istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Edit release notes for consistency and clarity. (#3737) 

Signed-off-by: rcaballeromx <grca@google.com>
This commit is contained in:
Rigs Caballero 2019-03-18 10:52:40 -07:00 committed by istio-bot
parent 0a18a02929
commit e5499e77e9
1 changed files with 129 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

207
content/about/notes/1.1/index.md
View File

@ -4,10 +4,13 @@ publishdate: 2019-03-20
icon: notes icon: notes
--- ---
We're proud to release Istio 1.1! We have spent the last 8 months making some significant improvements to the overall We're proud to release Istio 1.1!
product, with fixes & features from Google, IBM, VMware, Huawei, RedHat, Cisco, SAP, Salesforce, Pivotal, SUSE, Datadog
and LightStep, to name a few. Special thanks to all of our end-users for providing feedback, feature requests and We have spent the last 8 months making some significant improvements to the
testing the release candidates at various scales. overall product, with fixes and features from Google, IBM, VMware, Huawei,
RedHat, Cisco, SAP, Salesforce, Pivotal, SUSE, Datadog and LightStep, to name a
few. Special thanks to all of our end-users for providing feedback, feature
requests, and testing the release candidates at various scales.
These release notes describe what's different between Istio 1.0.6 and Istio 1.1. These release notes describe what's different between Istio 1.0.6 and Istio 1.1.
@ -16,106 +19,141 @@ These release notes describe what's different between Istio 1.0.6 and Istio 1.1.
## Upgrades ## Upgrades
- We recommend a manual upgrade of the control plane and data plane to 1.1. See - We recommend a manual upgrade of the control plane and data plane to 1.1. See
[upgrades](/docs/setup/kubernetes/upgrade/) for more information. the [upgrades documents](/docs/setup/kubernetes/upgrade/) for more
information.
{{< warning >}} {{< warning >}}
Be sure to check out the [upgrade notice](/docs/setup/upgrade-notice) for a concise list of things you should know before Be sure to check out the [upgrade notice](/docs/setup/upgrade-notice) for a
upgrading your deployment to Istio 1.1. concise list of things you should know before upgrading your deployment to
Istio 1.1.
{{< /warning >}} {{< /warning >}}
## Installation ## Installation
- **CRD Install Separated from Istio Install**. Istios CRDs have been placed into their own Helm chart `istio-init`. - **CRD Install Separated from Istio Install**. Placed Istios Custom Resource
By placing CRDs in their own Helm chart, data continuity of custom resource content is preserved during the upgrade Definitions (CRDs) into the `istio-init` Helm chart. Placing the CRDs in
process and further enables Istio to evolve beyond a Helm-based installation. their own Helm chart preserves the data continuity of the custom resource
content during the upgrade process and further enables Istio to evolve beyond
a Helm-based installation.
- **Installation Configuration Profiles**. Several installation configuration profiles have been added to - **Installation Configuration Profiles**. Added several installation
simplify the installation process using well-known and well-tested patterns. Learn more about the better configuration profiles to simplify the installation process using well-known
user experience afforded by the [installation profile feature](/docs/setup/kubernetes/additional-setup/config-profiles/). and well-tested patterns. Learn more about the better user experience
afforded by the [installation profile feature](/docs/setup/kubernetes/additional-setup/config-profiles/).
- **Improved Multicluster Integration**. The 1.0 `istio-remote` chart previously used for - **Improved Multicluster Integration**. Consolidated the 1.0 `istio-remote`
chart previously used for
[multicluster VPN](/docs/setup/kubernetes/install/multicluster/vpn/) and [multicluster VPN](/docs/setup/kubernetes/install/multicluster/vpn/) and
[multicluster split horizon](/docs/examples/multicluster/split-horizon-eds/) remote cluster installation [multicluster split horizon](/docs/examples/multicluster/split-horizon-eds/) remote cluster installation
has been consolidated into the Istio Helm chart simplifying the operational experience. into the Istio Helm chart simplifying the operational experience.
## Traffic management ## Traffic management
- **New `Sidecar` Resource**. Added support to limit the set of services visible to sidecar proxies in a given namespace using the `Sidecar` resource. - **New `Sidecar` Resource**. Added support to limit the set of services
This limit reduces the amount of configuration computed and transmitted to the proxy. On large clusters, we recommend adding visible to sidecar proxies in a given namespace using the `Sidecar` resource.
a sidecar resource per namespace. This limit reduces the amount of configuration computed and transmitted to
the proxy. On large clusters, we recommend adding a sidecar resource per
namespace.
