[Release 1.5] Upgrade notice for new authentication APIs (#6615)

* Draft upgrade note for new authn

* Update content/en/news/releases/1.5.x/announcing-1.5/upgrade-notes/index.md

Co-Authored-By: Jed Hartman <jed@google.com>

* Update content/en/news/releases/1.5.x/announcing-1.5/upgrade-notes/index.md

Co-Authored-By: Jed Hartman <jed@google.com>

* Address comment

* Fix link

* Attempt to fix the feature link

Co-authored-by: Jed Hartman <jed@google.com>
Francois Pesce 2020-03-05 17:15:03 -08:00 committed by GitHub
parent 8833f7f155
commit c8a36e611f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 1 deletions


@ -71,7 +71,7 @@ Below is our list of existing features and their current phases. This informatio
|-------------------|-------------------
| [Service-to-service mutual TLS](/docs/concepts/security/#mutual-tls-authentication) | Stable
| [Kubernetes: Service Credential Distribution](/docs/concepts/security/#pki) | Stable
| [SDS based key and certificate provisioning](/docs/concepts/security/#the-istio-agent-in-kubernetes) | Stable
| [SDS based key and certificate provisioning](/docs/concepts/security/#pki) | Stable
| [Cert management on Ingress Gateway](/docs/tasks/traffic-management/ingress/secure-ingress-sds) | Stable
| [Pluggable Key/Cert Support for Istio CA](/docs/tasks/security/plugin-ca-cert/) | Stable
| [Authorization](/docs/concepts/security/#authorization) | Beta
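Review bot: after this change the "SDS based key and certificate provisioning" row links to the same `#pki` anchor as the "Kubernetes: Service Credential Distribution" row directly above it, so two distinct feature rows now resolve to one section of `/docs/concepts/security/`. Since the commit message describes this as an attempt to fix the feature link, please confirm that `#pki` is an anchor that actually exists on the concepts page (a second missing anchor would fail silently, exactly like `#the-istio-agent-in-kubernetes` did), and if the agent section still exists under a different heading, point this row there so the two rows stay distinguishable.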


@ -69,6 +69,18 @@ Please check [Mixer Deprecation](https://tinyurl.com/mixer-deprecation) notice f
* Black Hole telemetry for TCP and HTTP protocols is not supported.
* Histogram buckets are [significantly different](https://github.com/istio/istio/issues/20483) than Mixer Telemetry and cannot be changed.
## Authentication policy
Istio 1.5 introduces [`PeerAuthentication`](/docs/reference/config/security/peer_authentication/) and [`RequestAuthentication`](/docs/reference/config/security/request_authentication/), which are replacing the alpha version of the Authentication API. For more information about how to use the new API, see the [authentication policy](/docs/tasks/security/authentication/authn-policy) tutorial.
* After you upgrade Istio, your alpha authentication policies remain in place and being used. You can gradually replace them with the equivalent `PeerAuthentication` and `RequestAuthentication`. The new policy will take over the old policy in the scope it is defined. We recommend starting with workload-wide (the most specific scope), then namespace-wide, and finally mesh-wide.
* After you replace policies for workload, namespace, and mesh, you can safely remove the alpha authentication policies. To delete the alpha policies, use this command:
{{< text bash >}}
$ kubectl delete policies.authentication.istio.io --all-namespaces --all
$ kubectl delete meshpolicies.authentication.istio.io --all
{{< /text >}}
## Istio workload key and certificate provisioning
* We have stabilized the SDS certificate and key provisioning flow. Now the Istio workloads are using SDS to provision certificates. The secret volume mount approach is deprecated.
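Review bot: the two `kubectl delete ... --all` commands in this hunk remove every alpha authentication policy in the cluster, but nothing in the section asks the reader to verify that every alpha policy already has a `PeerAuthentication` or `RequestAuthentication` equivalent before running them. Suggest adding a listing step ahead of the delete, e.g. `kubectl get policies.authentication.istio.io --all-namespaces` and `kubectl get meshpolicies.authentication.istio.io`, and stating explicitly what happens to a workload whose alpha policy is deleted while no replacement covers it (it falls back to the next broader scope, which may be permissive). Two wording fixes in the bullet text: "remain in place and being used" should read "remain in place and are still used", and "The new policy will take over the old policy in the scope it is defined" should read "The new policy takes precedence over the old one within the scope it is defined for".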
@ -93,3 +105,4 @@ Istio 1.5.0 multicluster setup has several known issues ([27102](https://github.
## Helm upgrade
If you used `helm upgrade` to update your cluster to newer Istio versions, we recommend you to switch to use [`istioctl upgrade`](/docs/setup/upgrade/istioctl-upgrade/) or follow the [helm template](/docs/setup/upgrade/cni-helm-upgrade/) steps.
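Review bot: this section tells readers who used `helm upgrade` to switch to `istioctl upgrade` or the helm template steps, but never says why; a reader cannot tell whether `helm upgrade` is unsupported for 1.5, deprecated, or simply not recommended, and that distinction decides whether their existing installation is at risk. One sentence stating the reason would close that gap. Grammar: "we recommend you to switch to use" should read "we recommend that you switch to".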