istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.5/feed.xml

15896 lines
1.1 MiB
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Istio Blog and News</title><description>Connect, secure, control, and observe services.</description><link>/v1.5</link><image><url>/v1.5/favicons/android-192x192.png</url><link>/v1.5</link></image><category>Service mesh</category><item><title>Announcing Istio 1.5.4</title><description>
&lt;p>This release fixes the security vulnerability described in &lt;a href="/v1.5/news/security/istio-security-2020-005">our May 12th, 2020 news post&lt;/a>.&lt;/p>
&lt;p>This release note describes what&amp;rsquo;s different between Istio 1.5.4 and Istio 1.5.3.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.5.x/announcing-1.5/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/1.5.4">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://istio.io/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.5.3...1.5.4">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2020-005&lt;/strong> Denial of Service with Telemetry V2 enabled.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739">CVE-2020-10739&lt;/a>&lt;/strong>: By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar.&lt;/p></description><pubDate>Wed, 13 May 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.5.x/announcing-1.5.4/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.5.x/announcing-1.5.4/</guid></item><item><title>ISTIO-SECURITY-2020-005</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739">CVE-2020-10739&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>7.5 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.4 to 1.4.8&lt;br>
1.5 to 1.5.3&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Istio 1.4 with telemetry v2 enabled and Istio 1.5 contain the following vulnerability when telemetry v2 is enabled:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739">CVE-2020-10739&lt;/a>&lt;/strong>:
By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar.
&lt;ul>
&lt;li>CVSS Score: 7.5 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N&amp;amp;version=3.1">AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&lt;/a>&lt;/li>
&lt;/ul>&lt;/li>
&lt;/ul>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>For Istio 1.4.x deployments: update to &lt;a href="/v1.5/news/releases/1.4.x/announcing-1.4.9">Istio 1.4.9&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.5.x deployments: update to &lt;a href="/v1.5/news/releases/1.5.x/announcing-1.5.4">Istio 1.5.4&lt;/a> or later.&lt;/li>
&lt;li>Workaround: Alternatively, you can disable telemetry v2 by running the following:&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl manifest apply --set values.telemetry.v2.enabled=false
&lt;/code>&lt;/pre>
&lt;h2 id="credit">Credit&lt;/h2>
&lt;p>We&amp;rsquo;d like to thank &lt;code>Joren Zandstra&lt;/code> for the original bug report.&lt;/p>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Tue, 12 May 2020 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2020-005/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2020-005/</guid><category>CVE</category></item><item><title>Announcing Istio 1.5.3</title><description>
&lt;div>
&lt;aside class="callout warning">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-warning"/>&lt;/svg>
&lt;/div>
&lt;div class="content">DO NOT USE this release. USE release 1.5.4 instead.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>Due to a publishing error, the 1.5.3 images do not contain the fix for CVE-2020-10739 as claimed in the original announcement.&lt;/p>
&lt;p>This release contains bug fixes to improve robustness.
This release note describes what&amp;rsquo;s different between Istio 1.5.3 and Istio 1.5.2.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.5.x/announcing-1.5/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.5.3"
data-downloadbuttontext="DOWNLOAD 1.5.3"
data-updateadvice='Before you download 1.5.3, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.5.4'
data-updatehref="/v1.5/news/releases/1.5.x/announcing-1.5.4/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://istio.io/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.5.2...1.5.3">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="changes">Changes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> the Helm installer to install Kiali using a dynamically generated signing key.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> overlaying the generated Kubernetes resources for addon components with user-defined overlays
&lt;a href="https://github.com/istio/istio/issues/23048">(Issue 23048)&lt;/a>&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;code>istio-sidecar.deb&lt;/code> failing to start on Debian buster with &lt;code>iptables&lt;/code> default &lt;code>nftables&lt;/code> setting &lt;a href="https://github.com/istio/istio/issues/23279">(Issue 23279)&lt;/a>&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> the corresponding hash policy not being updated after the header name specified in &lt;code>DestinationRule.trafficPolicy.loadBalancer.consistentHash.httpHeaderName&lt;/code> is changed &lt;a href="https://github.com/istio/istio/issues/23434">(Issue 23434)&lt;/a>&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> traffic routing when deployed in a namespace other than istio-system &lt;a href="https://github.com/istio/istio/issues/23401">(Issue 23401)&lt;/a>&lt;/li>
&lt;/ul></description><pubDate>Tue, 12 May 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.5.x/announcing-1.5.3/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.5.x/announcing-1.5.3/</guid></item><item><title>Announcing Istio 1.4.9</title><description>
&lt;p>This release contains bug fixes to improve robustness and fixes for the security vulnerabilities described in &lt;a href="/v1.5/news/security/istio-security-2020-005">our May 12th, 2020 news post&lt;/a>. This release note describes what&amp;rsquo;s different between Istio 1.4.9 and Istio 1.4.8.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/1.4.9">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.4/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.4.8...1.4.9">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2020-005&lt;/strong> Denial of Service with Telemetry V2 enabled.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739">CVE-2020-10739&lt;/a>&lt;/strong>: By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar.&lt;/p>
&lt;h2 id="bug-fixes">Bug Fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> the Helm installer to install Kiali using an dynamically generated signing key.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Citadel to ignore namespaces that are not part of the mesh.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> the Istio operator installer to print the name of any resources that are not ready when an installation timeout occurs.&lt;/li>
&lt;/ul></description><pubDate>Tue, 12 May 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4.9/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4.9/</guid></item><item><title>Support for Istio 1.4 ends on June 5th, 2020</title><description>&lt;p>According to Istio&amp;rsquo;s &lt;a href="/v1.5/about/release-cadence/">support policy&lt;/a>, LTS releases like 1.4 are supported for three months after the next LTS release. Since &lt;a href="/v1.5/news/releases/1.5.x/announcing-1.5/">1.5 was released on March 5th&lt;/a>, support for 1.4 will end on June 5th, 2020.&lt;/p>
&lt;p>At that point we will stop back-porting fixes for security issues and critical bugs to 1.4, so we encourage you to upgrade to the latest version of Istio (1.5.4). If you don&amp;rsquo;t do this you may put yourself in the position of having to do a major upgrade on a short timeframe to pick up a critical fix.&lt;/p>
&lt;p>We care about you and your clusters, so please be kind to yourself and upgrade.&lt;/p></description><pubDate>Tue, 05 May 2020 00:00:00 +0000</pubDate><link>/v1.5/news/support/announcing-1.4-eol/</link><author/><guid isPermaLink="true">/v1.5/news/support/announcing-1.4-eol/</guid></item><item><title>Announcing Istio 1.5.2</title><description>
&lt;p>This release contains bug fixes to improve robustness. This release note describes whats different between Istio 1.5.1 and Istio 1.5.2.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.5.x/announcing-1.5/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.5.2"
data-downloadbuttontext="DOWNLOAD 1.5.2"
data-updateadvice='Before you download 1.5.2, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.5.4'
data-updatehref="/v1.5/news/releases/1.5.x/announcing-1.5.4/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://istio.io/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.5.1...1.5.2">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="changes">Changes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> Istiod deployment lacking label used by the matching &lt;code>PodDisruptionBudget&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/22267">Issue 22267&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Custom Istio installation with istioctl not working using external charts (&lt;a href="https://github.com/istio/istio/issues/22368">Issue 22368&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Panic in &lt;code>istio-init&lt;/code> with GKE+COS and &lt;code>interceptionMode&lt;/code>: TPROXY (&lt;a href="https://github.com/istio/istio/issues/22500">Issue 22500&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Logging for validation by sending warnings to &lt;code>stdErr&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/22496">Issue 22496&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Kiali not working when external Prometheus link used for the IstioOperator API (&lt;a href="https://github.com/istio/istio/issues/22510">Issue 22510&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Istio agent should calculate grace period based on the cert TTL, not client-side settings (&lt;a href="https://github.com/istio/istio/issues/22226">Issue 22226&lt;/a>]&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Incorrect error message referring to incorrect CLI option for the &lt;code>istioctl kube-inject&lt;/code> command (&lt;a href="https://github.com/istio/istio/issues/22501">Issue 22501&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> IstioOperator validation of slice (&lt;a href="https://github.com/istio/istio/issues/21915">Issue 21915&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Race condition caused by read/write of &lt;code>rootCert&lt;/code> and &lt;code>rootCertExpireTime&lt;/code> not always being protected (&lt;a href="https://github.com/istio/istio/issues/22627">Issue 22627&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> BlackHoleCluster HTTP metrics broken with Telemetry v2 (&lt;a href="https://github.com/istio/istio/issues/21385">Issue 21385&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;code>istio-init&lt;/code> container failing when Istio CNI is enabled (&lt;a href="https://github.com/istio/istio/issues/22695">Issue 22695&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> istioctl does not set gateway name for multiple gateways (&lt;a href="https://github.com/istio/istio/issues/22703">Issue 22703&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Unstable inbound bind address when configuring a sidecar ingress listener without bind address (&lt;a href="https://github.com/istio/istio/issues/22830">Issue 22830&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Proxy pods for Istio 1.4 not showing up when upgrading from Istio 1.4 to 1.5 using default profile (&lt;a href="https://github.com/istio/istio/issues/22841">Issue 22841&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;code>PersistentVolumeClaim&lt;/code> for Grafana not being created in the namespace specified in the IstioOperator spec (&lt;a href="https://github.com/istio/istio/issues/22835">Issue 22835&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;code>istio-sidecar-injector&lt;/code> and istiod related pods crashing when applying new manifest through istioctl because &lt;code>alwaysInjectSelector&lt;/code> and &lt;code>neverInjectSelector&lt;/code> are not correctly indented in the &lt;code>istio-sidecar-injector&lt;/code> config map (&lt;a href="https://github.com/istio/istio/issues/23027">Issue 23027&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Prometheus scraping failing in CNI injected pods because the default &lt;code>excludeInboundPort&lt;/code> configuration does not include port 15090 (&lt;a href="https://github.com/istio/istio/issues/23038">Issue 23038&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;code>Lightstep&lt;/code> secret volume issue causing the bundled Prometheus to not install correctly with Istio operator (&lt;a href="https://github.com/istio/istio/issues/23078">Issue 23078&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Avoid using host header to extract destination service name at gateway in default Telemetry V2 configuration.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Zipkin: Fix wrongly rendered timestamp value (&lt;a href="https://github.com/istio/istio/issues/22968">Issue 22968&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Add annotations for setting CPU/memory limits on sidecar (&lt;a href="https://github.com/istio/istio/issues/16126">Issue 16126&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Enable &lt;code>rewriteAppHTTPProbe&lt;/code> annotation for liveness probe rewrite by default(&lt;a href="https://github.com/istio/istio/issues/10357">Issue 10357&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Fri, 24 Apr 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.5.x/announcing-1.5.2/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.5.x/announcing-1.5.2/</guid></item><item><title>Announcing Istio 1.4.8</title><description>
&lt;p>This release includes bug fixes to improve robustness. This release note describes whats different
between Istio 1.4.7 and Istio 1.4.8.&lt;/p>
&lt;p>The fixes below focus on various issues related to installing Istio on OpenShift with CNI. Instructions
for installing Istio on OpenShift with CNI can be found &lt;a href="/v1.5/docs/setup/additional-setup/cni/#instructions-for-istio-1-4-x-and-openshift">here&lt;/a>.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.4.8"
data-downloadbuttontext="DOWNLOAD 1.4.8"
data-updateadvice='Before you download 1.4.8, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.4.9'
data-updatehref="/v1.5/news/releases/1.4.x/announcing-1.4.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.4/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.4.7...1.4.8">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> Fixed CNI installation on OpenShift (&lt;a href="https://github.com/istio/istio/pull/21421">Issue 21421&lt;/a>) (&lt;a href="https://github.com/istio/istio/issues/22449">Issue 22449&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Not all inbound ports are redirected when CNI is enabled (&lt;a href="https://github.com/istio/istio/issues/22498">Issue 22448&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Syntax errors in gateway templates with GoLang 1.14 (&lt;a href="https://github.com/istio/istio/issues/22366">Issue 22366&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Remove namespace from &lt;code>clusterrole&lt;/code> and &lt;code>clusterrolebinding&lt;/code> (&lt;a href="https://github.com/istio/cni/pull/297">PR 297&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Thu, 23 Apr 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4.8/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4.8/</guid></item><item><title>ISTIO-SECURITY-2020-004</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1764">CVE-2020-1764&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>8.7 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aA%2fAC%3aL%2fPR%3aL%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aH%2fA%3aN">AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.4 to 1.4.6&lt;br>
1.5&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Istio 1.4 to 1.4.6 and Istio 1.5 contain the following vulnerability:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1764">&lt;code>CVE-2020-1764&lt;/code>&lt;/a>&lt;/strong>:
Istio uses a default &lt;code>signing_key&lt;/code> for Kiali. This can allow an attacker to view and modify the Istio configuration.
&lt;ul>
&lt;li>CVSS Score: 8.7 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N&amp;amp;version=3.1">AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N&lt;/a>&lt;/li>
&lt;/ul>&lt;/li>
&lt;/ul>
&lt;p>In addition, another CVE is fixed in this release, described by this
&lt;a href="https://kiali.io/news/security-bulletins/kiali-security-001/">Kiali security bulletin&lt;/a>.&lt;/p>
&lt;h2 id="detection">Detection&lt;/h2>
&lt;p>Your installation is vulnerable in the following configuration:&lt;/p>
&lt;ul>
&lt;li>The Kiali version is 1.15 or earlier.&lt;/li>
&lt;li>The Kiali login token and signing key is unset.&lt;/li>
&lt;/ul>
&lt;p>To check your Kiali version, run this command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods -n istio-system -l app=kiali -o yaml | grep image:
&lt;/code>&lt;/pre>
&lt;p>To determine if your login token is unset, run this command and check for blank output:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get deploy kiali -n istio-system -o yaml | grep LOGIN_TOKEN_SIGNING_KEY
&lt;/code>&lt;/pre>
&lt;p>To determine if your signing key is unset, run this command and check for blank output:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get cm kiali -n istio-system -o yaml | grep signing_key
&lt;/code>&lt;/pre>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>For Istio 1.4.x deployments: update to &lt;a href="/v1.5/news/releases/1.4.x/announcing-1.4.7">Istio 1.4.7&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.5.x deployments: update to &lt;a href="/v1.5/news/releases/1.5.x/announcing-1.5.1">Istio 1.5.1&lt;/a> or later.&lt;/li>
&lt;li>&lt;p>Workaround: You can manually update the signing key to a random token using the following command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get cm kiali -n istio-system -o yaml | sed &amp;#34;s/server:/login_token:\\\n \
signing_key: $(tr -dc &amp;#39;a-zA-Z0-9&amp;#39; &amp;lt; /dev/urandom | fold -w 20 | head -n 1)\\\nserver:/&amp;#34; \
| kubectl apply -f - ; kubectl delete pod -l app=kiali -n istio-system
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ul></description><pubDate>Wed, 25 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2020-004/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2020-004/</guid><category>CVE</category></item><item><title>Announcing Istio 1.5.1</title><description>
&lt;p>This release contains bug fixes to improve robustness and fixes for the security vulnerabilities described in &lt;a href="/v1.5/news/security/istio-security-2020-004">our March 25th, 2020 news post&lt;/a>. This release note describes whats different between Istio 1.5.0 and Istio 1.5.1.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.5.x/announcing-1.5/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.5.1"
data-downloadbuttontext="DOWNLOAD 1.5.1"
data-updateadvice='Before you download 1.5.1, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.5.4'
data-updatehref="/v1.5/news/releases/1.5.x/announcing-1.5.4/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://istio.io/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.5.0...1.5.1">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2020-004&lt;/strong> Istio uses a hard coded &lt;code>signing_key&lt;/code> for Kiali.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1764">CVE-2020-1764&lt;/a>&lt;/strong>: Istio uses a default &lt;code>signing key&lt;/code> to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.
In addition, another CVE is fixed in this release, described in the Kiali 1.15.1 &lt;a href="https://kiali.io/news/security-bulletins/kiali-security-001/">release&lt;/a>.&lt;/p>
&lt;h2 id="changes">Changes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where Istio Operator instance deletion hangs for in-cluster operator (&lt;a href="https://github.com/istio/istio/issues/22280">Issue 22280&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> istioctl proxy-status should not list differences if just the order of the routes have changed (&lt;a href="https://github.com/istio/istio/issues/21709">Issue 21709&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Incomplete support for array notation in &amp;ldquo;istioctl manifest apply —set&amp;rdquo; (&lt;a href="https://github.com/istio/istio/issues/20950">Issue 20950&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Add possibility to add annotations to services in Kubernetes service spec (&lt;a href="https://github.com/istio/istio/issues/21995">Issue 21995&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Enable setting ILB Gateway using istioctl (&lt;a href="https://github.com/istio/istio/issues/20033">Issue 20033&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> istioctl does not correctly set names on gateways (&lt;a href="https://github.com/istio/istio/issues/21938">Issue 21938&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> OpenID discovery does not work with beta request authentication policy (&lt;a href="https://github.com/istio/istio/issues/21954">Issue 21954&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Issues related to shared control plane multicluster (&lt;a href="https://github.com/istio/istio/pull/22173">Issue 22173&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Ingress port displaying target port instead of actual port (&lt;a href="https://github.com/istio/istio/issues/22125">Issue 22125&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Issue where endpoints were being pruned automatically when installing the Istio Controller (&lt;a href="https://github.com/istio/istio/issues/21495">Issue 21495&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Add istiod port to gateways for mesh expansion(&lt;a href="https://github.com/istio/istio/issues/22027">Issue 22027&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Multicluster secret controller silently ignoring updates to secrets (&lt;a href="https://github.com/istio/istio/issues/18708">Issue 18708&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Autoscaler for mixer-telemetry always being generated when deploying with istioctl or Helm (&lt;a href="https://github.com/istio/istio/issues/20935">Issue 20935&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Prometheus certificate provisioning is broken (&lt;a href="https://github.com/istio/istio/issues/21843">Issue 21843&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Segmentation fault in Pilot with beta mutual TLS (&lt;a href="https://github.com/istio/istio/issues/21816">Issue 21816&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Operator status enumeration not being rendered as a string (&lt;a href="https://github.com/istio/istio/issues/21554">Issue 21554&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> in-cluster operator fails to install control plane after having deleted a prior control plane (&lt;a href="https://github.com/istio/istio/issues/21467">Issue 21467&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> TCP metrics for BlackHole clusters does not work with Telemetry v2 (&lt;a href="https://github.com/istio/istio/issues/21566">Issue 21566&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Add option to enable V8 runtime for telemetry V2 (&lt;a href="https://github.com/istio/istio/pull/21846">Issue 21846&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> compatibility of Helm gateway chart (&lt;a href="https://github.com/istio/istio/pull/22295">Issue 22295&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> operator by adding a Helm installation chart (&lt;a href="https://github.com/istio/istio/issues/21861">Issue 21861&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Support custom CA on istio-agent (&lt;a href="https://github.com/istio/istio/pull/22113">Issue 22113&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Add a flag that supports passing GCP metadata to STS (&lt;a href="https://github.com/istio/istio/issues/21904">Issue 21904&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Wed, 25 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.5.x/announcing-1.5.1/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.5.x/announcing-1.5.1/</guid></item><item><title>Announcing Istio 1.4.7</title><description>
&lt;p>This release contains fixes for the security vulnerabilities described in &lt;a href="/v1.5/news/security/istio-security-2020-004">our March 25th, 2020 news post&lt;/a>. This release note describes whats different between Istio 1.4.6 and Istio 1.4.7.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.4.7"
data-downloadbuttontext="DOWNLOAD 1.4.7"
data-updateadvice='Before you download 1.4.7, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.4.9'
data-updatehref="/v1.5/news/releases/1.4.x/announcing-1.4.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.4/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.4.6...1.4.7">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security Update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2020-004&lt;/strong> Istio uses a hard coded &lt;code>signing_key&lt;/code> for Kiali.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1764">CVE-2020-1764&lt;/a>&lt;/strong>: Istio uses a default &lt;code>signing key&lt;/code> to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.
In addition, another CVE is fixed in this release, described in the Kiali 1.15.1 &lt;a href="https://kiali.io/news/security-bulletins/kiali-security-001/">release&lt;/a>.&lt;/p>
&lt;h2 id="changes">Changes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue causing protocol detection to break HTTP2 traffic to gateways (&lt;a href="https://github.com/istio/istio/issues/21230">Issue 21230&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Wed, 25 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4.7/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4.7/</guid></item><item><title>ISTIO-SECURITY-2020-003</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8659">CVE-2020-8659&lt;/a>&lt;br>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8660">CVE-2020-8660&lt;/a>&lt;br>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8661">CVE-2020-8661&lt;/a>&lt;br>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8664">CVE-2020-8664&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>7.5 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=">&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.4 to 1.4.5&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Envoy, and subsequently Istio are vulnerable to four newly discovered vulnerabilities:&lt;/p>
&lt;ul>
&lt;li>&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8659">CVE-2020-8659&lt;/a>&lt;/strong>: The Envoy proxy may consume excessive memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks. Envoy allocates a separate buffer fragment for each incoming or outgoing chunk with the size rounded to the nearest 4Kb and does not release empty chunks after committing data. Processing requests or responses with a lot of small chunks may result in extremely high memory overhead if the peer is slow or unable to read proxied data. The memory overhead could be two to three orders of magnitude more than configured buffer limits.&lt;/p>
&lt;ul>
&lt;li>CVSS Score: 7.5 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:X/RC:X">AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F&lt;/a>&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8660">CVE-2020-8660&lt;/a>&lt;/strong>: The Envoy proxy contains a TLS inspector that can be bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) are not inspected, those connections may be matched to a wrong filter chain, possibly bypassing some security restrictions.&lt;/p>
&lt;ul>
&lt;li>CVSS Score: 5.3 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N">AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N&lt;/a>&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8661">CVE-2020-8661&lt;/a>&lt;/strong>: The Envoy proxy may consume excessive amounts of memory when responding to pipelined HTTP/1.1 requests. In the case of illegally formed requests, Envoy sends an internally generated 400 error, which is sent to the &lt;code>Network::Connection&lt;/code> buffer. If the client reads these responses slowly, it is possible to build up a large number of responses, and consume functionally unlimited memory. This bypasses Envoys overload manager, which will itself send an internally generated response when Envoy approaches configured memory thresholds, exacerbating the problem.&lt;/p>
&lt;ul>
&lt;li>CVSS Score: 7.5 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:X/RC:X">AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F&lt;/a>&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8664">CVE-2020-8664&lt;/a>&lt;/strong>: For the SDS TLS validation context in the Envoy proxy, the update callback is called only when the secret is received for the first time or when its value changes. This leads to a race condition where other resources referencing the same secret (e.g,. trusted CA) remain unconfigured until the secret&amp;rsquo;s value changes, creating a potentially sizable window where a complete bypass of security checks from the static (&amp;ldquo;default&amp;rdquo;) section can occur.&lt;/p>
&lt;ul>
&lt;li>CVSS Score: 5.3 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N">AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N&lt;/a>&lt;/li>
&lt;/ul>
&lt;p>This vulnerability only affects the SDS implementation of Istio&amp;rsquo;s certificate rotation mechanism for Istio 1.4.5 and earlier which is only when SDS and mutual TLS are enabled. SDS is off by default and must be explicitly enabled by the operator in all versions of Istio prior to Istio 1.5. Istio&amp;rsquo;s default secret distribution implementation based on Kubernetes secret mounts is not affected by this vulnerability.&lt;/p>
&lt;p>&lt;strong>Detection&lt;/strong>&lt;/p>
&lt;p>To determine if SDS is enabled in your system, run:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pod -l app=pilot -o yaml | grep SDS_ENABLED -A 1
&lt;/code>&lt;/pre>
&lt;p>If the output contains:&lt;/p>
&lt;pre>&lt;code class='language-plain' data-expandlinks='true' data-repo='istio' >- name: SDS_ENABLED
value: &amp;#34;true&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>your system has SDS enabled.&lt;/p>
&lt;p>To determine if mutual TLS is enabled in your system, run:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get destinationrule --all-namespaces -o yaml | grep trafficPolicy -A 2
&lt;/code>&lt;/pre>
&lt;p>If the output contains:&lt;/p>
&lt;pre>&lt;code class='language-plain' data-expandlinks='true' data-repo='istio' >--
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
&lt;/code>&lt;/pre>
&lt;p>your system has mutual TLS enabled.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>For Istio 1.4.x deployments: update to &lt;a href="/v1.5/news/releases/1.4.x/announcing-1.4.6">Istio 1.4.6&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.5.x deployments: Istio 1.5.0 will contain the equivalent security fixes.&lt;/li>
&lt;/ul>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Tue, 03 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2020-003/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2020-003/</guid><category>CVE</category></item><item><title>Announcing Istio 1.4.6</title><description>
&lt;p>This release contains fixes for the security vulnerabilities described in &lt;a href="/v1.5/news/security/istio-security-2020-003">our March 3rd, 2020 news post&lt;/a>. This release note describes whats different between Istio 1.4.5 and Istio 1.4.6.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.4.6"
data-downloadbuttontext="DOWNLOAD 1.4.6"
data-updateadvice='Before you download 1.4.6, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.4.9'
data-updatehref="/v1.5/news/releases/1.4.x/announcing-1.4.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.4/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.4.5...1.4.6">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2020-003&lt;/strong> Two Uncontrolled Resource Consumption and Two Incorrect Access Control Vulnerabilities in Envoy.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8659">CVE-2020-8659&lt;/a>&lt;/strong>: The Envoy proxy may consume excessive memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks. Envoy allocates a separate buffer fragment for each incoming or outgoing chunk with the size rounded to the nearest 4Kb and does not release empty chunks after committing data. Processing requests or responses with a lot of small chunks may result in extremely high memory overhead if the peer is slow or unable to read proxied data. The memory overhead could be two to three orders of magnitude more than configured buffer limits.&lt;/p>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8660">CVE-2020-8660&lt;/a>&lt;/strong>: The Envoy proxy contains a TLS inspector that can be bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) are not inspected, those connections may be matched to a wrong filter chain, possibly bypassing some security restrictions.&lt;/p>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8661">CVE-2020-8661&lt;/a>&lt;/strong>: The Envoy proxy may consume excessive amounts of memory when responding to pipelined HTTP/1.1 requests. In the case of illegally formed requests, Envoy sends an internally generated 400 error, which is sent to the &lt;code>Network::Connection&lt;/code> buffer. If the client reads these responses slowly, it is possible to build up a large number of responses, and consume functionally unlimited memory. This bypasses Envoys overload manager, which will itself send an internally generated response when Envoy approaches configured memory thresholds, exacerbating the problem.&lt;/p>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8664">CVE-2020-8664&lt;/a>&lt;/strong>: For the SDS TLS validation context in the Envoy proxy, the update callback is called only when the secret is received for the first time or when its value changes. This leads to a race condition where other resources referencing the same secret (e.g,. trusted CA) remain unconfigured until the secret&amp;rsquo;s value changes, creating a potentially sizable window where a complete bypass of security checks from the static (&amp;ldquo;default&amp;rdquo;) section can occur.&lt;/p>
&lt;ul>
&lt;li>This vulnerability only affects the SDS implementation of Istio&amp;rsquo;s certificate rotation mechanism for Istio 1.4.5 and earlier which is only when SDS and mutual TLS are enabled. SDS is off by default and must be explicitly enabled by the operator in all versions of Istio prior to Istio 1.5. Istio&amp;rsquo;s default secret distribution implementation based on Kubernetes secret mounts is not affected by this vulnerability.&lt;/li>
&lt;/ul></description><pubDate>Tue, 03 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4.6/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4.6/</guid></item><item><title>Announcing Istio 1.4.5</title><description>
&lt;p>This release includes bug fixes to improve robustness. This release note describes whats different between Istio 1.4.4 and Istio 1.4.5.&lt;/p>
&lt;p>The fixes below focus on various bugs occurring during node restarts. If you use Istio CNI, or have nodes that restart, you are highly encouraged to upgrade.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.4.5"
data-downloadbuttontext="DOWNLOAD 1.4.5"
data-updateadvice='Before you download 1.4.5, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.4.9'
data-updatehref="/v1.5/news/releases/1.4.x/announcing-1.4.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.4/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.4.4...1.4.5">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="improvements">Improvements&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> a bug triggered by node restart causing Pods to receive incorrect configuration (&lt;a href="https://github.com/istio/istio/issues/20676">Issue 20676&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> &lt;a href="/v1.5/docs/setup/additional-setup/cni/">Istio CNI&lt;/a> robustness. Previously, when a node restarted, new pods may be created before the CNI was setup, causing pods to be created without &lt;code>iptables&lt;/code> rules configured (&lt;a href="https://github.com/istio/istio/issues/14327">Issue 14327&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> MCP metrics to include the size of the MCP responses, rather than just requests (&lt;a href="https://github.com/istio/istio/issues/21049">Issue 21049&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Tue, 18 Feb 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4.5/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4.5/</guid></item><item><title>Support for Istio 1.3 has ended</title><description>&lt;p>As &lt;a href="/v1.5/news/support/announcing-1.3-eol/">previously announced&lt;/a>, support for Istio 1.3 has now officially ended.&lt;/p>
&lt;p>At this point we will no longer back-port fixes for security issues and critical bugs to 1.3, so we heartily encourage you to upgrade to the latest version of Istio (1.5.4) if you haven&amp;rsquo;t already.&lt;/p></description><pubDate>Fri, 14 Feb 2020 00:00:00 +0000</pubDate><link>/v1.5/news/support/announcing-1.3-eol-final/</link><author/><guid isPermaLink="true">/v1.5/news/support/announcing-1.3-eol-final/</guid></item><item><title>ISTIO-SECURITY-2020-002</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8843">CVE-2020-8843&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>7.4 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aH%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aH%2fI%3aH%2fA%3aN">AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.3 to 1.3.6&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Istio 1.3 to 1.3.6 contain a vulnerability affecting Mixer policy checks.&lt;/p>
&lt;p>Note: We regret that the vulnerability was silently fixed in Istio 1.4.0 and Istio 1.3.7.
An &lt;a href="https://github.com/istio/istio/issues/12063">issue was raised&lt;/a> and &lt;a href="https://github.com/istio/istio/pull/17692">fixed&lt;/a> in Istio 1.4.0 as a non-security issue. We reclassified the issue as a vulnerability in Dec 2019.&lt;/p>
&lt;ul>
&lt;li>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8843">CVE-2020-8843&lt;/a>&lt;/strong>: Under certain circumstances it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts &lt;code>x-istio-attributes&lt;/code> header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to source equal to ingress.
To be vulnerable, Istio must have Mixer Policy enabled and used in the specified way. This feature is disabled by default in Istio 1.3 and 1.4.&lt;/li>
&lt;/ul>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>For Istio 1.3.x deployments: update to &lt;a href="/v1.5/news/releases/1.3.x/announcing-1.3.7">Istio 1.3.7&lt;/a> or later.&lt;/li>
&lt;/ul>
&lt;h2 id="credit">Credit&lt;/h2>
&lt;p>The Istio team would like to thank Krishnan Anantheswaran and Eric Zhang of &lt;a href="https://www.splunk.com/">Splunk&lt;/a> for the private bug report.&lt;/p>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Tue, 11 Feb 2020 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2020-002/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2020-002/</guid><category>CVE</category></item><item><title>ISTIO-SECURITY-2020-001</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595">CVE-2020-8595&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>9.0 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aH%2fPR%3aN%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aH%2fA%3aH">AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.3 to 1.3.7&lt;br>
1.4 to 1.4.3&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Istio 1.3 to 1.3.7 and 1.4 to 1.4.3 are vulnerable to a newly discovered vulnerability affecting &lt;a href="/v1.5/docs/reference/config/security/istio.authentication.v1alpha1/#Policy">Authentication Policy&lt;/a>:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595">CVE-2020-8595&lt;/a>&lt;/strong>: A bug in Istio&amp;rsquo;s Authentication Policy exact path matching logic allows unauthorized access to resources without a valid JWT token. This bug affects all versions of Istio that support JWT Authentication Policy with path based trigger rules. The logic for the exact path match in the Istio JWT filter includes query strings or fragments instead of stripping them off before matching. This means attackers can bypass the JWT validation by appending &lt;code>?&lt;/code> or &lt;code>#&lt;/code> characters after the protected paths.&lt;/li>
&lt;/ul>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>For Istio 1.3.x deployments: update to &lt;a href="/v1.5/news/releases/1.3.x/announcing-1.3.8">Istio 1.3.8&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.4.x deployments: update to &lt;a href="/v1.5/news/releases/1.4.x/announcing-1.4.4">Istio 1.4.4&lt;/a> or later.&lt;/li>
&lt;/ul>
&lt;h2 id="credit">Credit&lt;/h2>
&lt;p>The Istio team would like to thank &lt;a href="https://aspenmesh.com/2H8qf3r">Aspen Mesh&lt;/a> for the original bug report and code fix of &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595">CVE-2020-8595&lt;/a>.&lt;/p>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Tue, 11 Feb 2020 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2020-001/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2020-001/</guid><category>CVE</category></item><item><title>Announcing Istio 1.4.4</title><description>
&lt;p>This release includes bug fixes to improve robustness and user experience as well as a fix for the security vulnerability described in &lt;a href="/v1.5/news/security/istio-security-2020-001">our February 11th, 2020 news post&lt;/a>. This release note describes whats different between Istio 1.4.3 and Istio 1.4.4.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.4.4"
data-downloadbuttontext="DOWNLOAD 1.4.4"
data-updateadvice='Before you download 1.4.4, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.4.9'
data-updatehref="/v1.5/news/releases/1.4.x/announcing-1.4.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.4/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.4.3...1.4.4">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2020-001&lt;/strong> An improper input validation has been discovered in &lt;code>AuthenticationPolicy&lt;/code>.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595">CVE-2020-8595&lt;/a>&lt;/strong>: A bug in Istio&amp;rsquo;s &lt;a href="/v1.5/docs/reference/config/security/istio.authentication.v1alpha1/#Policy">Authentication Policy&lt;/a> exact path matching logic allows unauthorized access to resources without a valid JWT token.&lt;/p>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> Debian packaging of &lt;code>iptables&lt;/code> scripts (&lt;a href="https://github.com/istio/istio/issues/19615">Issue 19615&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where Pilot generated a wrong Envoy configuration when the same port was used more than once (&lt;a href="https://github.com/istio/istio/issues/19935">Issue 19935&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where running multiple instances of Pilot could lead to a crash (&lt;a href="https://github.com/istio/istio/issues/20047">Issue 20047&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> a potential flood of configuration pushes from Pilot to Envoy when scaling the deployment to zero (&lt;a href="https://github.com/istio/istio/issues/17957">Issue 17957&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where Mixer could not fetch the correct information from the request/response when pod contains a dot in its name (&lt;a href="https://github.com/istio/istio/issues/20028">Issue 20028&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where Pilot sometimes would not send a correct pod configuration to Envoy (&lt;a href="https://github.com/istio/istio/issues/19025">Issue 19025&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where sidecar injector with SDS enabled was overwriting pod &lt;code>securityContext&lt;/code> section, instead of just patching it (&lt;a href="https://github.com/istio/istio/issues/20409">Issue 20409&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="improvements">Improvements&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Improved&lt;/strong> Better compatibility with Google CA. (Issues &lt;a href="https://github.com/istio/istio/issues/20530">20530&lt;/a>, &lt;a href="https://github.com/istio/istio/issues/20560">20560&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Added analyzer error message when Policies using JWT are not configured properly (Issues &lt;a href="https://github.com/istio/istio/issues/20884">20884&lt;/a>, &lt;a href="https://github.com/istio/istio/issues/20767">20767&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Tue, 11 Feb 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4.4/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4.4/</guid></item><item><title>Announcing Istio 1.3.8</title><description>
&lt;p>This release contains a fix for the security vulnerability described in &lt;a href="/v1.5/news/security/istio-security-2020-001">our February 11th, 2020 news post&lt;/a>. This release note describes what&amp;rsquo;s different between Istio 1.3.7 and Istio 1.3.8.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/1.3.8">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.3/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.3.7...1.3.8">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2020-001&lt;/strong> Improper input validation have been discovered in &lt;code>AuthenticationPolicy&lt;/code>.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595">CVE-2020-8595&lt;/a>&lt;/strong>: A bug in Istio&amp;rsquo;s &lt;a href="/v1.5/docs/reference/config/security/istio.authentication.v1alpha1/#Policy">Authentication Policy&lt;/a> exact path matching logic allows unauthorized access to resources without a valid JWT token.&lt;/p></description><pubDate>Tue, 11 Feb 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3.8/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3.8/</guid></item><item><title>Announcing Istio 1.3.7</title><description>
&lt;p>This release includes bug fixes to improve robustness. This release note describes what&amp;rsquo;s different between Istio 1.3.6 and Istio 1.3.7.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.3.7"
data-downloadbuttontext="DOWNLOAD 1.3.7"
data-updateadvice='Before you download 1.3.7, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.3.8'
data-updatehref="/v1.5/news/releases/1.3.x/announcing-1.3.8/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.3/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.3.6...1.3.7">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> root certificate rotation in Citadel to reuse values from the expiring root certificate into the new root certificate (&lt;a href="https://github.com/istio/istio/issues/19644">Issue 19644&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> telemetry to ignore forwarded attributes at the gateway.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> sidecar injection into pods with containers that export no port (&lt;a href="https://github.com/istio/istio/issues/18594">Issue 18594&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> telemetry support for pod names containing periods (&lt;a href="https://github.com/istio/istio/issues/19015">Issue 19015&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for generating &lt;code>PKCS#8&lt;/code> private keys in Citadel agent (&lt;a href="https://github.com/istio/istio/issues/19948">Issue 19948&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="minor-enhancements">Minor enhancements&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Improved&lt;/strong> injection template to fully specify &lt;code>securityContext&lt;/code>, allowing &lt;code>PodSecurityPolicies&lt;/code> to properly validate injected deployments (&lt;a href="https://github.com/istio/istio/issues/17318">Issue 17318&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for setting the &lt;code>lifecycle&lt;/code> for proxy containers.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for setting the Mesh UID in the Stackdriver Mixer adapter (&lt;a href="https://github.com/istio/istio/issues/17952">Issue 17952&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="/v1.5/news/security/istio-security-2020-002">&lt;strong>ISTIO-SECURITY-2020-002&lt;/strong>&lt;/a> Mixer policy check bypass caused by improperly accepting certain request headers.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8843">CVE-2020-8843&lt;/a>&lt;/strong>: Under certain circumstances it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts &lt;code>x-istio-attributes&lt;/code> header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to source equal to ingress. Istio 1.3 to 1.3.6 is vulnerable.&lt;/p></description><pubDate>Tue, 04 Feb 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3.7/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3.7/</guid></item><item><title>Support for Istio 1.3 ends on February 14th, 2020</title><description>&lt;p>According to Istio&amp;rsquo;s &lt;a href="/v1.5/about/release-cadence/">support policy&lt;/a>, LTS releases like 1.3 are supported for three months after the next LTS release. Since &lt;a href="/v1.5/news/releases/1.4.x/announcing-1.4/">1.4 was released on November 14th&lt;/a>, support for 1.3 will end on February 14th, 2020.&lt;/p>
&lt;p>At that point we will stop back-porting fixes for security issues and critical bugs to 1.3, so we encourage you to upgrade to the latest version of Istio (1.5.4). If you don&amp;rsquo;t do this you may put yourself in the position of having to do a major upgrade on a short timeframe to pick up a critical fix.&lt;/p>
&lt;p>We care about you and your clusters, so please be kind to yourself and upgrade.&lt;/p></description><pubDate>Wed, 15 Jan 2020 00:00:00 +0000</pubDate><link>/v1.5/news/support/announcing-1.3-eol/</link><author/><guid isPermaLink="true">/v1.5/news/support/announcing-1.3-eol/</guid></item><item><title>Announcing Istio 1.4.3</title><description>
&lt;p>This release includes bug fixes to improve robustness and user experience. This release note describes whats different between Istio 1.4.2 and Istio 1.4.3.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.4.3"
data-downloadbuttontext="DOWNLOAD 1.4.3"
data-updateadvice='Before you download 1.4.3, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.4.9'
data-updatehref="/v1.5/news/releases/1.4.x/announcing-1.4.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.4/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.4.2...1.4.3">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where Mixer creates too many watches, overloading &lt;code>kube-apiserver&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/19481">Issue 19481&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue with injection when pod has multiple containers without exposed ports (&lt;a href="https://github.com/istio/istio/issues/18594">Issue 18594&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> overly restrictive validation of &lt;code>regex&lt;/code> field (&lt;a href="https://github.com/istio/istio/pull/19212">Issue 19212&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an upgrade issue with &lt;code>regex&lt;/code> field (&lt;a href="https://github.com/istio/istio/pull/19665">Issue 19665&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;code>istioctl&lt;/code> install to properly send logs to &lt;code>stderr&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/17743">Issue 17743&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where a file and profile could not be specified for &lt;code>istioctl&lt;/code> installs (&lt;a href="https://github.com/istio/istio/issues/19503">Issue 19503&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue preventing certain objects from being installed for &lt;code>istioctl&lt;/code> installs (&lt;a href="https://github.com/istio/istio/issues/19371">Issue 19371&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue preventing using certain JWKS with EC keys in JWT policy (&lt;a href="https://github.com/istio/istio/issues/19424">Issue 19424&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="improvements">Improvements&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Improved&lt;/strong> injection template to fully specify &lt;code>securityContext&lt;/code>, allowing &lt;code>PodSecurityPolicies&lt;/code> to properly validate injected deployments (&lt;a href="https://github.com/istio/istio/issues/17318">Issue 17318&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> telemetry v2 configuration to support Stackdriver and forward compatibility (&lt;a href="https://github.com/istio/installer/pull/591">Issue 591&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> output of &lt;code>istioctl&lt;/code> installation (&lt;a href="https://github.com/istio/istio/issues/19451">Issue 19451&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> &lt;code>istioctl&lt;/code> installation to set exit code upon failure (&lt;a href="https://github.com/istio/istio/issues/19747">Issue 19747&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Wed, 08 Jan 2020 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4.3/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4.3/</guid></item><item><title>Support for Istio 1.2 has ended</title><description>&lt;p>As &lt;a href="/v1.5/news/support/announcing-1.2-eol/">previously announced&lt;/a>, support for Istio 1.2 has now officially ended.&lt;/p>
&lt;p>At this point we will no longer back-port fixes for security issues and critical bugs to 1.2, so we heartily encourage you to upgrade to the latest version of Istio (1.5.4) if you haven&amp;rsquo;t already.&lt;/p></description><pubDate>Fri, 13 Dec 2019 00:00:00 +0000</pubDate><link>/v1.5/news/support/announcing-1.2-eol-final/</link><author/><guid isPermaLink="true">/v1.5/news/support/announcing-1.2-eol-final/</guid></item><item><title>ISTIO-SECURITY-2019-007</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18801">CVE-2019-18801&lt;/a>&lt;br>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802">CVE-2019-18802&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>9.0 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aN%2fAC%3aH%2fPR%3aN%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aH%2fA%3aH">CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.2 to 1.2.9&lt;br>
1.3 to 1.3.5&lt;br>
1.4 to 1.4.1&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Envoy, and subsequently Istio are vulnerable to two newly discovered vulnerabilities:&lt;/p>
&lt;ul>
&lt;li>&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18801">CVE-2019-18801&lt;/a>&lt;/strong>: This vulnerability affects Envoys HTTP/1 codec in its way it processes downstream&amp;rsquo;s requests with large HTTP/2 headers. A successful exploitation of this vulnerability could lead to a denial of Service, escalation of privileges, or information disclosure.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802">CVE-2019-18802&lt;/a>&lt;/strong>: HTTP/1 codec incorrectly fails to trim whitespace after header values. This could allow an attacker to bypass Istio&amp;rsquo;s policy either for information disclosure or escalation of privileges.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18838">CVE-2019-18838&lt;/a>&lt;/strong>: Upon receipt of a malformed HTTP request without the &amp;ldquo;Host&amp;rdquo; header, an encoder filter invoking Envoy&amp;rsquo;s route manager APIs that access request&amp;rsquo;s &amp;ldquo;Host&amp;rdquo; header will cause a NULL pointer to be dereferenced and result in abnormal termination of the Envoy process.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="impact-and-detection">Impact and detection&lt;/h2>
&lt;p>Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases where downstream&amp;rsquo;s requests are HTTP/2 while upstream&amp;rsquo;s are HTTP/1, then your cluster is vulnerable. We expect this to be true of most clusters.&lt;/p>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>For Istio 1.2.x deployments: update to &lt;a href="/v1.5/news/releases/1.2.x/announcing-1.2.10">Istio 1.2.10&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.3.x deployments: update to &lt;a href="/v1.5/news/releases/1.3.x/announcing-1.3.6">Istio 1.3.6&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.4.x deployments: update to &lt;a href="/v1.5/news/releases/1.4.x/announcing-1.4.2">Istio 1.4.2&lt;/a> or later.&lt;/li>
&lt;/ul>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Tue, 10 Dec 2019 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2019-007/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2019-007/</guid><category>CVE</category></item><item><title>Announcing Istio 1.4.2</title><description>
&lt;p>This release contains fixes for the security vulnerability described in &lt;a href="/v1.5/news/security/istio-security-2019-007">our December 10th, 2019 news post&lt;/a>. This release note describes whats different between Istio 1.4.1 and Istio 1.4.2.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.4.2"
data-downloadbuttontext="DOWNLOAD 1.4.2"
data-updateadvice='Before you download 1.4.2, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.4.9'
data-updatehref="/v1.5/news/releases/1.4.x/announcing-1.4.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.4/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.4.1...1.4.2">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2019-007&lt;/strong> A heap overflow and improper input validation have been discovered in Envoy.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18801">CVE-2019-18801&lt;/a>&lt;/strong>: Fix a vulnerability affecting Envoy&amp;rsquo;s processing of large HTTP/2 request headers. A successful exploitation of this vulnerability could lead to a denial of service, escalation of privileges, or information disclosure.
&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802">CVE-2019-18802&lt;/a>&lt;/strong>: Fix a vulnerability resulting from whitespace after HTTP/1 header values which could allow an attacker to bypass Istio&amp;rsquo;s policy checks, potentially resulting in information disclosure or escalation of privileges.
&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18838">CVE-2019-18838&lt;/a>&lt;/strong>: Fix a vulnerability resulting from malformed HTTP request missing the &amp;ldquo;Host&amp;rdquo; header. An encoder filter that invokes Envoy&amp;rsquo;s route manager APIs that access request&amp;rsquo;s &amp;ldquo;Host&amp;rdquo; header will cause a NULL pointer to be dereferenced and result in abnormal termination of the Envoy process.&lt;/p></description><pubDate>Tue, 10 Dec 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4.2/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4.2/</guid></item><item><title>Announcing Istio 1.3.6</title><description>
&lt;p>This release contains fixes for the security vulnerability described in &lt;a href="/v1.5/news/security/istio-security-2019-007">our December 10th, 2019 news post&lt;/a> as well as bug fixes to improve robustness. This release note describes what&amp;rsquo;s different between Istio 1.3.5 and Istio 1.3.6.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.3.6"
data-downloadbuttontext="DOWNLOAD 1.3.6"
data-updateadvice='Before you download 1.3.6, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.3.8'
data-updatehref="/v1.5/news/releases/1.3.x/announcing-1.3.8/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.3/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.3.5...1.3.6">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2019-007&lt;/strong> A heap overflow and improper input validation have been discovered in Envoy.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18801">CVE-2019-18801&lt;/a>&lt;/strong>: Fix a vulnerability affecting Envoy&amp;rsquo;s processing of large HTTP/2 request headers. A successful exploitation of this vulnerability could lead to a denial of service, escalation of privileges, or information disclosure.
&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802">CVE-2019-18802&lt;/a>&lt;/strong>: Fix a vulnerability resulting from whitespace after HTTP/1 header values which could allow an attacker to bypass Istio&amp;rsquo;s policy checks, potentially resulting in information disclosure or escalation of privileges.
&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18838">CVE-2019-18838&lt;/a>&lt;/strong>: Fix a vulnerability resulting from malformed HTTP request missing the &amp;ldquo;Host&amp;rdquo; header. An encoder filter that invokes Envoy&amp;rsquo;s route manager APIs that access request&amp;rsquo;s &amp;ldquo;Host&amp;rdquo; header will cause a NULL pointer to be dereferenced and result in abnormal termination of the Envoy process.&lt;/p>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where a duplicate listener was generated for a proxy&amp;rsquo;s IP address when using a headless &lt;code>TCP&lt;/code> service. (&lt;a href="https://github.com/istio/istio/issues/17748">Issue 17748&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue with the &lt;code>destination_service&lt;/code> label in HTTP related metrics incorrectly falling back to &lt;code>request.host&lt;/code> which can cause a metric cardinality explosion for ingress traffic. (&lt;a href="https://github.com/istio/istio/issues/18818">Issue 18818&lt;/a>)&lt;/li>
&lt;/ul>
&lt;h2 id="minor-enhancements">Minor enhancements&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Improved&lt;/strong> load-shedding options for Mixer. Added support for a &lt;code>requests-per-second&lt;/code> threshold for load-shedding enforcement. This allows operators to turn off load-shedding for Mixer in low traffic scenarios.&lt;/li>
&lt;/ul></description><pubDate>Tue, 10 Dec 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3.6/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3.6/</guid></item><item><title>Announcing Istio 1.2.10</title><description>
&lt;p>This release contains fixes for the security vulnerability described in &lt;a href="/v1.5/news/security/istio-security-2019-007">our December 10th, 2019 news post&lt;/a>. This release note describes whats different between Istio 1.2.9 and Istio 1.2.10.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/1.2.10">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.2/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.2.9...1.2.10">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2019-007&lt;/strong> A heap overflow and improper input validation have been discovered in Envoy.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18801">CVE-2019-18801&lt;/a>&lt;/strong>: Fix a vulnerability affecting Envoy&amp;rsquo;s processing of large HTTP/2 request headers. A successful exploitation of this vulnerability could lead to a denial of service, escalation of privileges, or information disclosure.
&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802">CVE-2019-18802&lt;/a>&lt;/strong>: Fix a vulnerability resulting from whitespace after HTTP/1 header values which could allow an attacker to bypass Istio&amp;rsquo;s policy checks, potentially resulting in information disclosure or escalation of privileges.
&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18838">CVE-2019-18838&lt;/a>&lt;/strong>: Fix a vulnerability resulting from malformed HTTP request missing the &amp;ldquo;Host&amp;rdquo; header. An encoder filter that invokes Envoy&amp;rsquo;s route manager APIs that access request&amp;rsquo;s &amp;ldquo;Host&amp;rdquo; header will cause a NULL pointer to be dereferenced and result in abnormal termination of the Envoy process.&lt;/p>
&lt;h2 id="bug-fix">Bug fix&lt;/h2>
&lt;ul>
&lt;li>Add support for Citadel to automatically rotate root cert. (&lt;a href="https://github.com/istio/istio/issues/17059">Issue 17059&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Tue, 10 Dec 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2.10/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2.10/</guid></item><item><title>Announcing Istio 1.4.1</title><description>
&lt;p>This release includes bug fixes to improve robustness. This release note describes whats different between Istio 1.4.0 and Istio 1.4.1.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.4.1"
data-downloadbuttontext="DOWNLOAD 1.4.1"
data-updateadvice='Before you download 1.4.1, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.4.9'
data-updatehref="/v1.5/news/releases/1.4.x/announcing-1.4.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.4/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.4.0...1.4.1">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;code>istioctl&lt;/code> installation on Windows (&lt;a href="https://github.com/istio/istio/pull/19020">Issue 19020&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue with route matching order when using cert-manager with Kubernetes Ingress (&lt;a href="https://github.com/istio/istio/pull/19000">Issue 19000&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Mixer source namespace attribute when the pod name contains a period (&lt;a href="https://github.com/istio/istio/issues/19015">Issue 19015&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> excessive metrics generated by Galley (&lt;a href="https://github.com/istio/istio/issues/19165">Issue 19165&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> tracing Service port to correctly listen on port 80 (&lt;a href="https://github.com/istio/istio/issues/19227">Issue 19227&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> missing &lt;code>istioctl&lt;/code> auto-completion files (&lt;a href="https://github.com/istio/istio/issues/19297">Issue 19297&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Thu, 05 Dec 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4.1/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4.1/</guid></item><item><title>Support for Istio 1.2 ends on December 13th, 2019</title><description>&lt;p>According to Istio&amp;rsquo;s &lt;a href="/v1.5/about/release-cadence/">support policy&lt;/a>, LTS releases like 1.2 are supported for three months after the next LTS release. Since &lt;a href="/v1.5/news/releases/1.3.x/announcing-1.3/">1.3 was released on September 12th&lt;/a>, support for 1.2 will end on December 13th, 2019.&lt;/p>
&lt;p>At that point we will stop back-porting fixes for security issues and critical bugs to 1.2, so we encourage you to upgrade to the latest version of Istio (1.5.4). If you don&amp;rsquo;t do this you may put yourself in the position of having to do a major upgrade on a short timeframe to pick up a critical fix.&lt;/p>
&lt;p>We care about you and your clusters, so please be kind to yourself and upgrade.&lt;/p></description><pubDate>Mon, 11 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/news/support/announcing-1.2-eol/</link><author/><guid isPermaLink="true">/v1.5/news/support/announcing-1.2-eol/</guid></item><item><title>Announcing Istio 1.3.5</title><description>
&lt;p>This release contains fixes for the security vulnerability described in &lt;a href="/v1.5/news/security/istio-security-2019-006">our November 11, 2019 news post&lt;/a> as well as bug fixes to improve robustness. This release note describes what&amp;rsquo;s different between Istio 1.3.4 and Istio 1.3.5.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.3.5"
data-downloadbuttontext="DOWNLOAD 1.3.5"
data-updateadvice='Before you download 1.3.5, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.3.8'
data-updatehref="/v1.5/news/releases/1.3.x/announcing-1.3.8/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.3/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.3.4...1.3.5">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>ISTIO-SECURITY-2019-006&lt;/strong> A DoS vulnerability has been discovered in Envoy.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18817">CVE-2019-18817&lt;/a>&lt;/strong>: An infinite loop can be triggered in Envoy if the option &lt;code>continue_on_listener_filters_timeout&lt;/code> is set to True, which is the case in Istio. This vulnerability could be leveraged for a DoS attack. If you applied the mitigation mentioned in &lt;a href="/v1.5/news/security/istio-security-2019-006">our November 11, 2019 news post&lt;/a>, you can remove the mitigation once you upgrade to Istio 1.3.5 or newer.&lt;/p>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> Envoy listener configuration for TCP headless services. (&lt;a href="https://github.com/istio/istio/issues/17748">Issue #17748&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue which caused stale endpoints to remain even when a deployment was scaled to 0 replicas. (&lt;a href="https://github.com/istio/istio/issues/14336">Issue #14436&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Pilot to no longer crash when an invalid Envoy configuration is generated. (&lt;a href="https://github.com/istio/istio/issues/17266">Issue 17266&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue with the &lt;code>destination_service_name&lt;/code> label not getting populated for TCP metrics related to BlackHole/Passthrough clusters. (&lt;a href="https://github.com/istio/istio/issues/17271">Issue 17271&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue with telemetry not reporting metrics for BlackHole/Passthrough clusters when fall through filter chains were invoked. This occurred when explicit &lt;code>ServiceEntries&lt;/code> were configured for external services. (&lt;a href="https://github.com/istio/istio/issues/17759">Issue 17759&lt;/a>)&lt;/li>
&lt;/ul>
&lt;h2 id="minor-enhancements">Minor enhancements&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> support for Citadel to periodically check the root certificate remaining lifetime and rotate expiring root certificates. (&lt;a href="https://github.com/istio/istio/issues/17059">Issue 17059&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;code>PILOT_BLOCK_HTTP_ON_443&lt;/code> boolean environment variable to Pilot. If enabled, this flag prevents HTTP services from running on port 443 in order to prevent conflicts with external HTTP services. This is disabled by default. (&lt;a href="https://github.com/istio/istio/issues/16458">Issue 16458&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Mon, 11 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3.5/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3.5/</guid></item><item><title>ISTIO-SECURITY-2019-006</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18817">CVE-2019-18817&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>7.5 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.1%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH%2fE%3aH%2fRL%3aO%2fRC%3aC">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.3 to 1.3.4&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Envoy, and subsequently Istio, are vulnerable to the following DoS attack.
An infinite loop can be triggered in Envoy if the option &lt;code>continue_on_listener_filters_timeout&lt;/code> is set to &lt;code>True&lt;/code>. This has been the case for Istio since the introduction of the Protocol Detection feature in Istio 1.3
A remote attacker may trivially trigger that vulnerability, effectively exhausting Envoys CPU resources and causing a denial-of-service attack.&lt;/p>
&lt;h2 id="impact-and-detection">Impact and detection&lt;/h2>
&lt;p>Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases, your cluster is vulnerable.&lt;/p>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Workaround: The exploitation of that vulnerability can be prevented by customizing Istio installation (as described in &lt;a href="/v1.5/docs/reference/config/installation-options/#pilot-options">installation options&lt;/a> ), using Helm to override the following options:&lt;/p>
&lt;pre>&lt;code class='language-plain' data-expandlinks='true' data-repo='istio' >--set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>For Istio 1.3.x deployments: update to &lt;a href="/v1.5/news/releases/1.3.x/announcing-1.3.5">Istio 1.3.5&lt;/a> or later.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Thu, 07 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2019-006/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2019-006/</guid><category>CVE</category></item><item><title>Announcing Istio 1.2.9</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.2.9. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.2.9"
data-downloadbuttontext="DOWNLOAD 1.2.9"
data-updateadvice='Before you download 1.2.9, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.2.10'
data-updatehref="/v1.5/news/releases/1.2.x/announcing-1.2.10/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.2/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.2.8...1.2.9">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix a proxy startup race condition.&lt;/li>
&lt;/ul>
&lt;h2 id="features">Features&lt;/h2>
&lt;ul>
&lt;li>Adding support for Citadel automatic root certificate rotation (&lt;a href="https://github.com/istio/istio/issues/17059">Issue 17059&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Wed, 06 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2.9/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2.9/</guid></item><item><title>Announcing Istio 1.3.4</title><description>
&lt;p>This release includes bug fixes to improve robustness. This release note describes what&amp;rsquo;s different between Istio 1.3.3 and Istio 1.3.4.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.3.4"
data-downloadbuttontext="DOWNLOAD 1.3.4"
data-updateadvice='Before you download 1.3.4, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.3.8'
data-updatehref="/v1.5/news/releases/1.3.x/announcing-1.3.8/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.3/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.3.3...1.3.4">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> a crashing bug in the Google node agent provider. (&lt;a href="https://github.com/istio/istio/pull/18260">Pull Request #18296&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Prometheus annotations and updated Jaeger to 1.14. (&lt;a href="https://github.com/istio/istio/pull/18274">Pull Request #18274&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> in-bound listener reloads that occur on 5 minute intervals. (&lt;a href="https://github.com/istio/istio/issues/18088">Issue #18138&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> validation of key and certificate rotation. (&lt;a href="https://github.com/istio/istio/issues/17718">Issue #17718&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> invalid internal resource garbage collection. (&lt;a href="https://github.com/istio/istio/issues/16818">Issue #16818&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> webhooks that were not updated on a failure. (&lt;a href="https://github.com/istio/istio/pull/17820">Pull Request #17820&lt;/a>&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> performance of OpenCensus tracing adapter. (&lt;a href="https://github.com/istio/istio/issues/18042">Issue #18042&lt;/a>)&lt;/li>
&lt;/ul>
&lt;h2 id="minor-enhancements">Minor enhancements&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Improved&lt;/strong> reliability of the SDS service. (&lt;a href="https://github.com/istio/istio/issues/17409">Issue #17409&lt;/a>, &lt;a href="https://github.com/istio/istio/issues/17905">Issue #17905&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> stable versions of failure domain labels. (&lt;a href="https://github.com/istio/istio/pull/17755">Pull Request #17755&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> update of the global mesh policy on upgrades. (&lt;a href="https://github.com/istio/istio/pull/17033">Pull Request #17033&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Fri, 01 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3.4/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3.4/</guid></item><item><title>Announcing Istio 1.2.8</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.2.8. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.2.8"
data-downloadbuttontext="DOWNLOAD 1.2.8"
data-updateadvice='Before you download 1.2.8, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.2.10'
data-updatehref="/v1.5/news/releases/1.2.x/announcing-1.2.10/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.2/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.2.7...1.2.8">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Fix a bug introduced by &lt;a href="/v1.5/news/security/istio-security-2019-005">our October 8th security release&lt;/a> which incorrectly calculated HTTP header and body sizes (&lt;a href="https://github.com/istio/istio/issues/17735">Issue 17735&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix a minor bug where endpoints still remained in /clusters while scaling a deployment to 0 replica (&lt;a href="https://github.com/istio/istio/issues/14336">Issue 14336&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix Helm upgrade process to correctly update mesh policy for mutual TLS (&lt;a href="https://github.com/istio/istio/issues/16170">Issue 16170&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix inconsistencies in the destination service label for TCP connection opened/closed metrics (&lt;a href="https://github.com/istio/istio/issues/17234">Issue 17234&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix the Istio secret cleanup mechanism (&lt;a href="https://github.com/istio/istio/issues/17122">Issue 17122&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix the Mixer Stackdriver adapter encoding process to handle invalid UTF-8 (&lt;a href="https://github.com/istio/istio/issues/16966">Issue 16966&lt;/a>).&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="features">Features&lt;/h2>
&lt;ul>
&lt;li>Add &lt;code>pilot&lt;/code> support for the new failure domain labels: &lt;code>zone&lt;/code> and &lt;code>region&lt;/code>.&lt;/li>
&lt;/ul></description><pubDate>Wed, 23 Oct 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2.8/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2.8/</guid></item><item><title>Support for Istio 1.1 has ended</title><description>&lt;p>As &lt;a href="/v1.5/news/support/announcing-1.1-eol/">previously announced&lt;/a>, support for Istio 1.1 has now officially ended.&lt;/p>
&lt;p>Since we learned of the security vulnerability &lt;a href="/v1.5/news/security/istio-security-2019-005">behind our October 8th security release&lt;/a> while still barely within the 1.1 support period, we decided to extend the 1.1 support period beyond the original announcement and release &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1.16">1.1.16&lt;/a>. Then we discovered a &lt;a href="https://github.com/istio/istio/issues/17735">bug in HTTP header size calculation&lt;/a> was introduced by the security release, so we decided to release a fix in one last &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1.17">1.1.17&lt;/a> release before closing out the 1.1 series for good.&lt;/p>
&lt;p>At this point we will no longer back-port fixes for security issues and critical bugs to 1.1, so we heartily encourage you to upgrade to the latest version of Istio (1.5.4) if you haven&amp;rsquo;t already.&lt;/p></description><pubDate>Mon, 21 Oct 2019 00:00:00 +0000</pubDate><link>/v1.5/news/support/announcing-1.1-eol-final/</link><author/><guid isPermaLink="true">/v1.5/news/support/announcing-1.1-eol-final/</guid></item><item><title>Announcing Istio 1.1.17</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.17. This will be the last 1.1.x patch release. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/1.1.17">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.16...1.1.17">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix a bug introduced by &lt;a href="/v1.5/news/security/istio-security-2019-005">our October 8th security release&lt;/a> which incorrectly calculated HTTP header and body sizes (&lt;a href="https://github.com/istio/istio/issues/17735">Issue 17735&lt;/a>.&lt;/li>
&lt;/ul></description><pubDate>Mon, 21 Oct 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.17/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.17/</guid></item><item><title>Announcing Istio 1.3.3</title><description>
&lt;p>This release includes bug fixes to improve robustness. This release note describes what&amp;rsquo;s different between Istio 1.3.2 and Istio 1.3.3.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.3.3"
data-downloadbuttontext="DOWNLOAD 1.3.3"
data-updateadvice='Before you download 1.3.3, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.3.8'
data-updatehref="/v1.5/news/releases/1.3.x/announcing-1.3.8/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.3/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.3.2...1.3.3">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue which caused Prometheus to install improperly when using &lt;code>istioctl x manifest apply&lt;/code>. (&lt;a href="https://github.com/istio/istio/issues/16970">Issue 16970&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> a bug where locality load balancing can not read locality information from the node. (&lt;a href="https://github.com/istio/istio/issues/17337">Issue 17337&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> a bug where long-lived connections were getting dropped by the Envoy proxy as the listeners were getting reconfigured without any user configuration changes. (&lt;a href="https://github.com/istio/istio/issues/17383">Issue 17383&lt;/a>, &lt;a href="https://github.com/istio/istio/issues/17139">Issue 17139&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> a crash in &lt;code>istioctl x analyze&lt;/code> command. (&lt;a href="https://github.com/istio/istio/issues/17449">Issue 17449&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;code>istioctl x manifest diff&lt;/code> to diff text blocks in ConfigMaps. (&lt;a href="https://github.com/istio/istio/issues/16828">Issue 16828&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> a segmentation fault crash in the Envoy proxy. (&lt;a href="https://github.com/istio/istio/issues/17699">Issue 17699&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Mon, 14 Oct 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3.3/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3.3/</guid></item><item><title>ISTIO-SECURITY-2019-005</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15226">CVE-2019-15226&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>7.5 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.1 to 1.1.15&lt;br>
1.2 to 1.2.6&lt;br>
1.3 to 1.3.1&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Envoy, and subsequently Istio, are vulnerable to the following DoS attack. Upon receiving each incoming request, Envoy will iterate over the request headers to verify that the total size of the headers stays below a maximum limit. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.&lt;/p>
&lt;h2 id="impact-and-detection">Impact and detection&lt;/h2>
&lt;p>Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases, your cluster is vulnerable.&lt;/p>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>For Istio 1.1.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then &lt;a href="/v1.5/docs/setup/upgrade/cni-helm-upgrade/#sidecar-upgrade">upgrade the data plane&lt;/a> to &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1.16">Istio 1.1.16&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.2.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then &lt;a href="/v1.5/docs/setup/upgrade/cni-helm-upgrade/#sidecar-upgrade">upgrade the data plane&lt;/a> to &lt;a href="/v1.5/news/releases/1.2.x/announcing-1.2.7">Istio 1.2.7&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.3.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then &lt;a href="/v1.5/docs/setup/upgrade/cni-helm-upgrade/#sidecar-upgrade">upgrade the data plane&lt;/a> to &lt;a href="/v1.5/news/releases/1.3.x/announcing-1.3.2">Istio 1.3.2&lt;/a> or later.&lt;/li>
&lt;/ul>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Tue, 08 Oct 2019 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2019-005/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2019-005/</guid><category>CVE</category></item><item><title>Announcing Istio 1.3.2</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.3.2. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.3.2"
data-downloadbuttontext="DOWNLOAD 1.3.2"
data-updateadvice='Before you download 1.3.2, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.3.8'
data-updatehref="/v1.5/news/releases/1.3.x/announcing-1.3.8/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.3/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.3.1...1.3.2">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;p>This release contains fixes for the security vulnerability described in &lt;a href="/v1.5/news/security/istio-security-2019-005">our October 8th, 2019 news post&lt;/a>. Specifically:&lt;/p>
&lt;p>&lt;strong>ISTIO-SECURITY-2019-005&lt;/strong>: A DoS vulnerability has been discovered by the Envoy community.
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15226">CVE-2019-15226&lt;/a>&lt;/strong>: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio if an attacker uses a high quantity of very small headers.&lt;/p>
&lt;p>Nothing else is included in this release except for the above security fix. Distroless images will be available in a few days.&lt;/p></description><pubDate>Tue, 08 Oct 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3.2/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3.2/</guid></item><item><title>Announcing Istio 1.2.7</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.2.7. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.2.7"
data-downloadbuttontext="DOWNLOAD 1.2.7"
data-updateadvice='Before you download 1.2.7, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.2.10'
data-updatehref="/v1.5/news/releases/1.2.x/announcing-1.2.10/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.2/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.2.6...1.2.7">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;p>This release contains fixes for the security vulnerability described in &lt;a href="/v1.5/news/security/istio-security-2019-005">our October 8th, 2019 news post&lt;/a>. Specifically:&lt;/p>
&lt;p>&lt;strong>ISTIO-SECURITY-2019-005&lt;/strong>: A DoS vulnerability has been discovered by the Envoy community.
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15226">CVE-2019-15226&lt;/a>&lt;/strong>: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio if an attacker uses a high quantity of very small headers.&lt;/p>
&lt;h2 id="bug-fix">Bug fix&lt;/h2>
&lt;ul>
&lt;li>Fix a bug where &lt;code>nodeagent&lt;/code> was failing to start when using citadel (&lt;a href="https://github.com/istio/istio/issues/17108">Issue 15876&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Tue, 08 Oct 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2.7/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2.7/</guid></item><item><title>Announcing Istio 1.1.16</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.16. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.16"
data-downloadbuttontext="DOWNLOAD 1.1.16"
data-updateadvice='Before you download 1.1.16, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.15...1.1.16">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;p>This release contains fixes for the security vulnerability described in &lt;a href="/v1.5/news/security/istio-security-2019-005">our October 8th, 2019 news post&lt;/a>. Specifically:&lt;/p>
&lt;p>&lt;strong>ISTIO-SECURITY-2019-005&lt;/strong>: A DoS vulnerability has been discovered by the Envoy community.
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15226">CVE-2019-15226&lt;/a>&lt;/strong>: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio if an attacker uses a high quantity of very small headers.&lt;/p>
&lt;p>Nothing else is included in this release except for the above security fix.&lt;/p></description><pubDate>Tue, 08 Oct 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.16/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.16/</guid></item><item><title>Announcing Istio 1.3.1</title><description>
&lt;p>This release includes bug fixes to improve robustness. This release note describes whats different between Istio 1.3.0 and Istio 1.3.1.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.3.1"
data-downloadbuttontext="DOWNLOAD 1.3.1"
data-updateadvice='Before you download 1.3.1, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.3.8'
data-updatehref="/v1.5/news/releases/1.3.x/announcing-1.3.8/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.3/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.3.0...1.3.1">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue which caused the secret cleanup job to erroneously run during upgrades (&lt;a href="https://github.com/istio/istio/issues/16873">Issue 16873&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where the default configuration disabled Kubernetes Ingress support (&lt;a href="https://github.com/istio/istio/issues/17148">Issue 17148&lt;/a>)&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue with handling invalid &lt;code>UTF-8&lt;/code> characters in the Stackdriver logging adapter (&lt;a href="https://github.com/istio/istio/issues/16966">Issue 16966&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue which caused the &lt;code>destination_service&lt;/code> label in HTTP metrics not to be set for &lt;code>BlackHoleCluster&lt;/code> and &lt;code>PassThroughCluster&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/16629">Issue 16629&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue with the &lt;code>destination_service&lt;/code> label in the &lt;code>istio_tcp_connections_closed_total&lt;/code> and &lt;code>istio_tcp_connections_opened_total&lt;/code> metrics which caused them to not be set correctly (&lt;a href="https://github.com/istio/istio/issues/17234">Issue 17234&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an Envoy crash introduced in Istio 1.2.4 (&lt;a href="https://github.com/istio/istio/issues/16357">Issue 16357&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> Istio CNI sidecar initialization when IPv6 is disabled on the node (&lt;a href="https://github.com/istio/istio/issues/15895">Issue 15895&lt;/a>).&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> a regression affecting support of RS384 and RS512 algorithms in JWTs (&lt;a href="https://github.com/istio/istio/issues/15380">Issue 15380&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="minor-enhancements">Minor enhancements&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> support for &lt;code>.Values.global.priorityClassName&lt;/code> to the telemetry deployment.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> annotations for Datadog tracing that controls extra features in sidecars.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> the &lt;code>pilot_xds_push_time&lt;/code> metric to report Pilot xDS push time.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;code>istioctl experimental analyze&lt;/code> to support multi-resource analysis and validation.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for running metadata exchange and stats extensions in a WebAssembly sandbox.&lt;/li>
&lt;li>&lt;strong>Removed&lt;/strong> time diff info in the proxy-status command.&lt;/li>
&lt;/ul></description><pubDate>Fri, 27 Sep 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3.1/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3.1/</guid></item><item><title>Announcing Istio 1.2.6</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.2.6. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.2.6"
data-downloadbuttontext="DOWNLOAD 1.2.6"
data-updateadvice='Before you download 1.2.6, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.2.10'
data-updatehref="/v1.5/news/releases/1.2.x/announcing-1.2.10/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.2/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.2.5...1.2.6">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix &lt;code>redisquota&lt;/code> inconsistency in regards to &lt;code>memquota&lt;/code> counting (&lt;a href="https://github.com/istio/istio/issues/15543">Issue 15543&lt;/a>).&lt;/li>
&lt;li>Fix an Envoy crash introduced in Istio 1.2.5 (&lt;a href="https://github.com/istio/istio/issues/16357">Issue 16357&lt;/a>).&lt;/li>
&lt;li>Fix Citadel health check broken in the context of plugin certs (with intermediate certs) (&lt;a href="https://github.com/istio/istio/issues/16593">Issue 16593&lt;/a>).&lt;/li>
&lt;li>Fix Stackdriver Mixer Adapter error log verbosity (&lt;a href="https://github.com/istio/istio/issues/16782">Issue 16782&lt;/a>).&lt;/li>
&lt;li>Fix a bug where the service account map would be erased for service hostnames with more than one port.&lt;/li>
&lt;li>Fix incorrect &lt;code>filterChainMatch&lt;/code> wildcard hosts duplication produced by Pilot (&lt;a href="https://github.com/istio/istio/issues/16573">Issue 16573&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>Expose &lt;code>sidecarToTelemetrySessionAffinity&lt;/code> (required for Mixer V1) when it talks to services like Stackdriver. (&lt;a href="https://github.com/istio/istio/issues/16862">Issue 16862&lt;/a>).&lt;/li>
&lt;li>Expose &lt;code>HTTP/2&lt;/code> window size settings as Pilot environment variables (&lt;a href="https://github.com/istio/istio/issues/17117">Issue 17117&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Tue, 17 Sep 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2.6/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2.6/</guid></item><item><title>Announcing Istio 1.1.15</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.15. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.15"
data-downloadbuttontext="DOWNLOAD 1.1.15"
data-updateadvice='Before you download 1.1.15, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.14...1.1.15">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix an Envoy crash introduced in Istio 1.1.14 (&lt;a href="https://github.com/istio/istio/issues/16357">Issue 16357&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>Expose &lt;code>HTTP/2&lt;/code> window size settings as Pilot environment variables (&lt;a href="https://github.com/istio/istio/issues/17117">Issue 17117&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Mon, 16 Sep 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.15/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.15/</guid></item><item><title>Istio 1.2.4 sidecar image vulnerability</title><description>
&lt;p>To the Istios user community,&lt;/p>
&lt;p>For the period between Aug 23rd 2019 09:16PM PST and Sep 6th 2019 09:26AM PST a Docker image shipped as Istio &lt;code>proxyv2&lt;/code> 1.2.4 (c.f. &lt;a href="https://hub.docker.com/r/istio/proxyv2">https://hub.docker.com/r/istio/proxyv2&lt;/a> )
contained a faulty version of the proxy against the vulnerabilities &lt;a href="/v1.5/news/security/istio-security-2019-003/">ISTIO-SECURITY-2019-003&lt;/a> and
&lt;a href="/v1.5/news/security/istio-security-2019-004/">ISTIO-SECURITY-2019-004&lt;/a>.&lt;/p>
&lt;p>If you have installed Istio 1.2.4 during that time, please consider upgrading to Istio 1.2.5 that also contains additional security fixes.&lt;/p>
&lt;h2 id="detailed-explanation">Detailed explanation&lt;/h2>
&lt;p>Because of the communication embargo that we have exercised when fixing the recent HTTP2 DoS vulnerabilities, as it is usual for this type of release, we have built, in advance, a fixed image of the sidecar privately. At the moment of the public disclosure, we pushed that image manually on Docker hub.&lt;/p>
&lt;p>For any release that isnt fixing a privately disclosed security vulnerability, this Docker image is usually pushed through our release pipeline job, entirely automatically.&lt;/p>
&lt;p>Our automated release process does not work correctly with the manual interactions required by the vulnerability disclosure embargo: the release pipeline code kept a reference to an outdated version of the Istio repository.&lt;/p>
&lt;p>For a problem to occur, an automated build needed to be launched on an old version, this is what happened during the release of Istio 1.2.5: we have experienced a problem that required a &lt;a href="https://github.com/istio-releases/pipeline/commit/635d276ad7eac01bef9c3f195520a0f722626c0f">revert commit&lt;/a> which triggered a rebuild of 1.2.4 against an outdated version of Istios code.&lt;/p>
&lt;p>This revert commit happened on Aug 23rd 2019 09:16PM PST.
We have noticed this problem and pushed back the fixed image on Sep 6th 2019 09:26AM PST.&lt;/p>
&lt;p>We are sorry for any inconvenience you may have experienced due to this incident, and &lt;a href="https://github.com/istio/istio/issues/16887">are working towards a better release system&lt;/a>, as well as a more efficient way to deal with vulnerability reports.&lt;/p>
&lt;ul>
&lt;li>The release managers for 1.2&lt;/li>
&lt;/ul></description><pubDate>Tue, 10 Sep 2019 00:00:00 +0000</pubDate><link>/v1.5/news/security/incorrect-sidecar-image-1.2.4/</link><author/><guid isPermaLink="true">/v1.5/news/security/incorrect-sidecar-image-1.2.4/</guid><category>community</category><category>blog</category><category>security</category></item><item><title>Announcing Istio 1.2.5</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.2.5. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.2.5"
data-downloadbuttontext="DOWNLOAD 1.2.5"
data-updateadvice='Before you download 1.2.5, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.2.10'
data-updatehref="/v1.5/news/releases/1.2.x/announcing-1.2.10/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.2/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.2.4...1.2.5">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;p>Following the previous fixes for the security vulnerabilities described in &lt;a href="/v1.5/news/security/istio-security-2019-003/">ISTIO-SECURITY-2019-003&lt;/a>
and &lt;a href="/v1.5/news/security/istio-security-2019-004">ISTIO-SECURITY-2019-004&lt;/a>, we are now addressing the internal control plane communication surface.
These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.&lt;/p>
&lt;p>You can find the gRPC vulnerability fix description on their mailing list (c.f.
&lt;a href="https://groups.google.com/forum/#!topic/grpc-io/w5jPamxdda4">HTTP/2 Security Vulnerabilities&lt;/a>).&lt;/p>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix an Envoy bug that breaks &lt;code>java.net.http.HttpClient&lt;/code> and other clients that attempt to upgrade from &lt;code>HTTP/1.1&lt;/code> to &lt;code>HTTP/2&lt;/code> using the &lt;code>Upgrade: h2c&lt;/code> header (&lt;a href="https://github.com/istio/istio/issues/16391">Issue 16391&lt;/a>).&lt;/li>
&lt;li>Fix a memory leak on send timeout (&lt;a href="https://github.com/istio/istio/issues/15876">Issue 15876&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Mon, 26 Aug 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2.5/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2.5/</guid></item><item><title>Announcing Istio 1.1.14</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.14. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.14"
data-downloadbuttontext="DOWNLOAD 1.1.14"
data-updateadvice='Before you download 1.1.14, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.13...1.1.14">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;p>Following the previous fixes for the security vulnerabilities described in &lt;a href="/v1.5/news/security/istio-security-2019-003/">ISTIO-SECURITY-2019-003&lt;/a>
and &lt;a href="/v1.5/news/security/istio-security-2019-004/">ISTIO-SECURITY-2019-004&lt;/a>, we are now addressing the internal control plane communication surface. These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.&lt;/p>
&lt;p>You can find the gRPC vulnerability fix description on their mailing list (c.f.
&lt;a href="https://groups.google.com/forum/#!topic/grpc-io/w5jPamxdda4">HTTP/2 Security Vulnerabilities&lt;/a>).&lt;/p>
&lt;h2 id="bug-fix">Bug fix&lt;/h2>
&lt;ul>
&lt;li>Fix an Envoy bug that breaks &lt;code>java.net.http.HttpClient&lt;/code> and other clients that attempt to upgrade from &lt;code>HTTP/1.1&lt;/code> to &lt;code>HTTP/2&lt;/code> using the &lt;code>Upgrade: h2c&lt;/code> header (&lt;a href="https://github.com/istio/istio/issues/16391">Issue 16391&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Mon, 26 Aug 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.14/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.14/</guid></item><item><title>Support for Istio 1.1 ends on September 19th, 2019</title><description>&lt;p>According to Istio&amp;rsquo;s &lt;a href="/v1.5/about/release-cadence/">support policy&lt;/a>, LTS releases like 1.1 are supported for three months after the next LTS release. Since &lt;a href="/v1.5/news/releases/1.2.x/announcing-1.2/">1.2 was released on June 18th&lt;/a>, support for 1.1 will end on September 19th, 2019.&lt;/p>
&lt;p>At that point we will stop back-porting fixes for security issues and critical bugs to 1.1, so we encourage you to upgrade to the latest version of Istio (1.5.4). If you don&amp;rsquo;t do this you may put yourself in the position of having to do a major upgrade on a short timeframe to pick up a critical fix.&lt;/p>
&lt;p>We care about you and your clusters, so please be kind to yourself and upgrade.&lt;/p></description><pubDate>Thu, 15 Aug 2019 00:00:00 +0000</pubDate><link>/v1.5/news/support/announcing-1.1-eol/</link><author/><guid isPermaLink="true">/v1.5/news/support/announcing-1.1-eol/</guid></item><item><title>ISTIO-SECURITY-2019-004</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512">CVE-2019-9512&lt;/a>&lt;br>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513">CVE-2019-9513&lt;/a>&lt;br>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514">CVE-2019-9514&lt;/a>&lt;br>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515">CVE-2019-9515&lt;/a>&lt;br>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518">CVE-2019-9518&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>7.5 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.1 to 1.1.12&lt;br>
1.2 to 1.2.3&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Envoy, and subsequently Istio are vulnerable to a series of trivial HTTP/2-based DoS attacks:&lt;/p>
&lt;ul>
&lt;li>HTTP/2 flood using PING frames and queuing of response PING ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).&lt;/li>
&lt;li>HTTP/2 flood using PRIORITY frames that results in excessive CPU usage and starvation of other clients.&lt;/li>
&lt;li>HTTP/2 flood using HEADERS frames with invalid HTTP headers and queuing of response &lt;code>RST_STREAM&lt;/code> frames that results in unbounded memory growth (which can lead to out of memory conditions).&lt;/li>
&lt;li>HTTP/2 flood using SETTINGS frames and queuing of SETTINGS ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).&lt;/li>
&lt;li>HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients.&lt;/li>
&lt;/ul>
&lt;p>Those vulnerabilities were reported externally and affect multiple proxy implementations.
See &lt;a href="https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md">this security bulletin&lt;/a> for more information.&lt;/p>
&lt;h2 id="impact-and-detection">Impact and detection&lt;/h2>
&lt;p>If Istio terminates externally originated HTTP then it is vulnerable. If Istio is instead fronted by an intermediary that terminates HTTP (e.g., a HTTP load balancer), then that intermediary would protect Istio, assuming the intermediary is not itself vulnerable to the same HTTP/2 exploits.&lt;/p>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>For Istio 1.1.x deployments: update to a &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1.13">Istio 1.1.13&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.2.x deployments: update to a &lt;a href="/v1.5/news/releases/1.2.x/announcing-1.2.4">Istio 1.2.4&lt;/a> or later.&lt;/li>
&lt;/ul>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Tue, 13 Aug 2019 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2019-004/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2019-004/</guid><category>CVE</category></item><item><title>ISTIO-SECURITY-2019-003</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993">CVE-2019-14993&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>7.5 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.1 to 1.1.12&lt;br>
1.2 to 1.2.3&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>An Envoy user reported publicly an issue (c.f. &lt;a href="https://github.com/envoyproxy/envoy/issues/7728">Envoy Issue 7728&lt;/a>) about regular expressions (or regex) matching
that crashes Envoy with very large URIs. After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: &lt;code>JWT&lt;/code>, &lt;code>VirtualService&lt;/code>, &lt;code>HTTPAPISpecBinding&lt;/code>, &lt;code>QuotaSpecBinding&lt;/code>.&lt;/p>
&lt;h2 id="impact-and-detection">Impact and detection&lt;/h2>
&lt;p>To detect if there is any regular expressions used in Istio APIs in your cluster, run the following command which prints either of the following output:&lt;/p>
&lt;ul>
&lt;li>YOU ARE AFFECTED: found regex used in &lt;code>AuthenticationPolicy&lt;/code> or &lt;code>VirtualService&lt;/code>&lt;/li>
&lt;li>YOU ARE NOT AFFECTED: did not find regex usage&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;&amp;#39;EOF&amp;#39; | bash -
set -e
set -u
set -o pipefail
red=`tput setaf 1`
green=`tput setaf 2`
reset=`tput sgr0`
echo &amp;#34;Checking regex usage in Istio API ...&amp;#34;
AFFECTED=()
JWT_REGEX=()
JWT_REGEX+=($(kubectl get Policy --all-namespaces -o jsonpath=&amp;#39;{..regex}&amp;#39;))
JWT_REGEX+=($(kubectl get MeshPolicy --all-namespaces -o jsonpath=&amp;#39;{..regex}&amp;#39;))
if [ &amp;#34;${#JWT_REGEX[@]}&amp;#34; != 0 ]; then
AFFECTED+=(&amp;#34;AuthenticationPolicy&amp;#34;)
fi
VS_REGEX=()
VS_REGEX+=($(kubectl get VirtualService --all-namespaces -o jsonpath=&amp;#39;{..regex}&amp;#39;))
if [ &amp;#34;${#VS_REGEX[@]}&amp;#34; != 0 ]; then
AFFECTED+=(&amp;#34;VirtualService&amp;#34;)
fi
HTTPAPI_REGEX=()
HTTPAPI_REGEX+=($(kubectl get HTTPAPISpec --all-namespaces -o jsonpath=&amp;#39;{..regex}&amp;#39;))
if [ &amp;#34;${#HTTPAPI_REGEX[@]}&amp;#34; != 0 ]; then
AFFECTED+=(&amp;#34;HTTPAPISpec&amp;#34;)
fi
QUOTA_REGEX=()
QUOTA_REGEX+=($(kubectl get QuotaSpec --all-namespaces -o jsonpath=&amp;#39;{..regex}&amp;#39;))
if [ &amp;#34;${#QUOTA_REGEX[@]}&amp;#34; != 0 ]; then
AFFECTED+=(&amp;#34;QuotaSpec&amp;#34;)
fi
if [ &amp;#34;${#AFFECTED[@]}&amp;#34; != 0 ]; then
echo &amp;#34;${red}YOU ARE AFFECTED: found regex used in ${AFFECTED[@]}${reset}&amp;#34;
exit 1
fi
echo &amp;#34;${green}YOU ARE NOT AFFECTED: did not find regex usage${reset}&amp;#34;
EOF
&lt;/code>&lt;/pre>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>For Istio 1.1.x deployments: update to &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1.13">Istio 1.1.13&lt;/a> or later&lt;/li>
&lt;li>For Istio 1.2.x deployments: update to &lt;a href="/v1.5/news/releases/1.2.x/announcing-1.2.4">Istio 1.2.4&lt;/a> or later.&lt;/li>
&lt;/ul>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Tue, 13 Aug 2019 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2019-003/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2019-003/</guid><category>CVE</category></item><item><title>Announcing Istio 1.2.4</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.2.4. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.2.4"
data-downloadbuttontext="DOWNLOAD 1.2.4"
data-updateadvice='Before you download 1.2.4, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.2.10'
data-updatehref="/v1.5/news/releases/1.2.x/announcing-1.2.10/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.2/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.2.3...1.2.4">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;p>This release contains fixes for the security vulnerabilities described in &lt;a href="/v1.5/news/security/istio-security-2019-003/">ISTIO-SECURITY-2019-003&lt;/a>]
&lt;a href="/v1.5/news/security/istio-security-2019-004/">ISTIO-SECURITY-2019-004&lt;/a>. Specifically:&lt;/p>
&lt;p>&lt;strong>ISTIO-SECURITY-2019-003&lt;/strong>: An Envoy user reported publicly an issue (c.f. &lt;a href="https://github.com/envoyproxy/envoy/issues/7728">Envoy Issue 7728&lt;/a>) about regular expressions matching that crashes Envoy with very large URIs.
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993">CVE-2019-14993&lt;/a>&lt;/strong>: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: &lt;code>JWT&lt;/code>, &lt;code>VirtualService&lt;/code>, &lt;code>HTTPAPISpecBinding&lt;/code>, &lt;code>QuotaSpecBinding&lt;/code>.&lt;/p>
&lt;p>&lt;strong>ISTIO-SECURITY-2019-004&lt;/strong>: Envoy, and subsequently Istio are vulnerable to a series of trivial HTTP/2-based DoS attacks:
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512">CVE-2019-9512&lt;/a>&lt;/strong>: HTTP/2 flood using &lt;code>PING&lt;/code> frames and queuing of response &lt;code>PING&lt;/code> ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513">CVE-2019-9513&lt;/a>&lt;/strong>: HTTP/2 flood using PRIORITY frames that results in excessive CPU usage and starvation of other clients.
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514">CVE-2019-9514&lt;/a>&lt;/strong>: HTTP/2 flood using &lt;code>HEADERS&lt;/code> frames with invalid HTTP headers and queuing of response &lt;code>RST_STREAM&lt;/code> frames that results in unbounded memory growth (which can lead to out of memory conditions).
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515">CVE-2019-9515&lt;/a>&lt;/strong>: HTTP/2 flood using &lt;code>SETTINGS&lt;/code> frames and queuing of &lt;code>SETTINGS&lt;/code> ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518">CVE-2019-9518&lt;/a>&lt;/strong>: HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients.&lt;/p>
&lt;p>Nothing else is included in this release except for the above security fixes.&lt;/p></description><pubDate>Tue, 13 Aug 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2.4/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2.4/</guid></item><item><title>Announcing Istio 1.1.13</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.13. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.13"
data-downloadbuttontext="DOWNLOAD 1.1.13"
data-updateadvice='Before you download 1.1.13, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.12...1.1.13">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;p>This release contains fixes for the security vulnerabilities described in &lt;a href="/v1.5/news/security/istio-security-2019-003/">ISTIO-SECURITY-2019-003&lt;/a> and
&lt;a href="/v1.5/news/security/istio-security-2019-004/">ISTIO-SECURITY-2019-004&lt;/a>. Specifically:&lt;/p>
&lt;p>&lt;strong>ISTIO-SECURITY-2019-003&lt;/strong>: An Envoy user reported publicly an issue (c.f. &lt;a href="https://github.com/envoyproxy/envoy/issues/7728">Envoy Issue 7728&lt;/a>) about regular expressions matching that crashes Envoy with very large URIs.
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993">CVE-2019-14993&lt;/a>&lt;/strong>: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: &lt;code>JWT&lt;/code>, &lt;code>VirtualService&lt;/code>, &lt;code>HTTPAPISpecBinding&lt;/code>, &lt;code>QuotaSpecBinding&lt;/code>.&lt;/p>
&lt;p>&lt;strong>ISTIO-SECURITY-2019-004&lt;/strong>: Envoy, and subsequently Istio are vulnerable to a series of trivial HTTP/2-based DoS attacks:
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512">CVE-2019-9512&lt;/a>&lt;/strong>: HTTP/2 flood using &lt;code>PING&lt;/code> frames and queuing of response &lt;code>PING&lt;/code> ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513">CVE-2019-9513&lt;/a>&lt;/strong>: HTTP/2 flood using PRIORITY frames that results in excessive CPU usage and starvation of other clients.
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514">CVE-2019-9514&lt;/a>&lt;/strong>: HTTP/2 flood using &lt;code>HEADERS&lt;/code> frames with invalid HTTP headers and queuing of response &lt;code>RST_STREAM&lt;/code> frames that results in unbounded memory growth (which can lead to out of memory conditions).
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515">CVE-2019-9515&lt;/a>&lt;/strong>: HTTP/2 flood using &lt;code>SETTINGS&lt;/code> frames and queuing of &lt;code>SETTINGS&lt;/code> ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* &lt;strong>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518">CVE-2019-9518&lt;/a>&lt;/strong>: HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients.&lt;/p>
&lt;p>Nothing else is included in this release except for the above security fixes.&lt;/p></description><pubDate>Tue, 13 Aug 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.13/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.13/</guid></item><item><title>Announcing Istio 1.2.3</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.2.3. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.2.3"
data-downloadbuttontext="DOWNLOAD 1.2.3"
data-updateadvice='Before you download 1.2.3, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.2.10'
data-updatehref="/v1.5/news/releases/1.2.x/announcing-1.2.10/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.2/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.2.2...1.2.3">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix a bug where the sidecar could infinitely forward requests to itself when pod defines a port undefined for service (&lt;a href="https://github.com/istio/istio/issues/14443">Issue 14443&lt;/a>) and (&lt;a href="https://github.com/istio/istio/issues/14242">Issue 14242&lt;/a>)&lt;/li>
&lt;li>Fix a bug where Stackdriver adapter shuts down after telemetry is started.&lt;/li>
&lt;li>Fix Redis connectivity issues.&lt;/li>
&lt;li>Fix case-sensitivity in regex-based HTTP URI matching for Virtual Service (&lt;a href="https://github.com/istio/istio/issues/14983">Issue 14983&lt;/a>)&lt;/li>
&lt;li>Fix HPA and CPU settings for demo profile (&lt;a href="https://github.com/istio/istio/issues/15338">Issue 15338&lt;/a>)&lt;/li>
&lt;li>Relax Keep-Alive enforcement policy to avoid dropping connections under load (&lt;a href="https://github.com/istio/istio/issues/15088">Issue 15088&lt;/a>)&lt;/li>
&lt;li>When SDS is not used, skip Kubernetes JWT authentication to mitigate the risk of compromised (untrustworthy) JWTs being used.&lt;/li>
&lt;/ul>
&lt;h2 id="tests-upgrade">Tests upgrade&lt;/h2>
&lt;ul>
&lt;li>Update base image version for Bookinfo reviews sample app (&lt;a href="https://github.com/istio/istio/issues/15477">Issue 15477&lt;/a>)&lt;/li>
&lt;li>Bookinfo samples image qualification (&lt;a href="https://github.com/istio/istio/issues/14237">Issue 14237&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Fri, 02 Aug 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2.3/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2.3/</guid></item><item><title>Announcing Istio 1.1.12</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.12. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.12"
data-downloadbuttontext="DOWNLOAD 1.1.12"
data-updateadvice='Before you download 1.1.12, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.11...1.1.12">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix a bug where the sidecar could infinitely forward requests to itself when a &lt;code>Pod&lt;/code> resource defines a port that isn&amp;rsquo;t defined for a service (&lt;a href="https://github.com/istio/istio/issues/14443">Issue 14443&lt;/a>) and (&lt;a href="https://github.com/istio/istio/issues/14242">Issue 14242&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Fri, 02 Aug 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.12/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.12/</guid></item><item><title>Announcing Istio 1.1.11</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.11. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.11"
data-downloadbuttontext="DOWNLOAD 1.1.11"
data-updateadvice='Before you download 1.1.11, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.10...1.1.11">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>Add ability to enable &lt;code>HTTP/1.0&lt;/code> support in ingress gateway (&lt;a href="https://github.com/istio/istio/issues/13085">Issue 13085&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Wed, 03 Jul 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.11/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.11/</guid></item><item><title>ISTIO-SECURITY-2019-002</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12995">CVE-2019-12995&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>7.5 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH%2fE%3aF%2fRL%3aO%2fRC%3aC">CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.0 to 1.0.8&lt;br>
1.1 to 1.1.9&lt;br>
1.2 to 1.2.1&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>A bug in Istios JWT validation filter causes Envoy to crash in certain cases when the request contains a malformed JWT token. The bug was discovered and reported by a user &lt;a href="https://github.com/istio/istio/issues/15084">on GitHub&lt;/a> on June 23, 2019.&lt;/p>
&lt;p>This bug affects all versions of Istio that are using the JWT authentication policy.&lt;/p>
&lt;p>The symptoms of the bug are an HTTP 503 error seen by the client, and&lt;/p>
&lt;pre>&lt;code class='language-plain' data-expandlinks='true' data-repo='istio' >Epoch 0 terminated with an error: signal: segmentation fault (core dumped)
&lt;/code>&lt;/pre>
&lt;p>in the Envoy logs.&lt;/p>
&lt;p>The Envoy crash can be triggered using a malformed JWT without a valid signature, and on any URI being accessed regardless of the &lt;code>trigger_rules&lt;/code> in the JWT specification. Thus, this bug makes Envoy vulnerable to a potential DoS attack.&lt;/p>
&lt;h2 id="impact-and-detection">Impact and detection&lt;/h2>
&lt;p>Envoy is vulnerable if the following two conditions are satisfied:&lt;/p>
&lt;ul>
&lt;li>A JWT authentication policy is applied to it.&lt;/li>
&lt;li>The JWT issuer (specified by &lt;code>jwksUri&lt;/code>) uses the RSA algorithm for signature verification&lt;/li>
&lt;/ul>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">The RSA algorithm used for signature verification does not contain any known security vulnerability. This CVE is triggered only when using this algorithm but is unrelated to the security of the system.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>If JWT policy is applied to the Istio ingress gateway, please be aware that any external user who has access to the ingress gateway could crash it with a single HTTP request.&lt;/p>
&lt;p>If JWT policy is applied to the sidecar only, please keep in mind it might still be vulnerable. For example, the Istio ingress gateway might forward the JWT token to the sidecar which could be a malformed JWT token that crashes the sidecar.&lt;/p>
&lt;p>A vulnerable Envoy will crash on an HTTP request with a malformed JWT token. When Envoy crashes, all existing connections will be disconnected immediately. The &lt;code>pilot-agent&lt;/code> will restart the crashed Envoy automatically and it may take a few seconds to a few minutes for the restart. pilot-agent will stop restarting Envoy after it crashed more than ten times. In this case, Kubernetes will redeploy the pod, including the workload behind Envoy.&lt;/p>
&lt;p>To detect if there is any JWT authentication policy applied in your cluster, run the following command which print either of the following output:&lt;/p>
&lt;ul>
&lt;li>Found JWT in authentication policy, &lt;strong>YOU ARE AFFECTED&lt;/strong>&lt;/li>
&lt;li>Did NOT find JWT in authentication policy, &lt;em>YOU ARE NOT AFFECTED&lt;/em>&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;&amp;#39;EOF&amp;#39; | bash -
set -e
set -u
set -o pipefail
red=`tput setaf 1`
green=`tput setaf 2`
reset=`tput sgr0`
echo &amp;#34;Checking authentication policy...&amp;#34;
JWKS_URI=()
JWKS_URI+=($(kubectl get policy --all-namespaces -o jsonpath=&amp;#39;{range .items[*]}{.spec.origins[*].jwt.jwksUri}{&amp;#34; &amp;#34;}{end}&amp;#39;))
JWKS_URI+=($(kubectl get meshpolicy --all-namespaces -o jsonpath=&amp;#39;{range .items[*]}{.spec.origins[*].jwt.jwksUri}{&amp;#34; &amp;#34;}{end}&amp;#39;))
if [ &amp;#34;${#JWKS_URI[@]}&amp;#34; != 0 ]; then
echo &amp;#34;${red}Found JWT in authentication policy, YOU ARE AFFECTED${reset}&amp;#34;
exit 1
fi
echo &amp;#34;${green}Did NOT find JWT in authentication policy, YOU ARE NOT AFFECTED${reset}&amp;#34;
EOF
&lt;/code>&lt;/pre>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;p>This bug is fixed in the following Istio releases:&lt;/p>
&lt;ul>
&lt;li>For Istio 1.0.x deployments: update to &lt;a href="/v1.5/news/releases/1.0.x/announcing-1.0.9">Istio 1.0.9&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.1.x deployments: update to &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1.10">Istio 1.1.10&lt;/a> or later.&lt;/li>
&lt;li>For Istio 1.2.x deployments: update to &lt;a href="/v1.5/news/releases/1.2.x/announcing-1.2.2">Istio 1.2.2&lt;/a> or later.&lt;/li>
&lt;/ul>
&lt;p>If you cannot immediately upgrade to one of these releases, you have the additional option of injecting a
&lt;a href="https://github.com/istio/tools/tree/master/examples/luacheck">Lua filter&lt;/a> into older releases of Istio.