- **Restrict Visibility of Networking Resources**. Added the new `exportTo` field to all networking resources - **Restrict Visibility of Networking Resources**. Added the new `exportTo`
which lets you control the visibility of individual resources to specific namespaces. field to all networking resources which lets you control the visibility of
individual resources to specific namespaces.
- **Updates to `ServiceEntry` Resources**. Added support to specify the locality of a service - **Updates to `ServiceEntry` Resources**. Added support to specify the
and the associated SAN to use with mutual TLS. Service entries with HTTPS ports no locality of a service and the associated SAN to use with mutual TLS. Service
longer need an additional virtual service to enable SNI-based routing. entries with HTTPS ports no longer need an additional virtual service to
enable SNI-based routing.
- **Locality-Aware Routing**. Added full support for routing to services in the same locality before picking services in other localities. - **Locality-Aware Routing**. Added full support for routing to services in the
same locality before picking services in other localities.
- **Refined Multicluster Routing**. Simplified the multicluster setup and enabled additional deployment modes. You can now - **Refined Multicluster Routing**. Simplified the multicluster setup and
connect multiple clusters simply using their ingress gateways without needing pod-level VPNs, deploy control planes in each enabled additional deployment modes. You can now connect multiple clusters
cluster for high-availability cases, and span a namespace across several clusters simply using their ingress gateways without needing pod-level VPNs, deploy
to create global namespaces. Locality-aware routing is enabled by default in the high-availability control plane solution. control planes in each cluster for high-availability cases, and span a
namespace across several clusters to create global namespaces. Locality-aware
routing is enabled by default in the high-availability control plane
solution.
- **Istio Ingress Deprecated**. Removed the previously deprecated Istio ingress. Refer to the - **Istio Ingress Deprecated**. Removed the previously deprecated Istio
[Securing Kubernetes Ingress with Cert-Manager](/docs/examples/advanced-gateways/ingress-certmgr/) example for more details ingress. Refer to the [Securing Kubernetes Ingress with Cert-Manager](/docs/examples/advanced-gateways/ingress-certmgr/)
on how to use Kubernetes Ingress resources with [gateways](/docs/concepts/traffic-management/#gateways). example for more details on how to use Kubernetes Ingress resources with
[gateways](/docs/concepts/traffic-management/#gateways).
- **Performance and Scalability Improvements**. The performance and scalability of Istio and Envoy have been highly tuned. - **Performance and Scalability Improvements**. Tuned the performance and
Read more about [Performance & Scalability](/docs/concepts/performance-and-scalability/) enhancements. scalability of Istio and Envoy. Read more about [Performance and Scalability](/docs/concepts/performance-and-scalability/)
enhancements.
- **Access Logging Off by Default**. The access logs for all Envoy sidecars have been disabled by default to improve - **Access Logging Off by Default**. Disabled the access logs for all Envoy
performance. sidecars by default to improve performance.
## Security ## Security
- **Readiness and Liveness Probes**. Added support for Kubernetes' HTTP [readiness and liveness probes when mutual TLS is enabled](/help/faq/security/#k8s-health-checks). - **Readiness and Liveness Probes**. Added support for Kubernetes' HTTP
[readiness and liveness probes](/help/faq/security/#k8s-health-checks) when
mutual TLS is enabled.
- **Cluster RBAC Configuration**. Replaced the `RbacConfig` resource with the `ClusterRbacConfig` resource to implement the correct cluster scope. - **Cluster RBAC Configuration**. Replaced the `RbacConfig` resource with the
See [Migrating `RbacConfig` to `ClusterRbacConfig`](/docs/setup/kubernetes/upgrade/#migrating-from-rbacconfig-to-clusterrbacconfig). `ClusterRbacConfig` resource to implement the correct cluster scope. See
for migration instructions. [Migrating `RbacConfig` to `ClusterRbacConfig`](/docs/setup/kubernetes/upgrade/#migrating-from-rbacconfig-to-clusterrbacconfig).
for migration instructions.
- **Identity Provisioning Through SDS**. Provides stronger security with on-node key generation and dynamic certificate rotation without restarting Envoy. - **Identity Provisioning Through SDS**. Added SDS support to provide stronger
See [Provisioning Identity through SDS](/docs/tasks/security/auth-sds) for more information. security with on-node key generation and dynamic certificate rotation without
restarting Envoy. See [Provisioning Identity through SDS](/docs/tasks/security/auth-sds)
for more information.
