541))
- **Fixed** an issue that sidecar iptables will cause intermittent connection reset due to the out of window packet.
Introduced a flag `meshConfig.defaultConfig.proxyMetadata.INVALID_DROP` to control this setting.
([Issue #36566](https://github.com/istio/istio/pull/36566))
- **Fixed** an issue where an in-place upgrade will cause TCP connections between a <1.12 proxy and a 1.12 proxy to fail.
([Issue #36797](https://github.com/istio/istio/pull/36797))
- **Fixed** an issue where `EnvoyFilter` with ANY patch context will skip adding new clusters and listeners at gateway.
- **Fixed** an issue causing HTTP/1.0 requests to be rejected (with a `426 Upgrade Required` error) in some cases.
([Issue #36707](https://github.com/istio/istio/issues/36707))
- **Fixed** an issue where using `ISTIO_MUTUAL` TLS mode in Gateways while also setting `credentialName` cause mutual TLS to not be configured.
This configuration is now rejected, as `ISTIO_MUTUAL` is intended to be used without `credentialName` set.
The old behavior can be retained by configuring the `PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME=true` environment variable in Istiod.
- **Fixed** an issue where changes in a delegate VirtualService do not take effect when RDS cache is enabled.
([Issue #36525](https://github.com/istio/istio/issues/36525))
- **Fixed** an issue causing mTLS errors for traffic on port 22, by including port 22 in iptables by default.
([Issue #35733](https://github.com/istio/istio/issues/35733))
- **Fixed** an issue causing hostnames overlapping the cluster domain (such as `example.local`) to generate invalid routes.
([Issue #35676](https://github.com/istio/istio/issues/35676))
- **Fixed** an issue that if duplicated cipher suites were configured in Gateway, they were pushed to Envoy configuration. With this fix, duplicated cipher
suites will be ignored and logged.
([Issue #36805](https://github.com/istio/istio/issues/36805))
## Security
- **Added** TLS settings to the sidecar API in order to enable TLS/mTLS termination on the sidecar proxy for requests
coming from outside the mesh. ([Issue #35111](https://github.com/istio/istio/issues/35111))
- **Promoted** [authorization policy dry-run mode](/docs/tasks/security/authorization/authz-dry-run/) to Alpha. ([Issue #112](https://github.com/istio/enhancements/pull/112))
- **Fixed** a couple of issues in the ext-authz filter affecting the behavior of the gRPC check response API. Please
see the [Envoy release note](https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.20.0#bug-fixes) for more
details of the bug fixes if you are using authorization policies with the ext-authz gRPC extension provider in Istio.
([Issue #35480](https://github.com/istio/istio/issues/35480))
## Telemetry
- **Added** configuration for selecting service name generation scheme in Envoy-generated trace spans.
([Issue #36162](https://github.com/istio/istio/issues/36162) and [#12644](https://github.com/istio/istio/issues/12644))
- **Added** Common Expression Language (CEL) filter support for access logs.
([Issue #36514](https://github.com/istio/istio/issues/36514))
- **Added** access logging providers and controls for access log filtering to
the Telemetry API.
- **Added** an option to set whether the Request ID generated by the sidecar should be used when determining the sampling strategy for tracing.
- **Added** configurable service-cluster naming scheme support.
([Issue #36162](https://github.com/istio/istio/issues/36162))
- **Improved** Istiod `JWTRule`: Failed `JWKS` requests are now logged with truncation to 100 characters.
([Issue #35663](https://github.com/istio/istio/issues/35663))
## Installation
- **Added** a privileged flag to Istio-CNI Helm charts to set `securityContext` flag.
([Issue #34211](https://github.com/istio/istio/issues/34211))
- **Removed** support for a number of nonstandard `kubeconfig` authentication methods when using multicluster secrets.
- **Updated** istiod deployment to respect `values.pilot.nodeSelector`.
([Issue #36110](https://github.com/istio/istio/issues/36110))
- **Fixed** an issue where the in-cluster operator can't prune resources when the Istio control plane has active proxies connected.
([Issue #35657](https://github.com/istio/istio/issues/35657))
- **Fixed** omission of the `.Values.sidecarInjectiorWebhook.enableNamespacesByDefault` setting in the default revision mutating webhook, and added `--auto-inject-namespaces` flag to `istioctl tag` controlling this setting.
([Issue #36258](https://github.com/istio/istio/issues/36258))
- **Fixed** an issue where setting `includeInboundPorts` with Helm values did not take effect.
([Issue #36644](https://github.com/istio/istio/issues/36644))
- **Fixed** an issue that was preventing the Helm chart to be used as a chart dependency.
([Issue #35495](https://github.com/istio/istio/issues/35495))
- **Fixed** that the Helm chart generated an invalid manifest when given boolean or numeric values for environment variables.
([Issue #36946](https://github.com/istio/istio/issues/36946))
- **Fixed** detection of `prometheus.io.scrape` annotations when merging metrics.
([Issue #31187](https://github.com/istio/istio/issues/31187))
## istioctl
- **Added** `istioctl analyze` will display a warning when service of type ExternalName have invalid port name or port name is tcp.
([Issue #35429](https://github.com/istio/istio/issues/35429))
- **Added** log options to `istioctl install` to prevent unexpected messages.
([Issue #35770](https://github.com/istio/istio/issues/35770))
- **Added** `CLUSTER` column in the output of `istioctl ps` command.
- **Added** the global wildcard pattern match for the bug report `--include` and `--exclude` flag.
- **Added** the output format flag to `operator dump`.
- **Added** `--operatorFileName` flag to `kube-inject` to support `IstioOperator` files.
([Issue #36472](https://github.com/istio/istio/issues/36472))
- **Added** `istioctl analyze` now supports `--ignore-unknown`, which suppresses
errors when non-k8s yaml files are found in a file or directory.
([Issue #36471](https://github.com/istio/istio/issues/36471))
- **Added** stats command `istioctl experimental envoy-stats` for retrieving istio-proxy envoy metrics.
- **Fixed** the `--duration` flag never gets used in the `istioctl bug-report` command.
- **Fixed** using flags in `istioctl bug-report` results in errors.
([Issue #36103](https://github.com/istio/istio/issues/36103))
- **Fixed** `operator init --dry-run` creates unexpected namespaces.
- **Fixed** error format after json marshal in virtual machine config.
([Issue #36358](https://github.com/istio/istio/issues/36358))
## Documentation changes
- **Fixed** formatting of the telemetry configuration reference page.
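Review bot: `.Values.sidecarInjectiorWebhook.enableNamespacesByDefault` in the Installation section looks misspelled; the Helm value is `sidecarInjectorWebhook`. The entries for #36566 and #36797 are labelled "Issue" but link to `/pull/` URLs, so either relabel them as PRs or point at the corresponding issues. In the `ISTIO_MUTUAL` entry, it would be worth saying next to `PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME=true` that the legacy behavior it restores is the one where mutual TLS is silently not configured, so operators do not read the flag as a harmless compatibility toggle.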


@ -0,0 +1,45 @@
---
title: Istio 1.13 Upgrade Notes
description: Important changes to consider when upgrading to Istio 1.13.0.
publishdate: 2022-02-11
weight: 20
---
When you upgrade from Istio 1.12.x to Istio 1.13.0, you need to consider the changes on this page.
These notes detail the changes which purposefully break backwards compatibility with Istio 1.13.0.
The notes also mention changes which preserve backwards compatibility while introducing new behavior.
Changes are only included if the new behavior would be unexpected to a user of Istio `1.12.x`.
## Health Probes will no longer re-use connections
Health probes using the istio-agent [health probe rewrite](/docs/ops/configuration/mesh/app-health-check/) will
now no longer re-use connections for the probe. This behavior was changed to match probing behavior of Kubernetes',
and may also improve probe reliability for applications using short idle timeouts.
As a result, your application may see more connections (but the same number of HTTP requests) from probes.
For most applications, this will not be noticeably different.
If you need to revert to the old behavior, the `ENABLE_PROBE_KEEPALIVE_CONNECTION=true` environment variable in the proxy may be set.
## Multicluster Secret Authentication Changes
When kubeconfig files are created to [enable endpoint discovery](/docs/setup/install/multicluster/multi-primary/#enable-endpoint-discovery)
in multicluster installations, the authentication methods allowed in the configuration are now limited to improve the security.
The two authentication methods output but `istioctl create-remote-secret` (`oidc` and `token`), are not impacted.
As a result, only users that are creating custom kubeconfig files will be impacted.
A new environment variable, `PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS`, is added to Istiod to enable the methods that were removed.
For example, if `exec` authentication is used, set `PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS=exec`.
## Port 22 iptables capture changes
In previous versions, port 22 was excluded from iptables capture. This mitigates risk of getting locked out of a VM
when using Istio on VMs. This configuration was hard coded into the iptables logic, meaning there was no way to
capture traffic on port 22.
The iptables logic now no longer has special logic on port 22. Instead, the `istioctl x workload entry configure`
command will automatically configure `ISTIO_LOCAL_EXCLUDE_PORTS` to include port 22. This means that VM users will
continue to have port 22 excluded, while Kubernetes users will have port 22 included now.
If this behavior is undesirable, the port can be explicitly opted out in Kubernetes with the `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
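Review bot: "The two authentication methods output but `istioctl create-remote-secret`" should read "output by". The same section says the allowed kubeconfig authentication methods are "now limited" but never lists which ones were removed beyond the `exec` example; enumerating the removed methods (or the remaining allowed set) lets operators audit hand-written kubeconfigs before upgrading instead of finding out from a remote cluster that stops syncing after istiod restarts. Minor grammar: "to match probing behavior of Kubernetes'" should be "to match Kubernetes' probing behavior", and "This mitigates risk" in the port 22 section describes the previous behavior and should be past tense.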


@ -29,7 +29,7 @@ source_branch_name: release-1.13
doc_branch_name: master
# The list of supported versions described by the docs
supported_kubernetes_versions: ["1.19", "1.20", "1.21", "1.22"]
supported_kubernetes_versions: ["1.20", "1.21", "1.22", "1.23"]
####### Static values