istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Release 1.11 announcement post, change and update notes (#10133) 

* add release 1.11 notes draft

* fix issues with changelog items

* fix changelog wording

Co-authored-by: jacob-delgado <jacob.delgado@volunteers.acasi.info>

* Fix up lint errors, remove empty sections, pick up some remarks

* update changelog wording

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* add in release announcement

* fix spelling issues

* fix istio.io links

* relnote

* remove /latest from relative linkes

* Update content/en/news/releases/1.11.x/announcing-1.11/change-notes/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.11.x/announcing-1.11/change-notes/index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.11.x/announcing-1.11/_index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.11.x/announcing-1.11/_index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.11.x/announcing-1.11/_index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.11.x/announcing-1.11/_index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.11.x/announcing-1.11/_index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.11.x/announcing-1.11/_index.md

Co-authored-by: craigbox <craigbox@google.com>

* Update content/en/news/releases/1.11.x/announcing-1.11/upgrade-notes/index.md

Co-authored-by: craigbox <craigbox@google.com>

Co-authored-by: jacob-delgado <jacob.delgado@volunteers.acasi.info>
Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: craigbox <craigbox@google.com>
This commit is contained in:
Ryan King 2021-08-12 17:07:51 -04:00 committed by GitHub
parent 806fe9faec
commit a15e775ffc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 346 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.spelling
View File

@ -28,6 +28,7 @@
1.9.x
1.9.x.
1.10.x
1.11.x
1.x
10ms
10s
@ -272,6 +273,7 @@ Deutsche
devirtualization
Devirtualization
devops
discoverability
discuss.istio.io
distro
Distroless
@ -578,6 +580,7 @@ OpenAPI
OpenCensus
OpenID
OpenID_Connect
OpenMetrics
OpenShift
openusage.org
OpenSSL
@ -725,6 +728,7 @@ sidecar
sidecar.env
SignalFX
sinkInfo
SkyWalking
SLOs
SMEs
Snell-Feikema
@ -794,6 +798,7 @@ trustability
tunneling
UID
UIDs
uint32
ulimit
uncomment
uncommented

8
content/en/news/releases/1.11.x/_index.md Normal file
View File

@ -0,0 +1,8 @@
---
title: 1.11.x Releases
description: Announcements for the 1.11 release and its associated patch releases.
weight: 18
list_by_publishdate: true
layout: release-grid
decoration: dot
---