- **Authorization for TCP Services**. Supports authorization for TCP services in addition to HTTP and gRPC services. - **Authorization for TCP Services**. Added support of authorization for TCP
See [Authorization for TCP Services](/docs/tasks/security/authz-tcp) for more information. services in addition to HTTP and gRPC services. See [Authorization for TCP Services](/docs/tasks/security/authz-tcp)
for more information.
- **Authorization for End-User Groups**. Allows authorization based on `groups` claim or any list-typed claims in JWT. - **Authorization for End-User Groups**. Added authorization based on `groups`
See [Authorization for groups and list claims](/docs/tasks/security/rbac-groups/) for more information. claim or any list-typed claims in JWT. See [Authorization for groups and list claims](/docs/tasks/security/rbac-groups/)
for more information.
- **External Certificate Management on Ingress Gateway Controller**. Dynamically loads and rotates external certificates. - **External Certificate Management on Ingress Gateway Controller**.
Added a controller to dynamically load and rotate external certificates.
- **Vault PKI Integration**. Provides stronger security with Vault-protected signing keys and facilitates integration with existing Vault PKIs. - **Vault PKI Integration**. Added Vault PKI integration to provides stronger
See [Istio Vault CA Integration](/docs/tasks/security/vault-ca) for more information. security with Vault-protected signing keys and facilitates integration with
existing Vault PKIs. See [Istio Vault CA Integration](/docs/tasks/security/vault-ca)
for more information.
- **Customized (non `cluster.local`) Trust Domains**. Supports organization- or cluster-specific trust domains in the identities. - **Customized (non `cluster.local`) Trust Domains**. Added support for
organization- or cluster-specific trust domains in the identities.
## Policies and telemetry ## Policies and telemetry
- **Policy Checks Off By Default**. Changed policy checks to be turned off by default which improves performance for most customer scenarios. - **Policy Checks Off By Default**. Changed policy checks to be turned off by
[Enabling Policy Enforcement](/docs/tasks/policy-enforcement/enabling-policy/) details how to turn on Istio policy checks, if needed. default to improve performance for most customer scenarios. [Enabling Policy Enforcement](/docs/tasks/policy-enforcement/enabling-policy/)
details how to turn on Istio policy checks, if needed.
- **Kiali**. Replaced the [Service Graph addon](https://github.com/istio/istio/issues/9066) with [Kiali](https://www.kiali.io) to provide - **Kiali**. Replaced the [Service Graph addon](https://github.com/istio/istio/issues/9066)
a richer visualization experience. See the [Kiali task](/docs/tasks/telemetry/kiali/) for more details. with [Kiali](https://www.kiali.io) to provide a richer visualization
experience. See the [Kiali task](/docs/tasks/telemetry/kiali/) for more
details.
- **Reduced Overhead**. Added several performance and scale improvements including: - **Reduced Overhead**. Added several performance and scale improvements
including:
- Significant reduction in default collection of Envoy-generated statistics. - Significant reduction in default collection of Envoy-generated
statistics.
- Added load-shedding functionality to Mixer workloads. - Added load-shedding functionality to Mixer workloads.
- Improved the protocol between Envoy and Mixer. - Improved the protocol between Envoy and Mixer.
- **Control Headers and Routing**. Added the option to create adapters to influence - **Control Headers and Routing**. Added the option to create adapters to
an incoming request's headers and routing. See [Control Headers and Routing](/docs/tasks/policy-enforcement/control-headers) task influence the headers and routing of an incoming request. See the [Control Headers and Routing](/docs/tasks/policy-enforcement/control-headers)
for more information. task for more information.
- **Out of Process Adapters**. The out-of-process adapter functionality is now ready for production use. As a result, the in-process - **Out of Process Adapters**. Added the out-of-process adapter functionality
adapter model is being deprecated in this release. All new adapter development should use the out-of-process model moving forward. for production use. As a result, we deprecated the in-process adapter model
in this release. All new adapter development should use the out-of-process
model moving forward.
- **Tracing Improvements**. There have been many improvements in our overall tracing story: - **Tracing Improvements**. Performed many improvements in our overall tracing
story:
- Trace ids are now 128 bit wide. - Trace ids are now 128 bit wide.