This filter has been verified to work with Istio 1.1.9, 1.0.8, 1.0.6, and 1.1.3.&lt;/p>
&lt;p>The Lua filter is injected &lt;em>before&lt;/em> the Istio &lt;code>jwt-auth&lt;/code> filter.
If a JWT token is presented on an http request, the &lt;code>Lua&lt;/code> filter will check if the JWT token header contains alg:ES256. If the filter finds such a JWT token, the request is rejected.&lt;/p>
&lt;p>To install the Lua filter, please invoke the following commands:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ git clone git@github.com:istio/tools.git
$ cd tools/examples/luacheck/
$ ./setup.sh
&lt;/code>&lt;/pre>
&lt;p>The setup script uses helm template to produce an &lt;code>envoyFilter&lt;/code> resource that deploys to gateways. You may change the listener type to &lt;code>ANY&lt;/code> to also apply it to sidecars. You should only do this if you enforce JWT policies on sidecars &lt;em>and&lt;/em> sidecars receive direct traffic from the outside.&lt;/p>
&lt;h2 id="credit">Credit&lt;/h2>
&lt;p>The Istio team would like to thank Divya Raj for the original bug report.&lt;/p>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Fri, 28 Jun 2019 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2019-002/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2019-002/</guid><category>CVE</category></item><item><title>Announcing Istio 1.2.2</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.2.2. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.2.2"
data-downloadbuttontext="DOWNLOAD 1.2.2"
data-updateadvice='Before you download 1.2.2, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.2.10'
data-updatehref="/v1.5/news/releases/1.2.x/announcing-1.2.10/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.2/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.2.1...1.2.2">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix crash in Istio&amp;rsquo;s JWT Envoy filter caused by malformed JWT (&lt;a href="https://github.com/istio/istio/issues/15084">Issue 15084&lt;/a>)&lt;/li>
&lt;li>Fix incorrect overwrite of x-forwarded-proto header (&lt;a href="https://github.com/istio/istio/issues/15124">Issue 15124&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Fri, 28 Jun 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2.2/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2.2/</guid></item><item><title>Announcing Istio 1.1.10</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.10. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.10"
data-downloadbuttontext="DOWNLOAD 1.1.10"
data-updateadvice='Before you download 1.1.10, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.9...1.1.10">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Eliminate 503 errors caused by Envoy not being able to talk to the SDS Node Agent after a restart (&lt;a href="https://github.com/istio/istio/issues/14853">Issue 14853&lt;/a>).&lt;/li>
&lt;li>Fix cause of &amp;lsquo;TLS error: Secret is not supplied by SDS&amp;rsquo; errors during upgrade (&lt;a href="https://github.com/istio/istio/issues/15020">Issue 15020&lt;/a>).&lt;/li>
&lt;li>Fix crash in Istio&amp;rsquo;s JWT Envoy filter caused by malformed JWT (&lt;a href="https://github.com/istio/istio/issues/15084">Issue 15084&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Fri, 28 Jun 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.10/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.10/</guid></item><item><title>Announcing Istio 1.0.9</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.0.9. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/1.0.9">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.0/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.0.8...1.0.9">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix crash in Istio&amp;rsquo;s JWT Envoy filter caused by malformed JWT (&lt;a href="https://github.com/istio/istio/issues/15084">Issue 15084&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Fri, 28 Jun 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.0.x/announcing-1.0.9/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.0.x/announcing-1.0.9/</guid></item><item><title>Announcing Istio 1.2.1</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.2.1. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.2.1"
data-downloadbuttontext="DOWNLOAD 1.2.1"
data-updateadvice='Before you download 1.2.1, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.2.10'
data-updatehref="/v1.5/news/releases/1.2.x/announcing-1.2.10/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.2/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.2.0...1.2.1">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix duplicate CRD being generated in the install (&lt;a href="https://github.com/istio/istio/issues/14976">Issue 14976&lt;/a>)&lt;/li>
&lt;li>Fix Mixer unable to start when Galley is disabled (&lt;a href="https://github.com/istio/istio/issues/14841">Issue 14841&lt;/a>)&lt;/li>
&lt;li>Fix environment variable shadowing (NAMESPACE is used for listened namespaces and overwrites Citadel storage namespace (istio-system))&lt;/li>
&lt;li>Fix cause of &amp;lsquo;TLS error: Secret is not supplied by SDS&amp;rsquo; errors during upgrade (&lt;a href="https://github.com/istio/istio/issues/15020">Issue 15020&lt;/a>)&lt;/li>
&lt;/ul>
&lt;h2 id="minor-enhancements">Minor enhancements&lt;/h2>
&lt;ul>
&lt;li>Allow users to disable Istio default retries by setting retries to 0 (&lt;a href="https://github.com/istio/istio/issues/14900">Issue 14900&lt;/a>)&lt;/li>
&lt;li>Introduction of a Redis filter (this feature is guarded with the environment feature flag &lt;code>PILOT_ENABLE_REDIS_FILTER&lt;/code>, disabled by default)&lt;/li>
&lt;li>Add HTTP/1.0 support to gateway configuration generation (&lt;a href="https://github.com/istio/istio/issues/13085">Issue 13085&lt;/a>)&lt;/li>
&lt;li>Add &lt;a href="https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/">toleration&lt;/a> for Istio components (&lt;a href="https://github.com/istio/istio/pull/15081">Pull Request 15081&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Thu, 27 Jun 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2.1/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2.1/</guid></item><item><title>Support for Istio 1.0 has ended</title><description>&lt;p>As &lt;a href="/v1.5/news/support/announcing-1.0-eol/">previously announced&lt;/a>, support for Istio 1.0 has now officially ended.&lt;/p>
&lt;p>We will no longer back-port fixes for security issues and critical bugs to 1.0, so we encourage you to upgrade to the latest version of Istio (1.5.4) if you haven&amp;rsquo;t already.&lt;/p></description><pubDate>Wed, 19 Jun 2019 00:00:00 +0000</pubDate><link>/v1.5/news/support/announcing-1.0-eol-final/</link><author/><guid isPermaLink="true">/v1.5/news/support/announcing-1.0-eol-final/</guid></item><item><title>Announcing Istio 1.1.9</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.9. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.9"
data-downloadbuttontext="DOWNLOAD 1.1.9"
data-updateadvice='Before you download 1.1.9, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.8...1.1.9">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Prevent overly large strings from being sent to Prometheus (&lt;a href="https://github.com/istio/istio/issues/14642">Issue 14642&lt;/a>).&lt;/li>
&lt;li>Reuse previously cached JWT public keys if transport errors are encountered during renewal (&lt;a href="https://github.com/istio/istio/issues/14638">Issue 14638&lt;/a>).&lt;/li>
&lt;li>Bypass JWT authentication for HTTP OPTIONS methods to support CORS requests.&lt;/li>
&lt;li>Fix Envoy crash caused by the Mixer filter (&lt;a href="https://github.com/istio/istio/issues/14707">Issue 14707&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>Expose cryptographic signature verification functions to &lt;code>Lua&lt;/code> Envoy filters (&lt;a href="https://github.com/envoyproxy/envoy/issues/7009">Envoy Issue 7009&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Mon, 17 Jun 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.9/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.9/</guid></item><item><title>Announcing Istio 1.0.8</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.0.8. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.0.8"
data-downloadbuttontext="DOWNLOAD 1.0.8"
data-updateadvice='Before you download 1.0.8, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.0.9'
data-updatehref="/v1.5/news/releases/1.0.x/announcing-1.0.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.0/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.0.7...1.0.8">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix issue where Citadel could generate a new root CA if it cannot contact the Kubernetes API server, causing mutual TLS verification to incorrectly fail (&lt;a href="https://github.com/istio/istio/issues/14512">Issue 14512&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>Update Citadel&amp;rsquo;s default root CA certificate TTL from 1 year to 10 years.&lt;/li>
&lt;/ul></description><pubDate>Fri, 07 Jun 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.0.x/announcing-1.0.8/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.0.x/announcing-1.0.8/</guid></item><item><title>Announcing Istio 1.1.8</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.8. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.8"
data-downloadbuttontext="DOWNLOAD 1.1.8"
data-updateadvice='Before you download 1.1.8, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.7...1.1.8">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix &lt;code>PASSTHROUGH DestinationRules&lt;/code> for CDS clusters (&lt;a href="https://github.com/istio/istio/issues/13744">Issue 13744&lt;/a>).&lt;/li>
&lt;li>Make the &lt;code>appVersion&lt;/code> and &lt;code>version&lt;/code> fields in the Helm charts display the correct Istio version (&lt;a href="https://github.com/istio/istio/issues/14290">Issue 14290&lt;/a>).&lt;/li>
&lt;li>Fix Mixer crash affecting both policy and telemetry servers (&lt;a href="https://github.com/istio/istio/issues/14235">Issue 14235&lt;/a>).&lt;/li>
&lt;li>Fix multicluster issue where two pods in different clusters could not share the same IP address (&lt;a href="https://github.com/istio/istio/issues/14066">Issue 14066&lt;/a>).&lt;/li>
&lt;li>Fix issue where Citadel could generate a new root CA if it cannot contact the Kubernetes API server, causing mutual TLS verification to incorrectly fail (&lt;a href="https://github.com/istio/istio/issues/14512">Issue 14512&lt;/a>).&lt;/li>
&lt;li>Improve Pilot validation to reject different &lt;code>VirtualServices&lt;/code> with the same domain since Envoy will not accept them (&lt;a href="https://github.com/istio/istio/issues/13267">Issue 13267&lt;/a>).&lt;/li>
&lt;li>Fix locality load balancing issue where only one replica in a locality would receive traffic (&lt;a href="https://github.com/istio/istio/issues/13994">13994&lt;/a>).&lt;/li>
&lt;li>Fix issue where Pilot Agent might not notice a TLS certificate rotation (&lt;a href="https://github.com/istio/istio/issues/14539">Issue 14539&lt;/a>).&lt;/li>
&lt;li>Fix a &lt;code>LuaJIT&lt;/code> panic in Envoy (&lt;a href="https://github.com/envoyproxy/envoy/pull/6994">Envoy Issue 6994&lt;/a>).&lt;/li>
&lt;li>Fix a race condition where Envoy might reuse a HTTP/1.1 connection after the downstream peer had already closed the TCP connection, causing 503 errors and retries (&lt;a href="https://github.com/istio/istio/issues/14037">Issue 14037&lt;/a>).&lt;/li>
&lt;li>Fix a tracing issue in Mixer&amp;rsquo;s Zipkin adapter causing missing spans (&lt;a href="https://github.com/istio/istio/issues/13391">Issue 13391&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>Reduce Pilot log spam by logging the &lt;code>the endpoints within network ... will be ignored for no network configured&lt;/code> message at &lt;code>DEBUG&lt;/code>.&lt;/li>
&lt;li>Make it easier to rollback by making pilot-agent ignore unknown flags.&lt;/li>
&lt;li>Update Citadel&amp;rsquo;s default root CA certificate TTL from 1 year to 10 years.&lt;/li>
&lt;/ul></description><pubDate>Thu, 06 Jun 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.8/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.8/</guid></item><item><title>ISTIO-SECURITY-2019-001</title><description>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th colspan="2">Disclosure Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>CVE(s)&lt;/td>
&lt;td>
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12243">CVE-2019-12243&lt;/a>&lt;br>
&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>CVSS Impact Score&lt;/td>
&lt;td>8.9 &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS%3a3.0%2fAV%3aA%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aC%2fC%3aH%2fI%3aH%2fA%3aN%2fE%3aH%2fRL%3aO%2fRC%3aC">CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Affected Releases&lt;/td>
&lt;td>
1.1 to 1.1.6&lt;br>
&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>During review of the &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1.7">Istio 1.1.7&lt;/a> release notes, we realized that &lt;a href="https://github.com/istio/istio/issues/13868">issue 13868&lt;/a>,
which is fixed in the release, actually represents a security vulnerability.&lt;/p>
&lt;p>Initially we thought the bug was impacting the &lt;a href="/v1.5/about/feature-stages/#security-and-policy-enforcement">TCP Authorization&lt;/a> feature advertised
as alpha stability, which would not have required invoking this security advisory process, but we later realized that the
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/denier/">Deny Checker&lt;/a> and
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/list/">List Checker&lt;/a> feature were affected and those are considered stable features.
We are revisiting our processes to flag vulnerabilities that are initially reported as bugs instead of through the
&lt;a href="/v1.5/about/security-vulnerabilities/">private disclosure process&lt;/a>.&lt;/p>
&lt;p>We tracked the bug to a code change introduced in Istio 1.1 and affecting all releases up to 1.1.6.&lt;/p>
&lt;h2 id="impact-and-detection">Impact and detection&lt;/h2>
&lt;p>Since Istio 1.1, In the default Istio installation profile, policy enforcement is disabled by default.&lt;/p>
&lt;p>You can check the status of policy enforcement for your mesh with the following command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system get cm istio -o jsonpath=&amp;#34;{@.data.mesh}&amp;#34; | grep disablePolicyChecks
disablePolicyChecks: true
&lt;/code>&lt;/pre>
&lt;p>You are not impacted by this vulnerability if &lt;code>disablePolicyChecks&lt;/code> is set to true.&lt;/p>
&lt;p>You are impacted by the vulnerability issue if the following conditions are all true:&lt;/p>
&lt;ul>
&lt;li>You are running one of the affected Istio releases.&lt;/li>
&lt;li>&lt;code>disablePolicyChecks&lt;/code> is set to false (follow the steps mentioned above to check)&lt;/li>
&lt;li>Your workload is NOT using HTTP, HTTP/2, or gRPC protocols&lt;/li>
&lt;li>A mixer adapter (e.g., Deny Checker, List Checker) is used to provide authorization for your backend TCP service.&lt;/li>
&lt;/ul>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;ul>
&lt;li>Users of Istio 1.0.x are not affected.&lt;/li>
&lt;li>For Istio 1.1.x deployments: update to &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1.7">Istio 1.1.7&lt;/a> or later.&lt;/li>
&lt;/ul>
&lt;h2 id="credit">Credit&lt;/h2>
&lt;p>The Istio team would like to thank &lt;code>Haim Helman&lt;/code> for the original bug report.&lt;/p>
&lt;h2 id="reporting-vulnerabilities">Reporting vulnerabilities&lt;/h2>
&lt;p>Wed like to remind our community to follow the &lt;a href="/v1.5/about/security-vulnerabilities/">vulnerability reporting process&lt;/a> to report any bug that can result in a
security vulnerability.</description><pubDate>Tue, 28 May 2019 00:00:00 +0000</pubDate><link>/v1.5/news/security/istio-security-2019-001/</link><author/><guid isPermaLink="true">/v1.5/news/security/istio-security-2019-001/</guid><category>CVE</category></item><item><title>Support for Istio 1.0 ends on June 19th, 2019</title><description>&lt;p>According to Istio&amp;rsquo;s &lt;a href="/v1.5/about/release-cadence/">support policy&lt;/a>, LTS releases like 1.0 are supported for three months after the next LTS release. Since &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1/">1.1 was released on March 19th&lt;/a>, support for 1.0 will end on June 19th, 2019.&lt;/p>
&lt;p>At that point we will stop back-porting fixes for security issues and critical bugs to 1.0, so we encourage you to upgrade to the latest version of Istio (1.5.4). If you don&amp;rsquo;t do this you may put yourself in the position of having to do a major upgrade on a short timeframe to pick up a critical fix.&lt;/p>
&lt;p>We care about you and your clusters, so please be kind to yourself and upgrade.&lt;/p></description><pubDate>Thu, 23 May 2019 00:00:00 +0000</pubDate><link>/v1.5/news/support/announcing-1.0-eol/</link><author/><guid isPermaLink="true">/v1.5/news/support/announcing-1.0-eol/</guid></item><item><title>Announcing Istio 1.1.7</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.7. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.7"
data-downloadbuttontext="DOWNLOAD 1.1.7"
data-updateadvice='Before you download 1.1.7, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.6...1.1.7">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;p>This release fixes &lt;a href="/v1.5/news/security/istio-security-2019-001">CVE 2019-12243&lt;/a>.&lt;/p>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix issue where two gateways with overlapping hosts, created at the same second, can cause Pilot to fail to generate routes correctly and lead to Envoy listeners stuck indefinitely at startup in a warming state.&lt;/li>
&lt;li>Improve the robustness of the SDS node agent: if Envoy sends a SDS request with an empty &lt;code>ResourceNames&lt;/code>, ignore it and wait for the next request instead of closing the connection (&lt;a href="https://github.com/istio/istio/issues/13853">Issue 13853&lt;/a>).&lt;/li>
&lt;li>In prior releases Pilot automatically injected the experimental &lt;code>envoy.filters.network.mysql_proxy&lt;/code> filter into the outbound filter chain if the service port name is &lt;code>mysql&lt;/code>. This was surprising and caused issues for some operators, so Pilot will now automatically inject the &lt;code>envoy.filters.network.mysql_proxy&lt;/code> filter only if the &lt;code>PILOT_ENABLE_MYSQL_FILTER&lt;/code> environment variable is set to &lt;code>1&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/13998">Issue 13998&lt;/a>).&lt;/li>
&lt;li>Fix issue where Mixer policy checks were incorrectly disabled for TCP (&lt;a href="https://github.com/istio/istio/issues/13868">Issue 13868&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>Add &lt;code>--applicationPorts&lt;/code> option to the &lt;code>ingressgateway&lt;/code> Helm charts. When set to a comma-delimited list of ports, readiness checks will fail until all the ports become active. When configured, traffic will not be sent to Envoys stuck in the warming state.&lt;/li>
&lt;li>Increase memory limit in the &lt;code>ingressgateway&lt;/code> Helm chart to 1GB and add resource &lt;code>request&lt;/code> and &lt;code>limits&lt;/code> to the SDS node agent container to support HPA autoscaling.&lt;/li>
&lt;/ul></description><pubDate>Fri, 17 May 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.7/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.7/</guid></item><item><title>Announcing Istio 1.1.6</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.6. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.6"
data-downloadbuttontext="DOWNLOAD 1.1.6"
data-updateadvice='Before you download 1.1.6, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.5...1.1.6">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix Galley Helm charts so that the &lt;code>validatingwebhookconfiguration&lt;/code> object can now deployed to a namespace other than &lt;code>istio-system&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/13625">Issue 13625&lt;/a>).&lt;/li>
&lt;li>Additional Helm chart fixes for anti-affinity support: fix &lt;code>gatewaypodAntiAffinityRequiredDuringScheduling&lt;/code> and &lt;code>podAntiAffinityLabelSelector&lt;/code> match expressions and fix the default value for &lt;code>podAntiAffinityLabelSelector&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/13892">Issue 13892&lt;/a>).&lt;/li>
&lt;li>Make Pilot handle a condition where Envoy continues to request routes for a deleted gateway while listeners are still draining (&lt;a href="https://github.com/istio/istio/issues/13739">Issue 13739&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>If access logs are enabled, &lt;code>passthrough&lt;/code> listener requests will be logged.&lt;/li>
&lt;li>Make Pilot tolerate unknown JSON fields to make it easier to rollback to older versions during upgrade.&lt;/li>
&lt;li>Add support for fallback secrets to &lt;code>SDS&lt;/code> which Envoy can use instead of waiting indefinitely for late or non-existent secrets during startup (&lt;a href="https://github.com/istio/istio/issues/13853">Issue 13853&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Sat, 11 May 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.6/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.6/</guid></item><item><title>Announcing Istio 1.1.5</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.5. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.5"
data-downloadbuttontext="DOWNLOAD 1.1.5"
data-updateadvice='Before you download 1.1.5, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.4...1.1.5">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Add additional validation to Pilot to reject gateway configuration with overlapping hosts matches (&lt;a href="https://github.com/istio/istio/issues/13717">Issue 13717&lt;/a>).&lt;/li>
&lt;li>Build against the latest stable version of &lt;code>istio-cni&lt;/code> instead of the latest daily build (&lt;a href="https://github.com/istio/istio/issues/13171">Issue 13171&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>Add additional logging to help diagnose hostname resolution failures (&lt;a href="https://github.com/istio/istio/issues/13581">Issue 13581&lt;/a>).&lt;/li>
&lt;li>Improve ease of installing &lt;code>prometheus&lt;/code> by removing unnecessary use of &lt;code>busybox&lt;/code> image (&lt;a href="https://github.com/istio/istio/issues/13501">Issue 13501&lt;/a>).&lt;/li>
&lt;li>Make Pilot Agent&amp;rsquo;s certificate paths configurable (&lt;a href="https://github.com/istio/istio/issues/11984">Issue 11984&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Fri, 03 May 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.5/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.5/</guid></item><item><title>Announcing Istio 1.1.4</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.4. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.4"
data-downloadbuttontext="DOWNLOAD 1.1.4"
data-updateadvice='Before you download 1.1.4, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.3...1.1.4">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="behavior-change">Behavior change&lt;/h2>
&lt;ul>
&lt;li>Changed the default behavior for Pilot to allow traffic to outside the mesh, even if it is on the same port as an internal service.
This behavior can be controlled by the &lt;code>PILOT_ENABLE_FALLTHROUGH_ROUTE&lt;/code> environment variable.&lt;/li>
&lt;/ul>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Fixed egress route generation for services of type &lt;code>ExternalName&lt;/code>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added support for configuring Envoy&amp;rsquo;s idle connection timeout, which prevents running out of
memory or IP ports over time (&lt;a href="https://github.com/istio/istio/issues/13355">Issue 13355&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed a crashing bug in Pilot in failover handling of locality-based load balancing.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed a crashing bug in Pilot when it was given custom certificate paths.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed a bug in Pilot where it was ignoring short names used as service entry hosts (&lt;a href="https://github.com/istio/istio/issues/13436">Issue 13436&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Added missing &lt;code>https_protocol_options&lt;/code> to the envoy-metrics-service cluster configuration.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed a bug in Pilot where it didn&amp;rsquo;t handle https traffic correctly in the fall through route case (&lt;a href="https://github.com/istio/istio/issues/13386">Issue 13386&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed a bug where Pilot didn&amp;rsquo;t remove endpoints from Envoy after they were removed from Kubernetes (&lt;a href="https://github.com/istio/istio/issues/13402">Issue 13402&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed a crashing bug in the node agent (&lt;a href="https://github.com/istio/istio/issues/13325">Issue 13325&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Added missing validation to prevent gateway names from containing dots (&lt;a href="https://github.com/istio/istio/issues/13211">Issue 13211&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed bug where &lt;a href="/v1.5/docs/reference/config/networking/destination-rule#LoadBalancerSettings-ConsistentHashLB">&lt;code>ConsistentHashLB.minimumRingSize&lt;/code>&lt;/a>
was defaulting to 0 instead of the documented 1024 (&lt;a href="https://github.com/istio/istio/issues/13261">Issue 13261&lt;/a>).&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Updated to the latest version of the &lt;a href="https://www.kiali.io">Kiali&lt;/a> add-on.&lt;/p>&lt;/li>
&lt;li>&lt;p>Updated to the latest version of &lt;a href="https://grafana.com">Grafana&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added validation to ensure Citadel is only deployed with a single replica (&lt;a href="https://github.com/istio/istio/issues/13383">Issue 13383&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Added support to configure the logging level of the proxy and Istio control plane ((&lt;a href="https://github.com/istio/istio/issues/11847">Issue 11847&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Allow sidecars to bind to any loopback address and not just 127.0.0.1 (&lt;a href="https://github.com/istio/istio/issues/13201">Issue 13201&lt;/a>).&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Wed, 24 Apr 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.4/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.4/</guid></item><item><title>Announcing Istio 1.1.3</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.3. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.3"
data-downloadbuttontext="DOWNLOAD 1.1.3"
data-updateadvice='Before you download 1.1.3, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.2...1.1.3">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="known-issues-with-1-1-3">Known issues with 1.1.3&lt;/h2>
&lt;ul>
&lt;li>A &lt;a href="https://github.com/istio/istio/issues/13325">panic in the Node Agent&lt;/a> was discovered late in the 1.1.3 qualification process. The panic only occurs in clusters with the alpha-quality SDS certificate rotation feature enabled. Since this is the first time we have included SDS certificate rotation in our long-running release tests, we don&amp;rsquo;t know whether this is a latent bug or a new regression. Considering SDS certificate rotation is in alpha, we have decided to release 1.1.3 with this issue and target a fix for the 1.1.4 release.&lt;/li>
&lt;/ul>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Istio-specific back-ports of Envoy patches for &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900">&lt;code>CVE-2019-9900&lt;/code>&lt;/a> and
&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901">&lt;code>CVE-2019-9901&lt;/code>&lt;/a> included in Istio 1.1.2 have been dropped in favor of an
Envoy update which contains the final version of the patches.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix load balancer weight setting for split horizon &lt;code>EDS&lt;/code>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix typo in the default Envoy &lt;code>JSON&lt;/code> log format (&lt;a href="https://github.com/istio/istio/issues/12232">Issue 12232&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Correctly reload out-of-process adapter address upon configuration change (&lt;a href="https://github.com/istio/istio/issues/12488">Issue 12488&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Restore Kiali settings that were accidentally deleted (&lt;a href="https://github.com/istio/istio/issues/3660">Issue 3660&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Prevent services with same target port resulting in duplicate inbound listeners (&lt;a href="https://github.com/istio/istio/issues/9504">Issue 9504&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix issue with configuring &lt;code>Sidecar egress&lt;/code> ports for namespaces other than &lt;code>istio-system&lt;/code> resulting in a &lt;code>envoy.tcp_proxy&lt;/code> filter of &lt;code>BlackHoleCluster&lt;/code> by auto binding
to services for &lt;code>Sidecar&lt;/code> listeners (&lt;a href="https://github.com/istio/istio/issues/12536">Issue 12536&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix gateway &lt;code>vhost&lt;/code> configuration generation issue by favoring more specific host matches (&lt;a href="https://github.com/istio/istio/issues/12655">Issue 12655&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix &lt;code>ALLOW_ANY&lt;/code> so it now allows external traffic if there is already an http service present on a port.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix validation logic so that &lt;code>port.name&lt;/code> is no longer a valid &lt;code>PortSelection&lt;/code>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-proxy-config-cluster">&lt;code>istioctl proxy-config cluster&lt;/code>&lt;/a> cluster type column rendering (&lt;a href="https://github.com/istio/istio/issues/12455">Issue 12455&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix SDS secret mount configuration.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix incorrect Istio version in the Helm charts.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix partial DNS failures in the presence of overlapping ports (&lt;a href="https://github.com/istio/istio/issues/11658">Issue 11658&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix Helm &lt;code>podAntiAffinity&lt;/code> template error (&lt;a href="https://github.com/istio/istio/issues/12790">Issue 12790&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix bug with the original destination service discovery not using the original destination load balancer.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fix SDS memory leak in the presence of invalid or missing keying materials (&lt;a href="https://github.com/istio/istio/issues/13197">Issue 13197&lt;/a>).&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Hide &lt;code>ServiceAccounts&lt;/code> from &lt;code>PushContext&lt;/code> log to reduce log volume.&lt;/p>&lt;/li>
&lt;li>&lt;p>Configure &lt;code>localityLbSetting&lt;/code> in &lt;code>values.yaml&lt;/code> by passing it through to the mesh configuration.&lt;/p>&lt;/li>
&lt;li>&lt;p>Remove the soon-to-be deprecated &lt;code>critical-pod&lt;/code> annotation from Helm charts (&lt;a href="https://github.com/istio/istio/issues/12650">Issue 12650&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Support pod anti-affinity annotations to improve control plane availability (&lt;a href="https://github.com/istio/istio/issues/11333">Issue 11333&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Pretty print &lt;code>IP&lt;/code> addresses in access logs.&lt;/p>&lt;/li>
&lt;li>&lt;p>Remove redundant write header to further reduce log volume.&lt;/p>&lt;/li>
&lt;li>&lt;p>Improve destination host validation in Pilot.&lt;/p>&lt;/li>
&lt;li>&lt;p>Explicitly configure &lt;code>istio-init&lt;/code> to run as root so use of pod-level &lt;code>securityContext.runAsUser&lt;/code> doesn&amp;rsquo;t break it (&lt;a href="https://github.com/istio/istio/issues/5453">Issue 5453&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Add configuration samples for Vault integration.&lt;/p>&lt;/li>
&lt;li>&lt;p>Respect locality load balancing weight settings from &lt;code>ServiceEntry&lt;/code>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Make the TLS certificate location watched by Pilot Agent configurable (&lt;a href="https://github.com/istio/istio/issues/11984">Issue 11984&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Add support for Datadog tracing.&lt;/p>&lt;/li>
&lt;li>&lt;p>Add alias to &lt;code>istioctl&lt;/code> so &amp;lsquo;x&amp;rsquo; can be used instead of &amp;lsquo;experimental&amp;rsquo;.&lt;/p>&lt;/li>
&lt;li>&lt;p>Provide improved distribution of sidecar certificate by adding jitter to their CSR requests.&lt;/p>&lt;/li>
&lt;li>&lt;p>Allow weighted load balancing registry locality to be configured.&lt;/p>&lt;/li>
&lt;li>&lt;p>Add support for standard CRDs for compiled-in Mixer adapters.&lt;/p>&lt;/li>
&lt;li>&lt;p>Reduce Pilot resource requirements for demo configuration.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fully populate Galley dashboard by adding data source (&lt;a href="https://github.com/istio/istio/issues/13040">Issue 13040&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Propagate Istio 1.1 &lt;code>sidecar&lt;/code> performance tuning to the &lt;code>istio-gateway&lt;/code>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Improve destination host validation by rejecting &lt;code>*&lt;/code> hosts (&lt;a href="https://github.com/istio/istio/issues/12794">Issue 12794&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Expose upstream &lt;code>idle_timeout&lt;/code> in cluster definition so dead connections can sometimes be removed from connection pools before they are used
(&lt;a href="https://github.com/istio/istio/issues/9113">Issue 9113&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>When registering a &lt;code>Sidecar&lt;/code> resource to restrict what a pod can see, the restrictions are now applied if the spec contains a
&lt;code>workloadSelector&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/11818">Issue 11818&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Update the Bookinfo example to use port 80 for TLS origination.&lt;/p>&lt;/li>
&lt;li>&lt;p>Add liveness probe for Citadel.&lt;/p>&lt;/li>
&lt;li>&lt;p>Improve AWS ELB interoperability by making 15020 the first port listed in the &lt;code>ingressgateway&lt;/code> service (&lt;a href="https://github.com/istio/istio/issues/12503">Issue 12502&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Use outlier detection for failover mode but not for distribute mode for locality weighted load balancing (&lt;a href="https://github.com/istio/istio/issues/12961">Issues 12965&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>Replace generation of Envoy&amp;rsquo;s deprecated &lt;code>enabled&lt;/code> field in &lt;code>CorsPolicy&lt;/code> with the replacement &lt;code>filter_enabled&lt;/code> field for 1.1.0+ sidecars only.&lt;/p>&lt;/li>
&lt;li>&lt;p>Standardize labels on Mixer&amp;rsquo;s Helm charts.&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Mon, 15 Apr 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.3/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.3/</guid></item><item><title>Announcing Istio 1.1.2 with Important Security Update</title><description>
&lt;p>We&amp;rsquo;re announcing immediate availability of Istio 1.1.2 which contains some important security updates. Please see below for details.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.2"
data-downloadbuttontext="DOWNLOAD 1.1.2"
data-updateadvice='Before you download 1.1.2, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.1...1.1.2">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;p>Two security vulnerabilities have recently been identified in the Envoy proxy
(&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900">CVE 2019-9900&lt;/a> and &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901">CVE 2019-9901&lt;/a>). The
vulnerabilities have now been patched in Envoy version 1.9.1, and correspondingly in the Envoy builds
embedded in Istio 1.1.2 and Istio 1.0.7. Since Envoy is an integral part of Istio, users are advised to update Istio
immediately to mitigate security risks arising from these vulnerabilities.&lt;/p>
&lt;p>The vulnerabilities are centered on the fact that Envoy did not normalize HTTP URI paths and did not fully validate HTTP/1.1 header values. These
vulnerabilities impact Istio features that rely on Envoy to enforce any of authorization, routing, or rate limiting.&lt;/p>
&lt;h2 id="affected-istio-releases">Affected Istio releases&lt;/h2>
&lt;p>The following Istio releases are vulnerable:&lt;/p>
&lt;ul>
&lt;li>&lt;p>1.1, 1.1.1&lt;/p>
&lt;ul>
&lt;li>These releases can be patched to Istio 1.1.2.&lt;/li>
&lt;li>1.1.2 is built from the same source as 1.1.1 with the addition of Envoy patches minimally sufficient to address the CVEs.&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>&lt;p>1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6&lt;/p>
&lt;ul>
&lt;li>These releases can be patched to Istio 1.0.7&lt;/li>
&lt;li>1.0.7 is built from the same source as 1.0.6 with the addition of Envoy patches minimally sufficient to address the CVEs.&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>&lt;p>0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8&lt;/p>
&lt;ul>
&lt;li>These releases are no longer supported and will not be patched. Please upgrade to a supported release with the necessary fixes.&lt;/li>
&lt;/ul>&lt;/li>
&lt;/ul>
&lt;h2 id="vulnerability-impact">Vulnerability impact&lt;/h2>
&lt;p>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900">CVE 2019-9900&lt;/a> and &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901">CVE 2019-9901&lt;/a>
allow remote attackers access to unauthorized resources by using specially crafted request URI paths (9901) and NUL bytes in
HTTP/1.1 headers (9900), potentially circumventing DoS prevention systems such as rate limiting, or routing to a unexposed upstream system. Refer to
&lt;a href="https://github.com/envoyproxy/envoy/issues/6434">issue 6434&lt;/a>
and &lt;a href="https://github.com/envoyproxy/envoy/issues/6435">issue 6435&lt;/a> for more information.&lt;/p>
&lt;p>As Istio is based on Envoy, Istio customers can be affected by these vulnerabilities based on whether paths and request headers are used within Istio
policies or routing rules and how the backend HTTP implementation resolves them. If prefix path matching rules are used by Mixer or by Istio authorization
policies or the routing rules, an attacker could exploit these vulnerabilities to gain access to unauthorized paths on certain HTTP backends.&lt;/p>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;p>Eliminating the vulnerabilities requires updating to a corrected version of Envoy. Weve incorporated the necessary updates in the latest Istio patch releases.&lt;/p>
&lt;p>For Istio 1.1.x deployments: update to a minimum of &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1.2">Istio 1.1.2&lt;/a>&lt;/p>
&lt;p>For Istio 1.0.x deployments: update to a minimum of &lt;a href="/v1.5/news/releases/1.0.x/announcing-1.0.7">Istio 1.0.7&lt;/a>&lt;/p>
&lt;p>While Envoy 1.9.1 requires opting in to path normalization to address CVE 2019-9901, the version of Envoy embedded in Istio 1.1.2 and 1.0.7 enables path
normalization by default.&lt;/p>
&lt;h2 id="detection-of-nul-header-exploit">Detection of NUL header exploit&lt;/h2>
&lt;p>Based on current information, this only affects HTTP/1.1 traffic. If this is not structurally possible in your network or configuration, then it is unlikely
that this vulnerability applies.&lt;/p>
&lt;p>File-based access logging uses the &lt;code>c_str()&lt;/code> representation for header values, as does gRPC access logging, so there will be no trivial detection via
Envoys access logs by scanning for NUL. Instead, operators might look for inconsistencies in logs between the routing that Envoy performs and the logic
intended in the &lt;code>RouteConfiguration&lt;/code>.&lt;/p>
&lt;p>External authorization and rate limit services can check for NULs in headers. Backend servers might have sufficient logging to detect NULs or unintended
access; its likely that many will simply reject NULs in this scenario via 400 Bad Request, as per RFC 7230.&lt;/p>
&lt;h2 id="detection-of-path-traversal-exploit">Detection of path traversal exploit&lt;/h2>
&lt;p>Envoys access logs (whether file-based or gRPC) will contain the unnormalized path, so it is possible to examine these logs to detect suspicious patterns and
requests that are incongruous with the intended operator configuration intent. In addition, unnormalized paths are available at &lt;code>ext_authz&lt;/code>, rate limiting
and backend servers for log inspection.&lt;/p></description><pubDate>Fri, 05 Apr 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.2/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.2/</guid></item><item><title>Announcing Istio 1.0.7 with Important Security Update</title><description>
&lt;p>We&amp;rsquo;re announcing immediate availability of Istio 1.0.7 which contains some important security updates. Please see below for details.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.0.7"
data-downloadbuttontext="DOWNLOAD 1.0.7"
data-updateadvice='Before you download 1.0.7, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.0.9'
data-updatehref="/v1.5/news/releases/1.0.x/announcing-1.0.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.0/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.0.6...1.0.7">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="security-update">Security update&lt;/h2>
&lt;p>Two security vulnerabilities have recently been identified in the Envoy proxy
(&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900">CVE 2019-9900&lt;/a> and &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901">CVE 2019-9901&lt;/a>). The
vulnerabilities have now been patched in Envoy version 1.9.1, and correspondingly in the Envoy builds
embedded in Istio 1.1.2 and Istio 1.0.7. Since Envoy is an integral part of Istio, users are advised to update Istio
immediately to mitigate security risks arising from these vulnerabilities.&lt;/p>
&lt;p>The vulnerabilities are centered on the fact that Envoy did not normalize HTTP URI paths and did not fully validate HTTP/1.1 header values. These
vulnerabilities impact Istio features that rely on Envoy to enforce any of authorization, routing, or rate limiting.&lt;/p>
&lt;h2 id="affected-istio-releases">Affected Istio releases&lt;/h2>
&lt;p>The following Istio releases are vulnerable:&lt;/p>
&lt;ul>
&lt;li>&lt;p>1.1, 1.1.1&lt;/p>
&lt;ul>
&lt;li>These releases can be patched to Istio 1.1.2.&lt;/li>
&lt;li>1.1.2 is built from the same source as 1.1.1 with the addition of Envoy patches minimally sufficient to address the CVEs.&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>&lt;p>1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6&lt;/p>
&lt;ul>
&lt;li>These releases can be patched to Istio 1.0.7&lt;/li>
&lt;li>1.0.7 is built from the same source as 1.0.6 with the addition of Envoy patches minimally sufficient to address the CVEs.&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>&lt;p>0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8&lt;/p>
&lt;ul>
&lt;li>These releases are no longer supported and will not be patched. Please upgrade to a supported release with the necessary fixes.&lt;/li>
&lt;/ul>&lt;/li>
&lt;/ul>
&lt;h2 id="vulnerability-impact">Vulnerability impact&lt;/h2>
&lt;p>&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900">CVE 2019-9900&lt;/a> and &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901">CVE 2019-9901&lt;/a>
allow remote attackers access to unauthorized resources by using specially crafted request URI paths (9901) and NUL bytes in
HTTP/1.1 headers (9900), potentially circumventing DoS prevention systems such as rate limiting, or routing to a unexposed upstream system. Refer to
&lt;a href="https://github.com/envoyproxy/envoy/issues/6434">issue 6434&lt;/a>
and &lt;a href="https://github.com/envoyproxy/envoy/issues/6435">issue 6435&lt;/a> for more information.&lt;/p>
&lt;p>As Istio is based on Envoy, Istio customers can be affected by these vulnerabilities based on whether paths and request headers are used within Istio
policies or routing rules and how the backend HTTP implementation resolves them. If prefix path matching rules are used by Mixer or by Istio authorization
policies or the routing rules, an attacker could exploit these vulnerabilities to gain access to unauthorized paths on certain HTTP backends.&lt;/p>
&lt;h2 id="mitigation">Mitigation&lt;/h2>
&lt;p>Eliminating the vulnerabilities requires updating to a corrected version of Envoy. Weve incorporated the necessary updates in the latest Istio patch releases.&lt;/p>
&lt;p>For Istio 1.1.x deployments: update to a minimum of &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1.2">Istio 1.1.2&lt;/a>&lt;/p>
&lt;p>For Istio 1.0.x deployments: update to a minimum of &lt;a href="/v1.5/news/releases/1.0.x/announcing-1.0.7">Istio 1.0.7&lt;/a>&lt;/p>
&lt;p>While Envoy 1.9.1 requires opting in to path normalization to address CVE 2019-9901, the version of Envoy embedded in Istio 1.1.2 and 1.0.7 enables path
normalization by default.&lt;/p>
&lt;h2 id="detection-of-nul-header-exploit">Detection of NUL header exploit&lt;/h2>
&lt;p>Based on current information, this only affects HTTP/1.1 traffic. If this is not structurally possible in your network or configuration, then it is unlikely
that this vulnerability applies.&lt;/p>
&lt;p>File-based access logging uses the &lt;code>c_str()&lt;/code> representation for header values, as does gRPC access logging, so there will be no trivial detection via
Envoys access logs by scanning for NUL. Instead, operators might look for inconsistencies in logs between the routing that Envoy performs and the logic
intended in the &lt;code>RouteConfiguration&lt;/code>.&lt;/p>
&lt;p>External authorization and rate limit services can check for NULs in headers. Backend servers might have sufficient logging to detect NULs or unintended
access; its likely that many will simply reject NULs in this scenario via 400 Bad Request, as per RFC 7230.&lt;/p>
&lt;h2 id="detection-of-path-traversal-exploit">Detection of path traversal exploit&lt;/h2>
&lt;p>Envoys access logs (whether file-based or gRPC) will contain the unnormalized path, so it is possible to examine these logs to detect suspicious patterns and
requests that are incongruous with the intended operator configuration intent. In addition, unnormalized paths are available at &lt;code>ext_authz&lt;/code>, rate limiting
and backend servers for log inspection.&lt;/p></description><pubDate>Fri, 05 Apr 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.0.x/announcing-1.0.7/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.0.x/announcing-1.0.7/</guid></item><item><title>Announcing Istio 1.1.1</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.1.1. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/">
&lt;h5>BEFORE YOU UPGRADE&lt;/h5>
&lt;p>Things to know and prepare before upgrading.&lt;/p>
&lt;/a>
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.1.1"
data-downloadbuttontext="DOWNLOAD 1.1.1"
data-updateadvice='Before you download 1.1.1, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.1.17'
data-updatehref="/v1.5/news/releases/1.1.x/announcing-1.1.17/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.1/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.1.0...1.1.1">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes-and-minor-enhancements">Bug fixes and minor enhancements&lt;/h2>
&lt;ul>
&lt;li>Configure Prometheus to monitor Citadel (&lt;a href="https://github.com/istio/istio/pull/12175">Issue 12175&lt;/a>)&lt;/li>
&lt;li>Improve output of &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-verify-install">&lt;code>istioctl verify-install&lt;/code>&lt;/a> command (&lt;a href="https://github.com/istio/istio/pull/12174">Issue 12174&lt;/a>)&lt;/li>
&lt;li>Reduce log level for missing service account messages for a SPIFFE URI (&lt;a href="https://github.com/istio/istio/issues/12108">Issue 12108&lt;/a>)&lt;/li>
&lt;li>Fix broken path on the opt-in SDS feature&amp;rsquo;s Unix domain socket (&lt;a href="https://github.com/istio/istio/pull/12688">Issue 12688&lt;/a>)&lt;/li>
&lt;li>Fix Envoy tracing that was preventing a child span from being created if the parent span was propagated with an empty string (&lt;a href="https://github.com/envoyproxy/envoy/pull/6263">Envoy Issue 6263&lt;/a>)&lt;/li>
&lt;li>Add namespace scoping to the Gateway &amp;lsquo;port&amp;rsquo; names. This fixes two issues:
&lt;ul>
&lt;li>&lt;code>IngressGateway&lt;/code> only respects first port 443 Gateway definition (&lt;a href="https://github.com/istio/istio/issues/11509">Issue 11509&lt;/a>)&lt;/li>
&lt;li>Istio &lt;code>IngressGateway&lt;/code> routing broken with two different gateways with same port name (SDS) (&lt;a href="https://github.com/istio/istio/issues/12500">Issue 12500&lt;/a>)&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>Five bug fixes for locality weighted load balancing:
&lt;ul>
&lt;li>Fix bug causing empty endpoints per locality (&lt;a href="https://github.com/istio/istio/issues/12610">Issue 12610&lt;/a>)&lt;/li>
&lt;li>Apply locality weighted load balancing configuration correctly (&lt;a href="https://github.com/istio/istio/issues/12587">Issue 12587&lt;/a>)&lt;/li>
&lt;li>Locality label &lt;code>istio-locality&lt;/code> in Kubernetes should not contain &lt;code>/&lt;/code>, use &lt;code>.&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/12582">Issue 12582&lt;/a>)&lt;/li>
&lt;li>Fix crash in locality load balancing (&lt;a href="https://github.com/istio/istio/pull/12649">Issue 12649&lt;/a>)&lt;/li>
&lt;li>Fix bug in locality load balancing normalization (&lt;a href="https://github.com/istio/istio/pull/12579">Issue 12579&lt;/a>)&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>Propagate Envoy Metrics Service configuration (&lt;a href="https://github.com/istio/istio/issues/12569">Issue 12569&lt;/a>)&lt;/li>
&lt;li>Do not apply &lt;code>VirtualService&lt;/code> rule to the wrong gateway (&lt;a href="https://github.com/istio/istio/issues/10313">Issue 10313&lt;/a>)&lt;/li>
&lt;/ul></description><pubDate>Mon, 25 Mar 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1.1/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1.1/</guid></item><item><title>Announcing Istio 1.0.6</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.0.6. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.0.6"
data-downloadbuttontext="DOWNLOAD 1.0.6"
data-updateadvice='Before you download 1.0.6, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.0.9'
data-updatehref="/v1.5/news/releases/1.0.x/announcing-1.0.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.0/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.0.5...1.0.6">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="bug-fixes">Bug fixes&lt;/h2>
&lt;ul>
&lt;li>Fix Galley Helm charts so that the &lt;code>validatingwebhookconfiguration&lt;/code> object can now deployed to a namespace other than &lt;code>istio-system&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/13625">Issue 13625&lt;/a>).&lt;/li>
&lt;li>Additional Helm chart fixes for anti-affinity support: fix &lt;code>gatewaypodAntiAffinityRequiredDuringScheduling&lt;/code> and &lt;code>podAntiAffinityLabelSelector&lt;/code> match expressions and fix the default value for &lt;code>podAntiAffinityLabelSelector&lt;/code> (&lt;a href="https://github.com/istio/istio/issues/13892">Issue 13892&lt;/a>).&lt;/li>
&lt;li>Make Pilot handle a condition where Envoy continues to request routes for a deleted gateway while listeners are still draining (&lt;a href="https://github.com/istio/istio/issues/13739">Issue 13739&lt;/a>).&lt;/li>
&lt;/ul>
&lt;h2 id="small-enhancements">Small enhancements&lt;/h2>
&lt;ul>
&lt;li>If access logs are enabled, &lt;code>passthrough&lt;/code> listener requests will be logged.&lt;/li>
&lt;li>Make Pilot tolerate unknown JSON fields to make it easier to rollback to older versions during upgrade.&lt;/li>
&lt;li>Add support for fallback secrets to &lt;code>SDS&lt;/code> which Envoy can use instead of waiting indefinitely for late or non-existent secrets during startup (&lt;a href="https://github.com/istio/istio/issues/13853">Issue 13853&lt;/a>).&lt;/li>
&lt;/ul></description><pubDate>Tue, 12 Feb 2019 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.0.x/announcing-1.0.6/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.0.x/announcing-1.0.6/</guid></item><item><title>Announcing Istio 1.0.5</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.0.5. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.0.5"
data-downloadbuttontext="DOWNLOAD 1.0.5"
data-updateadvice='Before you download 1.0.5, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.0.9'
data-updatehref="/v1.5/news/releases/1.0.x/announcing-1.0.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.0/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.0.4...1.0.5">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="general">General&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Disabled the precondition cache in the &lt;code>istio-policy&lt;/code> service as it lead to invalid results. The
cache will be reintroduced in a later release.&lt;/p>&lt;/li>
&lt;li>&lt;p>Mixer now only generates spans when there is an enabled &lt;code>tracespan&lt;/code> adapter, resulting in lower CPU overhead in normal cases.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed a problem that could lead Pilot to hang.&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Thu, 20 Dec 2018 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.0.x/announcing-1.0.5/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.0.x/announcing-1.0.5/</guid></item><item><title>Announcing Istio 1.0.4</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.0.4. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.0.4"
data-downloadbuttontext="DOWNLOAD 1.0.4"
data-updateadvice='Before you download 1.0.4, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.0.9'
data-updatehref="/v1.5/news/releases/1.0.x/announcing-1.0.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.0/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.0.3...1.0.4">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="known-issues">Known issues&lt;/h2>
&lt;ul>
&lt;li>Pilot may deadlock when using &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-proxy-status">&lt;code>istioctl proxy-status&lt;/code>&lt;/a> to get proxy synchronization status.
The work around is to &lt;em>not use&lt;/em> &lt;code>istioctl proxy-status&lt;/code>.
Once Pilot enters a deadlock, it exhibits continuous memory growth eventually running out of memory.&lt;/li>
&lt;/ul>
&lt;h2 id="networking">Networking&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Fixed the lack of removal of stale endpoints causing &lt;code>503&lt;/code> errors.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed sidecar injection when a pod label contains a &lt;code>/&lt;/code>.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="policy-and-telemetry">Policy and telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Fixed occasional data corruption problem with out-of-process Mixer adapters leading to incorrect behavior.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed excessive CPU usage by Mixer when waiting for missing CRDs.&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Wed, 21 Nov 2018 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.0.x/announcing-1.0.4/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.0.x/announcing-1.0.4/</guid></item><item><title>Announcing Istio 1.0.3</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.0.3. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.0.3"
data-downloadbuttontext="DOWNLOAD 1.0.3"
data-updateadvice='Before you download 1.0.3, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.0.9'
data-updatehref="/v1.5/news/releases/1.0.x/announcing-1.0.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.0/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.0.2...1.0.3">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="behavior-changes">Behavior changes&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;a href="/v1.5/docs/ops/common-problems/validation">Validating webhook&lt;/a> is now mandatory. Disabling it may result in Pilot crashes.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="/v1.5/docs/reference/config/networking/service-entry/">Service entry&lt;/a> validation now rejects the wildcard hostname (&lt;code>*&lt;/code>) when configuring DNS resolution. The API has never allowed this, however &lt;code>ServiceEntry&lt;/code> was erroneously excluded from validation in the previous release. Use of wildcards as part of a hostname, e.g. &lt;code>*.bar.com&lt;/code>, remains unchanged.&lt;/p>&lt;/li>
&lt;li>&lt;p>The core dump path for &lt;code>istio-proxy&lt;/code> has changed to &lt;code>/var/lib/istio&lt;/code>.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="networking">Networking&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Mutual TLS Permissive mode is enabled by default.&lt;/p>&lt;/li>
&lt;li>&lt;p>Pilot performance and scalability has been greatly enhanced. Pilot now delivers endpoint updates to 500 sidecars in under 1 second.&lt;/p>&lt;/li>
&lt;li>&lt;p>Default &lt;a href="/v1.5/docs/tasks/observability/distributed-tracing/overview/#trace-sampling">trace sampling&lt;/a> is set to 1%.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="policy-and-telemetry">Policy and telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Mixer (&lt;code>istio-telemetry&lt;/code>) now supports load shedding based on request rate and expected latency.&lt;/p>&lt;/li>
&lt;li>&lt;p>Mixer client (&lt;code>istio-policy&lt;/code>) now supports &lt;code>FAIL_OPEN&lt;/code> setting.&lt;/p>&lt;/li>
&lt;li>&lt;p>Istio Performance dashboard added to Grafana.&lt;/p>&lt;/li>
&lt;li>&lt;p>Reduced &lt;code>istio-telemetry&lt;/code> CPU usage by 10%.&lt;/p>&lt;/li>
&lt;li>&lt;p>Eliminated &lt;code>statsd-to-prometheus&lt;/code> deployment. Prometheus now directly scrapes from &lt;code>istio-proxy&lt;/code>.&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Tue, 30 Oct 2018 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.0.x/announcing-1.0.3/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.0.x/announcing-1.0.3/</guid></item><item><title>Announcing Istio 1.0.2</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.0.2. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.0.2"
data-downloadbuttontext="DOWNLOAD 1.0.2"
data-updateadvice='Before you download 1.0.2, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.0.9'
data-updatehref="/v1.5/news/releases/1.0.x/announcing-1.0.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.0/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.0.1...1.0.2">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="general">General&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Fixed bug in Envoy where the sidecar would crash if receiving normal traffic on the mutual TLS port.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed bug with Pilot propagating incomplete updates to Envoy in a multicluster environment.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added a few more Helm options for Grafana.&lt;/p>&lt;/li>
&lt;li>&lt;p>Improved Kubernetes service registry queue performance.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed bug where &lt;code>istioctl proxy-status&lt;/code> was not showing the patch version.&lt;/p>&lt;/li>
&lt;li>&lt;p>Add validation of virtual service SNI hosts.&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Thu, 06 Sep 2018 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.0.x/announcing-1.0.2/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.0.x/announcing-1.0.2/</guid></item><item><title>Announcing Istio 1.0.1</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 1.0.1. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.0.1"
data-downloadbuttontext="DOWNLOAD 1.0.1"
data-updateadvice='Before you download 1.0.1, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.0.9'
data-updatehref="/v1.5/news/releases/1.0.x/announcing-1.0.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.0/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://github.com/istio/istio/compare/1.0.0...1.0.1">
&lt;h5>SOURCE CHANGES&lt;/h5>
&lt;p>Inspect the full set of source code changes.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="networking">Networking&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Improved Pilot scalability and Envoy startup time.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed virtual service host mismatch issue when adding a port.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added limited support for &lt;a href="/v1.5/docs/ops/best-practices/traffic-management/#split-virtual-services">merging multiple virtual service or destination rule definitions&lt;/a> for the same host.&lt;/p>&lt;/li>
&lt;li>&lt;p>Allow &lt;a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/cluster/outlier_detection.proto">outlier&lt;/a> consecutive gateway failures when using HTTP.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="environment">Environment&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Made it possible to use Pilot standalone, for those users who want to only leverage Istio&amp;rsquo;s traffic management functionality.&lt;/p>&lt;/li>
&lt;li>&lt;p>Introduced the convenient &lt;code>values-istio-gateway.yaml&lt;/code> configuration that enables users to run standalone gateways.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed a variety of Helm installation issues, including an issue with the &lt;code>istio-sidecar-injector&lt;/code> configmap not being found.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed the Istio installation error with Galley not being ready.&lt;/p>&lt;/li>
&lt;li>&lt;p>Fixed a variety of issues around mesh expansion.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="policy-and-telemetry">Policy and telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Added an experimental metrics expiration configuration to the Mixer Prometheus adapter.&lt;/p>&lt;/li>
&lt;li>&lt;p>Updated Grafana to 5.2.2.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="adapters">Adapters&lt;/h3>
&lt;ul>
&lt;li>Ability to specify sink options for the Stackdriver adapter.&lt;/li>
&lt;/ul>
&lt;h2 id="galley">Galley&lt;/h2>
&lt;ul>
&lt;li>Improved configuration validation for health checks.&lt;/li>
&lt;/ul></description><pubDate>Wed, 29 Aug 2018 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.0.x/announcing-1.0.1/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.0.x/announcing-1.0.1/</guid></item><item><title>Announcing Istio 1.0</title><description>
&lt;p>Today, were excited to announce Istio 1.0! Its been a little over a year since our initial 0.1 release. Since then, Istio has evolved significantly with the help of a thriving and growing community of contributors and users. Weve now reached the point where many companies have successfully adopted Istio in production and have gotten real value from the insight and control it provides over their deployments. Weve helped large enterprises and fast-moving startups like &lt;a href="https://www.ebay.com/">eBay&lt;/a>, &lt;a href="https://www.autotrader.co.uk/">Auto Trader UK&lt;/a>, &lt;a href="http://www.descarteslabs.com/">Descartes Labs&lt;/a>, &lt;a href="https://www.fitstation.com/">HP FitStation&lt;/a>, &lt;a href="https://juspay.in">JUSPAY&lt;/a>, &lt;a href="https://www.namely.com/">Namely&lt;/a>, &lt;a href="https://www.pubnub.com/">PubNub&lt;/a> and &lt;a href="https://www.trulia.com/">Trulia&lt;/a> use Istio to connect, manage and secure their services from the ground up. Shipping this release as 1.0 is recognition that weve built a core set of functionality that our users can rely on for production use.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="update-notice entry"
data-title='Update Notice'
data-downloadhref="https://github.com/istio/istio/releases/tag/1.0.0"
data-downloadbuttontext="DOWNLOAD 1.0.0"
data-updateadvice='Before you download 1.0, you should know that there&amp;#39;s a newer patch release with the latest bug fixes and perf improvements.'
data-updatebutton='LEARN ABOUT ISTIO 1.0.9'
data-updatehref="/v1.5/news/releases/1.0.x/announcing-1.0.9/">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v1.0/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="ecosystem">Ecosystem&lt;/h2>
&lt;p>Weve seen substantial growth in Istio&amp;rsquo;s ecosystem in the last year. &lt;a href="https://www.envoyproxy.io/">Envoy&lt;/a> continues its impressive growth and added numerous
features that are crucial for a production quality service mesh. Observability providers like &lt;a href="https://www.datadoghq.com/">Datadog&lt;/a>,
&lt;a href="https://www.solarwinds.com/">SolarWinds&lt;/a>, &lt;a href="https://sysdig.com/blog/monitor-istio/">Sysdig&lt;/a>, &lt;a href="https://cloud.google.com/stackdriver/">Google Stackdriver&lt;/a> and
&lt;a href="https://aws.amazon.com/cloudwatch/">Amazon CloudWatch&lt;/a> have written plugins to integrate Istio with their products.
&lt;a href="https://www.tigera.io/resources/using-network-policy-concert-istio-2/">Tigera&lt;/a>, &lt;a href="https://www.aporeto.com/">Aporeto&lt;/a>, &lt;a href="https://cilium.io/">Cilium&lt;/a>
and &lt;a href="https://styra.com/">Styra&lt;/a> built extensions to our policy enforcement and networking capabilities. &lt;a href="https://www.redhat.com/en">Red Hat&lt;/a> built &lt;a href="https://www.kiali.io">Kiali&lt;/a> to wrap a nice user-experience around mesh management and observability. &lt;a href="https://www.cloudfoundry.org/">Cloud Foundry&lt;/a> is building on Istio for its next generation traffic routing stack, the recently announced &lt;a href="https://github.com/knative/docs">Knative&lt;/a> serverless project is doing the same and &lt;a href="https://apigee.com/">Apigee&lt;/a> announced that they plan to use it in their API management solution. These are just some of the integrations the community has added in the last year.&lt;/p>
&lt;h2 id="features">Features&lt;/h2>
&lt;p>Since the 0.8 release weve added some important new features and more importantly marked many of our existing features as Beta signaling that theyre ready for production use.
Here are some highlights:&lt;/p>
&lt;ul>
&lt;li>&lt;p>Multiple Kubernetes clusters can now be &lt;a href="/v1.5/docs/setup/install/multicluster/">added to a single mesh&lt;/a> and enabling cross-cluster communication and consistent policy enforcement. Multicluster support is now Beta.&lt;/p>&lt;/li>
&lt;li>&lt;p>Networking APIs that enable fine grained control over the flow of traffic through a mesh are now Beta. Explicitly modeling ingress and egress concerns using Gateways allows operators to &lt;a href="/v1.5/blog/2018/v1alpha3-routing/">control the network topology&lt;/a> and meet access security requirements at the edge.&lt;/p>&lt;/li>
&lt;li>&lt;p>Mutual TLS can now be &lt;a href="/v1.5/docs/tasks/security/authentication/mtls-migration">rolled out incrementally&lt;/a> without requiring all clients of a service to be updated. This is a critical feature that unblocks adoption in-place by existing production deployments.&lt;/p>&lt;/li>
&lt;li>&lt;p>Mixer now has support for &lt;a href="https://github.com/istio/istio/wiki/Out-Of-Process-gRPC-Adapter-Dev-Guide">developing out-of-process adapters&lt;/a>. This will become the default way to extend Mixer over the coming releases and makes building adapters much simpler.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="/v1.5/docs/concepts/security/#authorization">Authorization policies&lt;/a> which control access to services are now entirely evaluated locally in Envoy increasing
their performance and reliability.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="/v1.5/docs/setup/install/helm/">Helm chart installation&lt;/a> is now the recommended install method offering rich customization options to adopt Istio on your terms.&lt;/p>&lt;/li>
&lt;li>&lt;p>Weve put a lot of effort into performance including continuous regression testing, large scale environment simulation and targeted fixes. Were very happy with the results and will share more on this in detail in the coming weeks.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="what-s-next">Whats next?&lt;/h2>
&lt;p>While this is a significant milestone for the project theres lots more to do. In working with adopters weve gotten a lot of great feedback about what to focus next. Weve heard consistent themes around support for hybrid-cloud, install modularity, richer networking features and scalability for massive deployments. Weve already taken some of this feedback into account in the 1.0 release and well continue to aggressively tackle this work in the coming months.&lt;/p>
&lt;h2 id="getting-started">Getting started&lt;/h2>
&lt;p>If youre new to Istio and looking to use it for your deployment wed love to hear from you. Take a look at &lt;a href="/v1.5/docs/">our docs&lt;/a> or stop by our
&lt;a href="https://discuss.istio.io">chat forum&lt;/a>. If youd like
to go deeper and &lt;a href="/v1.5/about/community">contribute to the project&lt;/a> come to one of our community meetings and say hello.&lt;/p>
&lt;h2 id="thanks">Thanks&lt;/h2>
&lt;p>The Istio team would like to give huge thanks to everyone who has made a contribution to the project. It wouldnt be where it is today without your help. The last year has been pretty amazing and we look forward to the next one with excitement about what we can achieve together as a community.&lt;/p>
&lt;h2 id="release-notes">Release notes&lt;/h2>
&lt;h3 id="networking">Networking&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;strong>SNI Routing using Virtual Services&lt;/strong>. Newly introduced &lt;code>TLS&lt;/code> sections in
&lt;a href="/v1.5/docs/reference/config/networking/virtual-service/">&lt;code>VirtualService&lt;/code>&lt;/a> can be used to route TLS traffic
based on SNI values. Service ports named as TLS/HTTPS can be used in conjunction with
virtual service TLS routes. TLS/HTTPS ports without an accompanying virtual service will be treated as opaque TCP.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Streaming gRPC Restored&lt;/strong>. Istio 0.8 caused periodic termination of long running streaming gRPC connections. This has been fixed in 1.0.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Old (v1alpha1) Networking APIs Removed&lt;/strong>. Support for the old &lt;code>v1alpha1&lt;/code> traffic management model
has been removed.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Istio Ingress Deprecated&lt;/strong>. The old Istio ingress is deprecated and disabled by default. We encourage users to use &lt;a href="/v1.5/docs/concepts/traffic-management/#gateways">gateways&lt;/a> instead.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="policy-and-telemetry">Policy and telemetry&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Updated Attributes&lt;/strong>. The set of &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/attribute-vocabulary/">attributes&lt;/a> used to describe the source and
destination of traffic have been completely revamped in order to be more
precise and comprehensive.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Policy Check Cache&lt;/strong>. Mixer now features a large level 2 cache for policy checks, complementing the level 1 cache
present in the sidecar proxy. This further reduces the average latency of externally-enforced
policy checks.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Telemetry Buffering&lt;/strong>. Mixer now buffers report calls before dispatching to adapters, which gives an opportunity for
adapters to process telemetry data in bigger chunks, reducing overall computational overhead
in Mixer and its adapters.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Out of Process Adapters&lt;/strong>. Mixer now includes initial support for out-of-process adapters. This will
be the recommended approach moving forward for integrating with Mixer. Initial documentation on
how to build an out-of-process adapter is provided by the
&lt;a href="https://github.com/istio/istio/wiki/Mixer-Out-Of-Process-Adapter-Dev-Guide">Out Of Process Adapter Dev Guide&lt;/a>
and the &lt;a href="https://github.com/istio/istio/wiki/Mixer-Out-Of-Process-Adapter-Walkthrough">Out Of Process Adapter Walk-through&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Client-Side Telemetry&lt;/strong>. It&amp;rsquo;s now possible to collect telemetry from the client of an interaction,
in addition to the server-side telemetry.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h4 id="adapters">Adapters&lt;/h4>
&lt;ul>
&lt;li>&lt;p>&lt;strong>SignalFX&lt;/strong>. There is a new &lt;code>signalfx&lt;/code> adapter.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Stackdriver&lt;/strong>. The &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/stackdriver/">&lt;code>stackdriver&lt;/code>&lt;/a> adapter has been substantially enhanced in this
release to add new features and improve performance.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="security">Security&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Authorization&lt;/strong>. We&amp;rsquo;ve reimplemented our &lt;a href="/v1.5/docs/concepts/security/#authorization">authorization functionality&lt;/a>.
RPC-level authorization policies can now be implemented without the need for Mixer and Mixer adapters.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Improved Mutual TLS Authentication Control&lt;/strong>. It&amp;rsquo;s now easier to &lt;a href="/v1.5/docs/concepts/security/#authentication">control mutual TLS authentication&lt;/a> between services. We provide &amp;lsquo;PERMISSIVE&amp;rsquo; mode so that you can
&lt;a href="/v1.5/docs/tasks/security/authentication/mtls-migration/">incrementally turn on mutual TLS&lt;/a> for your services.
We removed service annotations and have a &lt;a href="/v1.5/docs/tasks/security/authentication/authn-policy/">unique approach to turn on mutual TLS&lt;/a>,
coupled with client-side &lt;a href="/v1.5/docs/concepts/traffic-management/#destination-rules">destination rules&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>JWT Authentication&lt;/strong>. We now support &lt;a href="/v1.5/docs/concepts/security/#authentication">JWT authentication&lt;/a> which can
be configured using &lt;a href="/v1.5/docs/concepts/security/#authentication-policies">authentication policies&lt;/a>.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="istioctl">&lt;code>istioctl&lt;/code>&lt;/h3>
&lt;ul>
&lt;li>&lt;p>Added the &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-authn-tls-check">&lt;code>istioctl authn tls-check&lt;/code>&lt;/a> command.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added the &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-proxy-status">&lt;code>istioctl proxy-status&lt;/code>&lt;/a> command.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added the &lt;code>istioctl experimental convert-ingress&lt;/code> command.&lt;/p>&lt;/li>
&lt;li>&lt;p>Removed the &lt;code>istioctl experimental convert-networking-config&lt;/code> command.&lt;/p>&lt;/li>
&lt;li>&lt;p>Enhancements and bug fixes:&lt;/p>
&lt;ul>
&lt;li>&lt;p>Align &lt;code>kubeconfig&lt;/code> handling with &lt;code>kubectl&lt;/code>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;code>istioctl get all&lt;/code> returns all types of networking and authentication configuration.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added the &lt;code>--all-namespaces&lt;/code> flag to &lt;code>istioctl get&lt;/code> to retrieve resources across all namespaces.&lt;/p>&lt;/li>
&lt;/ul>&lt;/li>
&lt;/ul>
&lt;h3 id="known-issues-with-1-0">Known issues with 1.0&lt;/h3>
&lt;ul>
&lt;li>&lt;p>Amazon&amp;rsquo;s EKS service does not implement automatic sidecar injection. Istio can be used in Amazon&amp;rsquo;s
EKS by using &lt;a href="/v1.5/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection">manual injection&lt;/a> for
sidecars and turning off galley using the &lt;a href="/v1.5/docs/setup/install/helm">Helm parameter&lt;/a>
&lt;code>--set galley.enabled=false&lt;/code>.&lt;/p>&lt;/li>
&lt;li>&lt;p>In a &lt;a href="/v1.5/docs/setup/install/multicluster">multicluster deployment&lt;/a> the mixer-telemetry
and mixer-policy components do not connect to the Kubernetes API endpoints of any of the remote
clusters. This results in a loss of telemetry fidelity as some of the metadata associated
with workloads on remote clusters is incomplete.&lt;/p>&lt;/li>
&lt;li>&lt;p>There are Kubernetes manifests available for using Citadel standalone or with Citadel health checking enabled.
There is not a Helm implementation of these modes. See &lt;a href="https://github.com/istio/istio/issues/6922">Issue 6922&lt;/a>
for more details.&lt;/p>&lt;/li>
&lt;li>&lt;p>Mesh expansion functionality, which lets you add raw VMs to a mesh is broken in 1.0. We&amp;rsquo;re expecting to produce a
patch that fixes this problem within a few days.&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Tue, 31 Jul 2018 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.0.x/announcing-1.0/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.0.x/announcing-1.0/</guid></item><item><title>Announcing Istio 0.8</title><description>
&lt;p>This is a major release for Istio on the road to 1.0. There are a great many new features and architectural improvements in addition to the usual pile of bug fixes and performance improvements.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/0.8.0">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v0.8/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="networking">Networking&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Revamped Traffic Management Model&lt;/strong>. We&amp;rsquo;re finally ready to take the wraps off our
&lt;a href="/v1.5/blog/2018/v1alpha3-routing/">new traffic management APIs&lt;/a>. We believe this new model is easier to understand while covering more real world
deployment &lt;a href="/v1.5/docs/tasks/traffic-management/">use-cases&lt;/a>. For folks upgrading from earlier releases there is a
&lt;a href="/v1.5/docs/setup/upgrade/">migration guide&lt;/a> and a conversion tool built into &lt;code>istioctl&lt;/code> to help convert your configuration from the old model.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Streaming Envoy configuration&lt;/strong>. By default Pilot now streams configuration to Envoy using its &lt;a href="https://github.com/envoyproxy/data-plane-api/blob/master/xds_protocol.rst">ADS API&lt;/a>. This new approach increases effective scalability, reduces rollout delay and should eliminate spurious 404 errors.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Gateway for Ingress/Egress&lt;/strong>. We no longer support combining Kubernetes Ingress specs with Istio routing rules as it has led to several bugs and reliability issues. Istio now supports a platform independent &lt;a href="/v1.5/docs/concepts/traffic-management/#gateways">Gateway&lt;/a> model for ingress &amp;amp; egress proxies that works across Kubernetes and Cloud Foundry and works seamlessly with routing. The Gateway supports &lt;a href="https://en.wikipedia.org/wiki/Server_Name_Indication">Server Name Indication&lt;/a> based routing,
as well as serving a certificate based on the server name presented by the client.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Constrained Inbound Ports&lt;/strong>. We now restrict the inbound ports in a pod to the ones declared by the apps running inside that pod.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="security">Security&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Introducing Citadel&lt;/strong>. We&amp;rsquo;ve finally given a name to our security component. What was formerly known as Istio-Auth or Istio-CA is now called Citadel.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Multicluster Support&lt;/strong>. We support per-cluster Citadel in multicluster deployments such that all Citadels share the same root certificate and workloads can authenticate each other across the mesh.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Authentication Policy&lt;/strong>. We&amp;rsquo;ve created a unified API for &lt;a href="/v1.5/docs/tasks/security/authentication/authn-policy/">authentication policy&lt;/a> that controls whether service-to-service communication uses mutual TLS as well as end user authentication. This is now the recommended way to control these behaviors.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="telemetry">Telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Self-Reporting&lt;/strong>. Mixer and Pilot now produce telemetry that flows through the normal
Istio telemetry pipeline, just like services in the mesh.&lt;/li>
&lt;/ul>
&lt;h2 id="setup">Setup&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>A la Carte Istio&lt;/strong>. Istio has a rich set of features, however you don&amp;rsquo;t need to install or consume them all together. By using
Helm or &lt;code>istioctl gen-deploy&lt;/code>, users can install only the features they want. For example, users can install Pilot only and enjoy traffic
management functionality without dealing with Mixer or Citadel.&lt;/li>
&lt;/ul>
&lt;h2 id="mixer-adapters">Mixer adapters&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>CloudWatch&lt;/strong>. Mixer can now report metrics to AWS CloudWatch.
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/">Learn more&lt;/a>&lt;/li>
&lt;/ul>
&lt;h2 id="known-issues-with-0-8">Known issues with 0.8&lt;/h2>
&lt;ul>
&lt;li>&lt;p>A gateway with virtual services pointing to a headless service won&amp;rsquo;t work (&lt;a href="https://github.com/istio/istio/issues/5005">Issue #5005&lt;/a>).&lt;/p>&lt;/li>
&lt;li>&lt;p>There is a &lt;a href="https://github.com/istio/istio/issues/5723">problem with Google Kubernetes Engine 1.10.2&lt;/a>. The workaround is to use Kubernetes 1.9 or switch the node image to Ubuntu. A fix is expected in GKE 1.10.4.&lt;/p>&lt;/li>
&lt;li>&lt;p>There is a known namespace issue with &lt;code>istioctl experimental convert-networking-config&lt;/code> tool where the desired namespace may be changed to the &lt;code>istio-system&lt;/code> namespace, please manually adjust to use the desired namespace after running the conversation tool. &lt;a href="https://github.com/istio/istio/issues/5817">Learn more&lt;/a>&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Fri, 01 Jun 2018 00:00:00 +0000</pubDate><link>/v1.5/news/releases/0.x/announcing-0.8/</link><author/><guid isPermaLink="true">/v1.5/news/releases/0.x/announcing-0.8/</guid></item><item><title>Announcing Istio 0.7</title><description>&lt;p>For this release, we focused on improving our build and test infrastructures and increasing the
quality of our tests. As a result, there are no new features for this month.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/0.7.0">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v0.7/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;/div>
&lt;p>Please note that this release includes preliminary support for the new v1alpha3 traffic management
functionality. This functionality is still in a great deal of flux and there may be some breaking
changes in 0.8. So if you feel like exploring, please go right ahead, but expect that this may
change in 0.8 and beyond.&lt;/p>
&lt;p>Known Issues:&lt;/p>
&lt;p>Our &lt;a href="/v1.5/docs/setup/install/helm">Helm chart&lt;/a>
currently requires some workaround to apply the chart correctly, see &lt;a href="https://github.com/istio/istio/issues/4701">4701&lt;/a> for details.&lt;/p></description><pubDate>Wed, 28 Mar 2018 00:00:00 +0000</pubDate><link>/v1.5/news/releases/0.x/announcing-0.7/</link><author/><guid isPermaLink="true">/v1.5/news/releases/0.x/announcing-0.7/</guid></item><item><title>Announcing Istio 0.6</title><description>
&lt;p>In addition to the usual pile of bug fixes and performance improvements, this release includes the new or
updated features detailed below.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/0.6.0">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v0.6/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="networking">Networking&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Custom Envoy Configuration&lt;/strong>. Pilot now supports ferrying custom Envoy configuration to the
proxy. &lt;a href="https://github.com/mandarjog/istioluawebhook">Learn more&lt;/a>&lt;/li>
&lt;/ul>
&lt;h2 id="mixer-adapters">Mixer adapters&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>SolarWinds&lt;/strong>. Mixer can now interface to AppOptics and Papertrail.
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/solarwinds/">Learn more&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Redis Quota&lt;/strong>. Mixer now supports a Redis-based adapter for rate limit tracking.
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/redisquota/">Learn more&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Datadog&lt;/strong>. Mixer now provides an adapter to deliver metric data to a Datadog agent.
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/datadog/">Learn more&lt;/a>&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="other">Other&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Separate Check &amp;amp; Report Clusters&lt;/strong>. When configuring Envoy, it&amp;rsquo;s now possible to use different clusters
for Mixer instances that are used for Mixer&amp;rsquo;s Check functionality from those used for Mixer&amp;rsquo;s Report
functionality. This may be useful in large deployments for better scaling of Mixer instances.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Monitoring Dashboards&lt;/strong>. There are now preliminary Mixer &amp;amp; Pilot monitoring dashboard in Grafana.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Liveness and Readiness Probes&lt;/strong>. Istio components now provide canonical liveness and readiness
probe support to help ensure mesh infrastructure health.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Egress Policy and Telemetry&lt;/strong>. Istio can monitor traffic to external services defined by &lt;code>EgressRule&lt;/code> or External Service. Istio can also apply
Mixer policies on this traffic.&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Thu, 08 Mar 2018 00:00:00 +0000</pubDate><link>/v1.5/news/releases/0.x/announcing-0.6/</link><author/><guid isPermaLink="true">/v1.5/news/releases/0.x/announcing-0.6/</guid></item><item><title>Announcing Istio 0.5</title><description>
&lt;p>In addition to the usual pile of bug fixes and performance improvements, this release includes the new or
updated features detailed below.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/0.5.0">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v0.5/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="networking">Networking&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Incremental Istio Deployment&lt;/strong>. (Preview) You can now adopt Istio incrementally, more easily than before, by installing only
the components you want (e.g, Pilot+Ingress only as the minimal Istio install). Refer to the &lt;code>istioctl&lt;/code> CLI tool for generating a
information on customized Istio deployments.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Automatic Proxy Injection&lt;/strong>. We leverage Kubernetes 1.9&amp;rsquo;s new
&lt;a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.9.md#api-machinery">mutating webhook feature&lt;/a> to provide automatic
pod-level proxy injection. Automatic injection requires Kubernetes 1.9 or beyond and
therefore doesn&amp;rsquo;t work on older versions. The alpha initializer mechanism is no longer supported.
&lt;a href="/v1.5/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection">Learn more&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Revised Traffic Rules&lt;/strong>. Based on user feedback, we have made significant changes to Istio&amp;rsquo;s traffic management
(routing rules, destination rules, etc.). We would love your continuing feedback while we polish this in the coming weeks.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="mixer-adapters">Mixer adapters&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Open Policy Agent&lt;/strong>. Mixer now has an authorization adapter implementing the &lt;a href="https://www.openpolicyagent.org">open policy agent&lt;/a> model,
providing a flexible fine-grained access control mechanism. &lt;a href="https://docs.google.com/document/d/1U2XFmah7tYdmC5lWkk3D43VMAAQ0xkBatKmohf90ICA">Learn more&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Istio RBAC&lt;/strong>. Mixer now has a role-based access control adapter.
&lt;a href="/v1.5/docs/concepts/security/#authorization">Learn more&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Fluentd&lt;/strong>. Mixer now has an adapter for log collection through &lt;a href="https://www.fluentd.org">Fluentd&lt;/a>.
&lt;a href="/v1.5/docs/tasks/observability/mixer/logs/fluentd/">Learn more&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Stdio&lt;/strong>. The stdio adapter now lets you log to files with support for log rotation &amp;amp; backup, along with a host
of controls.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="security">Security&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Bring Your Own CA&lt;/strong>. There have been many enhancements to the &amp;lsquo;bring your own CA&amp;rsquo; feature.
&lt;a href="/v1.5/docs/tasks/security/plugin-ca-cert/">Learn more&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>PKCS8&lt;/strong>. Add support for PKCS8 keys to Istio PKI.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Istio RBAC&lt;/strong> Istio RBAC provides access control for services in Istio mesh.
&lt;a href="/v1.5/docs/concepts/security/#authorization">Learn more&lt;/a>.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="other">Other&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Release-Mode Binaries&lt;/strong>. We switched release and installation default to release for improved
performance and security.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Component Logging&lt;/strong>. Istio components now offer a rich set of command-line options to control local logging, including
common support for log rotation.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Consistent Version Reporting&lt;/strong>. Istio components now offer a consistent command-line interface to report their version information.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Optional Instance Fields&lt;/strong>. Within configuration, definitions of Mixer instances no longer need to include every field of the
associated template. Omitted fields get a zero or empty value.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="known-issues">Known issues&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Installing with Helm charts is currently broken.&lt;/p>&lt;/li>
&lt;li>&lt;p>Automatic sidecar injection only works with Kubernetes 1.9 or later.&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Fri, 02 Feb 2018 00:00:00 +0000</pubDate><link>/v1.5/news/releases/0.x/announcing-0.5/</link><author/><guid isPermaLink="true">/v1.5/news/releases/0.x/announcing-0.5/</guid></item><item><title>Announcing Istio 0.4</title><description>
&lt;p>This release has only got a few weeks&amp;rsquo; worth of changes, as we stabilize our monthly release process.
In addition to the usual pile of bug fixes and performance improvements, this release includes the items
below.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/0.4.0">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v0.4/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="general">General&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Cloud Foundry&lt;/strong>. Added minimum Pilot support for the &lt;a href="https://www.cloudfoundry.org">Cloud Foundry&lt;/a> platform, making it
possible for Pilot to discover CF services and service instances.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Circonus&lt;/strong>. Mixer now includes an adapter for the &lt;a href="https://www.circonus.com">Circonus&lt;/a> analytics and monitoring platform.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Pilot Metrics&lt;/strong>. Pilot now collects metrics for diagnostics.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Helm Charts&lt;/strong>. We now provide Helm charts to install Istio.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Enhanced Attribute Expressions&lt;/strong>. Mixer&amp;rsquo;s expression language gained a few new functions
to make it easier to write policy rules. &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/expression-language/">Learn more&lt;/a>&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>If you&amp;rsquo;re into the nitty-gritty details, you can see our more detailed low-level
release notes &lt;a href="https://github.com/istio/istio/wiki/v0.4.0">here&lt;/a>.&lt;/p></description><pubDate>Mon, 18 Dec 2017 00:00:00 +0000</pubDate><link>/v1.5/news/releases/0.x/announcing-0.4/</link><author/><guid isPermaLink="true">/v1.5/news/releases/0.x/announcing-0.4/</guid></item><item><title>Announcing Istio 0.3</title><description>
&lt;p>We&amp;rsquo;re pleased to announce the availability of Istio 0.3. Please see below for what&amp;rsquo;s changed.&lt;/p>
&lt;div class="relnote-actions call-to-action">
&lt;a class="entry" href="https://github.com/istio/istio/releases/tag/0.3.0">
&lt;h5>DOWNLOAD&lt;/h5>
&lt;p>Download and install this release.&lt;/p>
&lt;/a>
&lt;a class="entry" href="https://archive.istio.io/v0.3/docs">
&lt;h5>DOCS&lt;/h5>
&lt;p>Visit the documentation for this release.&lt;/p>
&lt;/a>
&lt;/div>
&lt;h2 id="general">General&lt;/h2>
&lt;p>Starting with 0.3, Istio is switching to a monthly release cadence. We hope this will help accelerate our ability
to deliver timely improvements. See &lt;a href="/v1.5/about/feature-stages/">here&lt;/a> for information on the state of individual features
for this release.&lt;/p>
&lt;p>This is a fairly modest release in terms of new features as the team put emphasis on internal
infrastructure work to improve our velocity. Many bugs and smaller issues have been addressed and
overall performance has been improved in a number of areas.&lt;/p>
&lt;h2 id="security">Security&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Secure Control Plane Communication&lt;/strong>. Mixer and Pilot are now secured with mutual TLS, just like all services in a mesh.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Selective Authentication&lt;/strong>. You can now control authentication on a per-service basis via service annotations,
which helps with incremental migration to Istio.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="networking">Networking&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Egress rules for TCP&lt;/strong>. You can now specify egress rules that affect TCP-level traffic.&lt;/li>
&lt;/ul>
&lt;h2 id="policy-enforcement-and-telemetry">Policy enforcement and telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Improved Caching&lt;/strong>. Caching between Envoy and Mixer has gotten substantially better, resulting in a
significant drop in average latency for authorization checks.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Improved list Adapter&lt;/strong>. The Mixer &amp;lsquo;list&amp;rsquo; adapter now supports regular expression matching. See the adapter&amp;rsquo;s
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/list/">configuration options&lt;/a> for details.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Configuration Validation&lt;/strong>. Mixer does more extensive validation of configuration state in order to catch problems earlier.
We expect to invest more in this area in coming releases.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>If you&amp;rsquo;re into the nitty-gritty details, you can see our more detailed low-level
release notes &lt;a href="https://github.com/istio/istio/wiki/v0.3.0">here&lt;/a>.&lt;/p></description><pubDate>Wed, 29 Nov 2017 00:00:00 +0000</pubDate><link>/v1.5/news/releases/0.x/announcing-0.3/</link><author/><guid isPermaLink="true">/v1.5/news/releases/0.x/announcing-0.3/</guid></item><item><title>Announcing Istio 0.2</title><description>
&lt;p>We launched Istio; an open platform to connect, manage, monitor, and secure microservices, on May 24, 2017. We have been humbled by the incredible interest, and
rapid community growth of developers, operators, and partners. Our 0.1 release was focused on showing all the concepts of Istio in Kubernetes.&lt;/p>
&lt;p>Today we are happy to announce the 0.2 release which improves stability and performance, allows for cluster wide deployment and automated injection of sidecars in Kubernetes, adds policy and authentication for TCP services, and enables expansion of the mesh to include services deployed in virtual machines. In addition, Istio can now run outside Kubernetes, leveraging Consul/Nomad or Eureka. Beyond core features, Istio is now ready for extensions to be written by third party companies and developers.&lt;/p>
&lt;h2 id="highlights-for-the-0-2-release">Highlights for the 0.2 release&lt;/h2>
&lt;h3 id="usability-improvements">Usability improvements&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;em>Multiple namespace support&lt;/em>: Istio now works cluster-wide, across multiple namespaces and this was one of the top requests from community from 0.1 release.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;em>Policy and security for TCP services&lt;/em>: In addition to HTTP, we have added transparent mutual TLS authentication and policy enforcement for TCP services as well. This will allow you to secure more of your
Kubernetes deployment, and get Istio features like telemetry, policy and security.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;em>Automated sidecar injection&lt;/em>: By leveraging the alpha &lt;a href="https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/">initializer&lt;/a> feature provided by Kubernetes 1.7, envoy sidecars can now be automatically injected into application deployments when your cluster has the initializer enabled. This enables you to deploy microservices using &lt;code>kubectl&lt;/code>, the exact same command that you normally use for deploying the microservices without Istio.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;em>Extending Istio&lt;/em>: An improved Mixer design that lets vendors write Mixer adapters to implement support for their own systems, such as application
management or policy enforcement. The
&lt;a href="https://github.com/istio/istio/wiki/Mixer-Compiled-In-Adapter-Dev-Guide">Mixer Adapter Developer&amp;rsquo;s Guide&lt;/a> can help
you easily integrate your solution with Istio.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;em>Bring your own CA certificates&lt;/em>: Allows users to provide their own key and certificate for Istio CA and persistent CA key/certificate Storage. Enables storing signing key/certificates in persistent storage to facilitate CA restarts.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;em>Improved routing &amp;amp; metrics&lt;/em>: Support for WebSocket, MongoDB and Redis protocols. You can apply resilience features like circuit breakers on traffic to third party services. In addition to Mixers metrics, hundreds of metrics from Envoy are now visible inside Prometheus for all traffic entering, leaving and within Istio mesh.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="cross-environment-support">Cross environment support&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;em>Mesh expansion&lt;/em>: Istio mesh can now span services running outside of Kubernetes - like those running in virtual machines while enjoying benefits such as automatic mutual TLS authentication, traffic management, telemetry, and policy enforcement across the mesh.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;em>Running outside Kubernetes&lt;/em>: We know many customers use other service registry and orchestration solutions like Consul/Nomad and Eureka. Istio Pilot can now run standalone outside Kubernetes, consuming information from these systems, and manage the Envoy fleet in VMs or containers.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="get-involved-in-shaping-the-future-of-istio">Get involved in shaping the future of Istio&lt;/h2>
&lt;p>We have a growing &lt;a href="/v1.5/about/feature-stages/">roadmap&lt;/a> ahead of us, full of great features to implement. Our focus next release is going to be on stability, reliability, integration with third party tools and multicluster use cases.&lt;/p>
&lt;p>To learn how to get involved and contribute to Istio&amp;rsquo;s future, check out our &lt;a href="https://github.com/istio/community">community&lt;/a> GitHub repository which
will introduce you to our working groups, our mailing lists, our various community meetings, our general procedures and our guidelines.&lt;/p>
&lt;p>We want to thank our fantastic community for field testing new versions, filing bug reports, contributing code, helping out other community members, and shaping Istio by participating in countless productive discussions. This has enabled the project to accrue 3000 stars on GitHub since launch and hundreds of active community members on Istio mailing lists.&lt;/p>
&lt;p>Thank you&lt;/p>
&lt;h2 id="release-notes">Release notes&lt;/h2>
&lt;h3 id="general">General&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Updated Configuration Model&lt;/strong>. Istio now uses the Kubernetes &lt;a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/">Custom Resource&lt;/a>
model to describe and store its configuration. When running in Kubernetes, configuration can now be optionally managed using the &lt;code>kubectl&lt;/code>
command.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Multiple Namespace Support&lt;/strong>. Istio control plane components are now in the dedicated &lt;code>istio-system&lt;/code> namespace. Istio can manage
services in other non-system namespaces.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Mesh Expansion&lt;/strong>. Initial support for adding non-Kubernetes services (in the form of VMs and/or physical machines) to a mesh. This is an early version of
this feature and has some limitations (such as requiring a flat network across containers and VMs).&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Multi-Environment Support&lt;/strong>. Initial support for using Istio in conjunction with other service registries
including Consul and Eureka.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Automatic injection of sidecars&lt;/strong>. Istio sidecar can automatically be injected into a pod upon deployment using the
&lt;a href="https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/">Initializers&lt;/a> alpha feature in Kubernetes.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="performance-and-quality">Performance and quality&lt;/h3>
&lt;p>There have been many performance and reliability improvements throughout the system. We dont consider Istio 0.2 ready for production yet, but
weve made excellent progress in that direction. Here are a few items of note:&lt;/p>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Caching Client&lt;/strong>. The Mixer client library used by Envoy now provides caching for Check calls and batching for Report calls, considerably reducing
end-to-end overhead.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Avoid Hot Restarts&lt;/strong>. The need to hot-restart Envoy has been mostly eliminated through effective use of LDS/RDS/CDS/EDS.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Reduced Memory Use&lt;/strong>. Significantly reduced the size of the sidecar helper agent, from 50Mb to 7Mb.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Improved Mixer Latency&lt;/strong>. Mixer now clearly delineates configuration-time vs. request-time computations, which avoids doing extra setup work at
request-time for initial requests and thus delivers a smoother average latency. Better resource caching also contributes to better end-to-end performance.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Reduced Latency for Egress Traffic&lt;/strong>. We now forward traffic to external services directly from the sidecar.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="traffic-management">Traffic management&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Egress Rules&lt;/strong>. Its now possible to specify routing rules for egress traffic.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>New Protocols&lt;/strong>. Mesh-wide support for WebSocket connections, MongoDB proxying,
and Kubernetes &lt;a href="https://kubernetes.io/docs/concepts/services-networking/service/#headless-services">headless services&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Other Improvements&lt;/strong>. Ingress properly supports gRPC services, better support for health checks, and
Jaeger tracing.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="policy-enforcement-telemetry">Policy enforcement &amp;amp; telemetry&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Ingress Policies&lt;/strong>. In addition to east-west traffic supported in 0.1. policies can now be applied to north-south traffic.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Support for TCP Services&lt;/strong>. In addition to the HTTP-level policy controls available in 0.1, 0.2 introduces policy controls for
TCP services.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>New Mixer API&lt;/strong>. The API that Envoy uses to interact with Mixer has been completely redesigned for increased robustness, flexibility, and to support
rich proxy-side caching and batching for increased performance.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>New Mixer Adapter Model&lt;/strong>. A new adapter composition model makes it easier to extend Mixer by adding whole new classes of adapters via templates. This
new model will serve as the foundational building block for many features in the future. See the
&lt;a href="https://github.com/istio/istio/wiki/Mixer-Compiled-In-Adapter-Dev-Guide">Adapter Developer&amp;rsquo;s Guide&lt;/a> to learn how
to write adapters.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Improved Mixer Build Model&lt;/strong>. Its now easier to build a Mixer binary that includes custom adapters.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Mixer Adapter Updates&lt;/strong>. The built-in adapters have all been rewritten to fit into the new adapter model. The &lt;code>stackdriver&lt;/code> adapter has been added for this
release. The experimental &lt;code>redisquota&lt;/code> adapter has been removed in the 0.2 release, but is expected to come back in production quality for the 0.3 release.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Mixer Call Tracing&lt;/strong>. Calls between Envoy and Mixer can now be traced and analyzed in the Zipkin dashboard.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="security">Security&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Mutual TLS for TCP Traffic&lt;/strong>. In addition to HTTP traffic, mutual TLS is now supported for TCP traffic as well.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Identity Provisioning for VMs and Physical Machines&lt;/strong>. Auth supports a new mechanism using a per-node agent for
identity provisioning. This agent runs on each node (VM / physical machine) and is responsible for generating and sending out the CSR
(Certificate Signing Request) to get certificates from Istio CA.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Bring Your Own CA Certificates&lt;/strong>. Allows users to provide their own key and certificate for Istio CA.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Persistent CA Key/Certificate Storage&lt;/strong>. Istio CA now stores signing key/certificates in
persistent storage to facilitate CA restarts.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="known-issues">Known issues&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>User may get periodical 404 when accessing the application&lt;/strong>: We have noticed that Envoy doesn&amp;rsquo;t get routes properly occasionally
thus a 404 is returned to the user. We are actively working on this &lt;a href="https://github.com/istio/istio/issues/1038">issue&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Istio Ingress or Egress reports ready before Pilot is actually ready&lt;/strong>: You can check the &lt;code>istio-ingress&lt;/code> and &lt;code>istio-egress&lt;/code> pods status
in the &lt;code>istio-system&lt;/code> namespace and wait a few seconds after all the Istio pods reach ready status. We are actively working on this
&lt;a href="https://github.com/istio/istio/pull/1055">issue&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>A service with Istio Auth enabled can&amp;rsquo;t communicate with a service without Istio&lt;/strong>: This limitation will be removed in the near future.&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Tue, 10 Oct 2017 00:00:00 +0000</pubDate><link>/v1.5/news/releases/0.x/announcing-0.2/</link><author/><guid isPermaLink="true">/v1.5/news/releases/0.x/announcing-0.2/</guid></item><item><title>Introducing Istio</title><description>
&lt;p>Google, IBM, and Lyft are proud to announce the first public release of &lt;a href="/v1.5/">Istio&lt;/a>: an open source project that provides a uniform way to connect, secure, manage and monitor microservices. Our current release is targeted at the &lt;a href="https://kubernetes.io/">Kubernetes&lt;/a> environment; we intend to add support for other environments such as virtual machines and Cloud Foundry in the coming months.