82
content/en/news/releases/1.11.x/announcing-1.11/_index.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Announcing Istio 1.11
linktitle: "1.11"
subtitle: Major Update
description: Istio 1.11 release announcement.
publishdate: 2021-08-12
release: 1.11.0
skip_list: true
aliases:
- /news/announcing-1.11
- /news/announcing-1.11.0
---
We are pleased to announce the release of Istio 1.11!
{{< relnote >}}
This is the third Istio release of 2021. We would like to thank the entire Istio community, and especially the release managers [John Wendell](https://github.com/jwendell) from Red Hat, [Ryan King](https://github.com/ryantking) from Solo.io and [Steve Zhang](https://github.com/zhlsunshine) from Intel, for helping to get Istio 1.11.0 published.
{{< tip >}}
Istio 1.11.0 is officially supported on Kubernetes versions `1.18.0` to `1.22.x`.
{{< /tip >}}
Here are some highlights for this release:
## CNI plugin (Beta)
By default Istio injects an [init container](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) in pods deployed in the mesh. The `istio-init` container sets up the pod network traffic redirection to/from the Istio sidecar proxy using iptables. This requires the user or service account deploying pods in the mesh to have sufficient permissions to deploy [containers with the `NET_ADMIN` and `NET_RAW` capabilities](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container). Requiring Istio users to have elevated Kubernetes privileges can be problematic for security compliance within an organization. The Istio CNI plugin is a replacement for the `istio-init` container that performs the same networking functionality, but without requiring Istio users to enable elevated Kubernetes permissions.
The CNI plugin can be chained with other plugins, and supports most hosted Kubernetes implementations.
In this release, we have promoted the CNI plugin functionality to Beta by improving our documentation and testing to ensure users can enable this feature safely in production. [Learn how to install Istio with the CNI plugin.](/docs/setup/additional-setup/cni/)
## External control plane (Beta)
Last year we introduced a [new deployment model for Istio](/blog/2020/new-deployment-model/) where the control plane for a cluster was managed outside of that cluster. This allows for separation of concerns between a mesh owner, who administers the control plane, and the mesh users, who deploy and configure services in the mesh. An external control plane, running in a separate cluster, can control a single data plane cluster or more than one cluster of a multicluster mesh.
In 1.11, this feature has been promoted to Beta. [Learn how you can set up a mesh with an external control plane](/docs/setup/install/external-controlplane/).
## Gateway injection
Istio provides gateways as a way to interface with the outside world. You can deploy [ingress gateways](/docs/tasks/traffic-management/ingress/ingress-control/), for incoming traffic originating outside your cluster, and [egress gateways](/docs/tasks/traffic-management/egress/egress-gateway/), for outgoing traffic from your applications to services deployed outside your cluster.
In the past, an Istio version would deploy a gateway as a Deployment which had a completely separate proxy configuration to all the rest of the sidecar proxies in the cluster. This made management and upgrade of the gateway complex, especially when multiple gateways were deployed in the cluster. One common issue was that settings from the control plane passed down to sidecar proxies and the gateways could drift, causing unexpected issues.
Gateway injection moves the management of gateways to the same method as sidecar proxies. Configuration that you set on your proxies globally will apply to your gateways, and complex configurations that weren't possible (for example, running a gateway as a DaemonSet) are now easy. You can also update your gateways to the latest version after a cluster upgrade simply by restarting the pods.
In addition to these changes, we have released new [Installing Gateways](/docs/setup/additional-setup/gateway/) documentation, which covers best practices for installation, management, and upgrade of gateways.
## Updates to revision and tag deployments
In Istio 1.6 we added support for running multiple control planes simultaneously, which allows you to do a [canary deployment of a new Istio version](/blog/2020/multiple-control-planes/). In 1.10, we introduced [revision tags](/blog/2021/revision-tags/), which lets you mark a revision as "production" or "testing" and minimizes the chance of error when upgrading.
The `istioctl tag` command has graduated out of experimental in 1.11. You can also now specify a default revision for the control plane. This helps further simplify the canary upgrade from a non-revisioned control plane to a new version.
We also fixed an [outstanding issue](https://github.com/istio/istio/issues/28880) with upgrades - you can safely perform a canary upgrade of your control plane regardless of whether or not it was installed using a revision.
To improve the sidecar injection experience, `istio-injection` and `sidecar.istio.io/inject` labels were introduced. We recommend you to switch to using injection labels, as they perform better than injection annotations. We intend to deprecate the injection annotations in a future release.
## Kubernetes Multi-cluster Services (MCS) support (Experimental)
The Kubernetes project is building an [multi-cluster services API](https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api) that allows service owners or mesh admins to control the export of services and their endpoints across the mesh.
Istio 1.11 adds experimental support for multi-cluster services. Once enabled, the discoverability of service endpoints is determined by client location and whether the service has been exported. Endpoints residing within the same cluster as the client will always be discoverable. Endpoints within a different cluster, however, will only be discoverable by the client if they were exported to the mesh.
Note that Istio does not yet support the behavior for the `cluster.local` and `clusterset.local` hosts as defined by the MCS spec. Clients should continue to address services using either `cluster.local` or `svc.namespace`.
This is the first phase in [our plan](https://docs.google.com/document/d/1K8hvQ83UcJ9a7U8oqXIefwr6pFJn-VBEi40Ak-fwQtk/edit) to support MCS. Stay tuned!
## Sneak peek: new APIs
A number of Istio features can only be configured by [`EnvoyFilter`](/docs/reference/config/networking/envoy-filter/), which allows you to set proxy configuration. We're working on new APIs for common use cases - such as configuring telemetry settings and WebAssembly (Wasm) extension deployment, and you can expect to see these become available to users in the 1.12 release. If you're interested in helping us test the implementations as they are built, [please join the appropriate working group meeting](https://github.com/istio/community/blob/master/WORKING-GROUPS.md).
## Join the Istio community
You can also join the conversation at [Discuss Istio](https://discuss.istio.io/), or join our [Slack workspace](https://slack.istio.io/).
Would you like to get involved? Find and join one of our [Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) and help improve Istio.
## Istio 1.11 Upgrade Survey
If you have completed your upgrade to Istio 1.11, we would like to hear from you! Please take a few minutes to respond to our brief [survey](https://forms.gle/pquMQs4Qxujus6jB9) to tell us how were doing.

