diff --git a/content/en/about/feature-stages/index.md b/content/en/about/feature-stages/index.md index cdb2dc8a5b..7433200290 100644 --- a/content/en/about/feature-stages/index.md +++ b/content/en/about/feature-stages/index.md @@ -71,7 +71,7 @@ Below is our list of existing features and their current phases. This informatio |-------------------|------------------- | [Service-to-service mutual TLS](/docs/concepts/security/#mutual-tls-authentication) | Stable | [Kubernetes: Service Credential Distribution](/docs/concepts/security/#pki) | Stable -| [SDS based key and certificate provisioning](/docs/concepts/security/#the-istio-agent-in-kubernetes) | Stable +| [SDS based key and certificate provisioning](/docs/concepts/security/#pki) | Stable | [Cert management on Ingress Gateway](/docs/tasks/traffic-management/ingress/secure-ingress-sds) | Stable | [Pluggable Key/Cert Support for Istio CA](/docs/tasks/security/plugin-ca-cert/) | Stable | [Authorization](/docs/concepts/security/#authorization) | Beta diff --git a/content/en/news/releases/1.5.x/announcing-1.5/upgrade-notes/index.md b/content/en/news/releases/1.5.x/announcing-1.5/upgrade-notes/index.md index 379b1e37b0..83888d352a 100644 --- a/content/en/news/releases/1.5.x/announcing-1.5/upgrade-notes/index.md +++ b/content/en/news/releases/1.5.x/announcing-1.5/upgrade-notes/index.md 
@@ -69,6 +69,18 @@ Please check [Mixer Deprecation](https://tinyurl.com/mixer-deprecation) notice f * Black Hole telemetry for TCP and HTTP protocols is not supported. * Histogram buckets are [significantly different](https://github.com/istio/istio/issues/20483) than Mixer Telemetry and cannot be changed. +## Authentication policy + +Istio 1.5 introduces [`PeerAuthentication`](/docs/reference/config/security/peer_authentication/) and [`RequestAuthentication`](/docs/reference/config/security/request_authentication/), which are replacing the alpha version of the Authentication API. For more information about how to use the new API, see the [authentication policy](/docs/tasks/security/authentication/authn-policy) tutorial. + +* After you upgrade Istio, your alpha authentication policies remain in place and being used. You can gradually replace them with the equivalent `PeerAuthentication` and `RequestAuthentication`. The new policy will take over the old policy in the scope it is defined. We recommend starting with workload-wide (the most specific scope), then namespace-wide, and finally mesh-wide. +* After you replace policies for workload, namespace, and mesh, you can safely remove the alpha authentication policies. To delete the alpha policies, use this command: + +{{< text bash >}} +$ kubectl delete policies.authentication.istio.io --all-namespaces --all +$ kubectl delete meshpolicies.authentication.istio.io --all +{{< /text >}} + ## Istio workload key and certificate provisioning * We have stabilized the SDS certificate and key provisioning flow. Now the Istio workloads are using SDS to provision certificates. The secret volume mount approach is deprecated. 
@@ -93,3 +105,4 @@ Istio 1.5.0 multicluster setup has several known issues ([27102](https://github. ## Helm upgrade If you used `helm upgrade` to update your cluster to newer Istio versions, we recommend you to switch to use [`istioctl upgrade`](/docs/setup/upgrade/istioctl-upgrade/) or follow the [helm template](/docs/setup/upgrade/cni-helm-upgrade/) steps. +
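Review bot: In the `feature-stages/index.md` hunk, the "SDS based key and certificate provisioning" row now links to `/docs/concepts/security/#pki`, the same anchor as the "Kubernetes: Service Credential Distribution" row directly above it, so two distinct features resolve to one target. Confirm that the `#pki` section covers SDS provisioning now that `#the-istio-agent-in-kubernetes` is no longer referenced, or point this row at a more specific heading if one exists.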
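Review bot: In the new "Authentication policy" section of the upgrade notes, the second bullet goes straight to `kubectl delete policies.authentication.istio.io --all-namespaces --all` with no step to confirm that every alpha policy already has an equivalent in place; deleting one that was not replaced removes the authentication requirement it enforced in that scope. Suggest adding a listing step before the delete, for example `kubectl get policies.authentication.istio.io --all-namespaces` and `kubectl get meshpolicies.authentication.istio.io`, and telling readers to check each result against its `PeerAuthentication` or `RequestAuthentication` replacement. Wording in the first bullet: "remain in place and being used" should read "remain in place and are still used", and "The new policy will take over the old policy in the scope it is defined" would be clearer as "takes precedence over the alpha policy in the scope where it is defined".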
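Review bot: The final hunk of the upgrade notes only appends an empty line after the "Helm upgrade" paragraph. Drop it unless it is needed to satisfy a lint rule, so the change stays limited to the authentication policy content.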