@ -127,34 +165,47 @@ adapter model is being deprecated in this release. All new adapter development s
- **Default TCP Metrics**. Added default metrics for tracking TCP connections. - **Default TCP Metrics**. Added default metrics for tracking TCP connections.
- **Reduced Load Balancer Requirements for Addons**. Addons are no longer exposed via separate load balancers. - **Reduced Load Balancer Requirements for Addons**. Stopped exposing addons
Instead addons are exposed via the Istio gateway. To expose addons externally using either HTTP or HTTPS protocols, via separate load balancers. Instead, addons are exposed via the Istio
gateway. To expose addons externally using either HTTP or HTTPS protocols,
please use the [Addon Gateway documentation](/docs/tasks/telemetry/gateways/). please use the [Addon Gateway documentation](/docs/tasks/telemetry/gateways/).
- **Secure Addon Credentials**. Grafana, Kiali, and Jaeger passwords and username are now stored in - **Secure Addon Credentials**. Changed storage of the addon credentials.
[Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) for improved security and compliance. Grafana, Kiali, and Jaeger passwords and username are now stored in
[Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/)
for improved security and compliance.
- **More Flexibility with `statsd` Collector**. The built-in `statsd` collector has been removed. - **More Flexibility with `statsd` Collector**. Removed the built-in `statsd`
Istio now supports bring your own `statsd` for improved flexibility with existing Kubernetes deployments. collector. Istio now supports bring your own `statsd` for
improved flexibility with existing Kubernetes deployments.
## Configuration management ## Configuration management
- **Galley**. Added [Galley](/docs/concepts/what-is-istio/#galley) as the primary configuration ingestion and distribution mechanism within Istio. It provides - **Galley**. Added [Galley](/docs/concepts/what-is-istio/#galley) as the
a robust model to validate, transform, and distribute configuration state to Istio components insulating the Istio components primary configuration ingestion and distribution mechanism within Istio. It
from Kubernetes details. Galley uses the [Mesh Configuration Protocol (MCP)](https://github.com/istio/api/tree/{{< source_branch_name >}}/mcp) to interact with components. provides a robust model to validate, transform, and distribute configuration
states to Istio components insulating the Istio components from Kubernetes
details. Galley uses the [Mesh Configuration Protocol (MCP)](https://github.com/istio/api/tree/{{< source_branch_name >}}/mcp)
to interact with components.
- **Monitoring Port**. Changed Galley's default monitoring port from 9093 to 15014. - **Monitoring Port**. Changed Galley's default monitoring port from 9093 to
15014.
## `istioctl` and `kubectl` ## `istioctl` and `kubectl`
- **Validate Command**. Added the [`istioctl validate`](/docs/reference/commands/istioctl/#istioctl-validate) - **Validate Command**. Added the [`istioctl validate`](/docs/reference/commands/istioctl/#istioctl-validate)
command for offline validation of Istio Kubernetes resources. command for offline validation of Istio Kubernetes resources.
- **Verify-Install Command**. Added the [`istioctl experimental verify-install`](/docs/reference/commands/istioctl/#istioctl-experimental-verify-install) command to verify the status of an - **Verify-Install Command**. Added the [`istioctl experimental verify-install`](/docs/reference/commands/istioctl/#istioctl-experimental-verify-install)
Istio installation given a specified installation YAML file. command to verify the status of an Istio installation given a specified
installation YAML file.
- **Deprecated Commands**. Deprecated the `istioctl create`, `istioctl replace`, `istioctl get`, and `istioctl delete` commands. Use the [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl) equivalents instead. - **Deprecated Commands**. Deprecated the `istioctl create`, `istioctl
Deprecated the `istioctl gen-deploy` command too. Use a [`helm template`](/docs/setup/kubernetes/install/helm/#option-1-install-with-helm-via-helm-template) instead. replace`, `istioctl get`, and `istioctl delete` commands. Use the
These commands will be removed in the 1.2 release. [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl)
equivalents instead. Deprecated the `istioctl gen-deploy` command too. Use a
[`helm template`](/docs/setup/kubernetes/install/helm/#option-1-install-with-helm-via-helm-template)
instead. Release 1.2 will remove these commands.
- **Short Commands**. Included short commands in `kubectl` for gateways, virtual services, destination rules and service entries. - **Short Commands**. Included short commands in `kubectl` for gateways,
virtual services, destination rules and service entries.