169
content/en/news/releases/1.11.x/announcing-1.11/change-notes/index.md Normal file
View File

@ -0,0 +1,169 @@
---
title: Istio 1.11 Change Notes
linktitle: 1.11.0
subtitle: Minor Release
description: Istio 1.11.0 release notes.
publishdate: 2021-08-12
release: 1.11.0
weight: 10
aliases:
- /news/announcing-1.11.0
---
## Traffic Management
- **Promoted** [CNI](/docs/setup/additional-setup/cni/) to beta. ([Issue #86](https://github.com/istio/enhancements/issues/86))
- **Improved** resolution of headless services via in-agent DNS to include endpoints
from other clusters that are on the same network.
([Issue #27342](https://github.com/istio/istio/issues/27342))
- **Improved** usage of `AUTO_PASSTHROUGH` Gateways to no longer require configuring the `ISTIO_META_ROUTER_MODE` environment variable on the gateway deployment; instead, it is automatically detected.
([Issue #33127](https://github.com/istio/istio/issues/33127))
- **Improved** CNI network plugin to send logs to the CNI DaemonSet. This allows viewing CNI logs using `kubectl logs`, instead of looking at kubelet logs.
([Issue #32437](https://github.com/istio/istio/issues/32437))
- **Improved** service conflict resolution to favor Kubernetes Services over `ServiceEntries` with the same hostname.
- **Updated** CNI install container and race condition repair container are combined into one container.
([Issue #33712](https://github.com/istio/istio/issues/33712))
- **Updated** the Istiod debug interface to be only accessible over localhost or with proper authentication (mTLS or JWT).
The recommended way to access the debug interface is through `istioctl experimental internal-debug`, which handles
this automatically.
- **Added** the `shutdownDuration` flag to [pilot-discovery](/docs/reference/commands/pilot-discovery/) so that users can configure the duration istiod needs to terminate gracefully. The default value is 10s.
- **Added** an environment variable `PILOT_STATUS_UPDATE_INTERVAL` that is the interval to update the XDS distribution status and its default value is `500ms`.
- **Added** the HTTP endpoint localhost:15004/debug/\<`typeurl`\> to the Istio sidecar agent. GET requests
to that URL will be resolved by sending an xDS discovery "event" to istiod. This can be disabled by setting
the following in the Istio Operator: `meshConfig.defaultConfig.proxyMetadata.PROXY_XDS_DEBUG_VIA_AGENT=false`.
([Issue #22274](https://github.com/istio/istio/issues/22274))
- **Added** support for overriding the locality of the `WorkloadGroup` template in
an auto registered `WorkloadEntry`. Locality overrides can be passed in through
Envoy bootstrap configuration.
([Issue #33426](https://github.com/istio/istio/pull/33426)),([Issue #33426](https://github.com/istio/istio/issues/33426))
- **Added** new metric for tracking distribution of configuration resource sizes being pushed by istiod.
([Issue #31772](https://github.com/istio/istio/issues/31772))
- **Added** experimental support for the Kubernetes Multi-Cluster Services (MCS) host (`clusterset.local`).
This feature is off by default, but can be enabled by setting the following environment variables for your Istiod deployment:
`ENABLE_MCS_HOST` and `ENABLE_MCS_SERVICE_DISCOVERY`. When enabled Istio will include the MCS host as a
domain in the service's HTTP route. Additionally, Istio will support the MCS host during a DNS lookup.
For now, the MCS host is just an alias for `cluster.local` and resolves to the same service IP.
Future work will give the MCS host a separate IP as is defined by the MCS spec. ([Issue #33949](https://github.com/istio/istio/issues/33949))
- **Added** experimental support for controlling service endpoint discoverability with Kubernetes Multi-Cluster
Services (MCS). This feature is off by default, but can be enabled by setting the
`ENABLE_MCS_SERVICE_DISCOVERY` flag in Istio. When enabled, Istio will make service endpoints
only discoverable from within the same cluster by default. To make the service endpoints within a cluster
discoverable throughout the mesh, a `ServiceExport` CR must be created within the same cluster as the service
endpoints. this process can be automated by enabling the Istio flag `ENABLE_MCS_AUTOEXPORT`. With this enabled,
Istio will automatically create `ServiceExport` in all clusters for each service.
([Issue #29384](https://github.com/istio/istio/issues/29384))
- **Fixed** an issue to `enableCoreDump` using the sidecar annotation.
([reference]( https://istio.io/latest/docs/reference/config/annotations/)) ([Issue #26668](https://github.com/istio/istio/issues/26668))
- **Fixed** where both inbound and outbound apps were unable to intercept traffic when using `podIP` in TPROXY interception mode.
([Issue #31095](https://github.com/istio/istio/issues/31095))
- **Fixed** an issue where subject alternate names specified in service entry are not considered while building TLS context.
([Issue #32539](https://github.com/istio/istio/issues/32539))