Istio adds traffic management to microservices and creates a basis for value-add capabilities like security, monitoring, routing, connectivity management and policy. The software is built using the battle-tested &lt;a href="https://envoyproxy.github.io/envoy/">Envoy&lt;/a> proxy from Lyft, and gives visibility and control over traffic &lt;em>without requiring any changes to application code&lt;/em>. Istio gives CIOs a powerful tool to enforce security, policy and compliance requirements across the enterprise.&lt;/p>
&lt;h2 id="background">Background&lt;/h2>
&lt;p>Writing reliable, loosely coupled, production-grade applications based on microservices can be challenging. As monolithic applications are decomposed into microservices, software teams have to worry about the challenges inherent in integrating services in distributed systems: they must account for service discovery, load balancing, fault tolerance, end-to-end monitoring, dynamic routing for feature experimentation, and perhaps most important of all, compliance and security.&lt;/p>
&lt;p>Inconsistent attempts at solving these challenges, cobbled together from libraries, scripts and Stack Overflow snippets leads to solutions that vary wildly across languages and runtimes, have poor observability characteristics and can often end up compromising security.&lt;/p>
&lt;p>One solution is to standardize implementations on a common RPC library like &lt;a href="https://grpc.io">gRPC&lt;/a>, but this can be costly for organizations to adopt wholesale
and leaves out brownfield applications which may be practically impossible to change. Operators need a flexible toolkit to make their microservices secure, compliant, trackable and highly available, and developers need the ability to experiment with different features in production, or deploy canary releases, without impacting the system as a whole.&lt;/p>
&lt;h2 id="solution-service-mesh">Solution: service mesh&lt;/h2>
&lt;p>Imagine if we could transparently inject a layer of infrastructure between a service and the network that gives operators the controls they need while freeing developers from having to bake solutions to distributed system problems into their code. This uniform layer of infrastructure combined with service deployments is commonly referred to as a &lt;strong>&lt;em>service mesh&lt;/em>&lt;/strong>. Just as microservices help to decouple feature teams from each other, a service mesh helps to decouple operators from application feature development and release processes. Istio turns disparate microservices into an integrated service mesh by systemically injecting a proxy into the network paths among them.&lt;/p>
&lt;p>Google, IBM and Lyft joined forces to create Istio from a desire to provide a reliable substrate for microservice development and maintenance, based on our common experiences building and operating massive scale microservices for internal and enterprise customers. Google and IBM have extensive experience with these large scale microservices in their own applications and with their enterprise customers in sensitive/regulated environments, while Lyft developed Envoy to address their internal operability challenges. &lt;a href="https://eng.lyft.com/announcing-envoy-c-l7-proxy-and-communication-bus-92520b6c8191">Lyft open sourced Envoy&lt;/a> after successfully using it in production for over a year to manage more than 100 services spanning 10,000 VMs, processing 2M requests/second.&lt;/p>
&lt;h2 id="benefits-of-istio">Benefits of Istio&lt;/h2>
&lt;p>&lt;strong>Fleet-wide Visibility&lt;/strong>: Failures happen, and operators need tools to stay on top of the health of clusters and their graphs of microservices. Istio produces detailed monitoring data about application and network behaviors that is rendered using &lt;a href="https://prometheus.io/">Prometheus&lt;/a> &amp;amp; &lt;a href="https://github.com/grafana/grafana">Grafana&lt;/a>, and can be easily extended to send metrics and logs to any collection, aggregation and querying system. Istio enables analysis of performance hotspots and diagnosis of distributed failure modes with &lt;a href="https://github.com/openzipkin/zipkin">Zipkin&lt;/a> tracing.&lt;/p>
&lt;figure style="width:100%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:55.425531914893625%">
&lt;a data-skipendnotes="true" href="/v1.5/news/releases/0.x/announcing-0.1/istio_grafana_dashboard-new.png" title="Grafana Dashboard with Response Size">
&lt;img class="element-to-stretch" src="/v1.5/news/releases/0.x/announcing-0.1/istio_grafana_dashboard-new.png" alt="Grafana Dashboard with Response Size" />
&lt;/a>
&lt;/div>
&lt;figcaption>Grafana Dashboard with Response Size&lt;/figcaption>
&lt;/figure>
&lt;figure style="width:100%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:29.912663755458514%">
&lt;a data-skipendnotes="true" href="/v1.5/news/releases/0.x/announcing-0.1/istio_zipkin_dashboard.png" title="Zipkin Dashboard">
&lt;img class="element-to-stretch" src="/v1.5/news/releases/0.x/announcing-0.1/istio_zipkin_dashboard.png" alt="Zipkin Dashboard" />
&lt;/a>
&lt;/div>
&lt;figcaption>Zipkin Dashboard&lt;/figcaption>
&lt;/figure>
&lt;p>&lt;strong>Resiliency and efficiency&lt;/strong>: When developing microservices, operators need to assume that the network will be unreliable. Operators can use retries, load balancing, flow-control (HTTP/2), and circuit-breaking to compensate for some of the common failure modes due to an unreliable network. Istio provides a uniform approach to configuring these features, making it easier to operate a highly resilient service mesh.&lt;/p>
&lt;p>&lt;strong>Developer productivity&lt;/strong>: Istio provides a significant boost to developer productivity by letting them focus on building service features in their language of choice, while Istio handles resiliency and networking challenges in a uniform way. Developers are freed from having to bake solutions to distributed systems problems into their code. Istio further improves productivity by providing common functionality supporting A/B testing, canarying, and fault injection.&lt;/p>
&lt;p>&lt;strong>Policy Driven Ops&lt;/strong>: Istio empowers teams with different areas of concern to operate independently. It decouples cluster operators from the feature development cycle, allowing improvements to security, monitoring, scaling, and service topology to be rolled out &lt;em>without&lt;/em> code changes. Operators can route a precise subset of production traffic to qualify a new service release. They can inject failures or delays into traffic to test the resilience of the service mesh, and set up rate limits to prevent services from being overloaded. Istio can also be used to enforce compliance rules, defining ACLs between services to allow only authorized services to talk to each other.&lt;/p>
&lt;p>&lt;strong>Secure by default&lt;/strong>: It is a common fallacy of distributed computing that the network is secure. Istio enables operators to authenticate and secure all communication between services using a mutual TLS connection, without burdening the developer or the operator with cumbersome certificate management tasks. Our security framework is aligned with the emerging &lt;a href="https://spiffe.io/">SPIFFE&lt;/a> specification, and is based on similar systems that have been tested extensively inside Google.&lt;/p>
&lt;p>&lt;strong>Incremental Adoption&lt;/strong>: We designed Istio to be completely transparent to the services running in the mesh, allowing teams to incrementally adopt features of Istio over time. Adopters can start with enabling fleet-wide visibility and once theyre comfortable with Istio in their environment they can switch on other features as needed.&lt;/p>
&lt;h2 id="join-us-in-this-journey">Join us in this journey&lt;/h2>
&lt;p>Istio is a completely open development project. Today we are releasing version 0.1, which works in a Kubernetes cluster, and we plan to have major new
releases every 3 months, including support for additional environments. Our goal is to enable developers and operators to rollout and operate microservices
with agility, complete visibility of the underlying network, and uniform control and security in all environments. We look forward to working with the Istio
community and our partners towards these goals, following our &lt;a href="/v1.5/about/feature-stages/">roadmap&lt;/a>.&lt;/p>
&lt;p>Visit &lt;a href="https://github.com/istio/istio/releases">here&lt;/a> to get the latest released bits.&lt;/p>
&lt;p>View the &lt;a href="/v1.5/talks/istio_talk_gluecon_2017.pdf">presentation&lt;/a> from GlueCon 2017, where Istio was unveiled.&lt;/p>
&lt;h2 id="community">Community&lt;/h2>
&lt;p>We are excited to see early commitment to support the project from many companies in the community:
&lt;a href="https://blog.openshift.com/red-hat-istio-launch/">Red Hat&lt;/a> with Red Hat OpenShift and OpenShift Application Runtimes,
Pivotal with &lt;a href="https://content.pivotal.io/blog/pivotal-and-istio-advancing-the-ecosystem-for-microservices-in-the-enterprise">Pivotal Cloud Foundry&lt;/a>,
WeaveWorks with &lt;a href="https://www.weave.works/blog/istio-weave-cloud/">Weave Cloud&lt;/a> and Weave Net 2.0,
&lt;a href="https://www.projectcalico.org/welcoming-istio-to-the-kubernetes-networking-community">Tigera&lt;/a> with the Project Calico Network Policy Engine
and &lt;a href="https://www.datawire.io/istio-and-datawire-ecosystem/">Datawire&lt;/a> with the Ambassador project. We hope to see many more companies join us in
this journey.&lt;/p>
&lt;p>To get involved, connect with us via any of these channels:&lt;/p>
&lt;ul>
&lt;li>&lt;p>[istio.io]() for documentation and examples.&lt;/p>&lt;/li>
&lt;li>&lt;p>The &lt;a href="https://discuss.istio.io">Istio discussion board&lt;/a> general discussions,&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://stackoverflow.com/questions/tagged/istio">Stack Overflow&lt;/a> for curated questions and answers&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://github.com/istio/istio/issues">GitHub&lt;/a> for filing issues&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://twitter.com/IstioMesh">@IstioMesh&lt;/a> on Twitter&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>From everyone working on Istio, welcome aboard!&lt;/p>
&lt;h2 id="release-notes">Release notes&lt;/h2>
&lt;ul>
&lt;li>Installation of Istio into a Kubernetes namespace with a single command.&lt;/li>
&lt;li>Semi-automated injection of Envoy proxies into Kubernetes pods.&lt;/li>
&lt;li>Automatic traffic capture for Kubernetes pods using iptables.&lt;/li>
&lt;li>In-cluster load balancing for HTTP, gRPC, and TCP traffic.&lt;/li>
&lt;li>Support for timeouts, retries with budgets, and circuit breakers.&lt;/li>
&lt;li>Istio-integrated Kubernetes Ingress support (Istio acts as an Ingress Controller).&lt;/li>
&lt;li>Fine-grained traffic routing controls, including A/B testing, canarying, red/black deployments.&lt;/li>
&lt;li>Flexible in-memory rate limiting.&lt;/li>
&lt;li>L7 telemetry and logging for HTTP and gRPC using Prometheus.&lt;/li>
&lt;li>Grafana dashboards showing per-service L7 metrics.&lt;/li>
&lt;li>Request tracing through Envoy with Zipkin.&lt;/li>
&lt;li>Service-to-service authentication using mutual TLS.&lt;/li>
&lt;li>Simple service-to-service authorization using deny expressions.&lt;/li>
&lt;/ul></description><pubDate>Wed, 24 May 2017 00:00:00 +0000</pubDate><link>/v1.5/news/releases/0.x/announcing-0.1/</link><author/><guid isPermaLink="true">/v1.5/news/releases/0.x/announcing-0.1/</guid></item><item><title>Helm Changes</title><description>
&lt;p>The tables below show changes made to the installation options used to customize Istio install using Helm between Istio 1.2 and Istio 1.3. The tables are grouped in to three different categories:&lt;/p>
&lt;ul>
&lt;li>The installation options already in the previous release but whose values have been modified in the new release.&lt;/li>
&lt;li>The new installation options added in the new release.&lt;/li>
&lt;li>The installation options removed from the new release.&lt;/li>
&lt;/ul>
&lt;!-- Run python scripts/tablegen.py to generate this table -->
&lt;!-- AUTO-GENERATED-START -->
&lt;h2 id="modified-configuration-options">Modified configuration options&lt;/h2>
&lt;h3 id="modified-kiali-key-value-pairs">Modified &lt;code>kiali&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>kiali.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>v0.20&lt;/code>&lt;/td>
&lt;td>&lt;code>v1.1.0&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-global-key-value-pairs">Modified &lt;code>global&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>global.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>1.2.0-rc.3&lt;/code>&lt;/td>
&lt;td>&lt;code>release-1.3-latest-daily&lt;/code>&lt;/td>
&lt;td>&lt;code>Default tag for Istio images.&lt;/code>&lt;/td>
&lt;td>&lt;code>Default tag for Istio images.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-gateways-key-value-pairs">Modified &lt;code>gateways&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.resources.limits.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>256Mi&lt;/code>&lt;/td>
&lt;td>&lt;code>1024Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-tracing-key-value-pairs">Modified &lt;code>tracing&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>1.9&lt;/code>&lt;/td>
&lt;td>&lt;code>1.12&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>2&lt;/code>&lt;/td>
&lt;td>&lt;code>2.14.2&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="new-configuration-options">New configuration options&lt;/h2>
&lt;h3 id="new-tracing-key-value-pairs">New &lt;code>tracing&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>tracing.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.image&lt;/code>&lt;/td>
&lt;td>&lt;code>all-in-one&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.spanStorageType&lt;/code>&lt;/td>
&lt;td>&lt;code>badger&lt;/code>&lt;/td>
&lt;td>&lt;code>spanStorageType value can be &amp;quot;memory&amp;quot; and &amp;quot;badger&amp;quot; for all-in-one image&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.persist&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.storageClassName&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.accessMode&lt;/code>&lt;/td>
&lt;td>&lt;code>ReadWriteMany&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.image&lt;/code>&lt;/td>
&lt;td>&lt;code>zipkin&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-sidecarinjectorwebhook-key-value-pairs">New &lt;code>sidecarInjectorWebhook&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>sidecarInjectorWebhook.rollingMaxSurge&lt;/code>&lt;/td>
&lt;td>&lt;code>100%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>sidecarInjectorWebhook.rollingMaxUnavailable&lt;/code>&lt;/td>
&lt;td>&lt;code>25%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>sidecarInjectorWebhook.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-global-key-value-pairs">New &lt;code>global&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>global.proxy.init.resources.limits.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>100m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.init.resources.limits.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>50Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.init.resources.requests.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>10m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.init.resources.requests.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>10Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.host&lt;/code>&lt;/td>
&lt;td>``&lt;/td>
&lt;td>&lt;code>example: accesslog-service.istio-system&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.port&lt;/code>&lt;/td>
&lt;td>``&lt;/td>
&lt;td>&lt;code>example: 15000&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.tlsSettings.mode&lt;/code>&lt;/td>
&lt;td>&lt;code>DISABLE&lt;/code>&lt;/td>
&lt;td>&lt;code>DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.tlsSettings.clientCertificate&lt;/code>&lt;/td>
&lt;td>``&lt;/td>
&lt;td>&lt;code>example: /etc/istio/als/cert-chain.pem&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.tlsSettings.privateKey&lt;/code>&lt;/td>
&lt;td>``&lt;/td>
&lt;td>&lt;code>example: /etc/istio/als/key.pem&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.tlsSettings.caCertificates&lt;/code>&lt;/td>
&lt;td>``&lt;/td>
&lt;td>&lt;code>example: /etc/istio/als/root-cert.pem&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.tlsSettings.sni&lt;/code>&lt;/td>
&lt;td>``&lt;/td>
&lt;td>&lt;code>example: als.somedomain&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.tlsSettings.subjectAltNames&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.tcpKeepalive.probes&lt;/code>&lt;/td>
&lt;td>&lt;code>3&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.tcpKeepalive.time&lt;/code>&lt;/td>
&lt;td>&lt;code>10s&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyAccessLogService.tcpKeepalive.interval&lt;/code>&lt;/td>
&lt;td>&lt;code>10s&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.protocolDetectionTimeout&lt;/code>&lt;/td>
&lt;td>&lt;code>10ms&lt;/code>&lt;/td>
&lt;td>&lt;code>Automatic protocol detection uses a set of heuristics to determine whether the connection is using TLS or not (on the server side), as well as the application protocol being used (e.g., http vs tcp). These heuristics rely on the client sending the first bits of data. For server first protocols like MySQL, MongoDB, etc., Envoy will timeout on the protocol detection after the specified period, defaulting to non mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait for the client to send the first bits of data. (MUST BE &amp;gt;=1ms)&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.enableCoreDumpImage&lt;/code>&lt;/td>
&lt;td>&lt;code>ubuntu:xenial&lt;/code>&lt;/td>
&lt;td>&lt;code>Image used to enable core dumps. This is only used, when &amp;quot;enableCoreDump&amp;quot; is set to true.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.defaultTolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;code>Default node tolerations to be applied to all deployments so that all pods can be scheduled to a particular nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.meshID&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>Mesh ID means Mesh Identifier. It should be unique within the scope where meshes will interact with each other, but it is not required to be globally/universally unique. For example, if any of the following are true, then two meshes must have different Mesh IDs: - Meshes will have their telemetry aggregated in one place - Meshes will be federated together - Policy will be written referencing one mesh from the other If an administrator expects that any of these conditions may become true in the future, they should ensure their meshes have different Mesh IDs assigned. Within a multicluster mesh, each cluster must be (manually or auto) configured to have the same Mesh ID value. If an existing cluster 'joins' a multicluster mesh, it will need to be migrated to the new mesh ID. Details of migration TBD, and it may be a disruptive operation to change the Mesh ID post-install. If the mesh admin does not specify a value, Istio will use the value of the mesh's Trust Domain. The best practice is to select a proper Trust Domain value.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.localityLbSetting.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-galley-key-value-pairs">New &lt;code>galley&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>galley.rollingMaxSurge&lt;/code>&lt;/td>
&lt;td>&lt;code>100%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>galley.rollingMaxUnavailable&lt;/code>&lt;/td>
&lt;td>&lt;code>25%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-mixer-key-value-pairs">New &lt;code>mixer&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>mixer.policy.rollingMaxSurge&lt;/code>&lt;/td>
&lt;td>&lt;code>100%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.policy.rollingMaxUnavailable&lt;/code>&lt;/td>
&lt;td>&lt;code>25%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.rollingMaxSurge&lt;/code>&lt;/td>
&lt;td>&lt;code>100%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.rollingMaxUnavailable&lt;/code>&lt;/td>
&lt;td>&lt;code>25%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.reportBatchMaxEntries&lt;/code>&lt;/td>
&lt;td>&lt;code>100&lt;/code>&lt;/td>
&lt;td>&lt;code>Set reportBatchMaxEntries to 0 to use the default batching behavior (i.e., every 100 requests). A positive value indicates the number of requests that are batched before telemetry data is sent to the mixer server&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.reportBatchMaxTime&lt;/code>&lt;/td>
&lt;td>&lt;code>1s&lt;/code>&lt;/td>
&lt;td>&lt;code>Set reportBatchMaxTime to 0 to use the default batching behavior (i.e., every 1 second). A positive time value indicates the maximum wait time since the last request will telemetry data be batched before being sent to the mixer server&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-grafana-key-value-pairs">New &lt;code>grafana&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>grafana.env&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.envSecrets&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.type.orgId&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.type.url&lt;/code>&lt;/td>
&lt;td>&lt;code>http://prometheus:9090&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.type.access&lt;/code>&lt;/td>
&lt;td>&lt;code>proxy&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.type.isDefault&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.type.jsonData.timeInterval&lt;/code>&lt;/td>
&lt;td>&lt;code>5s&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.type.editable&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.orgId.folder&lt;/code>&lt;/td>
&lt;td>&lt;code>'istio'&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.orgId.type&lt;/code>&lt;/td>
&lt;td>&lt;code>file&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.orgId.disableDeletion&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.orgId.options.path&lt;/code>&lt;/td>
&lt;td>&lt;code>/var/lib/grafana/dashboards/istio&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-prometheus-key-value-pairs">New &lt;code>prometheus&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>prometheus.image&lt;/code>&lt;/td>
&lt;td>&lt;code>prometheus&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-gateways-key-value-pairs">New &lt;code>gateways&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.rollingMaxSurge&lt;/code>&lt;/td>
&lt;td>&lt;code>100%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.rollingMaxUnavailable&lt;/code>&lt;/td>
&lt;td>&lt;code>25%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.rollingMaxSurge&lt;/code>&lt;/td>
&lt;td>&lt;code>100%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.rollingMaxUnavailable&lt;/code>&lt;/td>
&lt;td>&lt;code>25%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ilbgateway.rollingMaxSurge&lt;/code>&lt;/td>
&lt;td>&lt;code>100%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ilbgateway.rollingMaxUnavailable&lt;/code>&lt;/td>
&lt;td>&lt;code>25%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-certmanager-key-value-pairs">New &lt;code>certmanager&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>certmanager.image&lt;/code>&lt;/td>
&lt;td>&lt;code>cert-manager-controller&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-kiali-key-value-pairs">New &lt;code>kiali&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>kiali.image&lt;/code>&lt;/td>
&lt;td>&lt;code>kiali&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.dashboard.auth.strategy&lt;/code>&lt;/td>
&lt;td>&lt;code>login&lt;/code>&lt;/td>
&lt;td>&lt;code>Can be anonymous, login, or openshift&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.security.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.security.cert_file&lt;/code>&lt;/td>
&lt;td>&lt;code>/kiali-cert/cert-chain.pem&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.security.private_key_file&lt;/code>&lt;/td>
&lt;td>&lt;code>/kiali-cert/key.pem&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-istiocoredns-key-value-pairs">New &lt;code>istiocoredns&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>istiocoredns.rollingMaxSurge&lt;/code>&lt;/td>
&lt;td>&lt;code>100%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>istiocoredns.rollingMaxUnavailable&lt;/code>&lt;/td>
&lt;td>&lt;code>25%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-security-key-value-pairs">New &lt;code>security&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>security.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>security.rollingMaxSurge&lt;/code>&lt;/td>
&lt;td>&lt;code>100%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>security.rollingMaxUnavailable&lt;/code>&lt;/td>
&lt;td>&lt;code>25%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>security.workloadCertTtl&lt;/code>&lt;/td>
&lt;td>&lt;code>2160h&lt;/code>&lt;/td>
&lt;td>&lt;code>90*24hour = 2160h&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>security.enableNamespacesByDefault&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;code>Determines Citadel default behavior if the ca.istio.io/env or ca.istio.io/override labels are not found on a given namespace. For example: consider a namespace called &amp;quot;target&amp;quot;, which has neither the &amp;quot;ca.istio.io/env&amp;quot; nor the &amp;quot;ca.istio.io/override&amp;quot; namespace labels. To decide whether or not to generate secrets for service accounts created in this &amp;quot;target&amp;quot; namespace, Citadel will defer to this option. If the value of this option is &amp;quot;true&amp;quot; in this case, secrets will be generated for the &amp;quot;target&amp;quot; namespace. If the value of this option is &amp;quot;false&amp;quot; Citadel will not generate secrets upon service account creation.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-pilot-key-value-pairs">New &lt;code>pilot&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>pilot.rollingMaxSurge&lt;/code>&lt;/td>
&lt;td>&lt;code>100%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>pilot.rollingMaxUnavailable&lt;/code>&lt;/td>
&lt;td>&lt;code>25%&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>pilot.enableProtocolSniffing&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>if protocol sniffing is enabled. Default to false.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="removed-configuration-options">Removed configuration options&lt;/h2>
&lt;h3 id="removed-global-key-value-pairs">Removed &lt;code>global&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>global.sds.useTrustworthyJwt&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.sds.useNormalJwt&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.localityLbSetting&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-mixer-key-value-pairs">Removed &lt;code>mixer&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>mixer.templates.useTemplateCRDs&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-grafana-key-value-pairs">Removed &lt;code>grafana&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.disableDeletion&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.type&lt;/code>&lt;/td>
&lt;td>&lt;code>file&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.folder&lt;/code>&lt;/td>
&lt;td>&lt;code>'istio'&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.isDefault&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.url&lt;/code>&lt;/td>
&lt;td>&lt;code>http://prometheus:9090&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.access&lt;/code>&lt;/td>
&lt;td>&lt;code>proxy&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.jsonData.timeInterval&lt;/code>&lt;/td>
&lt;td>&lt;code>5s&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.options.path&lt;/code>&lt;/td>
&lt;td>&lt;code>/var/lib/grafana/dashboards/istio&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.editable&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.orgId&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;!-- AUTO-GENERATED-END --></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3/helm-changes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3/helm-changes/</guid><category>kubernetes</category><category>helm</category><category>install</category><category>options</category></item><item><title>Helm Changes</title><description>
&lt;p>The tables below show changes made to the installation options used to customize Istio install using Helm between Istio 1.1 and Istio 1.2. The tables are grouped in to three different categories:&lt;/p>
&lt;ul>
&lt;li>The installation options already in the previous release but whose values have been modified in the new release.&lt;/li>
&lt;li>The new installation options added in the new release.&lt;/li>
&lt;li>The installation options removed from the new release.&lt;/li>
&lt;/ul>
&lt;!-- Run python scripts/tablegen.py to generate this table -->
&lt;!-- AUTO-GENERATED-START -->
&lt;h2 id="modified-configuration-options">Modified configuration options&lt;/h2>
&lt;h3 id="modified-kiali-key-value-pairs">Modified &lt;code>kiali&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>kiali.hub&lt;/code>&lt;/td>
&lt;td>&lt;code>docker.io/kiali&lt;/code>&lt;/td>
&lt;td>&lt;code>quay.io/kiali&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>v0.14&lt;/code>&lt;/td>
&lt;td>&lt;code>v0.20&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-prometheus-key-value-pairs">Modified &lt;code>prometheus&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>prometheus.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>v2.3.1&lt;/code>&lt;/td>
&lt;td>&lt;code>v2.8.0&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-global-key-value-pairs">Modified &lt;code>global&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>global.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>release-1.1-latest-daily&lt;/code>&lt;/td>
&lt;td>&lt;code>1.2.0-rc.3&lt;/code>&lt;/td>
&lt;td>&lt;code>Default tag for Istio images.&lt;/code>&lt;/td>
&lt;td>&lt;code>Default tag for Istio images.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.resources.limits.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>128Mi&lt;/code>&lt;/td>
&lt;td>&lt;code>1024Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.dnsRefreshRate&lt;/code>&lt;/td>
&lt;td>&lt;code>5s&lt;/code>&lt;/td>
&lt;td>&lt;code>300s&lt;/code>&lt;/td>
&lt;td>&lt;code>Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS 5 seconds is the default refresh rate used by Envoy&lt;/code>&lt;/td>
&lt;td>&lt;code>Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS This must be given it terms of seconds. For example, 300s is valid but 5m is invalid.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-mixer-key-value-pairs">Modified &lt;code>mixer&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>mixer.adapters.useAdapterCRDs&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>Setting this to false sets the useAdapterCRDs mixer startup argument to false&lt;/code>&lt;/td>
&lt;td>&lt;code>Setting this to false sets the useAdapterCRDs mixer startup argument to false&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-grafana-key-value-pairs">Modified &lt;code>grafana&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>grafana.image.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>5.4.0&lt;/code>&lt;/td>
&lt;td>&lt;code>6.1.6&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="new-configuration-options">New configuration options&lt;/h2>
&lt;h3 id="new-tracing-key-value-pairs">New &lt;code>tracing&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>tracing.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-sidecarinjectorwebhook-key-value-pairs">New &lt;code>sidecarInjectorWebhook&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>sidecarInjectorWebhook.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>sidecarInjectorWebhook.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>sidecarInjectorWebhook.neverInjectSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;code>You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or always skip the injection on pods that match that label selector, regardless of the global policy. See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/more-control-adding-exceptions&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>sidecarInjectorWebhook.alwaysInjectSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-global-key-value-pairs">New &lt;code>global&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>global.logging.level&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;default:info&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.logLevel&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>Log level for proxy, applies to gateways and sidecars. If left empty, &amp;quot;warning&amp;quot; is used. Expected values are: trace\|debug\|info\|warning\|error\|critical\|off&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.componentLogLevel&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the global &amp;quot;logLevel&amp;quot; will be used. If left empty, &amp;quot;misc:error&amp;quot; is used.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.excludeOutboundPorts&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.tracer.datadog.address&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;$(HOST_IP):8126&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.imagePullSecrets&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;code>Lists the secrets you need to use to pull Istio images from a secure registry.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.localityLbSetting&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-galley-key-value-pairs">New &lt;code>galley&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>galley.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>galley.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>galley.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>galley.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-mixer-key-value-pairs">New &lt;code>mixer&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>mixer.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.templates.useTemplateCRDs&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-grafana-key-value-pairs">New &lt;code>grafana&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>grafana.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-prometheus-key-value-pairs">New &lt;code>prometheus&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>prometheus.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>prometheus.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>prometheus.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-gateways-key-value-pairs">New &lt;code>gateways&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.sds.resources.requests.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>100m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.sds.resources.requests.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>128Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.sds.resources.limits.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>2000m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.sds.resources.limits.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>1024Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.resources.requests.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>100m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.resources.requests.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>128Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.resources.limits.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>2000m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.resources.limits.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>1024Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.applicationPorts&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.resources.requests.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>100m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.resources.requests.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>128Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.resources.limits.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>2000m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.resources.limits.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>256Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ilbgateway.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-certmanager-key-value-pairs">New &lt;code>certmanager&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>certmanager.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>certmanager.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>certmanager.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>certmanager.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>certmanager.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-kiali-key-value-pairs">New &lt;code>kiali&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>kiali.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.dashboard.viewOnlyMode&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>Bind the service account to a role with only read access&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-istiocoredns-key-value-pairs">New &lt;code>istiocoredns&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>istiocoredns.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>istiocoredns.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>istiocoredns.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-security-key-value-pairs">New &lt;code>security&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>security.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>security.citadelHealthCheck&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>security.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>security.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-nodeagent-key-value-pairs">New &lt;code>nodeagent&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>nodeagent.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>nodeagent.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>nodeagent.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-pilot-key-value-pairs">New &lt;code>pilot&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>pilot.tolerations&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>pilot.podAntiAffinityLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>pilot.podAntiAffinityTermLabelSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="removed-configuration-options">Removed configuration options&lt;/h2>
&lt;h3 id="removed-kiali-key-value-pairs">Removed &lt;code>kiali&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>kiali.dashboard.usernameKey&lt;/code>&lt;/td>
&lt;td>&lt;code>username&lt;/code>&lt;/td>
&lt;td>&lt;code>This is the key name within the secret whose value is the actual username.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.dashboard.passphraseKey&lt;/code>&lt;/td>
&lt;td>&lt;code>passphrase&lt;/code>&lt;/td>
&lt;td>&lt;code>This is the key name within the secret whose value is the actual passphrase.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-security-key-value-pairs">Removed &lt;code>security&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>security.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-gateways-key-value-pairs">Removed &lt;code>gateways&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.resources&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-mixer-key-value-pairs">Removed &lt;code>mixer&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>mixer.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-servicegraph-key-value-pairs">Removed &lt;code>servicegraph&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>servicegraph.ingress.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.service.name&lt;/code>&lt;/td>
&lt;td>&lt;code>http&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.service.type&lt;/code>&lt;/td>
&lt;td>&lt;code>ClusterIP&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.service.annotations&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.image&lt;/code>&lt;/td>
&lt;td>&lt;code>servicegraph&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.service.externalPort&lt;/code>&lt;/td>
&lt;td>&lt;code>8088&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.ingress.hosts&lt;/code>&lt;/td>
&lt;td>&lt;code>servicegraph.local&lt;/code>&lt;/td>
&lt;td>&lt;code>Used to create an Ingress record.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.prometheusAddr&lt;/code>&lt;/td>
&lt;td>&lt;code>http://prometheus:9090&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;!-- AUTO-GENERATED-END --></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2/helm-changes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2/helm-changes/</guid><category>kubernetes</category><category>helm</category><category>install</category><category>options</category></item><item><title>Helm Changes</title><description>
&lt;p>The tables below show changes made to the installation options used to customize Istio install using Helm between Istio 1.0 and Istio 1.1. The tables are grouped in to three different categories:&lt;/p>
&lt;ul>
&lt;li>The installation options already in the previous release but whose values or descriptions have been modified in the new release.&lt;/li>
&lt;li>The new installation options added in the new release.&lt;/li>
&lt;li>The installation options removed from the new release.&lt;/li>
&lt;/ul>
&lt;!-- Run python scripts/tablegen.py to generate this table -->
&lt;!-- AUTO-GENERATED-START -->
&lt;h2 id="modified-configuration-options">Modified configuration options&lt;/h2>
&lt;h3 id="modified-servicegraph-key-value-pairs">Modified &lt;code>servicegraph&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>servicegraph.ingress.hosts&lt;/code>&lt;/td>
&lt;td>&lt;code>servicegraph.local&lt;/code>&lt;/td>
&lt;td>&lt;code>servicegraph.local&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>Used to create an Ingress record.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-tracing-key-value-pairs">Modified &lt;code>tracing&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>1.5&lt;/code>&lt;/td>
&lt;td>&lt;code>1.9&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-global-key-value-pairs">Modified &lt;code>global&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>global.hub&lt;/code>&lt;/td>
&lt;td>&lt;code>gcr.io/istio-release&lt;/code>&lt;/td>
&lt;td>&lt;code>gcr.io/istio-release&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>Default hub for Istio images.Releases are published to docker hub under 'istio' project.Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>release-1.0-latest-daily&lt;/code>&lt;/td>
&lt;td>&lt;code>release-1.1-latest-daily&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>Default tag for Istio images.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.resources.requests.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>10m&lt;/code>&lt;/td>
&lt;td>&lt;code>100m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.accessLogFile&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;/dev/stdout&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.enableCoreDump&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>If set, newly injected sidecars will have core dumps enabled.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.autoInject&lt;/code>&lt;/td>
&lt;td>&lt;code>enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>enabled&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>This controls the 'policy' in the sidecar injector.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyStatsd.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyStatsd.host&lt;/code>&lt;/td>
&lt;td>&lt;code>istio-statsd-prom-bridge&lt;/code>&lt;/td>
&lt;td>``&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>example: statsd-svc.istio-system&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyStatsd.port&lt;/code>&lt;/td>
&lt;td>&lt;code>9125&lt;/code>&lt;/td>
&lt;td>``&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>example: 9125&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy_init.image&lt;/code>&lt;/td>
&lt;td>&lt;code>proxy_init&lt;/code>&lt;/td>
&lt;td>&lt;code>proxy_init&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>Base name for the proxy_init container, used to configure iptables.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.controlPlaneSecurityEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>controlPlaneMtls enabled. Will result in delays starting the pods while secrets arepropagated, not recommended for tests.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.disablePolicyChecks&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>disablePolicyChecks disables mixer policy checks.if mixer.policy.enabled==true then disablePolicyChecks has affect.Will set the value with same name in istio config map - pilot needs to be restarted to take effect.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.enableTracing&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.mtls.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>Default setting for service-to-service mtls. Can be set explicitly usingdestination rules or service annotations.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.oneNamespace&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>Whether to restrict the applications namespace the controller manages;If not set, controller watches all namespaces&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.configValidation&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>Whether to perform server-side validation of configuration.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-gateways-key-value-pairs">Modified &lt;code>gateways&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.type&lt;/code>&lt;/td>
&lt;td>&lt;code>LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be&lt;/code>&lt;/td>
&lt;td>&lt;code>LoadBalancer&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>change to NodePort, ClusterIP or LoadBalancer if need be&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.type&lt;/code>&lt;/td>
&lt;td>&lt;code>ClusterIP #change to NodePort or LoadBalancer if need be&lt;/code>&lt;/td>
&lt;td>&lt;code>ClusterIP&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>change to NodePort or LoadBalancer if need be&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-certmanager-key-value-pairs">Modified &lt;code>certmanager&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>certmanager.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>v0.3.1&lt;/code>&lt;/td>
&lt;td>&lt;code>v0.6.2&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-kiali-key-value-pairs">Modified &lt;code>kiali&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>kiali.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>istio-release-1.0&lt;/code>&lt;/td>
&lt;td>&lt;code>v0.14&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-security-key-value-pairs">Modified &lt;code>security&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>security.selfSigned&lt;/code>&lt;/td>
&lt;td>&lt;code>true # indicate if self-signed CA is used.&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;code>indicate if self-signed CA is used.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="modified-pilot-key-value-pairs">Modified &lt;code>pilot&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Old Default Value&lt;/th>
&lt;th>New Default Value&lt;/th>
&lt;th>Old Description&lt;/th>
&lt;th>New Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>pilot.autoscaleMax&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;code>5&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>pilot.traceSampling&lt;/code>&lt;/td>
&lt;td>&lt;code>100.0&lt;/code>&lt;/td>
&lt;td>&lt;code>1.0&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="new-configuration-options">New configuration options&lt;/h2>
&lt;h3 id="new-istio-cni-key-value-pairs">New &lt;code>istio_cni&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>istio_cni.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-servicegraph-key-value-pairs">New &lt;code>servicegraph&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>servicegraph.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-tracing-key-value-pairs">New &lt;code>tracing&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>tracing.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.hub&lt;/code>&lt;/td>
&lt;td>&lt;code>docker.io/openzipkin&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>2&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.probeStartupDelay&lt;/code>&lt;/td>
&lt;td>&lt;code>200&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.queryPort&lt;/code>&lt;/td>
&lt;td>&lt;code>9411&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.resources.limits.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>300m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.resources.limits.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>900Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.resources.requests.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>150m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.resources.requests.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>900Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.javaOptsHeap&lt;/code>&lt;/td>
&lt;td>&lt;code>700&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.maxSpans&lt;/code>&lt;/td>
&lt;td>&lt;code>500000&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.zipkin.node.cpus&lt;/code>&lt;/td>
&lt;td>&lt;code>2&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-sidecarinjectorwebhook-key-value-pairs">New &lt;code>sidecarInjectorWebhook&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>sidecarInjectorWebhook.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>sidecarInjectorWebhook.rewriteAppHTTPProbe&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>If true, webhook or istioctl injector will rewrite PodSpec for livenesshealth check to redirect request to sidecar. This makes liveness check workeven when mTLS is enabled.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-global-key-value-pairs">New &lt;code>global&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>global.monitoringPort&lt;/code>&lt;/td>
&lt;td>&lt;code>15014&lt;/code>&lt;/td>
&lt;td>&lt;code>monitoring port used by mixer, pilot, galley&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.k8sIngress.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.k8sIngress.gatewayName&lt;/code>&lt;/td>
&lt;td>&lt;code>ingressgateway&lt;/code>&lt;/td>
&lt;td>&lt;code>Gateway used for k8s Ingress resources. By default it isusing 'istio:ingressgateway' that will be installed by setting'gateways.enabled' and 'gateways.istio-ingressgateway.enabled'flags to true.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.k8sIngress.enableHttps&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>enableHttps will add port 443 on the ingress.It REQUIRES that the certificates are installed in theexpected secrets - enabling this option without certificateswill result in LDS rejection and the ingress will not work.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.clusterDomain&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;cluster.local&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>cluster domain. Default value is &amp;quot;cluster.local&amp;quot;.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.resources.requests.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>128Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.resources.limits.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>2000m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.resources.limits.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>128Mi&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.concurrency&lt;/code>&lt;/td>
&lt;td>&lt;code>2&lt;/code>&lt;/td>
&lt;td>&lt;code>Controls number of Proxy worker threads.If set to 0 (default), then start worker thread for each CPU thread/core.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.accessLogFormat&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>Configure how and what fields are displayed in sidecar access log. Setting toempty string will result in default log format&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.accessLogEncoding&lt;/code>&lt;/td>
&lt;td>&lt;code>TEXT&lt;/code>&lt;/td>
&lt;td>&lt;code>Configure the access log for sidecar to JSON or TEXT.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.dnsRefreshRate&lt;/code>&lt;/td>
&lt;td>&lt;code>5s&lt;/code>&lt;/td>
&lt;td>&lt;code>Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS5 seconds is the default refresh rate used by Envoy&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.privileged&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>If set to true, istio-proxy container will have privileged securityContext&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.statusPort&lt;/code>&lt;/td>
&lt;td>&lt;code>15020&lt;/code>&lt;/td>
&lt;td>&lt;code>Default port for Pilot agent health checks. A value of 0 will disable health checking.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.readinessInitialDelaySeconds&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;code>The initial delay for readiness probes in seconds.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.readinessPeriodSeconds&lt;/code>&lt;/td>
&lt;td>&lt;code>2&lt;/code>&lt;/td>
&lt;td>&lt;code>The period between readiness probes.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.readinessFailureThreshold&lt;/code>&lt;/td>
&lt;td>&lt;code>30&lt;/code>&lt;/td>
&lt;td>&lt;code>The number of successive failed probes before indicating readiness failure.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.kubevirtInterfaces&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>pod internal interfaces&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyMetricsService.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyMetricsService.host&lt;/code>&lt;/td>
&lt;td>``&lt;/td>
&lt;td>&lt;code>example: metrics-service.istio-system&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.envoyMetricsService.port&lt;/code>&lt;/td>
&lt;td>``&lt;/td>
&lt;td>&lt;code>example: 15000&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.proxy.tracer&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;zipkin&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>Specify which tracer to use. One of: lightstep, zipkin&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.policyCheckFailOpen&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.Default is false which means the traffic is denied when the client is unable to connect to Mixer.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.tracer.lightstep.address&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>example: lightstep-satellite:443&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.tracer.lightstep.accessToken&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>example: abcdefg1234567&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.tracer.lightstep.secure&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;code>example: true\|false&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.tracer.lightstep.cacertPath&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>example: /etc/lightstep/cacert.pem&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.tracer.zipkin.address&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.defaultNodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;code>Default node selector to be applied to all deployments so that all pods can beconstrained to run a particular nodes. Each component can overwrite these defaultvalues by adding its node selector block in the relevant section below and settingthe desired values.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.meshExpansion.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.meshExpansion.useILB&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>If set to true, the pilot and citadel mtls and the plain text pilot portswill be exposed on an internal gateway&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.multiCluster.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>Set to true to connect two kubernetes clusters via their respectiveingressgateway services when pods in each cluster cannot directlytalk to one another. All clusters should be using Istio mTLS and musthave a shared root CA for this model to work.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.defaultPodDisruptionBudget.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.useMCP&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;code>Use the Mesh Control Protocol (MCP) for configuring Mixer andPilot. Requires galley (--set galley.enabled=true).&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.trustDomain&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.outboundTrafficPolicy.mode&lt;/code>&lt;/td>
&lt;td>&lt;code>ALLOW_ANY&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.sds.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>SDS enabled. IF set to true, mTLS certificates for the sidecars will bedistributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.sds.udsPath&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.sds.useTrustworthyJwt&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.sds.useNormalJwt&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.meshNetworks&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.enableHelmTest&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>Specifies whether helm test is enabled or not.This field is set to false by default, so 'helm template ...'will ignore the helm test yaml files when generating the template&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-mixer-key-value-pairs">New &lt;code>mixer&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>mixer.env.GODEBUG&lt;/code>&lt;/td>
&lt;td>&lt;code>gctrace=1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.env.GOMAXPROCS&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;6&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>max procs should be ceil(cpu limit + 1)&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.policy.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>if policy is enabled, global.disablePolicyChecks has affect.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.policy.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.policy.autoscaleEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.policy.autoscaleMin&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.policy.autoscaleMax&lt;/code>&lt;/td>
&lt;td>&lt;code>5&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.policy.cpu.targetAverageUtilization&lt;/code>&lt;/td>
&lt;td>&lt;code>80&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.autoscaleEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.autoscaleMin&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.autoscaleMax&lt;/code>&lt;/td>
&lt;td>&lt;code>5&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.cpu.targetAverageUtilization&lt;/code>&lt;/td>
&lt;td>&lt;code>80&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.sessionAffinityEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.loadshedding.mode&lt;/code>&lt;/td>
&lt;td>&lt;code>enforce&lt;/code>&lt;/td>
&lt;td>&lt;code>disabled, logonly or enforce&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.loadshedding.latencyThreshold&lt;/code>&lt;/td>
&lt;td>&lt;code>100ms&lt;/code>&lt;/td>
&lt;td>&lt;code>based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.resources.requests.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>1000m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.resources.requests.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>1G&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.resources.limits.cpu&lt;/code>&lt;/td>
&lt;td>&lt;code>4800m&lt;/code>&lt;/td>
&lt;td>&lt;code>It is best to do horizontal scaling of mixer using moderate cpu allocation.We have experimentally found that these values work well.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.telemetry.resources.limits.memory&lt;/code>&lt;/td>
&lt;td>&lt;code>4G&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.podAnnotations&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.adapters.kubernetesenv.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.adapters.stdio.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.adapters.stdio.outputAsJson&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.adapters.prometheus.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.adapters.prometheus.metricsExpiryDuration&lt;/code>&lt;/td>
&lt;td>&lt;code>10m&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.adapters.useAdapterCRDs&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;code>Setting this to false sets the useAdapterCRDs mixer startup argument to false&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-grafana-key-value-pairs">New &lt;code>grafana&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>grafana.image.repository&lt;/code>&lt;/td>
&lt;td>&lt;code>grafana/grafana&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.image.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>5.4.0&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.ingress.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.ingress.hosts&lt;/code>&lt;/td>
&lt;td>&lt;code>grafana.local&lt;/code>&lt;/td>
&lt;td>&lt;code>Used to create an Ingress record.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.persist&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.storageClassName&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.accessMode&lt;/code>&lt;/td>
&lt;td>&lt;code>ReadWriteMany&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.security.secretName&lt;/code>&lt;/td>
&lt;td>&lt;code>grafana&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.security.usernameKey&lt;/code>&lt;/td>
&lt;td>&lt;code>username&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.security.passphraseKey&lt;/code>&lt;/td>
&lt;td>&lt;code>passphrase&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.contextPath&lt;/code>&lt;/td>
&lt;td>&lt;code>/grafana&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.apiVersion&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.type&lt;/code>&lt;/td>
&lt;td>&lt;code>prometheus&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.orgId&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.url&lt;/code>&lt;/td>
&lt;td>&lt;code>http://prometheus:9090&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.access&lt;/code>&lt;/td>
&lt;td>&lt;code>proxy&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.isDefault&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.jsonData.timeInterval&lt;/code>&lt;/td>
&lt;td>&lt;code>5s&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.datasources.datasources.datasources.editable&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.apiVersion&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.orgId&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.folder&lt;/code>&lt;/td>
&lt;td>&lt;code>'istio'&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.type&lt;/code>&lt;/td>
&lt;td>&lt;code>file&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.disableDeletion&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.dashboardProviders.dashboardproviders.providers.options.path&lt;/code>&lt;/td>
&lt;td>&lt;code>/var/lib/grafana/dashboards/istio&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-prometheus-key-value-pairs">New &lt;code>prometheus&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>prometheus.retention&lt;/code>&lt;/td>
&lt;td>&lt;code>6h&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>prometheus.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>prometheus.scrapeInterval&lt;/code>&lt;/td>
&lt;td>&lt;code>15s&lt;/code>&lt;/td>
&lt;td>&lt;code>Controls the frequency of prometheus scraping&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>prometheus.contextPath&lt;/code>&lt;/td>
&lt;td>&lt;code>/prometheus&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>prometheus.ingress.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>prometheus.ingress.hosts&lt;/code>&lt;/td>
&lt;td>&lt;code>prometheus.local&lt;/code>&lt;/td>
&lt;td>&lt;code>Used to create an Ingress record.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>prometheus.security.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-gateways-key-value-pairs">New &lt;code>gateways&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.sds.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>If true, ingress gateway fetches credentials from SDS server to handle TLS connections.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.sds.image&lt;/code>&lt;/td>
&lt;td>&lt;code>node-agent-k8s&lt;/code>&lt;/td>
&lt;td>&lt;code>SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.This server runs in the same pod as ingress gateway.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.autoscaleEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.cpu.targetAverageUtilization&lt;/code>&lt;/td>
&lt;td>&lt;code>80&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.loadBalancerSourceRanges&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.externalIPs&lt;/code>&lt;/td>
&lt;td>&lt;code>[]&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.podAnnotations&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>15029&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>https-kiali&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>https-prometheus&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>https-grafana&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>15032&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>https-tracing&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>15443&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>tls&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>15020&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>status-port&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.meshExpansionPorts.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>15011&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.meshExpansionPorts.name&lt;/code>&lt;/td>
&lt;td>&lt;code>tcp-pilot-grpc-tls&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.meshExpansionPorts.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>15004&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.meshExpansionPorts.name&lt;/code>&lt;/td>
&lt;td>&lt;code>tcp-mixer-grpc-tls&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.meshExpansionPorts.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>8060&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.meshExpansionPorts.name&lt;/code>&lt;/td>
&lt;td>&lt;code>tcp-citadel-grpc-tls&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.meshExpansionPorts.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>853&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.meshExpansionPorts.name&lt;/code>&lt;/td>
&lt;td>&lt;code>tcp-dns-tls&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;sni-dnat&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>A gateway with this mode ensures that pilot generates an additionalset of clusters for internal services but without Istio mTLS, toenable cross cluster routing.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.autoscaleEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.cpu.targetAverageUtilization&lt;/code>&lt;/td>
&lt;td>&lt;code>80&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.podAnnotations&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.ports.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>15443&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>tls&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.env.ISTIO_META_ROUTER_MODE&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;sni-dnat&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ilbgateway.autoscaleEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ilbgateway.cpu.targetAverageUtilization&lt;/code>&lt;/td>
&lt;td>&lt;code>80&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ilbgateway.podAnnotations&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ilbgateway.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-kiali-key-value-pairs">New &lt;code>kiali&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>kiali.contextPath&lt;/code>&lt;/td>
&lt;td>&lt;code>/kiali&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.ingress.hosts&lt;/code>&lt;/td>
&lt;td>&lt;code>kiali.local&lt;/code>&lt;/td>
&lt;td>&lt;code>Used to create an Ingress record.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.dashboard.secretName&lt;/code>&lt;/td>
&lt;td>&lt;code>kiali&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.dashboard.usernameKey&lt;/code>&lt;/td>
&lt;td>&lt;code>username&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.dashboard.passphraseKey&lt;/code>&lt;/td>
&lt;td>&lt;code>passphrase&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.prometheusAddr&lt;/code>&lt;/td>
&lt;td>&lt;code>http://prometheus:9090&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.createDemoSecret&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;code>When true, a secret will be created with a default username and password. Useful for demos.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-istiocoredns-key-value-pairs">New &lt;code>istiocoredns&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>istiocoredns.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>istiocoredns.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>istiocoredns.coreDNSImage&lt;/code>&lt;/td>
&lt;td>&lt;code>coredns/coredns:1.1.2&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>istiocoredns.coreDNSPluginImage&lt;/code>&lt;/td>
&lt;td>&lt;code>istio/coredns-plugin:0.2-istio-1.1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>istiocoredns.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-security-key-value-pairs">New &lt;code>security&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>security.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>security.createMeshPolicy&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>security.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-nodeagent-key-value-pairs">New &lt;code>nodeagent&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>nodeagent.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>nodeagent.image&lt;/code>&lt;/td>
&lt;td>&lt;code>node-agent-k8s&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>nodeagent.env.CA_PROVIDER&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>name of authentication provider.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>nodeagent.env.CA_ADDR&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>CA endpoint.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>nodeagent.env.Plugins&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;code>names of authentication provider's plugins.&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>nodeagent.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="new-pilot-key-value-pairs">New &lt;code>pilot&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>pilot.autoscaleEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>pilot.env.PILOT_PUSH_THROTTLE&lt;/code>&lt;/td>
&lt;td>&lt;code>100&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>pilot.env.GODEBUG&lt;/code>&lt;/td>
&lt;td>&lt;code>gctrace=1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>pilot.cpu.targetAverageUtilization&lt;/code>&lt;/td>
&lt;td>&lt;code>80&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>pilot.nodeSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>pilot.keepaliveMaxServerConnectionAge&lt;/code>&lt;/td>
&lt;td>&lt;code>30m&lt;/code>&lt;/td>
&lt;td>&lt;code>The following is used to limit how long a sidecar can be connectedto a pilot. It balances out load across pilot instances at the cost ofincreasing system churn.&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="removed-configuration-options">Removed configuration options&lt;/h2>
&lt;h3 id="removed-ingress-key-value-pairs">Removed &lt;code>ingress&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>ingress.service.ports.nodePort&lt;/code>&lt;/td>
&lt;td>&lt;code>32000&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ingress.service.selector.istio&lt;/code>&lt;/td>
&lt;td>&lt;code>ingress&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ingress.autoscaleMin&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ingress.service.loadBalancerIP&lt;/code>&lt;/td>
&lt;td>&lt;code>&amp;quot;&amp;quot;&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ingress.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ingress.service.annotations&lt;/code>&lt;/td>
&lt;td>&lt;code>{}&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ingress.service.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>http&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ingress.service.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>https&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ingress.autoscaleMax&lt;/code>&lt;/td>
&lt;td>&lt;code>5&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ingress.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ingress.service.type&lt;/code>&lt;/td>
&lt;td>&lt;code>LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-servicegraph-key-value-pairs">Removed &lt;code>servicegraph&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>servicegraph&lt;/code>&lt;/td>
&lt;td>&lt;code>servicegraph.local&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.ingress&lt;/code>&lt;/td>
&lt;td>&lt;code>servicegraph.local&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>servicegraph.service.internalPort&lt;/code>&lt;/td>
&lt;td>&lt;code>8088&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-telemetry-gateway-key-value-pairs">Removed &lt;code>telemetry-gateway&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>telemetry-gateway.prometheusEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>telemetry-gateway.gatewayName&lt;/code>&lt;/td>
&lt;td>&lt;code>ingressgateway&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>telemetry-gateway.grafanaEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-global-key-value-pairs">Removed &lt;code>global&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>global.hyperkube.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>v1.7.6_coreos.0&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.k8sIngressHttps&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.crds&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.hyperkube.hub&lt;/code>&lt;/td>
&lt;td>&lt;code>quay.io/coreos&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.meshExpansion&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.k8sIngressSelector&lt;/code>&lt;/td>
&lt;td>&lt;code>ingress&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>global.meshExpansionILB&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-mixer-key-value-pairs">Removed &lt;code>mixer&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>mixer.autoscaleMin&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.istio-policy.cpu.targetAverageUtilization&lt;/code>&lt;/td>
&lt;td>&lt;code>80&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.autoscaleMax&lt;/code>&lt;/td>
&lt;td>&lt;code>5&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.istio-telemetry.autoscaleMin&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.prometheusStatsdExporter.tag&lt;/code>&lt;/td>
&lt;td>&lt;code>v0.6.0&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.istio-telemetry.autoscaleMax&lt;/code>&lt;/td>
&lt;td>&lt;code>5&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.istio-telemetry.cpu.targetAverageUtilization&lt;/code>&lt;/td>
&lt;td>&lt;code>80&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.istio-policy.autoscaleEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.istio-telemetry.autoscaleEnabled&lt;/code>&lt;/td>
&lt;td>&lt;code>true&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.prometheusStatsdExporter.hub&lt;/code>&lt;/td>
&lt;td>&lt;code>docker.io/prom&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.istio-policy.autoscaleMin&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>mixer.istio-policy.autoscaleMax&lt;/code>&lt;/td>
&lt;td>&lt;code>5&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-grafana-key-value-pairs">Removed &lt;code>grafana&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>grafana.image&lt;/code>&lt;/td>
&lt;td>&lt;code>grafana&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.service.internalPort&lt;/code>&lt;/td>
&lt;td>&lt;code>3000&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.security.adminPassword&lt;/code>&lt;/td>
&lt;td>&lt;code>admin&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>grafana.security.adminUser&lt;/code>&lt;/td>
&lt;td>&lt;code>admin&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-gateways-key-value-pairs">Removed &lt;code>gateways&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ilbgateway.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-egressgateway.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>tcp-pilot-grpc-tls&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>tcp-citadel-grpc-tls&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>http2-prometheus&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.name&lt;/code>&lt;/td>
&lt;td>&lt;code>http2-grafana&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>15011&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>gateways.istio-ingressgateway.ports.targetPort&lt;/code>&lt;/td>
&lt;td>&lt;code>8060&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-tracing-key-value-pairs">Removed &lt;code>tracing&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>tracing.service.internalPort&lt;/code>&lt;/td>
&lt;td>&lt;code>9411&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.ingress&lt;/code>&lt;/td>
&lt;td>&lt;code>jaeger.local&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.ingress&lt;/code>&lt;/td>
&lt;td>&lt;code>tracing.local&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger&lt;/code>&lt;/td>
&lt;td>&lt;code>jaeger.local&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing&lt;/code>&lt;/td>
&lt;td>&lt;code>jaeger.local tracing.local&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.ingress.hosts&lt;/code>&lt;/td>
&lt;td>&lt;code>jaeger.local&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.ingress.enabled&lt;/code>&lt;/td>
&lt;td>&lt;code>false&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.ingress.hosts&lt;/code>&lt;/td>
&lt;td>&lt;code>tracing.local&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>tracing.jaeger.ui.port&lt;/code>&lt;/td>
&lt;td>&lt;code>16686&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-kiali-key-value-pairs">Removed &lt;code>kiali&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>kiali.dashboard.username&lt;/code>&lt;/td>
&lt;td>&lt;code>admin&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>kiali.dashboard.passphrase&lt;/code>&lt;/td>
&lt;td>&lt;code>admin&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="removed-pilot-key-value-pairs">Removed &lt;code>pilot&lt;/code> key/value pairs&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Key&lt;/th>
&lt;th>Default Value&lt;/th>
&lt;th>Description&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>pilot.replicaCount&lt;/code>&lt;/td>
&lt;td>&lt;code>1&lt;/code>&lt;/td>
&lt;td>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;!-- AUTO-GENERATED-END --></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1/helm-changes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1/helm-changes/</guid><category>kubernetes</category><category>helm</category><category>install</category><category>options</category></item><item><title>Upgrade Notes</title><description>
&lt;p>This page describes changes you need to be aware of when upgrading from
Istio 1.4.x to 1.5.x. Here, we detail cases where we intentionally broke backwards
compatibility. We also mention cases where backwards compatibility was
preserved but new behavior was introduced that would be surprising to someone
familiar with the use and operation of Istio 1.4.&lt;/p>
&lt;h2 id="control-plane-restructuring">Control Plane Restructuring&lt;/h2>
&lt;p>In Istio 1.5, we have moved towards a new deployment model for the control plane, with many components consolidated. The following describes where various functionality has been moved to.&lt;/p>
&lt;h3 id="istiod">Istiod&lt;/h3>
&lt;p>In Istio 1.5, there will be a new deployment, &lt;code>istiod&lt;/code>. This component is the core of the control plane, and will handle configuration and certificate distribution, sidecar injection, and more.&lt;/p>
&lt;h3 id="sidecar-injection">Sidecar injection&lt;/h3>
&lt;p>Previously, sidecar injection was handled by a mutating webhook that was processed by a deployment named &lt;code>istio-sidecar-injector&lt;/code>. In Istio 1.5, the same mutating webhook remains, but it will now point to the &lt;code>istiod&lt;/code> deployment. All injection logic remains the same.&lt;/p>
&lt;h3 id="galley">Galley&lt;/h3>
&lt;ul>
&lt;li>Configuration Validation - this functionality remains the same, but is now handled by the &lt;code>istiod&lt;/code> deployment.&lt;/li>
&lt;li>MCP Server - the MCP server has been disabled by default. For most users, this is an implementation detail. If you depend on this functionality, you will need to run the &lt;code>istio-galley&lt;/code> deployment.&lt;/li>
&lt;li>Experimental features (such as configuration analysis) - These features will require the &lt;code>istio-galley&lt;/code> deployment.&lt;/li>
&lt;/ul>
&lt;h3 id="citadel">Citadel&lt;/h3>
&lt;p>Previously, Citadel served two functions: writing certificates to secrets in each namespace, and serving secrets to the &lt;code>nodeagent&lt;/code> over &lt;code>gRPC&lt;/code> when SDS is used. In Istio 1.5, secrets are no longer written to each namespace. Instead, they are only served over gRPC. This functionality has been moved to the &lt;code>istiod&lt;/code> deployment.&lt;/p>
&lt;h3 id="sds-node-agent">SDS Node Agent&lt;/h3>
&lt;p>The &lt;code>nodeagent&lt;/code> deployment has been removed. This functionality now exists in the Envoy sidecar.&lt;/p>
&lt;h3 id="sidecar">Sidecar&lt;/h3>
&lt;p>Previously, the sidecar was able to access certificates in two ways: through secrets mounted as files, or over SDS (through the &lt;code>nodeagent&lt;/code> deployment). In Istio 1.5, this has been simplified. All secrets will be served over a locally run SDS server. For most users, these secrets will be fetched from the &lt;code>istiod&lt;/code> deployment. For users with a custom CA, file mounted secrets can still be used, however, these will still be served by the local SDS server. This means that certificate rotations will no longer require Envoy to restart.&lt;/p>
&lt;h3 id="cni">CNI&lt;/h3>
&lt;p>There have been no changes to the deployment of &lt;code>istio-cni&lt;/code>.&lt;/p>
&lt;h3 id="pilot">Pilot&lt;/h3>
&lt;p>The &lt;code>istio-pilot&lt;/code> deployment has been removed in favor of the &lt;code>istiod&lt;/code> deployment, which contains all functionality that Pilot once had. For backwards compatibility, there are still some references to Pilot.&lt;/p>
&lt;h2 id="mixer-deprecation">Mixer deprecation&lt;/h2>
&lt;p>Mixer, the process behind the &lt;code>istio-telemetry&lt;/code> and &lt;code>istio-policy&lt;/code> deployments, has been deprecated with the 1.5 release. &lt;code>istio-policy&lt;/code> was disabled by default since Istio 1.3 and &lt;code>istio-telemetry&lt;/code> is disabled by default in Istio 1.5.&lt;/p>
&lt;p>Telemetry is collected using an in-proxy extension mechanism (Telemetry V2) that does not require Mixer.&lt;/p>
&lt;p>If you depend on specific Mixer features like out of process adapters, you may re-enable Mixer. Mixer will continue receiving bug fixes and security fixes until Istio 1.7.
Many features supported by Mixer have alternatives as specified in the &lt;a href="https://tinyurl.com/mixer-deprecation">Mixer Deprecation&lt;/a> document including the &lt;a href="https://github.com/istio/proxy/tree/master/extensions">in-proxy extensions&lt;/a> based on the WebAssembly sandbox API.&lt;/p>
&lt;p>If you rely on a Mixer feature that does not have an equivalent, we encourage you to open issues and discuss in the community.&lt;/p>
&lt;p>Please check &lt;a href="https://tinyurl.com/mixer-deprecation">Mixer Deprecation&lt;/a> notice for details.&lt;/p>
&lt;h3 id="feature-gaps-between-telemetry-v2-and-mixer-telemetry">Feature gaps between Telemetry V2 and Mixer Telemetry&lt;/h3>
&lt;ul>
&lt;li>Out of mesh telemetry is not supported. Some telemetry is missing if the traffic source or destination is not sidecar injected.&lt;/li>
&lt;li>Egress gateway telemetry is &lt;a href="https://github.com/istio/istio/issues/19385">not supported&lt;/a>.&lt;/li>
&lt;li>TCP telemetry is only supported with &lt;code>mtls&lt;/code>.&lt;/li>
&lt;li>Black Hole telemetry for TCP and HTTP protocols is not supported.&lt;/li>
&lt;li>Histogram buckets are &lt;a href="https://github.com/istio/istio/issues/20483">significantly different&lt;/a> than Mixer Telemetry and cannot be changed.&lt;/li>
&lt;/ul>
&lt;h2 id="authentication-policy">Authentication policy&lt;/h2>
&lt;p>Istio 1.5 introduces &lt;a href="/v1.5/docs/reference/config/security/peer_authentication/">&lt;code>PeerAuthentication&lt;/code>&lt;/a> and &lt;a href="/v1.5/docs/reference/config/security/request_authentication/">&lt;code>RequestAuthentication&lt;/code>&lt;/a>, which are replacing the alpha version of the Authentication API. For more information about how to use the new API, see the &lt;a href="/v1.5/docs/tasks/security/authentication/authn-policy">authentication policy&lt;/a> tutorial.&lt;/p>
&lt;ul>
&lt;li>After you upgrade Istio, your alpha authentication policies remain in place and being used. You can gradually replace them with the equivalent &lt;code>PeerAuthentication&lt;/code> and &lt;code>RequestAuthentication&lt;/code>. The new policy will take over the old policy in the scope it is defined. We recommend starting with workload-wide (the most specific scope), then namespace-wide, and finally mesh-wide.&lt;/li>
&lt;li>After you replace policies for workload, namespace, and mesh, you can safely remove the alpha authentication policies. To delete the alpha policies, use this command:&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete policies.authentication.istio.io --all-namespaces --all
$ kubectl delete meshpolicies.authentication.istio.io --all
&lt;/code>&lt;/pre>
&lt;h2 id="istio-workload-key-and-certificate-provisioning">Istio workload key and certificate provisioning&lt;/h2>
&lt;ul>
&lt;li>We have stabilized the SDS certificate and key provisioning flow. Now the Istio workloads are using SDS to provision certificates. The secret volume mount approach is deprecated.&lt;/li>
&lt;li>Please note when mutual TLS is enabled, Prometheus deployment needs to be manually modified to monitor the workloads. The details are described in this &lt;a href="https://github.com/istio/istio/issues/21843">issue&lt;/a>. This is not required in 1.5.1.&lt;/li>
&lt;/ul>
&lt;h2 id="automatic-mutual-tls">Automatic mutual TLS&lt;/h2>
&lt;p>Automatic mutual TLS is now enabled by default. Traffic between sidecars is automatically configured as mutual TLS. You can disable this explicitly if you worry about the encryption overhead by adding the option &lt;code>-- set values.global.mtls.auto=false&lt;/code> during install. For more details, refer to &lt;a href="/v1.5/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls">automatic mutual TLS&lt;/a>.&lt;/p>
&lt;h2 id="control-plane-security">Control plane security&lt;/h2>
&lt;p>As part of the Istiod effort, we have changed how proxies securely communicate with the control plane. In previous versions, proxies would connect to the control plane securely when the setting &lt;code>values.global.controlPlaneSecurityEnabled=true&lt;/code> was configured, which was the default for Istio 1.4. Each control plane component ran a sidecar with Citadel certificates, and proxies connected to Pilot over port 15011.&lt;/p>
&lt;p>In Istio 1.5, this is no longer the recommended or default way to connect the proxies with the control plane; instead, DNS certificates, which can be signed by Kubernetes or Istiod, will be used to connect to Istiod over port 15012.&lt;/p>
&lt;p>Note: despite the naming, in Istio 1.5 when &lt;code>controlPlaneSecurityEnabled&lt;/code> is set to &lt;code>false&lt;/code>, communication between the control plane will be secure by default.&lt;/p>
&lt;h2 id="multicluster-setup">Multicluster setup&lt;/h2>
&lt;div>
&lt;aside class="callout warning">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-warning"/>&lt;/svg>
&lt;/div>
&lt;div class="content">&lt;p>We recommend that you &lt;strong>do not upgrade&lt;/strong> to Istio 1.5.0 if you are using a multicluster setup.&lt;/p>
&lt;p>Istio 1.5.0 multicluster setup has several known issues (&lt;a href="https://github.com/istio/istio/issues/21702">27102&lt;/a>, &lt;a href="https://github.com/istio/istio/issues/21676">21676&lt;/a>) that make it unusable in both shared control plane and replicated control plane deployments. These issues will be resolved in Istio 1.5.1.&lt;/p>
&lt;/div>
&lt;/aside>
&lt;/div>
&lt;h2 id="helm-upgrade">Helm upgrade&lt;/h2>
&lt;p>If you used &lt;code>helm upgrade&lt;/code> to update your cluster to newer Istio versions, we recommend you to switch to use &lt;a href="/v1.5/docs/setup/upgrade/istioctl-upgrade/">&lt;code>istioctl upgrade&lt;/code>&lt;/a> or follow the &lt;a href="/v1.5/docs/setup/upgrade/cni-helm-upgrade/">helm template&lt;/a> steps.&lt;/p></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.5.x/announcing-1.5/upgrade-notes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.5.x/announcing-1.5/upgrade-notes/</guid></item><item><title>Upgrade Notes</title><description>
&lt;p>This page describes changes you need to be aware of when upgrading from
Istio 1.3.x to 1.4.x. Here, we detail cases where we intentionally broke backwards
compatibility. We also mention cases where backwards compatibility was
preserved but new behavior was introduced that would be surprising to someone
familiar with the use and operation of Istio 1.3.&lt;/p>
&lt;h2 id="traffic-management">Traffic management&lt;/h2>
&lt;h3 id="http-services-on-port-443">HTTP services on port 443&lt;/h3>
&lt;p>Services of type &lt;code>http&lt;/code> are no longer allowed on port 443. This change was made to prevent protocol conflicts with external HTTPS services.&lt;/p>
&lt;p>If you depend on this behavior, there are a few options:&lt;/p>
&lt;ul>
&lt;li>Move the application to another port.&lt;/li>
&lt;li>Change the protocol from type &lt;code>http&lt;/code> to type &lt;code>tcp&lt;/code>&lt;/li>
&lt;li>Specify the environment variable &lt;code>PILOT_BLOCK_HTTP_ON_443=false&lt;/code> to the Pilot deployment. Note: this may be removed in future releases.&lt;/li>
&lt;/ul>
&lt;p>See &lt;a href="/v1.5/docs/ops/configuration/traffic-management/protocol-selection/">Protocol Selection&lt;/a> for more information about specifying the protocol of a port&lt;/p>
&lt;h3 id="regex-engine-changes">Regex Engine Changes&lt;/h3>
&lt;p>To prevent excessive resource consumption from large regular expressions, Envoy has moved to a new regular expression engine based on &lt;a href="https://github.com/google/re2">&lt;code>re2&lt;/code>&lt;/a>. Previously, &lt;code>std::regex&lt;/code> was used. These two engines may have slightly different syntax; in particular, the regex fields are now limited to 100 bytes.&lt;/p>
&lt;p>If you depend on specific behavior of the old regex engine, you can opt out of this change by adding the environment variable &lt;code>PILOT_ENABLE_UNSAFE_REGEX=true&lt;/code> to the Pilot deployment. Note: this will be removed in future releases.&lt;/p>
&lt;h2 id="configuration-management">Configuration management&lt;/h2>
&lt;p>We introduced OpenAPI v3 schemas in the Kubernetes &lt;a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions">Custom Resource Definitions (CRD)&lt;/a> of Istio resources. The schemas describe the Istio resources and help ensure the Istio resources you create and modify are structurally correct.&lt;/p>
&lt;p>If one or more fields in your configurations are unknown or have wrong types, they will be rejected by the Kubernetes API server when you create or modify Istio resources. This feature, &lt;code>CustomResourceValidation&lt;/code>, is on by default for Kubernetes 1.9+ clusters. Please note that existing configurations already in Kubernetes are &lt;strong>NOT&lt;/strong> affected if they stay unchanged.&lt;/p>
&lt;p>To help with your upgrade, here are some steps you could take:&lt;/p>
&lt;ul>
&lt;li>After upgrading Istio, run your Istio configurations with &lt;code>kubectl apply --dry-run&lt;/code> so that you are able to know if the configurations can be accepted by the API server as well as any possible unknown and/or invalid fields to the API server. (&lt;code>DryRun&lt;/code> feature is on by default for Kubernetes 1.13+ clusters.)&lt;/li>
&lt;li>Use the &lt;a href="/v1.5/docs/reference/config/">reference documentation&lt;/a> to confirm and correct the field names and data types.&lt;/li>
&lt;li>In addition to structural validation, you can also use &lt;code>istioctl x analyze&lt;/code> to help you detect other potential issues with your Istio configurations. Refer to &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">here&lt;/a> for more details.&lt;/li>
&lt;/ul>
&lt;p>If you choose to ignore the validation errors, add &lt;code>--validate=false&lt;/code> to your &lt;code>kubectl&lt;/code> command when you create or modify Istio resources. We strongly discourage doing so however, since it is willingly introducing incorrect configuration.&lt;/p>
&lt;h2 id="leftover-crd">Leftover CRD&lt;/h2>
&lt;p>Istio 1.4 introduces a new CRD &lt;code>authorizationpolicies.security.istio.io&lt;/code> for the
&lt;a href="/v1.5/docs/reference/config/security/authorization-policy/">authorization policy&lt;/a>.
Your cluster may have an interim leftover CRD &lt;code>authorizationpolicies.rbac.istio.io&lt;/code>
due to an internal implementation detail before Istio 1.4.&lt;/p>
&lt;p>The leftover CRD is unused and you can safely remove it from the cluster using
this command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete crd authorizationpolicies.rbac.istio.io --ignore-not-found=true
&lt;/code>&lt;/pre></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes/</guid></item><item><title>Upgrade Notes</title><description>
&lt;p>This page describes changes you need to be aware of when upgrading from
Istio 1.2.x to 1.3.x. Here, we detail cases where we intentionally broke backwards
compatibility. We also mention cases where backwards compatibility was
preserved but new behavior was introduced that would be surprising to someone
familiar with the use and operation of Istio 1.2.&lt;/p>
&lt;h2 id="installation-and-upgrade">Installation and upgrade&lt;/h2>
&lt;p>We simplified the configuration model for Mixer and removed support for
adapter-specific and template-specific Custom Resource Definitions (CRDs)
entirely in 1.3. Please move to the new configuration model.&lt;/p>
&lt;p>We removed the Mixer CRDs from the system to simplify the configuration
model, improve Mixer&amp;rsquo;s performance in Kubernetes deployments, and improve
reliability in various Kubernetes environments.&lt;/p>
&lt;h2 id="traffic-management">Traffic management&lt;/h2>
&lt;p>Istio now captures all ports by default. If you don&amp;rsquo;t specify container ports
to intentionally bypass Envoy, you must opt out of port capturing with the
&lt;code>traffic.sidecar.istio.io/excludeInboundPorts&lt;/code> option.&lt;/p>
&lt;p>Protocol sniffing is now enabled by default. Disable protocol sniffing with the
&lt;code>--set pilot.enableProtocolSniffing=false&lt;/code> option when you upgrade to get the
previous behavior. To learn more see our &lt;a href="/v1.5/docs/ops/configuration/traffic-management/protocol-selection/">protocol selection page&lt;/a>.&lt;/p>
&lt;p>To specify a hostname in multiple namespaces, you must select a single host using
a &lt;a href="/v1.5/docs/reference/config/networking/sidecar/">&lt;code>Sidecar&lt;/code> resource&lt;/a>.&lt;/p>
&lt;h2 id="trust-domain-validation">Trust domain validation&lt;/h2>
&lt;p>Trust domain validation is new in Istio 1.3. If you only have one trust domain
or you don&amp;rsquo;t enable mutual TLS through authentication policies, there is nothing
you must do.&lt;/p>
&lt;p>To opt-out the trust domain validation, include the following flag in your Helm
template before upgrading to Istio 1.3:
&lt;code>--set pilot.env.PILOT_SKIP_VALIDATE_TRUST_DOMAIN=true&lt;/code>&lt;/p>
&lt;h2 id="secret-discovery-service">Secret discovery service&lt;/h2>
&lt;p>In Istio 1.3, we are taking advantage of improvements in Kubernetes to issue
certificates for workload instances more securely.&lt;/p>
&lt;p>Kubernetes 1.12 introduces &lt;code>trustworthy&lt;/code> JWTs to solve these issues.
&lt;a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.13.md">Kubernetes 1.13&lt;/a>
introduced the ability to change the value of the &lt;code>aud&lt;/code> field to a value other
than the API server. The &lt;code>aud&lt;/code> field represents the audience in Kubernetes. To
better secure the mesh, Istio 1.3 only supports &lt;code>trustworthy&lt;/code> JWTs and requires
the audience, the value of the &lt;code>aud&lt;/code> field, to be &lt;code>istio-ca&lt;/code> when you enable
SDS.&lt;/p>
&lt;p>Before upgrading to Istio 1.3 with SDS enabled, see our blog post on
&lt;a href="/v1.5/blog/2019/trustworthy-jwt-sds/">trustworthy JWTs and SDS&lt;/a>.&lt;/p></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/</guid></item><item><title>Upgrade Notes</title><description>
&lt;p>This page describes changes you need to be aware of when upgrading from
Istio 1.1.x to 1.2.x. Here, we detail cases where we intentionally broke backwards
compatibility. We also mention cases where backwards compatibility was
preserved but new behavior was introduced that would be surprising to someone
familiar with the use and operation of Istio 1.1.&lt;/p>
&lt;h2 id="installation-and-upgrade">Installation and upgrade&lt;/h2>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">The configuration model for Mixer has been simplified. Support for
adapter-specific and template-specific Custom Resources has been
removed by default in 1.2 and will be removed entirely in 1.3.
Please move to the new configuration model.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>Most Mixer CRDs were removed from the system to simplify the configuration
model, improve performance of Mixer when used with Kubernetes, and improve
reliability in a variety of Kubernetes environments.&lt;/p>
&lt;p>The following CRDs remain:&lt;/p>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Custom Resource Definition name&lt;/th>
&lt;th>Purpose&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>adapter&lt;/code>&lt;/td>
&lt;td>Specification of Istio extension declarations&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>attributemanifest&lt;/code>&lt;/td>
&lt;td>Specification of Istio extension declarations&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>template&lt;/code>&lt;/td>
&lt;td>Specification of Istio extension declarations&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>handler&lt;/code>&lt;/td>
&lt;td>Specification of extension invocations&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>rule&lt;/code>&lt;/td>
&lt;td>Specification of extension invocations&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>instance&lt;/code>&lt;/td>
&lt;td>Specification of extension invocations&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>In the event you are using the removed mixer configuration schemas, set
the following Helm flags during upgrade of the main Helm chart:
&lt;code>--set mixer.templates.useTemplateCRDs=true --set mixer.adapters.useAdapterCRDs=true&lt;/code>&lt;/p></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2/upgrade-notes/</guid></item><item><title>Upgrade Notes</title><description>
&lt;p>This page describes changes you need to be aware of when upgrading from Istio 1.0.x to 1.1.x. Here we detail cases where we intentionally broke backwards compatibility. We also mention cases where backwards compatibility was preserved but new behavior was introduced that would be surprising to someone familiar with the use and operation of Istio 1.0.&lt;/p>
&lt;p>For an overview of new features introduced with Istio 1.1, please refer to the &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1/change-notes/">1.1 change notes&lt;/a>.&lt;/p>
&lt;h2 id="installation">Installation&lt;/h2>
&lt;ul>
&lt;li>&lt;p>We have increased the control plane and envoy sidecars required CPU and memory. It is critical to ensure your cluster have enough resource before proceeding
the update.&lt;/p>&lt;/li>
&lt;li>&lt;p>Istios CRDs have been placed into their own Helm chart &lt;code>istio-init&lt;/code>. This prevents loss of custom resource data, facilitates the upgrade process, and enables
Istio to evolve beyond a Helm-based installation. The &lt;a href="/v1.5/docs/setup/upgrade/">upgrade documentation&lt;/a> provides the proper procedures for upgrading
from Istio 1.0.6 to Istio 1.1. Please follow these instructions carefully when upgrading. If &lt;code>certmanager&lt;/code> is desired, use the &lt;code>--set certmanager=true&lt;/code> flag
when installing both &lt;code>istio-init&lt;/code> and Istio charts with either &lt;code>template&lt;/code> or &lt;code>tiller&lt;/code> installation modes.&lt;/p>&lt;/li>
&lt;li>&lt;p>Many installation options have been added, removed, or changed. Refer to &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1/helm-changes/">Installation Options Changes&lt;/a> for a detailed
summary of the changes.&lt;/p>&lt;/li>
&lt;li>&lt;p>The 1.0 &lt;code>istio-remote&lt;/code> chart used for &lt;a href="https://archive.istio.io/v1.1/docs/setup/kubernetes/install/multicluster/vpn/">multicluster VPN&lt;/a> and
&lt;a href="https://archive.istio.io/v1.1/docs/examples/multicluster/split-horizon-eds/">multicluster split horizon&lt;/a> remote cluster
installation has been consolidated into the Istio chart. To generate an equivalent &lt;code>istio-remote&lt;/code> chart, use the &lt;code>--set global.istioRemote=true&lt;/code> flag.&lt;/p>&lt;/li>
&lt;li>&lt;p>Addons are no longer exposed via separate load balancers. Instead addons can now be optionally exposed via the Ingress Gateway. To expose an addon via the
Ingress Gateway, please follow the &lt;a href="/v1.5/docs/tasks/observability/gateways/">Remotely Accessing Telemetry Addons&lt;/a> guide.&lt;/p>&lt;/li>
&lt;li>&lt;p>The built-in Istio Statsd collector has been removed. Istio retains the capability of integrating with your own Statsd collector, using the
&lt;code>--set global.envoyStatsd.enabled=true&lt;/code> flag.&lt;/p>&lt;/li>
&lt;li>&lt;p>The &lt;code>ingress&lt;/code> series of options for configuring a Kubernetes Ingress have been removed. Kubernetes Ingress is still functional and can be enabled using the
&lt;code>--set global.k8sIngress.enabled=true&lt;/code> flag. Check out &lt;a href="/v1.5/docs/tasks/traffic-management/ingress/ingress-certmgr/">Securing Kubernetes Ingress with Cert-Manager&lt;/a>
to learn how to secure your Kubernetes ingress resources.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="traffic-management">Traffic management&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Outbound traffic policy now defaults to &lt;code>ALLOW_ANY&lt;/code>. Traffic to unknown ports will be forwarded as-is. Traffic to known ports (e.g., port 80) will be matched
with one of the services in the system and forwarded accordingly.&lt;/p>&lt;/li>
&lt;li>&lt;p>During sidecar routing to a service, destination rules for the target service in the same namespace as the sidecar will take precedence, followed by destination
rules in the services namespace, and finally followed by destination rules in other namespaces if applicable.&lt;/p>&lt;/li>
&lt;li>&lt;p>We recommend storing gateway resources in the same namespace as the gateway workload (e.g., &lt;code>istio-system&lt;/code> in case of &lt;code>istio-ingressgateway&lt;/code>). When referring
to gateway resources in virtual services, use the namespace/name format instead of using &lt;code>name.namespace.svc.cluster.local&lt;/code>.&lt;/p>&lt;/li>
&lt;li>&lt;p>The optional egress gateway is now disabled by default. It is enabled in the demo profile for users to explore but disabled in all other profiles by default.
If you need to control and secure your outbound traffic through the egress gateway, you will need to enable &lt;code>gateways.istio-egressgateway.enabled=true&lt;/code> manually
in any of the non-demo profiles.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="policy-telemetry">Policy &amp;amp; telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;code>istio-policy&lt;/code> check is now disabled by default. It is enabled in the demo profile for users to explore but disabled in all other profiles. This change is
only for &lt;code>istio-policy&lt;/code> and not for &lt;code>istio-telemetry&lt;/code>. In order to re-enable policy checking, run &lt;code>helm template&lt;/code> with &lt;code>--set global.disablePolicyChecks=false&lt;/code>
and re-apply the configuration.&lt;/p>&lt;/li>
&lt;li>&lt;p>The Service Graph component has now been deprecated in favor of &lt;a href="https://www.kiali.io/">Kiali&lt;/a>.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="security">Security&lt;/h2>
&lt;ul>
&lt;li>RBAC configuration has been modified to implement cluster scoping. The &lt;code>RbacConfig&lt;/code> resource has been replaced with the &lt;code>ClusterRbacConfig&lt;/code> resource. Refer
to &lt;a href="https://archive.istio.io/v1.1/docs/setup/kubernetes/upgrade/steps/#migrating-from-rbacconfig-to-clusterrbacconfig">Migrating &lt;code>RbacConfig&lt;/code> to &lt;code>ClusterRbacConfig&lt;/code>&lt;/a> for migration instructions.&lt;/li>
&lt;/ul></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes/</guid></item><item><title>Change Notes</title><description>
&lt;h2 id="traffic-management">Traffic management&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Improved&lt;/strong> performance of the &lt;code>ServiceEntry&lt;/code> resource by avoiding unnecessary full pushes &lt;a href="https://github.com/istio/istio/pull/19305">#19305&lt;/a>&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Envoy sidecar readiness probe to more accurate determine readiness &lt;a href="https://github.com/istio/istio/pull/18164">#18164&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> performance of Envoy proxy configuration updates via xDS by sending partial updates where possible &lt;a href="https://github.com/istio/istio/pull/18354">#18354&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> an option to configure locality load balancing settings for each targeted service via destination rule&lt;a href="https://github.com/istio/istio/pull/18406">#18406&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> an issue where pods crashing would trigger excessive Envoy proxy configuration pushes &lt;a href="https://github.com/istio/istio/pull/18574">#18574&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> issues with applications such as headless services to call themselves directly without going through Envoy proxy &lt;a href="https://github.com/istio/istio/pull/19308">#19308&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> detection of &lt;code>iptables&lt;/code> failure when using Istio CNI &lt;a href="https://github.com/istio/istio/pull/19534">#19534&lt;/a>&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;code>consecutiveGatewayErrors&lt;/code> and &lt;code>consecutive5xxErrors&lt;/code> as outlier detection options within destination rule &lt;a href="https://github.com/istio/istio/pull/19771">#19771&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> &lt;code>EnvoyFilter&lt;/code> matching performance &lt;a href="https://github.com/istio/istio/pull/19786">#19786&lt;/a>&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for &lt;code>HTTP_PROXY&lt;/code> protocol &lt;a href="https://github.com/istio/istio/pull/19919">#19919&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> &lt;code>iptables&lt;/code> setup to use &lt;code>iptables-restore&lt;/code> by default &lt;a href="https://github.com/istio/istio/pull/18847">#18847&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Gateway performance by filtering unused clusters. This setting is disabled by default &lt;a href="https://github.com/istio/istio/pull/20124">#20124&lt;/a>.&lt;/li>
&lt;/ul>
&lt;h2 id="security">Security&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Graduated&lt;/strong> SDS to stable and enabled by default. It provides identity provisioning for Istio Envoy proxies.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> Beta authentication API. The new API separates peer (i.e mutual TLS) and origin (JWT) authentication into &lt;a href="https://github.com/istio/api/blob/master/security/v1beta1/peer_authentication.proto">&lt;code>PeerAuthentication&lt;/code>&lt;/a> and &lt;a href="https://github.com/istio/api/blob/master/security/v1beta1/request_authentication.proto">&lt;code>RequestAuthentication&lt;/code>&lt;/a> respectively. Both new APIs are workload-oriented, as opposed to service-oriented in alpha &lt;code>AuthenticationPolicy&lt;/code>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/tasks/security/authorization/authz-deny">deny semantics&lt;/a> and &lt;a href="/v1.5/docs/concepts/security/#exclusion-matching">exclusion matching&lt;/a> to Authorization Policy.&lt;/li>
&lt;li>&lt;strong>Graduated&lt;/strong> &lt;a href="/v1.5/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls">auto mutual TLS&lt;/a> from alpha to beta. This feature is now enabled by default.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> &lt;a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret">SDS security&lt;/a> by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Istio by including certificate provisioning functionality within istiod.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> Support Kubernetes &lt;a href="https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens">&lt;code>first-party-jwt&lt;/code>&lt;/a> as a fallback token for CSR authentication in clusters where &lt;a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection">&lt;code>third-party-jwt&lt;/code>&lt;/a> is not supported.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> Support Istio CA and Kubernetes CA to provision certificates for the control plane, configurable via &lt;code>values.global.pilotCertProvider&lt;/code>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> Istio Agent provisions a key and certificates for Prometheus.&lt;/li>
&lt;/ul>
&lt;h2 id="telemetry">Telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> TCP protocol support for v2 telemetry.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> gRPC response status code support in metrics/logs.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for Istio Canonical Service.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> stability of v2 telemetry pipeline.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> alpha-level support for configurability in v2 telemetry.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for populating AWS platform metadata in Envoy node metadata.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Stackdriver adapter for Mixer to support configurable flush intervals for tracing data.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for a headless collector service to the Jaeger addon.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;code>kubernetesenv&lt;/code> adapter to provide proper support for pods that contain a dot in their name.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the Fluentd adapter for Mixer to provide millisecond-resolution in exported timestamps.&lt;/li>
&lt;/ul>
&lt;h2 id="configuration-management">Configuration management&lt;/h2>
&lt;h2 id="operator">Operator&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Replaced&lt;/strong> the alpha &lt;code>IstioControlPlane&lt;/code> API with the new &lt;a href="/v1.5/docs/reference/config/istio.operator.v1alpha1/">&lt;code>IstioOperator&lt;/code>&lt;/a> API to align with existing &lt;code>MeshConfig&lt;/code> API.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;code>istioctl operator init&lt;/code> and &lt;code>istioctl operator remove&lt;/code> commands.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> reconciliation speed with caching &lt;a href="https://github.com/istio/operator/pull/667">&lt;code>operator#667&lt;/code>&lt;/a>.&lt;/li>
&lt;/ul>
&lt;h2 id="istioctl">&lt;code>istioctl&lt;/code>&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Graduated&lt;/strong> &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>Istioctl Analyze&lt;/code>&lt;/a> out of experimental.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> various analyzers: mutual TLS, JWT, &lt;code>ServiceAssociation&lt;/code>, Secret, sidecar image, port name and policy deprecated analyzers.&lt;/li>
&lt;li>&lt;strong>Updated&lt;/strong> more validation rules for &lt;code>RequestAuthentication&lt;/code>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> a new flag &lt;code>-A|--all-namespaces&lt;/code> to &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a> to analyze the entire cluster.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for analyzing content passed via &lt;code>stdin&lt;/code> to &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze -L&lt;/code>&lt;/a> to show a list of all analyzers available.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> the ability to suppress messages from &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> structured format options to &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> links to relevant documentation to &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a> output.&lt;/li>
&lt;li>&lt;strong>Updated&lt;/strong> annotation methods provided by Istio API in &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>Istioctl Analyze&lt;/code>&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Updated&lt;/strong> &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a> now loads files from a directory.&lt;/li>
&lt;li>&lt;strong>Updated&lt;/strong> &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a> to try to associate message with their source filename.&lt;/li>
&lt;li>&lt;strong>Updated&lt;/strong> &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a> to print the namespace that is being analyzed.&lt;/li>
&lt;li>&lt;strong>Updated&lt;/strong> &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a> to analyze in-cluster resources by default.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> bug where &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a> suppressed cluster-level resource messages.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for multiple input files to &lt;code>istioctl manifest&lt;/code>.&lt;/li>
&lt;li>&lt;strong>Replaced&lt;/strong> the &lt;code>IstioControlPlane&lt;/code> API with the &lt;code>IstioOperator&lt;/code> API.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> selector for &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-dashboard">&lt;code>istioctl dashboard&lt;/code>&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for slices and lists in &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-manifest">&lt;code>istioctl manifest --set&lt;/code>&lt;/a> flag.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-manifest">&lt;code>istioctl manifest&lt;/code>&lt;/a> to read profiles from &lt;code>stdin&lt;/code>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> a &lt;code>docker/istioctl&lt;/code> image #19079.&lt;/li>
&lt;/ul></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.5.x/announcing-1.5/change-notes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.5.x/announcing-1.5/change-notes/</guid></item><item><title>Change Notes</title><description>
&lt;h2 id="traffic-management">Traffic management&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> support for &lt;a href="/v1.5/docs/tasks/traffic-management/mirroring/">mirroring&lt;/a> a percentage of traffic.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the Envoy sidecar. The Envoy sidecar now exits when it crashes. This change makes it easier to see whether or not the Envoy sidecar is healthy.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Pilot to skip sending redundant configuration to Envoy when no changes are required.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> headless services to avoid conflicts with different services on the same port.&lt;/li>
&lt;li>&lt;strong>Disabled&lt;/strong> default &lt;a href="/v1.5/docs/tasks/traffic-management/circuit-breaking/">circuit breakers&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Updated&lt;/strong> the default regex engine to &lt;code>re2&lt;/code>. Please see the &lt;a href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes">Upgrade Notes&lt;/a> for details.&lt;/li>
&lt;/ul>
&lt;h2 id="security">Security&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> the &lt;a href="/v1.5/blog/2019/v1beta1-authorization-policy/">&lt;code>v1beta1&lt;/code> authorization policy model&lt;/a> for enforcing access control. This will eventually replace the &lt;a href="/v1.5/docs/reference/config/security/istio.rbac.v1alpha1/">&lt;code>v1alpha1&lt;/code> RBAC policy&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> experimental support for automatic mutual TLS to enable mutual TLS without destination rule configuration.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> experimental support for &lt;a href="/v1.5/docs/tasks/security/authorization/authz-td-migration/">authorization policy trust domain migration&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> experimental &lt;a href="/v1.5/blog/2019/dns-cert/">DNS certificate management&lt;/a> to securely provision and manage DNS certificates signed by the Kubernetes CA.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Citadel to periodically check and rotate the expired root certificate when running in self-sign CA mode.&lt;/li>
&lt;li>&lt;strong>Updated&lt;/strong> JWT authentication to treat &lt;a href="https://github.com/istio/istio/issues/13565">space-delimited claim&lt;/a> as a list of claims.&lt;/li>
&lt;/ul>
&lt;h2 id="telemetry">Telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> experimental in-proxy telemetry reporting to &lt;a href="https://github.com/istio/proxy/blob/release-1.5/extensions/stackdriver/README.md">Stackdriver&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> support for in-proxy Prometheus generation of HTTP service metrics (from experimental to alpha).&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> telemetry collection for &lt;a href="/v1.5/blog/2019/monitoring-external-service-traffic/">blocked and passthrough external service traffic&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> the option to configure &lt;a href="/v1.5/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig">stat patterns&lt;/a> for Envoy stats.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> the &lt;code>inbound&lt;/code> and &lt;code>outbound&lt;/code> prefixes to the Envoy HTTP stats to specify traffic direction.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> reporting of telemetry for traffic that goes through an egress gateway.&lt;/li>
&lt;/ul>
&lt;h2 id="configuration-management">Configuration management&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> multiple validation checks to the &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">&lt;code>istioctl analyze&lt;/code>&lt;/a> sub-command.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> the experimental option to enable validation messages for Istio &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/#enabling-validation-messages-for-resource-status">resource statuses&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> OpenAPI v3 schema validation of Custom Resource Definitions (CRDs). Please see the &lt;a href="/v1.5/news/releases/1.4.x/announcing-1.4/upgrade-notes">Upgrade Notes&lt;/a> for details.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="https://github.com/istio/client-go">client-go&lt;/a> libraries to access Istio APIs.&lt;/li>
&lt;/ul>
&lt;h2 id="installation">Installation&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> the experimental &lt;a href="/v1.5/docs/setup/install/standalone-operator/">operator controller&lt;/a> for dynamic updates to an Istio installation.&lt;/li>
&lt;li>&lt;strong>Removed&lt;/strong> the &lt;code>proxy_init&lt;/code> Docker image. Instead, the &lt;code>istio-init&lt;/code> container reuses the &lt;code>proxyv2&lt;/code> image.&lt;/li>
&lt;li>&lt;strong>Updated&lt;/strong> the base image to &lt;code>ubuntu:bionic&lt;/code>.&lt;/li>
&lt;/ul>
&lt;h2 id="istioctl">&lt;code>istioctl&lt;/code>&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> the &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-proxy-config-log">&lt;code>istioctl proxy-config logs&lt;/code>&lt;/a> sub-command retrieve and update Envoy logging levels.&lt;/li>
&lt;li>&lt;strong>Updated&lt;/strong> the &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-authn-tls-check">&lt;code>istioctl authn tls-check&lt;/code>&lt;/a> sub-command to display which policy is in use.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> the experimental &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-experimental-wait">&lt;code>istioctl experimental wait&lt;/code>&lt;/a> sub-command to have Istio wait until it has pushed a configuration to all Envoy sidecars.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> the experimental &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-experimental-multicluster">&lt;code>istioctl experimental multicluster&lt;/code>&lt;/a> sub-command to help manage Istio across multiple clusters.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> the experimental &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-experimental-post-install-webhook">&lt;code>istioctl experimental post-install webhook&lt;/code>&lt;/a> sub-command to &lt;a href="/v1.5/blog/2019/webhook/">securely manage webhook configurations&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> the experimental &lt;a href="/v1.5/docs/setup/upgrade/istioctl-upgrade/">&lt;code>istioctl experimental upgrade&lt;/code>&lt;/a> sub-command to perform upgrades of Istio.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-version">&lt;code>istioctl version&lt;/code>&lt;/a> sub-command. It now shows the Envoy proxy versions.&lt;/li>
&lt;/ul></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.4.x/announcing-1.4/change-notes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.4.x/announcing-1.4/change-notes/</guid></item><item><title>Change Notes</title><description>
&lt;h2 id="installation">Installation&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> experimental &lt;a href="/v1.5/docs/setup/install/istioctl/">manifest and profile commands&lt;/a> to install and manage the Istio control plane for evaluation.&lt;/li>
&lt;/ul>
&lt;h2 id="traffic-management">Traffic management&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/ops/configuration/traffic-management/protocol-selection/">automatic protocol determination&lt;/a> of HTTP or TCP for outbound traffic when ports are not named according to Istios &lt;a href="/v1.5/docs/ops/deployment/requirements/">conventions&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> a mode to the Gateway API for mutual TLS operation.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> issues present when a service communicates over the network first in permissive mutual TLS mode for protocols like MySQL and MongoDB.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Envoy proxy readiness checks. They now check Envoy&amp;rsquo;s readiness status.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> container ports are no longer required in the pod spec. All ports are &lt;a href="/v1.5/faq/traffic-management/#controlling-inbound-ports">captured by default&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the &lt;code>EnvoyFilter&lt;/code> API. You can now add or update all configurations.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the Redis load balancer to now default to &lt;a href="https://www.envoyproxy.io/docs/envoy/v1.6.0/intro/arch_overview/load_balancing#maglev">&lt;code>MAGLEV&lt;/code>&lt;/a> when using the Redis proxy.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> load balancing to direct traffic to the &lt;a href="/v1.5/faq/traffic-management/#controlling-inbound-ports">same region and zone&lt;/a> by default.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Pilot by reducing CPU utilization. The reduction approaches 90% depending on the specific deployment.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the &lt;code>ServiceEntry&lt;/code> API to allow for the same hostname in different namespaces.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the &lt;a href="/v1.5/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy">Sidecar API&lt;/a> to customize the &lt;code>OutboundTrafficPolicy&lt;/code> policy.&lt;/li>
&lt;/ul>
&lt;h2 id="security">Security&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> trust domain validation for services using mutual TLS. By default, the server only authenticates the requests from the same trust domain.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> [labels]((/docs/ops/configuration/mesh/secret-creation/) to control service account secret generation by namespace.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> SDS support to deliver the private key and certificates to each Istio control plane service.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for &lt;a href="/v1.5/docs/ops/diagnostic-tools/controlz/">introspection&lt;/a> to Citadel.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> metrics to the &lt;code>/metrics&lt;/code> endpoint of Citadel Agent on port 15014 to monitor the SDS service.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> diagnostics to the Citadel Agent using the &lt;code>/debug/sds/workload&lt;/code> and &lt;code>/debug/sds/gateway&lt;/code> on port 8080.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the ingress gateway to &lt;a href="/v1.5/docs/tasks/traffic-management/ingress/secure-ingress-sds/#configure-a-mutual-tls-ingress-gateway">load the trusted CA certificate from a separate secret&lt;/a> when using SDS.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> SDS security by enforcing the usage of &lt;a href="/v1.5/blog/2019/trustworthy-jwt-sds">Kubernetes Trustworthy JWTs&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Citadel Agent logs by unifying the logging pattern.&lt;/li>
&lt;li>&lt;strong>Removed&lt;/strong> support for Istio SDS when using &lt;a href="/v1.5/blog/2019/trustworthy-jwt-sds">Kubernetes versions earlier than 1.13&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Removed&lt;/strong> integration with Vault CA temporarily. SDS requirements caused the temporary removal but we will reintroduce Vault CA integration in a future release.&lt;/li>
&lt;li>&lt;strong>Enabled&lt;/strong> the Envoy JWT filter by default to improve security and reliability.&lt;/li>
&lt;/ul>
&lt;h2 id="telemetry">Telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> Access Log Service &lt;a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/service/accesslog/v2/als.proto#grpc-access-log-service-als">ALS&lt;/a> support for Envoy gRPC.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> a Grafana dashboard for Citadel monitoring.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/reference/commands/sidecar-injector/#metrics">metrics&lt;/a> for monitoring the sidecar injector webhook.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> control plane metrics to monitor Istio&amp;rsquo;s configuration state.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> telemetry reporting for traffic destined to the &lt;code>Passthrough&lt;/code> and &lt;code>BlackHole&lt;/code> clusters.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> alpha support for in-proxy generation of service metrics using Prometheus.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> alpha support for environmental metadata in Envoy node metadata.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> alpha support for Proxy Metadata Exchange.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> alpha support for the OpenCensus trace driver.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> reporting for external services by removing requirements to add a service entry.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the mesh dashboard to provide monitoring of Istio&amp;rsquo;s configuration state.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the Pilot dashboard to expose additional key metrics to more clearly identify errors.&lt;/li>
&lt;li>&lt;strong>Removed&lt;/strong> deprecated &lt;code>Adapter&lt;/code> and &lt;code>Template&lt;/code> custom resource definitions (CRDs).&lt;/li>
&lt;li>&lt;strong>Deprecated&lt;/strong> the HTTP API spec used to produce API attributes. We will remove support for producing API attributes in Istio 1.4.&lt;/li>
&lt;/ul>
&lt;h2 id="policy">Policy&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Improved&lt;/strong> rate limit enforcement to allow communication when the quota backend is unavailable.&lt;/li>
&lt;/ul>
&lt;h2 id="configuration-management">Configuration management&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> Galley to stop too many gRPC pings from closing connections.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Galley to avoid control plane upgrade failures.&lt;/li>
&lt;/ul>
&lt;h2 id="istioctl">&lt;code>istioctl&lt;/code>&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-manifest">&lt;code>istioctl experimental manifest&lt;/code>&lt;/a> to manage the new experimental install manifests.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-profile">&lt;code>istioctl experimental profile&lt;/code>&lt;/a> to manage the new experimental install profiles.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-experimental-metrics">&lt;code>istioctl experimental metrics&lt;/code>&lt;/a>&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-experimental-describe-pod">&lt;code>istioctl experimental describe pod&lt;/code>&lt;/a> to describe an Istio pod&amp;rsquo;s configuration.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-experimental-add-to-mesh">&lt;code>istioctl experimental add-to-mesh&lt;/code>&lt;/a> to add Kubernetes services or virtual machines to an existing Istio service mesh.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-experimental-remove-from-mesh">&lt;code>istioctl experimental remove-from-mesh&lt;/code>&lt;/a> to remove Kubernetes services or virtual machines from an existing Istio service mesh.&lt;/li>
&lt;li>&lt;strong>Promoted&lt;/strong> the &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-convert-ingress">&lt;code>istioctl experimental convert-ingress&lt;/code>&lt;/a> command to &lt;code>istioctl convert-ingress&lt;/code>.&lt;/li>
&lt;li>&lt;strong>Promoted&lt;/strong> the &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-dashboard">&lt;code>istioctl experimental dashboard&lt;/code>&lt;/a> command to &lt;code>istioctl dashboard&lt;/code>.&lt;/li>
&lt;/ul>
&lt;h2 id="miscellaneous">Miscellaneous&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> new images based on &lt;a href="/v1.5/docs/ops/configuration/security/harden-docker-images/">distroless&lt;/a> base images.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> the Istio CNI Helm chart to have consistent versions with Istio.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Kubernetes Jobs behavior. Kubernetes Jobs now exit correctly when the job manually calls the &lt;code>/quitquitquit&lt;/code> endpoint.&lt;/li>
&lt;/ul></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.3.x/announcing-1.3/change-notes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.3.x/announcing-1.3/change-notes/</guid></item><item><title>Change Notes</title><description>
&lt;h2 id="general">General&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> &lt;code>traffic.sidecar.istio.io/includeInboundPorts&lt;/code> annotation to eliminate the need for service owner to declare &lt;code>containerPort&lt;/code> in the deployment yaml file. This will become the default in a future release.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> IPv6 experimental support for Kubernetes clusters.&lt;/li>
&lt;/ul>
&lt;h2 id="traffic-management">Traffic management&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Improved&lt;/strong> &lt;a href="/v1.5/docs/ops/configuration/traffic-management/locality-load-balancing/">locality based routing&lt;/a> in multicluster environments.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> outbound traffic policy in &lt;a href="/v1.5/docs/reference/config/installation-options/#global-options">&lt;code>ALLOW_ANY&lt;/code> mode&lt;/a>. Traffic for unknown HTTP/HTTPS hosts on an existing port will be &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services">forwarded as is&lt;/a>. Unknown traffic will be logged in Envoy access logs.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for setting HTTP idle timeouts to upstream services.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> Sidecar support for &lt;a href="/v1.5/docs/reference/config/networking/sidecar/#CaptureMode">NONE mode&lt;/a> (without iptables) .&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> ability to configure the &lt;a href="/v1.5/docs/reference/config/installation-options/#global-options">DNS refresh rate&lt;/a> for sidecar Envoys, to reduce the load on the DNS servers.&lt;/li>
&lt;li>&lt;strong>Graduated&lt;/strong> &lt;a href="/v1.5/docs/reference/config/networking/sidecar/">Sidecar API&lt;/a> from Alpha to Alpha API and Beta runtime.&lt;/li>
&lt;/ul>
&lt;h2 id="security">Security&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Improved&lt;/strong> extend the default lifetime of self-signed Citadel root certificates to 10 years.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> Kubernetes health check prober rewrite per deployment via &lt;code>sidecar.istio.io/rewriteAppHTTPProbers: &amp;quot;true&amp;quot;&lt;/code> in the &lt;code>PodSpec&lt;/code> &lt;a href="/v1.5/docs/ops/configuration/mesh/app-health-check/#use-annotations-on-pod">annotation&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for configuring the secret paths for Istio mutual TLS certificates. Refer &lt;a href="https://github.com/istio/istio/issues/11984">here&lt;/a> for more details.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for &lt;a href="https://en.wikipedia.org/wiki/PKCS_8">PKCS 8&lt;/a> private keys for workloads, enabled by the flag &lt;code>pkcs8-keys&lt;/code> on Citadel.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> JWT public key fetching logic to be more resilient to network failure.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.6">SAN&lt;/a> field in workload certificates is set as &lt;code>critical&lt;/code>. This fixes the issue that some custom certificate verifiers cannot verify Istio certificates.&lt;/li>
&lt;li>&lt;strong>Fixed&lt;/strong> mutual TLS probe rewrite for HTTPS probes.&lt;/li>
&lt;li>&lt;strong>Graduated&lt;/strong> &lt;a href="/v1.5/docs/reference/config/networking/gateway/">SNI with multiple certificates support at ingress gateway&lt;/a> from Alpha to Stable.&lt;/li>
&lt;li>&lt;strong>Graduated&lt;/strong> &lt;a href="/v1.5/docs/tasks/traffic-management/ingress/secure-ingress-sds/">certification management on Ingress Gateway&lt;/a> from Alpha to Beta.&lt;/li>
&lt;/ul>
&lt;h2 id="telemetry">Telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> Full support for control over Envoy stats generation, based on stats prefixes, suffixes, and regular expressions through the use of annotations.&lt;/li>
&lt;li>&lt;strong>Changed&lt;/strong> Prometheus generated traffic is excluded from metrics.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support for sending traces to Datadog.&lt;/li>
&lt;li>&lt;strong>Graduated&lt;/strong> &lt;a href="/v1.5/docs/tasks/observability/distributed-tracing/">distributed tracing&lt;/a> from Beta to Stable.&lt;/li>
&lt;/ul>
&lt;h2 id="policy">Policy&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Fixed&lt;/strong> &lt;a href="https://github.com/istio/istio/issues/13868">Mixer based&lt;/a>TCP Policy enforcement.&lt;/li>
&lt;li>&lt;strong>Graduated&lt;/strong> &lt;a href="/v1.5/docs/reference/config/security/istio.rbac.v1alpha1/">Authorization (RBAC)&lt;/a> from Alpha to Alpha API and Beta runtime.&lt;/li>
&lt;/ul>
&lt;h2 id="configuration-management">Configuration management&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Improved&lt;/strong> validation of Policy &amp;amp; Telemetry CRDs.&lt;/li>
&lt;li>&lt;strong>Graduated&lt;/strong> basic configuration resource validation from Alpha to Beta.&lt;/li>
&lt;/ul>
&lt;h2 id="installation-and-upgrade">Installation and upgrade&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Updated&lt;/strong> default proxy memory limit size(&lt;code>global.proxy.resources.limits.memory&lt;/code>) from &lt;code>128Mi&lt;/code> to &lt;code>1024Mi&lt;/code> to ensure proxy has sufficient memory.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> pod &lt;a href="https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity">anti-affinity&lt;/a> and &lt;a href="https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/">toleration&lt;/a> support to all of our control plane components.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;code>sidecarInjectorWebhook.neverInjectSelector&lt;/code> and &lt;code>sidecarInjectorWebhook.alwaysInjectSelector&lt;/code> to allow users to further refine whether workloads should have sidecar automatically injected or not, based on label selectors.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;code>global.logging.level&lt;/code> and &lt;code>global.proxy.logLevel&lt;/code> to allow users to easily configure logs for control plane and data plane components globally.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> support to configure the Datadog location via &lt;a href="/v1.5/docs/reference/config/installation-options/#global-options">&lt;code>global.tracer.datadog.address&lt;/code>&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Removed&lt;/strong> Previously &lt;a href="https://discuss.istio.io/t/deprecation-notice-custom-mixer-adapter-crds/2055">deprecated&lt;/a> Adapter and Template CRDs are disabled by default. Use &lt;code>mixer.templates.useTemplateCRDs=true&lt;/code> and &lt;code>mixer.adapters.useAdapterCRDs=true&lt;/code> install options to re-enable them.&lt;/li>
&lt;/ul>
&lt;p>Refer to the &lt;a href="/v1.5/news/releases/1.2.x/announcing-1.2/helm-changes/">installation option change page&lt;/a> to view the complete list of changes.&lt;/p>
&lt;h2 id="istioctl-and-kubectl">&lt;code>istioctl&lt;/code> and &lt;code>kubectl&lt;/code>&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Graduated&lt;/strong> &lt;code>istioctl verify-install&lt;/code> out of experimental.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> &lt;code>istioctl verify-install&lt;/code> to validate if a given Kubernetes environment meets Istio&amp;rsquo;s prerequisites.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> auto-completion support to &lt;code>istioctl&lt;/code>.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;code>istioctl experimental dashboard&lt;/code> to allow users to easily open the web UI of any Istio addons.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;code>istioctl x&lt;/code> alias to conveniently run &lt;code>istioctl experimental&lt;/code> command.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> &lt;code>istioctl version&lt;/code> to report both Istio control plane and &lt;code>istioctl&lt;/code> version info by default.&lt;/li>
&lt;li>&lt;strong>Improved&lt;/strong> &lt;code>istioctl validate&lt;/code> to validate Mixer configuration and supports deep validation with referential integrity.&lt;/li>
&lt;/ul>
&lt;h2 id="miscellaneous">Miscellaneous&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/setup/additional-setup/cni/">Istio CNI support&lt;/a> to setup sidecar network redirection and remove the use of &lt;code>istio-init&lt;/code> containers requiring &lt;code>NET_ADMIN&lt;/code> capability.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> a new experimental &lt;a href="https://github.com/istio/installer/wiki">&amp;lsquo;a-la-carte&amp;rsquo; Istio installer&lt;/a> to enable users to install and upgrade Istio with desired isolation and security.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="https://docs.google.com/document/d/1M-qqBMNbhbAxl3S_8qQfaeOLAiRqSBpSgfWebFBRuu8/edit">environment variable and configuration file support&lt;/a> for configuring Galley, in addition to command-line flags.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;a href="/v1.5/docs/ops/diagnostic-tools/controlz/">ControlZ&lt;/a> support to visualize the state of the MCP Server in Galley.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> the &lt;a href="/v1.5/docs/reference/commands/galley/#galley-server">&lt;code>enableServiceDiscovery&lt;/code> command-line flag&lt;/a> to control the service discovery module in Galley.&lt;/li>
&lt;li>&lt;strong>Added&lt;/strong> &lt;code>InitialWindowSize&lt;/code> and &lt;code>InitialConnWindowSize&lt;/code> parameters to Galley and Pilot to allow fine-tuning of MCP (gRPC) connection settings.&lt;/li>
&lt;li>&lt;strong>Graduated&lt;/strong> configuration processing with Galley from Alpha to Beta.&lt;/li>
&lt;/ul></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.2.x/announcing-1.2/change-notes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.2.x/announcing-1.2/change-notes/</guid></item><item><title>Change Notes</title><description>
&lt;h2 id="incompatible-changes-from-1-0">Incompatible changes from 1.0&lt;/h2>
&lt;p>In addition to the new features and improvements listed below, Istio 1.1 has introduced
a number of significant changes from 1.0 that can alter the behavior of applications.