- **Fixed** a bug where multiple gateways on the same port with `SIMPLE` and `PASSTHROUGH` modes was not working correctly. ([Issue #33405](https://github.com/istio/istio/issues/33405))
- **Fixed** a bug where Istio config generation fails when the sum of endpoint weights was over uint32 max. ([Issue #33536](https://github.com/istio/istio/issues/33536))
- **Fixed** smart DNS support in Istio CNI.
([Issue #29511](https://github.com/istio/istio/issues/29511))
- **Fixed** a bug in Kubernetes Ingress causing paths with prefixes of the form `/foo` to
match the route `/foo/` but not the route `/foo`.
- **Fixed** an issue allowing a `ServiceEntry` to act as an instance in other namespaces.
- **Fixed** an issue causing proxies to send `Transfer-Encoding` headers with `1xx` and `204` responses.
- **Fixed** reconciliation logic in the validation webhook controller to rate-limit
the retries in the loop. This should drastically reduce churn (and generated logs)
in cases of misconfiguration.
([Issue #32210](https://github.com/istio/istio/issues/32210))
- **Optimized** generated routing configuration to merge virtual hosts with the same routing configuration. This improves performance for Virtual Services with multiple hostnames defined.
([Issue #28659](https://github.com/istio/istio/issues/28659))
## Security
- **Added** validation for the `jwks` field in the request authentication policy. ([Issue #33053](https://github.com/istio/istio/issues/33053))
## Telemetry
- **Updated** Prometheus telemetry behavior for inbound traffic to disable host header fallback by default. This will
prevent traffic coming from out-of-mesh locations from potentially polluting the `destination_service` dimension in
metrics with junk data (and exploding metrics cardinality). With this change, it is possible that users relying on
host headers for labeling the destination service for inbound traffic from out-of-mesh workloads will see that traffic
labeled as `unknown`. The behavior can be restored by modifying Istio configuration to remove the `disable_host_header_fallback: true`
configuration.
- **Added** support for [Apache SkyWalking](https://skywalking.apache.org/) tracer. Now you can run the `istioctl dashboard skywalking` command to view SkyWalking dashboard UI.
([Issue #32588](https://github.com/istio/istio/pull/32588))
- **Added** a new metric to `istiod` to report server uptime.
- **Added** a new metric (`istiod_managed_clusters`) to `istiod` to track the number of clusters managed by an
`istiod` instance.
- **Fixed** Prometheus [metrics merging](/docs/ops/integrations/prometheus/#option-1-metrics-merging) to
correctly handle the case where the application metrics are exposed as [OpenMetrics](https://github.com/OpenObservability/OpenMetrics).
([Issue #33474](https://github.com/istio/istio/issues/33474))
## Installation
- **Promoted** [external control plane](/docs/setup/install/external-controlplane/) to beta.
([Pull Request #93](https://github.com/istio/enhancements/pull/93))
- **Improved** the installation of Istio on remote clusters using an external control plane.
The `istiodRemote` component now includes all of the resources needed for either a basic remote or config cluster.
([Issue #33455](https://github.com/istio/istio/issues/33455))
- **Improved** the size of container images, decreasing each image by up to 50Mb. As a result, the `linux-tools-generic` package, as well as dependencies (including `python`) are no longer installed.
- **Updated** the base image versions to be built on `ubuntu:focal` and `debian10` (for distroless).
- **Updated** Jaeger addon to version 1.22.
- **Fixed** the upgrade and downgrade message of the control plane.
([Issue #32749](https://github.com/istio/istio/issues/32749))
- **Removed** the empty `caBundle` default value from Chart to allow a GitOps approach.
([Issue #33052](https://github.com/istio/istio/issues/33052))
## istioctl
- **Promoted** the `istioctl experimental revision tag` command group to `istioctl tag`.
- **Added** `--workloadIP` flag to `istioctl x workload entry configure`, which sets the configuration for the workload IP that the sidecar proxy uses to auto register a workload Entry.
Usually required when the VM workloads aren't in the same network as the primary cluster to which they register.
([Issue #32462](https://github.com/istio/istio/issues/32462))
- **Added** `--dry-run` flag for `istioctl x uninstall`.
([Issue #32513](https://github.com/istio/istio/issues/32513))
- **Added** `istioctl proxy-config bootstrap` now has a short output option (`-o short`) that shows the Istio and Envoy version summary.
([Issue #21517](https://github.com/istio/istio/issues/21517))
- **Added** a new analyzer to check for `image: auto` in Pods and Deployments that will not be injected.
- **Added** support for auto-completion of the namespace for istioctl.
- **Added** istioctl now supports completion for Kubernetes pods, services.
- **Added** `--vklog` option to enable verbose logging in client-go.
([Issue #28231](https://github.com/istio/istio/issues/28231))
- **Fixed** user-agent in all Istio binaries to include version.