A concise list of these changes can be found in the &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes">upgrade notice&lt;/a>.&lt;/p>
&lt;h2 id="upgrades">Upgrades&lt;/h2>
&lt;p>We recommend a manual upgrade of the control plane and data plane to 1.1. See
the &lt;a href="/v1.5/docs/setup/upgrade/">upgrades documents&lt;/a> for more information.&lt;/p>
&lt;div>
&lt;aside class="callout warning">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-warning"/>&lt;/svg>
&lt;/div>
&lt;div class="content">Be sure to check out the &lt;a href="/v1.5/news/releases/1.1.x/announcing-1.1/upgrade-notes">upgrade notice&lt;/a> for a
concise list of things you should know before upgrading your deployment to Istio 1.1.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;h2 id="installation">Installation&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>CRD Install Separated from Istio Install&lt;/strong>. Placed Istios Custom Resource
Definitions (CRDs) into the &lt;code>istio-init&lt;/code> Helm chart. Placing the CRDs in
their own Helm chart preserves the data continuity of the custom resource
content during the upgrade process and further enables Istio to evolve beyond
a Helm-based installation.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Installation Configuration Profiles&lt;/strong>. Added several installation
configuration profiles to simplify the installation process using well-known
and well-tested patterns. Learn more about the better user experience
afforded by the &lt;a href="/v1.5/docs/setup/additional-setup/config-profiles/">installation profile feature&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Improved Multicluster Integration&lt;/strong>. Consolidated the 1.0 &lt;code>istio-remote&lt;/code>
chart previously used for
&lt;a href="https://archive.istio.io/v1.1/docs/setup/kubernetes/install/multicluster/vpn/">multicluster VPN&lt;/a> and
&lt;a href="https://archive.istio.io/v1.1/docs/examples/multicluster/split-horizon-eds/">multicluster split horizon&lt;/a>
remote cluster installation into the Istio Helm chart simplifying the operational experience.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="traffic-management">Traffic management&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>New &lt;code>Sidecar&lt;/code> Resource&lt;/strong>. The new &lt;a href="/v1.5/docs/concepts/traffic-management/#sidecars">sidecar&lt;/a> resource
enables more fine-grained control over the behavior of the sidecar proxies attached to workloads within a namespace.
In particular it adds support to limit the set of services a sidecar will send traffic to.
This reduces the amount of configuration computed and transmitted to
the proxy, improving startup time, resource consumption and control-plane scalability.
For large deployments, we recommend adding a sidecar resource per namespace. Controls are also
provided for ports, protocols and traffic capture for advanced use-cases.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Restrict Visibility of Services&lt;/strong>. Added the new &lt;code>exportTo&lt;/code> feature which allows
service owners to control which namespaces can reference their services. This feature is
added to &lt;code>ServiceEntry&lt;/code>, &lt;code>VirtualService&lt;/code> and is also supported on a Kubernetes Service via the
&lt;code>networking.istio.io/exportTo&lt;/code> annotation.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Namespace Scoping&lt;/strong>. When referring to a &lt;code>VirtualService&lt;/code> in a Gateway we use DNS based name matching
in our configuration model. This can be ambiguous when more than one namespace defines a virtual service
for the same host name. To resolve ambiguity it is now possible to explicitly scope these references
by namespace using a syntax of the form &lt;strong>&lt;code>[{namespace-name}]/{hostname-match}&lt;/code>&lt;/strong> in the &lt;code>hosts&lt;/code> field.
The equivalent capability is also available in &lt;code>Sidecar&lt;/code> for egress.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Updates to &lt;code>ServiceEntry&lt;/code> Resources&lt;/strong>. Added support to specify the
locality of a service and the associated SAN to use with mutual TLS. Service
entries with HTTPS ports no longer need an additional virtual service to
enable SNI-based routing.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Locality-Aware Routing&lt;/strong>. Added full support for routing to services in the
same locality before picking services in other localities.
See &lt;a href="/v1.5/docs/reference/config/networking/destination-rule#LocalityLoadBalancerSetting">Locality Load Balancer Settings&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Refined Multicluster Routing&lt;/strong>. Simplified the multicluster setup and
enabled additional deployment modes. You can now connect multiple clusters
simply using their ingress gateways without needing pod-level VPNs, deploy
control planes in each cluster for high-availability cases, and span a
namespace across several clusters to create global namespaces. Locality-aware
routing is enabled by default in the high-availability control plane
solution.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Istio Ingress Deprecated&lt;/strong>. Removed the previously deprecated Istio
ingress. Refer to the &lt;a href="/v1.5/docs/tasks/traffic-management/ingress/ingress-certmgr/">Securing Kubernetes Ingress with Cert-Manager&lt;/a>
example for more details on how to use Kubernetes Ingress resources with
&lt;a href="/v1.5/docs/concepts/traffic-management/#gateways">gateways&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Performance and Scalability Improvements&lt;/strong>. Tuned the performance and
scalability of Istio and Envoy. Read more about &lt;a href="/v1.5/docs/ops/deployment/performance-and-scalability/">Performance and Scalability&lt;/a>
enhancements.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Access Logging Off by Default&lt;/strong>. Disabled the access logs for all Envoy
sidecars by default to improve performance.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="security">Security&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Readiness and Liveness Probes&lt;/strong>. Added support for Kubernetes&amp;rsquo; HTTP
&lt;a href="/v1.5/faq/security/#k8s-health-checks">readiness and liveness probes&lt;/a> when
mutual TLS is enabled.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Cluster RBAC Configuration&lt;/strong>. Replaced the &lt;code>RbacConfig&lt;/code> resource with the
&lt;code>ClusterRbacConfig&lt;/code> resource to implement the correct cluster scope. See
&lt;a href="https://archive.istio.io/v1.1/docs/setup/kubernetes/upgrade/steps/#migrating-from-rbacconfig-to-clusterrbacconfig">Migrating &lt;code>RbacConfig&lt;/code> to &lt;code>ClusterRbacConfig&lt;/code>&lt;/a>.
for migration instructions.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Identity Provisioning Through SDS&lt;/strong>. Added SDS support to provide stronger
security with on-node key generation and dynamic certificate rotation without
restarting Envoy.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Authorization for TCP Services&lt;/strong>. Added support of authorization for TCP
services in addition to HTTP and gRPC services. See &lt;a href="/v1.5/docs/tasks/security/authorization/authz-tcp">Authorization for TCP Services&lt;/a>
for more information.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Authorization for End-User Groups&lt;/strong>. Added authorization based on &lt;code>groups&lt;/code>
claim or any list-typed claims in JWT. See &lt;a href="/v1.5/docs/tasks/security/authorization/authz-jwt/">Authorization for JWT&lt;/a>
for more information.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>External Certificate Management on Ingress Gateway Controller&lt;/strong>.
Added a controller to dynamically load and rotate external certificates.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Custom PKI Integration&lt;/strong>. Added Vault PKI integration with support for
Vault-protected signing keys and ability to integrate with existing Vault PKIs.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Customized (non &lt;code>cluster.local&lt;/code>) Trust Domains&lt;/strong>. Added support for
organization- or cluster-specific trust domains in the identities.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="policies-and-telemetry">Policies and telemetry&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Policy Checks Off By Default&lt;/strong>. Changed policy checks to be turned off by
default to improve performance for most customer scenarios. &lt;a href="/v1.5/docs/tasks/policy-enforcement/enabling-policy/">Enabling Policy Enforcement&lt;/a>
details how to turn on Istio policy checks, if needed.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Kiali&lt;/strong>. Replaced the &lt;a href="https://github.com/istio/istio/issues/9066">Service Graph addon&lt;/a>
with &lt;a href="https://www.kiali.io">Kiali&lt;/a> to provide a richer visualization
experience. See the &lt;a href="/v1.5/docs/tasks/observability/kiali/">Kiali task&lt;/a> for more
details.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Reduced Overhead&lt;/strong>. Added several performance and scale improvements
including:&lt;/p>
&lt;ul>
&lt;li>&lt;p>Significant reduction in default collection of Envoy-generated
statistics.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added load-shedding functionality to Mixer workloads.&lt;/p>&lt;/li>
&lt;li>&lt;p>Improved the protocol between Envoy and Mixer.&lt;/p>&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>&lt;p>&lt;strong>Control Headers and Routing&lt;/strong>. Added the option to create adapters to
influence the headers and routing of an incoming request. See the &lt;a href="/v1.5/docs/tasks/policy-enforcement/control-headers">Control Headers and Routing&lt;/a>
task for more information.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Out of Process Adapters&lt;/strong>. Added the out-of-process adapter functionality
for production use. As a result, we deprecated the in-process adapter model
in this release. All new adapter development should use the out-of-process
model moving forward.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Tracing Improvements&lt;/strong>. Performed many improvements in our overall tracing
story:&lt;/p>
&lt;ul>
&lt;li>&lt;p>Trace ids are now 128 bit wide.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added support for sending trace data to &lt;a href="/v1.5/docs/tasks/observability/distributed-tracing/lightstep/">LightStep&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>Added the option to disable tracing for Mixer-backed services entirely.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added policy decision-aware tracing.&lt;/p>&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>&lt;p>&lt;strong>Default TCP Metrics&lt;/strong>. Added default metrics for tracking TCP connections.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Reduced Load Balancer Requirements for Addons&lt;/strong>. Stopped exposing addons
via separate load balancers. Instead, addons are exposed via the Istio
gateway. To expose addons externally using either HTTP or HTTPS protocols,
please use the &lt;a href="/v1.5/docs/tasks/observability/gateways/">Addon Gateway documentation&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Secure Addon Credentials&lt;/strong>. Changed storage of the addon credentials.
Grafana, Kiali, and Jaeger passwords and username are now stored in
&lt;a href="https://kubernetes.io/docs/concepts/configuration/secret/">Kubernetes secrets&lt;/a>
for improved security and compliance.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>More Flexibility with &lt;code>statsd&lt;/code> Collector&lt;/strong>. Removed the built-in &lt;code>statsd&lt;/code>
collector. Istio now supports bring your own &lt;code>statsd&lt;/code> for
improved flexibility with existing Kubernetes deployments.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="configuration-management">Configuration management&lt;/h3>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Galley&lt;/strong>. Added &lt;a href="/v1.5/docs/ops/deployment/architecture/#galley">Galley&lt;/a> as the
primary configuration ingestion and distribution mechanism within Istio. It
provides a robust model to validate, transform, and distribute configuration
states to Istio components insulating the Istio components from Kubernetes
details. Galley uses the &lt;a href="https://github.com/istio/api/tree/release-1.5/mcp">Mesh Configuration Protocol&lt;/a>
to interact with components.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Monitoring Port&lt;/strong>. Changed Galley&amp;rsquo;s default monitoring port from 9093 to
15014.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="istioctl-and-kubectl">&lt;code>istioctl&lt;/code> and &lt;code>kubectl&lt;/code>&lt;/h2>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Validate Command&lt;/strong>. Added the &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-validate">&lt;code>istioctl validate&lt;/code>&lt;/a>
command for offline validation of Istio Kubernetes resources.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Verify-Install Command&lt;/strong>. Added the &lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-verify-install">&lt;code>istioctl verify-install&lt;/code>&lt;/a>
command to verify the status of an Istio installation given a specified
installation YAML file.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Deprecated Commands&lt;/strong>. Deprecated the &lt;code>istioctl create&lt;/code>, &lt;code>istioctl
replace&lt;/code>, &lt;code>istioctl get&lt;/code>, and &lt;code>istioctl delete&lt;/code> commands. Use the
&lt;a href="https://kubernetes.io/docs/tasks/tools/install-kubectl">&lt;code>kubectl&lt;/code>&lt;/a>
equivalents instead. Deprecated the &lt;code>istioctl gen-deploy&lt;/code> command too. Use a
&lt;a href="https://archive.istio.io/v1.1/docs/setup/kubernetes/install/helm/#option-1-install-with-helm-via-helm-template">&lt;code>helm template&lt;/code>&lt;/a>
instead. Release 1.2 will remove these commands.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Short Commands&lt;/strong>. Included short commands in &lt;code>kubectl&lt;/code> for gateways,
virtual services, destination rules and service entries.&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><link>/v1.5/news/releases/1.1.x/announcing-1.1/change-notes/</link><author/><guid isPermaLink="true">/v1.5/news/releases/1.1.x/announcing-1.1/change-notes/</guid></item><item><title>Extending Istio 1.5 with Gloo API Gateway</title><description>&lt;p>&lt;a href="https://docs.solo.io/gloo/latest/">Gloo is an open-source API Gateway&lt;/a> built on Envoy Proxy that highly complements a service mesh like Istio with edge capabilities like &lt;a href="https://docs.solo.io/gloo/latest/guides/traffic_management/request_processing/transformations/">request/response transformations&lt;/a>, &lt;a href="https://docs.solo.io/gloo/latest/guides/traffic_management/request_processing/direct_response_action/">direct-response actions&lt;/a>, and &lt;a href="https://docs.solo.io/gloo/latest/installation/advanced_configuration/fds_mode/">Open API Spec/Swagger and gRPC discovery&lt;/a>. &lt;a href="https://www.solo.io/products/gloo/">Gloo Enterprise&lt;/a> supports more sophisticated security edge requirements like &lt;a href="https://docs.solo.io/gloo/latest/guides/security/auth/oauth/">OIDC authentication&lt;/a>, &lt;a href="https://docs.solo.io/gloo/latest/guides/security/auth/opa/">OPA authorization&lt;/a>, &lt;a href="https://docs.solo.io/gloo/latest/guides/security/waf/">Web Application Fire walling (WAF)&lt;/a>, rate limiting and others. A lot of Gloo users put Gloo at the edge and &lt;a href="https://www.solo.io/blog/using-gloo-as-an-ingress-gateway-with-istio-and-mtls-updated-for-istio-1-1/">integrate with Istio for east-west traffic management&lt;/a>.&lt;/p>
&lt;p>In the &lt;a href="/v1.5/news/releases/1.5.x/announcing-1.5/">Istio 1.5 release&lt;/a>, many architectural considerations have changed with how folks deploy and manage Istio. The way mTLS is implemented in Istio has also changed a bit. For example, In the past, Istio would create secrets for each service account and mount those in for the workloads to assume their identity. That has now changed. Istio uses &lt;a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret">Envoys SDS&lt;/a> to &lt;a href="/v1.5/docs/concepts/security/#pki">distribute workload identity/certificates by default with Istio 1.5 now&lt;/a>.&lt;/p>
&lt;p>Gloo &lt;a href="https://docs.solo.io/gloo/latest/guides/integrations/service_mesh/gloo_istio_mtls/">has had integration with Istio SDS&lt;/a> for a while now while giving the option to use SDS (more secure) or the secret mounting approach, but now with the Istio 1.5 change, weve updated the Gloo functionality to show how to get &lt;a href="https://docs.solo.io/gloo/latest/guides/integrations/service_mesh/gloo_istio_mtls/#istio-15x">Gloo working with Istio 1.5&lt;/a>.&lt;/p>
&lt;p>There are two different approaches to doing this. The supported way for Gloo OSS is to load an Istio proxy (and istio-agent) to connect to the mesh and pull down the certificates and allow upstreams to use that. This requires, unfortunately, running another Envoy next to the Gloo proxy (also based on Envoy) that does nothing other than pull down certificates. &lt;a href="/v1.5/blog/2020/proxy-cert/">This is the recommended way to accomplish integration with SDS&lt;/a> and Istio. However, for Gloo Enterprise, we feel we can do better. We have a custom build of the istio-agent that can serve SDS for Istio without the need for running an entirely separate Envoy. This slims down the deployment of the Gloo API Gateway when integrating with Istio.&lt;/p>
&lt;p>See a quick demo of integrating open-source Gloo with Istio 1.5:&lt;/p>
&lt;iframe width="560" height="315" src="https://www.youtube.com/embed/zhUR3HgeFSg" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen>&lt;/iframe></description><pubDate>Tue, 21 Apr 2020 00:00:00 +0000</pubDate><link>/v1.5/blog/2020/istio-sds-gloo/</link><author>Christian Posta (Solo.io)</author><guid isPermaLink="true">/v1.5/blog/2020/istio-sds-gloo/</guid><category>istio</category><category>sds</category><category>mTLS</category><category>edge</category><category>ingress</category><category>gloo</category><category>solo.io</category></item><item><title>Provision a certificate and key for an application without sidecars</title><description>&lt;div>
&lt;aside class="callout warning">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-warning"/>&lt;/svg>
&lt;/div>
&lt;div class="content">The following information describes an experimental feature, which is intended
for evaluation purposes only.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>Istio sidecars obtain their certificates using
the secret discovery service.
A service in the service mesh may not need (or want) an Envoy sidecar
to handle its traffic. In this case, the service will need
to obtain a certificate itself if it wants to connect to other TLS or mutual TLS secured services.&lt;/p>
&lt;p>For a service with no need of a sidecar to manage its traffic, a sidecar can nevertheless still be
deployed only to provision the private key and certificates through
the CSR flow from the CA and then share the certificate with the service
through a mounted file in &lt;code>tmpfs&lt;/code>.
We have used Prometheus as our example application for provisioning
a certificate using this mechanism.&lt;/p>
&lt;p>In the example application (i.e., Prometheus), a sidecar is added to the
Prometheus deployment by setting the flag &lt;code>.Values.prometheus.provisionPrometheusCert&lt;/code>
to &lt;code>true&lt;/code> (this flag is set to true by default in an Istio installation).
This deployed sidecar will then request and share a
certificate with Prometheus.&lt;/p>
&lt;p>The key and certificate provisioned for the example application
are mounted in the directory &lt;code>/etc/istio-certs/&lt;/code>.
We can list the key and certificate provisioned for the application by
running the following command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it `kubectl get pod -l app=prometheus -n istio-system -o jsonpath=&amp;#39;{.items[0].metadata.name}&amp;#39;` -c prometheus -n istio-system -- ls -la /etc/istio-certs/
&lt;/code>&lt;/pre>
&lt;p>The output from the above command should include non-empty key and certificate files, similar to the following:&lt;/p>
&lt;pre>&lt;code class='language-plain' data-expandlinks='true' data-repo='istio' >-rwxr-xr-x 1 root root 2209 Feb 25 13:06 cert-chain.pem
-rwxr-xr-x 1 root root 1679 Feb 25 13:06 key.pem
-rwxr-xr-x 1 root root 1054 Feb 25 13:06 root-cert.pem
&lt;/code>&lt;/pre>
&lt;p>If you want to use this mechanism to provision a certificate
for your own application, take a look at our
&lt;a href="https://github.com/istio/istio/blob/release-1.5/manifests/istio-telemetry/prometheus/templates/deployment.yaml">Prometheus example application&lt;/a> and simply follow the same pattern.&lt;/p></description><pubDate>Wed, 25 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/blog/2020/proxy-cert/</link><author>Lei Tang (Google)</author><guid isPermaLink="true">/v1.5/blog/2020/proxy-cert/</guid><category>certificate</category><category>sidecar</category></item><item><title>Extended and Improved WebAssemblyHub to Bring the Power of WebAssembly to Envoy and Istio</title><description>
&lt;p>&lt;a href="https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/">&lt;em>Originally posted on the Solo.io blog&lt;/em>&lt;/a>&lt;/p>
&lt;p>As organizations adopt Envoy-based infrastructure like Istio to help solve challenges with microservices communication, they inevitably find themselves needing to customize some part of that infrastructure to fit within their organization&amp;rsquo;s constraints. &lt;a href="https://webassembly.org/">WebAssembly (Wasm)&lt;/a> has emerged as a safe, secure, and dynamic environment for platform extension.&lt;/p>
&lt;p>In the recent &lt;a href="/v1.5/blog/2020/wasm-announce/">announcement of Istio 1.5&lt;/a>, the Istio project lays the foundation for bringing WebAssembly to the popular Envoy proxy. &lt;a href="https://solo.io">Solo.io&lt;/a> is collaborating with Google and the Istio community to simplify the overall experience of creating, sharing, and deploying WebAssembly extensions to Envoy and Istio. It wasn&amp;rsquo;t that long ago that Google and others laid the foundation for containers, and Docker built a great user experience to make it consumable. Similarly, this effort makes Wasm consumable by building the best user experience for WebAssembly on Istio.&lt;/p>
&lt;p>Back in December 2019, Solo.io began an effort to provide a great developer experience for WebAssembly with the announcement of WebAssembly Hub. The WebAssembly Hub allows developers to very quickly spin up a new WebAssembly project in C++ (we&amp;rsquo;re expanding this language choice, see below), build it using Bazel in Docker, and push it to an OCI-compliant registry. From there, operators had to pull the module, and configure Envoy proxies themselves to load it from disk. Beta support in &lt;a href="https://docs.solo.io/gloo/latest/">Gloo, an API Gateway built on Envoy&lt;/a> allows you to declaratively and dynamically load the module, the Solo.io team wanted to bring the same effortless and secure experience to other Envoy-based frameworks as well - like Istio.&lt;/p>
&lt;p>There has been a lot of interest in the innovation in this area, and the Solo.io team has been working hard to further the capabilities of WebAssembly Hub and the workflows it supports. In conjunction with Istio 1.5, Solo.io is thrilled to announce new enhancements to WebAssembly Hub that evolve the viability of WebAssembly with Envoy for production, improve the developer experience, and streamline using Wasm with Envoy in Istio.&lt;/p>
&lt;h2 id="evolving-toward-production">Evolving toward production&lt;/h2>
&lt;p>The Envoy community is working hard to bring Wasm support into the upstream project (right now it lives on a working development fork), with Istio declaring Wasm support an Alpha feature. In &lt;a href="https://www.solo.io/blog/announcing-gloo-1-0-a-production-ready-envoy-based-api-gateway/">Gloo 1.0, we also announced&lt;/a> early, non-production support for Wasm. What is Gloo? Gloo is a modern API Gateway and Ingress Controller (built on Envoy Proxy) that supports routing and securing incoming traffic to legacy monoliths, microservices / Kubernetes and serverless functions. Dev and ops teams are able to shape and control traffic patterns from external end users/clients to backend application services. Gloo is a Kubernetes and Istio native ingress gateway.&lt;/p>
&lt;p>Although it&amp;rsquo;s still maturing in each individual project, there are things that we, as a community, can do to improve the foundation for production support.&lt;/p>
&lt;p>The first area is standardizing what a WebAssembly extension for Envoy looks like. Solo.io, Google, and the Istio community have defined an open specification for bundling and distributing WebAssembly modules as OCI images. This specification provides a powerful model for distributing any type of Wasm module including Envoy extensions.&lt;/p>
&lt;p>This is open to the community - &lt;a href="https://github.com/solo-io/wasm-image-spec">Join in the effort&lt;/a>&lt;/p>
&lt;p>The next area is improving the experience of deploying Wasm extensions into an Envoy-based framework running in production. In the Kubernetes ecosystem, it is considered a best practice in production to use declarative CRD-based configuration to manage cluster configuration. The new &lt;a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/wasme_operator/">WebAssembly Hub Operator&lt;/a> adds a single, declarative CRD which automatically deploys and configures Wasm filters to Envoy proxies running inside of a Kubernetes cluster. This operator enables GitOps workflows and cluster automation to manage Wasm filters without human intervention or imperative workflows. We will provide more information about the Operator in an upcoming blog post.&lt;/p>
&lt;p>Lastly, the interactions between developers of Wasm extensions and the teams that deploy them need some kind of role-based access, organization management, and facilities to share, discover, and consume these extensions. The WebAssembly Hub adds team management features like permissions, organizations, user management, sharing, and more.&lt;/p>
&lt;h2 id="improving-the-developer-experience">Improving the developer experience&lt;/h2>
&lt;p>As developers want to target more languages and runtimes, the experience must be kept as simple and as productive as possible. Multi-language support and runtime ABI (Application Binary Interface) targets should be handled automatically in tooling.&lt;/p>
&lt;p>One of the benefits of Wasm is the ability to write modules in many languages. The collaboration between Solo.io and Google provides out-of-the-box support for Envoy filters written in C++, Rust, and AssemblyScript. We will continue to add support for more languages.&lt;/p>
&lt;p>Wasm extensions use the Application Binary Interface (ABI) within the Envoy proxy to which they are deployed. The WebAssembly Hub provides strong ABI versioning guarantees between Envoy, Istio, and Gloo to prevent unpredictable behavior and bugs. All you have to worry about is writing your extension code.&lt;/p>
&lt;p>Lastly, like Docker, the WebAssembly Hub stores and distributes Wasm extensions as OCI images. This makes pushing, pulling, and running extensions as easy as Docker containers. Wasm extension images are versioned and cryptographically secure, making it safe to run extensions locally the same way you would in production. This allows you to build and push as well as trust the source when they pull down and deploy images.&lt;/p>
&lt;h2 id="webassembly-hub-with-istio">WebAssembly Hub with Istio&lt;/h2>
&lt;p>The WebAssembly Hub now fully automates the process of deploying Wasm extensions to Istio, (as well as other Envoy-based frameworks like &lt;a href="https://https://docs.solo.io/gloo/latest/">Gloo API Gateway&lt;/a>) installed in Kubernetes. With this deployment feature, the WebAssembly Hub relieves the operator or end user from having to manually configure the Envoy proxy in their Istio service mesh to use their WebAssembly modules.&lt;/p>
&lt;p>Take a look at the following video to see just how easy it is to get started with WebAssembly and Istio:&lt;/p>
&lt;ul>
&lt;li>&lt;a href="https://www.youtube.com/watch?v=-XPTGXEpUp8">Part 1&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://youtu.be/vuJKRnjh1b8">Part 2&lt;/a>&lt;/li>
&lt;/ul>
&lt;h2 id="get-started">Get Started&lt;/h2>
&lt;p>We hope that the WebAssembly Hub will become a meeting place for the community to share, discover, and distribute Wasm extensions. By providing a great user experience, we hope to make developing, installing, and running Wasm easier and more rewarding. Join us at the &lt;a href="https://webassemblyhub.io">WebAssembly Hub&lt;/a>, share your extensions and &lt;a href="https://https://slack.solo.io">ideas&lt;/a>, and join an &lt;a href="https://solo.zoom.us/webinar/register/WN_i8MiDTIpRxqX-BjnXbj9Xw">upcoming webinar&lt;/a>.&lt;/p></description><pubDate>Wed, 25 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/blog/2020/wasmhub-istio/</link><author>Idit Levine (Solo.io)</author><guid isPermaLink="true">/v1.5/blog/2020/wasmhub-istio/</guid><category>wasm</category><category>extensibility</category><category>alpha</category><category>performance</category><category>operator</category></item><item><title>Introducing istiod: simplifying the control plane</title><description>
&lt;p>Microservices are a great pattern when they map services to disparate teams that deliver them, or when the value of independent rollout and the value of independent scale are greater than the cost of orchestration. We regularly talk to customers and teams running Istio in the real world, and they told us that none of these were the case for the Istio control plane. So, in Istio 1.5, we&amp;rsquo;ve changed how Istio is packaged, consolidating the control plane functionality into a single binary called &lt;strong>istiod&lt;/strong>.&lt;/p>
&lt;h2 id="history-of-the-istio-control-plane">History of the Istio control plane&lt;/h2>
&lt;p>Istio implements a pattern that has been in use at both Google and IBM for many years, which later became known as &amp;ldquo;service mesh&amp;rdquo;. By pairing client and server processes with proxy servers, they act as an application-aware &lt;em>data plane&lt;/em> thats not simply moving packets around hosts, or pulses over wires.&lt;/p>
&lt;p>This pattern helps the world come to terms with &lt;em>microservices&lt;/em>: fine-grained, loosely-coupled services connected via lightweight protocols. The common cross-platform and cross-language standards like HTTP and gRPC that replace proprietary transports, and the widespread presence of the needed libraries, empower different teams to write different parts of an overall architecture in whatever language makes the most sense. Furthermore, each service can scale independently as needed. A desire to implement security, observability and traffic control for such a network powers Istios popularity.&lt;/p>
&lt;p>Istio&amp;rsquo;s &lt;em>control plane&lt;/em> is, itself, a modern, cloud-native application. Thus, it was built from the start as a set of microservices. Individual Istio components like service discovery (Pilot), configuration (Galley), certificate generation (Citadel) and extensibility (Mixer) were all written and deployed as separate microservices. The need for these components to communicate securely and be observable, provided opportunities for Istio to eat its own dogfood (or &amp;ldquo;drink its own champagne&amp;rdquo;, to use a more French version of the metaphor!).&lt;/p>
&lt;h2 id="the-cost-of-complexity">The cost of complexity&lt;/h2>
&lt;p>Good teams look back upon their choices and, with the benefit of hindsight, revisit them. Generally, when a team adopts microservices and their inherent complexity, they look for improvements in other areas to justify the tradeoffs. Let&amp;rsquo;s look at the Istio control plane through that lens.&lt;/p>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Microservices empower you to write in different languages.&lt;/strong> The data plane (the Envoy proxy) is written in C++, and this boundary benefits from a clean separation in terms of the xDS APIs. However, all of the Istio control plane components are written in Go. We were able to choose the appropriate language for the appropriate job: highly performant C++ for the proxy, but accessible and speedy-development for everything else.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Microservices empower you to allow different teams to manage services individually.&lt;/strong>. In the vast majority of Istio installations, all the components are installed and operated by a single team or individual. The componentization done within Istio is aligned along the boundaries of the development teams who build it. This would make sense if the Istio components were delivered as a managed service by the people who wrote them, but this is not the case! Making life simpler for the development teams had an outsized impact of the usability for the orders-of-magnitude more users.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Microservices empower you to decouple versions, and release different components at different times.&lt;/strong> All the components of the control plane have always been released at the same version, at the same time. We have never tested or supported running different versions of (for example) Citadel and Pilot.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Microservices empower you to scale components independently.&lt;/strong> In Istio 1.5, control plane costs are dominated by a single feature: serving the Envoy xDS APIs that program the data plane. Every other feature has a marginal cost, which means there is very little value to having those features in separately-scalable microservices.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Microservices empower you to maintain security boundaries.&lt;/strong> Another good reason to separate an application into different microservices is if they have different security roles. Multiple Istio microservices like the sidecar injector, the Envoy bootstrap, Citadel, and Pilot hold nearly equivalent permissions to change the proxy configuration. Therefore, exploiting any of these services would cause near equivalent damage. When you deploy Istio, all the components are installed by default into the same Kubernetes namespace, offering limited security isolation.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="the-benefit-of-consolidation-introducing-istiod">The benefit of consolidation: introducing istiod&lt;/h2>
&lt;p>Having established that many of the common benefits of microservices didn&amp;rsquo;t apply to the Istio control plane, we decided to unify them into a single binary: &lt;strong>istiod&lt;/strong> (the &amp;rsquo;d&amp;rsquo; is for &lt;a href="https://en.wikipedia.org/wiki/Daemon_%28computing%29">daemon&lt;/a>).&lt;/p>
&lt;p>Let&amp;rsquo;s look at the benefits of the new packaging:&lt;/p>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Installation becomes easier.&lt;/strong> Fewer Kubernetes deployments and associated configurations are required, so the set of configuration options and flags for Istio is reduced significantly. In the simplest case, &lt;strong>&lt;em>you can start the Istio control plane, with all features enabled, by starting a single Pod.&lt;/em>&lt;/strong>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Configuration becomes easier.&lt;/strong> Many of the configuration options that Istio has today are ways to orchestrate the control plane components, and so are no longer needed. You also no longer need to change cluster-wide &lt;code>PodSecurityPolicy&lt;/code> to deploy Istio.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Using VMs becomes easier.&lt;/strong> To add a workload to a mesh, you now just need to install one agent and the generated certificates. That agent connects back to only a single service.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Maintenance becomes easier.&lt;/strong> Installing, upgrading, and removing Istio no longer require a complicated dance of version dependencies and startup orders. For example: To upgrade, you only need to start a new istiod version alongside your existing control plane, canary it, and then move all traffic over to it.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Scalability becomes easier.&lt;/strong> There is now only one component to scale.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Debugging becomes easier.&lt;/strong> Fewer components means less cross-component environmental debugging.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Startup time goes down.&lt;/strong> Components no longer need to wait for each other to start in a defined order.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Resource usage goes down and responsiveness goes up.&lt;/strong> Communication between components becomes guaranteed, and not subject to gRPC size limits. Caches can be shared safely, which decreases the resource footprint as a result.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>istiod unifies functionality that Pilot, Galley, Citadel and the sidecar injector previously performed, into a single binary.&lt;/p>
&lt;p>A separate component, the istio-agent, helps each sidecar connect to the mesh by securely passing configuration and secrets to the Envoy proxies. While the agent, strictly speaking, is still part of the control plane, it runs on a per-pod basis. Weve further simplified by rolling per-node functionality that used to run as a DaemonSet, into that per-pod agent.&lt;/p>
&lt;h2 id="extra-for-experts">Extra for experts&lt;/h2>
&lt;p>There will still be some cases where you might want to run Istio components independently, or replace certain components.&lt;/p>
&lt;p>Some users might want to use a Certificate Authority (CA) outside the mesh, and we have &lt;a href="/v1.5/docs/tasks/security/plugin-ca-cert/">documentation on how to do that&lt;/a>. If you do your certificate provisioning using a different tool, we can use that instead of the built-in CA.&lt;/p>
&lt;h2 id="moving-forward">Moving forward&lt;/h2>
&lt;p>At its heart, istiod is just a packaging and optimization change. It&amp;rsquo;s built on the same code and API contracts as the separate components, and remains covered by our comprehensive test suite. This gives us confidence in making it the default in Istio 1.5. The service is now called &lt;code>istiod&lt;/code> - youll see an &lt;code>istio-pilot&lt;/code> for existing proxies as the upgrade process completes.&lt;/p>
&lt;p>While the move to istiod may seem like a big change, and is a huge improvement for the people who &lt;em>administer&lt;/em> and &lt;em>maintain&lt;/em> the mesh, it wont make the day-to-day life of &lt;em>using&lt;/em> Istio any different. istiod is not changing any of the APIs used to configure your mesh, so your existing processes will all stay the same.&lt;/p>
&lt;p>Does this change imply that microservice are a mistake for &lt;em>all&lt;/em> workloads and architectures? Of course not. They are a tool in a toolbelt, and they work best when they are reflected in your organizational reality. Instead, this change shows a willingness in the project to change based on user feedback, and a continued focus on simplification for all users. Microservices have to be right sized, and we believe we have found the right size for Istio.&lt;/p></description><pubDate>Thu, 19 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/blog/2020/istiod/</link><author>Craig Box (Google)</author><guid isPermaLink="true">/v1.5/blog/2020/istiod/</guid><category>istiod</category><category>control plane</category><category>operator</category></item><item><title>Declarative WebAssembly deployment for Istio</title><description>
&lt;p>As outlined in the &lt;a href="/v1.5/blog/2020/tradewinds-2020/">Istio 2020 trade winds blog&lt;/a> and more recently &lt;a href="/v1.5/news/releases/1.5.x/announcing-1.5/">announced with Istio 1.5&lt;/a>, WebAssembly (Wasm) is now an (alpha) option for extending the functionality of the Istio service proxy (Envoy proxy). With Wasm, users can build support for new protocols, custom metrics, loggers, and other filters. Working closely with Google, we in the community (&lt;a href="https://solo.io">Solo.io&lt;/a>) have focused on the user experience of building, socializing, and deploying Wasm extensions to Istio. We&amp;rsquo;ve announced &lt;a href="https://webassemblyhub.io">WebAssembly Hub&lt;/a> and &lt;a href="https://docs.solo.io/web-assembly-hub/latest/installation/">associated tooling&lt;/a> to build a &amp;ldquo;docker-like&amp;rdquo; experience for working with Wasm.&lt;/p>
&lt;h2 id="background">Background&lt;/h2>
&lt;p>With the WebAssembly Hub tooling, we can use the &lt;code>wasme&lt;/code> CLI to easily bootstrap a Wasm project for Envoy, push it to a repository, and then pull/deploy it to Istio. For example, to deploy a Wasm extension to Istio with &lt;code>wasme&lt;/code> we can run the following:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ wasme deploy istio webassemblyhub.io/ceposta/demo-add-header:v0.2 \
--id=myfilter \
--namespace=bookinfo \
--config &amp;#39;tomorrow&amp;#39;
&lt;/code>&lt;/pre>
&lt;p>This will add the &lt;code>demo-add-header&lt;/code> extension to all workloads running in the &lt;code>bookinfo&lt;/code> namespace. We can get more fine-grained control over which workloads get the extension by using the &lt;code>--labels&lt;/code> parameter:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ wasme deploy istio webassemblyhub.io/ceposta/demo-add-header:v0.2 \
--id=myfilter \
--namespace=bookinfo \
--config &amp;#39;tomorrow&amp;#39; \
--labels app=details
&lt;/code>&lt;/pre>
&lt;p>This is a much easier experience than manually creating &lt;code>EnvoyFilter&lt;/code> resources and trying to get the Wasm module to each of the pods that are part of the workload you&amp;rsquo;re trying to target. However, this is a very imperative approach to interacting with Istio. Just like users typically don&amp;rsquo;t use &lt;code>kubectl&lt;/code> directly in production and prefer a declarative, resource-based workflow, we want the same for making customizations to our Istio proxies.&lt;/p>
&lt;h2 id="a-declarative-approach">A declarative approach&lt;/h2>
&lt;p>The WebAssembly Hub tooling also includes &lt;a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/wasme_operator/">an operator for deploying Wasm extensions to Istio workloads&lt;/a>. The &lt;a href="https://kubernetes.io/docs/concepts/extend-kubernetes/operator/">operator&lt;/a> allows users to define their WebAssembly extensions using a declarative format and leave it to the operator to rectify the deployment. For example, we use a &lt;code>FilterDeployment&lt;/code> resource to define what image and workloads need the extension:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: wasme.io/v1
kind: FilterDeployment
metadata:
name: bookinfo-custom-filter
namespace: bookinfo
spec:
deployment:
istio:
kind: Deployment
labels:
app: details
filter:
config: &amp;#39;world&amp;#39;
image: webassemblyhub.io/ceposta/demo-add-header:v0.2
&lt;/code>&lt;/pre>
&lt;p>We could then take this &lt;code>FilterDeployment&lt;/code> document and version it with the rest of our Istio resources. You may be wondering why we need this Custom Resource to configure Istio&amp;rsquo;s service proxy to use a Wasm extension when Istio already has the &lt;code>EnvoyFilter&lt;/code> resource.&lt;/p>
&lt;p>Let&amp;rsquo;s take a look at exactly how all of this works under the covers.&lt;/p>
&lt;h2 id="how-it-works">How it works&lt;/h2>
&lt;p>Under the covers the operator is doing a few things that aid in deploying and configuring a Wasm extension into the Istio service proxy (Envoy Proxy).&lt;/p>
&lt;ul>
&lt;li>Set up local cache of Wasm extensions&lt;/li>
&lt;li>Pull desired Wasm extension into the local cache&lt;/li>
&lt;li>Mount the &lt;code>wasm-cache&lt;/code> into appropriate workloads&lt;/li>
&lt;li>Configure Envoy with &lt;code>EnvoyFilter&lt;/code> CRD to use the Wasm filter&lt;/li>
&lt;/ul>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:42.663891779396465%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2020/deploy-wasm-declarative/how-it-works.png" title="Understanding how wasme operator works">
&lt;img class="element-to-stretch" src="/v1.5/blog/2020/deploy-wasm-declarative/how-it-works.png" alt="How the wasme operator works" />
&lt;/a>
&lt;/div>
&lt;figcaption>Understanding how wasme operator works&lt;/figcaption>
&lt;/figure>
&lt;p>At the moment, the Wasm image needs to be published into a registry for the operator to correctly cache it. The cache pods run as DaemonSet on each node so that the cache can be mounted into the Envoy container. This is being improved, as it&amp;rsquo;s not the ideal mechanism. Ideally we wouldn&amp;rsquo;t have to deal with mounting anything and could stream the module to the proxy directly over HTTP, so stay tuned for updates (should land within next few days). The mount is established by using the &lt;code>sidecar.istio.io/userVolume&lt;/code> and &lt;code>sidecar.istio.io/userVolumeMount&lt;/code> annotations. See &lt;a href="/v1.5/docs/reference/config/annotations/">the docs on Istio Resource Annotations&lt;/a> for more about how that works.&lt;/p>
&lt;p>Once the Wasm module is cached correctly and mounted into the workload&amp;rsquo;s service proxy, the operator then configures the &lt;code>EnvoyFilter&lt;/code> resources.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: details-v1-myfilter
namespace: bookinfo
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: envoy.http_connection_manager
subFilter:
name: envoy.router
patch:
operation: INSERT_BEFORE
value:
config:
config:
configuration: tomorrow
name: myfilter
rootId: add_header
vmConfig:
code:
local:
filename: /var/local/lib/wasme-cache/44bf95b368e78fafb663020b43cf099b23fc6032814653f2f47e4d20643e7267
runtime: envoy.wasm.runtime.v8
vmId: myfilter
name: envoy.filters.http.wasm
workloadSelector:
labels:
app: details
version: v1
&lt;/code>&lt;/pre>
&lt;p>You can see the &lt;code>EnvoyFilter&lt;/code> resource configures the proxy to add the &lt;code>envoy.filter.http.wasm&lt;/code> filter and load the Wasm module from the &lt;code>wasme-cache&lt;/code>.&lt;/p>
&lt;p>Once the Wasm extension is loaded into the Istio service proxy, it will extend the capabilities of the proxy with whatever custom code you introduced.&lt;/p>
&lt;h2 id="next-steps">Next Steps&lt;/h2>
&lt;p>In this blog we explored options for installing Wasm extensions into Istio workloads. The easiest way to get started with WebAssembly on Istio is to use the &lt;code>wasme&lt;/code> tool &lt;a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/getting_started/">to bootstrap a new Wasm project&lt;/a> with C++, AssemblyScript [or Rust coming really soon!]. For example, to set up a C++ Wasm module, you can run:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ wasme init ./filter --language cpp --platform istio --platform-version 1.5.x
&lt;/code>&lt;/pre>
&lt;p>If we didn&amp;rsquo;t have the extra flags, &lt;code>wasme init&lt;/code> would enter an interactive mode walking you through the correct values to choose.&lt;/p>
&lt;p>Take a look at the &lt;a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/getting_started/">WebAssembly Hub wasme tooling&lt;/a> to get started with Wasm on Istio.&lt;/p>
&lt;h2 id="learn-more">Learn more&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Redefine Extensibility &lt;a href="/v1.5/blog/2020/wasm-announce/">with WebAssembly on Envoy and Istio&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>WebAssembly SF talk (video): &lt;a href="https://www.youtube.com/watch?v=OIUPf8m7CGA">Extensions for network proxies&lt;/a>, by John Plevyak&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/">Solo blog&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://github.com/proxy-wasm/spec">Proxy-Wasm ABI specification&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/blob/master/docs/wasm_filter.md">Proxy-Wasm C++ SDK&lt;/a> and
its &lt;a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/blob/master/docs/wasm_filter.md">developer documentation&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://github.com/proxy-wasm/proxy-wasm-rust-sdk">Proxy-Wasm Rust SDK&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://github.com/solo-io/proxy-runtime">Proxy-Wasm AssemblyScript SDK&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/">Tutorials&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>Videos on the &lt;a href="https://www.youtube.com/channel/UCuketWAG3WqYjjxtQ9Q8ApQ">Solo.io Youtube Channel&lt;/a>&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Mon, 16 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/blog/2020/deploy-wasm-declarative/</link><author>Christian Posta (Solo.io)</author><guid isPermaLink="true">/v1.5/blog/2020/deploy-wasm-declarative/</guid><category>wasm</category><category>extensibility</category><category>alpha</category><category>operator</category></item><item><title>Redefining extensibility in proxies - introducing WebAssembly to Envoy and Istio</title><description>
&lt;p>Since adopting &lt;a href="https://www.envoyproxy.io/">Envoy&lt;/a> in 2016, the Istio project has always wanted to
provide a platform on top of which a rich set of extensions could be built, to meet the diverse
needs of our users. There are many reasons to add capability to the data plane of a service
mesh &amp;mdash; to support newer protocols, integrate with proprietary security controls, or enhance
observability with custom metrics, to name a few.&lt;/p>
&lt;p>Over the last year and a half our team here at Google has been working on adding dynamic
extensibility to the Envoy proxy using &lt;a href="https://webassembly.org/">WebAssembly&lt;/a>. We are delighted to
share that work with the world today, as well as
unveiling &lt;a href="https://github.com/proxy-wasm/spec">WebAssembly (Wasm) for Proxies&lt;/a> (Proxy-Wasm): an ABI,
which we intend to standardize; SDKs; and its first major implementation, the new,
lower-latency &lt;a href="/v1.5/docs/reference/config/telemetry">Istio telemetry system&lt;/a>.&lt;/p>
&lt;p>We have also worked closely with the community to ensure that there is a great developer experience
for users to get started quickly. The Google team has been working closely with the team
at &lt;a href="https://solo.io">Solo.io&lt;/a> who have built the &lt;a href="https://webassemblyhub.io/">WebAssembly Hub,&lt;/a>
a service for building, sharing, discovering and deploying Wasm extensions.
With the WebAssembly Hub, Wasm extensions are as easy to manage, install and and run as containers.&lt;/p>
&lt;p>This work is being released today in Alpha and there is still lots
of &lt;a href="#next-steps">work to be done&lt;/a>, but we are excited to get this into the hands of developers
so they can start experimenting with the tremendous possibilities this opens up.&lt;/p>
&lt;h2 id="background">Background&lt;/h2>
&lt;p>The need for extensibility has been a founding tenet of both the Istio and Envoy projects,
but the two projects took different approaches. Istio project focused on enabling a generic
out-of-process extension model called &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/">Mixer&lt;/a>
with a lightweight developer experience, while Envoy focused on in-proxy &lt;a href="https://www.envoyproxy.io/docs/envoy/latest/extending/extending">extensions&lt;/a>.&lt;/p>
&lt;p>Each approach has its share of pros and cons. The Istio model led to significant resource
inefficiencies that impacted tail latencies and resource utilization. This model was also
intrinsically limited - for example, it was never going to provide support for
implementing &lt;a href="https://blog.envoyproxy.io/how-to-write-envoy-filters-like-a-ninja-part-1-d166e5abec09">custom protocol handling&lt;/a>.&lt;/p>
&lt;p>The Envoy model imposed a monolithic build process, and required extensions to be written in C++,
limiting the developer ecosystem. Rolling out a new extension to the fleet required pushing new
binaries and rolling restarts, which can be difficult to coordinate, and risk downtime. This also
incentivized developers to upstream extensions into Envoy that were used by only a small
percentage of deployments, just to piggyback on its release mechanisms.&lt;/p>
&lt;p>Over time some of the most performance-sensitive features of Istio have been upstreamed
into Envoy - &lt;a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/rbac_filter">policy checks on traffic&lt;/a>, and
&lt;a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/jwt_authn_filter">JWT authentication&lt;/a>, for example.
Still, we have always wanted to converge on a single stack for extensibility that imposes fewer
tradeoffs: something that decouples Envoy releases from its extension ecosystem, enables
developers to work in their languages of choice, and enables Istio to reliably roll out new
capability without downtime risk. Enter WebAssembly.&lt;/p>
&lt;h2 id="what-is-webassembly">What is WebAssembly?&lt;/h2>
&lt;p>&lt;a href="https://webassembly.org/">WebAssembly&lt;/a> (Wasm) is a portable bytecode format for executing code
written in &lt;a href="https://github.com/appcypher/awesome-wasm-langs">multiple languages&lt;/a> at
near-native speed. Its initial &lt;a href="https://webassembly.org/docs/high-level-goals/">design goals&lt;/a> align
well with the challenges outlined above, and it has sizable industry support behind it. Wasm
is the fourth standard language (following HTML, CSS and JavaScript) to run natively in all
the major browsers, having become a &lt;a href="https://www.w3.org/TR/wasm-core-1/">W3C Recommendation&lt;/a> in
December 2019. That gives us confidence in making a strategic bet on it.&lt;/p>
&lt;p>While WebAssembly started life as a client-side technology, there are a number of advantages
to using it on the server. The runtime is memory-safe and sandboxed for security. There is a
large tooling ecosystem for compiling and debugging Wasm in its textual or binary format.
The &lt;a href="https://www.w3.org/">W3C&lt;/a> and &lt;a href="https://bytecodealliance.org/">BytecodeAlliance&lt;/a> have become
active hubs for other server-side efforts. For example, the Wasm community is standardizing
a &lt;a href="https://hacks.mozilla.org/2019/03/standardizing-wasi-a-webassembly-system-interface/">&amp;ldquo;WebAssembly System Interface&amp;rdquo; (WASI)&lt;/a>
at the W3C, with a sample implementation, which provides an OS-like abstraction to Wasm &amp;lsquo;programs&amp;rsquo;.&lt;/p>
&lt;h2 id="bringing-webassembly-to-envoy">Bringing WebAssembly to Envoy&lt;/h2>
&lt;p>&lt;a href="https://github.com/envoyproxy/envoy/issues/4272">Over the past 18 months&lt;/a>, we have been working
with the Envoy community to build Wasm extensibility into Envoy and contribute it upstream.
We&amp;rsquo;re pleased to announce it is available as Alpha in the Envoy build shipped
with &lt;a href="/v1.5/news/releases/1.5.x/announcing-1.5/">Istio 1.5&lt;/a>, with source in
the &lt;a href="https://github.com/envoyproxy/envoy-wasm/">&lt;code>envoy-wasm&lt;/code>&lt;/a> development fork and work ongoing to
merge it into the main Envoy tree. The implementation uses the WebAssembly runtime built into
Google&amp;rsquo;s high performance &lt;a href="https://v8.dev/">V8 engine&lt;/a>.&lt;/p>
&lt;p>In addition to the underlying runtime, we have also built:&lt;/p>
&lt;ul>
&lt;li>&lt;p>A generic Application Binary Interface (ABI) for embedding Wasm in proxies, which means compiled
extensions will work across different versions of Envoy - or even other proxies, should they choose
to implement the ABI&lt;/p>&lt;/li>
&lt;li>&lt;p>SDKs for easy extension development in &lt;a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk">C++&lt;/a>,
&lt;a href="https://github.com/proxy-wasm/proxy-wasm-rust-sdk">Rust&lt;/a>
and &lt;a href="https://github.com/solo-io/proxy-runtime">AssemblyScript&lt;/a>, with more to follow&lt;/p>&lt;/li>
&lt;li>&lt;p>Comprehensive &lt;a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/">samples and instructions&lt;/a>
on how to deploy in Istio and standalone Envoy&lt;/p>&lt;/li>
&lt;li>&lt;p>Abstractions to allow for other Wasm runtimes to be used, including a &amp;lsquo;null&amp;rsquo; runtime which
simply compiles the extension natively into Envoy &amp;mdash; very useful for testing and debugging&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>Using Wasm for extending Envoy brings us several key benefits:&lt;/p>
&lt;ul>
&lt;li>&lt;p>Agility: Extensions can be delivered and reloaded at runtime using the Istio control plane.
This enables a fast develop → test → release cycle for extensions without
requiring Envoy rollouts.&lt;/p>&lt;/li>
&lt;li>&lt;p>Stock releases: Once merging into the main tree is complete, Istio and others will be able to
use stock releases of Envoy, instead of custom builds. This will also free the Envoy community
to move some of the built-in extensions to this model, thereby reducing their
supported footprint.&lt;/p>&lt;/li>
&lt;li>&lt;p>Reliability and isolation: Extensions are deployed inside a sandbox with resource constraints,
which means they can now crash, or leak memory, without bringing the whole Envoy process down.
CPU and memory usage can also be constrained.&lt;/p>&lt;/li>
&lt;li>&lt;p>Security: The sandbox has a clearly defined API for communicating with Envoy, so extensions
only have access to, and can modify, a limited number of properties of a connection or request.
Furthermore, because Envoy mediates this interaction, it can hide or sanitize sensitive
information from the extension (e.g. &amp;ldquo;Authorization&amp;rdquo; and &amp;ldquo;Cookie&amp;rdquo; HTTP headers, or
the client&amp;rsquo;s IP address).&lt;/p>&lt;/li>
&lt;li>&lt;p>Flexibility: &lt;a href="https://github.com/appcypher/awesome-wasm-langs">over 30 programming languages can be compiled to WebAssembly&lt;/a>,
allowing developers from all backgrounds - C++, Go, Rust, Java, TypeScript, etc. - to write
Envoy extensions in their language of choice.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>&amp;ldquo;I am extremely excited to see WASM support land in Envoy; this is the future of Envoy
extensibility, full stop. Envoy&amp;rsquo;s WASM support coupled with a community driven hub will unlock an
incredible amount of innovation in the networking space across both service mesh and API gateway
use cases. I can&amp;rsquo;t wait to see what the community builds moving forward.&amp;rdquo;
&amp;ndash; Matt Klein, Envoy creator.&lt;/p>
&lt;p>For technical details of the implementation, look out for an upcoming post
to &lt;a href="https://blog.envoyproxy.io/">the Envoy blog&lt;/a>.&lt;/p>
&lt;p>The &lt;a href="https://github.com/proxy-wasm">Proxy-Wasm&lt;/a> interface between host environment and extensions
is deliberately proxy agnostic. We&amp;rsquo;ve built it into Envoy, but it was designed to be adopted by
other proxy vendors. We want to see a world where you can take an extension written for Istio and
Envoy and run it in other infrastructure; you&amp;rsquo;ll hear more about that soon.&lt;/p>
&lt;h2 id="building-on-webassembly-in-istio">Building on WebAssembly in Istio&lt;/h2>
&lt;p>Istio moved several of its extensions into its build of Envoy as part of the 1.5 release, in order
to significantly improve performance. While doing that work we have been testing to ensure those
same extensions can compile and run as Proxy-Wasm modules with no variation in behavior. We&amp;rsquo;re not
quite ready to make this setup the default, given that we consider Wasm support to be Alpha;
however, this has given us a lot of confidence in our general approach and in the host
environment, ABI and SDKs that have been developed.&lt;/p>
&lt;p>We have also been careful to ensure that the Istio control plane and
its &lt;a href="/v1.5/docs/reference/config/networking/envoy-filter/">Envoy configuration APIs&lt;/a> are Wasm-ready.
We have samples to show how several common customizations such as custom header decoding or
programmatic routing can be performed which are common asks from users. As we move this support to
Beta, you will see documentation showing best practices for using Wasm with Istio.&lt;/p>
&lt;p>Finally, we are working with the many vendors who have
written &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/">Mixer adapters&lt;/a>,
to help them with a migration to Wasm &amp;mdash; if that is the best path forward. Mixer will move to a
community project in a future release, where it will remain available for legacy use cases.&lt;/p>
&lt;h2 id="developer-experience">Developer Experience&lt;/h2>
&lt;p>Powerful tooling is nothing without a great developer experience. Solo.io
&lt;a href="https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/">recently announced&lt;/a>
the release of &lt;a href="https://webassemblyhub.io/">WebAssembly Hub&lt;/a>, a set of tools and repository for
building, deploying, sharing and discovering Envoy Proxy Wasm extensions for Envoy and Istio.&lt;/p>
&lt;p>The WebAssembly Hub fully automates many of the steps required for developing and deploying Wasm
extensions. Using WebAssembly Hub tooling, users can easily compile their code - in any supported
language - into Wasm extensions. The extensions can then be uploaded to the Hub registry, and be
deployed and undeployed to Istio with a single command.&lt;/p>
&lt;p>Behind the scenes the Hub takes care of much of the nitty-gritty, such as pulling in the correct
toolchain, ABI version verification, permission control, and more. The workflow also eliminates
toil with configuration changes across Istio service proxies by automating the deployment of your
extensions. This tooling helps users and operators avoid unexpected behaviors due to
misconfiguration or version mismatches.&lt;/p>
&lt;p>The WebAssembly Hub tools provide a powerful CLI as well as an elegant and easy-to-use graphical
user interface. An important goal of the WebAssembly Hub is to simplify the experience around
building Wasm modules and provide a place of collaboration for developers to share and discover
useful extensions.&lt;/p>
&lt;p>Check out the &lt;a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/">getting started guide&lt;/a>
to create your first Proxy-Wasm extension.&lt;/p>
&lt;h2 id="next-steps">Next Steps&lt;/h2>
&lt;p>In addition to working towards a beta release, we are committed to making sure that there is a
durable community around Proxy-Wasm. The ABI needs to be finalized, and turning it into a standard
will be done with broader feedback within the appropriate standards body. Completing upstreaming
support into the Envoy mainline is still in progress. We are also seeking an appropriate
community home for the tooling and the WebAssembly Hub&lt;/p>
&lt;h2 id="learn-more">Learn more&lt;/h2>
&lt;ul>
&lt;li>&lt;p>WebAssembly SF talk (video): &lt;a href="https://www.youtube.com/watch?v=OIUPf8m7CGA">Extensions for network proxies&lt;/a>, by John Plevyak&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/">Solo blog&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://github.com/proxy-wasm/spec">Proxy-Wasm ABI specification&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/blob/master/docs/wasm_filter.md">Proxy-Wasm C++ SDK&lt;/a> and
its &lt;a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/blob/master/docs/wasm_filter.md">developer documentation&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://github.com/proxy-wasm/proxy-wasm-rust-sdk">Proxy-Wasm Rust SDK&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://github.com/solo-io/proxy-runtime">Proxy-Wasm AssemblyScript SDK&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/">Tutorials&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>Videos on the &lt;a href="https://www.youtube.com/channel/UCuketWAG3WqYjjxtQ9Q8ApQ">Solo.io Youtube Channel&lt;/a>&lt;/p>&lt;/li>
&lt;/ul></description><pubDate>Thu, 05 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/blog/2020/wasm-announce/</link><author>Craig Box, Mandar Jog, John Plevyak, Louis Ryan, Piotr Sikora (Google), Yuval Kohavi, Scott Weiss (Solo.io)</author><guid isPermaLink="true">/v1.5/blog/2020/wasm-announce/</guid><category>wasm</category><category>extensibility</category><category>alpha</category><category>performance</category><category>operator</category></item><item><title>Istio in 2020 - Following the Trade Winds</title><description>
&lt;p>Istio solves real problems that people encounter running microservices. Even
&lt;a href="https://kubernetespodcast.com/episode/016-descartes-labs/">very early pre-release versions&lt;/a>
helped users debug the latency in their architecture, increase the reliability
of services, and transparently secure traffic behind the firewall.&lt;/p>
&lt;p>Last year, the Istio project experienced major growth. After a 9-month gestation
before the 1.1 release in Q1, we set a goal of having a quarterly release
cadence. We knew it was important to deliver value consistently and predictably.
With three releases landing in the successive quarters as planned, we are proud
to have reached that goal.&lt;/p>
&lt;p>During that time, we improved our build and test infrastructure, resulting in
higher quality and easier release cycles. We doubled down on user experience,
adding many commands to make operating and debugging the mesh easier. We also
saw tremendous growth in the number of developers and companies contributing to
the product - culminating in us being
&lt;a href="https://octoverse.github.com/#fastest-growing-oss-projects-by-contributors">#4 on GitHub&amp;rsquo;s top ten list of fastest growing projects&lt;/a>!&lt;/p>
&lt;p>We have ambitious goals for Istio in 2020 and there are many major efforts
underway, but at the same time we strongly believe that good infrastructure
should be &amp;ldquo;boring.&amp;rdquo; Using Istio in production should be a seamless experience;
performance should not be a concern, upgrades should be a non-event and complex
tasks should be automated away. With our investment in a more powerful
extensibility story we think the pace of innovation in the service mesh space
can increase while Istio focuses on being gloriously dull.
More details on our major efforts in 2020 below.&lt;/p>
&lt;h2 id="sleeker-smoother-and-faster">Sleeker, smoother and faster&lt;/h2>
&lt;p>Istio provided for extensibility from day one, implemented by a component called
Mixer. Mixer is a platform that allows custom
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/#adapters">adapters&lt;/a>
to act as an intermediary between the data plane and the backends you use for
policy or telemetry. Mixer necessarily added overhead to requests because it
required extensions to be out-of-process. So, we&amp;rsquo;re moving to a model that
enables extension directly in the proxies instead.&lt;/p>
&lt;p>Most of Mixers use cases for policy enforcement are already addressed with
Istio&amp;rsquo;s &lt;a href="/v1.5/docs/concepts/security/#authentication-policies">authentication&lt;/a>
and &lt;a href="/v1.5/docs/concepts/security/#authorization">authorization&lt;/a> policies, which
allow you to control workload-to-workload and end-user-to-workload authorization
directly in the proxy. Common monitoring use cases have already moved into the
proxy too - we have
&lt;a href="/v1.5/docs/reference/config/telemetry/metrics">introduced in-proxy support&lt;/a>
for sending telemetry to Prometheus and Stackdriver.&lt;/p>
&lt;p>Our benchmarking shows that the new telemetry model reduces our latency
dramatically and gives us industry-leading performance, with 50% reductions in
both latency and CPU consumption.&lt;/p>
&lt;h2 id="a-new-model-for-istio-extensibility">A new model for Istio extensibility&lt;/h2>
&lt;p>The model that replaces Mixer uses extensions in Envoy to provide even more
capability. The Istio community is leading the implementation of a
&lt;a href="https://webassembly.org/">WebAssembly&lt;/a> (Wasm) runtime in Envoy, which lets us
implement extensions that are modular, sandboxed, and developed in one of
&lt;a href="https://github.com/appcypher/awesome-wasm-langs">over 20 languages&lt;/a>. Extensions
can be dynamically loaded and reloaded while the proxy continues serving
traffic. Wasm extensions will also be able to extend the platform in ways that
Mixer simply couldnt. They can act as custom protocol handlers and transform
payloads as they pass through Envoy — in short they can do the same things as
modules built into Envoy.&lt;/p>
&lt;p>We&amp;rsquo;re working with the Envoy community on ways to discover and distribute these
extensions. We want to make WebAssembly extensions as easy to install and run as
containers. Many of our partners have written Mixer adapters, and together we
are getting them ported to Wasm. We are also developing guides and codelabs on
how to write your own extensions for custom integrations.&lt;/p>
&lt;p>By changing the extension model, we were also able to remove dozens of CRDs.
You no longer need a unique CRD for every piece of software you integrate with
Istio.&lt;/p>
&lt;p>Installing Istio 1.5 with the &amp;lsquo;preview&amp;rsquo; configuration profile won&amp;rsquo;t install
Mixer. If you upgrade from a previous release, or install the &amp;lsquo;default&amp;rsquo; profile,
we still keep Mixer around, to be safe. When using Prometheus or Stackdriver for
metrics, we recommend you try out the new mode and see how much your performance
improves.&lt;/p>
&lt;p>You can keep Mixer installed and enabled if you need it. Eventually Mixer will
become a separately released add-on to Istio that is part of the
&lt;a href="https://github.com/istio-ecosystem/">istio-ecosystem&lt;/a>.&lt;/p>
&lt;h2 id="fewer-moving-parts">Fewer moving parts&lt;/h2>
&lt;p>We are also simplifying the deployment of the rest of the control plane. To
that end, we combined several of the control plane components into a single
component: Istiod. This binary includes the features of Pilot, Citadel, Galley,
and the sidecar injector. This approach improves many aspects of installing and
managing Istio &amp;ndash; reducing installation and configuration complexity,
maintenance effort, and issue diagnosis time while increasing responsiveness.
Read more about Istiod in
&lt;a href="https://blog.christianposta.com/microservices/istio-as-an-example-of-when-not-to-do-microservices/">this post from Christian Posta&lt;/a>.&lt;/p>
&lt;p>We are shipping istiod as the default for all profiles in 1.5.&lt;/p>
&lt;p>To reduce the per-node footprint, we are getting rid of the node-agent, used to
distribute certificates, and moving its functionality to the istio-agent, which
already runs in each Pod. For those of you who like pictures we are moving from
this &amp;hellip;&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2020/tradewinds-2020/architecture-pre-istiod.svg" title="The Istio architecture today">
&lt;img class="element-to-stretch" src="/v1.5/blog/2020/tradewinds-2020/architecture-pre-istiod.svg" alt="Istio architecture with Pilot, Mixer, Citadel, Sidecar injector" />
&lt;/a>
&lt;/div>
&lt;figcaption>The Istio architecture today&lt;/figcaption>
&lt;/figure>
&lt;p>to this&amp;hellip;&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2020/tradewinds-2020/architecture-post-istiod.svg" title="The Istio architecture in 2020">
&lt;img class="element-to-stretch" src="/v1.5/blog/2020/tradewinds-2020/architecture-post-istiod.svg" alt="Istio architecture with istiod" />
&lt;/a>
&lt;/div>
&lt;figcaption>The Istio architecture in 2020&lt;/figcaption>
&lt;/figure>
&lt;p>In 2020, we will continue to invest in onboarding to achieve our goal of a
&amp;ldquo;zero config&amp;rdquo; default that doesnt require you to change any of your
application&amp;rsquo;s configuration to take advantage of most Istio features.&lt;/p>
&lt;h2 id="improved-lifecycle-management">Improved lifecycle management&lt;/h2>
&lt;p>To improve Istios life-cycle management, we moved to an
&lt;a href="https://kubernetes.io/docs/concepts/extend-kubernetes/operator/">operator&lt;/a>-based
installation. We introduced the
&lt;strong>&lt;a href="/v1.5/docs/setup/install/istioctl/">IstioOperator CRD and two installation modes&lt;/a>&lt;/strong>:&lt;/p>
&lt;ul>
&lt;li>Human-triggered: use istioctl to apply the settings to the cluster.&lt;/li>
&lt;li>Machine-triggered: use a controller that is continually watching for changes
in that CRD and affecting those in real time.&lt;/li>
&lt;/ul>
&lt;p>In 2020 upgrades will getting easier too. We will add support for &amp;ldquo;canarying&amp;rdquo;
new versions of the Istio control plane, which allows you to run a new version
alongside the existing version and gradually switch your data plane over to use
the new one.&lt;/p>
&lt;h2 id="secure-by-default">Secure By Default&lt;/h2>
&lt;p>Istio already provides the fundamentals for strong service security: reliable
workload identity, robust access policies and comprehensive audit logging. Were
stabilizing APIs for these features; many Alpha APIs are moving to Beta in 1.5,
and we expect them to all be v1 by the end of 2020. To learn more about the
status of our APIs, see our
&lt;a href="/v1.5/about/feature-stages/#istio-features">features page&lt;/a>.&lt;/p>
&lt;p>Network traffic is also becoming more secure by default. After many users
enabled it in preview,
&lt;a href="/v1.5/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls">automated rollout of mutual TLS&lt;/a>
is becoming the recommended practice in Istio 1.5.&lt;/p>
&lt;p>In addition we will make Istio require fewer privileges and simplify its
dependencies which in turn make it a more robust system. Historically, you had
to mount certificates into Envoy using Kubernetes Secrets, which were mounted as
files into each proxy. By leveraging the
&lt;a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret">Secret Discovery Service&lt;/a>
we can distribute these certificates securely without concern of them being
intercepted by other workloads on the machine. This mode will become the default
in 1.5.&lt;/p>
&lt;p>Getting rid of the node-agent not only simplifies the deployment, but also
removes the requirement for a cluster-wide &lt;code>PodSecurityPolicy&lt;/code>, further
improving the security posture of your cluster.&lt;/p>
&lt;h2 id="other-features">Other features&lt;/h2>
&lt;p>Here&amp;rsquo;s a snapshot of some more exciting things you can expect from Istio in
2020:&lt;/p>
&lt;ul>
&lt;li>Integration with more hosted Kubernetes environments - service meshes
powered by Istio are currently available from 15 vendors, including Google, IBM,
Red Hat, VMware, Alibaba and Huawei&lt;/li>
&lt;li>More investment in &lt;code>istioctl&lt;/code> and its ability to help diagnose problems&lt;/li>
&lt;li>Better integration of VM-based workloads into meshes&lt;/li>
&lt;li>Continued work towards making multi-cluster and multi-network meshes easier to
configure, maintain, and run&lt;/li>
&lt;li>Integration with more service discovery systems, including
Functions-as-a-Service&lt;/li>
&lt;li>Implementation of the new
&lt;a href="https://kubernetes-sigs.github.io/service-apis/">Kubernetes service APIs&lt;/a>,
which are currently in development&lt;/li>
&lt;li>An &lt;a href="https://github.com/istio/enhancements/">enhancement repository&lt;/a>,
to track feature development&lt;/li>
&lt;li>Making it easier to run Istio without needing Kubernetes!&lt;/li>
&lt;/ul>
&lt;p>From the seas to &lt;a href="https://www.youtube.com/watch?v=YjZ4AZ7hRM0">the skies&lt;/a>,
we&amp;rsquo;re excited to see where you take Istio next.&lt;/p></description><pubDate>Tue, 03 Mar 2020 00:00:00 +0000</pubDate><link>/v1.5/blog/2020/tradewinds-2020/</link><author>Istio Team</author><guid isPermaLink="true">/v1.5/blog/2020/tradewinds-2020/</guid><category>roadmap</category><category>security</category><category>performance</category><category>operator</category></item><item><title>Remove cross-pod unix domain sockets</title><description>&lt;p>In Istio versions before 1.5, during secret discovery service (SDS) execution,
the SDS client and the SDS server communicate through a cross-pod Unix domain
socket (UDS), which needs to be protected by Kubernetes pod security policies.&lt;/p>
&lt;p>With Istio 1.5, Pilot Agent, Envoy, and Citadel Agent will be running in
the same container (the architecture is shown in the following diagram).
To defend against attackers eavesdropping on the cross-pod UDS between Envoy (SDS client)
and Citadel Agent (SDS server), Istio 1.5 merges Pilot Agent and Citadel Agent
into a single Istio Agent and makes the UDS between Envoy and Citadel Agent
private to the Istio Agent container.
The Istio Agent container is deployed as the sidecar of the application service container.&lt;/p>
&lt;figure style="width:70%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:80.39622513132818%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2020/istio-agent/istio_agent.svg" title="The architecture of Istio Agent">
&lt;img class="element-to-stretch" src="/v1.5/blog/2020/istio-agent/istio_agent.svg" alt="The architecture of Istio Agent" />
&lt;/a>
&lt;/div>
&lt;figcaption>The architecture of Istio Agent&lt;/figcaption>
&lt;/figure></description><pubDate>Thu, 20 Feb 2020 00:00:00 +0000</pubDate><link>/v1.5/blog/2020/istio-agent/</link><author>Lei Tang (Google)</author><guid isPermaLink="true">/v1.5/blog/2020/istio-agent/</guid><category>security</category><category>secret discovery service</category><category>unix domain socket</category></item><item><title>Multicluster Istio configuration and service discovery using Admiral</title><description>
&lt;p>At Intuit, we read the blog post &lt;a href="/v1.5/blog/2019/isolated-clusters/">Multi-Mesh Deployments for Isolation and Boundary Protection&lt;/a> and immediately related to some of the problems mentioned.
We realized that even though we wanted to configure a single multi-cluster mesh, instead of a federation of multiple meshes
as described in the blog post, the same non-uniform naming issues also applied in our environment.
This blog post explains how we solved these problems using &lt;a href="https://github.com/istio-ecosystem/admiral">Admiral&lt;/a>, an open source project under &lt;code>istio-ecosystem&lt;/code> in GitHub.&lt;/p>
&lt;h2 id="background">Background&lt;/h2>
&lt;p>Using Istio, we realized the configuration for multi-cluster was complex and challenging to maintain over time. As a result, we chose the model described in &lt;a href="/v1.5/docs/setup/install/multicluster/gateways/#deploy-the-istio-control-plane-in-each-cluster">Multi-Cluster Istio Service Mesh with replicated control planes&lt;/a> for scalability and other operational reasons. Following this model, we had to solve these key requirements before widely adopting an Istio service mesh:&lt;/p>
&lt;ul>
&lt;li>Creation of service DNS entries decoupled from the namespace, as described in &lt;a href="/v1.5/blog/2019/isolated-clusters/#features-of-multi-mesh-deployments">Features of multi-mesh deployments&lt;/a>.&lt;/li>
&lt;li>Service discovery across many clusters.&lt;/li>
&lt;li>Supporting active-active &amp;amp; HA/DR deployments. We also had to support these crucial resiliency patterns with services being deployed in globally unique namespaces across discrete clusters.&lt;/li>
&lt;/ul>
&lt;p>We have over 160 Kubernetes clusters with a globally unique namespace name across all clusters. In this configuration, we can have the same service workload deployed in different regions running in namespaces with different names. As a result, following the routing strategy mentioned in &lt;a href="/v1.5/blog/2019/multicluster-version-routing">Multicluster version routing&lt;/a>, the example name &lt;code>foo.namespace.global&lt;/code> wouldn&amp;rsquo;t work across clusters. We needed a globally unique and discoverable service DNS that resolves service instances in multiple clusters, each instance running/addressable with its own unique Kubernetes FQDN. For example, &lt;code>foo.global&lt;/code> should resolve to both &lt;code>foo.uswest2.svc.cluster.local&lt;/code> &amp;amp; &lt;code>foo.useast2.svc.cluster.local&lt;/code> if &lt;code>foo&lt;/code> is running in two Kubernetes clusters with different names.
Also, our services need additional DNS names with different resolution and global routing properties. For example, &lt;code>foo.global&lt;/code> should resolve locally first, then route to a remote instance using topology routing, while &lt;code>foo-west.global&lt;/code> and &lt;code>foo-east.global&lt;/code> (names used for testing) should always resolve to the respective regions.&lt;/p>
&lt;h2 id="contextual-configuration">Contextual Configuration&lt;/h2>
&lt;p>After further investigation, it was apparent that configuration needed to be contextual: each cluster needs a configuration specifically tailored for its view of the world.&lt;/p>
&lt;p>For example, we have a payments service consumed by orders and reports. The payments service has a HA/DR deployment across &lt;code>us-east&lt;/code> (cluster 3) and &lt;code>us-west&lt;/code> (cluster 2). The payments service is deployed in namespaces with different names in each region. The orders service is deployed in a different cluster as payments in &lt;code>us-west&lt;/code> (cluster 1). The reports service is deployed in the same cluster as payments in &lt;code>us-west&lt;/code> (cluster 2).&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60.81558869142712%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2020/multi-cluster-mesh-automation/Istio_mesh_example.svg" title="Cross cluster workload communication with Istio">
&lt;img class="element-to-stretch" src="/v1.5/blog/2020/multi-cluster-mesh-automation/Istio_mesh_example.svg" alt="Example of calling a workload in Istio multicluster" />
&lt;/a>
&lt;/div>
&lt;figcaption>Cross cluster workload communication with Istio&lt;/figcaption>
&lt;/figure>
&lt;p>Istio &lt;code>ServiceEntry&lt;/code> yaml for payments service in Cluster 1 and Cluster 2 below illustrates the contextual configuration that other services need to use the payments service:&lt;/p>
&lt;p>Cluster 1 Service Entry&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: payments.global-se
spec:
addresses:
- 240.0.0.10
endpoints:
- address: ef394f...us-east-2.elb.amazonaws.com
locality: us-east-2
ports:
http: 15443
- address: ad38bc...us-west-2.elb.amazonaws.com
locality: us-west-2
ports:
http: 15443
hosts:
- payments.global
location: MESH_INTERNAL
ports:
- name: http
number: 80
protocol: http
resolution: DNS
&lt;/code>&lt;/pre>
&lt;p>Cluster 2 Service Entry&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: payments.global-se
spec:
addresses:
- 240.0.0.10
endpoints:
- address: ef39xf...us-east-2.elb.amazonaws.com
locality: us-east-2
ports:
http: 15443
- address: payments.default.svc.cluster.local
locality: us-west-2
ports:
http: 80
hosts:
- payments.global
location: MESH_INTERNAL
ports:
- name: http
number: 80
protocol: http
resolution: DNS
&lt;/code>&lt;/pre>
&lt;p>The payments &lt;code>ServiceEntry&lt;/code> (Istio CRD) from the point of view of the reports service in Cluster 2, would set the locality &lt;code>us-west&lt;/code> pointing to the local Kubernetes FQDN and locality &lt;code>us-east&lt;/code> pointing to the &lt;code>istio-ingressgateway&lt;/code> (load balancer) for Cluster 3.
The payments &lt;code>ServiceEntry&lt;/code> from the point of view of the orders service in Cluster 1, will set the locality &lt;code>us-west&lt;/code> pointing to Cluster 2 &lt;code>istio-ingressgateway&lt;/code> and locality &lt;code>us-east&lt;/code> pointing to the &lt;code>istio-ingressgateway&lt;/code> for Cluster 3.&lt;/p>
&lt;p>But wait, there&amp;rsquo;s even more complexity: What if the payment services want to move traffic to the &lt;code>us-east&lt;/code> region for a planned maintenance in &lt;code>us-west&lt;/code>? This would require the payments service to change the Istio configuration in all of their clients&amp;rsquo; clusters. This would be nearly impossible to do without automation.&lt;/p>
&lt;h2 id="admiral-to-the-rescue-admiral-is-that-automation">Admiral to the Rescue: Admiral is that Automation&lt;/h2>
&lt;p>&lt;em>Admiral is a controller of Istio control planes.&lt;/em>&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:69.43866943866944%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2020/multi-cluster-mesh-automation/Istio_mesh_example_with_admiral.svg" title="Cross cluster workload communication with Istio and Admiral">
&lt;img class="element-to-stretch" src="/v1.5/blog/2020/multi-cluster-mesh-automation/Istio_mesh_example_with_admiral.svg" alt="Example of calling a workload in Istio multicluster with Admiral" />
&lt;/a>
&lt;/div>
&lt;figcaption>Cross cluster workload communication with Istio and Admiral&lt;/figcaption>
&lt;/figure>
&lt;p>Admiral provides automatic configuration for an Istio mesh spanning multiple clusters to work as a single mesh based on a unique service identifier that associates workloads running on multiple clusters to a service. It also provides automatic provisioning and syncing of Istio configuration across clusters. This removes the burden on developers and mesh operators, which helps scale beyond a few clusters.&lt;/p>
&lt;h2 id="admiral-crds">Admiral CRDs&lt;/h2>
&lt;h3 id="global-traffic-routing">Global Traffic Routing&lt;/h3>
&lt;p>With Admirals global traffic policy CRD, the payments service can update regional traffic weights and Admiral updates the Istio configuration in all clusters that consume the payments service.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: admiral.io/v1alpha1
kind: GlobalTrafficPolicy
metadata:
name: payments-gtp
spec:
selector:
identity: payments
policy:
- dns: default.payments.global
lbType: 1
target:
- region: us-west-2/*
weight: 10
- region: us-east-2/*
weight: 90
&lt;/code>&lt;/pre>
&lt;p>In the example above, 90% of the payments service traffic is routed to the &lt;code>us-east&lt;/code> region. This Global Traffic Configuration is automatically converted into Istio configuration and contextually mapped into Kubernetes clusters to enable multi-cluster global routing for the payments service for its clients within the Mesh.&lt;/p>
&lt;p>This Global Traffic Routing feature relies on Istio&amp;rsquo;s locality load-balancing per service available in Istio 1.5 or later.&lt;/p>
&lt;h3 id="dependency">Dependency&lt;/h3>
&lt;p>The Admiral &lt;code>Dependency&lt;/code> CRD allows us to specify a service&amp;rsquo;s dependencies based on a service identifier. This optimizes the delivery of Admiral generated configuration only to the required clusters where the dependent clients of a service are running (instead of writing it to all clusters). Admiral also configures and/or updates the Sidecar Istio CRD in the client&amp;rsquo;s workload namespace to limit the Istio configuration to only its dependencies. We use service-to-service authorization information recorded elsewhere to generate this &lt;code>dependency&lt;/code> records for Admiral to use.&lt;/p>
&lt;p>An example &lt;code>dependency&lt;/code> for the &lt;code>orders&lt;/code> service:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: admiral.io/v1alpha1
kind: Dependency
metadata:
name: dependency
namespace: admiral
spec:
source: orders
identityLabel: identity
destinations:
- payments
&lt;/code>&lt;/pre>
&lt;p>&lt;code>Dependency&lt;/code> is optional and a missing dependency for a service will result in an Istio configuration for that service pushed to all clusters.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>Admiral provides a new Global Traffic Routing and unique service naming functionality to address some challenges posed by the Istio model described in &lt;a href="/v1.5/docs/setup/install/multicluster/gateways/#deploy-the-istio-control-plane-in-each-cluster">multi-cluster deployment with replicated control planes&lt;/a>. It removes the need for manual configuration synchronization between clusters and generates contextual configuration for each cluster. This makes it possible to operate a Service Mesh composed of many Kubernetes clusters.&lt;/p>
&lt;p>We think Istio/Service Mesh community would benefit from this approach, so we &lt;a href="https://github.com/istio-ecosystem/admiral">open sourced Admiral&lt;/a> and would love your feedback and support!&lt;/p></description><pubDate>Sun, 05 Jan 2020 00:00:00 +0000</pubDate><link>/v1.5/blog/2020/multi-cluster-mesh-automation/</link><author>Anil Attuluri (Intuit), Jason Webb (Intuit)</author><guid isPermaLink="true">/v1.5/blog/2020/multi-cluster-mesh-automation/</guid><category>traffic-management</category><category>automation</category><category>configuration</category><category>multicluster</category><category>multi-mesh</category><category>gateway</category><category>federated</category><category>globalidentifer</category></item><item><title>Secure Webhook Management</title><description>&lt;p>Istio has two webhooks: Galley and the sidecar injector.
Galley validates Kubernetes resources and the sidecar injector injects sidecar
containers into Istio.&lt;/p>
&lt;p>By default, Galley and the sidecar injector manage their own webhook configurations.
This can pose a security risk if they are compromised, for example, through buffer overflow attacks.
Configuring a webhook is a highly privileged operation as a webhook may monitor and mutate all
Kubernetes resources.&lt;/p>
&lt;p>In the following example, the attacker compromises
Galley and modifies the webhook configuration of Galley to eavesdrop on all Kubernetes secrets
(the &lt;code>clientConfig&lt;/code> is modified by the attacker to direct the &lt;code>secrets&lt;/code> resources to
a service owned by the attacker).&lt;/p>
&lt;figure style="width:70%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:44.37367303609342%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/webhook/example_attack.png" title="An example attack">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/webhook/example_attack.png" alt="An example attack" />
&lt;/a>
&lt;/div>
&lt;figcaption>An example attack&lt;/figcaption>
&lt;/figure>
&lt;p>To protect against this kind of attack, Istio 1.4 introduces a new feature to securely manage
webhooks using &lt;code>istioctl&lt;/code>:&lt;/p>
&lt;ol>
&lt;li>&lt;p>&lt;code>istioctl&lt;/code>, instead of Galley and the sidecar injector, manage the webhook configurations.
Galley and the sidecar injector are de-privileged so even if they are compromised, they
will not be able to alter the webhook configurations.&lt;/p>&lt;/li>
&lt;li>&lt;p>Before configuring a webhook, &lt;code>istioctl&lt;/code> will verify the webhook server is up
and that the certificate chain used by the webhook server is valid. This reduces the errors
that can occur before a server is ready or if a server has invalid certificates.&lt;/p>&lt;/li>
&lt;/ol>
&lt;p>To try this new feature, refer to the &lt;a href="https://archive.istio.io/1.4/docs/tasks/security/webhook">Istio webhook management task&lt;/a>.&lt;/p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/webhook/</link><author>Lei Tang (Google)</author><guid isPermaLink="true">/v1.5/blog/2019/webhook/</guid><category>security</category><category>kubernetes</category><category>webhook</category></item><item><title>Introducing the Istio v1beta1 Authorization Policy</title><description>
&lt;p>Istio 1.4 introduces the
&lt;a href="/v1.5/docs/reference/config/security/authorization-policy/">&lt;code>v1beta1&lt;/code> authorization policy&lt;/a>,
which is a major update to the previous &lt;code>v1alpha1&lt;/code> role-based access control
(RBAC) policy. The new policy provides these improvements:&lt;/p>
&lt;ul>
&lt;li>Aligns with Istio configuration model.&lt;/li>
&lt;li>Improves the user experience by simplifying the API.&lt;/li>
&lt;li>Supports more use cases (e.g. Ingress/Egress gateway support) without
added complexity.&lt;/li>
&lt;/ul>
&lt;p>The &lt;code>v1beta1&lt;/code> policy is not backward compatible and requires a one time
conversion. A tool is provided to automate this process. The previous
configuration resources &lt;code>ClusterRbacConfig&lt;/code>, &lt;code>ServiceRole&lt;/code>, and
&lt;code>ServiceRoleBinding&lt;/code> will not be supported from Istio 1.6 onwards.&lt;/p>
&lt;p>This post describes the new &lt;code>v1beta1&lt;/code> authorization policy model, its
design goals and the migration from &lt;code>v1alpha1&lt;/code> RBAC policies. See the
&lt;a href="/v1.5/docs/concepts/security/#authorization">authorization concept page&lt;/a>
for a detailed in-depth explanation of the &lt;code>v1beta1&lt;/code> authorization policy.&lt;/p>
&lt;p>We welcome your feedback about the &lt;code>v1beta1&lt;/code> authorization policy at
&lt;a href="https://discuss.istio.io/c/security">discuss.istio.io&lt;/a>.&lt;/p>
&lt;h2 id="background">Background&lt;/h2>
&lt;p>To date, Istio provided RBAC policies to enforce access control on
&lt;span class="term" data-title="Service" data-body="&amp;lt;p&amp;gt;A delineated group of related behaviors within a &amp;lt;a href=&amp;#34;/docs/reference/glossary/#service-mesh&amp;#34;&amp;gt;service mesh&amp;lt;/a&amp;gt;. Services are identified using a
&amp;lt;a href=&amp;#34;/docs/reference/glossary/#service-name&amp;#34;&amp;gt;service name&amp;lt;/a&amp;gt;,
and Istio policies such as load balancing and routing are applied using these names.
A service is typically materialized by one or more &amp;lt;a href=&amp;#34;/docs/reference/glossary/#service-endpoint&amp;#34;&amp;gt;service endpoints&amp;lt;/a&amp;gt;, and may consist of multiple
&amp;lt;a href=&amp;#34;/docs/reference/glossary/#service-version&amp;#34;&amp;gt;service versions&amp;lt;/a&amp;gt;.&amp;lt;/p&amp;gt;
">services&lt;/span> using three configuration
resources: &lt;code>ClusterRbacConfig&lt;/code>, &lt;code>ServiceRole&lt;/code> and &lt;code>ServiceRoleBinding&lt;/code>.
With this API, users have been able to enforce control access at mesh-level,
namespace-level and service-level. Like other RBAC policies, Istio RBAC uses
the same concept of role and binding for granting permissions to identities.&lt;/p>
&lt;p>Although Istio RBAC has been working reliably, we&amp;rsquo;ve found that many
improvements were possible.&lt;/p>
&lt;p>For example, users have mistakenly assumed that access control enforcement
happens at service-level because &lt;code>ServiceRole&lt;/code> uses service to specify where
to apply the policy, however, the policy is actually applied on
&lt;span class="term" data-title="Workload" data-body="&amp;lt;p&amp;gt;A binary deployed by &amp;lt;a href=&amp;#34;/docs/reference/glossary/#operator&amp;#34;&amp;gt;operators&amp;lt;/a&amp;gt; to deliver some function of a service mesh application.
Workloads have names, namespaces, and unique ids. These properties are available in policy and telemetry configuration
using the following &amp;lt;a href=&amp;#34;/docs/reference/glossary/#attribute&amp;#34;&amp;gt;attributes&amp;lt;/a&amp;gt;:&amp;lt;/p&amp;gt;
&amp;lt;ul&amp;gt;
&amp;lt;li&amp;gt;&amp;lt;code&amp;gt;source.workload.name&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;source.workload.namespace&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;source.workload.uid&amp;lt;/code&amp;gt;&amp;lt;/li&amp;gt;
&amp;lt;li&amp;gt;&amp;lt;code&amp;gt;destination.workload.name&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;destination.workload.namespace&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;destination.workload.uid&amp;lt;/code&amp;gt;&amp;lt;/li&amp;gt;
&amp;lt;/ul&amp;gt;
&amp;lt;p&amp;gt;In Kubernetes, a workload typically corresponds to a Kubernetes deployment,
while a &amp;lt;a href=&amp;#34;/docs/reference/glossary/#workload-instance&amp;#34;&amp;gt;workload instance&amp;lt;/a&amp;gt; corresponds to an individual &amp;lt;a href=&amp;#34;/docs/reference/glossary/#pod&amp;#34;&amp;gt;pod&amp;lt;/a&amp;gt; managed
by the deployment.&amp;lt;/p&amp;gt;
">workloads&lt;/span>, the service is only used to
find the corresponding workload. This nuance is significant when multiple
services are referring to the same workload. A &lt;code>ServiceRole&lt;/code> for service A
will also affect service B if the two services are referring to the same
workload, which can cause confusion and incorrect configuration.&lt;/p>
&lt;p>An other example is that it&amp;rsquo;s proven difficult for users to maintain and
manage the Istio RBAC configurations because of the need to deeply understand
three related resources.&lt;/p>
&lt;h2 id="design-goals">Design goals&lt;/h2>
&lt;p>The new &lt;code>v1beta1&lt;/code> authorization policy had several design goals:&lt;/p>
&lt;ul>
&lt;li>&lt;p>Align with &lt;a href="https://goo.gl/x3STjD">Istio Configuration Model&lt;/a> for better
clarity on the policy target. The configuration model provides a unified
configuration hierarchy, resolution and target selection.&lt;/p>&lt;/li>
&lt;li>&lt;p>Improve the user experience by simplifying the API. It&amp;rsquo;s easier to manage
one custom resource definition (CRD) that includes all access control
specifications, instead of multiple CRDs.&lt;/p>&lt;/li>
&lt;li>&lt;p>Support more use cases without added complexity. For example, allow the
policy to be applied on Ingress/Egress gateway to enforce access control
for traffic entering/exiting the mesh.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="authorizationpolicy">&lt;code>AuthorizationPolicy&lt;/code>&lt;/h2>
&lt;p>An &lt;a href="/v1.5/docs/reference/config/security/authorization-policy/">&lt;code>AuthorizationPolicy&lt;/code> custom resource&lt;/a>
enables access control on workloads. This section gives an overview of the
changes in the &lt;code>v1beta1&lt;/code> authorization policy.&lt;/p>
&lt;p>An &lt;code>AuthorizationPolicy&lt;/code> includes a &lt;code>selector&lt;/code> and a list of &lt;code>rule&lt;/code>.
The &lt;code>selector&lt;/code> specifies on which workload to apply the policy and the
list of &lt;code>rule&lt;/code> specifies the detailed access control rule for the workload.&lt;/p>
&lt;p>The &lt;code>rule&lt;/code> is additive, which means a request is allowed if any &lt;code>rule&lt;/code>
allows the request. Each &lt;code>rule&lt;/code> includes a list of &lt;code>from&lt;/code>, &lt;code>to&lt;/code> and
&lt;code>when&lt;/code>, which specifies &lt;strong>who&lt;/strong> is allowed to do &lt;strong>what&lt;/strong> under which
&lt;strong>conditions&lt;/strong>.&lt;/p>
&lt;p>The &lt;code>selector&lt;/code> replaces the functionality provided by &lt;code>ClusterRbacConfig&lt;/code>
and the &lt;code>services&lt;/code> field in &lt;code>ServiceRole&lt;/code>. The &lt;code>rule&lt;/code> replaces the other
fields in the &lt;code>ServiceRole&lt;/code> and &lt;code>ServiceRoleBinding&lt;/code>.&lt;/p>
&lt;h3 id="example">Example&lt;/h3>
&lt;p>The following authorization policy applies to workloads with &lt;code>app: httpbin&lt;/code>
and &lt;code>version: v1&lt;/code> label in the &lt;code>foo&lt;/code> namespace:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
rules:
- from:
- source:
principals: [&amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;]
to:
- operation:
methods: [&amp;#34;GET&amp;#34;]
when:
- key: request.headers[version]
values: [&amp;#34;v1&amp;#34;, &amp;#34;v2&amp;#34;]
&lt;/code>&lt;/pre>
&lt;p>The policy allows principal &lt;code>cluster.local/ns/default/sa/sleep&lt;/code> to access the
workload using the &lt;code>GET&lt;/code> method when the request includes a &lt;code>version&lt;/code> header
of value &lt;code>v1&lt;/code> or &lt;code>v2&lt;/code>. Any requests not matched with the policy will be denied
by default.&lt;/p>
&lt;p>Assuming the &lt;code>httpbin&lt;/code> service is defined as:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
kind: Service
metadata:
name: httpbin
namespace: foo
spec:
selector:
app: httpbin
version: v1
ports:
# omitted
&lt;/code>&lt;/pre>
&lt;p>You would need to configure three resources to achieve the same result in
&lt;code>v1alpha1&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ClusterRbacConfig
metadata:
name: default
spec:
mode: &amp;#39;ON_WITH_INCLUSION&amp;#39;
inclusion:
services: [&amp;#34;httpbin.foo.svc.cluster.local&amp;#34;]
---
apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ServiceRole
metadata:
name: httpbin
namespace: foo
spec:
rules:
- services: [&amp;#34;httpbin.foo.svc.cluster.local&amp;#34;]
methods: [&amp;#34;GET&amp;#34;]
constraints:
- key: request.headers[version]
values: [&amp;#34;v1&amp;#34;, &amp;#34;v2&amp;#34;]
---
apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ServiceRoleBinding
metadata:
name: httpbin
namespace: foo
spec:
subjects:
- user: &amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;
roleRef:
kind: ServiceRole
name: &amp;#34;httpbin&amp;#34;
&lt;/code>&lt;/pre>
&lt;h3 id="workload-selector">Workload selector&lt;/h3>
&lt;p>A major change in the &lt;code>v1beta1&lt;/code> authorization policy is that it now uses
workload selector to specify where to apply the policy. This is the same
workload selector used in the &lt;code>Gateway&lt;/code>, &lt;code>Sidecar&lt;/code> and &lt;code>EnvoyFilter&lt;/code>
configurations.&lt;/p>
&lt;p>The workload selector makes it clear that the policy is applied and enforced
on workloads instead of services. If a policy applies to a workload that is
used by multiple different services, the same policy will affect the traffic
to all the different services.&lt;/p>
&lt;p>You can simply leave the &lt;code>selector&lt;/code> empty to apply the policy to all
workloads in a namespace. The following policy applies to all workloads in
the namespace &lt;code>bar&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: policy
namespace: bar
spec:
rules:
# omitted
&lt;/code>&lt;/pre>
&lt;h3 id="root-namespace">Root namespace&lt;/h3>
&lt;p>A policy in the root namespace applies to all workloads in the mesh in every
namespaces. The root namespace is configurable in the
&lt;a href="/v1.5/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig">&lt;code>MeshConfig&lt;/code>&lt;/a>
and has the default value of &lt;code>istio-system&lt;/code>.&lt;/p>
&lt;p>For example, you installed Istio in &lt;code>istio-system&lt;/code> namespace and deployed
workloads in &lt;code>default&lt;/code> and &lt;code>bookinfo&lt;/code> namespace. The root namespace is
changed to &lt;code>istio-config&lt;/code> from the default value. The following policy will
apply to workloads in every namespace including &lt;code>default&lt;/code>, &lt;code>bookinfo&lt;/code> and
the &lt;code>istio-system&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: policy
namespace: istio-config
spec:
rules:
# omitted
&lt;/code>&lt;/pre>
&lt;h3 id="ingress-egress-gateway-support">Ingress/Egress Gateway support&lt;/h3>
&lt;p>The &lt;code>v1beta1&lt;/code> authorization policy can also be applied on ingress/egress
gateway to enforce access control on traffic entering/leaving the mesh,
you only need to change the &lt;code>selector&lt;/code> to make select the ingress/egress
workload.&lt;/p>
&lt;p>The following policy applies to workloads with the
&lt;code>app: istio-ingressgateway&lt;/code> label:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: ingress
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
rules:
# omitted
&lt;/code>&lt;/pre>
&lt;p>Remember the authorization policy only applies to workloads in the same
namespace as the policy, unless the policy is applied in the root namespace:&lt;/p>
&lt;ul>
&lt;li>&lt;p>If you don&amp;rsquo;t change the default root namespace value (i.e. &lt;code>istio-system&lt;/code>),
the above policy will apply to workloads with the &lt;code>app: istio-ingressgateway&lt;/code>
label in &lt;strong>every&lt;/strong> namespace.&lt;/p>&lt;/li>
&lt;li>&lt;p>If you have changed the root namespace to a different value, the above
policy will only apply to workloads with the &lt;code>app: istio-ingressgateway&lt;/code>
label &lt;strong>only&lt;/strong> in the &lt;code>istio-system&lt;/code> namespace.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="comparison">Comparison&lt;/h3>
&lt;p>The following table highlights the key differences between the old &lt;code>v1alpha1&lt;/code>
RBAC policies and the new &lt;code>v1beta1&lt;/code> authorization policy.&lt;/p>
&lt;h4 id="feature">Feature&lt;/h4>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Feature&lt;/th>
&lt;th>&lt;code>v1alpha1&lt;/code> RBAC policy&lt;/th>
&lt;th>&lt;code>v1beta1&lt;/code> Authorization Policy&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>API stability&lt;/td>
&lt;td>&lt;code>alpha&lt;/code>: &lt;strong>No&lt;/strong> backward compatible&lt;/td>
&lt;td>&lt;code>beta&lt;/code>: backward compatible &lt;strong>guaranteed&lt;/strong>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Number of CRDs&lt;/td>
&lt;td>Three: &lt;code>ClusterRbacConfig&lt;/code>, &lt;code>ServiceRole&lt;/code> and &lt;code>ServiceRoleBinding&lt;/code>&lt;/td>
&lt;td>Only One: &lt;code>AuthorizationPolicy&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Policy target&lt;/td>
&lt;td>&lt;strong>service&lt;/strong>&lt;/td>
&lt;td>&lt;strong>workload&lt;/strong>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Deny-by-default behavior&lt;/td>
&lt;td>Enabled &lt;strong>explicitly&lt;/strong> by configuring &lt;code>ClusterRbacConfig&lt;/code>&lt;/td>
&lt;td>Enabled &lt;strong>implicitly&lt;/strong> with &lt;code>AuthorizationPolicy&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Ingress/Egress gateway support&lt;/td>
&lt;td>Not supported&lt;/td>
&lt;td>Supported&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>The &lt;code>&amp;quot;*&amp;quot;&lt;/code> value in policy&lt;/td>
&lt;td>Match all contents (empty and non-empty)&lt;/td>
&lt;td>Match non-empty contents only&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>The following tables show the relationship between the &lt;code>v1alpha1&lt;/code> and &lt;code>v1beta1&lt;/code> API.&lt;/p>
&lt;h4 id="clusterrbacconfig">&lt;code>ClusterRbacConfig&lt;/code>&lt;/h4>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>&lt;code>ClusterRbacConfig.Mode&lt;/code>&lt;/th>
&lt;th>&lt;code>AuthorizationPolicy&lt;/code>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>OFF&lt;/code>&lt;/td>
&lt;td>No policy applied&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ON&lt;/code>&lt;/td>
&lt;td>A deny-all policy applied in root namespace&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ON_WITH_INCLUSION&lt;/code>&lt;/td>
&lt;td>policies should be applied to namespaces or workloads included by &lt;code>ClusterRbacConfig&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>ON_WITH_EXCLUSION&lt;/code>&lt;/td>
&lt;td>policies should be applied to namespaces or workloads excluded by &lt;code>ClusterRbacConfig&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h4 id="servicerole">&lt;code>ServiceRole&lt;/code>&lt;/h4>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>&lt;code>ServiceRole&lt;/code>&lt;/th>
&lt;th>&lt;code>AuthorizationPolicy&lt;/code>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>services&lt;/code>&lt;/td>
&lt;td>&lt;code>selector&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>paths&lt;/code>&lt;/td>
&lt;td>&lt;code>paths&lt;/code> in &lt;code>to&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>methods&lt;/code>&lt;/td>
&lt;td>&lt;code>methods&lt;/code> in &lt;code>to&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>destination.ip&lt;/code> in constraint&lt;/td>
&lt;td>Not supported&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>destination.port&lt;/code> in constraint&lt;/td>
&lt;td>&lt;code>ports&lt;/code> in &lt;code>to&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>destination.labels&lt;/code> in constraint&lt;/td>
&lt;td>&lt;code>selector&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>destination.namespace&lt;/code> in constraint&lt;/td>
&lt;td>Replaced by the namespace of the policy, i.e. the &lt;code>namespace&lt;/code> in metadata&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>destination.user&lt;/code> in constraint&lt;/td>
&lt;td>Not supported&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>experimental.envoy.filters&lt;/code> in constraint&lt;/td>
&lt;td>&lt;code>experimental.envoy.filters&lt;/code> in &lt;code>when&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>request.headers&lt;/code> in constraint&lt;/td>
&lt;td>&lt;code>request.headers&lt;/code> in &lt;code>when&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h4 id="servicerolebinding">&lt;code>ServiceRoleBinding&lt;/code>&lt;/h4>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>&lt;code>ServiceRoleBinding&lt;/code>&lt;/th>
&lt;th>&lt;code>AuthorizationPolicy&lt;/code>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;code>user&lt;/code>&lt;/td>
&lt;td>&lt;code>principals&lt;/code> in &lt;code>from&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>group&lt;/code>&lt;/td>
&lt;td>&lt;code>request.auth.claims[group]&lt;/code> in &lt;code>when&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>source.ip&lt;/code> in property&lt;/td>
&lt;td>&lt;code>ipBlocks&lt;/code> in &lt;code>from&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>source.namespace&lt;/code> in property&lt;/td>
&lt;td>&lt;code>namespaces&lt;/code> in &lt;code>from&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>source.principal&lt;/code> in property&lt;/td>
&lt;td>&lt;code>principals&lt;/code> in &lt;code>from&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>request.headers&lt;/code> in property&lt;/td>
&lt;td>&lt;code>request.headers&lt;/code> in &lt;code>when&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>request.auth.principal&lt;/code> in property&lt;/td>
&lt;td>&lt;code>requestPrincipals&lt;/code> in &lt;code>from&lt;/code> or &lt;code>request.auth.principal&lt;/code> in &lt;code>when&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>request.auth.audiences&lt;/code> in property&lt;/td>
&lt;td>&lt;code>request.auth.audiences&lt;/code> in &lt;code>when&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>request.auth.presenter&lt;/code> in property&lt;/td>
&lt;td>&lt;code>request.auth.presenter&lt;/code> in &lt;code>when&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;code>request.auth.claims&lt;/code> in property&lt;/td>
&lt;td>&lt;code>request.auth.claims&lt;/code> in &lt;code>when&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Beyond all the differences, the &lt;code>v1beta1&lt;/code> policy is enforced by the same
engine in Envoy and supports the same authenticated identity (mutual TLS or
JWT), condition and other primitives (e.g. IP, port and etc.) as the
&lt;code>v1alpha1&lt;/code> policy.&lt;/p>
&lt;h2 id="future-of-the-v1alpha1-policy">Future of the &lt;code>v1alpha1&lt;/code> policy&lt;/h2>
&lt;p>The &lt;code>v1alpha1&lt;/code> RBAC policy (&lt;code>ClusterRbacConfig&lt;/code>, &lt;code>ServiceRole&lt;/code>, and
&lt;code>ServiceRoleBinding&lt;/code>) is deprecated by the &lt;code>v1beta1&lt;/code> authorization policy.&lt;/p>
&lt;p>Istio 1.4 continues to support the &lt;code>v1alpha1&lt;/code> RBAC policy to give you
enough time to move away from the alpha policies.&lt;/p>
&lt;h2 id="migration-from-the-v1alpha1-policy">Migration from the &lt;code>v1alpha1&lt;/code> policy&lt;/h2>
&lt;p>Istio only supports one of the two versions for a given workload:&lt;/p>
&lt;ul>
&lt;li>If there is only &lt;code>v1beta1&lt;/code> policy for a workload, the &lt;code>v1beta1&lt;/code> policy
will be used.&lt;/li>
&lt;li>If there is only &lt;code>v1alpha1&lt;/code> policy for a workload, the &lt;code>v1alpha1&lt;/code> policy
will be used.&lt;/li>
&lt;li>If there are both &lt;code>v1beta1&lt;/code> and &lt;code>v1alpha1&lt;/code> policies for a workload,
only the &lt;code>v1beta1&lt;/code> policy will be used and the the &lt;code>v1alpha1&lt;/code> policy
will be ignored.&lt;/li>
&lt;/ul>
&lt;h3 id="general-guideline">General Guideline&lt;/h3>
&lt;div>
&lt;aside class="callout warning">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-warning"/>&lt;/svg>
&lt;/div>
&lt;div class="content">When migrating to use &lt;code>v1beta1&lt;/code> policy for a given workload, make sure the
new &lt;code>v1beta1&lt;/code> policy covers all the existing &lt;code>v1alpha1&lt;/code> policies applied
for the workload, because the &lt;code>v1alpha1&lt;/code> policies applied for the workload
will be ignored after you applied the &lt;code>v1beta1&lt;/code> policies.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>The typical flow of migrating to &lt;code>v1beta1&lt;/code> policy is to start by checking the
&lt;code>ClusterRbacConfig&lt;/code> to decide which namespace or service is enabled with RBAC.&lt;/p>
&lt;p>For each service enabled with RBAC:&lt;/p>
&lt;ol>
&lt;li>Get the workload selector from the service definition.&lt;/li>
&lt;li>Create a &lt;code>v1beta1&lt;/code> policy with the workload selector.&lt;/li>
&lt;li>Update the &lt;code>v1beta1&lt;/code> policy for each &lt;code>ServiceRole&lt;/code> and &lt;code>ServiceRoleBinding&lt;/code>
applied to the service.&lt;/li>
&lt;li>Apply the &lt;code>v1beta1&lt;/code> policy and monitor the traffic to make sure the
policy is working as expected.&lt;/li>
&lt;li>Repeat the process for the next service enabled with RBAC.&lt;/li>
&lt;/ol>
&lt;p>For each namespace enabled with RBAC:&lt;/p>
&lt;ol>
&lt;li>Apply a &lt;code>v1beta1&lt;/code> policy that denies all traffic to the given namespace.&lt;/li>
&lt;/ol>
&lt;h3 id="migration-example">Migration Example&lt;/h3>
&lt;p>Assume you have the following &lt;code>v1alpha1&lt;/code> policies for the &lt;code>httpbin&lt;/code> service
in the &lt;code>foo&lt;/code> namespace:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ClusterRbacConfig
metadata:
name: default
spec:
mode: &amp;#39;ON_WITH_INCLUSION&amp;#39;
inclusion:
namespaces: [&amp;#34;foo&amp;#34;]
---
apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ServiceRole
metadata:
name: httpbin
namespace: foo
spec:
rules:
- services: [&amp;#34;httpbin.foo.svc.cluster.local&amp;#34;]
methods: [&amp;#34;GET&amp;#34;]
---
apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ServiceRoleBinding
metadata:
name: httpbin
namespace: foo
spec:
subjects:
- user: &amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;
roleRef:
kind: ServiceRole
name: &amp;#34;httpbin&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>Migrate the above policies to &lt;code>v1beta1&lt;/code> in the following ways:&lt;/p>
&lt;ol>
&lt;li>&lt;p>Assume the &lt;code>httpbin&lt;/code> service has the following workload selector:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >selector:
app: httpbin
version: v1
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create a &lt;code>v1beta1&lt;/code> policy with the workload selector:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Update the &lt;code>v1beta1&lt;/code> policy with each &lt;code>ServiceRole&lt;/code> and &lt;code>ServiceRoleBinding&lt;/code>
applied to the service:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
rules:
- from:
- source:
principals: [&amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;]
to:
- operation:
methods: [&amp;#34;GET&amp;#34;]
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Apply the &lt;code>v1beta1&lt;/code> policy and monitor the traffic to make sure it works
as expected.&lt;/p>&lt;/li>
&lt;li>&lt;p>Apply the following &lt;code>v1beta1&lt;/code> policy that denies all traffic to the
&lt;code>foo&lt;/code> namespace because the &lt;code>foo&lt;/code> namespace is enabled with RBAC:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: foo
spec:
{}
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;p>Make sure the &lt;code>v1beta1&lt;/code> policy is working as expected and then you can delete
the &lt;code>v1alpha1&lt;/code> policies from the cluster.&lt;/p>
&lt;h3 id="automation-of-the-migration">Automation of the Migration&lt;/h3>
&lt;p>To help ease the migration, the &lt;code>istioctl experimental authz convert&lt;/code>
command is provided to automatically convert the &lt;code>v1alpha1&lt;/code> policies to
the &lt;code>v1beta1&lt;/code> policy.&lt;/p>
&lt;p>You can evaluate the command but it is experimental in Istio 1.4 and doesn&amp;rsquo;t
support the full &lt;code>v1alpha1&lt;/code> semantics as of the date of this blog post.&lt;/p>
&lt;p>The command to support the full &lt;code>v1alpha1&lt;/code> semantics is expected in a patch
release following Istio 1.4.&lt;/p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/v1beta1-authorization-policy/</link><author>Yangmin Zhu (Google)</author><guid isPermaLink="true">/v1.5/blog/2019/v1beta1-authorization-policy/</guid><category>security</category><category>RBAC</category><category>access control</category><category>authorization</category></item><item><title>Introducing the Istio Operator</title><description>
&lt;p>Kubernetes &lt;a href="https://kubernetes.io/docs/concepts/extend-kubernetes/operator/">operators&lt;/a> provide
a pattern for encoding human operational knowledge in software and are a popular way to simplify
the administration of software infrastructure components. Istio is a natural candidate for an automated
operator as it is challenging to administer.&lt;/p>
&lt;p>Up until now, &lt;a href="https://github.com/helm/helm">Helm&lt;/a> has been the primary tool to install and upgrade Istio.
Istio 1.4 introduces a new method of &lt;a href="/v1.5/docs/setup/install/istioctl/">installation using istioctl&lt;/a>.
This new installation method builds on the strengths of Helm with the addition of the
following:&lt;/p>
&lt;ul>
&lt;li>Users only need to install one tool: &lt;code>istioctl&lt;/code>&lt;/li>
&lt;li>All API fields are validated&lt;/li>
&lt;li>Small customizations not in the API don&amp;rsquo;t require chart or API changes&lt;/li>
&lt;li>Version specific upgrade hooks can be easily and robustly implemented&lt;/li>
&lt;/ul>
&lt;p>The &lt;a href="/v1.5/docs/setup/install/helm/">Helm installation&lt;/a> method is in the process of deprecation. Upgrading from Istio
1.4 with a version not initially installed with Helm will also be replaced by a new
&lt;a href="/v1.5/docs/setup/upgrade/istioctl-upgrade/">istioctl upgrade feature&lt;/a>.&lt;/p>
&lt;p>The new &lt;code>istioctl&lt;/code> installation commands use a
&lt;a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/">custom resource&lt;/a>
to configure the installation. The custom resource is part of a new Istio operator
implementation intended to simplify the common administrative tasks of installation, upgrade,
and complex configuration changes for Istio. Validation and checking for installation and upgrade
is tightly integrated with the tools to prevent common errors and simplify troubleshooting.&lt;/p>
&lt;h2 id="the-operator-api">The Operator API&lt;/h2>
&lt;p>Every operator implementation requires a
&lt;a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions">custom resource definition (CRD)&lt;/a>
to define its custom resource, that is, its API. Istio&amp;rsquo;s operator API is defined by the
&lt;a href="https://archive.istio.io/v1.4/docs/reference/config/istio.operator.v1alpha12.pb/">&lt;code>IstioControlPlane&lt;/code> CRD&lt;/a>,
which is generated from an
&lt;a href="https://github.com/istio/operator/blob/release-1.4/pkg/apis/istio/v1alpha2/istiocontrolplane_types.proto">&lt;code>IstioControlPlane&lt;/code> proto&lt;/a>.
The API supports all of Istio&amp;rsquo;s current &lt;a href="/v1.5/docs/setup/additional-setup/config-profiles/">configuration profiles&lt;/a>
using a single field to select the profile. For example, the following &lt;code>IstioControlPlane&lt;/code> resource
configures Istio using the &lt;code>demo&lt;/code> profile:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
namespace: istio-operator
name: example-istiocontrolplane
spec:
profile: demo
&lt;/code>&lt;/pre>
&lt;p>You can then customize the configuration with additional settings. For example, to disable telemetry:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
metadata:
namespace: istio-operator
name: example-istiocontrolplane
spec:
profile: demo
telemetry:
enabled: false
&lt;/code>&lt;/pre>
&lt;h2 id="installing-with-hahahugoshortcode-s4-hbhb">Installing with istioctl&lt;/h2>
&lt;p>The recommended way to use the Istio operator API is through a new set of &lt;code>istioctl&lt;/code> commands.
For example, to install Istio into a cluster:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl manifest apply -f &amp;lt;your-istiocontrolplane-customresource&amp;gt;
&lt;/code>&lt;/pre>
&lt;p>Make changes to the installation configuration by editing the configuration file and executing
&lt;code>istioctl manifest apply&lt;/code> again.&lt;/p>
&lt;p>To upgrade to a new version of Istio:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x upgrade -f &amp;lt;your-istiocontrolplane-config-changes&amp;gt;
&lt;/code>&lt;/pre>
&lt;p>In addition to specifying the complete configuration in an &lt;code>IstioControlPlane&lt;/code> resource,
the &lt;code>istioctl&lt;/code> commands can also be passed individual settings using a &lt;code>--set&lt;/code> flag:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl manifest apply --set telemetry.enabled=false
&lt;/code>&lt;/pre>
&lt;p>There are also a number of other &lt;code>istioctl&lt;/code> commands that, for example, help you list, display,
and compare configuration profiles and manifests.&lt;/p>
&lt;p>Refer to the Istio &lt;a href="/v1.5/docs/setup/install/istioctl">install instructions&lt;/a> for more details.&lt;/p>
&lt;h2 id="istio-controller-alpha">Istio Controller (alpha)&lt;/h2>
&lt;p>Operator implementations use a Kubernetes controller to continuously monitor their custom resource
and apply the corresponding configuration changes. The Istio controller monitors an &lt;code>IstioControlPlane&lt;/code>
resource and reacts to changes by updating the Istio installation configuration in the corresponding cluster.&lt;/p>
&lt;p>In the 1.4 release, the Istio controller is in the alpha phase of development and not fully
integrated with &lt;code>istioctl&lt;/code>. It is, however,
&lt;a href="/v1.5/docs/setup/install/standalone-operator/">available for experimentation&lt;/a> using &lt;code>kubectl&lt;/code> commands.
For example, to install the controller and a default version of Istio into your cluster,
run the following command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f https://&amp;lt;repo URL&amp;gt;/operator.yaml
$ kubectl apply -f https://&amp;lt;repo URL&amp;gt;/default-cr.yaml
&lt;/code>&lt;/pre>
&lt;p>You can then make changes to the Istio installation configuration:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl edit istiocontrolplane example-istiocontrolplane -n istio-system
&lt;/code>&lt;/pre>
&lt;p>As soon as the resource is updated, the controller will detect the changes and respond by updating
the Istio installation correspondingly.&lt;/p>
&lt;p>Both the operator controller and &lt;code>istioctl&lt;/code> commands share the same implementation. The significant
difference is the execution context. In the &lt;code>istioctl&lt;/code> case, the operation runs in the admin users
command execution and security context. In the controller case, a pod in the cluster runs the code
in its security context. In both cases, configuration is validated against a schema and the same correctness
checks are performed.&lt;/p>
&lt;h2 id="migration-from-helm">Migration from Helm&lt;/h2>
&lt;p>To help ease the transition from previous configurations using Helm,
&lt;code>istioctl&lt;/code> and the controller support pass-through access for the full Helm installation API.&lt;/p>
&lt;p>You can pass Helm configuration options using &lt;code>istioctl --set&lt;/code> by prepending the string &lt;code>values.&lt;/code> to the option name.
For example, instead of this Helm command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm template ... --set global.mtls.enabled=true
&lt;/code>&lt;/pre>
&lt;p>You can use this &lt;code>istioctl&lt;/code> command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl manifest generate ... --set values.global.mtls.enabled=true
&lt;/code>&lt;/pre>
&lt;p>You can also set Helm configuration values in an &lt;code>IstioControlPlane&lt;/code> custom resource.
See &lt;a href="/v1.5/docs/setup/install/istioctl/#customize-istio-settings-using-the-helm-api">Customize Istio settings using Helm&lt;/a>
for details.&lt;/p>
&lt;p>Another feature to help with the transition from Helm is the alpha
&lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-manifest-migrate">istioctl manifest migrate&lt;/a> command.
This command can be used to automatically convert a Helm &lt;code>values.yaml&lt;/code> file to a corresponding
&lt;code>IstioControlPlane&lt;/code> configuration.&lt;/p>
&lt;h2 id="implementation">Implementation&lt;/h2>
&lt;p>Several frameworks have been created to help implement operators by generating stubs for some or all of
the components. The Istio operator was created with the help of a combination of
&lt;a href="https://github.com/kubernetes-sigs/kubebuilder">kubebuilder&lt;/a> and
&lt;a href="https://github.com/operator-framework">operator framework&lt;/a>. Istio&amp;rsquo;s installation now uses a proto to
describe the API such that runtime validation can be executed against a schema.&lt;/p>
&lt;p>More information about the implementation can be found in the README and ARCHITECTURE documents
in the &lt;a href="https://github.com/istio/operator">Istio operator repository&lt;/a>.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>Starting in Istio 1.4, Helm installation is being replaced by new &lt;code>istioctl&lt;/code> commands using
a new operator custom resource definition, &lt;code>IstioControlPlane&lt;/code>, for the configuration API.
An alpha controller is also available for early experimentation with the operator.&lt;/p>
&lt;p>The new &lt;code>istioctl&lt;/code> commands and operator controller both validate configuration schemas and perform a range of
checks for installation change or upgrade. These checks are tightly integrated with the tools to prevent
common errors and simplify troubleshooting.&lt;/p>
&lt;p>The Istio maintainers expect that this new approach will improve the user experience during Istio
installation and upgrade, better stabilize the installation API, and help users better manage and
monitor their Istio installations.&lt;/p>
&lt;p>We welcome your feedback about the new installation approach at &lt;a href="https://discuss.istio.io/">discuss.istio.io&lt;/a>.&lt;/p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/introducing-istio-operator/</link><author>Martin Ostrowski (Google), Frank Budinsky (IBM)</author><guid isPermaLink="true">/v1.5/blog/2019/introducing-istio-operator/</guid><category>install</category><category>configuration</category><category>istioctl</category><category>operator</category></item><item><title>Introducing istioctl analyze</title><description>
&lt;p>Istio 1.4 introduces an experimental new tool to help you analyze and debug your clusters running Istio.&lt;/p>
&lt;p>&lt;a href="/v1.5/docs/reference/commands/istioctl/#istioctl-experimental-analyze">&lt;code>istioctl analyze&lt;/code>&lt;/a> is a diagnostic tool that detects potential issues with your
Istio configuration, as well as gives general insights to improve your configuration.
It can run against a live cluster or a set of local configuration files.
It can also run against a combination of the two, allowing you to catch problems before you
apply changes to a cluster.&lt;/p>
&lt;p>To get started with it in just minutes, head over to the &lt;a href="/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/">documentation&lt;/a>.&lt;/p>
&lt;h2 id="designed-to-be-approachable-for-novice-users">Designed to be approachable for novice users&lt;/h2>
&lt;p>One of the key design goals that we followed for this feature is to make it extremely approachable.
This is achieved by making the command useful without having to pass any required complex parameters.&lt;/p>
&lt;p>In practice, here are some of the scenarios that it goes after:&lt;/p>
&lt;ul>
&lt;li>&lt;em>&amp;ldquo;There is some problem with my cluster, but I have no idea where to start&amp;rdquo;&lt;/em>&lt;/li>
&lt;li>&lt;em>&amp;ldquo;Things are generally working, but I&amp;rsquo;m wondering if there is anything I could improve&amp;rdquo;&lt;/em>&lt;/li>
&lt;/ul>
&lt;p>In that sense, it is very different from some of the more advanced diagnostic tools, which go
after scenarios along the lines of (taking &lt;code>istioctl proxy-config&lt;/code> as an example):&lt;/p>
&lt;ul>
&lt;li>&lt;em>&amp;ldquo;Show me the Envoy configuration for this specific pod so I can see if anything looks wrong&amp;rdquo;&lt;/em>&lt;/li>
&lt;/ul>
&lt;p>This can be very useful for advanced debugging, but it requires a lot of expertize before you
can figure out that you need to run this specific command, and which pod to run it on.&lt;/p>
&lt;p>So really, the one-line pitch for &lt;code>analyze&lt;/code> is: just run it! It&amp;rsquo;s completely safe, it takes no thinking,
it might help you, and at worst, you&amp;rsquo;ll have wasted a minute!&lt;/p>
&lt;h2 id="improving-this-tool-over-time">Improving this tool over time&lt;/h2>
&lt;p>In Istio 1.4, &lt;code>analyze&lt;/code> comes with a nice set of analyzers that can detect a number of common issues.
But this is just the beginning, and we are planning to keep growing and fine tuning the analyzers with
each release.&lt;/p>
&lt;p>In fact, we would welcome suggestions from Istio users. Specifically, if you encounter a situation
where you think an issue could be detected via configuration analysis, but is not currently flagged
by &lt;code>analyze&lt;/code>, please do let us know. The best way to do this is to &lt;a href="https://github.com/istio/istio/issues">open an issue on GitHub&lt;/a>.&lt;/p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/introducing-istioctl-analyze/</link><author>David Ebbo (Google)</author><guid isPermaLink="true">/v1.5/blog/2019/introducing-istioctl-analyze/</guid><category>debugging</category><category>istioctl</category><category>configuration</category></item><item><title>DNS Certificate Management</title><description>&lt;p>By default, Citadel manages the DNS certificates of the Istio control plane.
Citadel is a large component that maintains its own private signing key, and acts as a Certificate Authority (CA).&lt;/p>
&lt;p>New in Istio 1.4, we introduce a feature to securely provision and manage DNS certificates
signed by the Kubernetes CA, which has the following advantages.&lt;/p>
&lt;ul>
&lt;li>&lt;p>Lighter weight DNS certificate management with no dependency on Citadel.&lt;/p>&lt;/li>
&lt;li>&lt;p>Unlike Citadel, this feature doesn&amp;rsquo;t maintain a private signing key, which enhances security.&lt;/p>&lt;/li>
&lt;li>&lt;p>Simplified root certificate distribution to TLS clients.
Clients no longer need to wait for Citadel to generate and distribute its CA certificate.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>The following diagram shows the architecture of provisioning and managing DNS certificates in Istio.
Chiron is the component provisioning and managing DNS certificates in Istio.&lt;/p>
&lt;figure style="width:50%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:82.13367609254499%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/dns-cert/architecture.png" title="The architecture of provisioning and managing DNS certificates in Istio">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/dns-cert/architecture.png" alt="The architecture of provisioning and managing DNS certificates in Istio" />
&lt;/a>
&lt;/div>
&lt;figcaption>The architecture of provisioning and managing DNS certificates in Istio&lt;/figcaption>
&lt;/figure>
&lt;p>To try this new feature, refer to the &lt;a href="/v1.5/docs/tasks/security/dns-cert">DNS certificate management task&lt;/a>.&lt;/p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/dns-cert/</link><author>Lei Tang (Google)</author><guid isPermaLink="true">/v1.5/blog/2019/dns-cert/</guid><category>security</category><category>kubernetes</category><category>certificates</category><category>DNS</category></item><item><title>Announcing Istio client-go</title><description>
&lt;p>We are pleased to announce the initial release of the Istio
&lt;a href="https://github.com/istio/client-go">client go&lt;/a> repository which enables developers
to gain programmatic access to Istio APIs in a Kubernetes environment. The
generated Kubernetes informers and client set in this repository makes it easy
for developers to create controllers and perform Create, Read, Update and Delete
(CRUD) operations for all Istio Custom Resource Definitions (CRDs).&lt;/p>
&lt;p>This was a highly requested functionality by many Istio users, as is evident
from the feature requests on the clients generated by &lt;a href="https://github.com/aspenmesh/istio-client-go">Aspen Mesh&lt;/a>
and the &lt;a href="https://github.com/knative/pkg">Knative project&lt;/a>.
If you&amp;rsquo;re currently using one of the above mentioned clients, you can easily
switch to using &lt;a href="https://github.com/istio/client-go">Istio client go&lt;/a> like
this:&lt;/p>
&lt;pre>&lt;code class='language-go' data-expandlinks='true' data-repo='istio' >import (
...
- versionedclient &amp;#34;github.com/aspenmesh/istio-client-go/pkg/client/clientset/versioned&amp;#34;
+ versionedclient &amp;#34;istio.io/client-go/pkg/clientset/versioned&amp;#34;
)
&lt;/code>&lt;/pre>
&lt;p>As the generated client sets are functionally equivalent, switching the imported
client libraries should be sufficient in order to consume the newly
generated library.&lt;/p>
&lt;h2 id="how-to-use-client-go">How to use client-go&lt;/h2>
&lt;p>The Istio &lt;a href="https://github.com/istio/client-go">client go&lt;/a> repository follows the
same branching strategy as the &lt;a href="https://github.com/istio/api">Istio API&lt;/a>
repository, as the client repository depends on the API definitions. If you want
to use a stable client set, you can use the release branches or tagged versions
in the &lt;a href="https://github.com/istio/client-go">client go&lt;/a> repository.
Using the client set is very similar to using the &lt;a href="https://github.com/kubernetes/client-go">Kubernetes client
go&lt;/a>, here&amp;rsquo;s a quick example of using
the client to list all &lt;a href="/v1.5/docs/reference/config/networking/virtual-service">Istio
virtual services&lt;/a>
in the passed namespace:&lt;/p>
&lt;pre>&lt;code class='language-go' data-expandlinks='true' data-repo='istio' >package main
import (
&amp;#34;log&amp;#34;
&amp;#34;os&amp;#34;
metav1 &amp;#34;k8s.io/apimachinery/pkg/apis/meta/v1&amp;#34;
&amp;#34;k8s.io/client-go/tools/clientcmd&amp;#34;
versionedclient &amp;#34;istio.io/client-go/pkg/clientset/versioned&amp;#34;
)
func main() {
kubeconfig := os.Getenv(&amp;#34;KUBECONFIG&amp;#34;)
namespace := os.Getenv(&amp;#34;NAMESPACE&amp;#34;)
if len(kubeconfig) == 0 || len(namespace) == 0 {
log.Fatalf(&amp;#34;Environment variables KUBECONFIG and NAMESPACE need to be set&amp;#34;)
}
restConfig, err := clientcmd.BuildConfigFromFlags(&amp;#34;&amp;#34;, kubeconfig)
if err != nil {
log.Fatalf(&amp;#34;Failed to create k8s rest client: %s&amp;#34;, err)
}
ic, err := versionedclient.NewForConfig(restConfig)
if err != nil {
log.Fatalf(&amp;#34;Failed to create istio client: %s&amp;#34;, err)
}
// Print all VirtualServices
vsList, err := ic.NetworkingV1alpha3().VirtualServices(namespace).List(metav1.ListOptions{})
if err != nil {
log.Fatalf(&amp;#34;Failed to get VirtualService in %s namespace: %s&amp;#34;, namespace, err)
}
for i := range vsList.Items {
vs := vsList.Items[i]
log.Printf(&amp;#34;Index: %d VirtualService Hosts: %+v\n&amp;#34;, i, vs.Spec.GetHosts())
}
}
&lt;/code>&lt;/pre>
&lt;p>You can find a more in-depth example &lt;a href="https://github.com/istio/client-go/blob/release-1.5/cmd/example/client.go">here&lt;/a>.&lt;/p>
&lt;h2 id="useful-tools-created-for-generating-istio-client-go">Useful tools created for generating Istio client-go&lt;/h2>
&lt;p>If you&amp;rsquo;re wondering why it took so long or why was it difficult to generate
this client set, this section is for you. In Istio, we use
&lt;a href="https://developers.google.com/protocol-buffers">protobuf&lt;/a> specifications to
write APIs which are then converted to Go definitions
using the protobuf tool chain. There are three major challenges which you might
face if you&amp;rsquo;re trying to generate Kubernetes client set from a protobuf-generated API:&lt;/p>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Creating Kubernetes Wrapper Types&lt;/strong> - Kubernetes &lt;a href="https://github.com/kubernetes/code-generator/tree/master/cmd/client-gen">client generation&lt;/a>
library only works for Go objects which follow the Kubernetes object
specification for e.g. &lt;a href="https://github.com/istio/client-go/blob/release-1.5/pkg/apis/authentication/v1alpha1/types.gen.go">Authentication Policy Kubernetes Wrappers&lt;/a>.
This means for every API which needs programmatic access, you need to create
these wrappers. Additionally, there is a fair amount of boilerplate needed for
every &lt;code>CRD&lt;/code> group, version and kind that needs client code generation.
To automate this process, we created a &lt;a href="https://github.com/istio/tools/tree/master/cmd/kubetype-gen">Kubernetes type
generator&lt;/a> tool
which can automatically create the Kubernetes types based on annotations.
The annotations parsed by this tool and the various available options
are explained in the &lt;a href="https://github.com/istio/tools/blob/master/cmd/kubetype-gen/README.md">README&lt;/a>.
Note that if you&amp;rsquo;re using protobuf tools to generate Go types, you would need to
add these annotations as comments in the proto files, so that the comments are
present in the generated Go files which are then used by this tool.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Generating deep copy methods&lt;/strong> - In Kubernetes client machinery, if you want to
mutate any object returned from the client set, you are required to make a copy
of the object to prevent modifying the object in-place in the cache store. The
canonical way to do this is to create a &lt;code>deepcopy&lt;/code> method on all nested types.
We created a tool &lt;a href="https://github.com/istio/tools/tree/master/cmd/protoc-gen-deepcopy">protoc deep copy
generator&lt;/a>
which is a &lt;code>protoc&lt;/code> plugin and can automatically create &lt;code>deepcopy&lt;/code> method
based on annotations using the Proto library utility &lt;a href="https://godoc.org/github.com/golang/protobuf/proto#Clone">Proto
Clone&lt;/a>. Here&amp;rsquo;s an
&lt;a href="https://github.com/istio/api/blob/release-1.5/authentication/v1alpha1/policy_deepcopy.gen.go">example&lt;/a>
of the generated &lt;code>deepcopy&lt;/code> method.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Marshaling and Unmarshaling types to/from JSON&lt;/strong> - For the types generated
from proto definitions, it is often problematic to use the default Go JSON
encoder/decoder as there are various fields like protobuf&amp;rsquo;s &lt;code>oneof&lt;/code> which requires
special handling. Additionally, any Proto fields with underscores in their
name might serialize/deserialize to different field names depending on the
encoder/decoder as the Go struct tag are &lt;a href="https://github.com/istio/istio/issues/17600">generated
differently&lt;/a>.
It is always recommended to use protobuf primitives for
serializing/deserializing to JSON instead of relying on default Go
library. We created a tool &lt;a href="https://github.com/istio/tools/tree/master/cmd/protoc-gen-jsonshim">protoc JSON
shim&lt;/a> which
is a &lt;code>protoc&lt;/code> plugin and can automatically create Marshalers/Unmarshalers for
all Go type generated from Proto definitions. Here&amp;rsquo;s an
&lt;a href="https://github.com/istio/api/blob/release-1.5/authentication/v1alpha1/policy_json.gen.go">example&lt;/a>
of the code generated by this tool.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>I&amp;rsquo;m hoping that the newly released client library enables users to create more
integrations and controllers for the Istio APIs, and the tools mentioned above
can be used by developers to generate Kubernetes client set from Proto APIs.&lt;/p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/announcing-istio-client-go/</link><author>Neeraj Poddar (Aspen Mesh)</author><guid isPermaLink="true">/v1.5/blog/2019/announcing-istio-client-go/</guid><category>client-go</category><category>tools</category><category>crd</category></item><item><title>Istio as a Proxy for External Services</title><description>
&lt;p>The &lt;a href="/v1.5/docs/tasks/traffic-management/ingress/ingress-control/">Control Ingress Traffic&lt;/a> and the
&lt;a href="/v1.5/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/">Ingress Gateway without TLS Termination&lt;/a> tasks describe
how to configure an ingress gateway to expose services inside the mesh to external traffic. The services can be HTTP or
HTTPS. In the case of HTTPS, the gateway passes the traffic through, without terminating TLS.&lt;/p>
&lt;p>This blog post describes how to use the same ingress gateway mechanism of Istio to enable access to external services and
not to applications inside the mesh. This way Istio as a whole can serve just as a proxy server, with the added value of
observability, traffic management and policy enforcement.&lt;/p>
&lt;p>The blog post shows configuring access to an HTTP and an HTTPS external service, namely &lt;code>httpbin.org&lt;/code> and
&lt;code>edition.cnn.com&lt;/code>.&lt;/p>
&lt;h2 id="configure-an-ingress-gateway">Configure an ingress gateway&lt;/h2>
&lt;ol>
&lt;li>&lt;p>Define an ingress gateway with a &lt;code>servers:&lt;/code> section configuring the &lt;code>80&lt;/code> and &lt;code>443&lt;/code> ports.
Ensure &lt;code>mode:&lt;/code> is set to &lt;code>PASSTHROUGH&lt;/code> for &lt;code>tls:&lt;/code> in the port &lt;code>443&lt;/code>, which instructs the gateway to pass the
ingress traffic AS IS, without terminating TLS.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: proxy
spec:
selector:
istio: ingressgateway # use istio default ingress gateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- httpbin.org
- port:
number: 443
name: tls
protocol: TLS
tls:
mode: PASSTHROUGH
hosts:
- edition.cnn.com
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create service entries for the &lt;code>httpbin.org&lt;/code> and &lt;code>edition.cnn.com&lt;/code> services to make them accessible from the ingress
gateway:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: httpbin-ext
spec:
hosts:
- httpbin.org
ports:
- number: 80
name: http
protocol: HTTP
resolution: DNS
location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: cnn
spec:
hosts:
- edition.cnn.com
ports:
- number: 443
name: tls
protocol: TLS
resolution: DNS
location: MESH_EXTERNAL
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create a service entry and configure a destination rule for the &lt;code>localhost&lt;/code> service.
You need this service entry in the next step as a destination for traffic to the external services from
applications inside the mesh to block traffic from inside the mesh. In this example you use Istio as a proxy between
external applications and external services.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: localhost
spec:
hosts:
- localhost.local
location: MESH_EXTERNAL
ports:
- number: 80
name: http
protocol: HTTP
- number: 443
name: tls
protocol: TLS
resolution: STATIC
endpoints:
- address: 127.0.0.1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: localhost
spec:
host: localhost.local
trafficPolicy:
tls:
mode: DISABLE
sni: localhost.local
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create a virtual service for each external service to configure routing to it. Both virtual services include the
&lt;code>proxy&lt;/code> gateway in the &lt;code>gateways:&lt;/code> section and in the &lt;code>match:&lt;/code> section for HTTP and HTTPS traffic accordingly.&lt;/p>
&lt;p>Notice the &lt;code>route:&lt;/code> section for the &lt;code>mesh&lt;/code> gateway, the gateway that represents the applications inside
the mesh. The &lt;code>route:&lt;/code> for the &lt;code>mesh&lt;/code> gateway shows how the traffic is directed to the &lt;code>localhost.local&lt;/code> service,
effectively blocking the traffic.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
spec:
hosts:
- httpbin.org
gateways:
- proxy
- mesh
http:
- match:
- gateways:
- proxy
port: 80
uri:
prefix: /status
route:
- destination:
host: httpbin.org
port:
number: 80
- match:
- gateways:
- mesh
port: 80
route:
- destination:
host: localhost.local
port:
number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: cnn
spec:
hosts:
- edition.cnn.com
gateways:
- proxy
- mesh
tls:
- match:
- gateways:
- proxy
port: 443
sni_hosts:
- edition.cnn.com
route:
- destination:
host: edition.cnn.com
port:
number: 443
- match:
- gateways:
- mesh
port: 443
sni_hosts:
- edition.cnn.com
route:
- destination:
host: localhost.local
port:
number: 443
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>&lt;a href="/v1.5/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging">Enable Envoy&amp;rsquo;s access logging&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Follow the instructions in
&lt;a href="/v1.5/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports">Determining the ingress IP and ports&lt;/a>
to define the &lt;code>SECURE_INGRESS_PORT&lt;/code> and &lt;code>INGRESS_HOST&lt;/code> environment variables.&lt;/p>&lt;/li>
&lt;li>&lt;p>Access the &lt;code>httbin.org&lt;/code> service through your ingress IP and port which you stored in the
&lt;code>$INGRESS_HOST&lt;/code> and &lt;code>$INGRESS_PORT&lt;/code> environment variables, respectively, during the previous step.
Access the &lt;code>/status/418&lt;/code> path of the &lt;code>httpbin.org&lt;/code> service that returns the HTTP status
&lt;a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/418">418 I&amp;rsquo;m a teapot&lt;/a>.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl $INGRESS_HOST:$INGRESS_PORT/status/418 -Hhost:httpbin.org
-=[ teapot ]=-
_...._
.&amp;#39; _ _ `.
| .&amp;#34;` ^ `&amp;#34;. _,
\_;`&amp;#34;---&amp;#34;`|//
| ;/
\_ _/
`&amp;#34;&amp;#34;&amp;#34;`
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>If the Istio ingress gateway is deployed in the &lt;code>istio-system&lt;/code> namespace, print the gateway&amp;rsquo;s log with the following command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs -l istio=ingressgateway -c istio-proxy -n istio-system | grep &amp;#39;httpbin.org&amp;#39;
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Search the log for an entry similar to:&lt;/p>
&lt;pre>&lt;code class='language-plain' data-expandlinks='true' data-repo='istio' >[2019-01-31T14:40:18.645Z] &amp;#34;GET /status/418 HTTP/1.1&amp;#34; 418 - 0 135 187 186 &amp;#34;10.127.220.75&amp;#34; &amp;#34;curl/7.54.0&amp;#34; &amp;#34;28255618-6ca5-9d91-9634-c562694a3625&amp;#34; &amp;#34;httpbin.org&amp;#34; &amp;#34;34.232.181.106:80&amp;#34; outbound|80||httpbin.org - 172.30.230.33:80 10.127.220.75:52077 -
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Access the &lt;code>edition.cnn.com&lt;/code> service through your ingress gateway:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl -s --resolve edition.cnn.com:$SECURE_INGRESS_PORT:$INGRESS_HOST https://edition.cnn.com:$SECURE_INGRESS_PORT | grep -o &amp;#34;&amp;lt;title&amp;gt;.*&amp;lt;/title&amp;gt;&amp;#34;
&amp;lt;title&amp;gt;CNN International - Breaking News, US News, World News and Video&amp;lt;/title&amp;gt;
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>If the Istio ingress gateway is deployed in the &lt;code>istio-system&lt;/code> namespace, print the gateway&amp;rsquo;s log with the following command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs -l istio=ingressgateway -c istio-proxy -n istio-system | grep &amp;#39;edition.cnn.com&amp;#39;
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Search the log for an entry similar to:&lt;/p>
&lt;pre>&lt;code class='language-plain' data-expandlinks='true' data-repo='istio' >[2019-01-31T13:40:11.076Z] &amp;#34;- - -&amp;#34; 0 - 589 17798 1644 - &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;172.217.31.132:443&amp;#34; outbound|443||edition.cnn.com 172.30.230.33:54508 172.30.230.33:443 10.127.220.75:49467 edition.cnn.com
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;h2 id="cleanup">Cleanup&lt;/h2>
&lt;p>Remove the gateway, the virtual services and the service entries:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete gateway proxy
$ kubectl delete virtualservice cnn httpbin
$ kubectl delete serviceentry cnn httpbin-ext localhost
$ kubectl delete destinationrule localhost
&lt;/code>&lt;/pre></description><pubDate>Tue, 15 Oct 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/proxy/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.5/blog/2019/proxy/</guid><category>traffic-management</category><category>ingress</category><category>https</category><category>http</category></item><item><title>Multi-Mesh Deployments for Isolation and Boundary Protection</title><description>
&lt;p>Various compliance standards require protection of sensitive data environments. Some of the important standards and the
types of sensitive data they protect appear in the following table:&lt;/p>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Standard&lt;/th>
&lt;th>Sensitive data&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;a href="https://www.pcisecuritystandards.org/pci_security">PCI DSS&lt;/a>&lt;/td>
&lt;td>payment card data&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;a href="https://www.fedramp.gov">FedRAMP&lt;/a>&lt;/td>
&lt;td>federal information, data and metadata&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;a href="http://www.gpo.gov/fdsys/search/pagedetails.action?granuleId=CRPT-104hrpt736&amp;amp;packageId=CRPT-104hrpt736">HIPAA&lt;/a>&lt;/td>
&lt;td>personal health data&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;a href="https://gdpr-info.eu">GDPR&lt;/a>&lt;/td>
&lt;td>personal data&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>&lt;a href="https://www.pcisecuritystandards.org/pci_security">PCI DSS&lt;/a>, for example, recommends putting cardholder data
environment on a network, separate from the rest of the system. It also requires using a &lt;a href="https://en.wikipedia.org/wiki/DMZ_(computing)">DMZ&lt;/a>,
and setting firewalls between the public Internet and the DMZ, and between the DMZ and the internal network.&lt;/p>
&lt;p>Isolation of sensitive data environments from other information systems can reduce the scope of the compliance checks
and improve the security of the sensitive data. Reducing the scope reduces the risks of failing a compliance check and
reduces the costs of compliance since there are less components to check and secure, according to compliance
requirements.&lt;/p>
&lt;p>You can achieve isolation of sensitive data by separating the parts of the application that process that data
into a separate service mesh, preferably on a separate network, and then connect the meshes with different
compliance requirements together in a &lt;span class="term" data-title="Multi-Mesh" data-body="&amp;lt;p&amp;gt;Multi-mesh is a deployment model that consists of two or more &amp;lt;a href=&amp;#34;/docs/reference/glossary/#service-mesh&amp;#34;&amp;gt;service meshes&amp;lt;/a&amp;gt;.
Each mesh has independent administration for naming and identities but you can
expose services between meshes through &amp;lt;a href=&amp;#34;/docs/reference/glossary/#mesh-federation&amp;#34;&amp;gt;mesh federation&amp;lt;/a&amp;gt;.
The resulting deployment is a multi-mesh deployment.&amp;lt;/p&amp;gt;
">multi-mesh&lt;/span> deployment.
The process of connecting inter-mesh
applications is called &lt;span class="term" data-title="Mesh Federation" data-body="&amp;lt;p&amp;gt;Mesh federation is the act of exposing services between meshes and enabling
communication across mesh boundaries. Each mesh may expose a subset of its
services to enable one or more other meshes to consume the exposed services. You
can use mesh federation to enable communication between meshes in a
&amp;lt;a href=&amp;#34;/docs/ops/deployment/deployment-models/#multiple-meshes&amp;#34;&amp;gt;multi-mesh deployment&amp;lt;/a&amp;gt;.&amp;lt;/p&amp;gt;
">mesh federation&lt;/span>.&lt;/p>
&lt;p>Note that using mesh federation to create a multi-mesh deployment is very different than creating a
&lt;span class="term" data-title="Multicluster" data-body="&amp;lt;p&amp;gt;Multicluster is a deployment model that consists of a
&amp;lt;a href=&amp;#34;/docs/reference/glossary/#service-mesh&amp;#34;&amp;gt;mesh&amp;lt;/a&amp;gt; with multiple
&amp;lt;a href=&amp;#34;/docs/reference/glossary/#cluster&amp;#34;&amp;gt;clusters&amp;lt;/a&amp;gt;.&amp;lt;/p&amp;gt;
">multicluster&lt;/span> deployment, which defines a single service mesh composed from services spanning more than one cluster. Unlike multi-mesh, a multicluster deployment is not suitable for
applications that require isolation and boundary protection.&lt;/p>
&lt;p>In this blog post I describe the requirements for isolation and boundary protection, and outline the principles of
multi-mesh deployments. Finally, I touch on the current state of mesh-federation support and automation work under way for
Istio.&lt;/p>
&lt;h2 id="isolation-and-boundary-protection">Isolation and boundary protection&lt;/h2>
&lt;p>Isolation and boundary protection mechanisms are explained in the
&lt;a href="http://dx.doi.org/10.6028/NIST.SP.800-53r4">NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations&lt;/a>,
&lt;em>Appendix F, Security Control Catalog, SC-7 Boundary Protection&lt;/em>.&lt;/p>
&lt;p>In particular, the &lt;em>Boundary protection, isolation of information system components&lt;/em> control enhancement:&lt;/p>
&lt;div>
&lt;aside class="callout quote">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-quote"/>&lt;/svg>
&lt;/div>
&lt;div class="content">Organizations can isolate information system components performing different missions and/or business functions.
Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy
greater levels of protection for selected components. Separating system components with boundary protection mechanisms
provides the capability for increased protection of individual components and to more effectively control information
flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and
errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms
include, for example, routers, gateways, and firewalls separating system components into physically separate networks or
subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows
among system components using distinct encryption keys.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>Various compliance standards recommend isolating environments that process sensitive data from the rest of the
organization.
The &lt;a href="https://www.pcisecuritystandards.org/pci_security/">Payment Card Industry (PCI) Data Security Standard&lt;/a>
recommends implementing network isolation for &lt;em>cardholder data&lt;/em> environment and requires isolating this environment from
the &lt;a href="https://en.wikipedia.org/wiki/DMZ_(computing)">DMZ&lt;/a>.
&lt;a href="https://www.fedramp.gov/assets/resources/documents/CSP_A_FedRAMP_Authorization_Boundary_Guidance.pdf">FedRAMP Authorization Boundary Guidance&lt;/a>
describes &lt;em>authorization boundary&lt;/em> for federal information and data, while
&lt;a href="https://doi.org/10.6028/NIST.SP.800-37r2">NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy&lt;/a>
recommends protecting of such a boundary in &lt;em>Appendix G, Authorization Boundary Considerations&lt;/em>:&lt;/p>
&lt;div>
&lt;aside class="callout quote">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-quote"/>&lt;/svg>
&lt;/div>
&lt;div class="content">Dividing a system into subsystems (i.e., divide and conquer) facilitates a targeted application of controls to achieve
adequate security, protection of individual privacy, and a cost-effective risk management process. Dividing complex
systems into subsystems also supports the important security concepts of domain separation and network segmentation,
which can be significant when dealing with high value assets. When systems are divided into subsystems, organizations
may choose to develop individual subsystem security and privacy plans or address the system and subsystems in the same
security and privacy plans.
Information security and privacy architectures play a key part in the process of dividing complex systems into
subsystems. This includes monitoring and controlling communications at internal boundaries among subsystems and
selecting, allocating, and implementing controls that meet or exceed the security and privacy requirements of the
constituent subsystems.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>Boundary protection, in particular, means:&lt;/p>
&lt;ul>
&lt;li>put an access control mechanism at the boundary (firewall, gateway, etc.)&lt;/li>
&lt;li>monitor the incoming/outgoing traffic at the boundary&lt;/li>
&lt;li>all the access control mechanisms must be &lt;em>deny-all&lt;/em> by default&lt;/li>
&lt;li>do not expose private IP addresses from the boundary&lt;/li>
&lt;li>do not let components from outside the boundary to impact security inside the boundary&lt;/li>
&lt;/ul>
&lt;p>Multi-mesh deployments facilitate division of a system into subsystems with different
security and compliance requirements, and facilitate the boundary protection.
You put each subsystem into a separate service mesh, preferably on a separate network.
You connect the Istio meshes using gateways. The gateways monitor and control cross-mesh traffic at the boundary of
each mesh.&lt;/p>
&lt;h2 id="features-of-multi-mesh-deployments">Features of multi-mesh deployments&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>non-uniform naming&lt;/strong>. The &lt;code>withdraw&lt;/code> service in the &lt;code>accounts&lt;/code> namespace in one mesh might have
different functionality and API than the &lt;code>withdraw&lt;/code> services in the &lt;code>accounts&lt;/code> namespace in other meshes.
Such situation could happen in an organization where there is no uniform policy on naming of namespaces and services, or
when the meshes belong to different organizations.&lt;/li>
&lt;li>&lt;strong>expose-nothing by default&lt;/strong>. None of the services in a mesh are exposed by default, the mesh owners must
explicitly specify which services are exposed.&lt;/li>
&lt;li>&lt;strong>boundary protection&lt;/strong>. The access control of the traffic must be enforced at the ingress gateway, which stops
forbidden traffic from entering the mesh. This requirement implements
&lt;a href="https://en.wikipedia.org/wiki/Defense_in_depth_(computing)">Defense-in-depth principle&lt;/a> and is part of some compliance
standards, such as the
&lt;a href="https://www.pcisecuritystandards.org/pci_security/">Payment Card Industry (PCI) Data Security Standard&lt;/a>.&lt;/li>
&lt;li>&lt;strong>common trust may not exist&lt;/strong>. The Istio sidecars in one mesh may not trust the Citadel certificates in other
meshes, due to some security requirement or due to the fact that the mesh owners did not initially plan to federate
the meshes.&lt;/li>
&lt;/ul>
&lt;p>While &lt;strong>expose-nothing by default&lt;/strong> and &lt;strong>boundary protection&lt;/strong> are required to facilitate compliance and improve
security, &lt;strong>non-uniform naming&lt;/strong> and &lt;strong>common trust may not exist&lt;/strong> are required when connecting
meshes of different organizations, or of an organization that cannot enforce uniform naming or cannot or may not
establish common trust between the meshes.&lt;/p>
&lt;p>An optional feature that you may want to use is &lt;strong>service location transparency&lt;/strong>: consuming services send requests
to the exposed services in remote meshes using local service names. The consuming services are oblivious to the fact
that some of the destinations are in remote meshes and some are local services. The access is uniform, using the local
service names, for example, in Kubernetes, &lt;code>reviews.default.svc.cluster.local&lt;/code>.
&lt;strong>Service location transparency&lt;/strong> is useful in the cases when you want to be able to change the location of the
consumed services, for example when some service is migrated from private cloud to public cloud, without changing the
code of your applications.&lt;/p>
&lt;h2 id="the-current-mesh-federation-work">The current mesh-federation work&lt;/h2>
&lt;p>While you can perform mesh federation using standard Istio configurations already today,
it requires writing a lot of boilerplate YAML files and is error-prone. There is an effort under way to automate
the mesh federation process. In the meantime, you can look at these
&lt;a href="https://github.com/istio-ecosystem/multi-mesh-examples">multi-mesh deployment examples&lt;/a>
to get an idea of what a generated federation might include.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>In this blog post I described the requirements for isolation and boundary protection of sensitive data environments by
using Istio multi-mesh deployments. I outlined the principles of Istio
multi-mesh deployments and reported the current work on
mesh federation in Istio.&lt;/p>
&lt;p>I will be happy to hear your opinion about &lt;span class="term" data-title="Multi-Mesh" data-body="&amp;lt;p&amp;gt;Multi-mesh is a deployment model that consists of two or more &amp;lt;a href=&amp;#34;/docs/reference/glossary/#service-mesh&amp;#34;&amp;gt;service meshes&amp;lt;/a&amp;gt;.
Each mesh has independent administration for naming and identities but you can
expose services between meshes through &amp;lt;a href=&amp;#34;/docs/reference/glossary/#mesh-federation&amp;#34;&amp;gt;mesh federation&amp;lt;/a&amp;gt;.
The resulting deployment is a multi-mesh deployment.&amp;lt;/p&amp;gt;
">multi-mesh&lt;/span> and
&lt;span class="term" data-title="Multicluster" data-body="&amp;lt;p&amp;gt;Multicluster is a deployment model that consists of a
&amp;lt;a href=&amp;#34;/docs/reference/glossary/#service-mesh&amp;#34;&amp;gt;mesh&amp;lt;/a&amp;gt; with multiple
&amp;lt;a href=&amp;#34;/docs/reference/glossary/#cluster&amp;#34;&amp;gt;clusters&amp;lt;/a&amp;gt;.&amp;lt;/p&amp;gt;
">multicluster&lt;/span> at &lt;a href="https://discuss.istio.io">discuss.istio.io&lt;/a>.&lt;/p></description><pubDate>Wed, 02 Oct 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/isolated-clusters/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.5/blog/2019/isolated-clusters/</guid><category>traffic-management</category><category>multicluster</category><category>security</category><category>gateway</category><category>tls</category></item><item><title>Monitoring Blocked and Passthrough External Service Traffic</title><description>
&lt;p>Understanding, controlling and securing your external service access is one
of the key benefits that you get from a service mesh like Istio. From a security
and operations point of view, it is critical to monitor what external service traffic
is getting blocked as they might surface possible misconfigurations or a
security vulnerability if an application is attempting to communicate with a
service that it should not be allowed to. Similarly, if you currently have a
policy of allowing any external service access, it is beneficial to monitor
the traffic so you can incrementally add explicit Istio configuration to allow
access and better secure your cluster. In either case, having visibility into this
traffic via telemetry is quite helpful as it enables you to create alerts and
dashboards, and better reason about your security posture. This was a highly
requested feature by production users of Istio and we are excited that the
support for this was added in release 1.3.&lt;/p>
&lt;p>To implement this, the Istio &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/metrics">default
metrics&lt;/a> are augmented with
explicit labels to capture blocked and passthrough external service traffic.
This blog will cover how you can use these augmented metrics to monitor all
external service traffic.&lt;/p>
&lt;p>The Istio control plane configures the sidecar proxy with
predefined clusters called BlackHoleCluster and Passthrough which block or
allow all traffic respectively. To understand these clusters, let&amp;rsquo;s start with
what external and internal services mean in the context of Istio service mesh.&lt;/p>
&lt;h2 id="external-and-internal-services">External and internal services&lt;/h2>
&lt;p>Internal services are defined as services which are part of your platform
and are considered to be in the mesh. For internal services, Istio control
plane provides all the required configuration to the sidecars by default.
For example, in Kubernetes clusters, Istio configures the sidecars for all
Kubernetes services to preserve the default Kubernetes behavior of all
services being able to communicate with other.&lt;/p>
&lt;p>External services are services which are not part of your platform i.e. services
which are outside of the mesh. For external services, Istio provides two
options, first to block all external service access (enabled by setting
&lt;code>global.outboundTrafficPolicy.mode&lt;/code> to &lt;code>REGISTRY_ONLY&lt;/code>) and
second to allow all access to external service (enabled by setting
&lt;code>global.outboundTrafficPolicy.mode&lt;/code> to &lt;code>ALLOW_ANY&lt;/code>). The default option for this
setting (as of Istio 1.3) is to allow all external service access. This
option can be configured via &lt;a href="/v1.5/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode">mesh configuration&lt;/a>.&lt;/p>
&lt;p>This is where the BlackHole and Passthrough clusters are used.&lt;/p>
&lt;h2 id="what-are-blackhole-and-passthrough-clusters">What are BlackHole and Passthrough clusters?&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>BlackHoleCluster&lt;/strong> - The BlackHoleCluster is a virtual cluster created
in the Envoy configuration when &lt;code>global.outboundTrafficPolicy.mode&lt;/code> is set to
&lt;code>REGISTRY_ONLY&lt;/code>. In this mode, all traffic to external service is blocked unless
&lt;a href="/v1.5/docs/reference/config/networking/service-entry">service entries&lt;/a>
are explicitly added for each service. To implement this, the default virtual
outbound listener at &lt;code>0.0.0.0:15001&lt;/code> which uses
&lt;a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/service_discovery#original-destination">original destination&lt;/a>
is setup as a TCP Proxy with the BlackHoleCluster as the static cluster.
The configuration for the BlackHoleCluster looks like this:&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;name&amp;#34;: &amp;#34;BlackHoleCluster&amp;#34;,
&amp;#34;type&amp;#34;: &amp;#34;STATIC&amp;#34;,
&amp;#34;connectTimeout&amp;#34;: &amp;#34;10s&amp;#34;
}
&lt;/code>&lt;/pre>
&lt;p>As you can see, this cluster is static with no endpoints so all the traffic
will be dropped. Additionally, Istio creates unique listeners for every
port/protocol combination of platform services which gets hit instead of the
virtual listener if the request is made to an external service on the same port.
In that case, the route configuration of every virtual route in Envoy is augmented to
add the BlackHoleCluster like this:&lt;/p>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;name&amp;#34;: &amp;#34;block_all&amp;#34;,
&amp;#34;domains&amp;#34;: [
&amp;#34;*&amp;#34;
],
&amp;#34;routes&amp;#34;: [
{
&amp;#34;match&amp;#34;: {
&amp;#34;prefix&amp;#34;: &amp;#34;/&amp;#34;
},
&amp;#34;directResponse&amp;#34;: {
&amp;#34;status&amp;#34;: 502
}
}
]
}
&lt;/code>&lt;/pre>
&lt;p>The route is setup as &lt;a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route_components.proto#envoy-api-field-route-route-direct-response">direct response&lt;/a>
with &lt;code>502&lt;/code> response code which means if no other routes match the Envoy proxy
will directly return a &lt;code>502&lt;/code> HTTP status code.&lt;/p>
&lt;ul>
&lt;li>&lt;strong>PassthroughCluster&lt;/strong> - The PassthroughCluster is a virtual cluster created
in the Envoy configuration when &lt;code>global.outboundTrafficPolicy.mode&lt;/code> is set to
&lt;code>ALLOW_ANY&lt;/code>. In this mode, all traffic to any external service external is allowed.
To implement this, the default virtual outbound listener at &lt;code>0.0.0.0:15001&lt;/code>
which uses &lt;code>SO_ORIGINAL_DST&lt;/code>, is setup as a TCP Proxy with the PassthroughCluster
as the static cluster.
The configuration for the PassthroughCluster looks like this:&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;name&amp;#34;: &amp;#34;PassthroughCluster&amp;#34;,
&amp;#34;type&amp;#34;: &amp;#34;ORIGINAL_DST&amp;#34;,
&amp;#34;connectTimeout&amp;#34;: &amp;#34;10s&amp;#34;,
&amp;#34;lbPolicy&amp;#34;: &amp;#34;ORIGINAL_DST_LB&amp;#34;,
&amp;#34;circuitBreakers&amp;#34;: {
&amp;#34;thresholds&amp;#34;: [
{
&amp;#34;maxConnections&amp;#34;: 102400,
&amp;#34;maxRetries&amp;#34;: 1024
}
]
}
}
&lt;/code>&lt;/pre>
&lt;p>This cluster uses the &lt;a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/service_discovery#original-destination">original destination load balancing&lt;/a>
policy which configures Envoy to send the traffic to the
original destination i.e. passthrough.&lt;/p>
&lt;p>Similar to the BlackHoleCluster, for every port/protocol based listener the
virtual route configuration is augmented to add the PassthroughCluster as the
default route:&lt;/p>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;name&amp;#34;: &amp;#34;allow_any&amp;#34;,
&amp;#34;domains&amp;#34;: [
&amp;#34;*&amp;#34;
],
&amp;#34;routes&amp;#34;: [
{
&amp;#34;match&amp;#34;: {
&amp;#34;prefix&amp;#34;: &amp;#34;/&amp;#34;
},
&amp;#34;route&amp;#34;: {
&amp;#34;cluster&amp;#34;: &amp;#34;PassthroughCluster&amp;#34;
}
}
]
}
&lt;/code>&lt;/pre>
&lt;p>Prior to Istio 1.3, there were no metrics reported or if metrics were reported
there were no explicit labels set when traffic hit these clusters, resulting in
lack of visibility in traffic flowing through the mesh.&lt;/p>
&lt;p>The next section covers how to take advantage of this enhancement as the metrics
and labels emitted are conditional on whether the virtual outbound or explicit port/protocol
listener is being hit.&lt;/p>
&lt;h2 id="using-the-augmented-metrics">Using the augmented metrics&lt;/h2>
&lt;p>To capture all external service traffic in either of the cases (BlackHole or
Passthrough), you will need to monitor &lt;code>istio_requests_total&lt;/code> and
&lt;code>istio_tcp_connections_closed_total&lt;/code> metrics. Depending upon the Envoy listener
type i.e. TCP proxy or HTTP proxy that gets invoked, one of these metrics
will be incremented.&lt;/p>
&lt;p>Additionally, in case of a TCP proxy listener in order to see the IP address of
the external service that is blocked or allowed via BlackHole or Passthrough
cluster, you will need to add the &lt;code>destination_ip&lt;/code> label to the
&lt;code>istio_tcp_connections_closed_total&lt;/code> metric. In this scenario, the host name of
the external service is not captured. This label is not added by default and can
be easily added by augmenting the Istio configuration for attribute generation
and Prometheus handler. You should be careful about cardinality explosion in
time series if you have many services with non-stable IP addresses.&lt;/p>
&lt;h3 id="passthroughcluster-metrics">PassthroughCluster metrics&lt;/h3>
&lt;p>This section explains the metrics and the labels emitted based on the listener
type invoked in Envoy.&lt;/p>
&lt;ul>
&lt;li>HTTP proxy listener: This happens when the port of the external service is
same as one of the service ports defined in the cluster. In this scenario,
when the PassthroughCluster is hit, &lt;code>istio_requests_total&lt;/code> will get increased
like this:&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;metric&amp;#34;: {
&amp;#34;__name__&amp;#34;: &amp;#34;istio_requests_total&amp;#34;,
&amp;#34;connection_security_policy&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_app&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_principal&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_service&amp;#34;: &amp;#34;httpbin.org&amp;#34;,
&amp;#34;destination_service_name&amp;#34;: &amp;#34;PassthroughCluster&amp;#34;,
&amp;#34;destination_service_namespace&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_version&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_workload&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_workload_namespace&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;instance&amp;#34;: &amp;#34;100.96.2.183:42422&amp;#34;,
&amp;#34;job&amp;#34;: &amp;#34;istio-mesh&amp;#34;,
&amp;#34;permissive_response_code&amp;#34;: &amp;#34;none&amp;#34;,
&amp;#34;permissive_response_policyid&amp;#34;: &amp;#34;none&amp;#34;,
&amp;#34;reporter&amp;#34;: &amp;#34;source&amp;#34;,
&amp;#34;request_protocol&amp;#34;: &amp;#34;http&amp;#34;,
&amp;#34;response_code&amp;#34;: &amp;#34;200&amp;#34;,
&amp;#34;response_flags&amp;#34;: &amp;#34;-&amp;#34;,
&amp;#34;source_app&amp;#34;: &amp;#34;sleep&amp;#34;,
&amp;#34;source_principal&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;source_version&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;source_workload&amp;#34;: &amp;#34;sleep&amp;#34;,
&amp;#34;source_workload_namespace&amp;#34;: &amp;#34;default&amp;#34;
},
&amp;#34;value&amp;#34;: [
1567033080.282,
&amp;#34;1&amp;#34;
]
}
&lt;/code>&lt;/pre>
&lt;p>Note that the &lt;code>destination_service_name&lt;/code> label is set to PassthroughCluster to
indicate that this cluster was hit and the &lt;code>destination_service&lt;/code> is set to the
host of the external service.&lt;/p>
&lt;ul>
&lt;li>TCP proxy virtual listener - If the external service port doesn&amp;rsquo;t map to any
HTTP based service ports within the cluster, this listener is invoked and
&lt;code>istio_tcp_connections_closed_total&lt;/code> is the metric that will be increased:&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;status&amp;#34;: &amp;#34;success&amp;#34;,
&amp;#34;data&amp;#34;: {
&amp;#34;resultType&amp;#34;: &amp;#34;vector&amp;#34;,
&amp;#34;result&amp;#34;: [
{
&amp;#34;metric&amp;#34;: {
&amp;#34;__name__&amp;#34;: &amp;#34;istio_tcp_connections_closed_total&amp;#34;,
&amp;#34;connection_security_policy&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_app&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_ip&amp;#34;: &amp;#34;52.22.188.80&amp;#34;,
&amp;#34;destination_principal&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_service&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_service_name&amp;#34;: &amp;#34;PassthroughCluster&amp;#34;,
&amp;#34;destination_service_namespace&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_version&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_workload&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_workload_namespace&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;instance&amp;#34;: &amp;#34;100.96.2.183:42422&amp;#34;,
&amp;#34;job&amp;#34;: &amp;#34;istio-mesh&amp;#34;,
&amp;#34;reporter&amp;#34;: &amp;#34;source&amp;#34;,
&amp;#34;response_flags&amp;#34;: &amp;#34;-&amp;#34;,
&amp;#34;source_app&amp;#34;: &amp;#34;sleep&amp;#34;,
&amp;#34;source_principal&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;source_version&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;source_workload&amp;#34;: &amp;#34;sleep&amp;#34;,
&amp;#34;source_workload_namespace&amp;#34;: &amp;#34;default&amp;#34;
},
&amp;#34;value&amp;#34;: [
1567033761.879,
&amp;#34;1&amp;#34;
]
}
]
}
}
&lt;/code>&lt;/pre>
&lt;p>In this case, &lt;code>destination_service_name&lt;/code> is set to PassthroughCluster and
the &lt;code>destination_ip&lt;/code> is set to the IP address of the external service.
The &lt;code>destination_ip&lt;/code> label can be used to do a reverse DNS lookup and
get the host name of the external service. As this cluster is passthrough,
other TCP related metrics like &lt;code>istio_tcp_connections_opened_total&lt;/code>,
&lt;code>istio_tcp_received_bytes_total&lt;/code> and &lt;code>istio_tcp_sent_bytes_total&lt;/code> are also
updated.&lt;/p>
&lt;h3 id="blackholecluster-metrics">BlackHoleCluster metrics&lt;/h3>
&lt;p>Similar to the PassthroughCluster, this section explains the metrics and the
labels emitted based on the listener type invoked in Envoy.&lt;/p>
&lt;ul>
&lt;li>HTTP proxy listener: This happens when the port of the external service is same
as one of the service ports defined in the cluster.
In this scenario, when the BlackHoleCluster is hit,
&lt;code>istio_requests_total&lt;/code> will get increased like this:&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;metric&amp;#34;: {
&amp;#34;__name__&amp;#34;: &amp;#34;istio_requests_total&amp;#34;,
&amp;#34;connection_security_policy&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_app&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_principal&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_service&amp;#34;: &amp;#34;httpbin.org&amp;#34;,
&amp;#34;destination_service_name&amp;#34;: &amp;#34;BlackHoleCluster&amp;#34;,
&amp;#34;destination_service_namespace&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_version&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_workload&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_workload_namespace&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;instance&amp;#34;: &amp;#34;100.96.2.183:42422&amp;#34;,
&amp;#34;job&amp;#34;: &amp;#34;istio-mesh&amp;#34;,
&amp;#34;permissive_response_code&amp;#34;: &amp;#34;none&amp;#34;,
&amp;#34;permissive_response_policyid&amp;#34;: &amp;#34;none&amp;#34;,
&amp;#34;reporter&amp;#34;: &amp;#34;source&amp;#34;,
&amp;#34;request_protocol&amp;#34;: &amp;#34;http&amp;#34;,
&amp;#34;response_code&amp;#34;: &amp;#34;502&amp;#34;,
&amp;#34;response_flags&amp;#34;: &amp;#34;-&amp;#34;,
&amp;#34;source_app&amp;#34;: &amp;#34;sleep&amp;#34;,
&amp;#34;source_principal&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;source_version&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;source_workload&amp;#34;: &amp;#34;sleep&amp;#34;,
&amp;#34;source_workload_namespace&amp;#34;: &amp;#34;default&amp;#34;
},
&amp;#34;value&amp;#34;: [
1567034251.717,
&amp;#34;1&amp;#34;
]
}
&lt;/code>&lt;/pre>
&lt;p>Note the &lt;code>destination_service_name&lt;/code> label is set to BlackHoleCluster and the
&lt;code>destination_service&lt;/code> to the host name of the external service. The response
code should always be &lt;code>502&lt;/code> in this case.&lt;/p>
&lt;ul>
&lt;li>TCP proxy virtual listener - If the external service port doesn&amp;rsquo;t map to any
HTTP based service ports within the cluster, this listener is invoked and
&lt;code>istio_tcp_connections_closed_total&lt;/code> is the metric that will be increased:&lt;/li>
&lt;/ul>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;metric&amp;#34;: {
&amp;#34;__name__&amp;#34;: &amp;#34;istio_tcp_connections_closed_total&amp;#34;,
&amp;#34;connection_security_policy&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_app&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_ip&amp;#34;: &amp;#34;52.22.188.80&amp;#34;,
&amp;#34;destination_principal&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_service&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_service_name&amp;#34;: &amp;#34;BlackHoleCluster&amp;#34;,
&amp;#34;destination_service_namespace&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_version&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_workload&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;destination_workload_namespace&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;instance&amp;#34;: &amp;#34;100.96.2.183:42422&amp;#34;,
&amp;#34;job&amp;#34;: &amp;#34;istio-mesh&amp;#34;,
&amp;#34;reporter&amp;#34;: &amp;#34;source&amp;#34;,
&amp;#34;response_flags&amp;#34;: &amp;#34;-&amp;#34;,
&amp;#34;source_app&amp;#34;: &amp;#34;sleep&amp;#34;,
&amp;#34;source_principal&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;source_version&amp;#34;: &amp;#34;unknown&amp;#34;,
&amp;#34;source_workload&amp;#34;: &amp;#34;sleep&amp;#34;,
&amp;#34;source_workload_namespace&amp;#34;: &amp;#34;default&amp;#34;
},
&amp;#34;value&amp;#34;: [
1567034481.03,
&amp;#34;1&amp;#34;
]
}
&lt;/code>&lt;/pre>
&lt;p>Note the &lt;code>destination_ip&lt;/code> label represents the IP address of the external
service and the &lt;code>destination_service_name&lt;/code> is set to BlackHoleCluster
to indicate that this traffic was blocked by the mesh. Is is interesting to
note that for the BlackHole cluster case, other TCP related metrics like
&lt;code>istio_tcp_connections_opened_total&lt;/code> are not increased as there&amp;rsquo;s no
connection that is ever established.&lt;/p>
&lt;p>Monitoring these metrics can help operators easily understand all the external
services consumed by the applications in their cluster.&lt;/p></description><pubDate>Sat, 28 Sep 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/monitoring-external-service-traffic/</link><author>Neeraj Poddar (Aspen Mesh)</author><guid isPermaLink="true">/v1.5/blog/2019/monitoring-external-service-traffic/</guid><category>monitoring</category><category>blackhole</category><category>passthrough</category></item><item><title>Mixer Adapter for Knative</title><description>
&lt;p>This post demonstrates how you can use &lt;a href="/v1.5/faq/mixer/">Mixer&lt;/a> to push application logic
into Istio. It describes a Mixer adapter which implements the &lt;a href="https://knative.dev/">Knative&lt;/a> scale-from-zero logic
with simple code and similar performance to the original implementation.&lt;/p>
&lt;h2 id="knative-serving">Knative serving&lt;/h2>
&lt;p>&lt;a href="https://knative.dev/docs/serving/">Knative Serving&lt;/a> builds on &lt;a href="https://kubernetes.io/">Kubernetes&lt;/a> to support deploying
and serving of serverless applications. A core capability of serverless platforms is scale-to-zero
functionality which reduces resource usage and cost of inactive workloads.
A new mechanism is required to scale from zero when an idle application receives a new request.&lt;/p>
&lt;p>The following diagram represents the current Knative architecture for scale-from-zero.&lt;/p>
&lt;figure style="width:60%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:76.29350893697084%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/knative-activator-adapter/knative-activator.png" title="Knative scale-from-zero">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/knative-activator-adapter/knative-activator.png" alt="Knative scale-from-zero" />
&lt;/a>
&lt;/div>
&lt;figcaption>Knative scale-from-zero&lt;/figcaption>
&lt;/figure>
&lt;p>The traffic for an idle application is redirected to &lt;strong>Activator&lt;/strong> component by programming Istio with &lt;code>VirtualServices&lt;/code>
and &lt;code>DestinationRules&lt;/code>. When &lt;strong>Activator&lt;/strong> receives a new request, it:&lt;/p>
&lt;ol>
&lt;li>buffers incoming requests&lt;/li>
&lt;li>triggers the &lt;strong>Autoscaler&lt;/strong>&lt;/li>
&lt;li>redirects requests to the application after it has been scaled up, including retries and load-balancing (if needed)&lt;/li>
&lt;/ol>
&lt;p>Once the application is up and running again, Knative restores the routing from &lt;strong>Activator&lt;/strong> to the running application.&lt;/p>
&lt;h2 id="mixer-adapter">Mixer adapter&lt;/h2>
&lt;p>&lt;a href="/v1.5/faq/mixer/">Mixer&lt;/a> provides a rich intermediation layer between the Istio components and infrastructure backends.
It is designed as a stand-alone component, separate from &lt;a href="https://www.envoyproxy.io/">Envoy&lt;/a>, and has a simple extensibility model
to enable Istio to interoperate with a wide breadth of backends. Mixer is inherently easier to extend
than Envoy is.&lt;/p>
&lt;p>Mixer is an attribute processing engine that uses operator-supplied configuration to map request attributes from the Istio proxy into calls
to the infrastructure backends systems via a pluggable set of adapters. Adapters enable &lt;strong>Mixer&lt;/strong> to expose a single consistent API, independent of the
infrastructure backends in use. The exact set of adapters used at runtime is determined through operator configuration and can easily
be extended to target new or custom infrastructure backends.&lt;/p>
&lt;p>In order to achieve Knative scale-from-zero, we use a Mixer &lt;a href="https://github.com/istio/istio/wiki/Mixer-Out-Of-Process-Adapter-Dev-Guide">out-of-process adapter&lt;/a>
to call the Autoscaler. Out-of-process adapters for Mixer allow developers to use any
programming language and to build and maintain your extension as a stand-alone program
without the need to build the Istio proxy.&lt;/p>
&lt;p>The following diagram represents the Knative design using the &lt;strong>Mixer&lt;/strong> adapter.&lt;/p>
&lt;figure style="width:60%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:76.29350893697084%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/knative-activator-adapter/knative-mixer-adapter.png" title="Knative scale-from-zero">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/knative-activator-adapter/knative-mixer-adapter.png" alt="Knative scale-from-zero" />
&lt;/a>
&lt;/div>
&lt;figcaption>Knative scale-from-zero&lt;/figcaption>
&lt;/figure>
&lt;p>In this design, there is no need to change the routing from/to &lt;strong>Activator&lt;/strong> for an idle application as in the original Knative setup.
When the Istio proxy represented by the ingress gateway component receives a new request for an idle application, it informs &lt;strong>Mixer&lt;/strong>, including all the
relevant metadata information.
&lt;strong>Mixer&lt;/strong> then calls your adapter which triggers the Knative &lt;strong>Autoscaler&lt;/strong> using the original Knative protocol.&lt;/p>
&lt;div>
&lt;aside class="callout idea">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-idea"/>&lt;/svg>
&lt;/div>
&lt;div class="content">By using this design you do not need to deal with buffering, retries and load-balancing because it is already handled by the Istio proxy.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>Istio&amp;rsquo;s use of Mixer adapters makes it possible to replace otherwise complex networking-based application logic with a more
straightforward implementation, as demonstrated in the &lt;a href="https://github.com/zachidan/istio-kactivator">Knative adapter&lt;/a>.&lt;/p>
&lt;p>When the adapter receives a message from &lt;strong>Mixer&lt;/strong>, it sends a &lt;code>StatMessage&lt;/code> directly to &lt;strong>Autoscaler&lt;/strong>
component using the Knative protocol.
The metadata information (&lt;code>namespace&lt;/code> and &lt;code>service name&lt;/code>) required by &lt;strong>Autoscaler&lt;/strong> are transferred by Istio proxy to
&lt;strong>Mixer&lt;/strong> and from there to the adapter.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>I compared the cold-start time of the original Knative reference architecture to the new Istio Mixer adapter reference architecture.
The results show similar cold-start times.
The implementation using the Mixer adapter has greater simplicity. It is not necessary to handle low-level network-based mechanisms as these are handled by Envoy.&lt;/p>
&lt;p>The next step is converting this Mixer adapter into an Envoy-specific filter running inside an ingress gateway.
This will allow to further improve the latency overhead (no more calls to &lt;strong>Mixer&lt;/strong> and the adapter) and
to remove the dependency on the Istio Mixer.&lt;/p></description><pubDate>Wed, 18 Sep 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/knative-activator-adapter/</link><author>Idan Zach (IBM)</author><guid isPermaLink="true">/v1.5/blog/2019/knative-activator-adapter/</guid><category>mixer</category><category>adapter</category><category>knative</category><category>scale-from-zero</category></item><item><title>App Identity and Access Adapter</title><description>
&lt;p>If you are running your containerized applications on Kubernetes, you can benefit from using the App Identity and Access Adapter for an abstracted level of security with zero code changes or redeploys.&lt;/p>
&lt;p>Whether your computing environment is based on a single cloud provider, a combination of multiple cloud providers, or following a hybrid cloud approach, having a centralized identity management can help you to preserve existing infrastructure and avoid vendor lock-in.&lt;/p>
&lt;p>With the &lt;a href="https://github.com/ibm-cloud-security/app-identity-and-access-adapter">App Identity and Access Adapter&lt;/a>, you can use any OAuth2/OIDC provider: IBM Cloud App ID, Auth0, Okta, Ping Identity, AWS Cognito, Azure AD B2C and more. Authentication and authorization policies can be applied in a streamlined way in all environments — including frontend and backend applications — all without code changes or redeploys.&lt;/p>
&lt;h2 id="understanding-istio-and-the-adapter">Understanding Istio and the adapter&lt;/h2>
&lt;p>&lt;a href="/v1.5/docs/concepts/what-is-istio/">Istio&lt;/a> is an open source service mesh that
transparently layers onto distributed applications and seamlessly integrates
with Kubernetes. To reduce the complexity of deployments Istio provides
behavioral insights and operational control over the service mesh as a whole.
See the &lt;a href="/v1.5/docs/ops/deployment/architecture/">Istio Architecture&lt;/a> for more details.&lt;/p>
&lt;p>Istio uses &lt;a href="/v1.5/blog/2019/data-plane-setup/">Envoy proxy sidecars&lt;/a> to mediate inbound and outbound traffic for all pods in the service mesh. Istio extracts telemetry from the Envoy sidecars and sends it to Mixer, the Istio component responsible for collecting telemetry and enforcing policy.&lt;/p>
&lt;p>The App Identity and Access adapter extends the Mixer functionality by analyzing the telemetry (attributes) against various access control policies across the service mesh. The access control policies can be linked to a particular Kubernetes services and can be finely tuned to specific service endpoints. For more information about policies and telemetry, see the Istio documentation.&lt;/p>
&lt;p>When &lt;a href="https://github.com/ibm-cloud-security/app-identity-and-access-adapter">App Identity and Access Adapter&lt;/a> is combined with Istio, it provides a scalable, integrated identity and access solution for multicloud architectures that does not require any custom application code changes.&lt;/p>
&lt;h2 id="installation">Installation&lt;/h2>
&lt;p>App Identity and Access adapter can be installed using Helm directly from the &lt;code>github.com&lt;/code> repository&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm repo add appidentityandaccessadapter https://raw.githubusercontent.com/ibm-cloud-security/app-identity-and-access-adapter/master/helm/appidentityandaccessadapter
$ helm install --name appidentityandaccessadapter appidentityandaccessadapter/appidentityandaccessadapter
&lt;/code>&lt;/pre>
&lt;p>Alternatively, you can clone the repository and install the Helm chart locally&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ git clone git@github.com:ibm-cloud-security/app-identity-and-access-adapter.git
$ helm install ./helm/appidentityandaccessadapter --name appidentityandaccessadapter.