82
content/en/news/releases/1.11.x/announcing-1.11/upgrade-notes/index.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Istio 1.11 Upgrade Notes
description: Important changes to consider when upgrading to Istio 1.11.0.
publishdate: 2021-08-12
weight: 20
---
When you upgrade from Istio 1.10.0 to Istio 1.11.0, you need to consider the changes on this page.
These notes detail the changes which purposefully break backwards compatibility with Istio 1.10.0.
The notes also mention changes which preserve backwards compatibility while introducing new behavior.
Changes are only included if the new behavior would be unexpected to a user of Istio 1.10.0.
## The `istiodRemote` installation component now includes config cluster resources
Installing Istio on a remote cluster that is using an external control plane was previously done by disabling the `base` and `pilot`
components and enabling the `istiodRemote` component in the IOP:
{{< text yaml >}}
components:
base:
enabled: false
pilot:
enabled: false
istiodRemote:
enabled: true
values:
global:
externalIstiod: true
{{< /text >}}
If the remote cluster also serves as the config cluster for the external control plane,
the `base` component would also be enabled:
{{< text yaml >}}
components:
base:
enabled: true
pilot:
enabled: false
istiodRemote:
enabled: true
values:
global:
externalIstiod: true
{{< /text >}}
To simplify the implementation and to completely separate the remote installation from the `base` component,
the `istiodRemote` component now includes all of the charts needed for any remote cluster, whether it serves as a config
cluster or not. A new variable `values.global.configCluster` is used to enable/disable the resources needed
in a config cluster:
{{< text yaml >}}
components:
base:
enabled: false
pilot:
enabled: false
istiodRemote:
enabled: true
values:
global:
externalIstiod: true
configCluster: true
{{< /text >}}
## Host header fallback disabled by default for Prometheus metrics for *all* inbound traffic
Host header fallback for determining values for Prometheus `destination_service` labels has been disabled for all incoming traffic.
Previously, this was disabled *only* for traffic arriving at Gateways. If you are relying on host header fallback behavior to properly
label the `destination_service` in Prometheus metrics for traffic originating from out-of-mesh workloads, then you will need to update the telemetry
configuration to enable host header fallback.
## `EnvoyFilter` `match.routeConfiguration.vhost.name` semantics change
`EnvoyFilter` matches rely on internal implementation details to match generated xDS segments, which is subject to change at any time.
In this release, the [virtual host name match](/docs/reference/config/networking/envoy-filter/#EnvoyFilter-RouteConfigurationMatch-VirtualHostMatch) may have different results.
Previously, each domain name had its own virtual host. As an optimization, multiple domains may use a single virtual host.
This means that an Envoy Filter previously matching a specific virtual host may now apply to more domains than in previous releases.
This optimization may be temporarily disabled by setting `PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATION=false` on the Istiod deployment.