&lt;/code>&lt;/pre>
&lt;h2 id="protecting-web-applications">Protecting web applications&lt;/h2>
&lt;p>Web applications are most commonly protected by the OpenID Connect (OIDC) workflow called &lt;code>authorization_code&lt;/code>. When an unauthenticated/unauthorized user is detected, they are automatically redirected to the identity service of your choice and presented with the authentication page. When authentication completes, the browser is redirected back to an implicit &lt;code>/oidc/callback&lt;/code> endpoint intercepted by the adapter. At this point, the adapter obtains access and identity tokens from the identity service and then redirects users back to their originally requested URL in the web app.&lt;/p>
&lt;p>Authentication state and tokens are maintained by the adapter. Each request processed by the adapter will include the Authorization header bearing both access and identity tokens in the following format &lt;code>Authorization: Bearer &amp;lt;access_token&amp;gt; &amp;lt;id_token&amp;gt;&lt;/code>&lt;/p>
&lt;p>Developers can read leverage the tokens for application experience adjustments, e.g. displaying user name, adjusting UI based on user role etc.&lt;/p>
&lt;p>In order to terminate the authenticated session and wipe tokens, aka user logout, simply redirect browser to the &lt;code>/oidc/logout&lt;/code> endpoint under the protected service, e.g. if you&amp;rsquo;re serving your app from &lt;code>https://example.com/myapp&lt;/code>, redirect users to &lt;code>https://example.com/myapp/oidc/logout&lt;/code>&lt;/p>
&lt;p>Whenever access token expires, a refresh token is used to automatically acquire new access and identity tokens without your user&amp;rsquo;s needing to re-authenticate. If the configured identity provider returns a refresh token, it is persisted by the adapter and used to retrieve new access and identity tokens when the old ones expire.&lt;/p>
&lt;h3 id="applying-web-application-protection">Applying web application protection&lt;/h3>
&lt;p>Protecting web applications requires creating two types of resources - use &lt;code>OidcConfig&lt;/code> resources to define various OIDC providers, and &lt;code>Policy&lt;/code> resources to define the web app protection policies.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;security.cloud.ibm.com/v1&amp;#34;
kind: OidcConfig
metadata:
name: my-oidc-provider-config
namespace: sample-namespace
spec:
discoveryUrl: &amp;lt;discovery-url-from-oidc-provider&amp;gt;
clientId: &amp;lt;client-id-from-oidc-provider&amp;gt;
clientSecretRef:
name: &amp;lt;kubernetes-secret-name&amp;gt;
key: &amp;lt;kubernetes-secret-key&amp;gt;
&lt;/code>&lt;/pre>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;security.cloud.ibm.com/v1&amp;#34;
kind: Policy
metadata:
name: my-sample-web-policy
namespace: sample-namespace
spec:
targets:
- serviceName: &amp;lt;kubernetes-service-name-to-protect&amp;gt;
paths:
- prefix: /webapp
method: ALL
policies:
- policyType: oidc
config: my-oidc-provider-config
rules: // optional
- claim: iss
match: ALL
source: access_token
values:
- &amp;lt;expected-issuer-id&amp;gt;
- claim: scope
match: ALL
source: access_token
values:
- openid
&lt;/code>&lt;/pre>
&lt;p>&lt;a href="https://github.com/ibm-cloud-security/app-identity-and-access-adapter">Read more about protecting web applications&lt;/a>&lt;/p>
&lt;h2 id="protecting-backend-application-and-apis">Protecting backend application and APIs&lt;/h2>
&lt;p>Backend applications and APIs are protected using the Bearer Token flow, where an incoming token is validated against a particular policy. The Bearer Token authorization flow expects a request to contain the &lt;code>Authorization&lt;/code> header with a valid access token in JWT format. The expected header structure is &lt;code>Authorization: Bearer {access_token}&lt;/code>. In case token is successfully validated request will be forwarded to the requested service. In case token validation fails the HTTP 401 will be returned back to the client with a list of scopes that are required to access the API.&lt;/p>
&lt;h3 id="applying-backend-application-and-apis-protection">Applying backend application and APIs protection&lt;/h3>
&lt;p>Protecting backend applications and APIs requires creating two types of resources - use &lt;code>JwtConfig&lt;/code> resources to define various JWT providers, and &lt;code>Policy&lt;/code> resources to define the backend app protection policies.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;security.cloud.ibm.com/v1&amp;#34;
kind: JwtConfig
metadata:
name: my-jwt-config
namespace: sample-namespace
spec:
jwksUrl: &amp;lt;the-jwks-url&amp;gt;
&lt;/code>&lt;/pre>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;security.cloud.ibm.com/v1&amp;#34;
kind: Policy
metadata:
name: my-sample-backend-policy
namespace: sample-namespace
spec:
targets:
- serviceName: &amp;lt;kubernetes-service-name-to-protect&amp;gt;
paths:
- prefix: /api/files
method: ALL
policies:
- policyType: jwt
config: my-oidc-provider-config
rules: // optional
- claim: iss
match: ALL
source: access_token
values:
- &amp;lt;expected-issuer-id&amp;gt;
- claim: scope
match: ALL
source: access_token
values:
- files.read
- files.write
&lt;/code>&lt;/pre>
&lt;p>&lt;a href="https://github.com/ibm-cloud-security/app-identity-and-access-adapter">Read more about protecting backend applications&lt;/a>&lt;/p>
&lt;h2 id="known-limitations">Known limitations&lt;/h2>
&lt;p>At the time of writing this blog there are two known limitations of the App Identity and Access adapter:&lt;/p>
&lt;ul>
&lt;li>&lt;p>If you use the App Identity and Access adapter for Web Applications you should not create more than a single replica of the adapter. Due to the way Envoy Proxy was handling HTTP headers it was impossible to return multiple &lt;code>Set-Cookie&lt;/code> headers from Mixer back to Envoy. Therefore we couldn&amp;rsquo;t set all the cookies required for handling Web Application scenarios. The issue was recently addressed in Envoy and Mixer and we&amp;rsquo;re planning to address this in future versions of our adapter. &lt;strong>Note that this only affects Web Applications, and doesn&amp;rsquo;t affect Backend Apps and APIs in any way&lt;/strong>.&lt;/p>&lt;/li>
&lt;li>&lt;p>As a general best practice you should always consider using mutual-tls for any in-cluster communications. At the moment the communications channel between Mixer and App Identity and Access adapter currently does not use mutual-tls. In future we plan to address this by implementing an approach described in the &lt;a href="https://github.com/istio/istio/wiki/Mixer-Out-of-Process-Adapter-Walkthrough#step-7-encrypt-connection-between-mixer-and-grpc-adapter">Mixer Adapter developer guide&lt;/a>.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>When a multicloud strategy is in place, security can become complicated as the environment grows and diversifies. While cloud providers supply protocols and tools to ensure their offerings are safe, the development teams are still responsible for the application-level security, such as API access control with OAuth2, defending against man-in-the-middle attacks with traffic encryption, and providing mutual TLS for service access control. However, this becomes complex in a multicloud environment since you might need to define those security details for each service separately. With proper security protocols in place, those external and internal threats can be mitigated.&lt;/p>
&lt;p>Development teams have spent time making their services portable to different cloud providers, and in the same regard, the security in place should be flexible and not infrastructure-dependent.&lt;/p>
&lt;p>Istio and App Identity and Access Adapter allow you to secure your Kubernetes apps with absolutely zero code changes or redeployments regardless of which programming language and which frameworks you use. Following this approach ensures maximum portability of your apps, and ability to easily enforce same security policies across multiple environments.&lt;/p>
&lt;p>You can read more about the App Identity and Access Adapter in the &lt;a href="https://www.ibm.com/cloud/blog/using-istio-to-secure-your-multicloud-kubernetes-applications-with-zero-code-change">release blog&lt;/a>.&lt;/p></description><pubDate>Wed, 18 Sep 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/app-identity-and-access-adapter/</link><author>Anton Aleksandrov (IBM)</author><guid isPermaLink="true">/v1.5/blog/2019/app-identity-and-access-adapter/</guid><category>security</category><category>oidc</category><category>jwt</category><category>policies</category></item><item><title>Change in Secret Discovery Service in Istio 1.3</title><description>&lt;p>In Istio 1.3, we are taking advantage of improvements in Kubernetes to issue certificates for workload instances more securely.&lt;/p>
&lt;p>When a Citadel Agent sends a certificate signing request to Citadel to get a certificate for a workload instance,
it includes the JWT that the Kubernetes API server issued representing the service account of the workload instance.
If Citadel can authenticate the JWT, it extracts the service account name needed to issue the certificate for the workload instance.&lt;/p>
&lt;p>Before Kubernetes 1.12, the Kubernetes API server issues JWTs with the following issues:&lt;/p>
&lt;ol>
&lt;li>The tokens don&amp;rsquo;t have important fields to limit their scope of usage, such as &lt;code>aud&lt;/code> or &lt;code>exp&lt;/code>. See &lt;a href="https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/bound-service-account-tokens.md">Bound Service Tokens&lt;/a> for more info.&lt;/li>
&lt;li>The tokens are mounted onto all the pods without a way to opt-out. See &lt;a href="https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/svcacct-token-volume-source.md">Service Account Token Volumes&lt;/a> for motivation.&lt;/li>
&lt;/ol>
&lt;p>Kubernetes 1.12 introduces &lt;code>trustworthy&lt;/code> JWTs to solve these issues.
However, support for the &lt;code>aud&lt;/code> field to have a different value than the API server audience didn&amp;rsquo;t become available until &lt;a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.13.md">Kubernetes 1.13&lt;/a>.
To better secure the mesh, Istio 1.3 only supports &lt;code>trustworthy&lt;/code> JWTs and requires the value of the &lt;code>aud&lt;/code> field to be &lt;code>istio-ca&lt;/code> when you enable SDS.
Before upgrading your Istio deployment to 1.3 with SDS enabled, verify that you use Kubernetes 1.13 or later.&lt;/p>
&lt;p>Make the following considerations based on your platform of choice:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>GKE:&lt;/strong> Upgrade your cluster version to at least 1.13.&lt;/li>
&lt;li>&lt;strong>On-prem Kubernetes&lt;/strong> and &lt;strong>GKE on-prem:&lt;/strong> Add &lt;a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection">extra configurations&lt;/a> to your Kubernetes. You may
also want to refer to the &lt;a href="https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/">api-server page&lt;/a> for the most up-to-date flag names.&lt;/li>
&lt;li>For other platforms, check with your provider. If your vendor does not support trustworthy JWTs, you will need to fall back to the file-mount approach to propagate the workload keys and certificates in Istio 1.3.&lt;/li>
&lt;/ul></description><pubDate>Tue, 10 Sep 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/trustworthy-jwt-sds/</link><author>Phillip Quy Le (Google)</author><guid isPermaLink="true">/v1.5/blog/2019/trustworthy-jwt-sds/</guid><category>security</category><category>PKI</category><category>certificate</category><category>nodeagent</category><category>sds</category></item><item><title>The Evolution of Istio's APIs</title><description>
&lt;p>One of Istios main goals has always been, and continues to be, enabling teams to develop abstractions that work best for their specific organization and workloads. Istio provides robust and powerful building blocks for service-to-service networking. Since &lt;a href="/v1.5/news/releases/0.x/announcing-0.1">Istio 0.1&lt;/a>, the Istio team has been learning from production users about how they map their own architectures, workloads, and constraints to Istios capabilities, and weve been evolving Istios APIs to make them work better for you.&lt;/p>
&lt;h2 id="evolving-istio-s-apis">Evolving Istios APIs&lt;/h2>
&lt;p>The next step in Istios evolution is to sharpen our focus and align with the roles of Istios users. A security admin should be able to interact with an API that logically groups and simplifies security operations within an Istio mesh; the same goes for service operators and traffic management operations.&lt;/p>
&lt;p>Taking it a step further, theres an opportunity to provide improved experiences for beginning, intermediate, and advanced use cases for each role. There are many common use cases that can be addressed with obvious default settings and a better defined initial experience that requires little to no configuration. For intermediate use cases, the Istio team wants to leverage contextual cues from the environment and provide you with a simpler configuration experience. Finally, for advanced scenarios, our goal is to make &lt;a href="https://www.quora.com/What-is-the-origin-of-the-phrase-make-the-easy-things-easy-and-the-hard-things-possible">easy things easy and hard things possible&lt;/a>.&lt;/p>
&lt;p>To provide these sorts of role-centric abstractions, however, the APIs underneath them must be able to describe all of Istios power and capabilities. Historically, Istios approach to API design followed paths similar to those of other infrastructure APIs. Istio follows these design principles:&lt;/p>
&lt;ol>
&lt;li>The Istio APIs should seek to:
&lt;ul>
&lt;li>Properly represent the underlying resources to which they are mapped&lt;/li>
&lt;li>Shouldnt hide any of the underlying resources useful capabilities&lt;/li>
&lt;/ul>&lt;/li>
&lt;li>The Istio APIs should also be &lt;a href="https://en.wikipedia.org/wiki/Composability">composable&lt;/a>, so end users can combine infrastructure APIs in a way that makes sense for their own needs.&lt;/li>
&lt;li>The Istio APIs should be flexible: Within an organization, it should be possible to have different representations of the underlying resources and surface the ones that make sense for each individual team.&lt;/li>
&lt;/ol>
&lt;p>Over the course of the next several releases we will share our progress as we strengthen the alignment between Istios APIs and the roles of Istio users.&lt;/p>
&lt;h2 id="composability-and-abstractions">Composability and abstractions&lt;/h2>
&lt;p>Istio and Kubernetes often go together, but Istio is much more than an add-on to Kubernetes it is as much a &lt;em>platform&lt;/em> as Kubernetes is. Istio aims to provide infrastructure, and surface the capabilities you need in a powerful service mesh. For example, there are platform-as-a-service offerings that use Kubernetes as their foundation, and build on Kubernetes composability to provide a subset of APIs to application developers.&lt;/p>
&lt;p>The number of objects that must be configured to deploy applications is a concrete example of Kubernetes composability. By our count, at least 10 objects need to be configured: &lt;code>Namespace&lt;/code>, &lt;code>Service&lt;/code>, &lt;code>Ingress&lt;/code>, &lt;code>Deployment&lt;/code>, &lt;code>HorizontalPodAutoscaler&lt;/code>, &lt;code>Secret&lt;/code>, &lt;code>ConfigMap&lt;/code>, &lt;code>RBAC&lt;/code>, &lt;code>PodDisruptionBudget&lt;/code>, and &lt;code>NetworkPolicy&lt;/code>.&lt;/p>
&lt;p>It sounds complicated, but not everyone needs to interact with those concepts. Some are the responsibility of different teams like the cluster, network, or security admin teams, and many provide sensible defaults. A great benefit of cloud native platforms and deployment tools is that they can hide that complexity by taking in a small amount of information and configuring those objects for you.&lt;/p>
&lt;p>Another example of composability in the networking space can be found in the &lt;a href="https://cloud.google.com/load-balancing/docs/https/">Google Cloud HTTP(S) Load Balancer&lt;/a> (GCLB). To correctly use an instance of the GCLB, six different infrastructure objects need to be created and configured. This design is the result of our 20 years of experience in operating distributed systems and &lt;a href="https://www.youtube.com/watch?v=J5HJ1y6PeyE">there is a reason why each one is separate from the others&lt;/a>. But the steps are simplified when youre creating an instance via the Google Cloud console. We provide the more common end-user/role-specific configurations, and you can configure less common settings later. Ultimately, the goals of infrastructure APIs are to offer the most flexibility without sacrificing functionality.&lt;/p>
&lt;p>&lt;a href="http://knative.dev">Knative&lt;/a> is a platform for building, running, and operating serverless workloads that provides a great real-world example of role-centric,
higher-level APIs. &lt;a href="https://knative.dev/docs/serving/">Knative Serving&lt;/a>, a component of Knative that builds on Kubernetes and Istio to support deploying and
serving serverless applications and functions, provides an opinionated workflow for application developers to manage routes and revisions of their services.
Thanks to that opinionated approach, Knative Serving exposes a subset of Istios networking APIs that are most relevant to application developers via a simplified
&lt;a href="https://github.com/knative/docs/blob/master/docs/serving/spec/knative-api-specification-1.0.md#route">Routes&lt;/a> object that supports revisions and traffic routing,
abstracting Istios &lt;a href="/v1.5/docs/reference/config/networking/virtual-service/">&lt;code>VirtualService&lt;/code>&lt;/a> and &lt;a href="/v1.5/docs/reference/config/networking/destination-rule/">&lt;code>DestinationRule&lt;/code>&lt;/a>
resources.&lt;/p>
&lt;p>As Istio has matured, weve also seen production users develop workload- and organization-specific abstractions on top of Istios infrastructure APIs.&lt;/p>
&lt;p>AutoTrader UK has one of our favorite examples of a custom platform built on Istio. In &lt;a href="https://kubernetespodcast.com/episode/052-autotrader/">an interview with the Kubernetes Podcast from Google&lt;/a>, Russel Warman and Karl Stoney describe their Kubernetes-based delivery platform, with &lt;a href="https://karlstoney.com/2018/07/07/managing-your-costs-on-kubernetes/">cost dashboards using Prometheus and Grafana&lt;/a>. With minimal effort, they added configuration options to determine what their developers want configured on the network, and it now manages the Istio objects required to make that happen. There are countless other platforms being built in enterprise and cloud-native companies: some designed to replace a web of company-specific custom scripts, and some aimed to be a general-purpose public tool. As more companies start to talk about their tooling publicly, we&amp;rsquo;ll bring their stories to this blog.&lt;/p>
&lt;h2 id="what-s-coming-next">Whats coming next&lt;/h2>
&lt;p>Some areas of improvement that were working on for upcoming releases include:&lt;/p>
&lt;ul>
&lt;li>Installation profiles to setup standard patterns for ingress and egress, with the Istio operator&lt;/li>
&lt;li>Automatic inference of container ports and protocols for telemetry&lt;/li>
&lt;li>Support for routing all traffic by default to constrain routing incrementally&lt;/li>
&lt;li>Add a single global flag to enable mutual TLS and encrypt all inter-pod traffic&lt;/li>
&lt;/ul>
&lt;p>Oh, and if for some reason you judge a toolbox by the list of CRDs it installs, in Istio 1.2 we cut the number from 54 down to 23. Why? It turns out that if you have a bunch of features, you need to have a way to configure them all. With the improvements weve made to our installer, you can now install Istio using a &lt;a href="/v1.5/docs/setup/additional-setup/config-profiles/">configuration&lt;/a> that works with your adapters.&lt;/p>
&lt;p>All service meshes and, by extension, Istio seeks to automate complex infrastructure operations, like networking and security. That means there will always be complexity in its APIs, but Istio will always aim to solve the needs of operators, while continuing to evolve the API to provide robust building blocks and prioritize flexibility through role-centric abstractions.&lt;/p>
&lt;p>We can&amp;rsquo;t wait for you to join our &lt;a href="/v1.5/about/community/join/">community&lt;/a> to see what you build with Istio next!&lt;/p></description><pubDate>Mon, 05 Aug 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/evolving-istios-apis/</link><author>Louis Ryan (Google), Sandeep Parikh (Google)</author><guid isPermaLink="true">/v1.5/blog/2019/evolving-istios-apis/</guid><category>apis</category><category>composability</category><category>evolution</category></item><item><title>Secure Control of Egress Traffic in Istio, part 3</title><description>
&lt;p>Welcome to part 3 in our series about secure control of egress traffic in Istio.
In &lt;a href="/v1.5/blog/2019/egress-traffic-control-in-istio-part-1/">the first part in the series&lt;/a>, I presented the attacks involving
egress traffic and the requirements we collected for a secure control system for egress traffic.
In &lt;a href="/v1.5/blog/2019/egress-traffic-control-in-istio-part-2/">the second part in the series&lt;/a>, I presented the Istio way of
securing egress traffic and showed how you can prevent the attacks using Istio.&lt;/p>
&lt;p>In this installment, I compare secure control of egress traffic in Istio with alternative solutions such as using Kubernetes
network policies and legacy egress proxies and firewalls. Finally, I describe the performance considerations regarding the
secure control of egress traffic in Istio.&lt;/p>
&lt;h2 id="alternative-solutions-for-egress-traffic-control">Alternative solutions for egress traffic control&lt;/h2>
&lt;p>First, let&amp;rsquo;s remember the &lt;a href="/v1.5/blog/2019/egress-traffic-control-in-istio-part-1/#requirements-for-egress-traffic-control">requirements for egress traffic control&lt;/a> we previously collected:&lt;/p>
&lt;ol>
&lt;li>Support of &lt;a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">TLS&lt;/a> with
&lt;a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI&lt;/a> or of &lt;a href="/v1.5/docs/reference/glossary/#tls-origination">TLS origination&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Monitor&lt;/strong> SNI and the source workload of every egress access.&lt;/li>
&lt;li>Define and enforce &lt;strong>policies per cluster&lt;/strong>.&lt;/li>
&lt;li>Define and enforce &lt;strong>policies per source&lt;/strong>, &lt;em>Kubernetes-aware&lt;/em>.&lt;/li>
&lt;li>&lt;strong>Prevent tampering&lt;/strong>.&lt;/li>
&lt;li>Traffic control is &lt;strong>transparent&lt;/strong> to the applications.&lt;/li>
&lt;/ol>
&lt;p>Next, I&amp;rsquo;m going to cover two alternative solutions for egress traffic control: the Kubernetes network policies and
egress proxies and firewalls. I show the requirements they satisfy, and, more importantly, the requirements they can&amp;rsquo;t satisfy.&lt;/p>
&lt;p>Kubernetes provides a native solution for traffic control, and in particular, for control of egress traffic, through the &lt;a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/">network policies&lt;/a>.
Using these network policies, cluster operators can configure which pods can access specific external services.
Cluster operators can identify pods by pod labels, namespace labels, or by IP ranges. To specify the external services, cluster operators can use IP ranges, but cannot use domain names like &lt;code>cnn.com&lt;/code>. This is because &lt;strong>Kubernetes network policies are not DNS-aware&lt;/strong>.
Network policies satisfy the first requirement since they can control any TCP traffic.
Network policies only partially satisfy the third and the fourth requirements because cluster operators can specify policies
per cluster or per pod but operators can&amp;rsquo;t identify external services by domain names.
Network policies only satisfy the fifth requirement if the attackers are not able to break from a malicious container into the Kubernetes
node and interfere with the implementation of the policies inside said node.
Lastly, network policies do satisfy the sixth requirement: Operators don&amp;rsquo;t need to change the code or the
container environment. In summary, we can say that Kubernetes Network Policies provide transparent, Kubernetes-aware egress traffic
control, which is not DNS-aware.&lt;/p>
&lt;p>The second alternative predates the Kubernetes network policies. Using a &lt;strong>DNS-aware egress proxy or firewall&lt;/strong> lets you
configure applications to direct the traffic to the proxy and use some proxy protocol, for example,
&lt;a href="https://en.wikipedia.org/wiki/SOCKS">SOCKS&lt;/a>.
Since operators must configure the applications, this solution is not transparent. Moreover, operators can&amp;rsquo;t use
pod labels or pod service accounts to configure the proxies because the egress proxies don&amp;rsquo;t know about them. Therefore, &lt;strong>the egress proxies are not Kubernetes-aware&lt;/strong> and can&amp;rsquo;t fulfill the fourth requirement because
egress proxies cannot enforce policies by source if a Kubernetes artifact specifies the source.
In summary, egress proxies can fulfill the first, second, third and fifth requirements, but can&amp;rsquo;t satisfy the fourth and
the six requirements because they are not transparent and not Kubernetes-aware.&lt;/p>
&lt;h2 id="advantages-of-istio-egress-traffic-control">Advantages of Istio egress traffic control&lt;/h2>
&lt;p>Istio egress traffic control is &lt;strong>DNS-aware&lt;/strong>: you can define policies based on URLs or on wildcard domains like
&lt;code>*.ibm.com&lt;/code>. In this sense, it is better than Kubernetes network policies which are not DNS-aware.&lt;/p>
&lt;p>Istio egress traffic control is &lt;strong>transparent&lt;/strong> with regard to TLS traffic, since Istio is transparent:
you don&amp;rsquo;t need to change the applications or configure their containers.
For HTTP traffic with TLS origination, you must configure the applications in the mesh to use HTTP instead of HTTPS.&lt;/p>
&lt;p>Istio egress traffic control is &lt;strong>Kubernetes-aware&lt;/strong>: the identity of the source of egress traffic is based on
Kubernetes service accounts. Istio egress traffic control is better than the legacy DNS-aware proxies or firewalls which
are not transparent and not Kubernetes-aware.&lt;/p>
&lt;p>Istio egress traffic control is &lt;strong>secure&lt;/strong>: it is based on the strong identity of Istio and, when you
apply
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations">additional security measures&lt;/a>,
Istio&amp;rsquo;s traffic control is resilient to tampering.&lt;/p>
&lt;p>Additionally, Istio&amp;rsquo;s egress traffic control provides the following advantages:&lt;/p>
&lt;ul>
&lt;li>Define access policies in the same language for ingress, egress, and in-cluster traffic. You
need to learn a single policy and configuration language for all types of traffic.&lt;/li>
&lt;li>Out-of-the-Box integration of Istio&amp;rsquo;s egress traffic control with Istio&amp;rsquo;s policy and observability adapters.&lt;/li>
&lt;li>Write the adapters to use external monitoring or access control systems with Istio only once and
apply them for all types of traffic: ingress, egress, and in-cluster.&lt;/li>
&lt;li>Use Istio&amp;rsquo;s &lt;a href="/v1.5/docs/concepts/traffic-management/">traffic management features&lt;/a> for egress traffic:
load balancing, passive and active health checking, circuit breaker, timeouts, retries, fault injection, and others.&lt;/li>
&lt;/ul>
&lt;p>We refer to a system with the advantages above as &lt;strong>Istio-aware&lt;/strong>.&lt;/p>
&lt;p>The following table summarizes the egress traffic control features that Istio and the alternative solutions provide:&lt;/p>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>&lt;/th>
&lt;th>Istio Egress Traffic Control&lt;/th>
&lt;th>Kubernetes Network Policies&lt;/th>
&lt;th>Legacy Egress Proxy or Firewall&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>DNS-aware&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#checkmark"/>&lt;/svg>&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#cancel"/>&lt;/svg>&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#checkmark"/>&lt;/svg>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Kubernetes-aware&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#checkmark"/>&lt;/svg>&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#checkmark"/>&lt;/svg>&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#cancel"/>&lt;/svg>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Transparent&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#checkmark"/>&lt;/svg>&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#checkmark"/>&lt;/svg>&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#cancel"/>&lt;/svg>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Istio-aware&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#checkmark"/>&lt;/svg>&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#cancel"/>&lt;/svg>&lt;/td>
&lt;td>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#cancel"/>&lt;/svg>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="performance-considerations">Performance considerations&lt;/h2>
&lt;p>Controlling egress traffic using Istio has a price: increased latency of calls to external services and
increased CPU usage by the cluster&amp;rsquo;s pods.
Traffic passes through two proxies:&lt;/p>
&lt;ul>
&lt;li>The application&amp;rsquo;s sidecar proxy&lt;/li>
&lt;li>The egress gateway&amp;rsquo;s proxy&lt;/li>
&lt;/ul>
&lt;p>If you use &lt;a href="/v1.5/docs/tasks/traffic-management/egress/wildcard-egress-hosts/">TLS egress traffic to wildcard domains&lt;/a>,
you must add
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains">an additional proxy&lt;/a>
between the application and the external service. Since the traffic between the egress gateway&amp;rsquo;s proxy and
the proxy needed for the configuration of arbitrary domains using wildcards is on the pod&amp;rsquo;s local
network, that traffic shouldn&amp;rsquo;t have a significant impact on latency.&lt;/p>
&lt;p>See a &lt;a href="/v1.5/blog/2019/egress-performance/">performance evaluation&lt;/a> of different Istio configurations set to control egress
traffic. I would encourage you to carefully measure different configurations with your own applications and your own
external services, before you decide whether you can afford the performance overhead for your use cases. You should weigh the
required level of security versus your performance requirements and compare the performance overhead of all
alternative solutions.&lt;/p>
&lt;p>Let me share my thoughts on the performance overhead that controlling egress traffic using Istio adds:
Accessing external services already could have high latency and the overhead added
because of two or three proxies inside the cluster could likely not be very significant by comparison.
After all, applications with a microservice architecture can have chains of dozens of calls between microservices.
Therefore, an additional hop with one or two proxies in the egress gateway should not have a large impact.&lt;/p>
&lt;p>Moreover, we continue to work towards reducing Istio&amp;rsquo;s performance overhead.
Possible optimizations include:&lt;/p>
&lt;ul>
&lt;li>Extending Envoy to handle wildcard domains: This would eliminate the need for a third proxy between
the application and the external services for that use case.&lt;/li>
&lt;li>Using mutual TLS for authentication only without encrypting the TLS traffic, since the traffic is already
encrypted.&lt;/li>
&lt;/ul>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>I hope that after reading this series you are convinced that controlling egress traffic is very important for the
security of your cluster.
Hopefully, I also managed to convince you that Istio is an effective tool to control egress traffic
securely, and that Istio has multiple advantages over the alternative solutions.
Istio is the only solution I&amp;rsquo;m aware of that lets you:&lt;/p>
&lt;ul>
&lt;li>Control egress traffic in a secure and transparent way&lt;/li>
&lt;li>Specify external services as domain names&lt;/li>
&lt;li>Use Kubernetes artifacts to specify the traffic source&lt;/li>
&lt;/ul>
&lt;p>In my opinion, secure control of egress traffic is a great choice if you are looking for your first Istio use case.
In this case, Istio already provides you some benefits even before you start using all other Istio features:
&lt;a href="/v1.5/docs/tasks/traffic-management/">traffic management&lt;/a>, &lt;a href="/v1.5/docs/tasks/security/">security&lt;/a>,
&lt;a href="/v1.5/docs/tasks/policy-enforcement/">policies&lt;/a> and &lt;a href="/v1.5/docs/tasks/observability/">observability&lt;/a>, applied to traffic between
microservices inside the cluster.&lt;/p>
&lt;p>So, if you haven&amp;rsquo;t had the chance to work with Istio yet, &lt;a href="/v1.5/docs/setup/install/">install Istio&lt;/a> on your cluster
and check our &lt;a href="/v1.5/docs/tasks/traffic-management/egress/">egress traffic control tasks&lt;/a> and the tasks for the other
&lt;a href="/v1.5/docs/tasks/">Istio features&lt;/a>. We also want to hear from you, please join us at &lt;a href="https://discuss.istio.io">discuss.istio.io&lt;/a>.&lt;/p></description><pubDate>Mon, 22 Jul 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/egress-traffic-control-in-istio-part-3/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.5/blog/2019/egress-traffic-control-in-istio-part-3/</guid><category>traffic-management</category><category>egress</category><category>security</category><category>gateway</category><category>tls</category></item><item><title>Secure Control of Egress Traffic in Istio, part 2</title><description>
&lt;p>Welcome to part 2 in our new series about secure control of egress traffic in Istio.
In &lt;a href="/v1.5/blog/2019/egress-traffic-control-in-istio-part-1/">the first part in the series&lt;/a>, I presented the attacks involving
egress traffic and the requirements we collected for a secure control system for egress traffic.
In this installment, I describe the Istio way to securely control the egress traffic, and show how Istio can help you
prevent the attacks.&lt;/p>
&lt;h2 id="secure-control-of-egress-traffic-in-istio">Secure control of egress traffic in Istio&lt;/h2>
&lt;p>To implement secure control of egress traffic in Istio, you must
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-https-traffic">direct TLS traffic to external services through an egress gateway&lt;/a>.
Alternatively, you
can &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-http-traffic">direct HTTP traffic through an egress gateway&lt;/a>
and &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway">let the egress gateway perform TLS origination&lt;/a>.&lt;/p>
&lt;p>Both alternatives have their pros and cons, you should choose between them according to your circumstances.
The choice mainly depends on whether your application can send unencrypted HTTP requests and whether your
organization&amp;rsquo;s security policies allow sending unencrypted HTTP requests.
For example, if your application uses some client library that encrypts the traffic without a possibility to cancel the
encryption, you cannot use the option of sending unencrypted HTTP traffic.
The same in the case your organization&amp;rsquo;s security policies do not allow sending unencrypted HTTP requests
&lt;strong>inside the pod&lt;/strong> (outside the pod the traffic is encrypted by Istio).&lt;/p>
&lt;p>If the application sends HTTP requests and the egress gateway performs TLS origination, you can monitor HTTP
information like HTTP methods, headers, and URL paths. You can also
&lt;a href="/v1.5/blog/2018/egress-monitoring-access-control">define policies&lt;/a> based on said HTTP information. If the application
performs TLS origination, you can
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/">monitor SNI and the service account&lt;/a> of the
source pod&amp;rsquo;s TLS traffic, and define policies based on SNI and service accounts.&lt;/p>
&lt;p>You must ensure that traffic from your cluster to the outside cannot bypass the egress gateway. Istio cannot enforce it
for you, so you must apply some
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations">additional security mechanisms&lt;/a>,
for example,
the &lt;a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/">Kubernetes network policies&lt;/a> or an L3
firewall. See an example of the
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#apply-kubernetes-network-policies">Kubernetes network policies configuration&lt;/a>.
According to the &lt;a href="https://en.wikipedia.org/wiki/Defense_in_depth_(computing)">Defense in depth&lt;/a> concept, the more
security mechanisms you apply for the same goal, the better.&lt;/p>
&lt;p>You must also ensure that Istio control plane and the egress gateway cannot be compromised. While you may have hundreds
or thousands of application pods in your cluster, there are only a dozen of Istio control plane pods and the gateways.
You can and should focus on protecting the control plane pods and the gateways, since it is easy (there is a small
number of pods to protect) and it is most crucial for the security of your cluster.
If attackers compromise the control plane or the egress gateway, they could violate any policy.&lt;/p>
&lt;p>You might have multiple tools to protect the control plane pods, depending on your environment.
The reasonable security measures are:&lt;/p>
&lt;ul>
&lt;li>Run the control plane pods on nodes separate from the application nodes.&lt;/li>
&lt;li>Run the control plane pods in their own separate namespace.&lt;/li>
&lt;li>Apply the Kubernetes RBAC and network policies to protect the control plane pods.&lt;/li>
&lt;li>Monitor the control plane pods more closely than you do the application pods.&lt;/li>
&lt;/ul>
&lt;p>Once you direct egress traffic through an egress gateway and apply the additional security mechanisms,
you can securely monitor and enforce security policies for the traffic.&lt;/p>
&lt;p>The following diagram shows Istio&amp;rsquo;s security architecture, augmented with an L3 firewall which is part of the
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations">additional security mechanisms&lt;/a>
that should be provided outside of Istio.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:54.89557965057057%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/egress-traffic-control-in-istio-part-2/SecurityArchitectureWithL3Firewalls.svg" title="Istio Security Architecture with Egress Gateway and L3 Firewall">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/egress-traffic-control-in-istio-part-2/SecurityArchitectureWithL3Firewalls.svg" alt="Istio Security Architecture with Egress Gateway and L3 Firewall" />
&lt;/a>
&lt;/div>
&lt;figcaption>Istio Security Architecture with Egress Gateway and L3 Firewall&lt;/figcaption>
&lt;/figure>
&lt;p>You can configure the L3 firewall trivially to only allow incoming traffic through the Istio ingress gateway and
only allow outgoing traffic through the Istio egress gateway. The Istio proxies of the gateways enforce
policies and report telemetry just as all other proxies in the mesh do.&lt;/p>
&lt;p>Now let&amp;rsquo;s examine possible attacks and let me show you how the secure control of egress traffic in Istio prevents them.&lt;/p>
&lt;h2 id="preventing-possible-attacks">Preventing possible attacks&lt;/h2>
&lt;p>Consider the following security policies for egress traffic:&lt;/p>
&lt;ul>
&lt;li>Application &lt;strong>A&lt;/strong> is allowed to access &lt;code>*.ibm.com&lt;/code>, which includes all the external services with URLs matching
&lt;code>*.ibm.com&lt;/code>.&lt;/li>
&lt;li>Application &lt;strong>B&lt;/strong> is allowed to access &lt;code>mongo1.composedb.com&lt;/code>.&lt;/li>
&lt;li>All egress traffic is monitored.&lt;/li>
&lt;/ul>
&lt;p>Suppose the attackers have the following goals:&lt;/p>
&lt;ul>
&lt;li>Access &lt;code>*.ibm.com&lt;/code> from your cluster.&lt;/li>
&lt;li>Access &lt;code>*.ibm.com&lt;/code> from your cluster, unmonitored. The attackers want their traffic to be unmonitored to prevent a
possibility that you will detect the forbidden access.&lt;/li>
&lt;li>Access &lt;code>mongo1.composedb.com&lt;/code> from your cluster.&lt;/li>
&lt;/ul>
&lt;p>Now suppose that the attackers manage to break into one of the pods of application &lt;strong>A&lt;/strong>, and try to use the compromised
pod to perform the forbidden access. The attackers may try their luck and access the external services in a
straightforward way. You will react to the straightforward attempts as follows:&lt;/p>
&lt;ul>
&lt;li>Initially, there is no way to prevent a compromised application &lt;strong>A&lt;/strong> to access &lt;code>*.ibm.com&lt;/code>, because the compromised
pod is indistinguishable from the original pod.&lt;/li>
&lt;li>Fortunately, you can monitor all access to external services, detect suspicious traffic, and thwart attackers from
gaining unmonitored access to &lt;code>*.ibm.com&lt;/code>. For example, you could apply anomaly detection tools on the
egress traffic logs.&lt;/li>
&lt;li>To stop attackers from accessing &lt;code>mongo1.composedb.com&lt;/code> from your cluster, Istio will correctly detect the source of
the traffic, application &lt;strong>A&lt;/strong> in this case, and verify that it is not allowed to access &lt;code>mongo1.composedb.com&lt;/code>
according to the security policies mentioned above.&lt;/li>
&lt;/ul>
&lt;p>Having failed to achieve their goals in a straightforward way, the malicious actors may resort to advanced attacks:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Bypass the container&amp;rsquo;s sidecar proxy&lt;/strong> to be able to access any external service directly, without the sidecar&amp;rsquo;s
policy enforcement and reporting. This attack is prevented by a Kubernetes Network Policy or by an L3 firewall that
allow egress traffic to exit the mesh only from the egress gateway.&lt;/li>
&lt;li>&lt;strong>Compromise the egress gateway&lt;/strong> to be able to force it to send fake information to the monitoring system or to
disable enforcement of the security policies. This attack is prevented by applying the special security measures to
the egress gateway pods.&lt;/li>
&lt;li>&lt;strong>Impersonate as application B&lt;/strong> since application &lt;strong>B&lt;/strong> is allowed to access &lt;code>mongo1.composedb.com&lt;/code>. This attack,
fortunately, is prevented by Istio&amp;rsquo;s &lt;a href="/v1.5/docs/concepts/security/#istio-identity">strong identity support&lt;/a>.&lt;/li>
&lt;/ul>
&lt;p>As far as we can see, all the forbidden access is prevented, or at least is monitored and can be prevented later.
If you see other attacks that involve egress traffic or security holes in the current design, we would be happy
&lt;a href="https://discuss.istio.io">to hear about it&lt;/a>.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>Hopefully, I managed to convince you that Istio is an effective tool to prevent attacks involving egress
traffic. In &lt;a href="/v1.5/blog/2019/egress-traffic-control-in-istio-part-3/">the next part of this series&lt;/a>, I compare secure control of egress traffic in Istio with alternative
solutions such as
&lt;a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/">Kubernetes Network Policies&lt;/a> and legacy
egress proxies/firewalls.&lt;/p></description><pubDate>Wed, 10 Jul 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/egress-traffic-control-in-istio-part-2/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.5/blog/2019/egress-traffic-control-in-istio-part-2/</guid><category>traffic-management</category><category>egress</category><category>security</category><category>gateway</category><category>tls</category></item><item><title>Best Practices: Benchmarking Service Mesh Performance</title><description>
&lt;p>Service meshes add a lot of functionality to application deployments, including &lt;a href="/v1.5/docs/concepts/what-is-istio/#traffic-management">traffic policies&lt;/a>, &lt;a href="/v1.5/docs/concepts/what-is-istio/#observability">observability&lt;/a>, and &lt;a href="/v1.5/docs/concepts/what-is-istio/#security">secure communication&lt;/a>. But adding a service mesh to your environment comes at a cost, whether that&amp;rsquo;s time (added latency) or resources (CPU cycles). To make an informed decision on whether a service mesh is right for your use case, it&amp;rsquo;s important to evaluate how your application performs when deployed with a service mesh.&lt;/p>
&lt;p>Earlier this year, we published a &lt;a href="/v1.5/blog/2019/istio1.1_perf/">blog post&lt;/a> on Istio&amp;rsquo;s performance improvements in version 1.1. Following the release of &lt;a href="/v1.5/news/releases/1.2.x/announcing-1.2">Istio 1.2&lt;/a>, we want to provide guidance and tools to help you benchmark Istio&amp;rsquo;s data plane performance in a production-ready Kubernetes environment.&lt;/p>
&lt;p>Overall, we found that Istio&amp;rsquo;s &lt;a href="/v1.5/docs/ops/deployment/architecture/#envoy">sidecar proxy&lt;/a> latency scales with the number of concurrent connections. At 1000 requests per second (RPS), across 16 connections, Istio adds &lt;strong>3 milliseconds&lt;/strong> per request in the 50th percentile, and &lt;strong>10 milliseconds&lt;/strong> in the 99th percentile.&lt;/p>
&lt;p>In the &lt;a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark">Istio Tools repository&lt;/a>, youll find scripts and instructions for measuring Istio&amp;rsquo;s data plane performance, with additional instructions on how to run the scripts with &lt;a href="https://linkerd.io">Linkerd&lt;/a>, another service mesh implementation. &lt;a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark#setup">Follow along&lt;/a> as we detail some best practices for each step of the performance test framework.&lt;/p>
&lt;h2 id="1-use-a-production-ready-istio-installation">1. Use a production-ready Istio installation&lt;/h2>
&lt;p>To accurately measure the performance of a service mesh at scale, it&amp;rsquo;s important to use an &lt;a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/istio-install#istio-setup">adequately-sized&lt;/a> Kubernetes cluster. We test using three worker nodes, each with at least 4 vCPUs and 15 GB of memory.&lt;/p>
&lt;p>Then, it&amp;rsquo;s important to use a production-ready Istio &lt;strong>installation profile&lt;/strong> on that cluster. This lets us achieve performance-oriented settings such as control plane pod autoscaling, and ensures that resource limits are appropriate for heavy traffic load. The &lt;a href="/v1.5/docs/setup/install/helm/#installation-steps">default&lt;/a> Istio installation is suitable for most benchmarking use cases. For extensive performance benchmarking, with thousands of proxy-injected services, we also provide &lt;a href="https://github.com/istio/tools/blob/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/istio-install/values.yaml">a tuned Istio install&lt;/a> that allocates extra memory and CPU to the Istio control plane.&lt;/p>
&lt;p>&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#exclamation-mark"/>&lt;/svg> Istio&amp;rsquo;s &lt;a href="/v1.5/docs/setup/getting-started/">demo installation&lt;/a> is not suitable for performance testing, because it is designed to be deployed on a small trial cluster, and has full tracing and access logs enabled to showcase Istio&amp;rsquo;s features.&lt;/p>
&lt;h2 id="2-focus-on-the-data-plane">2. Focus on the data plane&lt;/h2>
&lt;p>Our benchmarking scripts focus on evaluating the Istio data plane: the &lt;span class="term" data-title="Envoy" data-body="&amp;lt;p&amp;gt;The high-performance proxy that Istio uses to mediate inbound and outbound traffic for all &amp;lt;a href=&amp;#34;/docs/reference/glossary/#service&amp;#34;&amp;gt;services&amp;lt;/a&amp;gt; in the
&amp;lt;a href=&amp;#34;/docs/reference/glossary/#service-mesh&amp;#34;&amp;gt;service mesh&amp;lt;/a&amp;gt;. &amp;lt;a href=&amp;#34;https://envoyproxy.github.io/envoy/&amp;#34;&amp;gt;Learn more about Envoy&amp;lt;/a&amp;gt;.&amp;lt;/p&amp;gt;
">Envoy&lt;/span> proxies that mediate traffic between application containers. Why focus on the data plane? Because at scale, with lots of application containers, the data planes &lt;strong>memory&lt;/strong> and &lt;strong>CPU&lt;/strong> usage quickly eclipses that of the Istio control plane. Let&amp;rsquo;s look at an example of how this happens:&lt;/p>
&lt;p>Say you run 2,000 Envoy-injected pods, each handling 1,000 requests per second. Each proxy is using 50 MB of memory, and to configure all these proxies, Pilot is using 1 vCPU and 1.5 GB of memory. All together, the Istio data plane (the sum of all the Envoy proxies) is using 100 GB of memory, compared to Pilot&amp;rsquo;s 1.5 GB.&lt;/p>
&lt;p>It is also important to focus on data plane performance for &lt;strong>latency&lt;/strong> reasons. This is because most application requests move through the Istio data plane, not the control plane. There are two exceptions:&lt;/p>
&lt;ol>
&lt;li>&lt;strong>Telemetry reporting:&lt;/strong> Each proxy sends raw telemetry data to &lt;span class="term" data-title="Mixer" data-body="&amp;lt;p&amp;gt;The Istio component is responsible for enforcing access control and usage policies across the &amp;lt;a href=&amp;#34;/docs/reference/glossary/#service-mesh&amp;#34;&amp;gt;service mesh&amp;lt;/a&amp;gt; and collecting telemetry data
from &amp;lt;a href=&amp;#34;/docs/reference/glossary/#envoy&amp;#34;&amp;gt;Envoy&amp;lt;/a&amp;gt; and other services.
&amp;lt;a href=&amp;#34;/docs/reference/config/policy-and-telemetry/&amp;#34;&amp;gt;Learn more about Mixer&amp;lt;/a&amp;gt;.&amp;lt;/p&amp;gt;
">Mixer&lt;/span>, which Mixer processes into metrics, traces, and other telemetry. The raw telemetry data is similar to access logs, and therefore comes at a cost. Access log processing consumes CPU and keeps a worker thread from picking up the next unit of work. At higher throughput, it is more likely that the next unit of work is waiting in the queue to be picked up by the worker. This can lead to long-tail (99th percentile) latency for Envoy.&lt;/li>
&lt;li>&lt;strong>Custom policy checks:&lt;/strong> When using &lt;a href="/v1.5/docs/concepts/observability/">custom Istio policy adapters&lt;/a>, policy checks are on the request path. This means that request headers and metadata on the data path will be sent to the control plane (Mixer), resulting in higher request latency. &lt;strong>Note:&lt;/strong> These policy checks are &lt;a href="/v1.5/docs/reference/config/installation-options/#global-options">disabled by default&lt;/a>, as the most common policy use case (&lt;a href="/v1.5/docs/reference/config/security/istio.rbac.v1alpha1">RBAC&lt;/a>) is performed entirely by the Envoy proxies.&lt;/li>
&lt;/ol>
&lt;p>Both of these exceptions will go away in a future Istio release, when &lt;a href="https://docs.google.com/document/d/1QKmtem5jU_2F3Lh5SqLp0IuPb80_70J7aJEYu4_gS-s">Mixer V2&lt;/a> moves all policy and telemetry features directly into the proxies.&lt;/p>
&lt;p>Next, when testing Istio&amp;rsquo;s data plane performance at scale, it&amp;rsquo;s important to test not only at increasing requests per second, but also against an increasing number of &lt;strong>concurrent&lt;/strong> connections. This is because real-world, high-throughput traffic comes from multiple clients. The &lt;a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark#run-performance-tests">provided scripts&lt;/a> allow you to perform the same load test with any number of concurrent connections, at increasing RPS.&lt;/p>
&lt;p>Lastly, our test environment measures requests between two pods, not many. The client pod is &lt;a href="http://fortio.org/">Fortio&lt;/a>, which sends traffic to the server pod.&lt;/p>
&lt;p>Why test with only two pods? Because scaling up throughput (RPS) and connections (threads) has a greater effect on Envoy&amp;rsquo;s performance than increasing the total size of the service registry — or, the total number of pods and services in the Kubernetes cluster. When the size of the service registry grows, Envoy does have to keep track of more endpoints, and lookup time per request does increase, but by a tiny constant. If you have many services, and this constant becomes a latency concern, Istio provides a &lt;a href="/v1.5/docs/reference/config/networking/sidecar/">Sidecar resource&lt;/a>, which allows you to limit which services each Envoy knows about.&lt;/p>
&lt;h2 id="3-measure-with-and-without-proxies">3. Measure with and without proxies&lt;/h2>
&lt;p>While many Istio features, such as &lt;a href="/v1.5/docs/concepts/security/#mutual-tls-authentication">mutual TLS authentication&lt;/a>, rely on an Envoy proxy next to an application pod, you can &lt;a href="/v1.5/docs/setup/additional-setup/sidecar-injection/#disabling-or-updating-the-webhook">selectively disable&lt;/a> sidecar proxy injection for some of your mesh services. As you scale up Istio for production, you may want to incrementally add the sidecar proxy to your workloads.&lt;/p>
&lt;p>To that end, the test scripts provide &lt;a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark#run-performance-tests">three different modes&lt;/a>. These modes analyze Istio&amp;rsquo;s performance when a request goes through both the client and server proxies (&lt;code>both&lt;/code>), just the server proxy (&lt;code>serveronly&lt;/code>), and neither proxy (&lt;code>baseline&lt;/code>).&lt;/p>
&lt;p>You can also disable &lt;a href="/v1.5/docs/concepts/observability/">Mixer&lt;/a> to stop Istio&amp;rsquo;s telemetry during the performance tests, which provides results in line with the performance we expect when the Mixer V2 work is completed. Istio also supports &lt;a href="https://github.com/istio/istio/wiki/Envoy-native-telemetry">Envoy native telemetry&lt;/a>, which performs similarly to having Istio&amp;rsquo;s telemetry disabled.&lt;/p>
&lt;h2 id="istio-1-2-performance">Istio 1.2 Performance&lt;/h2>
&lt;p>Let&amp;rsquo;s see how to use this test environment to analyze the data plane performance of Istio 1.2. We also provide instructions to run the &lt;a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark/linkerd">same performance tests for the Linkerd data plane&lt;/a>. Currently, only latency benchmarking is supported for Linkerd.&lt;/p>
&lt;p>For measuring Istio&amp;rsquo;s sidecar proxy latency, we look at the 50th, 90th, and 99th percentiles for an increasing number of concurrent connections,keeping request throughput (RPS) constant.&lt;/p>
&lt;p>We found that with 16 concurrent connections and 1000 RPS, Istio adds &lt;strong>3ms&lt;/strong> over the baseline (P50) when a request travels through both a client and server proxy. (Subtract the pink line, &lt;code>base&lt;/code>, from the green line, &lt;code>both&lt;/code>.) At 64 concurrent connections, Istio adds &lt;strong>12ms&lt;/strong> over the baseline, but with Mixer disabled (&lt;code>nomixer_both&lt;/code>), Istio only adds &lt;strong>7ms&lt;/strong>.&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/performance-best-practices/latency_p50.png" title="Istio sidecar proxy, 50th percentile latency">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/performance-best-practices/latency_p50.png" alt="Istio sidecar proxy, 50th percentile latency" />
&lt;/a>
&lt;/div>
&lt;figcaption>&lt;/figcaption>
&lt;/figure>
&lt;p>In the 90th percentile, with 16 concurrent connections, Istio adds &lt;strong>6ms&lt;/strong>; with 64 connections, Istio adds &lt;strong>20ms&lt;/strong>.&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/performance-best-practices/latency_p90.png" title="Istio sidecar proxy, 90th percentile latency">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/performance-best-practices/latency_p90.png" alt="Istio sidecar proxy, 90th percentile latency" />
&lt;/a>
&lt;/div>
&lt;figcaption>&lt;/figcaption>
&lt;/figure>
&lt;p>Finally, in the 99th percentile, with 16 connections, Istio adds &lt;strong>10ms&lt;/strong> over the baseline. At 64 connections, Istio adds &lt;strong>25ms&lt;/strong> with Mixer, or &lt;strong>10ms&lt;/strong> without Mixer.&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/performance-best-practices/latency_p99.png" title="Istio sidecar proxy, 99th percentile latency">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/performance-best-practices/latency_p99.png" alt="Istio sidecar proxy, 99th percentile latency" />
&lt;/a>
&lt;/div>
&lt;figcaption>&lt;/figcaption>
&lt;/figure>
&lt;p>For CPU usage, we measured with an increasing request throughput (RPS), and a constant number of concurrent connections. We found that Envoy&amp;rsquo;s maximum CPU usage at 3000 RPS, with Mixer enabled, was &lt;strong>1.2 vCPUs&lt;/strong>. At 1000 RPS, one Envoy uses approximately half of a CPU.&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/performance-best-practices/cpu_max.png" title="Istio sidecar proxy, max CPU usage">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/performance-best-practices/cpu_max.png" alt="Istio sidecar proxy, max CPU usage" />
&lt;/a>
&lt;/div>
&lt;figcaption>&lt;/figcaption>
&lt;/figure>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>In the process of benchmarking Istio&amp;rsquo;s performance, we learned several key lessons:&lt;/p>
&lt;ul>
&lt;li>Use an environment that mimics production.&lt;/li>
&lt;li>Focus on data plane traffic.&lt;/li>
&lt;li>Measure against a baseline.&lt;/li>
&lt;li>Increase concurrent connections as well as total throughput.&lt;/li>
&lt;/ul>
&lt;p>For a mesh with 1000 RPS across 16 connections, Istio 1.2 adds just &lt;strong>3 milliseconds&lt;/strong> of latency over the baseline, in the 50th percentile.&lt;/p>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">Istio&amp;rsquo;s performance depends on your specific setup and traffic load. Because of this variance, make sure your test setup accurately reflects your production workloads. To try out the benchmarking scripts, head over &lt;a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark">to the Istio Tools repository&lt;/a>.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>Also check out the &lt;a href="/v1.5/docs/ops/deployment/performance-and-scalability">Istio Performance and Scalability guide&lt;/a> for the most up-to-date performance data.&lt;/p>
&lt;p>Thank you for reading, and happy benchmarking!&lt;/p></description><pubDate>Tue, 09 Jul 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/performance-best-practices/</link><author>Megan O'Keefe (Google), John Howard (Google), Mandar Jog (Google)</author><guid isPermaLink="true">/v1.5/blog/2019/performance-best-practices/</guid><category>performance</category><category>scalability</category><category>scale</category><category>benchmarks</category></item><item><title>Extending Istio Self-Signed Root Certificate Lifetime</title><description>&lt;p>Istio self-signed certificates have historically had a 1 year default lifetime.
If you are using Istio self-signed certificates,
you need to schedule regular root transitions before they expire.
An expiration of a root certificate may lead to an unexpected cluster-wide outage.
The issue affects new clusters created with versions up to 1.0.7 and 1.1.7.&lt;/p>
&lt;p>See &lt;a href="/v1.5/docs/ops/configuration/security/root-transition/">Extending Self-Signed Certificate Lifetime&lt;/a> for
information on how to gauge the age of your certificates and how to perform rotation.&lt;/p>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">We strongly recommend you rotate root keys and root certificates annually as a security best practice.
We will send out instructions for root key/cert rotation soon.&lt;/div>
&lt;/aside>
&lt;/div></description><pubDate>Fri, 07 Jun 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/root-transition/</link><author>Oliver Liu</author><guid isPermaLink="true">/v1.5/blog/2019/root-transition/</guid><category>security</category><category>PKI</category><category>certificate</category><category>Citadel</category></item><item><title>Secure Control of Egress Traffic in Istio, part 1</title><description>
&lt;p>This is part 1 in a new series about secure control of egress traffic in Istio that I am going to publish.
In this installment, I explain why you should apply egress traffic control to your cluster, the attacks
involving egress traffic you want to prevent, and the requirements for a system for egress traffic control
to do so.
Once you agree that you should control the egress traffic coming from your cluster, the following questions arise:
What is required from a system for secure control of egress traffic? Which is the best solution to fulfill
these requirements? (spoiler: Istio in my opinion)
Future installments will describe
&lt;a href="/v1.5/blog/2019/egress-traffic-control-in-istio-part-2/">the implementation of the secure control of egress traffic in Istio&lt;/a>
and compare it with other solutions.&lt;/p>
&lt;p>The most important security aspect for a service mesh is probably ingress traffic. You definitely must prevent attackers
from penetrating the cluster through ingress APIs. Having said that, securing
the traffic leaving the mesh is also very important. Once your cluster is compromised, and you must be
prepared for that scenario, you want to reduce the damage as much as possible and prevent the attackers from using the
cluster for further attacks on external services and legacy systems outside of the cluster. To achieve that goal,
you need secure control of egress traffic.&lt;/p>
&lt;p>Compliance requirements are another reason to implement secure control of egress traffic. For example, the &lt;a href="https://www.pcisecuritystandards.org/pci_security/">Payment Card
Industry (PCI) Data Security Standard&lt;/a> requires that inbound
and outbound traffic must be restricted to that which is necessary:&lt;/p>
&lt;div>
&lt;aside class="callout quote">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-quote"/>&lt;/svg>
&lt;/div>
&lt;div class="content">&lt;em>1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.&lt;/em>&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>And specifically regarding outbound traffic:&lt;/p>
&lt;div>
&lt;aside class="callout quote">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-quote"/>&lt;/svg>
&lt;/div>
&lt;div class="content">&lt;em>1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet&amp;hellip; All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).&lt;/em>&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>Let&amp;rsquo;s start with the attacks that involve egress traffic.&lt;/p>
&lt;h2 id="the-attacks">The attacks&lt;/h2>
&lt;p>An IT organization must assume it will be attacked if it hasn&amp;rsquo;t been attacked already, and that
part of its infrastructure could already be compromised or become compromised in the future.
Once attackers are able to penetrate an application in a cluster, they can proceed to attack external services:
legacy systems, external web services and databases. The attackers may want to steal the data of the application and to
transfer it to their external servers. Attackers&amp;rsquo; malware may require access to attackers&amp;rsquo; servers to download
updates. The attackers may use pods in the cluster to perform DDOS attacks or to break into external systems.
Even though you &lt;a href="https://en.wikipedia.org/wiki/There_are_known_knowns">cannot know&lt;/a> all the possible types of
attacks, you want to reduce possibilities for any attacks, both for known and unknown ones.&lt;/p>
&lt;p>The external attackers gain access to the applications container from outside the mesh through a
bug in the application but attackers can also be internal, for example, malicious DevOps people inside the
organization.&lt;/p>
&lt;p>To prevent the attacks described above, some form of egress traffic control must be applied. Let me present egress
traffic control in the following section.&lt;/p>
&lt;h2 id="the-solution-secure-control-of-egress-traffic">The solution: secure control of egress traffic&lt;/h2>
&lt;p>Secure control of egress traffic means monitoring the egress traffic and enforcing all the security policies regarding
the egress traffic.
Monitoring the egress traffic, enables you to analyze it, possibly offline, and detect the attacks even if
you were unable to prevent them in real time.
Another good practice to reduce possibilities of attacks is to specify policies that limit access following the
&lt;a href="https://en.wikipedia.org/wiki/Need_to_know#In_computer_technology]">Need to know&lt;/a> principle: only the applications that
need external services should be allowed to access the external services they need.&lt;/p>
&lt;p>Let me now turn to the requirements for egress traffic control we collected.&lt;/p>
&lt;h2 id="requirements-for-egress-traffic-control">Requirements for egress traffic control&lt;/h2>
&lt;p>My colleagues at IBM and I collected requirements for secure control of egress traffic from several customers, and
combined them with the
&lt;a href="https://docs.google.com/document/d/1-Cq_Y-yuyNklvdnaZF9Qngl3xe0NnArT7Xt_Wno9beg">egress traffic control requirements from Kubernetes Network Special Interest Group&lt;/a>.&lt;/p>
&lt;p>Istio 1.1 satisfies all gathered requirements:&lt;/p>
&lt;ol>
&lt;li>&lt;p>Support for &lt;a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">TLS&lt;/a> with
&lt;a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI&lt;/a> or for &lt;a href="/v1.5/docs/reference/glossary/#tls-origination">TLS origination&lt;/a> by Istio.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Monitor&lt;/strong> SNI and the source workload of every egress access.&lt;/p>&lt;/li>
&lt;li>&lt;p>Define and enforce &lt;strong>policies per cluster&lt;/strong>, e.g.:&lt;/p>
&lt;ul>
&lt;li>&lt;p>all applications in the cluster may access &lt;code>service1.foo.com&lt;/code> (a specific host)&lt;/p>&lt;/li>
&lt;li>&lt;p>all applications in the cluster may access any host of the form &lt;code>*.bar.com&lt;/code> (a wildcarded domain)&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>All unspecified access must be blocked.&lt;/p>&lt;/li>
&lt;li>&lt;p>Define and enforce &lt;strong>policies per source&lt;/strong>, &lt;em>Kubernetes-aware&lt;/em>:&lt;/p>
&lt;ul>
&lt;li>&lt;p>application &lt;code>A&lt;/code> may access &lt;code>*.foo.com&lt;/code>.&lt;/p>&lt;/li>
&lt;li>&lt;p>application &lt;code>B&lt;/code> may access &lt;code>*.bar.com&lt;/code>.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>All other access must be blocked, in particular access of application &lt;code>A&lt;/code> to &lt;code>service1.bar.com&lt;/code>.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Prevent tampering&lt;/strong>. In case an application pod is compromised, prevent the compromised pod from escaping
monitoring, from sending fake information to the monitoring system, and from breaking the egress policies.&lt;/p>&lt;/li>
&lt;li>&lt;p>Nice to have: traffic control is &lt;strong>transparent&lt;/strong> to the applications.&lt;/p>&lt;/li>
&lt;/ol>
&lt;p>Let me explain each requirement in more detail. The first requirement states that only TLS traffic to the external
services must be supported.
The requirement emerged upon observation that all the traffic that leaves the cluster must be encrypted.
This means that either the applications perform TLS origination or Istio must perform TLS origination
for them.
Note that in the case an application performs TLS origination, the Istio proxies cannot see the original traffic,
only the encrypted one, so the proxies see the TLS protocol only. For the proxies it does not matter if the original
protocol is HTTP or MongoDB, all the Istio proxies can see is TLS traffic.&lt;/p>
&lt;p>The second requirement states that SNI and the source of the traffic must be monitored. Monitoring is the first step to
prevent attacks. Even if attackers would be able to access external services from the cluster, if the access is
monitored, there is a chance to discover the suspicious traffic and take a corrective action.&lt;/p>
&lt;p>Note that in the case of TLS originated by an application, the Istio sidecar proxies can only see TCP traffic and a
TLS handshake that includes SNI.
A label of the source pod could identify the source of the traffic but a service account of the pod or some
other source identifier could be used. We call this property of an egress control system as &lt;em>being Kubernetes-aware&lt;/em>:
the system must understand Kubernetes artifacts like pods and service accounts. If the system is not Kubernetes-aware,
it can only monitor the IP address as the identifier of the source.&lt;/p>
&lt;p>The third requirement states that Istio operators must be able to define policies for egress traffic for the entire
cluster.
The policies state which external services may be accessed by any pod in the cluster. The external services can be
identified either by a &lt;a href="https://en.wikipedia.org/wiki/Fully_qualified_domain_name">Fully qualified domain name&lt;/a> of the
service, e.g. &lt;code>www.ibm.com&lt;/code> or by a wildcarded domain, e.g. &lt;code>*.ibm.com&lt;/code>. Only the specified external services may be
accessed, all other egress traffic is blocked.&lt;/p>
&lt;p>This requirement originates from the need to prevent
attackers from accessing malicious sites, for example for downloading updates/instructions for their malware. You also
want to limit the number of external sites that the attackers can access and attack.
You want to allow access only to the external services that the applications in the cluster need to
access and to block access to all the other services, this way you reduce the
&lt;a href="https://en.wikipedia.org/wiki/Attack_surface">attack surface&lt;/a>. While the external services
can have their own security mechanisms, you want to exercise &lt;a href="https://en.wikipedia.org/wiki/Defense_in_depth_(computing)">Defense in depth&lt;/a> and to have multiple security layers: a security layer in your cluster in addition to
the security layers in the external systems.&lt;/p>
&lt;p>This requirement means that the external services must be identifiable by domain names. We call this property
of an egress control system as &lt;em>being DNS-aware&lt;/em>.
If the system is not DNS-aware, the external services must be specified by IP addresses.
Using IP addresses is not convenient and often is not feasible, since the IP addresses of a service can change. Sometimes
all the IP addresses of a service are not even known, for example in the case of
&lt;a href="https://en.wikipedia.org/wiki/Content_delivery_network">CDNs&lt;/a>.&lt;/p>
&lt;p>The fourth requirement states that the source of the egress traffic must be added to the policies effectively extending
the third requirement.
Policies can specify which source can access which external service and the source must be identified just as in the
second requirement, for example, by a label of the source pod or by service account of the pod.
It means that policy enforcement must also be &lt;em>Kubernetes-aware&lt;/em>.
If policy enforcement is not Kubernetes-aware, the policies must identify the source of traffic by
the IP of the pod, which is not convenient, especially since the pods can come and go so their IPs are not static.&lt;/p>
&lt;p>The fifth requirement states that even if the cluster is compromised and the attackers control some of the pods, they
must not be able to cheat the monitoring or to violate policies of the egress control system. We say that such a
system provides &lt;em>secure&lt;/em> control of egress traffic.&lt;/p>
&lt;p>The sixth requirement states that the traffic control should be provided without changing the application containers, in
particular without changing the code of the applications and without changing the environment of the containers.
We call such a control of egress traffic &lt;em>transparent&lt;/em>.&lt;/p>
&lt;p>In the next posts I will show that Istio can function as an example of an egress traffic control system that satisfies
all of these requirements, in particular it is transparent, DNS-aware, and Kubernetes-aware.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>I hope that you are convinced that controlling egress traffic is important for the security of your cluster. In &lt;a href="/v1.5/blog/2019/egress-traffic-control-in-istio-part-2/">the
part 2 of this series&lt;/a> I describe the Istio way to perform secure
control of egress traffic. In
&lt;a href="/v1.5/blog/2019/egress-traffic-control-in-istio-part-3/">the
part 3 of this series&lt;/a> I compare it with alternative solutions such as
&lt;a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/">Kubernetes Network Policies&lt;/a> and legacy
egress proxies/firewalls.&lt;/p></description><pubDate>Wed, 22 May 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/egress-traffic-control-in-istio-part-1/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.5/blog/2019/egress-traffic-control-in-istio-part-1/</guid><category>traffic-management</category><category>egress</category><category>security</category></item><item><title>Architecting Istio 1.1 for Performance</title><description>
&lt;p>Hyper-scale, microservice-based cloud environments have been exciting to build but challenging to manage. Along came Kubernetes (container orchestration) in 2014, followed by Istio (container service management) in 2017. Both open-source projects enable developers to scale container-based applications without spending too much time on administration tasks.&lt;/p>
&lt;p>Now, new enhancements in Istio 1.1 deliver scale-up with improved application performance and service management efficiency.
Simulations using our sample commercial airline reservation application show the following improvements, compared to Istio 1.0.&lt;/p>
&lt;p>We&amp;rsquo;ve seen substantial application performance gains:&lt;/p>
&lt;ul>
&lt;li>up to 30% reduction in application average latency&lt;/li>
&lt;li>up to 40% faster service startup times in a large mesh&lt;/li>
&lt;/ul>
&lt;p>As well as impressive improvements in service management efficiency:&lt;/p>
&lt;ul>
&lt;li>up to 90% reduction in Pilot CPU usage in a large mesh&lt;/li>
&lt;li>up to 50% reduction in Pilot memory usage in a large mesh&lt;/li>
&lt;/ul>
&lt;p>With Istio 1.1, organizations can be more confident in their ability to scale applications with consistency and control &amp;ndash; even in hyper-scale cloud environments.&lt;/p>
&lt;p>Congratulations to the Istio experts around the world who contributed to this release. We could not be more pleased with these results.&lt;/p>
&lt;h2 id="istio-1-1-performance-enhancements">Istio 1.1 performance enhancements&lt;/h2>
&lt;p>As members of the Istio Performance and Scalability workgroup, we have done extensive performance evaluations. We introduced many performance design features for Istio 1.1, in collaboration with other Istio contributors.
Some of the most visible performance enhancements in 1.1 include:&lt;/p>
&lt;ul>
&lt;li>Significant reduction in default collection of Envoy-generated statistics&lt;/li>
&lt;li>Added load-shedding functionality to Mixer workloads&lt;/li>
&lt;li>Improved the protocol between Envoy and Mixer&lt;/li>
&lt;li>Namespace isolation, to reduce operational overhead&lt;/li>
&lt;li>Configurable concurrent worker threads, which can improve overall throughput&lt;/li>
&lt;li>Configurable filters that limit telemetry data&lt;/li>
&lt;li>Removal of synchronization bottlenecks&lt;/li>
&lt;/ul>
&lt;h2 id="continuous-code-quality-and-performance-verification">Continuous code quality and performance verification&lt;/h2>
&lt;p>Regression Patrol drives continuous improvement in Istio performance and quality. Behind the scenes, the Regression Patrol helps Istio developers to identify and fix code issues. Daily builds are checked using a customer-centric benchmark, &lt;a href="https://github.com/blueperf/">BluePerf&lt;/a>. The results are published to the &lt;a href="https://ibmcloud-perf.istio.io/regpatrol/">Istio community web portal&lt;/a>. Various application configurations are evaluated to help provide insights on Istio component performance.&lt;/p>
&lt;p>Another tool that is used to evaluate the performance of Istios builds is &lt;a href="https://fortio.org/">Fortio&lt;/a>, which provides a synthetic end to end load testing benchmark.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>Istio 1.1 was designed for performance and scalability. The Istio Performance and Scalability workgroup measured significant performance improvements over 1.0.
Istio 1.1 introduces new features and optimizations to help harden the service mesh for enterprise microservice workloads. The Istio 1.1 Performance and Tuning Guide documents performance simulations, provides sizing and capacity planning guidance, and includes best practices for tuning custom use cases.&lt;/p>
&lt;h2 id="useful-links">Useful links&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://www.youtube.com/watch?time_continue=349&amp;amp;v=G4F5aRFEXnU">Istio Service Mesh Performance (34:30)&lt;/a>, by Surya Duggirala, Laurent Demailly and Fawad Khaliq at KubeCon Europe 2018&lt;/li>
&lt;li>&lt;a href="https://discuss.istio.io/c/performance-and-scalability">Istio Performance and Scalability discussion forum&lt;/a>&lt;/li>
&lt;/ul>
&lt;h2 id="disclaimer">Disclaimer&lt;/h2>
&lt;p>The performance data contained herein was obtained in a controlled, isolated environment. Actual results that may be obtained in other operating environments may vary significantly. There is no guarantee that the same or similar results will be obtained elsewhere.&lt;/p></description><pubDate>Tue, 19 Mar 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/istio1.1_perf/</link><author>Surya V Duggirala (IBM), Mandar Jog (Google), Jose Nativio (IBM)</author><guid isPermaLink="true">/v1.5/blog/2019/istio1.1_perf/</guid><category>performance</category><category>scalability</category><category>scale</category><category>benchmarks</category></item><item><title>Version Routing in a Multicluster Service Mesh</title><description>
&lt;p>If you&amp;rsquo;ve spent any time looking at Istio, you&amp;rsquo;ve probably noticed that it includes a lot of features that
can be demonstrated with simple &lt;a href="/v1.5/docs/tasks/">tasks&lt;/a> and &lt;a href="/v1.5/docs/examples/">examples&lt;/a>
running on a single Kubernetes cluster.
Because most, if not all, real-world cloud and microservices-based applications are not that simple
and will need to have the services distributed and running in more than one location, you may be
wondering if all these things will be just as simple in your real production environment.&lt;/p>
&lt;p>Fortunately, Istio provides several ways to configure a service mesh so that applications
can, more-or-less transparently, be part of a mesh where the services are running
in more than one cluster, i.e., in a
&lt;a href="/v1.5/docs/ops/deployment/deployment-models/#multiple-clusters">multicluster deployment&lt;/a>.
The simplest way to set up a multicluster mesh, because it has no special networking requirements,
is using a replicated
&lt;a href="/v1.5/docs/ops/deployment/deployment-models/#control-plane-models">control plane model&lt;/a>.
In this configuration, each Kubernetes cluster contributing to the mesh has its own control plane,
but each control plane is synchronized and running under a single administrative control.&lt;/p>
&lt;p>In this article we&amp;rsquo;ll look at how one of the features of Istio,
&lt;a href="/v1.5/docs/concepts/traffic-management/">traffic management&lt;/a>, works in a multicluster mesh with
a dedicated control plane topology.
We&amp;rsquo;ll show how to configure Istio route rules to call remote services in a multicluster service mesh
by deploying the &lt;a href="https://github.com/istio/istio/tree/release-1.5/samples/bookinfo">Bookinfo sample&lt;/a> with version &lt;code>v1&lt;/code> of the &lt;code>reviews&lt;/code> service
running in one cluster, versions &lt;code>v2&lt;/code> and &lt;code>v3&lt;/code> running in a second cluster.&lt;/p>
&lt;h2 id="set-up-clusters">Set up clusters&lt;/h2>
&lt;p>To start, you&amp;rsquo;ll need two Kubernetes clusters, both running a slightly customized configuration of Istio.&lt;/p>
&lt;ul>
&lt;li>&lt;p>Set up a multicluster environment with two Istio clusters by following the
&lt;a href="/v1.5/docs/setup/install/multicluster/gateways/">replicated control planes&lt;/a> instructions.&lt;/p>&lt;/li>
&lt;li>&lt;p>The &lt;code>kubectl&lt;/code> command is used to access both clusters with the &lt;code>--context&lt;/code> flag.
Use the following command to list your contexts:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* cluster1 cluster1 user@foo.com default
cluster2 cluster2 user@foo.com default
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Export the following environment variables with the context names of your configuration:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export CTX_CLUSTER1=&amp;lt;cluster1 context name&amp;gt;
$ export CTX_CLUSTER2=&amp;lt;cluster2 context name&amp;gt;
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ul>
&lt;h2 id="deploy-version-v1-of-the-bookinfo-application-in-cluster1">Deploy version v1 of the &lt;code>bookinfo&lt;/code> application in &lt;code>cluster1&lt;/code>&lt;/h2>
&lt;p>Run the &lt;code>productpage&lt;/code> and &lt;code>details&lt;/code> services and version &lt;code>v1&lt;/code> of the &lt;code>reviews&lt;/code> service in &lt;code>cluster1&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl label --context=$CTX_CLUSTER1 namespace default istio-injection=enabled
$ kubectl apply --context=$CTX_CLUSTER1 -f - &amp;lt;&amp;lt;EOF
apiVersion: v1
kind: Service
metadata:
name: productpage
labels:
app: productpage
spec:
ports:
- port: 9080
name: http
selector:
app: productpage
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: productpage-v1
spec:
replicas: 1
template:
metadata:
labels:
app: productpage
version: v1
spec:
containers:
- name: productpage
image: istio/examples-bookinfo-productpage-v1:1.10.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
---
apiVersion: v1
kind: Service
metadata:
name: details
labels:
app: details
spec:
ports:
- port: 9080
name: http
selector:
app: details
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: details-v1
spec:
replicas: 1
template:
metadata:
labels:
app: details
version: v1
spec:
containers:
- name: details
image: istio/examples-bookinfo-details-v1:1.10.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
---
apiVersion: v1
kind: Service
metadata:
name: reviews
labels:
app: reviews
spec:
ports:
- port: 9080
name: http
selector:
app: reviews
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: reviews-v1
spec:
replicas: 1
template:
metadata:
labels:
app: reviews
version: v1
spec:
containers:
- name: reviews
image: istio/examples-bookinfo-reviews-v1:1.10.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
EOF
&lt;/code>&lt;/pre>
&lt;h2 id="deploy-bookinfo-v2-and-v3-services-in-cluster2">Deploy &lt;code>bookinfo&lt;/code> v2 and v3 services in &lt;code>cluster2&lt;/code>&lt;/h2>
&lt;p>Run the &lt;code>ratings&lt;/code> service and version &lt;code>v2&lt;/code> and &lt;code>v3&lt;/code> of the &lt;code>reviews&lt;/code> service in &lt;code>cluster2&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl label --context=$CTX_CLUSTER2 namespace default istio-injection=enabled
$ kubectl apply --context=$CTX_CLUSTER2 -f - &amp;lt;&amp;lt;EOF
apiVersion: v1
kind: Service
metadata:
name: ratings
labels:
app: ratings
spec:
ports:
- port: 9080
name: http
selector:
app: ratings
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: ratings-v1
spec:
replicas: 1
template:
metadata:
labels:
app: ratings
version: v1
spec:
containers:
- name: ratings
image: istio/examples-bookinfo-ratings-v1:1.10.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
---
apiVersion: v1
kind: Service
metadata:
name: reviews
labels:
app: reviews
spec:
ports:
- port: 9080
name: http
selector:
app: reviews
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: reviews-v2
spec:
replicas: 1
template:
metadata:
labels:
app: reviews
version: v2
spec:
containers:
- name: reviews
image: istio/examples-bookinfo-reviews-v2:1.10.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: reviews-v3
spec:
replicas: 1
template:
metadata:
labels:
app: reviews
version: v3
spec:
containers:
- name: reviews
image: istio/examples-bookinfo-reviews-v3:1.10.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
EOF
&lt;/code>&lt;/pre>
&lt;h2 id="access-the-bookinfo-application">Access the &lt;code>bookinfo&lt;/code> application&lt;/h2>
&lt;p>Just like any application, we&amp;rsquo;ll use an Istio gateway to access the &lt;code>bookinfo&lt;/code> application.&lt;/p>
&lt;ul>
&lt;li>&lt;p>Create the &lt;code>bookinfo&lt;/code> gateway in &lt;code>cluster1&lt;/code>:&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/networking/bookinfo-gateway.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply --context=$CTX_CLUSTER1 -f @samples/bookinfo/networking/bookinfo-gateway.yaml@
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;li>&lt;p>Follow the &lt;a href="/v1.5/docs/examples/bookinfo/#determine-the-ingress-ip-and-port">Bookinfo sample instructions&lt;/a>
to determine the ingress IP and port and then point your browser to &lt;code>http://$GATEWAY_URL/productpage&lt;/code>.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>You should see the &lt;code>productpage&lt;/code> with reviews, but without ratings, because only &lt;code>v1&lt;/code> of the &lt;code>reviews&lt;/code> service
is running on &lt;code>cluster1&lt;/code> and we have not yet configured access to &lt;code>cluster2&lt;/code>.&lt;/p>
&lt;h2 id="create-a-service-entry-and-destination-rule-on-cluster1-for-the-remote-reviews-service">Create a service entry and destination rule on &lt;code>cluster1&lt;/code> for the remote reviews service&lt;/h2>
&lt;p>As described in the &lt;a href="/v1.5/docs/setup/install/multicluster/gateways/#setup-dns">setup instructions&lt;/a>,
remote services are accessed with a &lt;code>.global&lt;/code> DNS name. In our case, it&amp;rsquo;s &lt;code>reviews.default.global&lt;/code>,
so we need to create a service entry and destination rule for that host.
The service entry will use the &lt;code>cluster2&lt;/code> gateway as the endpoint address to access the service.
You can use the gateway&amp;rsquo;s DNS name, if it has one, or its public IP, like this:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export CLUSTER2_GW_ADDR=$(kubectl get --context=$CTX_CLUSTER2 svc --selector=app=istio-ingressgateway \
-n istio-system -o jsonpath=&amp;#34;{.items[0].status.loadBalancer.ingress[0].ip}&amp;#34;)
&lt;/code>&lt;/pre>
&lt;p>Now create the service entry and destination rule using the following command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply --context=$CTX_CLUSTER1 -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: reviews-default
spec:
hosts:
- reviews.default.global
location: MESH_INTERNAL
ports:
- name: http1
number: 9080
protocol: http
resolution: DNS
addresses:
- 240.0.0.3
endpoints:
- address: ${CLUSTER2_GW_ADDR}
labels:
cluster: cluster2
ports:
http1: 15443 # Do not change this port value
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews-global
spec:
host: reviews.default.global
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
subsets:
- name: v2
labels:
cluster: cluster2
- name: v3
labels:
cluster: cluster2
EOF
&lt;/code>&lt;/pre>
&lt;p>The address &lt;code>240.0.0.3&lt;/code> of the service entry can be any arbitrary unallocated IP.
Using an IP from the class E addresses range 240.0.0.0/4 is a good choice.
Check out the
&lt;a href="/v1.5/docs/setup/install/multicluster/gateways/#configure-the-example-services">gateway-connected multicluster example&lt;/a>
for more details.&lt;/p>
&lt;p>Note that the labels of the subsets in the destination rule map to the service entry
endpoint label (&lt;code>cluster: cluster2&lt;/code>) corresponding to the &lt;code>cluster2&lt;/code> gateway.
Once the request reaches the destination cluster, a local destination rule will be used
to identify the actual pod labels (&lt;code>version: v1&lt;/code> or &lt;code>version: v2&lt;/code>) corresponding to the
requested subset.&lt;/p>
&lt;h2 id="create-a-destination-rule-on-both-clusters-for-the-local-reviews-service">Create a destination rule on both clusters for the local reviews service&lt;/h2>
&lt;p>Technically, we only need to define the subsets of the local service that are being used
in each cluster (i.e., &lt;code>v1&lt;/code> in &lt;code>cluster1&lt;/code>, &lt;code>v2&lt;/code> and &lt;code>v3&lt;/code> in &lt;code>cluster2&lt;/code>), but for simplicity we&amp;rsquo;ll
just define all three subsets in both clusters, since there&amp;rsquo;s nothing wrong with defining subsets
for versions that are not actually deployed.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply --context=$CTX_CLUSTER1 -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews.default.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
- name: v3
labels:
version: v3
EOF
&lt;/code>&lt;/pre>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply --context=$CTX_CLUSTER2 -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews.default.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
- name: v3
labels:
version: v3
EOF
&lt;/code>&lt;/pre>
&lt;h2 id="create-a-virtual-service-to-route-reviews-service-traffic">Create a virtual service to route reviews service traffic&lt;/h2>
&lt;p>At this point, all calls to the &lt;code>reviews&lt;/code> service will go to the local &lt;code>reviews&lt;/code> pods (&lt;code>v1&lt;/code>) because
if you look at the source code you will see that the &lt;code>productpage&lt;/code> implementation is simply making
requests to &lt;code>http://reviews:9080&lt;/code> (which expands to host &lt;code>reviews.default.svc.cluster.local&lt;/code>), the
local version of the service.
The corresponding remote service is named &lt;code>reviews.default.global&lt;/code>, so route rules are needed to
redirect requests to the global host.&lt;/p>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">Note that if all of the versions of the &lt;code>reviews&lt;/code> service were remote, so there is no local &lt;code>reviews&lt;/code>
service defined, the DNS would resolve &lt;code>reviews&lt;/code> directly to &lt;code>reviews.default.global&lt;/code>. In that case
we could call the remote &lt;code>reviews&lt;/code> service without any route rules.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>Apply the following virtual service to direct traffic for user &lt;code>jason&lt;/code> to &lt;code>reviews&lt;/code> versions &lt;code>v2&lt;/code> and &lt;code>v3&lt;/code> (&lt;sup>50&lt;/sup>&amp;frasl;&lt;sub>50&lt;/sub>)
which are running on &lt;code>cluster2&lt;/code>. Traffic for any other user will go to &lt;code>reviews&lt;/code> version &lt;code>v1&lt;/code>.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply --context=$CTX_CLUSTER1 -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews.default.svc.cluster.local
http:
- match:
- headers:
end-user:
exact: jason
route:
- destination:
host: reviews.default.global
subset: v2
weight: 50
- destination:
host: reviews.default.global
subset: v3
weight: 50
- route:
- destination:
host: reviews.default.svc.cluster.local
subset: v1
EOF
&lt;/code>&lt;/pre>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">This 50/50 rule isn&amp;rsquo;t a particularly realistic example. It&amp;rsquo;s just a convenient way to demonstrate
accessing multiple subsets of a remote service.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>Return to your browser and login as user &lt;code>jason&lt;/code>. If you refresh the page several times, you should see
the display alternating between black and red ratings stars (&lt;code>v2&lt;/code> and &lt;code>v3&lt;/code>). If you logout, you will
only see reviews without ratings (&lt;code>v1&lt;/code>).&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>In this article, we&amp;rsquo;ve seen how to use Istio route rules to distribute the versions of a service
across clusters in a multicluster service mesh with a replicated control plane model.
In this example, we manually configured the &lt;code>.global&lt;/code> service entry and destination rules needed to provide
connectivity to one remote service, &lt;code>reviews&lt;/code>. In general, however, if we wanted to enable any service
to run either locally or remotely, we would need to create &lt;code>.global&lt;/code> resources for every service.
Fortunately, this process could be automated and likely will be in a future Istio release.&lt;/p></description><pubDate>Thu, 07 Feb 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/multicluster-version-routing/</link><author>Frank Budinsky (IBM)</author><guid isPermaLink="true">/v1.5/blog/2019/multicluster-version-routing/</guid><category>traffic-management</category><category>multicluster</category></item><item><title>Sail the Blog!</title><description>&lt;p>Welcome to the Istio blog!&lt;/p>
&lt;p>To make it easier to publish your content on our website, we
&lt;a href="/v1.5/about/contribute/add-content/#content-types">updated the content types guide&lt;/a>.&lt;/p>
&lt;p>The goal of the updated guide is to make sharing and finding content easier.&lt;/p>
&lt;p>We want to make sharing timely information on Istio easy and the &lt;a href="/v1.5/blog">Istio blog&lt;/a>
is a good place to start.&lt;/p>
&lt;p>We welcome your posts to the blog if you think your content falls in one of the
following four categories:&lt;/p>
&lt;ul>
&lt;li>Your post details your experience using and configuring Istio. Ideally, your
post shares a novel experience or perspective.&lt;/li>
&lt;li>Your post highlights Istio features.&lt;/li>
&lt;li>Your post details how to accomplish a task or fulfill a specific use case
using Istio.&lt;/li>
&lt;/ul>
&lt;p>Posting your blog is only &lt;a href="/v1.5/about/contribute/github/">one PR away&lt;/a>
and, if you wish, you can &lt;a href="/v1.5/about/contribute/review">request a review&lt;/a>.&lt;/p>
&lt;p>We look forward to reading about your Istio experience on the blog soon!&lt;/p></description><pubDate>Tue, 05 Feb 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/sail-the-blog/</link><author>Rigs Caballero, Google</author><guid isPermaLink="true">/v1.5/blog/2019/sail-the-blog/</guid><category>community</category><category>blog</category><category>contribution</category><category>guide</category><category>guideline</category><category>event</category></item><item><title>Egress Gateway Performance Investigation</title><description>
&lt;p>The main objective of this investigation was to determine the impact on performance and resource utilization when an egress gateway is added in the service mesh to access an external service (MongoDB, in this case). The steps to configure an egress gateway for an external MongoDB are described in the blog &lt;a href="/v1.5/blog/2018/egress-mongo/">Consuming External MongoDB Services&lt;/a>.&lt;/p>
&lt;p>The application used for this investigation was the Java version of Acmeair, which simulates an airline reservation system. This application is used in the Performance Regression Patrol of Istio daily builds, but on that setup the microservices have been accessing the external MongoDB directly via their sidecars, without an egress gateway.&lt;/p>
&lt;p>The diagram below illustrates how regression patrol currently runs with Acmeair and Istio:&lt;/p>
&lt;figure style="width:70%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:62.69230769230769%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/egress-performance/acmeair_regpatrol3.png" title="Acmeair benchmark in the Istio performance regression patrol environment">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/egress-performance/acmeair_regpatrol3.png" alt="Acmeair benchmark in the Istio performance regression patrol environment" />
&lt;/a>
&lt;/div>
&lt;figcaption>Acmeair benchmark in the Istio performance regression patrol environment&lt;/figcaption>
&lt;/figure>
&lt;p>Another difference is that the application communicates with the external DB with plain MongoDB protocol. The first change made for this study was to establish a TLS communication between the MongoDB and its clients running within the application, as this is a more realistic scenario.&lt;/p>
&lt;p>Several cases for accessing the external database from the mesh were tested and described next.&lt;/p>
&lt;h2 id="egress-traffic-cases">Egress traffic cases&lt;/h2>
&lt;h3 id="case-1-bypassing-the-sidecar">Case 1: Bypassing the sidecar&lt;/h3>
&lt;p>In this case, the sidecar does not intercept the communication between the application and the external DB. This is accomplished by setting the init container argument -x with the CIDR of the MongoDB, which makes the sidecar ignore messages to/from this IP address. For example:&lt;/p>
&lt;pre>&lt;code> - -x
- "169.47.232.211/32"&lt;/code>&lt;/pre>
&lt;figure style="width:70%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:76.45536869340232%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/egress-performance/case1_sidecar_bypass3.png" title="Traffic to external MongoDB by-passing the sidecar">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/egress-performance/case1_sidecar_bypass3.png" alt="Traffic to external MongoDB by-passing the sidecar" />
&lt;/a>
&lt;/div>
&lt;figcaption>Traffic to external MongoDB by-passing the sidecar&lt;/figcaption>
&lt;/figure>
&lt;h3 id="case-2-through-the-sidecar-with-service-entry">Case 2: Through the sidecar, with service entry&lt;/h3>
&lt;p>This is the default configuration when the sidecar is injected into the application pod. All messages are intercepted by the sidecar and routed to the destination according to the configured rules, including the communication with external services. The MongoDB was defined as a &lt;code>ServiceEntry&lt;/code>.&lt;/p>
&lt;figure style="width:70%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:74.41253263707573%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/egress-performance/case2_sidecar_passthru3.png" title="Sidecar intercepting traffic to external MongoDB">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/egress-performance/case2_sidecar_passthru3.png" alt="Sidecar intercepting traffic to external MongoDB" />
&lt;/a>
&lt;/div>
&lt;figcaption>Sidecar intercepting traffic to external MongoDB&lt;/figcaption>
&lt;/figure>
&lt;h3 id="case-3-egress-gateway">Case 3: Egress gateway&lt;/h3>
&lt;p>The egress gateway and corresponding destination rule and virtual service resources are defined for accessing MongoDB. All traffic to and from the external DB goes through the egress gateway (envoy).&lt;/p>
&lt;figure style="width:70%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:62.309368191721134%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/egress-performance/case3_egressgw3.png" title="Introduction of the egress gateway to access MongoDB">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/egress-performance/case3_egressgw3.png" alt="Introduction of the egress gateway to access MongoDB" />
&lt;/a>
&lt;/div>
&lt;figcaption>Introduction of the egress gateway to access MongoDB&lt;/figcaption>
&lt;/figure>
&lt;h3 id="case-4-mutual-tls-between-sidecars-and-the-egress-gateway">Case 4: Mutual TLS between sidecars and the egress gateway&lt;/h3>
&lt;p>In this case, there is an extra layer of security between the sidecars and the gateway, so some impact in performance is expected.&lt;/p>
&lt;figure style="width:70%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:63.968957871396896%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/egress-performance/case4_egressgw_mtls3.png" title="Enabling mutual TLS between sidecars and the egress gateway">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/egress-performance/case4_egressgw_mtls3.png" alt="Enabling mutual TLS between sidecars and the egress gateway" />
&lt;/a>
&lt;/div>
&lt;figcaption>Enabling mutual TLS between sidecars and the egress gateway&lt;/figcaption>
&lt;/figure>
&lt;h3 id="case-5-egress-gateway-with-sni-proxy">Case 5: Egress gateway with SNI proxy&lt;/h3>
&lt;p>This scenario is used to evaluate the case where another proxy is required to access wildcarded domains. This may be required due current limitations of envoy. An nginx proxy was created as sidecar in the egress gateway pod.&lt;/p>
&lt;figure style="width:70%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:65.2762119503946%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/egress-performance/case5_egressgw_sni_proxy3.png" title="Egress gateway with additional SNI Proxy">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/egress-performance/case5_egressgw_sni_proxy3.png" alt="Egress gateway with additional SNI Proxy" />
&lt;/a>
&lt;/div>
&lt;figcaption>Egress gateway with additional SNI Proxy&lt;/figcaption>
&lt;/figure>
&lt;h2 id="environment">Environment&lt;/h2>
&lt;ul>
&lt;li>Istio version: 1.0.2&lt;/li>
&lt;li>&lt;code>K8s&lt;/code> version: &lt;code>1.10.5_1517&lt;/code>&lt;/li>
&lt;li>Acmeair App: 4 services (1 replica of each), inter-services transactions, external Mongo DB, avg payload: 620 bytes.&lt;/li>
&lt;/ul>
&lt;h2 id="results">Results&lt;/h2>
&lt;p>&lt;code>Jmeter&lt;/code> was used to generate the workload which consisted in a sequence of 5-minute runs, each one using a growing number of clients making http requests. The number of clients used were 1, 5, 10, 20, 30, 40, 50 and 60.&lt;/p>
&lt;h3 id="throughput">Throughput&lt;/h3>
&lt;p>The chart below shows the throughput obtained for the different cases:&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:54.29638854296388%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/egress-performance/throughput3.png" title="Throughput obtained for the different cases">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/egress-performance/throughput3.png" alt="Throughput obtained for the different cases" />
&lt;/a>
&lt;/div>
&lt;figcaption>Throughput obtained for the different cases&lt;/figcaption>
&lt;/figure>
&lt;p>As you can see, there is no major impact in having sidecars and the egress gateway between the application and the external MongoDB, but enabling mutual TLS and then adding the SNI proxy caused a degradation in the throughput of about 10% and 24%, respectively.&lt;/p>
&lt;h3 id="response-time">Response time&lt;/h3>
&lt;p>The average response times for the different requests were collected when traffic was being driven with 20 clients. The chart below shows the average, median, 90%, 95% and 99% average values for each case:&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:48.76783398184176%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/egress-performance/response_times3.png" title="Response times obtained for the different configurations">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/egress-performance/response_times3.png" alt="Response times obtained for the different configurations" />
&lt;/a>
&lt;/div>
&lt;figcaption>Response times obtained for the different configurations&lt;/figcaption>
&lt;/figure>
&lt;p>Likewise, not much difference in the response times for the 3 first cases, but mutual TLS and the extra proxy adds noticeable latency.&lt;/p>
&lt;h3 id="cpu-utilization">CPU utilization&lt;/h3>
&lt;p>The CPU usage was collected for all Istio components as well as for the sidecars during the runs. For a fair comparison, CPU used by Istio was normalized by the throughput obtained for a given run. The results are shown in the following graph:&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:53.96174863387978%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/egress-performance/cpu_usage3.png" title="CPU usage normalized by TPS">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/egress-performance/cpu_usage3.png" alt="CPU usage normalized by TPS" />
&lt;/a>
&lt;/div>
&lt;figcaption>CPU usage normalized by TPS&lt;/figcaption>
&lt;/figure>
&lt;p>In terms of CPU consumption per transaction, Istio has used significantly more CPU only in the egress gateway + SNI proxy case.&lt;/p>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>In this investigation, we tried different options to access an external TLS-enabled MongoDB to compare their performance. The introduction of the Egress Gateway did not have a significant impact on the performance nor meaningful additional CPU consumption. Only when enabling mutual TLS between sidecars and egress gateway or using an additional SNI proxy for wildcarded domains we could observe some degradation.&lt;/p></description><pubDate>Thu, 31 Jan 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/egress-performance/</link><author>Jose Nativio, IBM</author><guid isPermaLink="true">/v1.5/blog/2019/egress-performance/</guid><category>performance</category><category>traffic-management</category><category>egress</category><category>mongo</category></item><item><title>Demystifying Istio's Sidecar Injection Model</title><description>
&lt;p>A simple overview of an Istio service-mesh architecture always starts with describing the control-plane and data-plane.&lt;/p>
&lt;p>&lt;a href="/v1.5/docs/ops/deployment/architecture/">From Istios documentation&lt;/a>:&lt;/p>
&lt;div>
&lt;aside class="callout quote">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-quote"/>&lt;/svg>
&lt;/div>
&lt;div class="content">&lt;p>An Istio service mesh is logically split into a data plane and a control plane.&lt;/p>
&lt;p>The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars. These proxies mediate and control all network communication between microservices along with Mixer, a general-purpose policy and telemetry hub.&lt;/p>
&lt;p>The control plane manages and configures the proxies to route traffic. Additionally, the control plane configures Mixers to enforce policies and collect telemetry.&lt;/p>
&lt;/div>
&lt;/aside>
&lt;/div>
&lt;figure style="width:40%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:80%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2019/data-plane-setup/arch-2.svg" title="Istio Architecture">
&lt;img class="element-to-stretch" src="/v1.5/blog/2019/data-plane-setup/arch-2.svg" alt="The overall architecture of an Istio-based application." />
&lt;/a>
&lt;/div>
&lt;figcaption>Istio Architecture&lt;/figcaption>
&lt;/figure>
&lt;p>It is important to understand that the sidecar injection into the application pods happens automatically, though manual injection is also possible. Traffic is directed from the application services to and from these sidecars without developers needing to worry about it. Once the applications are connected to the Istio service mesh, developers can start using and reaping the benefits of all that the service mesh has to offer. However, how does the data plane plumbing happen and what is really required to make it work seamlessly? In this post, we will deep-dive into the specifics of the sidecar injection models to gain a very clear understanding of how sidecar injection works.&lt;/p>
&lt;h2 id="sidecar-injection">Sidecar injection&lt;/h2>
&lt;p>In simple terms, sidecar injection is adding the configuration of additional containers to the pod template. The added containers needed for the Istio service mesh are:&lt;/p>
&lt;p>&lt;code>istio-init&lt;/code>
This &lt;a href="https://kubernetes.io/docs/concepts/workloads/pods/init-containers/">init container&lt;/a> is used to setup the &lt;code>iptables&lt;/code> rules so that inbound/outbound traffic will go through the sidecar proxy. An init container is different than an app container in following ways:&lt;/p>
&lt;ul>
&lt;li>It runs before an app container is started and it always runs to completion.&lt;/li>
&lt;li>If there are many init containers, each should complete with success before the next container is started.&lt;/li>
&lt;/ul>
&lt;p>So, you can see how this type of container is perfect for a set-up or initialization job which does not need to be a part of the actual application container. In this case, &lt;code>istio-init&lt;/code> does just that and sets up the &lt;code>iptables&lt;/code> rules.&lt;/p>
&lt;p>&lt;code>istio-proxy&lt;/code>
This is the actual sidecar proxy (based on Envoy).&lt;/p>
&lt;h3 id="manual-injection">Manual injection&lt;/h3>
&lt;p>In the manual injection method, you can use &lt;a href="/v1.5/docs/reference/commands/istioctl">&lt;code>istioctl&lt;/code>&lt;/a> to modify the pod template and add the configuration of the two containers previously mentioned. For both manual as well as automatic injection, Istio takes the configuration from the &lt;code>istio-sidecar-injector&lt;/code> configuration map (configmap) and the mesh&amp;rsquo;s &lt;code>istio&lt;/code> configmap.&lt;/p>
&lt;p>Lets look at the configuration of the &lt;code>istio-sidecar-injector&lt;/code> configmap, to get an idea of what actually is going on.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath=&amp;#39;{.data.config}&amp;#39;
SNIPPET from the output:
policy: enabled
template: |-
initContainers:
- name: istio-init
image: docker.io/istio/proxy_init:1.0.2
args:
- &amp;#34;-p&amp;#34;
- [[ .MeshConfig.ProxyListenPort ]]
- &amp;#34;-u&amp;#34;
- 1337
.....
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
add:
- NET_ADMIN
restartPolicy: Always
containers:
- name: istio-proxy
image: [[ if (isset .ObjectMeta.Annotations &amp;#34;sidecar.istio.io/proxyImage&amp;#34;) -]]
&amp;#34;[[ index .ObjectMeta.Annotations &amp;#34;sidecar.istio.io/proxyImage&amp;#34; ]]&amp;#34;
[[ else -]]
docker.io/istio/proxyv2:1.0.2
[[ end -]]
args:
- proxy
- sidecar
.....
env:
.....
- name: ISTIO_META_INTERCEPTION_MODE
value: [[ or (index .ObjectMeta.Annotations &amp;#34;sidecar.istio.io/interceptionMode&amp;#34;) .ProxyConfig.InterceptionMode.String ]]
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
[[ if eq (or (index .ObjectMeta.Annotations &amp;#34;sidecar.istio.io/interceptionMode&amp;#34;) .ProxyConfig.InterceptionMode.String) &amp;#34;TPROXY&amp;#34; -]]
capabilities:
add:
- NET_ADMIN
restartPolicy: Always
.....
&lt;/code>&lt;/pre>
&lt;p>As you can see, the configmap contains the configuration for both, the &lt;code>istio-init&lt;/code> init container and the &lt;code>istio-proxy&lt;/code> proxy container. The configuration includes the name of the container image and arguments like interception mode, capabilities, etc.&lt;/p>
&lt;p>From a security point of view, it is important to note that &lt;code>istio-init&lt;/code> requires &lt;code>NET_ADMIN&lt;/code> capabilities to modify &lt;code>iptables&lt;/code> within the pod&amp;rsquo;s namespace and so does &lt;code>istio-proxy&lt;/code> if configured in &lt;code>TPROXY&lt;/code> mode. As this is restricted to a pod&amp;rsquo;s namespace, there should be no problem. However, I have noticed that recent open-shift versions may have some issues with it and a workaround is needed. One such option is mentioned at the end of this post.&lt;/p>
&lt;p>To modify the current pod template for sidecar injection, you can:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl kube-inject -f demo-red.yaml | kubectl apply -f -
&lt;/code>&lt;/pre>
&lt;p>OR&lt;/p>
&lt;p>To use modified configmaps or local configmaps:&lt;/p>
&lt;ul>
&lt;li>&lt;p>Create &lt;code>inject-config.yaml&lt;/code> and &lt;code>mesh-config.yaml&lt;/code> from the configmaps&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath=&amp;#39;{.data.config}&amp;#39; &amp;gt; inject-config.yaml
$ kubectl -n istio-system get configmap istio -o=jsonpath=&amp;#39;{.data.mesh}&amp;#39; &amp;gt; mesh-config.yaml
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Modify the existing pod template, in my case, &lt;code>demo-red.yaml&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl kube-inject --injectConfigFile inject-config.yaml --meshConfigFile mesh-config.yaml --filename demo-red.yaml --output demo-red-injected.yaml
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Apply the &lt;code>demo-red-injected.yaml&lt;/code>&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f demo-red-injected.yaml
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ul>
&lt;p>As seen above, we create a new template using the &lt;code>sidecar-injector&lt;/code> and the mesh configuration to then apply that new template using &lt;code>kubectl&lt;/code>. If we look at the injected YAML file, it has the configuration of the Istio-specific containers, as we discussed above. Once we apply the injected YAML file, we see two containers running. One of them is the actual application container, and the other is the &lt;code>istio-proxy&lt;/code> sidecar.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods | grep demo-red
demo-red-pod-8b5df99cc-pgnl7 2/2 Running 0 3d
&lt;/code>&lt;/pre>
&lt;p>The count is not 3 because the &lt;code>istio-init&lt;/code> container is an init type container that exits after doing what it supposed to do, which is setting up the &lt;code>iptable&lt;/code> rules within the pod. To confirm the init container exit, lets look at the output of &lt;code>kubectl describe&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl describe pod demo-red-pod-8b5df99cc-pgnl7
SNIPPET from the output:
Name: demo-red-pod-8b5df99cc-pgnl7
Namespace: default
.....
Labels: app=demo-red
pod-template-hash=8b5df99cc
version=version-red
Annotations: sidecar.istio.io/status={&amp;#34;version&amp;#34;:&amp;#34;3c0b8d11844e85232bc77ad85365487638ee3134c91edda28def191c086dc23e&amp;#34;,&amp;#34;initContainers&amp;#34;:[&amp;#34;istio-init&amp;#34;],&amp;#34;containers&amp;#34;:[&amp;#34;istio-proxy&amp;#34;],&amp;#34;volumes&amp;#34;:[&amp;#34;istio-envoy&amp;#34;,&amp;#34;istio-certs...
Status: Running
IP: 10.32.0.6
Controlled By: ReplicaSet/demo-red-pod-8b5df99cc
Init Containers:
istio-init:
Container ID: docker://bef731eae1eb3b6c9d926cacb497bb39a7d9796db49cd14a63014fc1a177d95b
Image: docker.io/istio/proxy_init:1.0.2
Image ID: docker-pullable://docker.io/istio/proxy_init@sha256:e16a0746f46cd45a9f63c27b9e09daff5432e33a2d80c8cc0956d7d63e2f9185
.....
State: Terminated
Reason: Completed
.....
Ready: True
Containers:
demo-red:
Container ID: docker://8cd9957955ff7e534376eb6f28b56462099af6dfb8b9bc37aaf06e516175495e
Image: chugtum/blue-green-image:v3
Image ID: docker-pullable://docker.io/chugtum/blue-green-image@sha256:274756dbc215a6b2bd089c10de24fcece296f4c940067ac1a9b4aea67cf815db
State: Running
Started: Sun, 09 Dec 2018 18:12:31 -0800
Ready: True
istio-proxy:
Container ID: docker://ca5d690be8cd6557419cc19ec4e76163c14aed2336eaad7ebf17dd46ca188b4a
Image: docker.io/istio/proxyv2:1.0.2
Image ID: docker-pullable://docker.io/istio/proxyv2@sha256:54e206530ba6ca9b3820254454e01b7592e9f986d27a5640b6c03704b3b68332
Args:
proxy
sidecar
.....
State: Running
Started: Sun, 09 Dec 2018 18:12:31 -0800
Ready: True
.....
&lt;/code>&lt;/pre>
&lt;p>As seen in the output, the &lt;code>State&lt;/code> of the &lt;code>istio-init&lt;/code> container is &lt;code>Terminated&lt;/code> with the &lt;code>Reason&lt;/code> being &lt;code>Completed&lt;/code>. The only two containers running are the main application &lt;code>demo-red&lt;/code> container and the &lt;code>istio-proxy&lt;/code> container.&lt;/p>
&lt;h3 id="automatic-injection">Automatic injection&lt;/h3>
&lt;p>Most of the times, you dont want to manually inject a sidecar every time you deploy an application, using the &lt;a href="/v1.5/docs/reference/commands/istioctl">&lt;code>istioctl&lt;/code>&lt;/a> command, but would prefer that Istio automatically inject the sidecar to your pod. This is the recommended approach and for it to work, all you need to do is to label the namespace where you are deploying the app with &lt;code>istio-injection=enabled&lt;/code>.&lt;/p>
&lt;p>Once labeled, Istio injects the sidecar automatically for any pod you deploy in that namespace. In the following example, the sidecar gets automatically injected in the deployed pods in the &lt;code>istio-dev&lt;/code> namespace.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get namespaces --show-labels
NAME STATUS AGE LABELS
default Active 40d &amp;lt;none&amp;gt;
istio-dev Active 19d istio-injection=enabled
istio-system Active 24d &amp;lt;none&amp;gt;
kube-public Active 40d &amp;lt;none&amp;gt;
kube-system Active 40d &amp;lt;none&amp;gt;
&lt;/code>&lt;/pre>
&lt;p>But how does this work? To get to the bottom of this, we need to understand Kubernetes admission controllers.&lt;/p>
&lt;p>&lt;a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/">From Kubernetes documentation:&lt;/a>&lt;/p>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. You can define two types of admission webhooks, validating admission Webhook and mutating admission webhook. With validating admission Webhooks, you may reject requests to enforce custom admission policies. With mutating admission Webhooks, you may change requests to enforce custom defaults.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>For automatic sidecar injection, Istio relies on &lt;code>Mutating Admission Webhook&lt;/code>. Lets look at the details of the &lt;code>istio-sidecar-injector&lt;/code> mutating webhook configuration.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml
SNIPPET from the output:
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{&amp;#34;apiVersion&amp;#34;:&amp;#34;admissionregistration.k8s.io/v1beta1&amp;#34;,&amp;#34;kind&amp;#34;:&amp;#34;MutatingWebhookConfiguration&amp;#34;,&amp;#34;metadata&amp;#34;:{&amp;#34;annotations&amp;#34;:{},&amp;#34;labels&amp;#34;:{&amp;#34;app&amp;#34;:&amp;#34;istio-sidecar-injector&amp;#34;,&amp;#34;chart&amp;#34;:&amp;#34;sidecarInjectorWebhook-1.0.1&amp;#34;,&amp;#34;heritage&amp;#34;:&amp;#34;Tiller&amp;#34;,&amp;#34;release&amp;#34;:&amp;#34;istio-remote&amp;#34;},&amp;#34;name&amp;#34;:&amp;#34;istio-sidecar-injector&amp;#34;,&amp;#34;namespace&amp;#34;:&amp;#34;&amp;#34;},&amp;#34;webhooks&amp;#34;:[{&amp;#34;clientConfig&amp;#34;:{&amp;#34;caBundle&amp;#34;:&amp;#34;&amp;#34;,&amp;#34;service&amp;#34;:{&amp;#34;name&amp;#34;:&amp;#34;istio-sidecar-injector&amp;#34;,&amp;#34;namespace&amp;#34;:&amp;#34;istio-system&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/inject&amp;#34;}},&amp;#34;failurePolicy&amp;#34;:&amp;#34;Fail&amp;#34;,&amp;#34;name&amp;#34;:&amp;#34;sidecar-injector.istio.io&amp;#34;,&amp;#34;namespaceSelector&amp;#34;:{&amp;#34;matchLabels&amp;#34;:{&amp;#34;istio-injection&amp;#34;:&amp;#34;enabled&amp;#34;}},&amp;#34;rules&amp;#34;:[{&amp;#34;apiGroups&amp;#34;:[&amp;#34;&amp;#34;],&amp;#34;apiVersions&amp;#34;:[&amp;#34;v1&amp;#34;],&amp;#34;operations&amp;#34;:[&amp;#34;CREATE&amp;#34;],&amp;#34;resources&amp;#34;:[&amp;#34;pods&amp;#34;]}]}]}
creationTimestamp: 2018-12-10T08:40:15Z
generation: 2
labels:
app: istio-sidecar-injector
chart: sidecarInjectorWebhook-1.0.1
heritage: Tiller
release: istio-remote
name: istio-sidecar-injector
.....
webhooks:
- clientConfig:
service:
name: istio-sidecar-injector
namespace: istio-system
path: /inject
name: sidecar-injector.istio.io
namespaceSelector:
matchLabels:
istio-injection: enabled
rules:
- apiGroups:
- &amp;#34;&amp;#34;
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
&lt;/code>&lt;/pre>
&lt;p>This is where you can see the webhook &lt;code>namespaceSelector&lt;/code> label that is matched for sidecar injection with the label &lt;code>istio-injection: enabled&lt;/code>. In this case, you also see the operations and resources for which this is done when the pods are created. When an &lt;code>apiserver&lt;/code> receives a request that matches one of the rules, the &lt;code>apiserver&lt;/code> sends an admission review request to the webhook service as specified in the &lt;code>clientConfig:&lt;/code>configuration with the &lt;code>name: istio-sidecar-injector&lt;/code> key-value pair. We should be able to see that this service is running in the &lt;code>istio-system&lt;/code> namespace.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get svc --namespace=istio-system | grep sidecar-injector
istio-sidecar-injector ClusterIP 10.102.70.184 &amp;lt;none&amp;gt; 443/TCP 24d
&lt;/code>&lt;/pre>
&lt;p>This configuration ultimately does pretty much the same as we saw in manual injection. Just that it is done automatically during pod creation, so you wont see the change in the deployment. You need to use &lt;code>kubectl describe&lt;/code> to see the sidecar proxy and the init proxy.&lt;/p>
&lt;p>The automatic sidecar injection not only depends on the &lt;code>namespaceSelector&lt;/code> mechanism of the webhook, but also on the default injection policy and the per-pod override annotation.&lt;/p>
&lt;p>If you look at the &lt;code>istio-sidecar-injector&lt;/code> ConfigMap again, it has the default injection policy defined. In our case, it is enabled by default.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath=&amp;#39;{.data.config}&amp;#39;
SNIPPET from the output:
policy: enabled
template: |-
initContainers:
- name: istio-init
image: &amp;#34;gcr.io/istio-release/proxy_init:1.0.2&amp;#34;
args:
- &amp;#34;-p&amp;#34;
- [[ .MeshConfig.ProxyListenPort ]]
&lt;/code>&lt;/pre>
&lt;p>You can also use the annotation &lt;code>sidecar.istio.io/inject&lt;/code> in the pod template to override the default policy. The following example disables the automatic injection of the sidecar for the pods in a &lt;code>Deployment&lt;/code>.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: ignored
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: &amp;#34;false&amp;#34;
spec:
containers:
- name: ignored
image: tutum/curl
command: [&amp;#34;/bin/sleep&amp;#34;,&amp;#34;infinity&amp;#34;]
&lt;/code>&lt;/pre>
&lt;p>This example shows there are many variables, based on whether the automatic sidecar injection is controlled in your namespace, ConfigMap, or pod and they are:&lt;/p>
&lt;ul>
&lt;li>webhooks &lt;code>namespaceSelector&lt;/code> (&lt;code>istio-injection: enabled&lt;/code>)&lt;/li>
&lt;li>default policy (Configured in the ConfigMap &lt;code>istio-sidecar-injector&lt;/code>)&lt;/li>
&lt;li>per-pod override annotation (&lt;code>sidecar.istio.io/inject&lt;/code>)&lt;/li>
&lt;/ul>
&lt;p>The &lt;a href="/v1.5/docs/ops/common-problems/injection/">injection status table&lt;/a> shows a clear picture of the final injection status based on the value of the above variables.&lt;/p>
&lt;h2 id="traffic-flow-from-application-container-to-sidecar-proxy">Traffic flow from application container to sidecar proxy&lt;/h2>
&lt;p>Now that we are clear about how a sidecar container and an init container are injected into an application manifest, how does the sidecar proxy grab the inbound and outbound traffic to and from the container? We did briefly mention that it is done by setting up the &lt;code>iptable&lt;/code> rules within the pod namespace, which in turn is done by the &lt;code>istio-init&lt;/code> container. Now, it is time to verify what actually gets updated within the namespace.&lt;/p>
&lt;p>Lets get into the application pod namespace we deployed in the previous section and look at the configured iptables. I am going to show an example using &lt;code>nsenter&lt;/code>. Alternatively, you can enter the container in a privileged mode to see the same information. For folks without access to the nodes, using &lt;code>exec&lt;/code> to get into the sidecar and running &lt;code>iptables&lt;/code> is more practical.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ docker inspect b8de099d3510 --format &amp;#39;{{ .State.Pid }}&amp;#39;
4125
&lt;/code>&lt;/pre>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ nsenter -t 4215 -n iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N ISTIO_INBOUND
-N ISTIO_IN_REDIRECT
-N ISTIO_OUTPUT
-N ISTIO_REDIRECT
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 80 -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -j ISTIO_REDIRECT
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
&lt;/code>&lt;/pre>
&lt;p>The output above clearly shows that all the incoming traffic to port 80, which is the port our &lt;code>red-demo&lt;/code> application is listening, is now &lt;code>REDIRECTED&lt;/code> to port &lt;code>15001&lt;/code>, which is the port that the &lt;code>istio-proxy&lt;/code>, an Envoy proxy, is listening. The same holds true for the outgoing traffic.&lt;/p>
&lt;p>This brings us to the end of this post. I hope it helped to de-mystify how Istio manages to inject the sidecar proxies into an existing deployment and how Istio routes the traffic to the proxy.&lt;/p>
&lt;div>
&lt;aside class="callout idea">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-idea"/>&lt;/svg>
&lt;/div>
&lt;div class="content">Update: In place of &lt;code>istio-init&lt;/code>, there now seems to be an option of using the new CNI, which removes the need for the init container and associated privileges. This &lt;a href="https://github.com/istio/cni">&lt;code>istio-cni&lt;/code>&lt;/a> plugin sets up the pods&amp;rsquo; networking to fulfill this requirement in place of the current Istio injected pod &lt;code>istio-init&lt;/code> approach.&lt;/div>
&lt;/aside>
&lt;/div></description><pubDate>Thu, 31 Jan 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/data-plane-setup/</link><author>Manish Chugtu</author><guid isPermaLink="true">/v1.5/blog/2019/data-plane-setup/</guid><category>kubernetes</category><category>sidecar-injection</category><category>traffic-management</category></item><item><title>Sidestepping Dependency Ordering with AppSwitch</title><description>
&lt;p>We are going through an interesting cycle of application decomposition and recomposition. While the microservice paradigm is driving monolithic applications to be broken into separate individual services, the service mesh approach is helping them to be connected back together into well-structured applications. As such, microservices are logically separate but not independent. They are usually closely interdependent and taking them apart introduces many new concerns such as need for mutual authentication between services. Istio directly addresses most of those issues.&lt;/p>
&lt;h2 id="dependency-ordering-problem">Dependency ordering problem&lt;/h2>
&lt;p>An issue that arises due to application decomposition and one that Istio doesnt address is dependency ordering &amp;ndash; bringing up individual services of an application in an order that guarantees that the application as a whole comes up quickly and correctly. In a monolithic application, with all its components built-in, dependency ordering between the components is enforced by internal locking mechanisms. But with individual services potentially scattered across the cluster in a service mesh, starting a service first requires checking that the services it depends on are up and available.&lt;/p>
&lt;p>Dependency ordering is deceptively nuanced with a host of interrelated problems. Ordering individual services requires having the dependency graph of the services so that they can be brought up starting from leaf nodes back to the root nodes. It is not easy to construct such a graph and keep it updated over time as interdependencies evolve with the behavior of the application. Even if the dependency graph is somehow provided, enforcing the ordering itself is not easy. Simply starting the services in the specified order obviously wont do. A service may have started but not be ready to accept connections yet. This is the problem with docker-compose&amp;rsquo;s &lt;code>depends-on&lt;/code> tag, for example.&lt;/p>
&lt;p>Apart from introducing sufficiently long sleeps between service startups, a common pattern that is often used is to check for readiness of dependencies before starting a service. In Kubernetes, this could be done with a wait script as part of the init container of the pod. However that means that the entire application would be held up until all its dependencies come alive. Sometimes applications spend several minutes initializing themselves on startup before making their first outbound connection. Not allowing a service to start at all adds substantial overhead to overall startup time of the application. Also, the strategy of waiting on the init container won&amp;rsquo;t work for the case of multiple interdependent services within the same pod.&lt;/p>
&lt;h3 id="example-scenario-ibm-websphere-nd">Example scenario: IBM WebSphere ND&lt;/h3>
&lt;p>Let us consider IBM WebSphere ND &amp;ndash; a widely deployed application middleware &amp;ndash; to grok these problems more closely. It is a fairly complex framework in itself and consists of a central component called deployment manager (&lt;code>dmgr&lt;/code>) that manages a set of node instances. It uses UDP to negotiate cluster membership among the nodes and requires that deployment manager is up and operational before any of the node instances can come up and join the cluster.&lt;/p>
&lt;p>Why are we talking about a traditional application in the modern cloud-native context? It turns out that there are significant gains to be had by enabling them to run on the Kubernetes and Istio platforms. Essentially it&amp;rsquo;s a part of the modernization journey that allows running traditional apps alongside green-field apps on the same modern platform to facilitate interoperation between the two. In fact, WebSphere ND is a demanding application. It expects a consistent network environment with specific network interface attributes etc. AppSwitch is equipped to take care of those requirements. For the purpose of this blog however, I&amp;rsquo;ll focus on the dependency ordering requirement and how AppSwitch addresses it.&lt;/p>
&lt;p>Simply deploying &lt;code>dmgr&lt;/code> and node instances as pods on a Kubernetes cluster does not work. &lt;code>dmgr&lt;/code> and the node instances happen to have a lengthy initialization process that can take several minutes. If they are all co-scheduled, the application typically ends up in a funny state. When a node instance comes up and finds that &lt;code>dmgr&lt;/code> is missing, it would take an alternate startup path. Instead, if it had exited immediately, Kubernetes crash-loop would have taken over and perhaps the application would have come up. But even in that case, it turns out that a timely startup is not guaranteed.&lt;/p>
&lt;p>One &lt;code>dmgr&lt;/code> along with its node instances is a basic deployment configuration for WebSphere ND. Applications like IBM Business Process Manager that are built on top of WebSphere ND running in production environments include several other services. In those configurations, there could be a chain of interdependencies. Depending on the applications hosted by the node instances, there may be an ordering requirement among them as well. With long service initialization times and crash-loop restarts, there is little chance for the application to start in any reasonable length of time.&lt;/p>
&lt;h3 id="sidecar-dependency-in-istio">Sidecar dependency in Istio&lt;/h3>
&lt;p>Istio itself is affected by a version of the dependency ordering problem. Since connections into and out of a service running under Istio are redirected through its sidecar proxy, an implicit dependency is created between the application service and its sidecar. Unless the sidecar is fully operational, all requests from and to the service get dropped.&lt;/p>
&lt;h2 id="dependency-ordering-with-appswitch">Dependency ordering with AppSwitch&lt;/h2>
&lt;p>So how do we go about addressing these issues? One way is to defer it to the applications and say that they are supposed to be &amp;ldquo;well behaved&amp;rdquo; and implement appropriate logic to make themselves immune to startup order issues. However, many applications (especially traditional ones) either timeout or deadlock if misordered. Even for new applications, implementing one off logic for each service is substantial additional burden that is best avoided. Service mesh needs to provide adequate support around these problems. After all, factoring out common patterns into an underlying framework is really the point of service mesh.&lt;/p>
&lt;p>&lt;a href="http://appswitch.io">AppSwitch&lt;/a> explicitly addresses dependency ordering. It sits on the control path of the applications network interactions between clients and services in a cluster and knows precisely when a service becomes a client by making the &lt;code>connect&lt;/code> call and when a particular service becomes ready to accept connections by making the &lt;code>listen&lt;/code> call. It&amp;rsquo;s &lt;em>service router&lt;/em> component disseminates information about these events across the cluster and arbitrates interactions among clients and servers. That is how AppSwitch implements functionality such as load balancing and isolation in a simple and efficient manner. Leveraging the same strategic location of the application&amp;rsquo;s network control path, it is conceivable that the &lt;code>connect&lt;/code> and &lt;code>listen&lt;/code> calls made by those services can be lined up at a finer granularity rather than coarsely sequencing entire services as per a dependency graph. That would effectively solve the multilevel dependency problem and speedup application startup.&lt;/p>
&lt;p>But that still requires a dependency graph. A number of products and tools exist to help with discovering service dependencies. But they are typically based on passive monitoring of network traffic and cannot provide the information beforehand for any arbitrary application. Network level obfuscation due to encryption and tunneling also makes them unreliable. The burden of discovering and specifying the dependencies ultimately falls to the developer or the operator of the application. As it is, even consistency checking a dependency specification is itself quite complex and any way to avoid requiring a dependency graph would be most desirable.&lt;/p>
&lt;p>The point of a dependency graph is to know which clients depend on a particular service so that those clients can then be made to wait for the respective service to become live. But does it really matter which specific clients? Ultimately one tautology that always holds is that all clients of a service have an implicit dependency on the service. Thats what AppSwitch leverages to get around the requirement. In fact, that sidesteps dependency ordering altogether. All services of the application can be co-scheduled without regard to any startup order. Interdependencies among them automatically work themselves out at the granularity of individual requests and responses, resulting in quick and correct application startups.&lt;/p>
&lt;h3 id="appswitch-model-and-constructs">AppSwitch model and constructs&lt;/h3>
&lt;p>Now that we have a conceptual understanding of AppSwitchs high-level approach, lets look at the constructs involved. But first a quick summary of the usage model is in order. Even though it is written for a different context, reviewing my earlier &lt;a href="/v1.5/blog/2018/delayering-istio/">blog&lt;/a> on this topic would be useful as well. For completeness, let me also note AppSwitch doesnt bother with non-network dependencies. For example it may be possible for two services to interact using IPC mechanisms or through the shared file system. Processes with deep ties like that are typically part of the same service anyway and dont require frameworks intervention for ordering.&lt;/p>
&lt;p>At its core, AppSwitch is built on a mechanism that allows instrumenting the BSD socket API and other related calls like &lt;code>fcntl&lt;/code> and &lt;code>ioctl&lt;/code> that deal with sockets. As interesting as the details of its implementation are, its going to distract us from the main topic, so Id just summarize the key properties that distinguish it from other implementations. (1) Its fast. It uses a combination of &lt;code>seccomp&lt;/code> filtering and binary instrumentation to aggressively limit intervening with applications normal execution. AppSwitch is particularly suited for service mesh and application networking use cases given that it implements those features without ever having to actually touch the data. In contrast, network level approaches incur per-packet cost. Take a look at this &lt;a href="/v1.5/blog/2018/delayering-istio/">blog&lt;/a> for some of the performance measurements. (2) It doesnt require any kernel support, kernel module or a patch and works on standard distro kernels (3) It can run as regular user (no root). In fact, the mechanism can even make it possible to run &lt;a href="https://linuxpiter.com/en/materials/2478">Docker daemon without root&lt;/a> by removing root requirement to network containers (4) It doesnt require any changes to the applications whatsoever and works for any type of application &amp;ndash; from WebSphere ND and SAP to custom C apps to statically linked Go apps. Only requirement at this point is Linux/x86.&lt;/p>
&lt;h3 id="decoupling-services-from-their-references">Decoupling services from their references&lt;/h3>
&lt;p>AppSwitch is built on the fundamental premise that applications should be decoupled from their references. The identity of applications is traditionally derived from the identity of the host on which they run. However, applications and hosts are very different objects that need to be referenced independently. Detailed discussion around this topic along with a conceptual foundation of AppSwitch is presented in this &lt;a href="https://arxiv.org/abs/1711.02294">research paper&lt;/a>.&lt;/p>
&lt;p>The central AppSwitch construct that achieves the decoupling between services objects and their identities is &lt;em>service reference&lt;/em> (&lt;em>reference&lt;/em>, for short). AppSwitch implements service references based on the API instrumentation mechanism outlined above. A service reference consists of an IP:port pair (and optionally a DNS name) and a label-selector that selects the service represented by the reference and the clients to which this reference applies. A reference supports a few key properties. (1) It can be named independently of the name of the object it refers to. That is, a service may be listening on an IP and port but a reference allows that service to be reached on any other IP and port chosen by the user. This is what allows AppSwitch to run traditional applications captured from their source environments with static IP configurations to run on Kubernetes by providing them with necessary IP addresses and ports regardless of the target network environment. (2) It remains unchanged even if the location of the target service changes. A reference automatically redirects itself as its label-selector now resolves to the new instance of the service (3) Most important for this discussion, a reference remains valid even as the target service is coming up.&lt;/p>
&lt;p>To facilitate discovering services that can be accessed through service references, AppSwitch provides an &lt;em>auto-curated service registry&lt;/em>. The registry is automatically kept up to date as services come and go across the cluster based on the network API that AppSwitch tracks. Each entry in the registry consists of the IP and port where the respective service is bound. Along with that, it includes a set of labels indicating the application to which this service belongs, the IP and port that the application passed through the socket API when creating the service, the IP and port where AppSwitch actually bound the service on the underlying host on behalf of the application etc. In addition, applications created under AppSwitch carry a set of labels passed by the user that describe the application together with a few default system labels indicating the user that created the application and the host where the application is running etc. These labels are all available to be expressed in the label-selector carried by a service reference. A service in the registry can be made accessible to clients by creating a service reference. A client would then be able to reach the service at the references name (IP:port). Now lets look at how AppSwitch guarantees that the reference remains valid even when the target service has not yet come up.&lt;/p>
&lt;h3 id="non-blocking-requests">Non-blocking requests&lt;/h3>
&lt;p>AppSwitch leverages the semantics of the BSD socket API to ensure that service references appear valid from the perspective of clients as corresponding services come up. When a client makes a blocking connect call to another service that has not yet come up, AppSwitch blocks the call for a certain time waiting for the target service to become live. Since it is known that the target service is a part of the application and is expected to come up shortly, making the client block rather than returning an error such as &lt;code>ECONNREFUSED&lt;/code> prevents the application from failing to start. If the service doesnt come up within time, an error is returned to the application so that framework-level mechanisms like Kubernetes crash-loop can kick in.&lt;/p>
&lt;p>If the client request is marked as non-blocking, AppSwitch handles that by returning &lt;code>EAGAIN&lt;/code> to inform the application to retry rather than give up. Once again, that is in-line with the semantics of socket API and prevents failures due to startup races. AppSwitch essentially enables the retry logic already built into applications in support of the BSD socket API to be transparently repurposed for dependency ordering.&lt;/p>
&lt;h3 id="application-timeouts">Application timeouts&lt;/h3>
&lt;p>What if the application times out based on its own internal timer? Truth be told, AppSwitch can also fake applications perception of time if wanted but that would be overstepping and actually unnecessary. Application decides and knows best how long it should wait and its not appropriate for AppSwitch to mess with that. Application timeouts are conservatively long and if the target service still hasnt come up in time, it is unlikely to be a dependency ordering issue. There must be something else going on that should not be masked.&lt;/p>
&lt;h3 id="wildcard-service-references-for-sidecar-dependency">Wildcard service references for sidecar dependency&lt;/h3>
&lt;p>Service references can be used to address the Istio sidecar dependency issue mentioned earlier. AppSwitch allows the IP:port specified as part of a service reference to be a wildcard. That is, the service reference IP address can be a netmask indicating the IP address range to be captured. If the label selector of the service reference points to the sidecar service, then all outgoing connections of any application for which this service reference is applied, will be transparently redirected to the sidecar. And of course, the service reference remains valid while sidecar is still coming up and the race is removed.&lt;/p>
&lt;p>Using service references for sidecar dependency ordering also implicitly redirects applications connections to the sidecar without requiring iptables and attendant privilege issues. Essentially it works as if the application is directly making connections to the sidecar rather than the target destination, leaving the sidecar in charge of what to do. AppSwitch would interject metadata about the original destination etc. into the data stream of the connection using the proxy protocol that the sidecar could decode before passing the connection through to the application. Some of these details were discussed &lt;a href="/v1.5/blog/2018/delayering-istio/">here&lt;/a>. That takes care of outbound connections but what about incoming connections? With all services and their sidecars running under AppSwitch, any incoming connections that would have come from remote nodes would be redirected to their respective remote sidecars. So nothing special to do about incoming connections.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>Dependency ordering is a pesky problem. This is mostly due to lack of access to fine-grain application-level events around inter-service interactions. Addressing this problem would have normally required applications to implement their own internal logic. But AppSwitch makes those internal application events to be instrumented without requiring application changes. AppSwitch then leverages the ubiquitous support for the BSD socket API to sidestep the requirement of ordering dependencies.&lt;/p>
&lt;h2 id="acknowledgements">Acknowledgements&lt;/h2>
&lt;p>Thanks to Eric Herness and team for their insights and support with IBM WebSphere and BPM products as we modernized them onto the Kubernetes platform and to Mandar Jog, Martin Taillefer and Shriram Rajagopalan for reviewing early drafts of this blog.&lt;/p></description><pubDate>Mon, 14 Jan 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/appswitch/</link><author>Dinesh Subhraveti (AppOrbit and Columbia University)</author><guid isPermaLink="true">/v1.5/blog/2019/appswitch/</guid><category>appswitch</category><category>performance</category></item><item><title>Deploy a Custom Ingress Gateway Using Cert-Manager</title><description>
&lt;p>This post provides instructions to manually create a custom ingress &lt;a href="/v1.5/docs/reference/config/networking/gateway/">gateway&lt;/a> with automatic provisioning of certificates based on cert-manager.&lt;/p>
&lt;p>The creation of custom ingress gateway could be used in order to have different &lt;code>loadbalancer&lt;/code> in order to isolate traffic.&lt;/p>
&lt;h2 id="before-you-begin">Before you begin&lt;/h2>
&lt;ul>
&lt;li>Setup Istio by following the instructions in the
&lt;a href="/v1.5/docs/setup/">Installation guide&lt;/a>.&lt;/li>
&lt;li>Setup &lt;code>cert-manager&lt;/code> with helm &lt;a href="https://github.com/helm/charts/tree/master/stable/cert-manager#installing-the-chart">chart&lt;/a>&lt;/li>
&lt;li>We will use &lt;code>demo.mydemo.com&lt;/code> for our example,
it must be resolved with your DNS&lt;/li>
&lt;/ul>
&lt;h2 id="configuring-the-custom-ingress-gateway">Configuring the custom ingress gateway&lt;/h2>
&lt;ol>
&lt;li>&lt;p>Check if &lt;a href="https://github.com/helm/charts/tree/master/stable/cert-manager">cert-manager&lt;/a> was installed using Helm with the following command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm ls
&lt;/code>&lt;/pre>
&lt;p>The output should be similar to the example below and show cert-manager with a &lt;code>STATUS&lt;/code> of &lt;code>DEPLOYED&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-plain' data-expandlinks='true' data-repo='istio' >NAME REVISION UPDATED STATUS CHART APP VERSION NAMESPACE
istio 1 Thu Oct 11 13:34:24 2018 DEPLOYED istio-1.0.X 1.0.X istio-system
cert 1 Wed Oct 24 14:08:36 2018 DEPLOYED cert-manager-v0.6.0-dev.2 v0.6.0-dev.2 istio-system
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>To create the cluster&amp;rsquo;s issuer, apply the following configuration:&lt;/p>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">Change the cluster&amp;rsquo;s &lt;a href="https://cert-manager.readthedocs.io/en/latest/reference/issuers.html">issuer&lt;/a> provider with your own configuration values. The example uses the values under &lt;code>route53&lt;/code>.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-demo
namespace: kube-system
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: &amp;lt;REDACTED&amp;gt;
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-demo
dns01:
# Here we define a list of DNS-01 providers that can solve DNS challenges
providers:
- name: your-dns
route53:
accessKeyID: &amp;lt;REDACTED&amp;gt;
region: eu-central-1
secretAccessKeySecretRef:
name: prod-route53-credentials-secret
key: secret-access-key
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>If you use the &lt;code>route53&lt;/code> &lt;a href="https://cert-manager.readthedocs.io/en/latest/tasks/acme/configuring-dns01/route53.html">provider&lt;/a>, you must provide a secret to perform DNS ACME Validation. To create the secret, apply the following configuration file:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
kind: Secret
metadata:
name: prod-route53-credentials-secret
type: Opaque
data:
secret-access-key: &amp;lt;REDACTED BASE64&amp;gt;
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create your own certificate:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: demo-certificate
namespace: istio-system
spec:
acme:
config:
- dns01:
provider: your-dns
domains:
- &amp;#39;*.mydemo.com&amp;#39;
commonName: &amp;#39;*.mydemo.com&amp;#39;
dnsNames:
- &amp;#39;*.mydemo.com&amp;#39;
issuerRef:
kind: ClusterIssuer
name: letsencrypt-demo
secretName: istio-customingressgateway-certs
&lt;/code>&lt;/pre>
&lt;p>Make a note of the value of &lt;code>secretName&lt;/code> since a future step requires it.&lt;/p>&lt;/li>
&lt;li>&lt;p>To scale automatically, declare a new horizontal pod autoscaler with the following configuration:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: my-ingressgateway
namespace: istio-system
spec:
maxReplicas: 5
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: my-ingressgateway
targetCPUUtilizationPercentage: 80
status:
currentCPUUtilizationPercentage: 0
currentReplicas: 1
desiredReplicas: 1
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Apply your deployment with declaration provided in the &lt;a href="/v1.5/blog/2019/custom-ingress-gateway/deployment-custom-ingress.yaml">yaml definition&lt;/a>&lt;/p>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">The annotations used, for example &lt;code>aws-load-balancer-type&lt;/code>, only apply for AWS.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;/li>
&lt;li>&lt;p>Create your service:&lt;/p>
&lt;div>
&lt;aside class="callout warning">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-warning"/>&lt;/svg>
&lt;/div>
&lt;div class="content">The &lt;code>NodePort&lt;/code> used needs to be an available port.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
kind: Service
metadata:
name: my-ingressgateway
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
labels:
app: my-ingressgateway
istio: my-ingressgateway
spec:
type: LoadBalancer
selector:
app: my-ingressgateway
istio: my-ingressgateway
ports:
-
name: http2
nodePort: 32380
port: 80
targetPort: 80
-
name: https
nodePort: 32390
port: 443
-
name: tcp
nodePort: 32400
port: 31400
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create your Istio custom gateway configuration object:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
annotations:
name: istio-custom-gateway
namespace: default
spec:
selector:
istio: my-ingressgateway
servers:
- hosts:
- &amp;#39;*.mydemo.com&amp;#39;
port:
name: http
number: 80
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- &amp;#39;*.mydemo.com&amp;#39;
port:
name: https
number: 443
protocol: HTTPS
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Link your &lt;code>istio-custom-gateway&lt;/code> with your &lt;code>VirtualService&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: my-virtualservice
spec:
hosts:
- &amp;#34;demo.mydemo.com&amp;#34;
gateways:
- istio-custom-gateway
http:
- route:
- destination:
host: my-demoapp
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Correct certificate is returned by the server and it is successfully verified (&lt;em>SSL certificate verify ok&lt;/em> is printed):&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl -v `https://demo.mydemo.com`
Server certificate:
SSL certificate verify ok.
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;p>&lt;strong>Congratulations!&lt;/strong> You can now use your custom &lt;code>istio-custom-gateway&lt;/code> &lt;a href="/v1.5/docs/reference/config/networking/gateway/">gateway&lt;/a> configuration object.&lt;/p></description><pubDate>Thu, 10 Jan 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/custom-ingress-gateway/</link><author>Julien Senon</author><guid isPermaLink="true">/v1.5/blog/2019/custom-ingress-gateway/</guid><category>ingress</category><category>traffic-management</category></item><item><title>Announcing discuss.istio.io</title><description>&lt;p>We in the Istio community have been working to find the right medium for users to engage with other members of the community &amp;ndash; to ask questions,
to get help from other users, and to engage with developers working on the project.&lt;/p>
&lt;p>Weve tried several different avenues, but each has had some downsides. RocketChat was our most recent endeavor, but the lack of certain
features (for example, threading) meant it wasnt ideal for any longer discussions around a single issue. It also led to a dilemma for
some users &amp;ndash; when should I email istio-users@googlegroups.com and when should I use RocketChat?&lt;/p>
&lt;p>We think weve found the right balance of features in a single platform, and were happy to announce
&lt;a href="https://discuss.istio.io">discuss.istio.io&lt;/a>. Its a full-featured forum where we will have discussions about Istio from here on out.
It will allow you to ask a question and get threaded replies! As a real bonus, you can use your GitHub identity.&lt;/p>
&lt;p>If you prefer emails, you can configure it to send emails just like Google groups did.&lt;/p>
&lt;p>We will be marking our Google groups &amp;ldquo;read only&amp;rdquo; so that the content remains, but we ask you to send further questions over to
&lt;a href="https://discuss.istio.io">discuss.istio.io&lt;/a>. If you have any outstanding questions or discussions in the groups, please move the conversation over.&lt;/p>
&lt;p>Happy meshing!&lt;/p></description><pubDate>Thu, 10 Jan 2019 00:00:00 +0000</pubDate><link>/v1.5/blog/2019/announcing-discuss.istio.io/</link><author/><guid isPermaLink="true">/v1.5/blog/2019/announcing-discuss.istio.io/</guid></item><item><title>Incremental Istio Part 1, Traffic Management</title><description>
&lt;p>Traffic management is one of the critical benefits provided by Istio. At the heart of Istios traffic management is the ability to decouple traffic flow and infrastructure scaling. This lets you control your traffic in ways that arent possible without a service mesh like Istio.&lt;/p>
&lt;p>For example, lets say you want to execute a &lt;a href="https://martinfowler.com/bliki/CanaryRelease.html">canary deployment&lt;/a>. With Istio, you can specify that &lt;strong>v1&lt;/strong> of a service receives 90% of incoming traffic, while &lt;strong>v2&lt;/strong> of that service only receives 10%. With standard Kubernetes deployments, the only way to achieve this is to manually control the number of available Pods for each version, for example 9 Pods running v1 and 1 Pod running v2. This type of manual control is hard to implement, and over time may have trouble scaling. For more information, check out &lt;a href="/v1.5/blog/2017/0.1-canary/">Canary Deployments using Istio&lt;/a>.&lt;/p>
&lt;p>The same issue exists when deploying updates to existing services. While you can update deployments with Kubernetes, it requires replacing v1 Pods with v2 Pods. Using Istio, you can deploy v2 of your service and use built-in traffic management mechanisms to shift traffic to your updated services at a network level, then remove the v1 Pods.&lt;/p>
&lt;p>In addition to canary deployments and general traffic shifting, Istio also gives you the ability to implement dynamic request routing (based on HTTP headers), failure recovery, retries, circuit breakers, and fault injection. For more information, check out the &lt;a href="/v1.5/docs/concepts/traffic-management/">Traffic Management documentation&lt;/a>.&lt;/p>
&lt;p>This post walks through a technique that highlights a particularly useful way that you can implement Istio incrementally &amp;ndash; in this case, only the traffic management features &amp;ndash; without having to individually update each of your Pods.&lt;/p>
&lt;h2 id="setup-why-implement-istio-traffic-management-features">Setup: why implement Istio traffic management features?&lt;/h2>
&lt;p>Of course, the first question is: Why would you want to do this?&lt;/p>
&lt;p>If youre part of one of the many organizations out there that have a large cluster with lots of teams deploying, the answer is pretty clear. Lets say Team A is getting started with Istio and wants to start some canary deployments on Service A, but Team B hasnt started using Istio, so they dont have sidecars deployed.&lt;/p>
&lt;p>With Istio, Team A can still implement their canaries by having Service B call Service A through Istios ingress gateway.&lt;/p>
&lt;h2 id="background-traffic-routing-in-an-istio-mesh">Background: traffic routing in an Istio mesh&lt;/h2>
&lt;p>But how can you use Istios traffic management capabilities without updating each of your applications Pods to include the Istio sidecar? Before answering that question, lets take a quick high-level look at how traffic enters an Istio mesh and how its routed.&lt;/p>
&lt;p>Pods that are part of the Istio mesh contain a sidecar proxy that is responsible for mediating all inbound and outbound traffic to the Pod. Within an Istio mesh, Pilot is responsible for converting high-level routing rules into configurations and propagating them to the sidecar proxies. That means when services communicate with one another, their routing decisions are determined from the client side.&lt;/p>
&lt;p>Lets say you have two services that are part of the Istio mesh, Service A and Service B. When A wants to communicate with B, the sidecar proxy of Pod A is responsible for directing traffic to Service B. For example, if you wanted to split traffic &lt;sup>50&lt;/sup>&amp;frasl;&lt;sub>50&lt;/sub> across Service B v1 and v2, the traffic would flow as follows:&lt;/p>
&lt;figure style="width:60%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:42.66666666666667%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/incremental-traffic-management/fifty-fifty.png" title="50/50 Traffic Split">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/incremental-traffic-management/fifty-fifty.png" alt="50/50 Traffic Split" />
&lt;/a>
&lt;/div>
&lt;figcaption>50/50 Traffic Split&lt;/figcaption>
&lt;/figure>
&lt;p>If Services A and B are not part of the Istio mesh, there is no sidecar proxy that knows how to route traffic to different versions of Service B. In that case you need to use another approach to get traffic from Service A to Service B, following the &lt;sup>50&lt;/sup>&amp;frasl;&lt;sub>50&lt;/sub> rules youve setup.&lt;/p>
&lt;p>Fortunately, a standard Istio deployment already includes a &lt;a href="/v1.5/docs/concepts/traffic-management/#gateways">Gateway&lt;/a> that specifically deals with ingress traffic outside of the Istio mesh. This Gateway is used to allow ingress traffic from outside the cluster via an external load balancer, or to allow ingress traffic from within the Kubernetes cluster but outside the service mesh. It can be configured to proxy incoming ingress traffic to the appropriate Pods, even if they dont have a sidecar proxy. While this approach allows you to leverage Istios traffic management features, it does mean that traffic going through the ingress gateway will incur an extra hop.&lt;/p>
&lt;figure style="width:60%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:54.83870967741935%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/incremental-traffic-management/fifty-fifty-ingress-gateway.png" title="50/50 Traffic Split using Ingress Gateway">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/incremental-traffic-management/fifty-fifty-ingress-gateway.png" alt="50/50 Traffic Split using Ingress Gateway" />
&lt;/a>
&lt;/div>
&lt;figcaption>50/50 Traffic Split using Ingress Gateway&lt;/figcaption>
&lt;/figure>
&lt;h2 id="in-action-traffic-routing-with-istio">In action: traffic routing with Istio&lt;/h2>
&lt;p>A simple way to see this type of approach in action is to first setup your Kubernetes environment using the &lt;a href="/v1.5/docs/setup/platform-setup/">Platform Setup&lt;/a> instructions, and then install the &lt;strong>minimal&lt;/strong> Istio profile using &lt;a href="/v1.5/docs/setup/install/helm/">Helm&lt;/a>, including only the traffic management components (ingress gateway, egress gateway, Pilot). The following example uses &lt;a href="https://cloud.google.com/gke">Google Kubernetes Engine&lt;/a>.&lt;/p>
&lt;p>First, setup and configure &lt;a href="/v1.5/docs/setup/platform-setup/gke/">GKE&lt;/a>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ gcloud container clusters create istio-inc --zone us-central1-f
$ gcloud container clusters get-credentials istio-inc
$ kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
&lt;/code>&lt;/pre>
&lt;p>Next, &lt;a href="https://helm.sh/docs/intro/install/">install Helm&lt;/a> and &lt;a href="/v1.5/docs/setup/install/helm/">generate a minimal Istio install&lt;/a> &amp;ndash; only traffic management components:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm template install/kubernetes/helm/istio \
--name istio \
--namespace istio-system \
--set security.enabled=false \
--set galley.enabled=false \
--set sidecarInjectorWebhook.enabled=false \
--set mixer.enabled=false \
--set prometheus.enabled=false \
--set pilot.sidecar=false &amp;gt; istio-minimal.yaml
&lt;/code>&lt;/pre>
&lt;p>Then create the &lt;code>istio-system&lt;/code> namespace and deploy Istio:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create namespace istio-system
$ kubectl apply -f istio-minimal.yaml
&lt;/code>&lt;/pre>
&lt;p>Next, deploy the Bookinfo sample without the Istio sidecar containers:&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo.yaml@
&lt;/code>&lt;/pre>&lt;/div>
&lt;p>Now, configure a new Gateway that allows access to the reviews service from outside the Istio mesh, a new &lt;code>VirtualService&lt;/code> that splits traffic evenly between v1 and v2 of the reviews service, and a set of new &lt;code>DestinationRule&lt;/code> resources that match destination subsets to service versions:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: reviews-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- &amp;#34;*&amp;#34;
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- &amp;#34;*&amp;#34;
gateways:
- reviews-gateway
http:
- match:
- uri:
prefix: /reviews
route:
- destination:
host: reviews
subset: v1
weight: 50
- destination:
host: reviews
subset: v2
weight: 50
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
- name: v3
labels:
version: v3
EOF
&lt;/code>&lt;/pre>
&lt;p>Finally, deploy a pod that you can use for testing with &lt;code>curl&lt;/code> (and without the Istio sidecar container):&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/sleep/sleep.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/sleep/sleep.yaml@
&lt;/code>&lt;/pre>&lt;/div>
&lt;h2 id="testing-your-deployment">Testing your deployment&lt;/h2>
&lt;p>Now, you can test different behaviors using the &lt;code>curl&lt;/code> commands via the sleep Pod.&lt;/p>
&lt;p>The first example is to issue requests to the reviews service using standard Kubernetes service DNS behavior (&lt;strong>note&lt;/strong>: &lt;a href="https://stedolan.github.io/jq/">&lt;code>jq&lt;/code>&lt;/a> is used in the examples below to filter the output from &lt;code>curl&lt;/code>):&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export SLEEP_POD=$(kubectl get pod -l app=sleep \
-o jsonpath={.items..metadata.name})
$ for i in `seq 3`; do \
kubectl exec -it $SLEEP_POD curl http://reviews:9080/reviews/0 | \
jq &amp;#39;.reviews|.[]|.rating?&amp;#39;; \
done
&lt;/code>&lt;/pre>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;stars&amp;#34;: 5,
&amp;#34;color&amp;#34;: &amp;#34;black&amp;#34;
}
{
&amp;#34;stars&amp;#34;: 4,
&amp;#34;color&amp;#34;: &amp;#34;black&amp;#34;
}
null
null
{
&amp;#34;stars&amp;#34;: 5,
&amp;#34;color&amp;#34;: &amp;#34;red&amp;#34;
}
{
&amp;#34;stars&amp;#34;: 4,
&amp;#34;color&amp;#34;: &amp;#34;red&amp;#34;
}
&lt;/code>&lt;/pre>
&lt;p>Notice how were getting responses from all three versions of the reviews service (&lt;code>null&lt;/code> is from reviews v1 which doesnt have ratings) and not getting the even split across v1 and v2. This is expected behavior because the &lt;code>curl&lt;/code> command is using Kubernetes service load balancing across all three versions of the reviews service. In order to access the reviews &lt;sup>50&lt;/sup>&amp;frasl;&lt;sub>50&lt;/sub> split we need to access the service via the ingress Gateway:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ for i in `seq 4`; do \
kubectl exec -it $SLEEP_POD curl http://istio-ingressgateway.istio-system/reviews/0 | \
jq &amp;#39;.reviews|.[]|.rating?&amp;#39;; \
done
&lt;/code>&lt;/pre>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;stars&amp;#34;: 5,
&amp;#34;color&amp;#34;: &amp;#34;black&amp;#34;
}
{
&amp;#34;stars&amp;#34;: 4,
&amp;#34;color&amp;#34;: &amp;#34;black&amp;#34;
}
null
null
{
&amp;#34;stars&amp;#34;: 5,
&amp;#34;color&amp;#34;: &amp;#34;black&amp;#34;
}
{
&amp;#34;stars&amp;#34;: 4,
&amp;#34;color&amp;#34;: &amp;#34;black&amp;#34;
}
null
null
&lt;/code>&lt;/pre>
&lt;p>Mission accomplished! This post showed how to deploy a minimal installation of Istio that only contains the traffic management components (Pilot, ingress Gateway), and then use those components to direct traffic to specific versions of the reviews service. And it wasn&amp;rsquo;t necessary to deploy the Istio sidecar proxy to gain these capabilities, so there was little to no interruption of existing workloads or applications.&lt;/p>
&lt;p>Using the built-in ingress gateway (along with some &lt;code>VirtualService&lt;/code> and &lt;code>DestinationRule&lt;/code> resources) this post showed how you can easily leverage Istios traffic management for cluster-external ingress traffic and cluster-internal service-to-service traffic. This technique is a great example of an incremental approach to adopting Istio, and can be especially useful in real-world cases where Pods are owned by different teams or deployed to different namespaces.&lt;/p></description><pubDate>Wed, 21 Nov 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/incremental-traffic-management/</link><author>Sandeep Parikh</author><guid isPermaLink="true">/v1.5/blog/2018/incremental-traffic-management/</guid><category>traffic-management</category><category>gateway</category></item><item><title>Consuming External MongoDB Services</title><description>
&lt;p>In the &lt;a href="/v1.5/blog/2018/egress-tcp/">Consuming External TCP Services&lt;/a> blog post, I described how external services
can be consumed by in-mesh Istio applications via TCP. In this post, I demonstrate consuming external MongoDB services.
You use the &lt;a href="/v1.5/docs/examples/bookinfo/">Istio Bookinfo sample application&lt;/a>, the version in which the book
ratings data is persisted in a MongoDB database. You deploy this database outside the cluster and configure the
&lt;em>ratings&lt;/em> microservice to use it. You will learn multiple options of controlling traffic to external MongoDB services and their
pros and cons.&lt;/p>
&lt;h2 id="bookinfo-with-external-ratings-database">Bookinfo with external ratings database&lt;/h2>
&lt;p>First, you set up a MongoDB database instance to hold book ratings data outside of your Kubernetes cluster. Then you
modify the &lt;a href="/v1.5/docs/examples/bookinfo/">Bookinfo sample application&lt;/a> to use your database.&lt;/p>
&lt;h3 id="setting-up-the-ratings-database">Setting up the ratings database&lt;/h3>
&lt;p>For this task you set up an instance of &lt;a href="https://www.mongodb.com">MongoDB&lt;/a>. You can use any MongoDB instance; I used
&lt;a href="https://www.ibm.com/cloud/compose/mongodb">Compose for MongoDB&lt;/a>.&lt;/p>
&lt;ol>
&lt;li>&lt;p>Set an environment variable for the password of your &lt;code>admin&lt;/code> user. To prevent the password from being preserved in
the Bash history, remove the command from the history immediately after running the command, using
&lt;a href="https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html#Bash-History-Builtins">history -d&lt;/a>.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export MONGO_ADMIN_PASSWORD=&amp;lt;your MongoDB admin password&amp;gt;
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Set an environment variable for the password of the new user you will create, namely &lt;code>bookinfo&lt;/code>.
Remove the command from the history using
&lt;a href="https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html#Bash-History-Builtins">history -d&lt;/a>.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export BOOKINFO_PASSWORD=&amp;lt;password&amp;gt;
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Set environment variables for your MongoDB service, &lt;code>MONGODB_HOST&lt;/code> and &lt;code>MONGODB_PORT&lt;/code>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Create the &lt;code>bookinfo&lt;/code> user:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
use test
db.createUser(
{
user: &amp;#34;bookinfo&amp;#34;,
pwd: &amp;#34;$BOOKINFO_PASSWORD&amp;#34;,
roles: [ &amp;#34;read&amp;#34;]
}
);
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create a &lt;em>collection&lt;/em> to hold ratings. The following command sets both ratings to be equal &lt;code>1&lt;/code> to provide a visual
clue when your database is used by the Bookinfo &lt;em>ratings&lt;/em> service (the default Bookinfo &lt;em>ratings&lt;/em> are &lt;code>4&lt;/code> and &lt;code>5&lt;/code>).&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
use test
db.createCollection(&amp;#34;ratings&amp;#34;);
db.ratings.insert(
[{rating: 1},
{rating: 1}]
);
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Check that &lt;code>bookinfo&lt;/code> user can get ratings:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u bookinfo -p $BOOKINFO_PASSWORD --authenticationDatabase test
use test
db.ratings.find({});
EOF
&lt;/code>&lt;/pre>
&lt;p>The output should be similar to:&lt;/p>
&lt;pre>&lt;code class='language-plain' data-expandlinks='true' data-repo='istio' >MongoDB server version: 3.4.10
switched to db test
{ &amp;#34;_id&amp;#34; : ObjectId(&amp;#34;5b7c29efd7596e65b6ed2572&amp;#34;), &amp;#34;rating&amp;#34; : 1 }
{ &amp;#34;_id&amp;#34; : ObjectId(&amp;#34;5b7c29efd7596e65b6ed2573&amp;#34;), &amp;#34;rating&amp;#34; : 1 }
bye
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;h3 id="initial-setting-of-bookinfo-application">Initial setting of Bookinfo application&lt;/h3>
&lt;p>To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with &lt;a href="/v1.5/docs/setup/getting-started/">Istio installed&lt;/a>. Then you deploy the
&lt;a href="/v1.5/docs/examples/bookinfo/">Istio Bookinfo sample application&lt;/a>, &lt;a href="/v1.5/docs/examples/bookinfo/#apply-default-destination-rules">apply the default destination rules&lt;/a>, and
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy">change Istio to the blocking-egress-by-default policy&lt;/a>.&lt;/p>
&lt;p>This application uses the &lt;code>ratings&lt;/code> microservice to fetch book ratings, a number between 1 and 5. The ratings are
displayed as stars for each review. There are several versions of the &lt;code>ratings&lt;/code> microservice. You will deploy the
version that uses &lt;a href="https://www.mongodb.com">MongoDB&lt;/a> as the ratings database in the next subsection.&lt;/p>
&lt;p>The example commands in this blog post work with Istio 1.0.&lt;/p>
&lt;p>As a reminder, here is the end-to-end architecture of the application from the
&lt;a href="/v1.5/docs/examples/bookinfo/">Bookinfo sample application&lt;/a>.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.086918235567985%">
&lt;a data-skipendnotes="true" href="/v1.5/docs/examples/bookinfo/withistio.svg" title="The original Bookinfo application">
&lt;img class="element-to-stretch" src="/v1.5/docs/examples/bookinfo/withistio.svg" alt="The original Bookinfo application" />
&lt;/a>
&lt;/div>
&lt;figcaption>The original Bookinfo application&lt;/figcaption>
&lt;/figure>
&lt;h3 id="use-the-external-database-in-bookinfo-application">Use the external database in Bookinfo application&lt;/h3>
&lt;ol>
&lt;li>&lt;p>Deploy the spec of the &lt;em>ratings&lt;/em> microservice that uses a MongoDB database (&lt;em>ratings v2&lt;/em>):&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
serviceaccount &amp;#34;bookinfo-ratings-v2&amp;#34; created
deployment &amp;#34;ratings-v2&amp;#34; created
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;li>&lt;p>Update the &lt;code>MONGO_DB_URL&lt;/code> environment variable to the value of your MongoDB:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl set env deployment/ratings-v2 &amp;#34;MONGO_DB_URL=mongodb://bookinfo:$BOOKINFO_PASSWORD@$MONGODB_HOST:$MONGODB_PORT/test?authSource=test&amp;amp;ssl=true&amp;#34;
deployment.extensions/ratings-v2 env updated
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Route all the traffic destined to the &lt;em>reviews&lt;/em> service to its &lt;em>v3&lt;/em> version. You do this to ensure that the
&lt;em>reviews&lt;/em> service always calls the &lt;em>ratings&lt;/em> service. In addition, route all the traffic destined to the &lt;em>ratings&lt;/em>
service to &lt;em>ratings v2&lt;/em> that uses your database.&lt;/p>
&lt;p>Specify the routing for both services above by adding two
&lt;a href="/v1.5/docs/reference/config/networking/virtual-service/">virtual services&lt;/a>. These virtual services are
specified in &lt;code>samples/bookinfo/networking/virtual-service-ratings-mongodb.yaml&lt;/code> of an Istio release archive.
&lt;strong>&lt;em>Important:&lt;/em>&lt;/strong> make sure you
&lt;a href="/v1.5/docs/examples/bookinfo/#apply-default-destination-rules">applied the default destination rules&lt;/a> before running the
following command.&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/networking/virtual-service-ratings-db.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;/ol>
&lt;p>The updated architecture appears below. Note that the blue arrows inside the mesh mark the traffic configured according
to the virtual services we added. According to the virtual services, the traffic is sent to &lt;em>reviews v3&lt;/em> and
&lt;em>ratings v2&lt;/em>.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.314858206480224%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-mongo/bookinfo-ratings-v2-mongodb-external.svg" title="The Bookinfo application with ratings v2 and an external MongoDB database">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-mongo/bookinfo-ratings-v2-mongodb-external.svg" alt="The Bookinfo application with ratings v2 and an external MongoDB database" />
&lt;/a>
&lt;/div>
&lt;figcaption>The Bookinfo application with ratings v2 and an external MongoDB database&lt;/figcaption>
&lt;/figure>
&lt;p>Note that the MongoDB database is outside the Istio service mesh, or more precisely outside the Kubernetes cluster. The
boundary of the service mesh is marked by a dashed line.&lt;/p>
&lt;h3 id="access-the-webpage">Access the webpage&lt;/h3>
&lt;p>Access the webpage of the application, after
&lt;a href="/v1.5/docs/examples/bookinfo/#determine-the-ingress-ip-and-port">determining the ingress IP and port&lt;/a>.&lt;/p>
&lt;p>Since you did not configure the egress traffic control yet, the access to the MongoDB service is blocked by Istio.
This is why instead of the rating stars, the message &lt;em>&amp;ldquo;Ratings service is currently unavailable&amp;rdquo;&lt;/em> is currently
displayed below each review:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:36.18705035971223%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-mongo/errorFetchingBookRating.png" title="The Ratings service error messages">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-mongo/errorFetchingBookRating.png" alt="The Ratings service error messages" />
&lt;/a>
&lt;/div>
&lt;figcaption>The Ratings service error messages&lt;/figcaption>
&lt;/figure>
&lt;p>In the following sections you will configure egress access to the external MongoDB service, using different options for
egress control in Istio.&lt;/p>
&lt;h2 id="egress-control-for-tcp">Egress control for TCP&lt;/h2>
&lt;p>Since &lt;a href="https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/">MongoDB Wire Protocol&lt;/a> runs on top of TCP, you
can control the egress traffic to your MongoDB as traffic to any other &lt;a href="/v1.5/blog/2018/egress-tcp/">external TCP service&lt;/a>. To
control TCP traffic, a block of IPs in the &lt;a href="https://tools.ietf.org/html/rfc2317">CIDR&lt;/a> notation that includes the IP
address of your MongoDB host must be specified. The caveat here is that sometimes the IP of the MongoDB host is not
stable or known in advance.&lt;/p>
&lt;p>In the cases when the IP of the MongoDB host is not stable, the egress traffic can either be
&lt;a href="#egress-control-for-tls">controlled as TLS traffic&lt;/a>, or the traffic can be routed
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services">directly&lt;/a>, bypassing the Istio sidecar
proxies.&lt;/p>
&lt;p>Get the IP address of your MongoDB database instance. As an option, you can use the
&lt;a href="https://linux.die.net/man/1/host">host&lt;/a> command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export MONGODB_IP=$(host $MONGODB_HOST | grep &amp;#34; has address &amp;#34; | cut -d&amp;#34; &amp;#34; -f4)
&lt;/code>&lt;/pre>
&lt;h3 id="control-tcp-egress-traffic-without-a-gateway">Control TCP egress traffic without a gateway&lt;/h3>
&lt;p>In case you do not need to direct the traffic through an
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#use-case">egress gateway&lt;/a>, for example if you do not have a
requirement that all the traffic that exists your mesh must exit through the gateway, follow the
instructions in this section. Alternatively, if you do want to direct your traffic through an egress gateway, proceed to
&lt;a href="#direct-tcp-egress-traffic-through-an-egress-gateway">Direct TCP egress traffic through an egress gateway&lt;/a>.&lt;/p>
&lt;ol>
&lt;li>&lt;p>Define a TCP mesh-external service entry:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: mongo
spec:
hosts:
- my-mongo.tcp.svc
addresses:
- $MONGODB_IP/32
ports:
- number: $MONGODB_PORT
name: tcp
protocol: TCP
location: MESH_EXTERNAL
resolution: STATIC
endpoints:
- address: $MONGODB_IP
EOF
&lt;/code>&lt;/pre>
&lt;p>Note that the protocol &lt;code>TCP&lt;/code> is specified instead of &lt;code>MONGO&lt;/code> due to the fact that the traffic can be encrypted in
case &lt;a href="https://docs.mongodb.com/manual/tutorial/configure-ssl/">the MongoDB protocol runs on top of TLS&lt;/a>.
If the traffic is encrypted, the encrypted MongoDB protocol cannot be parsed by the Istio proxy.&lt;/p>
&lt;p>If you know that the plain MongoDB protocol is used, without encryption, you can specify the protocol as &lt;code>MONGO&lt;/code> and
let the Istio proxy produce
&lt;a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/mongo_proxy_filter#statistics">MongoDB related statistics&lt;/a>.
Also note that when the protocol &lt;code>TCP&lt;/code> is specified, the configuration is not specific for MongoDB, but is the same
for any other database with the protocol on top of TCP.&lt;/p>
&lt;p>Note that the host of your MongoDB is not used in TCP routing, so you can use any host, for example &lt;code>my-mongo.tcp.svc&lt;/code>. Notice the &lt;code>STATIC&lt;/code> resolution and the endpoint with the IP of your MongoDB service. Once you define such an endpoint, you can access MongoDB services that do not have a domain name.&lt;/p>&lt;/li>
&lt;li>&lt;p>Refresh the web page of the application. Now the application should display the ratings without error:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:36.69064748201439%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-mongo/externalDBRatings.png" title="Book Ratings Displayed Correctly">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-mongo/externalDBRatings.png" alt="Book Ratings Displayed Correctly" />
&lt;/a>
&lt;/div>
&lt;figcaption>Book Ratings Displayed Correctly&lt;/figcaption>
&lt;/figure>
&lt;p>Note that you see a one-star rating for both displayed reviews, as expected. You set the ratings to be one star to
provide yourself with a visual clue that your external database is indeed being used.&lt;/p>&lt;/li>
&lt;li>&lt;p>If you want to direct the traffic through an egress gateway, proceed to the next section. Otherwise, perform
&lt;a href="#cleanup-of-tcp-egress-traffic-control">cleanup&lt;/a>.&lt;/p>&lt;/li>
&lt;/ol>
&lt;h3 id="direct-tcp-egress-traffic-through-an-egress-gateway">Direct TCP Egress traffic through an egress gateway&lt;/h3>
&lt;p>In this section you handle the case when you need to direct the traffic through an
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#use-case">egress gateway&lt;/a>. The sidecar proxy routes TCP
connections from the MongoDB client to the egress gateway, by matching the IP of the MongoDB host (a CIDR block of
length 32). The egress gateway forwards the traffic to the MongoDB host, by its hostname.&lt;/p>
&lt;ol>
&lt;li>&lt;p>&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway">Deploy Istio egress gateway&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>If you did not perform the steps in &lt;a href="#control-tcp-egress-traffic-without-a-gateway">the previous section&lt;/a>, perform them now.&lt;/p>&lt;/li>
&lt;li>&lt;p>You may want to enable &lt;span class="term" data-title="Mutual TLS Authentication" data-body="&amp;lt;p&amp;gt;Mutual TLS provides strong service-to-service authentication with built-in identity and credential management.
&amp;lt;a href=&amp;#34;/docs/concepts/security/#mutual-tls-authentication&amp;#34;&amp;gt;Learn more about mutual TLS authentication&amp;lt;/a&amp;gt;.&amp;lt;/p&amp;gt;
">mutual TLS Authentication&lt;/span> between the sidecar proxies of
your MongoDB clients and the egress gateway to let the egress gateway monitor the identity of the source pods and to
enable Mixer policy enforcement based on that identity. By enabling mutual TLS you also encrypt the traffic.
If you do not want to enable mutual TLS, proceed to the &lt;a href="http://localhost:1313/blog/2018/egress-mongo/#mutual-tls-between-the-sidecar-proxies-and-the-egress-gateway">Mutual TLS between the sidecar proxies and the egress gateway&lt;/a> section.
Otherwise, proceed to the following section.&lt;/p>&lt;/li>
&lt;/ol>
&lt;h4 id="configure-tcp-traffic-from-sidecars-to-the-egress-gateway">Configure TCP traffic from sidecars to the egress gateway&lt;/h4>
&lt;ol>
&lt;li>&lt;p>Define the &lt;code>EGRESS_GATEWAY_MONGODB_PORT&lt;/code> environment variable to hold some port for directing traffic through
the egress gateway, e.g. &lt;code>7777&lt;/code>. You must select a port that is not used for any other service in the mesh.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export EGRESS_GATEWAY_MONGODB_PORT=7777
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Add the selected port to the &lt;code>istio-egressgateway&lt;/code> service. You should use the same values you used for installing
Istio, in particular you have to specify all the ports of the &lt;code>istio-egressgateway&lt;/code> service that you previously
configured.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm template install/kubernetes/helm/istio/ --name istio-egressgateway --namespace istio-system -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml --set gateways.istio-ingressgateway.enabled=false --set gateways.istio-egressgateway.enabled=true --set gateways.istio-egressgateway.ports[0].port=80 --set gateways.istio-egressgateway.ports[0].name=http --set gateways.istio-egressgateway.ports[1].port=443 --set gateways.istio-egressgateway.ports[1].name=https --set gateways.istio-egressgateway.ports[2].port=$EGRESS_GATEWAY_MONGODB_PORT --set gateways.istio-egressgateway.ports[2].name=mongo | kubectl apply -f -
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Check that the &lt;code>istio-egressgateway&lt;/code> service indeed has the selected port:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get svc istio-egressgateway -n istio-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-egressgateway ClusterIP 172.21.202.204 &amp;lt;none&amp;gt; 80/TCP,443/TCP,7777/TCP 34d
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Disable mutual TLS authentication for the &lt;code>istio-egressgateway&lt;/code> service:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: istio-egressgateway
namespace: istio-system
spec:
targets:
- name: istio-egressgateway
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create an egress &lt;code>Gateway&lt;/code> for your MongoDB service, and destination rules and a virtual service to direct the
traffic through the egress gateway and from the egress gateway to the external service.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: $EGRESS_GATEWAY_MONGODB_PORT
name: tcp
protocol: TCP
hosts:
- my-mongo.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-mongo
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: mongo
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: mongo
spec:
host: my-mongo.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-mongo-through-egress-gateway
spec:
hosts:
- my-mongo.tcp.svc
gateways:
- mesh
- istio-egressgateway
tcp:
- match:
- gateways:
- mesh
destinationSubnets:
- $MONGODB_IP/32
port: $MONGODB_PORT
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: mongo
port:
number: $EGRESS_GATEWAY_MONGODB_PORT
- match:
- gateways:
- istio-egressgateway
port: $EGRESS_GATEWAY_MONGODB_PORT
route:
- destination:
host: my-mongo.tcp.svc
port:
number: $MONGODB_PORT
weight: 100
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>&lt;a href="#verify-that-egress-traffic-is-directed-through-the-egress-gateway">Verify that egress traffic is directed through the egress gateway&lt;/a>.&lt;/p>&lt;/li>
&lt;/ol>
&lt;h4 id="mutual-tls-between-the-sidecar-proxies-and-the-egress-gateway">Mutual TLS between the sidecar proxies and the egress gateway&lt;/h4>
&lt;ol>
&lt;li>&lt;p>Delete the previous configuration:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete gateway istio-egressgateway --ignore-not-found=true
$ kubectl delete virtualservice direct-mongo-through-egress-gateway --ignore-not-found=true
$ kubectl delete destinationrule egressgateway-for-mongo mongo --ignore-not-found=true
$ kubectl delete policy istio-egressgateway -n istio-system --ignore-not-found=true
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Enforce mutual TLS authentication for the &lt;code>istio-egressgateway&lt;/code> service:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: istio-egressgateway
namespace: istio-system
spec:
targets:
- name: istio-egressgateway
peers:
- mtls: {}
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create an egress &lt;code>Gateway&lt;/code> for your MongoDB service, and destination rules and a virtual service
to direct the traffic through the egress gateway and from the egress gateway to the external service.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: 443
name: tls
protocol: TLS
hosts:
- my-mongo.tcp.svc
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-mongo
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: mongo
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: ISTIO_MUTUAL
sni: my-mongo.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: mongo
spec:
host: my-mongo.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-mongo-through-egress-gateway
spec:
hosts:
- my-mongo.tcp.svc
gateways:
- mesh
- istio-egressgateway
tcp:
- match:
- gateways:
- mesh
destinationSubnets:
- $MONGODB_IP/32
port: $MONGODB_PORT
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: mongo
port:
number: 443
- match:
- gateways:
- istio-egressgateway
port: 443
route:
- destination:
host: my-mongo.tcp.svc
port:
number: $MONGODB_PORT
weight: 100
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Proceed to the next section.&lt;/p>&lt;/li>
&lt;/ol>
&lt;h4 id="verify-that-egress-traffic-is-directed-through-the-egress-gateway">Verify that egress traffic is directed through the egress gateway&lt;/h4>
&lt;ol>
&lt;li>&lt;p>Refresh the web page of the application again and verify that the ratings are still displayed correctly.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="/v1.5/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging">Enable Envoys access logging&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>Check the log of the egress gateway&amp;rsquo;s Envoy and see a line that corresponds to your
requests to the MongoDB service. If Istio is deployed in the &lt;code>istio-system&lt;/code> namespace, the command to print the
log is:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs -l istio=egressgateway -n istio-system
[2019-04-14T06:12:07.636Z] &amp;#34;- - -&amp;#34; 0 - &amp;#34;-&amp;#34; 1591 4393 94 - &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;&amp;lt;Your MongoDB IP&amp;gt;:&amp;lt;your MongoDB port&amp;gt;&amp;#34; outbound|&amp;lt;your MongoDB port&amp;gt;||my-mongo.tcp.svc 172.30.146.119:59924 172.30.146.119:443 172.30.230.1:59206 -
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;h3 id="cleanup-of-tcp-egress-traffic-control">Cleanup of TCP egress traffic control&lt;/h3>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry mongo
$ kubectl delete gateway istio-egressgateway --ignore-not-found=true
$ kubectl delete virtualservice direct-mongo-through-egress-gateway --ignore-not-found=true
$ kubectl delete destinationrule egressgateway-for-mongo mongo --ignore-not-found=true
$ kubectl delete policy istio-egressgateway -n istio-system --ignore-not-found=true
&lt;/code>&lt;/pre>
&lt;h2 id="egress-control-for-tls">Egress control for TLS&lt;/h2>
&lt;p>In the real life, most of the communication to the external services must be encrypted and
&lt;a href="https://docs.mongodb.com/manual/tutorial/configure-ssl/">the MongoDB protocol runs on top of TLS&lt;/a>.
Also, the TLS clients usually send
&lt;a href="https://en.wikipedia.org/wiki/Server_Name_Indication">Server Name Indication&lt;/a>, SNI, as part of their handshake. If your
MongoDB server runs TLS and your MongoDB client sends SNI as part of the handshake, you can control your MongoDB egress
traffic as any other TLS-with-SNI traffic. With TLS and SNI, you do not need to specify the IP addresses of your MongoDB
servers. You specify their host names instead, which is more convenient since you do not have to rely on the stability of
the IP addresses. You can also specify wildcards as a prefix of the host names, for example allowing access to any
server from the &lt;code>*.com&lt;/code> domain.&lt;/p>
&lt;p>To check if your MongoDB server supports TLS, run:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ openssl s_client -connect $MONGODB_HOST:$MONGODB_PORT -servername $MONGODB_HOST
&lt;/code>&lt;/pre>
&lt;p>If the command above prints a certificate returned by the server, the server supports TLS. If not, you have to control
your MongoDB egress traffic on the TCP level, as described in the previous sections.&lt;/p>
&lt;h3 id="control-tls-egress-traffic-without-a-gateway">Control TLS egress traffic without a gateway&lt;/h3>
&lt;p>In case you &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#use-case">do not need an egress gateway&lt;/a>, follow the
instructions in this section. If you want to direct your traffic through an egress gateway, proceed to
&lt;a href="#direct-tcp-egress-traffic-through-an-egress-gateway">Direct TCP Egress traffic through an egress gateway&lt;/a>.&lt;/p>
&lt;ol>
&lt;li>&lt;p>Create a &lt;code>ServiceEntry&lt;/code> for the MongoDB service:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: mongo
spec:
hosts:
- $MONGODB_HOST
ports:
- number: $MONGODB_PORT
name: tls
protocol: TLS
resolution: DNS
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Refresh the web page of the application. The application should display the ratings without error.&lt;/p>&lt;/li>
&lt;/ol>
&lt;h4 id="cleanup-of-the-egress-configuration-for-tls">Cleanup of the egress configuration for TLS&lt;/h4>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry mongo
&lt;/code>&lt;/pre>
&lt;h3 id="direct-tls-egress-traffic-through-an-egress-gateway">Direct TLS Egress traffic through an egress gateway&lt;/h3>
&lt;p>In this section you handle the case when you need to direct the traffic through an
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#use-case">egress gateway&lt;/a>. The sidecar proxy routes TLS
connections from the MongoDB client to the egress gateway, by matching the SNI of the MongoDB host.
The egress gateway forwards the traffic to the MongoDB host. Note that the sidecar proxy rewrites the destination port
to be 443. The egress gateway accepts the MongoDB traffic on the port 443, matches the MongoDB host by SNI, and rewrites
the port again to be the port of the MongoDB server.&lt;/p>
&lt;ol>
&lt;li>&lt;p>&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway">Deploy Istio egress gateway&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Create a &lt;code>ServiceEntry&lt;/code> for the MongoDB service:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: mongo
spec:
hosts:
- $MONGODB_HOST
ports:
- number: $MONGODB_PORT
name: tls
protocol: TLS
- number: 443
name: tls-port-for-egress-gateway
protocol: TLS
resolution: DNS
location: MESH_EXTERNAL
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Refresh the web page of the application and verify that the ratings are displayed correctly.&lt;/p>&lt;/li>
&lt;li>&lt;p>Create an egress &lt;code>Gateway&lt;/code> for your MongoDB service, and destination rules and virtual services
to direct the traffic through the egress gateway and from the egress gateway to the external service.&lt;/p>
&lt;p>If you want to enable &lt;a href="/v1.5/docs/tasks/security/authentication/authn-policy/">mutual TLS Authentication&lt;/a> between the sidecar proxies of
your application pods and the egress gateway, use the following command. (You may want to enable mutual TLS to let
the egress gateway monitor the identity of the source pods and to enable Mixer policy enforcement based on that
identity.)&lt;/p>
&lt;div id="tabset-blog-2018-egress-mongo-2" role="tablist" class="tabset">
&lt;div class="tab-strip" data-category-name="mtls">&lt;button aria-selected="true" data-category-value="enabled"
aria-controls="tabset-blog-2018-egress-mongo-2-0-panel" id="tabset-blog-2018-egress-mongo-2-0-tab" role="tab">&lt;span>mutual TLS enabled&lt;/span>
&lt;/button>&lt;button tabindex="-1" data-category-value="disabled"
aria-controls="tabset-blog-2018-egress-mongo-2-1-panel" id="tabset-blog-2018-egress-mongo-2-1-tab" role="tab">&lt;span>mutual TLS disabled&lt;/span>
&lt;/button>&lt;/div>
&lt;div class="tab-content">&lt;div id="tabset-blog-2018-egress-mongo-2-0-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2018-egress-mongo-2-0-tab">&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: 443
name: tls
protocol: TLS
hosts:
- $MONGODB_HOST
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-mongo
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: mongo
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: ISTIO_MUTUAL
sni: $MONGODB_HOST
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-mongo-through-egress-gateway
spec:
hosts:
- $MONGODB_HOST
gateways:
- mesh
- istio-egressgateway
tls:
- match:
- gateways:
- mesh
port: $MONGODB_PORT
sni_hosts:
- $MONGODB_HOST
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: mongo
port:
number: 443
tcp:
- match:
- gateways:
- istio-egressgateway
port: 443
route:
- destination:
host: $MONGODB_HOST
port:
number: $MONGODB_PORT
weight: 100
EOF
&lt;/code>&lt;/pre>&lt;/div>&lt;div hidden id="tabset-blog-2018-egress-mongo-2-1-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2018-egress-mongo-2-1-tab">&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
spec:
selector:
istio: egressgateway
servers:
- port:
number: 443
name: tls
protocol: TLS
hosts:
- $MONGODB_HOST
tls:
mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-mongo
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: mongo
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-mongo-through-egress-gateway
spec:
hosts:
- $MONGODB_HOST
gateways:
- mesh
- istio-egressgateway
tls:
- match:
- gateways:
- mesh
port: $MONGODB_PORT
sni_hosts:
- $MONGODB_HOST
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: mongo
port:
number: 443
- match:
- gateways:
- istio-egressgateway
port: 443
sni_hosts:
- $MONGODB_HOST
route:
- destination:
host: $MONGODB_HOST
port:
number: $MONGODB_PORT
weight: 100
EOF
&lt;/code>&lt;/pre>&lt;/div>&lt;/div>
&lt;/div>
&lt;/li>
&lt;li>&lt;p>&lt;a href="#verify-that-egress-traffic-is-directed-through-the-egress-gateway">Verify that the traffic is directed though the egress gateway&lt;/a>&lt;/p>&lt;/li>
&lt;/ol>
&lt;h4 id="cleanup-directing-tls-egress-traffic-through-an-egress-gateway">Cleanup directing TLS egress traffic through an egress gateway&lt;/h4>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry mongo
$ kubectl delete gateway istio-egressgateway
$ kubectl delete virtualservice direct-mongo-through-egress-gateway
$ kubectl delete destinationrule egressgateway-for-mongo
&lt;/code>&lt;/pre>
&lt;h3 id="enable-mongodb-tls-egress-traffic-to-arbitrary-wildcarded-domains">Enable MongoDB TLS egress traffic to arbitrary wildcarded domains&lt;/h3>
&lt;p>Sometimes you want to configure egress traffic to multiple hostnames from the same domain, for example traffic to all
MongoDB services from &lt;code>*.&amp;lt;your company domain&amp;gt;.com&lt;/code>. You do not want to create multiple configuration items, one for
each and every MongoDB service in your company. To configure access to all the external services from the same domain by
a single configuration, you use &lt;em>wildcarded&lt;/em> hosts.&lt;/p>
&lt;p>In this section you configure egress traffic for a wildcarded domain. I used a MongoDB instance at &lt;code>composedb.com&lt;/code>
domain, so configuring egress traffic for &lt;code>*.com&lt;/code> worked for me (I could have used &lt;code>*.composedb.com&lt;/code> as well).
You can pick a wildcarded domain according to your MongoDB host.&lt;/p>
&lt;p>To configure egress gateway traffic for a wildcarded domain, you will first need to deploy a custom egress
gateway with
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains">an additional SNI proxy&lt;/a>.
This is needed due to current limitations of Envoy, the proxy used by the standard Istio egress gateway.&lt;/p>
&lt;h4 id="prepare-a-new-egress-gateway-with-an-sni-proxy">Prepare a new egress gateway with an SNI proxy&lt;/h4>
&lt;p>In this subsection you deploy an egress gateway with an SNI proxy, in addition to the standard Istio Envoy proxy. You
can use any SNI proxy that is capable of routing traffic according to arbitrary, not-preconfigured SNI values; we used
&lt;a href="http://nginx.org">Nginx&lt;/a> to achieve this functionality.&lt;/p>
&lt;ol>
&lt;li>&lt;p>Create a configuration file for the Nginx SNI proxy. You may want to edit the file to specify additional Nginx
settings, if required.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF &amp;gt; ./sni-proxy.conf
user www-data;
events {
}
stream {
log_format log_stream &amp;#39;\$remote_addr [\$time_local] \$protocol [\$ssl_preread_server_name]&amp;#39;
&amp;#39;\$status \$bytes_sent \$bytes_received \$session_time&amp;#39;;
access_log /var/log/nginx/access.log log_stream;
error_log /var/log/nginx/error.log;
# tcp forward proxy by SNI
server {
resolver 8.8.8.8 ipv6=off;
listen 127.0.0.1:$MONGODB_PORT;
proxy_pass \$ssl_preread_server_name:$MONGODB_PORT;
ssl_preread on;
}
}
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create a Kubernetes &lt;a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/">ConfigMap&lt;/a>
to hold the configuration of the Nginx SNI proxy:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create configmap egress-sni-proxy-configmap -n istio-system --from-file=nginx.conf=./sni-proxy.conf
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>The following command will generate &lt;code>istio-egressgateway-with-sni-proxy.yaml&lt;/code> to edit and deploy.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | helm template install/kubernetes/helm/istio/ --name istio-egressgateway-with-sni-proxy --namespace istio-system -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml -x charts/gateways/templates/serviceaccount.yaml -x charts/gateways/templates/autoscale.yaml -x charts/gateways/templates/role.yaml -x charts/gateways/templates/rolebindings.yaml --set global.mtls.enabled=true --set global.istioNamespace=istio-system -f - &amp;gt; ./istio-egressgateway-with-sni-proxy.yaml
gateways:
enabled: true
istio-ingressgateway:
enabled: false
istio-egressgateway:
enabled: false
istio-egressgateway-with-sni-proxy:
enabled: true
labels:
app: istio-egressgateway-with-sni-proxy
istio: egressgateway-with-sni-proxy
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
serviceAnnotations: {}
type: ClusterIP
ports:
- port: 443
name: https
secretVolumes:
- name: egressgateway-certs
secretName: istio-egressgateway-certs
mountPath: /etc/istio/egressgateway-certs
- name: egressgateway-ca-certs
secretName: istio-egressgateway-ca-certs
mountPath: /etc/istio/egressgateway-ca-certs
configVolumes:
- name: sni-proxy-config
configMapName: egress-sni-proxy-configmap
additionalContainers:
- name: sni-proxy
image: nginx
volumeMounts:
- name: sni-proxy-config
mountPath: /etc/nginx
readOnly: true
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Deploy the new egress gateway:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f ./istio-egressgateway-with-sni-proxy.yaml
serviceaccount &amp;#34;istio-egressgateway-with-sni-proxy-service-account&amp;#34; created
role &amp;#34;istio-egressgateway-with-sni-proxy-istio-system&amp;#34; created
rolebinding &amp;#34;istio-egressgateway-with-sni-proxy-istio-system&amp;#34; created
service &amp;#34;istio-egressgateway-with-sni-proxy&amp;#34; created
deployment &amp;#34;istio-egressgateway-with-sni-proxy&amp;#34; created
horizontalpodautoscaler &amp;#34;istio-egressgateway-with-sni-proxy&amp;#34; created
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Verify that the new egress gateway is running. Note that the pod has two containers (one is the Envoy proxy and the
second one is the SNI proxy).&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pod -l istio=egressgateway-with-sni-proxy -n istio-system
NAME READY STATUS RESTARTS AGE
istio-egressgateway-with-sni-proxy-79f6744569-pf9t2 2/2 Running 0 17s
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create a service entry with a static address equal to 127.0.0.1 (&lt;code>localhost&lt;/code>), and disable mutual TLS on the traffic directed to the new
service entry:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: sni-proxy
spec:
hosts:
- sni-proxy.local
location: MESH_EXTERNAL
ports:
- number: $MONGODB_PORT
name: tcp
protocol: TCP
resolution: STATIC
endpoints:
- address: 127.0.0.1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: disable-mtls-for-sni-proxy
spec:
host: sni-proxy.local
trafficPolicy:
tls:
mode: DISABLE
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;h4 id="configure-access-to-com-using-the-new-egress-gateway">Configure access to &lt;code>*.com&lt;/code> using the new egress gateway&lt;/h4>
&lt;ol>
&lt;li>&lt;p>Define a &lt;code>ServiceEntry&lt;/code> for &lt;code>*.com&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | kubectl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: mongo
spec:
hosts:
- &amp;#34;*.com&amp;#34;
ports:
- number: 443
name: tls
protocol: TLS
- number: $MONGODB_PORT
name: tls-mongodb
protocol: TLS
location: MESH_EXTERNAL
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create an egress &lt;code>Gateway&lt;/code> for &lt;em>*.com&lt;/em>, port 443, protocol TLS, a destination rule to set the
&lt;a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI&lt;/a> for the gateway, and Envoy filters to prevent tampering
with SNI by a malicious application (the filters verify that the SNI issued by the application is the SNI reported
to Mixer).&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway-with-sni-proxy
spec:
selector:
istio: egressgateway-with-sni-proxy
servers:
- port:
number: 443
name: tls
protocol: TLS
hosts:
- &amp;#34;*.com&amp;#34;
tls:
mode: MUTUAL
serverCertificate: /etc/certs/cert-chain.pem
privateKey: /etc/certs/key.pem
caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: mtls-for-egress-gateway
spec:
host: istio-egressgateway-with-sni-proxy.istio-system.svc.cluster.local
subsets:
- name: mongo
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: ISTIO_MUTUAL
---
# The following filter is used to forward the original SNI (sent by the application) as the SNI of the mutual TLS
# connection.
# The forwarded SNI will be reported to Mixer so that policies will be enforced based on the original SNI value.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: forward-downstream-sni
spec:
filters:
- listenerMatch:
portNumber: $MONGODB_PORT
listenerType: SIDECAR_OUTBOUND
filterName: forward_downstream_sni
filterType: NETWORK
filterConfig: {}
---
# The following filter verifies that the SNI of the mutual TLS connection (the SNI reported to Mixer) is
# identical to the original SNI issued by the application (the SNI used for routing by the SNI proxy).
# The filter prevents Mixer from being deceived by a malicious application: routing to one SNI while
# reporting some other value of SNI. If the original SNI does not match the SNI of the mutual TLS connection, the
# filter will block the connection to the external service.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: egress-gateway-sni-verifier
spec:
workloadLabels:
app: istio-egressgateway-with-sni-proxy
filters:
- listenerMatch:
portNumber: 443
listenerType: GATEWAY
filterName: sni_verifier
filterType: NETWORK
filterConfig: {}
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Route the traffic destined for &lt;em>*.com&lt;/em> to the egress gateway and from the egress gateway to the SNI proxy.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-mongo-through-egress-gateway
spec:
hosts:
- &amp;#34;*.com&amp;#34;
gateways:
- mesh
- istio-egressgateway-with-sni-proxy
tls:
- match:
- gateways:
- mesh
port: $MONGODB_PORT
sni_hosts:
- &amp;#34;*.com&amp;#34;
route:
- destination:
host: istio-egressgateway-with-sni-proxy.istio-system.svc.cluster.local
subset: mongo
port:
number: 443
weight: 100
tcp:
- match:
- gateways:
- istio-egressgateway-with-sni-proxy
port: 443
route:
- destination:
host: sni-proxy.local
port:
number: $MONGODB_PORT
weight: 100
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Refresh the web page of the application again and verify that the ratings are still displayed correctly.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="/v1.5/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging">Enable Envoys access logging&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>Check the log of the egress gateway&amp;rsquo;s Envoy proxy. If Istio is deployed in the &lt;code>istio-system&lt;/code> namespace, the command
to print the log is:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs -l istio=egressgateway-with-sni-proxy -c istio-proxy -n istio-system
&lt;/code>&lt;/pre>
&lt;p>You should see lines similar to the following:&lt;/p>
&lt;pre>&lt;code class='language-plain' data-expandlinks='true' data-repo='istio' >[2019-01-02T17:22:04.602Z] &amp;#34;- - -&amp;#34; 0 - 768 1863 88 - &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;127.0.0.1:28543&amp;#34; outbound|28543||sni-proxy.local 127.0.0.1:49976 172.30.146.115:443 172.30.146.118:58510 &amp;lt;your MongoDB host&amp;gt;
[2019-01-02T17:22:04.713Z] &amp;#34;- - -&amp;#34; 0 - 1534 2590 85 - &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;-&amp;#34; &amp;#34;127.0.0.1:28543&amp;#34; outbound|28543||sni-proxy.local 127.0.0.1:49988 172.30.146.115:443 172.30.146.118:58522 &amp;lt;your MongoDB host&amp;gt;
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Check the logs of the SNI proxy. If Istio is deployed in the &lt;code>istio-system&lt;/code> namespace, the command to print the
log is:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs -l istio=egressgateway-with-sni-proxy -n istio-system -c sni-proxy
127.0.0.1 [23/Aug/2018:03:28:18 +0000] TCP [&amp;lt;your MongoDB host&amp;gt;]200 1863 482 0.089
127.0.0.1 [23/Aug/2018:03:28:18 +0000] TCP [&amp;lt;your MongoDB host&amp;gt;]200 2590 1248 0.095
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;h4 id="understanding-what-happened">Understanding what happened&lt;/h4>
&lt;p>In this section you configured egress traffic to your MongoDB host using a wildcarded domain. While for a single MongoDB
host there is no gain in using wildcarded domains (an exact hostname can be specified), it could be beneficial for
cases when the applications in the cluster access multiple MongoDB hosts that match some wildcarded domain. For example,
if the applications access &lt;code>mongodb1.composedb.com&lt;/code>, &lt;code>mongodb2.composedb.com&lt;/code> and &lt;code>mongodb3.composedb.com&lt;/code>, the egress
traffic can be configured by a single configuration for the wildcarded domain &lt;code>*.composedb.com&lt;/code>.&lt;/p>
&lt;p>I will leave it as an exercise for the reader to verify that no additional Istio configuration is required when you
configure an app to use another instance of MongoDB with a hostname that matches the wildcarded domain used in this
section.&lt;/p>
&lt;h4 id="cleanup-of-configuration-for-mongodb-tls-egress-traffic-to-arbitrary-wildcarded-domains">Cleanup of configuration for MongoDB TLS egress traffic to arbitrary wildcarded domains&lt;/h4>
&lt;ol>
&lt;li>&lt;p>Delete the configuration items for &lt;em>*.com&lt;/em>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry mongo
$ kubectl delete gateway istio-egressgateway-with-sni-proxy
$ kubectl delete virtualservice direct-mongo-through-egress-gateway
$ kubectl delete destinationrule mtls-for-egress-gateway
$ kubectl delete envoyfilter forward-downstream-sni egress-gateway-sni-verifier
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Delete the configuration items for the &lt;code>egressgateway-with-sni-proxy&lt;/code> deployment:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry sni-proxy
$ kubectl delete destinationrule disable-mtls-for-sni-proxy
$ kubectl delete -f ./istio-egressgateway-with-sni-proxy.yaml
$ kubectl delete configmap egress-sni-proxy-configmap -n istio-system
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Remove the configuration files you created:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ rm ./istio-egressgateway-with-sni-proxy.yaml
$ rm ./nginx-sni-proxy.conf
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;h2 id="cleanup">Cleanup&lt;/h2>
&lt;ol>
&lt;li>&lt;p>Drop the &lt;code>bookinfo&lt;/code> user:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
use test
db.dropUser(&amp;#34;bookinfo&amp;#34;);
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Drop the &lt;em>ratings&lt;/em> collection:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
use test
db.ratings.drop();
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Unset the environment variables you used:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ unset MONGO_ADMIN_PASSWORD BOOKINFO_PASSWORD MONGODB_HOST MONGODB_PORT MONGODB_IP
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Remove the virtual services:&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/networking/virtual-service-ratings-db.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
Deleted config: virtual-service/default/reviews
Deleted config: virtual-service/default/ratings
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;li>&lt;p>Undeploy &lt;em>ratings v2-mongodb&lt;/em>:&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
deployment &amp;#34;ratings-v2&amp;#34; deleted
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;/ol>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>In this blog post I demonstrated various options for MongoDB egress traffic control. You can control the MongoDB egress
traffic on a TCP or TLS level where applicable. In both TCP and TLS cases, you can direct the traffic from the sidecar
proxies directly to the external MongoDB host, or direct the traffic through an egress gateway, according to your
organization&amp;rsquo;s security requirements. In the latter case, you can also decide to apply or disable mutual TLS
authentication between the sidecar proxies and the egress gateway. If you want to control MongoDB egress traffic on the
TLS level by specifying wildcarded domains like &lt;code>*.com&lt;/code> and you need to direct the traffic through the egress gateway,
you must deploy a custom egress gateway with an SNI proxy.&lt;/p>
&lt;p>Note that the configuration and considerations described in this blog post for MongoDB are rather the same for other
non-HTTP protocols on top of TCP/TLS.&lt;/p></description><pubDate>Fri, 16 Nov 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/egress-mongo/</link><author>Vadim Eisenberg</author><guid isPermaLink="true">/v1.5/blog/2018/egress-mongo/</guid><category>traffic-management</category><category>egress</category><category>tcp</category><category>mongo</category></item><item><title>All Day Istio Twitch Stream</title><description>
&lt;p>To celebrate the 1.0 release and to promote the software to a wider audience, the Istio community is hosting an all day live stream on Twitch on August 17th.&lt;/p>
&lt;h2 id="what-is-twitch">What is Twitch?&lt;/h2>
&lt;p>&lt;a href="https://twitch.tv/">Twitch&lt;/a> is a popular video gaming live streaming platform and recently has seen a lot of coding content showing up. The IBM Advocates have been doing live coding and presentations there and it&amp;rsquo;s been fun. While mostly used for gaming content, there is a &lt;a href="https://www.twitch.tv/communities/programming">growing community&lt;/a> sharing and watching programming content on the site.&lt;/p>
&lt;h2 id="what-does-this-have-to-do-with-istio">What does this have to do with Istio?&lt;/h2>
&lt;p>The stream is going to be a full day of Istio content. Hopefully we&amp;rsquo;ll have a good mix of deep technical content, beginner content and line-of-business content for our audience. We&amp;rsquo;ll have developers, users, and evangelists on throughout the day to share their demos and stories. Expect live coding, q and a, and some surprises. We have stellar guests lined up from IBM, Google, Datadog, Pivotal, and more!&lt;/p>
&lt;h2 id="recordings">Recordings&lt;/h2>
&lt;p>Recordings are available &lt;a href="https://www.youtube.com/playlist?list=PLzpeuWUENMK0V3dwpx5gPJun-SLG0USqU">here&lt;/a>.&lt;/p>
&lt;h2 id="schedule">Schedule&lt;/h2>
&lt;p>All times are &lt;code>PDT&lt;/code>.&lt;/p>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Time&lt;/th>
&lt;th>Speaker&lt;/th>
&lt;th>Affiliation&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>10:00 - 10:30&lt;/td>
&lt;td>&lt;code>Spencer Krum + Lisa-Marie Namphy&lt;/code>&lt;/td>
&lt;td>&lt;code>IBM / Portworx&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>10:30 - 11:00&lt;/td>
&lt;td>&lt;code>Lin Sun / Spencer Krum / Sven Mawson&lt;/code>&lt;/td>
&lt;td>&lt;code>IBM / Google&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>11:00 - 11:10&lt;/td>
&lt;td>&lt;code>Lin Sun / Spencer Krum&lt;/code>&lt;/td>
&lt;td>&lt;code>IBM&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>11:10 - 11:30&lt;/td>
&lt;td>&lt;code>Jason Yee / Ilan Rabinovich&lt;/code>&lt;/td>
&lt;td>&lt;code>Datadog&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>11:30 - 11:50&lt;/td>
&lt;td>&lt;code>April Nassl&lt;/code>&lt;/td>
&lt;td>&lt;code>Google&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>11:50 - 12:10&lt;/td>
&lt;td>&lt;code>Spike Curtis&lt;/code>&lt;/td>
&lt;td>&lt;code>Tigera&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>12:10 - 12:30&lt;/td>
&lt;td>&lt;code>Shannon Coen&lt;/code>&lt;/td>
&lt;td>&lt;code>Pivotal&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>12:30 - 1:00&lt;/td>
&lt;td>&lt;code>Matt Klein&lt;/code>&lt;/td>
&lt;td>&lt;code>Lyft&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>1:00 - 1:20&lt;/td>
&lt;td>&lt;code>Zach Jory&lt;/code>&lt;/td>
&lt;td>&lt;code>F5/Aspen Mesh&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>1:20 - 1:40&lt;/td>
&lt;td>&lt;code>Dan Ciruli&lt;/code>&lt;/td>
&lt;td>&lt;code>Google&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>1:40 - 2:00&lt;/td>
&lt;td>&lt;code>Isaiah Snell-Feikema&lt;/code> / &lt;code>Greg Hanson&lt;/code>&lt;/td>
&lt;td>&lt;code>IBM&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>2:00 - 2:20&lt;/td>
&lt;td>&lt;code>Zach Butcher&lt;/code>&lt;/td>
&lt;td>&lt;code>Tetrate&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>2:20 - 2:40&lt;/td>
&lt;td>&lt;code>Ray Hudaihed&lt;/code>&lt;/td>
&lt;td>&lt;code>American Airlines&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>2:40 - 3:00&lt;/td>
&lt;td>&lt;code>Christian Posta&lt;/code>&lt;/td>
&lt;td>&lt;code>Red Hat&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>3:00 - 3:20&lt;/td>
&lt;td>&lt;code>Google/IBM China&lt;/code>&lt;/td>
&lt;td>&lt;code>Google / IBM&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>3:20 - 3:40&lt;/td>
&lt;td>&lt;code>Colby Dyess&lt;/code>&lt;/td>
&lt;td>&lt;code>Tuffin&lt;/code>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>3:40 - 4:00&lt;/td>
&lt;td>&lt;code>Rohit Agarwalla&lt;/code>&lt;/td>
&lt;td>&lt;code>Cisco&lt;/code>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table></description><pubDate>Fri, 03 Aug 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/istio-twitch-stream/</link><author>Spencer Krum, IBM</author><guid isPermaLink="true">/v1.5/blog/2018/istio-twitch-stream/</guid></item><item><title>Istio a Game Changer for HP's FitStation Platform</title><description>&lt;p>The FitStation team at HP strongly believes in the future of Kubernetes, BPF and service-mesh as the next standards in cloud infrastructure. We are also very happy to see Istio coming to its official Istio 1.0 release &amp;ndash; thanks to the joint collaboration that started at Google, IBM and Lyft beginning in May 2017.&lt;/p>
&lt;p>Throughout the development of FitStations large scale and progressive cloud platform, Istio, Cilium and Kubernetes technologies have delivered a multitude of opportunities to make our systems more robust and scalable. Istio was a game changer in creating reliable and dynamic network communication.&lt;/p>
&lt;p>&lt;a href="http://www.fitstation.com">FitStation powered by HP&lt;/a> is a technology platform that captures 3D biometric data to design personalized footwear to perfectly fit individual foot size and shape as well as gait profile. It uses 3D scanning, pressure sensing, 3D printing and variable density injection molding to create unique footwear. Footwear brands such as Brooks, Steitz Secura or Superfeet are connecting to FitStation to build their next generation of high performance sports, professional and medical shoes.&lt;/p>
&lt;p>FitStation is built on the promise of ultimate security and privacy for users&amp;rsquo; biometric data. ISTIO is the cornerstone to make that possible for data-at-flight within our cloud. By managing these aspects at the infrastructure level, we focused on solving business problems instead of spending time on individual implementations of secure service communication. Using Istio allowed us to dramatically reduce the complexity of maintaining a multitude of libraries and services to provide secure service communication.&lt;/p>
&lt;p>As a bonus benefit of Istio 1.0, we gained network visibility, metrics and tracing out of the box. This radically improved decision-making and response quality for our development
and devops teams. The team got in-depth insight in the network communication across the entire platform, both for new as well as legacy applications. The integration of Cilium
with Envoy delivered a remarkable performance benefit on Istio service mesh communication, combined with a fine-grained kernel driven L7 network security layer. This was due to the powers of BPF brought to Istio by Cilium. We believe this will drive the future of Linux kernel security.&lt;/p>
&lt;p>It has been very exciting to follow Istios growth. We have been able to see clear improvements of performance and stability over the different development versions. The improvements between version 0.7 and 0.8 made our teams feel comfortable with version 1.0, we can state that Istio is now ready for real production usage.&lt;/p>
&lt;p>We are looking forward to the promising roadmaps of Istio, Envoy, Cilium and CNCF.&lt;/p></description><pubDate>Tue, 31 Jul 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/hp/</link><author>Steven Ceuppens, Chief Software Architect @ HP FitStation, Open Source Advocate &amp; Contributor</author><guid isPermaLink="true">/v1.5/blog/2018/hp/</guid></item><item><title>Delayering Istio with AppSwitch</title><description>
&lt;div>
&lt;aside class="callout quote">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-quote"/>&lt;/svg>
&lt;/div>
&lt;div class="content">All problems in computer science can be solved with another layer, except of course the problem of too many layers. &amp;ndash; David Wheeler&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>The sidecar proxy approach enables a lot of awesomeness. Squarely in the datapath between microservices, the sidecar can precisely tell what the application is trying to do. It can monitor and instrument protocol traffic, not in the bowels of the networking layers but at the application level, to enable deep visibility, access controls and traffic management.&lt;/p>
&lt;p>If we look closely however, there are many intermediate layers that the data has to pass through before the high-value analysis of application-traffic can be performed. Most of those layers are part of the base plumbing infrastructure that are there just to push the data along. In doing so, they add latency to communication and complexity to the overall system.&lt;/p>
&lt;p>Over the years, there has been much collective effort in implementing aggressive fine-grained optimizations within the layers of the network datapath. Each iteration may shave another few microseconds. But then the true necessity of those layers itself has not been questioned.&lt;/p>
&lt;h2 id="don-t-optimize-layers-remove-them">Dont optimize layers, remove them&lt;/h2>
&lt;p>In my belief, optimizing something is a poor fallback to removing its requirement altogether. That was the goal of my initial work (broken link: &lt;code>https://apporbit.com/a-brief-history-of-containers-from-reality-to-hype/&lt;/code>) on OS-level virtualization that led to Linux containers which effectively &lt;a href="https://www.oreilly.com/ideas/the-unwelcome-guest-why-vms-arent-the-solution-for-next-gen-applications">removed virtual machines&lt;/a> by running applications directly on the host operating system without requiring an intermediate guest. For a long time the industry was fighting the wrong battle distracted by optimizing VMs rather than removing the additional layer altogether.&lt;/p>
&lt;p>I see the same pattern repeat itself with the connectivity of microservices, and networking in general. The network has been going through the changes that physical servers have gone through a decade earlier. New set of layers and constructs are being introduced. They are being baked deep into the protocol stack and even silicon without adequately considering low-touch alternatives. Perhaps there is a way to remove those additional layers altogether.&lt;/p>
&lt;p>I have been thinking about these problems for some time and believe that an approach similar in concept to containers can be applied to the network stack that would fundamentally simplify how application endpoints are connected across the complexity of many intermediate layers. I have reapplied the same principles from the original work on containers to create &lt;a href="http://appswitch.io">AppSwitch&lt;/a>. Similar to the way containers provide an interface that applications can directly consume, AppSwitch plugs directly into well-defined and ubiquitous network API that applications currently use and directly connects application clients to appropriate servers, skipping all intermediate layers. In the end, that&amp;rsquo;s what networking is all about.&lt;/p>
&lt;p>Before going into the details of how AppSwitch promises to remove unnecessary layers from the Istio stack, let me give a very brief introduction to its architecture. Further details are available at the &lt;a href="https://appswitch.readthedocs.io/en/latest/">documentation&lt;/a> page.&lt;/p>
&lt;h2 id="appswitch">AppSwitch&lt;/h2>
&lt;p>Not unlike the container runtime, AppSwitch consists of a client and a daemon that speak over HTTP via a REST API. Both the client and the daemon are built as one self-contained binary, &lt;code>ax&lt;/code>. The client transparently plugs into the application and tracks its system calls related to network connectivity and notifies the daemon about their occurrences. As an example, lets say an application makes the &lt;code>connect(2)&lt;/code> system call to the service IP of a Kubernetes service. The AppSwitch client intercepts the connect call, nullifies it and notifies the daemon about its occurrence along with some context that includes the system call arguments. The daemon would then handle the system call, potentially by directly connecting to the Pod IP of the upstream server on behalf of the application.&lt;/p>
&lt;p>It is important to note that no data is forwarded between AppSwitch client and daemon. They are designed to exchange file descriptors (FDs) over a Unix domain socket to avoid having to copy data. Note also that client is not a separate process. Rather it directly runs in the context of the application itself. There is no data copy between the application and AppSwitch client either.&lt;/p>
&lt;h2 id="delayering-the-stack">Delayering the stack&lt;/h2>
&lt;p>Now that we have an idea about what AppSwitch does, lets look at the layers that it optimizes away from a standard service mesh.&lt;/p>
&lt;h3 id="network-devirtualization">Network devirtualization&lt;/h3>
&lt;p>Kubernetes offers simple and well-defined network constructs to the microservice applications it runs. In order to support them however, it imposes specific &lt;a href="https://kubernetes.io/docs/concepts/cluster-administration/networking/">requirements&lt;/a> on the underlying network. Meeting those requirements is often not easy. The go-to solution of adding another layer is typically adopted to satisfy the requirements. In most cases the additional layer consists of a network overlay that sits between Kubernetes and underlying network. Traffic produced by the applications is encapsulated at the source and decapsulated at the target, which not only costs network resources but also takes up compute cores.&lt;/p>
&lt;p>Because AppSwitch arbitrates what the application sees through its touchpoints with the platform, it projects a consistent virtual view of the underlying network to the application similar to an overlay but without introducing an additional layer of processing along the datapath. Just to draw a parallel to containers, the inside of a container looks and feels like a VM. However the underlying implementation does not intervene along the high-incidence control paths of low-level interrupts etc.&lt;/p>
&lt;p>AppSwitch can be injected into a standard Kubernetes manifest (similar to Istio injection) such that the applications network is directly handled by AppSwitch bypassing any network overlay underneath. More details to follow in just a bit.&lt;/p>
&lt;h3 id="artifacts-of-container-networking">Artifacts of container networking&lt;/h3>
&lt;p>Extending network connectivity from host into the container has been a &lt;a href="https://kubernetes.io/blog/2016/01/why-kubernetes-doesnt-use-libnetwork/">major challenge&lt;/a>. New layers of network plumbing were invented explicitly for that purpose. As such, an application running in a container is simply a process on the host. However due to a &lt;a href="http://appswitch.io/blog/kubernetes_istio_and_network_function_devirtualization_with_appswitch/">fundamental misalignment&lt;/a> between the network abstraction expected by the application and the abstraction exposed by container network namespace, the process cannot directly access the host network. Applications think of networking in terms of sockets or sessions whereas network namespaces expose a device abstraction. Once placed in a network namespace, the process suddenly loses all connectivity. The notion of veth-pair and corresponding tooling were invented just to close that gap. The data would now have to go from a host interface into a virtual switch and then through a veth-pair to the virtual network interface of the container network namespace.&lt;/p>
&lt;p>AppSwitch can effectively remove both the virtual switch and veth-pair layers on both ends of the connection. Since the connections are established by the daemon running on the host using the network thats already available on the host, there is no need for additional plumbing to bridge host network into the container. The socket FDs created on the host are passed to the application running within the pods network namespace. By the time the application receives the FD, all control path work (security checks, connection establishment) is already done and the FD is ready for actual IO.&lt;/p>
&lt;h3 id="skip-tcp-ip-for-colocated-endpoints">Skip TCP/IP for colocated endpoints&lt;/h3>
&lt;p>TCP/IP is the universal protocol medium over which pretty much all communication occurs. But if application endpoints happen to be on the same host, is TCP/IP really required? After all, it does do quite a bit of work and it is quite complex. Unix sockets are explicitly designed for intrahost communication and AppSwitch can transparently switch the communication to occur over a Unix socket for colocated endpoints.&lt;/p>
&lt;p>For each listening socket of an application, AppSwitch maintains two listening sockets, one each for TCP and Unix. When a client tries to connect to a server that happens to be colocated, AppSwitch daemon would choose to connect to the Unix listening socket of the server. The resulting Unix sockets on each end are passed into respective applications. Once a fully connected FD is returned, the application would simply treat it as a bit pipe. The protocol doesnt really matter. The application may occasionally make protocol specific calls such as &lt;code>getsockname(2)&lt;/code> and AppSwitch would handle them in kind. It would present consistent responses such that the application would continue to run on.&lt;/p>
&lt;h3 id="data-pushing-proxy">Data pushing proxy&lt;/h3>
&lt;p>As we continue to look for layers to remove, let us also reconsider the requirement of the proxy layer itself. There are times when the role of the proxy may degenerate into a plain data pusher:&lt;/p>
&lt;ul>
&lt;li>There may not be a need for any protocol decoding&lt;/li>
&lt;li>The protocol may not be recognized by the proxy&lt;/li>
&lt;li>The communication may be encrypted and the proxy cannot access relevant headers&lt;/li>
&lt;li>The application (redis, memcached etc.) may be too latency-sensitive and cannot afford the cost of an intermediate proxy&lt;/li>
&lt;/ul>
&lt;p>In all these cases, the proxy is not different from any low-level plumbing layer. In fact, the latency introduced can be far higher because the same level of optimizations wont be available to a proxy.&lt;/p>
&lt;p>To illustrate this with an example, consider the application shown below. It consists of a Python app and a set of memcached servers behind it. An upstream memcached server is selected based on connection time routing. Speed is the primary concern here.&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:38.63965267727931%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/delayering-istio/memcached.png" title="Latency-sensitive application scenario">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/delayering-istio/memcached.png" alt="Proxyless datapath" />
&lt;/a>
&lt;/div>
&lt;figcaption>Latency-sensitive application scenario&lt;/figcaption>
&lt;/figure>
&lt;p>If we look at the data flow in this setup, the Python app makes a connection to the service IP of memcached. It is redirected to the client-side sidecar. The sidecar routes the connection to one of the memcached servers and copies the data between the two sockets &amp;ndash; one connected to the app and another connected to memcached. And the same also occurs on the server side between the server-side sidecar and memcached. The role of proxy at that point is just boring shoveling of bits between the two sockets. However, it ends up adding substantial latency to the end-to-end connection.&lt;/p>
&lt;p>Now let us imagine that the app is somehow made to connect directly to memcached, then the two intermediate proxies could be skipped. The data would flow directly between the app and memcached without any intermediate hops. AppSwitch can arrange for that by transparently tweaking the target address passed by the Python app when it makes the &lt;code>connect(2)&lt;/code> system call.&lt;/p>
&lt;h3 id="proxyless-protocol-decoding">Proxyless protocol decoding&lt;/h3>
&lt;p>Things are going to get a bit strange here. We have seen that the proxy can be bypassed for cases that dont involve looking into application traffic. But is there anything we can do even for those other cases? It turns out, yes.&lt;/p>
&lt;p>In a typical communication between microservices, much of the interesting information is exchanged in the initial headers. Headers are followed by body or payload which typically represents bulk of the communication. And once again the proxy degenerates into a data pusher for this part of communication. AppSwitch provides a nifty mechanism to skip proxy for these cases.&lt;/p>
&lt;p>Even though AppSwitch is not a proxy, it &lt;em>does&lt;/em> arbitrate connections between application endpoints and it &lt;em>does&lt;/em> have access to corresponding socket FDs. Normally, AppSwitch simply passes those FDs to the application. But it can also peek into the initial message received on the connection using the &lt;code>MSG_PEEK&lt;/code> option of the &lt;code>recvfrom(2)&lt;/code> system call on the socket. It allows AppSwitch to examine application traffic without actually removing it from the socket buffers. When AppSwitch returns the FD to the application and steps out of the datapath, the application would do an actual read on the connection. AppSwitch uses this technique to perform deeper analysis of application-level traffic and implement sophisticated network functions as discussed in the next section, all without getting into the datapath.&lt;/p>
&lt;h3 id="zero-cost-load-balancer-firewall-and-network-analyzer">Zero-cost load balancer, firewall and network analyzer&lt;/h3>
&lt;p>Typical implementations of network functions such as load balancers and firewalls require an intermediate layer that needs to tap into data/packet stream. Kubernetes&amp;rsquo; implementation of load balancer (&lt;code>kube-proxy&lt;/code>) for example introduces a probe into the packet stream through iptables and Istio implements the same at the proxy layer. But if all that is required is to redirect or drop connections based on policy, it is not really necessary to stay in the datapath during the entire course of the connection. AppSwitch can take care of that much more efficiently by simply manipulating the control path at the API level. Given its intimate proximity to the application, AppSwitch also has easy access to various pieces of application level metrics such as dynamics of stack and heap usage, precisely when a service comes alive, attributes of active connections etc., all of which could potentially form a rich signal for monitoring and analytics.&lt;/p>
&lt;p>To go a step further, AppSwitch can also perform L7 load balancing and firewall functions based on the protocol data that it obtains from the socket buffers. It can synthesize the protocol data and various other signals with the policy information acquired from Pilot to implement a highly efficient form of routing and access control enforcement. It can essentially &amp;ldquo;influence&amp;rdquo; the application to connect to the right backend server without requiring any changes to the application or its configuration. It is as if the application itself is infused with policy and traffic-management intelligence. Except in this case, the application can&amp;rsquo;t escape the influence.&lt;/p>
&lt;p>There is some more black-magic possible that would actually allow modifying the application data stream without getting into the datapath but I am going to save that for a later post. Current implementation of AppSwitch uses a proxy if the use case requires application protocol traffic to be modified. For those cases, AppSwitch provides a highly optimal mechanism to attract traffic to the proxy as discussed in the next section.&lt;/p>
&lt;h3 id="traffic-redirection">Traffic redirection&lt;/h3>
&lt;p>Before the sidecar proxy can look into application protocol traffic, it needs to first receive the connections. Redirection of connections coming into and going out of the application is currently done by a layer of packet filtering that rewrites packets such that they go to respective sidecars. Creating potentially large number of rules required to represent the redirection policy is tedious. And the process of applying the rules and updating them, as the target subnets to be captured by the sidecar change, is expensive.&lt;/p>
&lt;p>While some of the performance concerns are being addressed by the Linux community, there is another concern related to privilege: iptables rules need to be updated whenever the policy changes. Given the current architecture, all privileged operations are performed in an init container that runs just once at the very beginning before privileges are dropped for the actual application. Since updating iptables rules requires root privileges, there is no way to do that without restarting the application.&lt;/p>
&lt;p>AppSwitch provides a way to redirect application connections without root privilege. As such, an unprivileged application is already able to connect to any host (modulo firewall rules etc.) and the owner of the application should be allowed to change the host address passed by its application via &lt;code>connect(2)&lt;/code> without requiring additional privilege.&lt;/p>
&lt;h4 id="socket-delegation">Socket delegation&lt;/h4>
&lt;p>Let&amp;rsquo;s see how AppSwitch could help redirect connections without using iptables. Imagine that the application somehow voluntarily passes the socket FDs that it uses for its communication to the sidecar, then there would be no need for iptables. AppSwitch provides a feature called &lt;em>socket delegation&lt;/em> that does exactly that. It allows the sidecar to transparently gain access to copies of socket FDs that the application uses for its communication without any changes to the application itself.&lt;/p>
&lt;p>Here are the sequence of steps that would achieve this in the context of the Python application example.&lt;/p>
&lt;ol>
&lt;li>The application initiates a connection request to the service IP of memcached service.&lt;/li>
&lt;li>The connection request from client is forwarded to the daemon.&lt;/li>
&lt;li>The daemon creates a pair of pre-connected Unix sockets (using &lt;code>socketpair(2)&lt;/code> system call).&lt;/li>
&lt;li>It passes one end of the socket pair into the application such that the application would use that socket FD for read/write. It also ensures that the application consistently sees it as a legitimate TCP socket as it expects by interposing all calls that query connection properties.&lt;/li>
&lt;li>The other end is passed to sidecar over a different Unix socket where the daemon exposes its API. Information such as the original destination that the application was connecting to is also conveyed over the same interface.&lt;/li>
&lt;/ol>
&lt;figure style="width:50%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:22.442748091603054%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/delayering-istio/socket-delegation.png" title="Socket delegation based connection redirection">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/delayering-istio/socket-delegation.png" alt="Socket delegation protocol" />
&lt;/a>
&lt;/div>
&lt;figcaption>Socket delegation based connection redirection&lt;/figcaption>
&lt;/figure>
&lt;p>Once the application and sidecar are connected, the rest happens as usual. Sidecar would initiate a connection to upstream server and proxy data between the socket received from the daemon and the socket connected to upstream server. The main difference here is that sidecar would get the connection, not through the &lt;code>accept(2)&lt;/code> system call as it is in the normal case, but from the daemon over the Unix socket. In addition to listening for connections from applications through the normal &lt;code>accept(2)&lt;/code> channel, the sidecar proxy would connect to the AppSwitch daemons REST endpoint and receive sockets that way.&lt;/p>
&lt;p>For completeness, here are the sequence of steps that would occur on the server side:&lt;/p>
&lt;ol>
&lt;li>The application receives a connection&lt;/li>
&lt;li>AppSwitch daemon accepts the connection on behalf of the application&lt;/li>
&lt;li>It creates a pair of pre-connected Unix sockets using &lt;code>socketpair(2)&lt;/code> system call&lt;/li>
&lt;li>One end of the socket pair is returned to the application through the &lt;code>accept(2)&lt;/code> system call&lt;/li>
&lt;li>The other end of the socket pair along with the socket originally accepted by the daemon on behalf of the application is sent to sidecar&lt;/li>
&lt;li>Sidecar would extract the two socket FDs &amp;ndash; a Unix socket FD connected to the application and a TCP socket FD connected to the remote client&lt;/li>
&lt;li>Sidecar would read the metadata supplied by the daemon about the remote client and perform its usual operations&lt;/li>
&lt;/ol>
&lt;h4 id="sidecar-aware-applications">&amp;ldquo;Sidecar-aware&amp;rdquo; applications&lt;/h4>
&lt;p>Socket delegation feature can be very useful for applications that are explicitly aware of the sidecar and wish to take advantage of its features. They can voluntarily delegate their network interactions by passing their sockets to the sidecar using the same feature. In a way, AppSwitch transparently turns every application into a sidecar-aware application.&lt;/p>
&lt;h2 id="how-does-it-all-come-together">How does it all come together?&lt;/h2>
&lt;p>Just to step back, Istio offloads common connectivity concerns from applications to a sidecar proxy that performs those functions on behalf of the application. And AppSwitch simplifies and optimizes the service mesh by sidestepping intermediate layers and invoking the proxy only for cases where it is truly necessary.&lt;/p>
&lt;p>In the rest of this section, I outline how AppSwitch may be integrated with Istio based on a very cursory initial implementation. This is not intended to be anything like a design doc &amp;ndash; not every possible way of integration is explored and not every detail is worked out. The intent is to discuss high-level aspects of the implementation to present a rough idea of how the two systems may come together. The key is that AppSwitch would act as a cushion between Istio and a real proxy. It would serve as the &amp;ldquo;fast-path&amp;rdquo; for cases that can be performed more efficiently without invoking the sidecar proxy. And for the cases where the proxy is used, it would shorten the datapath by cutting through unnecessary layers. Look at this &lt;a href="http://appswitch.io/blog/kubernetes_istio_and_network_function_devirtualization_with_appswitch/">blog&lt;/a> for a more detailed walk through of the integration.&lt;/p>
&lt;h3 id="appswitch-client-injection">AppSwitch client injection&lt;/h3>
&lt;p>Similar to Istio sidecar-injector, a simple tool called &lt;code>ax-injector&lt;/code> injects AppSwitch client into a standard Kubernetes manifest. Injected client transparently monitors the application and intimates AppSwitch daemon of the control path network API events that the application produces.&lt;/p>
&lt;p>It is possible to not require the injection and work with standard Kubernetes manifests if AppSwitch CNI plugin is used. In that case, the CNI plugin would perform necessary injection when it gets the initialization callback. Using injector does have some advantages, however: (1) It works in tightly-controlled environments like GKE (2) It can be easily extended to support other frameworks such as Mesos (3) Same cluster would be able to run standard applications alongside &amp;ldquo;AppSwitch-enabled&amp;rdquo; applications.&lt;/p>
&lt;h3 id="appswitch-daemonset">AppSwitch &lt;code>DaemonSet&lt;/code>&lt;/h3>
&lt;p>AppSwitch daemon can be configured to run as a &lt;code>DaemonSet&lt;/code> or as an extension to the application that is directly injected into application manifest. In either case it handles network events coming in from the applications that it supports.&lt;/p>
&lt;h3 id="agent-for-policy-acquisition">Agent for policy acquisition&lt;/h3>
&lt;p>This is the component that conveys policy and configuration dictated by Istio to AppSwitch. It implements xDS API to listen from Pilot and calls appropriate AppSwitch APIs to program the daemon. For example, it allows the load balancing strategy, as specified by &lt;code>istioctl&lt;/code>, to be translated into equivalent AppSwitch capability.&lt;/p>
&lt;h3 id="platform-adapter-for-appswitch-auto-curated-service-registry">Platform adapter for AppSwitch &amp;ldquo;Auto-Curated&amp;rdquo; service registry&lt;/h3>
&lt;p>Given that AppSwitch is in the control path of applications network APIs, it has ready access to the topology of services across the cluster. AppSwitch exposes that information in the form of a service registry that is automatically and (almost) synchronously updated as applications and their services come and go. A new platform adapter for AppSwitch alongside Kubernetes, Eureka etc. would provide the details of upstream services to Istio. This is not strictly necessary but it does make it easier to correlate service endpoints received from Pilot by AppSwitch agent above.&lt;/p>
&lt;h3 id="proxy-integration-and-chaining">Proxy integration and chaining&lt;/h3>
&lt;p>Connections that do require deep scanning and mutation of application traffic are handed off to an external proxy through the socket delegation mechanism discussed earlier. It uses an extended version of &lt;a href="https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt">proxy protocol&lt;/a>. In addition to the simple parameters supported by the proxy protocol, a variety of other metadata (including the initial protocol headers obtained from the socket buffers) and live socket FDs (representing application connections) are forwarded to the proxy.&lt;/p>
&lt;p>The proxy can look at the metadata and decide how to proceed. It could respond by accepting the connection to do the proxying or by directing AppSwitch to allow the connection and use the fast-path or to just drop the connection.&lt;/p>
&lt;p>One of the interesting aspects of the mechanism is that, when the proxy accepts a socket from AppSwitch, it can in turn delegate the socket to another proxy. In fact that is how AppSwitch currently works. It uses a simple built-in proxy to examine the metadata and decide whether to handle the connection internally or to hand it off to an external proxy (Envoy). The same mechanism can be potentially extended to allow for a chain of plugins, each looking for a specific signature, with the last one in the chain doing the real proxy work.&lt;/p>
&lt;h2 id="it-s-not-just-about-performance">It&amp;rsquo;s not just about performance&lt;/h2>
&lt;p>Removing intermediate layers along the datapath is not just about improving performance. Performance is a great side effect, but it &lt;em>is&lt;/em> a side effect. There are a number of important advantages to an API level approach.&lt;/p>
&lt;h3 id="automatic-application-onboarding-and-policy-authoring">Automatic application onboarding and policy authoring&lt;/h3>
&lt;p>Before microservices and service mesh, traffic management was done by load balancers and access controls were enforced by firewalls. Applications were identified by IP addresses and DNS names which were relatively static. In fact, that&amp;rsquo;s still the status quo in most environments. Such environments stand to benefit immensely from service mesh. However a practical and scalable bridge to the new world needs to be provided. The difficulty in transformation is not as much due to lack of features and functionality but the investment required to rethink and reimplement the entire application infrastructure. Currently most of the policy and configuration exists in the form of load balancer and firewall rules. Somehow that existing context needs to be leveraged in providing a scalable path to adopting the service mesh model.&lt;/p>
&lt;p>AppSwitch can substantially ease the onboarding process. It can project the same network environment to the application at the target as its current source environment. Not having any assistance here is typically a non-starter in case of traditional applications which have complex configuration files with static IP addresses or specific DNS names hard-coded in them. AppSwitch could help capture those applications along with their existing configuration and connect them over a service mesh without requiring any changes.&lt;/p>
&lt;h3 id="broader-application-and-protocol-support">Broader application and protocol support&lt;/h3>
&lt;p>HTTP clearly dominates the modern application landscapes but once we talk about traditional applications and environments, we&amp;rsquo;d encounter all kinds of protocols and transports. Particularly, support for UDP becomes unavoidable. Traditional application servers such as IBM WebSphere rely extensively on UDP. Most multimedia applications use UDP media streams. Of course DNS is probably the most widely used UDP &amp;ldquo;application&amp;rdquo;. AppSwitch supports UDP at the API level much the same way as TCP and when it detects a UDP connection, it can transparently handle it in its &amp;ldquo;fast-path&amp;rdquo; rather than delegating it to the proxy.&lt;/p>
&lt;h3 id="client-ip-preservation-and-end-to-end-principle">Client IP preservation and end-to-end principle&lt;/h3>
&lt;p>The same mechanism that preserves the source network environment can also preserve client IP addresses as seen by the servers. With a sidecar proxy in place, connection requests come from the proxy rather than the client. As a result, the peer address (IP:port) of the connection as seen by the server would be that of the proxy rather than the client. AppSwitch ensures that the server sees correct address of the client, logs it correctly and any decisions made based on the client address remain valid. More generally, AppSwitch preserves the &lt;a href="https://en.wikipedia.org/wiki/End-to-end_principle">end-to-end principle&lt;/a> which is otherwise broken by intermediate layers that obfuscate the true underlying context.&lt;/p>
&lt;h3 id="enhanced-application-signal-with-access-to-encrypted-headers">Enhanced application signal with access to encrypted headers&lt;/h3>
&lt;p>Encrypted traffic completely undermines the ability of the service mesh to analyze application traffic. API level interposition could potentially offer a way around it. Current implementation of AppSwitch gains access to application&amp;rsquo;s network API at the system call level. However it is possible in principle to influence the application at an API boundary, higher in the stack where application data is not yet encrypted or already decrypted. Ultimately the data is always produced in the clear by the application and then encrypted at some point before it goes out. Since AppSwitch directly runs within the memory context of the application, it is possible to tap into the data higher on the stack where it is still held in clear. Only requirement for this to work is that the API used for encryption should be well-defined and amenable for interposition. Particularly, it requires access to the symbol table of the application binaries. Just to be clear, AppSwitch doesn&amp;rsquo;t implement this today.&lt;/p>
&lt;h2 id="so-what-s-the-net">So whats the net?&lt;/h2>
&lt;p>AppSwitch removes a number of layers and processing from the standard service mesh stack. What does all that translate to in terms of performance?&lt;/p>
&lt;p>We ran some initial experiments to characterize the extent of the opportunity for optimization based on the initial integration of AppSwitch discussed earlier. The experiments were run on GKE using &lt;code>fortio-0.11.0&lt;/code>, &lt;code>istio-0.8.0&lt;/code> and &lt;code>appswitch-0.4.0-2&lt;/code>. In case of the proxyless test, AppSwitch daemon was run as a &lt;code>DaemonSet&lt;/code> on the Kubernetes cluster and the Fortio pod spec was modified to inject AppSwitch client. These were the only two changes made to the setup. The test was configured to measure the latency of GRPC requests across 100 concurrent connections.&lt;/p>
&lt;figure style="width:100%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:54.66034755134282%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/delayering-istio/perf.png" title="Latency with and without AppSwitch">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/delayering-istio/perf.png" alt="Performance comparison" />
&lt;/a>
&lt;/div>
&lt;figcaption>Latency with and without AppSwitch&lt;/figcaption>
&lt;/figure>
&lt;p>Initial results indicate a difference of over 18x in p50 latency with and without AppSwitch (3.99ms vs 72.96ms). The difference was around 8x when mixer and access logs were disabled. Clearly the difference was due to sidestepping all those intermediate layers along the datapath. Unix socket optimization wasn&amp;rsquo;t triggered in case of AppSwitch because client and server pods were scheduled to separate hosts. End-to-end latency of AppSwitch case would have been even lower if the client and server happened to be colocated. Essentially the client and server running in their respective pods of the Kubernetes cluster are directly connected over a TCP socket going over the GKE network &amp;ndash; no tunneling, bridge or proxies.&lt;/p>
&lt;h2 id="net-net">Net Net&lt;/h2>
&lt;p>I started out with David Wheeler&amp;rsquo;s seemingly reasonable quote that says adding another layer is not a solution for the problem of too many layers. And I argued through most of the blog that current network stack already has too many layers and that they should be removed. But isn&amp;rsquo;t AppSwitch itself a layer?&lt;/p>
&lt;p>Yes, AppSwitch is clearly another layer. However it is one that can remove multiple other layers. In doing so, it seamlessly glues the new service mesh layer with existing layers of traditional network environments. It offsets the cost of sidecar proxy and as Istio graduates to 1.0, it provides a bridge for existing applications and their network environments to transition to the new world of service mesh.&lt;/p>
&lt;p>Perhaps Wheelers quote should read:&lt;/p>
&lt;div>
&lt;aside class="callout quote">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-quote"/>&lt;/svg>
&lt;/div>
&lt;div class="content">All problems in computer science can be solved with another layer, &lt;strong>even&lt;/strong> the problem of too many layers!&lt;/div>
&lt;/aside>
&lt;/div>
&lt;h2 id="acknowledgements">Acknowledgements&lt;/h2>
&lt;p>Thanks to Mandar Jog (Google) for several discussions about the value of AppSwitch for Istio and to the following individuals (in alphabetical order) for their review of early drafts of this blog.&lt;/p>
&lt;ul>
&lt;li>Frank Budinsky (IBM)&lt;/li>
&lt;li>Lin Sun (IBM)&lt;/li>
&lt;li>Shriram Rajagopalan (VMware)&lt;/li>
&lt;/ul></description><pubDate>Mon, 30 Jul 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/delayering-istio/</link><author>Dinesh Subhraveti (AppOrbit and Columbia University)</author><guid isPermaLink="true">/v1.5/blog/2018/delayering-istio/</guid><category>appswitch</category><category>performance</category></item><item><title>Micro-Segmentation with Istio Authorization</title><description>
&lt;p>Micro-segmentation is a security technique that creates secure zones in cloud deployments and allows organizations to
isolate workloads from one another and secure them individually.
&lt;a href="/v1.5/docs/concepts/security/#authorization">Istio&amp;rsquo;s authorization feature&lt;/a>, also known as Istio Role Based Access Control,
provides micro-segmentation for services in an Istio mesh. It features:&lt;/p>
&lt;ul>
&lt;li>Authorization at different levels of granularity, including namespace level, service level, and method level.&lt;/li>
&lt;li>Service-to-service and end-user-to-service authorization.&lt;/li>
&lt;li>High performance, as it is enforced natively on Envoy.&lt;/li>
&lt;li>Role-based semantics, which makes it easy to use.&lt;/li>
&lt;li>High flexibility as it allows users to define conditions using
&lt;a href="/v1.5/docs/reference/config/security/constraints-and-properties/">combinations of attributes&lt;/a>.&lt;/li>
&lt;/ul>
&lt;p>In this blog post, you&amp;rsquo;ll learn about the main authorization features and how to use them in different situations.&lt;/p>
&lt;h2 id="characteristics">Characteristics&lt;/h2>
&lt;h3 id="rpc-level-authorization">RPC level authorization&lt;/h3>
&lt;p>Authorization is performed at the level of individual RPCs. Specifically, it controls &amp;ldquo;who can access my &lt;code>bookstore&lt;/code> service”,
or &amp;ldquo;who can access method &lt;code>getBook&lt;/code> in my &lt;code>bookstore&lt;/code> service”. It is not designed to control access to application-specific
resource instances, like access to &amp;ldquo;storage bucket X” or access to &amp;ldquo;3rd book on 2nd shelf”. Today this kind of application
specific access control logic needs to be handled by the application itself.&lt;/p>
&lt;h3 id="role-based-access-control-with-conditions">Role-based access control with conditions&lt;/h3>
&lt;p>Authorization is a &lt;a href="https://en.wikipedia.org/wiki/Role-based_access_control">role-based access control (RBAC)&lt;/a> system,
contrast this to an &lt;a href="https://en.wikipedia.org/wiki/Attribute-based_access_control">attribute-based access control (ABAC)&lt;/a>
system. Compared to ABAC, RBAC has the following advantages:&lt;/p>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Roles allow grouping of attributes.&lt;/strong> Roles are groups of permissions, which specifies the actions you are allowed
to perform on a system. Users are grouped based on the roles within an organization. You can define the roles and reuse
them for different cases.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>It is easier to understand and reason about who has access.&lt;/strong> The RBAC concepts map naturally to business concepts.
For example, a DB admin may have all access to DB backend services, while a web client may only be able to view the
frontend service.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>It reduces unintentional errors.&lt;/strong> RBAC policies make otherwise complex security changes easier. You won&amp;rsquo;t have
duplicate configurations in multiple places and later forget to update some of them when you need to make changes.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>On the other hand, Istio&amp;rsquo;s authorization system is not a traditional RBAC system. It also allows users to define &lt;strong>conditions&lt;/strong> using
&lt;a href="/v1.5/docs/reference/config/security/constraints-and-properties/">combinations of attributes&lt;/a>. This gives Istio
flexibility to express complex access control policies. In fact, &lt;strong>the &amp;ldquo;RBAC + conditions” model
that Istio authorization adopts, has all the benefits an RBAC system has, and supports the level of flexibility that
normally an ABAC system provides.&lt;/strong> You&amp;rsquo;ll see some &lt;a href="#examples">examples&lt;/a> below.&lt;/p>
&lt;h3 id="high-performance">High performance&lt;/h3>
&lt;p>Because of its simple semantics, Istio authorization is enforced on Envoy as a native authorization support. At runtime, the
authorization decision is completely done locally inside an Envoy filter, without dependency to any external module.
This allows Istio authorization to achieve high performance and availability.&lt;/p>
&lt;h3 id="work-with-without-primary-identities">Work with/without primary identities&lt;/h3>
&lt;p>Like any other RBAC system, Istio authorization is identity aware. In Istio authorization policy, there is a primary
identity called &lt;code>user&lt;/code>, which represents the principal of the client.&lt;/p>
&lt;p>In addition to the primary identity, you can also specify any conditions that define the identities. For example,
you can specify the client identity as &amp;ldquo;user Alice calling from Bookstore frontend service”, in which case,
you have a combined identity of the calling service (&lt;code>Bookstore frontend&lt;/code>) and the end user (&lt;code>Alice&lt;/code>).&lt;/p>
&lt;p>To improve security, you should enable &lt;a href="/v1.5/docs/concepts/security/#authentication">authentication features&lt;/a>,
and use authenticated identities in authorization policies. However, strongly authenticated identity is not required
for using authorization. Istio authorization works with or without identities. If you are working with a legacy system,
you may not have mutual TLS or JWT authentication setup for your mesh. In this case, the only way to identify the client is, for example,
through IP. You can still use Istio authorization to control which IP addresses or IP ranges are allowed to access your service.&lt;/p>
&lt;h2 id="examples">Examples&lt;/h2>
&lt;p>The &lt;a href="/v1.5/docs/tasks/security/authorization/authz-http/">authorization task&lt;/a> shows you how to
use Istio&amp;rsquo;s authorization feature to control namespace level and service level access using the
&lt;a href="/v1.5/docs/examples/bookinfo/">Bookinfo application&lt;/a>. In this section, you&amp;rsquo;ll see more examples on how to achieve
micro-segmentation with Istio authorization.&lt;/p>
&lt;h3 id="namespace-level-segmentation-via-rbac-conditions">Namespace level segmentation via RBAC + conditions&lt;/h3>
&lt;p>Suppose you have services in the &lt;code>frontend&lt;/code> and &lt;code>backend&lt;/code> namespaces. You would like to allow all your services
in the &lt;code>frontend&lt;/code> namespace to access all services that are marked &lt;code>external&lt;/code> in the &lt;code>backend&lt;/code> namespace.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ServiceRole
metadata:
name: external-api-caller
namespace: backend
spec:
rules:
- services: [&amp;#34;*&amp;#34;]
methods: [&amp;#34;*”]
constraints:
- key: &amp;#34;destination.labels[visibility]”
values: [&amp;#34;external&amp;#34;]
---
apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ServiceRoleBinding
metadata:
name: external-api-caller
namespace: backend
spec:
subjects:
- properties:
source.namespace: &amp;#34;frontend”
roleRef:
kind: ServiceRole
name: &amp;#34;external-api-caller&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>The &lt;code>ServiceRole&lt;/code> and &lt;code>ServiceRoleBinding&lt;/code> above expressed &amp;ldquo;&lt;em>who&lt;/em> is allowed to do &lt;em>what&lt;/em> under *which conditions*”
(RBAC + conditions). Specifically:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>&amp;ldquo;who”&lt;/strong> are the services in the &lt;code>frontend&lt;/code> namespace.&lt;/li>
&lt;li>&lt;strong>&amp;ldquo;what”&lt;/strong> is to call services in &lt;code>backend&lt;/code> namespace.&lt;/li>
&lt;li>&lt;strong>&amp;ldquo;conditions”&lt;/strong> is the &lt;code>visibility&lt;/code> label of the destination service having the value &lt;code>external&lt;/code>.&lt;/li>
&lt;/ul>
&lt;h3 id="service-method-level-isolation-with-without-primary-identities">Service/method level isolation with/without primary identities&lt;/h3>
&lt;p>Here is another example that demonstrates finer grained access control at service/method level. The first step
is to define a &lt;code>book-reader&lt;/code> service role that allows READ access to &lt;code>/books/*&lt;/code> resource in &lt;code>bookstore&lt;/code> service.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ServiceRole
metadata:
name: book-reader
namespace: default
spec:
rules:
- services: [&amp;#34;bookstore.default.svc.cluster.local&amp;#34;]
paths: [&amp;#34;/books/*”]
methods: [&amp;#34;GET”]
&lt;/code>&lt;/pre>
&lt;h4 id="using-authenticated-client-identities">Using authenticated client identities&lt;/h4>
&lt;p>Suppose you want to grant this &lt;code>book-reader&lt;/code> role to your &lt;code>bookstore-frontend&lt;/code> service. If you have enabled
&lt;a href="/v1.5/docs/concepts/security/#mutual-tls-authentication">mutual TLS authentication&lt;/a> for your mesh, you can use a
service account to identify your &lt;code>bookstore-frontend&lt;/code> service. Granting the &lt;code>book-reader&lt;/code> role to the &lt;code>bookstore-frontend&lt;/code>
service can be done by creating a &lt;code>ServiceRoleBinding&lt;/code> as shown below:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ServiceRoleBinding
metadata:
name: book-reader
namespace: default
spec:
subjects:
- user: &amp;#34;cluster.local/ns/default/sa/bookstore-frontend”
roleRef:
kind: ServiceRole
name: &amp;#34;book-reader&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>You may want to restrict this further by adding a condition that &amp;ldquo;only users who belong to the &lt;code>qualified-reviewer&lt;/code> group are
allowed to read books”. The &lt;code>qualified-reviewer&lt;/code> group is the end user identity that is authenticated by
&lt;a href="/v1.5/docs/concepts/security/#authentication">JWT authentication&lt;/a>. In this case, the combination of the client service identity
(&lt;code>bookstore-frontend&lt;/code>) and the end user identity (&lt;code>qualified-reviewer&lt;/code>) is used in the authorization policy.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ServiceRoleBinding
metadata:
name: book-reader
namespace: default
spec:
subjects:
- user: &amp;#34;cluster.local/ns/default/sa/bookstore-frontend”
properties:
request.auth.claims[group]: &amp;#34;qualified-reviewer”
roleRef:
kind: ServiceRole
name: &amp;#34;book-reader&amp;#34;
&lt;/code>&lt;/pre>
&lt;h4 id="client-does-not-have-identity">Client does not have identity&lt;/h4>
&lt;p>Using authenticated identities in authorization policies is strongly recommended for security. However, if you have a
legacy system that does not support authentication, you may not have authenticated identities for your services.
You can still use Istio authorization to protect your services even without authenticated identities. The example below
shows that you can specify allowed source IP range in your authorization policy.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;rbac.istio.io/v1alpha1&amp;#34;
kind: ServiceRoleBinding
metadata:
name: book-reader
namespace: default
spec:
subjects:
- properties:
source.ip: 10.20.0.0/9
roleRef:
kind: ServiceRole
name: &amp;#34;book-reader&amp;#34;
&lt;/code>&lt;/pre>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>Istios authorization feature provides authorization at namespace-level, service-level, and method-level granularity.
It adopts &amp;ldquo;RBAC + conditions” model, which makes it easy to use and understand as an RBAC system, while providing the level of
flexibility that an ABAC system normally provides. Istio authorization achieves high performance as it is enforced
natively on Envoy. While it provides the best security by working together with
&lt;a href="/v1.5/docs/concepts/security/#authentication">Istio authentication features&lt;/a>, Istio authorization can also be used to
provide access control for legacy systems that do not have authentication.&lt;/p></description><pubDate>Fri, 20 Jul 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/istio-authorization/</link><author>Limin Wang</author><guid isPermaLink="true">/v1.5/blog/2018/istio-authorization/</guid><category>authorization</category><category>rbac</category><category>security</category></item><item><title>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</title><description>
&lt;p>This post shows how to direct Istio logs to &lt;a href="https://cloud.google.com/stackdriver/">Stackdriver&lt;/a>
and export those logs to various configured sinks such as such as
&lt;a href="https://cloud.google.com/bigquery/">BigQuery&lt;/a>, &lt;a href="https://cloud.google.com/storage/">Google Cloud Storage&lt;/a>
or &lt;a href="https://cloud.google.com/pubsub/">Cloud Pub/Sub&lt;/a>. At the end of this post you can perform
analytics on Istio data from your favorite places such as BigQuery, GCS or Cloud Pub/Sub.&lt;/p>
&lt;p>The &lt;a href="/v1.5/docs/examples/bookinfo/">Bookinfo&lt;/a> sample application is used as the example
application throughout this task.&lt;/p>
&lt;h2 id="before-you-begin">Before you begin&lt;/h2>
&lt;p>&lt;a href="/v1.5/docs/setup/">Install Istio&lt;/a> in your cluster and deploy an application.&lt;/p>
&lt;h2 id="configuring-istio-to-export-logs">Configuring Istio to export logs&lt;/h2>
&lt;p>Istio exports logs using the &lt;code>logentry&lt;/code> &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/templates/logentry">template&lt;/a>.
This specifies all the variables that are available for analysis. It
contains information like source service, destination service, auth
metrics (coming..) among others. Following is a diagram of the pipeline:&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/export-logs-through-stackdriver/istio-analytics-using-stackdriver.png" title="Exporting logs from Istio to Stackdriver for analysis">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/export-logs-through-stackdriver/istio-analytics-using-stackdriver.png" alt="Exporting logs from Istio to Stackdriver for analysis" />
&lt;/a>
&lt;/div>
&lt;figcaption>Exporting logs from Istio to Stackdriver for analysis&lt;/figcaption>
&lt;/figure>
&lt;p>Istio supports exporting logs to Stackdriver which can in turn be configured to export
logs to your favorite sink like BigQuery, Pub/Sub or GCS. Please follow the steps
below to setup your favorite sink for exporting logs first and then Stackdriver
in Istio.&lt;/p>
&lt;h3 id="setting-up-various-log-sinks">Setting up various log sinks&lt;/h3>
&lt;p>Common setup for all sinks:&lt;/p>
&lt;ol>
&lt;li>Enable &lt;a href="https://cloud.google.com/monitoring/api/enable-api">Stackdriver Monitoring API&lt;/a> for the project.&lt;/li>
&lt;li>Make sure &lt;code>principalEmail&lt;/code> that would be setting up the sink has write access to the project and Logging Admin role permissions.&lt;/li>
&lt;li>Make sure the &lt;code>GOOGLE_APPLICATION_CREDENTIALS&lt;/code> environment variable is set. Please follow instructions &lt;a href="https://cloud.google.com/docs/authentication/getting-started">here&lt;/a> to set it up.&lt;/li>
&lt;/ol>
&lt;h4 id="bigquery">BigQuery&lt;/h4>
&lt;ol>
&lt;li>&lt;a href="https://cloud.google.com/bigquery/docs/datasets">Create a BigQuery dataset&lt;/a> as a destination for the logs export.&lt;/li>
&lt;li>Record the ID of the dataset. It will be needed to configure the Stackdriver handler.
It would be of the form &lt;code>bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]&lt;/code>&lt;/li>
&lt;li>Give &lt;a href="https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination">sinks writer identity&lt;/a>: &lt;code>cloud-logs@system.gserviceaccount.com&lt;/code> BigQuery Data Editor role in IAM.&lt;/li>
&lt;li>If using &lt;a href="/v1.5/docs/setup/platform-setup/gke/">Google Kubernetes Engine&lt;/a>, make sure &lt;code>bigquery&lt;/code> &lt;a href="https://cloud.google.com/sdk/gcloud/reference/container/clusters/create">Scope&lt;/a> is enabled on the cluster.&lt;/li>
&lt;/ol>
&lt;h4 id="google-cloud-storage-gcs">Google Cloud Storage (GCS)&lt;/h4>
&lt;ol>
&lt;li>&lt;a href="https://cloud.google.com/storage/docs/creating-buckets">Create a GCS bucket&lt;/a> where you would like logs to get exported in GCS.&lt;/li>
&lt;li>Recode the ID of the bucket. It will be needed to configure Stackdriver.
It would be of the form &lt;code>storage.googleapis.com/[BUCKET_ID]&lt;/code>&lt;/li>
&lt;li>Give &lt;a href="https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination">sinks writer identity&lt;/a>: &lt;code>cloud-logs@system.gserviceaccount.com&lt;/code> Storage Object Creator role in IAM.&lt;/li>
&lt;/ol>
&lt;h4 id="google-cloud-pub-sub">Google Cloud Pub/Sub&lt;/h4>
&lt;ol>
&lt;li>&lt;a href="https://cloud.google.com/pubsub/docs/admin">Create a topic&lt;/a> where you would like logs to get exported in Google Cloud Pub/Sub.&lt;/li>
&lt;li>Recode the ID of the topic. It will be needed to configure Stackdriver.
It would be of the form &lt;code>pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]&lt;/code>&lt;/li>
&lt;li>Give &lt;a href="https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination">sinks writer identity&lt;/a>: &lt;code>cloud-logs@system.gserviceaccount.com&lt;/code> Pub/Sub Publisher role in IAM.&lt;/li>
&lt;li>If using &lt;a href="/v1.5/docs/setup/platform-setup/gke/">Google Kubernetes Engine&lt;/a>, make sure &lt;code>pubsub&lt;/code> &lt;a href="https://cloud.google.com/sdk/gcloud/reference/container/clusters/create">Scope&lt;/a> is enabled on the cluster.&lt;/li>
&lt;/ol>
&lt;h3 id="setting-up-stackdriver">Setting up Stackdriver&lt;/h3>
&lt;p>A Stackdriver handler must be created to export data to Stackdriver. The configuration for
a Stackdriver handler is described &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/stackdriver/">here&lt;/a>.&lt;/p>
&lt;ol>
&lt;li>&lt;p>Save the following yaml file as &lt;code>stackdriver.yaml&lt;/code>. Replace &lt;code>&amp;lt;project_id&amp;gt;,
&amp;lt;sink_id&amp;gt;, &amp;lt;sink_destination&amp;gt;, &amp;lt;log_filter&amp;gt;&lt;/code> with their specific values.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: stackdriver
metadata:
name: handler
namespace: istio-system
spec:
# We&amp;#39;ll use the default value from the adapter, once per minute, so we don&amp;#39;t need to supply a value.
# pushInterval: 1m
# Must be supplied for the Stackdriver adapter to work
project_id: &amp;#34;&amp;lt;project_id&amp;gt;&amp;#34;
# One of the following must be set; the preferred method is `appCredentials`, which corresponds to
# Google Application Default Credentials.
# If none is provided we default to app credentials.
# appCredentials:
# apiKey:
# serviceAccountPath:
# Describes how to map Istio logs into Stackdriver.
logInfo:
accesslog.logentry.istio-system:
payloadTemplate: &amp;#39;{{or (.sourceIp) &amp;#34;-&amp;#34;}} - {{or (.sourceUser) &amp;#34;-&amp;#34;}} [{{or (.timestamp.Format &amp;#34;02/Jan/2006:15:04:05 -0700&amp;#34;) &amp;#34;-&amp;#34;}}] &amp;#34;{{or (.method) &amp;#34;-&amp;#34;}} {{or (.url) &amp;#34;-&amp;#34;}} {{or (.protocol) &amp;#34;-&amp;#34;}}&amp;#34; {{or (.responseCode) &amp;#34;-&amp;#34;}} {{or (.responseSize) &amp;#34;-&amp;#34;}}&amp;#39;
httpMapping:
url: url
status: responseCode
requestSize: requestSize
responseSize: responseSize
latency: latency
localIp: sourceIp
remoteIp: destinationIp
method: method
userAgent: userAgent
referer: referer
labelNames:
- sourceIp
- destinationIp
- sourceService
- sourceUser
- sourceNamespace
- destinationIp
- destinationService
- destinationNamespace
- apiClaims
- apiKey
- protocol
- method
- url
- responseCode
- responseSize
- requestSize
- latency
- connectionMtls
- userAgent
- responseTimestamp
- receivedBytes
- sentBytes
- referer
sinkInfo:
id: &amp;#39;&amp;lt;sink_id&amp;gt;&amp;#39;
destination: &amp;#39;&amp;lt;sink_destination&amp;gt;&amp;#39;
filter: &amp;#39;&amp;lt;log_filter&amp;gt;&amp;#39;
---
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: rule
metadata:
name: stackdriver
namespace: istio-system
spec:
match: &amp;#34;true&amp;#34; # If omitted match is true.
actions:
- handler: handler.stackdriver
instances:
- accesslog.logentry
---
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Push the configuration&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f stackdriver.yaml
stackdriver &amp;#34;handler&amp;#34; created
rule &amp;#34;stackdriver&amp;#34; created
logentry &amp;#34;stackdriverglobalmr&amp;#34; created
metric &amp;#34;stackdriverrequestcount&amp;#34; created
metric &amp;#34;stackdriverrequestduration&amp;#34; created
metric &amp;#34;stackdriverrequestsize&amp;#34; created
metric &amp;#34;stackdriverresponsesize&amp;#34; created
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Send traffic to the sample application.&lt;/p>
&lt;p>For the Bookinfo sample, visit &lt;code>http://$GATEWAY_URL/productpage&lt;/code> in your web
browser or issue the following command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl http://$GATEWAY_URL/productpage
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Verify that logs are flowing through Stackdriver to the configured sink.&lt;/p>
&lt;ul>
&lt;li>Stackdriver: Navigate to the &lt;a href="https://pantheon.corp.google.com/logs/viewer">Stackdriver Logs
Viewer&lt;/a> for your project
and look under &amp;ldquo;GKE Container&amp;rdquo; -&amp;gt; &amp;ldquo;Cluster Name&amp;rdquo; -&amp;gt; &amp;ldquo;Namespace Id&amp;rdquo; for
Istio Access logs.&lt;/li>
&lt;li>BigQuery: Navigate to the &lt;a href="https://bigquery.cloud.google.com/">BigQuery
Interface&lt;/a> for your project and you
should find a table with prefix &lt;code>accesslog_logentry_istio&lt;/code> in your sink
dataset.&lt;/li>
&lt;li>GCS: Navigate to the &lt;a href="https://pantheon.corp.google.com/storage/browser/">Storage
Browser&lt;/a> for your
project and you should find a bucket named
&lt;code>accesslog.logentry.istio-system&lt;/code> in your sink bucket.&lt;/li>
&lt;li>Pub/Sub: Navigate to the &lt;a href="https://pantheon.corp.google.com/cloudpubsub/topicList">Pub/Sub
Topic List&lt;/a> for
your project and you should find a topic for &lt;code>accesslog&lt;/code> in your sink
topic.&lt;/li>
&lt;/ul>&lt;/li>
&lt;/ol>
&lt;h2 id="understanding-what-happened">Understanding what happened&lt;/h2>
&lt;p>&lt;code>Stackdriver.yaml&lt;/code> file above configured Istio to send access logs to
Stackdriver and then added a sink configuration where these logs could be
exported. In detail as follows:&lt;/p>
&lt;ol>
&lt;li>&lt;p>Added a handler of kind &lt;code>stackdriver&lt;/code>&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: stackdriver
metadata:
name: handler
namespace: &amp;lt;your defined namespace&amp;gt;
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Added &lt;code>logInfo&lt;/code> in spec&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >spec:
logInfo: accesslog.logentry.istio-system:
labelNames:
- sourceIp
- destinationIp
...
...
sinkInfo:
id: &amp;#39;&amp;lt;sink_id&amp;gt;&amp;#39;
destination: &amp;#39;&amp;lt;sink_destination&amp;gt;&amp;#39;
filter: &amp;#39;&amp;lt;log_filter&amp;gt;&amp;#39;
&lt;/code>&lt;/pre>
&lt;p>In the above configuration sinkInfo contains information about the sink where you want
the logs to get exported to. For more information on how this gets filled for different sinks please refer
&lt;a href="https://cloud.google.com/logging/docs/export/#sink-terms">here&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Added a rule for Stackdriver&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: rule
metadata:
name: stackdriver
namespace: istio-system spec:
match: &amp;#34;true&amp;#34; # If omitted match is true
actions:
- handler: handler.stackdriver
instances:
- accesslog.logentry
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;h2 id="cleanup">Cleanup&lt;/h2>
&lt;ul>
&lt;li>&lt;p>Remove the new Stackdriver configuration:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f stackdriver.yaml
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>If you are not planning to explore any follow-on tasks, refer to the
&lt;a href="/v1.5/docs/examples/bookinfo/#cleanup">Bookinfo cleanup&lt;/a> instructions to shutdown
the application.&lt;/p>&lt;/li>
&lt;/ul>
&lt;h2 id="availability-of-logs-in-export-sinks">Availability of logs in export sinks&lt;/h2>
&lt;p>Export to BigQuery is within minutes (we see it to be almost instant), GCS can
have a delay of 2 to 12 hours and Pub/Sub is almost immediately.&lt;/p></description><pubDate>Mon, 09 Jul 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/export-logs-through-stackdriver/</link><author>Nupur Garg and Douglas Reid</author><guid isPermaLink="true">/v1.5/blog/2018/export-logs-through-stackdriver/</guid></item><item><title>Monitoring and Access Policies for HTTP Egress Traffic</title><description>
&lt;p>While Istio&amp;rsquo;s main focus is management of traffic between microservices inside a service mesh, Istio can also manage
ingress (from outside into the mesh) and egress (from the mesh outwards) traffic. Istio can uniformly enforce access
policies and aggregate telemetry data for mesh-internal, ingress and egress traffic.&lt;/p>
&lt;p>In this blog post, we show how to apply monitoring and access policies to HTTP egress traffic with Istio.&lt;/p>
&lt;h2 id="use-case">Use case&lt;/h2>
&lt;p>Consider an organization that runs applications that process content from &lt;em>cnn.com&lt;/em>. The applications are decomposed
into microservices deployed in an Istio service mesh. The applications access pages of various topics from &lt;em>cnn.com&lt;/em>: &lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a>, &lt;a href="https://edition.cnn.com/sport">edition.cnn.com/sport&lt;/a> and &lt;a href="https://edition.cnn.com/health">edition.cnn.com/health&lt;/a>. The organization &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/">configures Istio to allow access to edition.cnn.com&lt;/a> and everything works fine. However, at some
point in time, the organization decides to banish politics. Practically, it means blocking access to
&lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a> and allowing access to
&lt;a href="https://edition.cnn.com/sport">edition.cnn.com/sport&lt;/a> and &lt;a href="https://edition.cnn.com/health">edition.cnn.com/health&lt;/a>
only. The organization will grant permissions to individual applications and to particular users to access &lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a>, on a case-by-case basis.&lt;/p>
&lt;p>To achieve that goal, the organization&amp;rsquo;s operations people monitor access to the external services and
analyze Istio logs to verify that no unauthorized request was sent to
&lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a>. They also configure Istio to prevent access to
&lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a> automatically.&lt;/p>
&lt;p>The organization is resolved to prevent any tampering with the new policy. It decides to put mechanisms in place that
will prevent any possibility for a malicious application to access the forbidden topic.&lt;/p>
&lt;h2 id="related-tasks-and-examples">Related tasks and examples&lt;/h2>
&lt;ul>
&lt;li>The &lt;a href="/v1.5/docs/tasks/traffic-management/egress/">Control Egress Traffic&lt;/a> task demonstrates how external (outside the
Kubernetes cluster) HTTP and HTTPS services can be accessed by applications inside the mesh.&lt;/li>
&lt;li>The &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/">Configure an Egress Gateway&lt;/a> example describes how to configure
Istio to direct egress traffic through a dedicated gateway service called &lt;em>egress gateway&lt;/em>.&lt;/li>
&lt;li>The &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/">Egress Gateway with TLS Origination&lt;/a> example
demonstrates how to allow applications to send HTTP requests to external servers that require HTTPS, while directing
traffic through egress gateway.&lt;/li>
&lt;li>The &lt;a href="/v1.5/docs/tasks/observability/mixer/metrics/collecting-metrics/">Collecting Metrics&lt;/a> task describes how to configure metrics for services in a mesh.&lt;/li>
&lt;li>The &lt;a href="/v1.5/docs/tasks/observability/metrics/using-istio-dashboard/">Visualizing Metrics with Grafana&lt;/a>
describes the Istio Dashboard to monitor mesh traffic.&lt;/li>
&lt;li>The &lt;a href="/v1.5/docs/tasks/policy-enforcement/denial-and-list/">Basic Access Control&lt;/a> task shows how to control access to
in-mesh services.&lt;/li>
&lt;li>The &lt;a href="/v1.5/docs/tasks/policy-enforcement/denial-and-list/">Denials and White/Black Listing&lt;/a> task shows how to configure
access policies using black or white list checkers.&lt;/li>
&lt;/ul>
&lt;p>As opposed to the observability and security tasks above, this blog post describes Istio&amp;rsquo;s monitoring and access policies
applied exclusively to the egress traffic.&lt;/p>
&lt;h2 id="before-you-begin">Before you begin&lt;/h2>
&lt;p>Follow the steps in the &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/">Egress Gateway with TLS Origination&lt;/a> example, &lt;strong>with mutual TLS authentication enabled&lt;/strong>, without
the &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway-tls-origination//#cleanup">Cleanup&lt;/a> step.
After completing that example, you can access &lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a> from an in-mesh container with &lt;code>curl&lt;/code> installed. This blog post assumes that the &lt;code>SOURCE_POD&lt;/code> environment variable contains the source pod&amp;rsquo;s name and that the container&amp;rsquo;s name is &lt;code>sleep&lt;/code>.&lt;/p>
&lt;h2 id="configure-monitoring-and-access-policies">Configure monitoring and access policies&lt;/h2>
&lt;p>Since you want to accomplish your tasks in a &lt;em>secure way&lt;/em>, you should direct egress traffic through
&lt;em>egress gateway&lt;/em>, as described in the &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/">Egress Gateway with TLS Origination&lt;/a>
task. The &lt;em>secure way&lt;/em> here means that you want to prevent malicious applications from bypassing Istio monitoring and
policy enforcement.&lt;/p>
&lt;p>According to our scenario, the organization performed the instructions in the
&lt;a href="#before-you-begin">Before you begin&lt;/a> section, enabled HTTP traffic to &lt;em>edition.cnn.com&lt;/em>, and configured that traffic
to pass through the egress gateway. The egress gateway performs TLS origination to &lt;em>edition.cnn.com&lt;/em>, so the traffic
leaves the mesh encrypted. At this point, the organization is ready to configure Istio to monitor and apply access policies for
the traffic to &lt;em>edition.cnn.com&lt;/em>.&lt;/p>
&lt;h3 id="logging">Logging&lt;/h3>
&lt;p>Configure Istio to log access to &lt;em>*.cnn.com&lt;/em>. You create a &lt;code>logentry&lt;/code> and two
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/stdio/">stdio&lt;/a> &lt;code>handlers&lt;/code>, one for logging forbidden access
(&lt;em>error&lt;/em> log level) and another one for logging all access to &lt;em>*.cnn.com&lt;/em> (&lt;em>info&lt;/em> log level). Then you create &lt;code>rules&lt;/code> to
direct your &lt;code>logentry&lt;/code> instances to your &lt;code>handlers&lt;/code>. One rule directs access to &lt;em>*.cnn.com/politics&lt;/em> to the handler for
logging forbidden access, another rule directs log entries to the handler that outputs each access to &lt;em>*.cnn.com&lt;/em> as an
&lt;em>info&lt;/em> log entry. To understand the Istio &lt;code>logentries&lt;/code>, &lt;code>rules&lt;/code>, and &lt;code>handlers&lt;/code>, see
&lt;a href="/v1.5/blog/2017/adapter-model/">Istio Adapter Model&lt;/a>. A diagram with the involved entities and dependencies between them
appears below:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:46.46700562636976%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring.svg" title="Instances, rules and handlers for egress monitoring">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring.svg" alt="Instances, rules and handlers for egress monitoring" />
&lt;/a>
&lt;/div>
&lt;figcaption>Instances, rules and handlers for egress monitoring&lt;/figcaption>
&lt;/figure>
&lt;ol>
&lt;li>&lt;p>Create the &lt;code>logentry&lt;/code>, &lt;code>rules&lt;/code> and &lt;code>handlers&lt;/code>. Note that you specify &lt;code>context.reporter.uid&lt;/code> as
&lt;code>kubernetes://istio-egressgateway&lt;/code> in the rules to get logs from the egress gateway only.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
# Log entry for egress access
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: logentry
metadata:
name: egress-access
namespace: istio-system
spec:
severity: &amp;#39;&amp;#34;info&amp;#34;&amp;#39;
timestamp: request.time
variables:
destination: request.host | &amp;#34;unknown&amp;#34;
path: request.path | &amp;#34;unknown&amp;#34;
responseCode: response.code | 0
responseSize: response.size | 0
reporterUID: context.reporter.uid | &amp;#34;unknown&amp;#34;
sourcePrincipal: source.principal | &amp;#34;unknown&amp;#34;
monitored_resource_type: &amp;#39;&amp;#34;UNSPECIFIED&amp;#34;&amp;#39;
---
# Handler for error egress access entries
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: stdio
metadata:
name: egress-error-logger
namespace: istio-system
spec:
severity_levels:
info: 2 # output log level as error
outputAsJson: true
---
# Rule to handle access to *.cnn.com/politics
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: rule
metadata:
name: handle-politics
namespace: istio-system
spec:
match: request.host.endsWith(&amp;#34;cnn.com&amp;#34;) &amp;amp;&amp;amp; request.path.startsWith(&amp;#34;/politics&amp;#34;) &amp;amp;&amp;amp; context.reporter.uid.startsWith(&amp;#34;kubernetes://istio-egressgateway&amp;#34;)
actions:
- handler: egress-error-logger.stdio
instances:
- egress-access.logentry
---
# Handler for info egress access entries
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: stdio
metadata:
name: egress-access-logger
namespace: istio-system
spec:
severity_levels:
info: 0 # output log level as info
outputAsJson: true
---
# Rule to handle access to *.cnn.com
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: rule
metadata:
name: handle-cnn-access
namespace: istio-system
spec:
match: request.host.endsWith(&amp;#34;.cnn.com&amp;#34;) &amp;amp;&amp;amp; context.reporter.uid.startsWith(&amp;#34;kubernetes://istio-egressgateway&amp;#34;)
actions:
- handler: egress-access-logger.stdio
instances:
- egress-access.logentry
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Send three HTTP requests to &lt;em>cnn.com&lt;/em>, to &lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a>, &lt;a href="https://edition.cnn.com/sport">edition.cnn.com/sport&lt;/a> and &lt;a href="https://edition.cnn.com/health">edition.cnn.com/health&lt;/a>.
All three should return &lt;em>200 OK&lt;/em>.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c &amp;#39;curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/health&amp;#39;
200
200
200
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Query the Mixer log and see that the information about the requests appears in the log:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
{&amp;#34;level&amp;#34;:&amp;#34;info&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T07:43:24.611462Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/politics&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:200,&amp;#34;responseSize&amp;#34;:1883355,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;}
{&amp;#34;level&amp;#34;:&amp;#34;info&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T07:43:24.886316Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/sport&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:200,&amp;#34;responseSize&amp;#34;:2094561,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;}
{&amp;#34;level&amp;#34;:&amp;#34;info&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T07:43:25.369663Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/health&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:200,&amp;#34;responseSize&amp;#34;:2157009,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;}
{&amp;#34;level&amp;#34;:&amp;#34;error&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T07:43:24.611462Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/politics&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:200,&amp;#34;responseSize&amp;#34;:1883355,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;}
&lt;/code>&lt;/pre>
&lt;p>You see four log entries related to your three requests. Three &lt;em>info&lt;/em> entries about the access to &lt;em>edition.cnn.com&lt;/em>
and one &lt;em>error&lt;/em> entry about the access to &lt;em>edition.cnn.com/politics&lt;/em>. The service mesh operators can see all the
access instances, and can also search the log for &lt;em>error&lt;/em> log entries that represent forbidden accesses. This is the
first security measure the organization can apply before blocking the forbidden accesses automatically, namely
logging all the forbidden access instances as errors. In some settings this can be a sufficient security measure.&lt;/p>
&lt;p>Note the attributes:&lt;/p>
&lt;ul>
&lt;li>&lt;code>destination&lt;/code>, &lt;code>path&lt;/code>, &lt;code>responseCode&lt;/code>, &lt;code>responseSize&lt;/code> are related to HTTP parameters of the requests&lt;/li>
&lt;li>&lt;code>sourcePrincipal&lt;/code>:&lt;code>cluster.local/ns/default/sa/sleep&lt;/code> - a string that represents the &lt;code>sleep&lt;/code> service account in
the &lt;code>default&lt;/code> namespace&lt;/li>
&lt;li>&lt;code>reporterUID&lt;/code>: &lt;code>kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&lt;/code> - a UID of the reporting pod, in
this case &lt;code>istio-egressgateway-747b6764b8-44rrh&lt;/code> in the &lt;code>istio-system&lt;/code> namespace&lt;/li>
&lt;/ul>&lt;/li>
&lt;/ol>
&lt;h3 id="access-control-by-routing">Access control by routing&lt;/h3>
&lt;p>After enabling logging of access to &lt;em>edition.cnn.com&lt;/em>, automatically enforce an access policy, namely allow
accessing &lt;em>/health&lt;/em> and &lt;em>/sport&lt;/em> URL paths only. Such a simple policy control can be implemented with Istio routing.&lt;/p>
&lt;ol>
&lt;li>&lt;p>Redefine your &lt;code>VirtualService&lt;/code> for &lt;em>edition.cnn.com&lt;/em>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-cnn-through-egress-gateway
spec:
hosts:
- edition.cnn.com
gateways:
- istio-egressgateway
- mesh
http:
- match:
- gateways:
- mesh
port: 80
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: cnn
port:
number: 443
weight: 100
- match:
- gateways:
- istio-egressgateway
port: 443
uri:
regex: &amp;#34;/health|/sport&amp;#34;
route:
- destination:
host: edition.cnn.com
port:
number: 443
weight: 100
EOF
&lt;/code>&lt;/pre>
&lt;p>Note that you added a &lt;code>match&lt;/code> by &lt;code>uri&lt;/code> condition that checks that the URL path is
either &lt;em>/health&lt;/em> or &lt;em>/sport&lt;/em>. Also note that this condition is added to the &lt;code>istio-egressgateway&lt;/code>
section of the &lt;code>VirtualService&lt;/code>, since the egress gateway is a hardened component in terms of security (see
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations">egress gateway security considerations&lt;/a>). You don&amp;rsquo;t want any tampering
with your policies.&lt;/p>&lt;/li>
&lt;li>&lt;p>Send the previous three HTTP requests to &lt;em>cnn.com&lt;/em>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c &amp;#39;curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/health&amp;#39;
404
200
200
&lt;/code>&lt;/pre>
&lt;p>The request to &lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a> returned &lt;em>404 Not Found&lt;/em>, while requests
to &lt;a href="https://edition.cnn.com/sport">edition.cnn.com/sport&lt;/a> and
&lt;a href="https://edition.cnn.com/health">edition.cnn.com/health&lt;/a> returned &lt;em>200 OK&lt;/em>, as expected.&lt;/p>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">You may need to wait several seconds for the update of the &lt;code>VirtualService&lt;/code> to propagate to the egress
gateway.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;/li>
&lt;li>&lt;p>Query the Mixer log and see that the information about the requests appears again in the log:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
{&amp;#34;level&amp;#34;:&amp;#34;info&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T07:55:59.686082Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/politics&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:404,&amp;#34;responseSize&amp;#34;:0,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;}
{&amp;#34;level&amp;#34;:&amp;#34;info&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T07:55:59.697565Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/sport&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:200,&amp;#34;responseSize&amp;#34;:2094561,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;}
{&amp;#34;level&amp;#34;:&amp;#34;info&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T07:56:00.264498Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/health&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:200,&amp;#34;responseSize&amp;#34;:2157009,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;}
{&amp;#34;level&amp;#34;:&amp;#34;error&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T07:55:59.686082Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/politics&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:404,&amp;#34;responseSize&amp;#34;:0,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/sleep&amp;#34;}
&lt;/code>&lt;/pre>
&lt;p>You still get info and error messages regarding accesses to
&lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a>, however this time the &lt;code>responseCode&lt;/code> is &lt;code>404&lt;/code>, as
expected.&lt;/p>&lt;/li>
&lt;/ol>
&lt;p>While implementing access control using Istio routing worked for us in this simple case, it would not suffice for more
complex cases. For example, the organization may want to allow access to
&lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a> under certain conditions, so more complex policy logic than
just filtering by URL paths will be required. You may want to apply &lt;a href="/v1.5/blog/2017/adapter-model/">Istio Mixer Adapters&lt;/a>,
for example
&lt;a href="/v1.5/docs/tasks/policy-enforcement/denial-and-list/#attribute-based-whitelists-or-blacklists">white lists or black lists&lt;/a>
of allowed/forbidden URL paths, respectively.
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/">Policy Rules&lt;/a> allow specifying complex conditions,
specified in a &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/expression-language/">rich expression language&lt;/a>, which
includes AND and OR logical operators. The rules can be reused for both logging and policy checks. More advanced users
may want to apply &lt;a href="/v1.5/docs/concepts/security/#authorization">Istio Role-Based Access Control&lt;/a>.&lt;/p>
&lt;p>An additional aspect is integration with remote access policy systems. If the organization in our use case operates some
&lt;a href="https://en.wikipedia.org/wiki/Identity_management">Identity and Access Management&lt;/a> system, you may want to configure
Istio to use access policy information from such a system. You implement this integration by applying
&lt;a href="/v1.5/blog/2017/adapter-model/">Istio Mixer Adapters&lt;/a>.&lt;/p>
&lt;p>Cancel the access control by routing you used in this section and implement access control by Mixer policy checks
in the next section.&lt;/p>
&lt;ol>
&lt;li>&lt;p>Replace the &lt;code>VirtualService&lt;/code> for &lt;em>edition.cnn.com&lt;/em> with your previous version from the &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway">Configure an Egress Gateway&lt;/a> example:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-cnn-through-egress-gateway
spec:
hosts:
- edition.cnn.com
gateways:
- istio-egressgateway
- mesh
http:
- match:
- gateways:
- mesh
port: 80
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: cnn
port:
number: 443
weight: 100
- match:
- gateways:
- istio-egressgateway
port: 443
route:
- destination:
host: edition.cnn.com
port:
number: 443
weight: 100
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Send the previous three HTTP requests to &lt;em>cnn.com&lt;/em>, this time you should get three &lt;em>200 OK&lt;/em> responses as
previously:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c &amp;#39;curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/health&amp;#39;
200
200
200
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">You may need to wait several seconds for the update of the &lt;code>VirtualService&lt;/code> to propagate to the egress
gateway.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;h3 id="access-control-by-mixer-policy-checks">Access control by Mixer policy checks&lt;/h3>
&lt;p>In this step you use a Mixer
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/adapters/list/">&lt;code>Listchecker&lt;/code> adapter&lt;/a>, its whitelist
variety. You define a &lt;code>listentry&lt;/code> with the URL path of the request and a &lt;code>listchecker&lt;/code> to check the &lt;code>listentry&lt;/code> using a
static list of allowed URL paths, specified by the &lt;code>overrides&lt;/code> field. For an external &lt;a href="https://en.wikipedia.org/wiki/Identity_management">Identity and Access Management&lt;/a> system, use the &lt;code>providerurl&lt;/code> field instead. The updated
diagram of the instances, rules and handlers appears below. Note that you reuse the same policy rule, &lt;code>handle-cnn-access&lt;/code>
both for logging and for access policy checks.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:52.79420593027812%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring-policy.svg" title="Instances, rules and handlers for egress monitoring and access policies">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring-policy.svg" alt="Instances, rules and handlers for egress monitoring and access policies" />
&lt;/a>
&lt;/div>
&lt;figcaption>Instances, rules and handlers for egress monitoring and access policies&lt;/figcaption>
&lt;/figure>
&lt;ol>
&lt;li>&lt;p>Define &lt;code>path-checker&lt;/code> and &lt;code>request-path&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | kubectl create -f -
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: listchecker
metadata:
name: path-checker
namespace: istio-system
spec:
overrides: [&amp;#34;/health&amp;#34;, &amp;#34;/sport&amp;#34;] # overrides provide a static list
blacklist: false
---
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: listentry
metadata:
name: request-path
namespace: istio-system
spec:
value: request.path
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Modify the &lt;code>handle-cnn-access&lt;/code> policy rule to send &lt;code>request-path&lt;/code> instances to the &lt;code>path-checker&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
# Rule handle egress access to cnn.com
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: rule
metadata:
name: handle-cnn-access
namespace: istio-system
spec:
match: request.host.endsWith(&amp;#34;.cnn.com&amp;#34;) &amp;amp;&amp;amp; context.reporter.uid.startsWith(&amp;#34;kubernetes://istio-egressgateway&amp;#34;)
actions:
- handler: egress-access-logger.stdio
instances:
- egress-access.logentry
- handler: path-checker.listchecker
instances:
- request-path.listentry
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Perform your usual test by sending HTTP requests to
&lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a>, &lt;a href="https://edition.cnn.com/sport">edition.cnn.com/sport&lt;/a>
and &lt;a href="https://edition.cnn.com/health">edition.cnn.com/health&lt;/a>. As expected, the request to
&lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a> returns &lt;em>403&lt;/em> (Forbidden).&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c &amp;#39;curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/health&amp;#39;
403
200
200
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;h3 id="access-control-by-mixer-policy-checks-part-2">Access control by Mixer policy checks, part 2&lt;/h3>
&lt;p>After the organization in our use case managed to configure logging and access control, it decided to extend its access
policy by allowing the applications with a special
&lt;a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/">Service Account&lt;/a> to access any topic of &lt;em>cnn.com&lt;/em>, without being monitored. You&amp;rsquo;ll see how this requirement can be configured in Istio.&lt;/p>
&lt;ol>
&lt;li>&lt;p>Start the &lt;a href="https://github.com/istio/istio/tree/release-1.5/samples/sleep">sleep&lt;/a> sample with the &lt;code>politics&lt;/code> service account.&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/sleep/sleep.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ sed &amp;#39;s/: sleep/: politics/g&amp;#39; @samples/sleep/sleep.yaml@ | kubectl create -f -
serviceaccount &amp;#34;politics&amp;#34; created
service &amp;#34;politics&amp;#34; created
deployment &amp;#34;politics&amp;#34; created
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;li>&lt;p>Define the &lt;code>SOURCE_POD_POLITICS&lt;/code> shell variable to hold the name of the source pod with the &lt;code>politics&lt;/code> service
account, for sending requests to external services.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export SOURCE_POD_POLITICS=$(kubectl get pod -l app=politics -o jsonpath={.items..metadata.name})
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Perform your usual test of sending three HTTP requests this time from &lt;code>SOURCE_POD_POLITICS&lt;/code>.
The request to &lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a> returns &lt;em>403&lt;/em>, since you did not configure
the exception for the &lt;em>politics&lt;/em> namespace.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD_POLITICS -c politics -- sh -c &amp;#39;curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/health&amp;#39;
403
200
200
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Query the Mixer log and see that the information about the requests from the &lt;em>politics&lt;/em> namespace appears in
the log:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
{&amp;#34;level&amp;#34;:&amp;#34;info&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T08:04:42.559812Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/politics&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:403,&amp;#34;responseSize&amp;#34;:84,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/politics&amp;#34;}
{&amp;#34;level&amp;#34;:&amp;#34;info&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T08:04:42.568424Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/sport&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:200,&amp;#34;responseSize&amp;#34;:2094561,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/politics&amp;#34;}
{&amp;#34;level&amp;#34;:&amp;#34;error&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T08:04:42.559812Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/politics&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:403,&amp;#34;responseSize&amp;#34;:84,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/politics&amp;#34;}
{&amp;#34;level&amp;#34;:&amp;#34;info&amp;#34;,&amp;#34;time&amp;#34;:&amp;#34;2019-01-29T08:04:42.615641Z&amp;#34;,&amp;#34;instance&amp;#34;:&amp;#34;egress-access.logentry.istio-system&amp;#34;,&amp;#34;destination&amp;#34;:&amp;#34;edition.cnn.com&amp;#34;,&amp;#34;path&amp;#34;:&amp;#34;/health&amp;#34;,&amp;#34;reporterUID&amp;#34;:&amp;#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&amp;#34;,&amp;#34;responseCode&amp;#34;:200,&amp;#34;responseSize&amp;#34;:2157009,&amp;#34;sourcePrincipal&amp;#34;:&amp;#34;cluster.local/ns/default/sa/politics&amp;#34;}
&lt;/code>&lt;/pre>
&lt;p>Note that &lt;code>sourcePrincipal&lt;/code> is &lt;code>cluster.local/ns/default/sa/politics&lt;/code> which represents the &lt;code>politics&lt;/code> service
account in the &lt;code>default&lt;/code> namespace.&lt;/p>&lt;/li>
&lt;li>&lt;p>Redefine &lt;code>handle-cnn-access&lt;/code> and &lt;code>handle-politics&lt;/code> policy rules, to make the applications in the &lt;em>politics&lt;/em>
namespace exempt from monitoring and policy enforcement.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &amp;lt;&amp;lt;EOF | kubectl apply -f -
# Rule to handle access to *.cnn.com/politics
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: rule
metadata:
name: handle-politics
namespace: istio-system
spec:
match: request.host.endsWith(&amp;#34;cnn.com&amp;#34;) &amp;amp;&amp;amp; context.reporter.uid.startsWith(&amp;#34;kubernetes://istio-egressgateway&amp;#34;) &amp;amp;&amp;amp; request.path.startsWith(&amp;#34;/politics&amp;#34;) &amp;amp;&amp;amp; source.principal != &amp;#34;cluster.local/ns/default/sa/politics&amp;#34;
actions:
- handler: egress-error-logger.stdio
instances:
- egress-access.logentry
---
# Rule handle egress access to cnn.com
apiVersion: &amp;#34;config.istio.io/v1alpha2&amp;#34;
kind: rule
metadata:
name: handle-cnn-access
namespace: istio-system
spec:
match: request.host.endsWith(&amp;#34;.cnn.com&amp;#34;) &amp;amp;&amp;amp; context.reporter.uid.startsWith(&amp;#34;kubernetes://istio-egressgateway&amp;#34;) &amp;amp;&amp;amp; source.principal != &amp;#34;cluster.local/ns/default/sa/politics&amp;#34;
actions:
- handler: egress-access-logger.stdio
instances:
- egress-access.logentry
- handler: path-checker.listchecker
instances:
- request-path.listentry
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Perform your usual test from &lt;code>SOURCE_POD&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c &amp;#39;curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/health&amp;#39;
403
200
200
&lt;/code>&lt;/pre>
&lt;p>Since &lt;code>SOURCE_POD&lt;/code> does not have &lt;code>politics&lt;/code> service account, access to
&lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a> is forbidden, as previously.&lt;/p>&lt;/li>
&lt;li>&lt;p>Perform the previous test from &lt;code>SOURCE_POD_POLITICS&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD_POLITICS -c politics -- sh -c &amp;#39;curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &amp;#34;%{http_code}\n&amp;#34; http://edition.cnn.com/health&amp;#39;
200
200
200
&lt;/code>&lt;/pre>
&lt;p>Access to all the topics of &lt;em>edition.cnn.com&lt;/em> is allowed.&lt;/p>&lt;/li>
&lt;li>&lt;p>Examine the Mixer log and see that no more requests with &lt;code>sourcePrincipal&lt;/code> equal
&lt;code>cluster.local/ns/default/sa/politics&lt;/code> appear in the log.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;h2 id="comparison-with-https-egress-traffic-control">Comparison with HTTPS egress traffic control&lt;/h2>
&lt;p>In this use case the applications use HTTP and Istio Egress Gateway performs TLS origination for them. Alternatively,
the applications could originate TLS themselves by issuing HTTPS requests to &lt;em>edition.cnn.com&lt;/em>. In this section we
describe both approaches and their pros and cons.&lt;/p>
&lt;p>In the HTTP approach, the requests are sent unencrypted on the local host, intercepted by the Istio sidecar proxy and
forwarded to the egress gateway. Since you configure Istio to use mutual TLS between the sidecar proxy and the egress
gateway, the traffic leaves the pod encrypted. The egress gateway decrypts the traffic, inspects the URL path, the
HTTP method and headers, reports telemetry and performs policy checks. If the request is not blocked by some policy
check, the egress gateway performs TLS origination to the external destination (&lt;em>cnn.com&lt;/em> in our case), so the request
is encrypted again and sent encrypted to the external destination. The diagram below demonstrates the network flow of
this approach. The HTTP protocol inside the gateway designates the protocol as seen by the gateway after decryption.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:64.81718469808756%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-monitoring-access-control/http-to-gateway.svg" title="HTTP egress traffic through an egress gateway">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-monitoring-access-control/http-to-gateway.svg" alt="HTTP egress traffic through an egress gateway" />
&lt;/a>
&lt;/div>
&lt;figcaption>HTTP egress traffic through an egress gateway&lt;/figcaption>
&lt;/figure>
&lt;p>The drawback of this approach is that the requests are sent unencrypted inside the pod, which may be against security
policies in some organizations. Also some SDKs have external service URLs hard-coded, including the protocol, so
sending HTTP requests could be impossible. The advantage of this approach is the ability to inspect HTTP methods,
headers and URL paths, and to apply policies based on them.&lt;/p>
&lt;p>In the HTTPS approach, the requests are encrypted end-to-end, from the application to the external destination. The
diagram below demonstrates the network flow of this approach. The HTTPS protocol inside the gateway designates the
protocol as seen by the gateway.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:64.81718469808756%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-monitoring-access-control/https-to-gateway.svg" title="HTTPS egress traffic through an egress gateway">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-monitoring-access-control/https-to-gateway.svg" alt="HTTPS egress traffic through an egress gateway" />
&lt;/a>
&lt;/div>
&lt;figcaption>HTTPS egress traffic through an egress gateway&lt;/figcaption>
&lt;/figure>
&lt;p>The end-to-end HTTPS is considered a better approach from the security point of view. However, since the traffic is
encrypted the Istio proxies and the egress gateway can only see the source and destination IPs and the &lt;a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI&lt;/a> of the destination. Since you configure Istio to use mutual TLS between the sidecar proxy
and the egress gateway, the &lt;a href="/v1.5/docs/concepts/security/#istio-identity">identity of the source&lt;/a> is also known.
The gateway is unable to inspect the URL path, the HTTP method and the headers of the requests, so no monitoring and
policies based on the HTTP information can be possible.
In our use case, the organization would be able to allow access to &lt;em>edition.cnn.com&lt;/em> and to specify which applications
are allowed to access &lt;em>edition.cnn.com&lt;/em>.
However, it will not be possible to allow or block access to specific URL paths of &lt;em>edition.cnn.com&lt;/em>.
Neither blocking access to &lt;a href="https://edition.cnn.com/politics">edition.cnn.com/politics&lt;/a> nor monitoring such access are
possible with the HTTPS approach.&lt;/p>
&lt;p>We guess that each organization will consider the pros and cons of the two approaches and choose the one most
appropriate to its needs.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>In this blog post we showed how different monitoring and policy mechanisms of Istio can be applied to HTTP egress
traffic. Monitoring can be implemented by configuring a logging adapter. Access
policies can be implemented by configuring &lt;code>VirtualServices&lt;/code> or by configuring various policy check adapters. We
demonstrated a simple policy that allowed certain URL paths only. We also showed a more complex policy that extended the
simple policy by making an exemption to the applications with a certain service account. Finally, we compared
HTTP-with-TLS-origination egress traffic with HTTPS egress traffic, in terms of control possibilities by Istio.&lt;/p>
&lt;h2 id="cleanup">Cleanup&lt;/h2>
&lt;ol>
&lt;li>&lt;p>Perform the instructions in &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway//#cleanup">Cleanup&lt;/a> section of the
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-gateway//">Configure an Egress Gateway&lt;/a> example.&lt;/p>&lt;/li>
&lt;li>&lt;p>Delete the logging and policy checks configuration:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete logentry egress-access -n istio-system
$ kubectl delete stdio egress-error-logger -n istio-system
$ kubectl delete stdio egress-access-logger -n istio-system
$ kubectl delete rule handle-politics -n istio-system
$ kubectl delete rule handle-cnn-access -n istio-system
$ kubectl delete -n istio-system listchecker path-checker
$ kubectl delete -n istio-system listentry request-path
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Delete the &lt;em>politics&lt;/em> source pod:&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/sleep/sleep.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ sed &amp;#39;s/: sleep/: politics/g&amp;#39; @samples/sleep/sleep.yaml@ | kubectl delete -f -
serviceaccount &amp;#34;politics&amp;#34; deleted
service &amp;#34;politics&amp;#34; deleted
deployment &amp;#34;politics&amp;#34; deleted
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;/ol></description><pubDate>Fri, 22 Jun 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/egress-monitoring-access-control/</link><author>Vadim Eisenberg and Ronen Schaffer (IBM)</author><guid isPermaLink="true">/v1.5/blog/2018/egress-monitoring-access-control/</guid><category>egress</category><category>traffic-management</category><category>access-control</category><category>monitoring</category></item><item><title>Introducing the Istio v1alpha3 routing API</title><description>
&lt;p>Up until now, Istio has provided a simple API for traffic management using four configuration resources:
&lt;code>RouteRule&lt;/code>, &lt;code>DestinationPolicy&lt;/code>, &lt;code>EgressRule&lt;/code>, and (Kubernetes) &lt;code>Ingress&lt;/code>.
With this API, users have been able to easily manage the flow of traffic in an Istio service mesh.
The API has allowed users to route requests to specific versions of services, inject delays and failures for resilience
testing, add timeouts and circuit breakers, and more, all without changing the application code itself.&lt;/p>
&lt;p>While this functionality has proven to be a very compelling part of Istio, user feedback has also shown that this API does
have some shortcomings, specifically when using it to manage very large applications containing thousands of services, and
when working with protocols other than HTTP. Furthermore, the use of Kubernetes &lt;code>Ingress&lt;/code> resources to configure external
traffic has proven to be woefully insufficient for our needs.&lt;/p>
&lt;p>To address these, and other concerns, a new traffic management API, a.k.a. &lt;code>v1alpha3&lt;/code>, is being introduced, which will
completely replace the previous API going forward. Although the &lt;code>v1alpha3&lt;/code> model is fundamentally the same, it is not
backward compatible and will require manual conversion from the old API.&lt;/p>
&lt;p>To justify this disruption, the &lt;code>v1alpha3&lt;/code> API has gone through a long and painstaking community
review process that has hopefully resulted in a greatly improved API that will stand the test of time. In this article,
we will introduce the new configuration model and attempt to explain some of the motivation and design principles that
influenced it.&lt;/p>
&lt;h2 id="design-principles">Design principles&lt;/h2>
&lt;p>A few key design principles played a role in the routing model redesign:&lt;/p>
&lt;ul>
&lt;li>Explicitly model infrastructure as well as intent. For example, in addition to configuring an ingress gateway, the
component (controller) implementing it can also be specified.&lt;/li>
&lt;li>The authoring model should be &amp;ldquo;producer oriented&amp;rdquo; and &amp;ldquo;host centric&amp;rdquo; as opposed to compositional. For example, all
rules associated with a particular host are configured together, instead of individually.&lt;/li>
&lt;li>Clear separation of routing from post-routing behaviors.&lt;/li>
&lt;/ul>
&lt;h2 id="configuration-resources-in-v1alpha3">Configuration resources in v1alpha3&lt;/h2>
&lt;p>A typical mesh will have one or more load balancers (we call them gateways)
that terminate TLS from external networks and allow traffic into the mesh.
Traffic then flows through internal services via sidecar gateways.
It is also common for applications to consume external
services (e.g., Google Maps API). These may be called directly or, in certain deployments, all traffic
exiting the mesh may be forced through dedicated egress gateways. The following diagram depicts
this mental model.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:35.204472660409245%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/v1alpha3-routing/gateways.svg" title="Gateways in an Istio service mesh">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/v1alpha3-routing/gateways.svg" alt="Role of gateways in the mesh" />
&lt;/a>
&lt;/div>
&lt;figcaption>Gateways in an Istio service mesh&lt;/figcaption>
&lt;/figure>
&lt;p>With the above setup in mind, &lt;code>v1alpha3&lt;/code> introduces the following new
configuration resources to control traffic routing into, within, and out of the mesh.&lt;/p>
&lt;ol>
&lt;li>&lt;code>Gateway&lt;/code>&lt;/li>
&lt;li>&lt;code>VirtualService&lt;/code>&lt;/li>
&lt;li>&lt;code>DestinationRule&lt;/code>&lt;/li>
&lt;li>&lt;code>ServiceEntry&lt;/code>&lt;/li>
&lt;/ol>
&lt;p>&lt;code>VirtualService&lt;/code>, &lt;code>DestinationRule&lt;/code>, and &lt;code>ServiceEntry&lt;/code> replace &lt;code>RouteRule&lt;/code>,
&lt;code>DestinationPolicy&lt;/code>, and &lt;code>EgressRule&lt;/code> respectively. The &lt;code>Gateway&lt;/code> is a
platform independent abstraction to model the traffic flowing into
dedicated middleboxes.&lt;/p>
&lt;p>The figure below depicts the flow of control across configuration
resources.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:41.164966727369595%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/v1alpha3-routing/virtualservices-destrules.svg" title="Relationship between different v1alpha3 elements">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/v1alpha3-routing/virtualservices-destrules.svg" alt="Relationship between different v1alpha3 elements" />
&lt;/a>
&lt;/div>
&lt;figcaption>Relationship between different v1alpha3 elements&lt;/figcaption>
&lt;/figure>
&lt;h3 id="gateway">&lt;code>Gateway&lt;/code>&lt;/h3>
&lt;p>A &lt;a href="/v1.5/docs/reference/config/networking/gateway/">&lt;code>Gateway&lt;/code>&lt;/a>
configures a load balancer for HTTP/TCP traffic, regardless of
where it will be running. Any number of gateways can exist within the mesh
and multiple different gateway implementations can co-exist. In fact, a
gateway configuration can be bound to a particular workload by specifying
the set of workload (pod) labels as part of the configuration, allowing
users to reuse off the shelf network appliances by writing a simple gateway
controller.&lt;/p>
&lt;p>For ingress traffic management, you might ask: &lt;em>Why not reuse Kubernetes Ingress APIs&lt;/em>?
The Ingress APIs proved to be incapable of expressing Istio&amp;rsquo;s routing needs.
By trying to draw a common denominator across different HTTP proxies, the
Ingress is only able to support the most basic HTTP routing and ends up
pushing every other feature of modern proxies into non-portable
annotations.&lt;/p>
&lt;p>Istio &lt;code>Gateway&lt;/code> overcomes the &lt;code>Ingress&lt;/code> shortcomings by separating the
L4-L6 spec from L7. It only configures the L4-L6 functions (e.g., ports to
expose, TLS configuration) that are uniformly implemented by all good L7
proxies. Users can then use standard Istio rules to control HTTP
requests as well as TCP traffic entering a &lt;code>Gateway&lt;/code> by binding a
&lt;code>VirtualService&lt;/code> to it.&lt;/p>
&lt;p>For example, the following simple &lt;code>Gateway&lt;/code> configures a load balancer
to allow external https traffic for host &lt;code>bookinfo.com&lt;/code> into the mesh:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gateway
spec:
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- bookinfo.com
tls:
mode: SIMPLE
serverCertificate: /tmp/tls.crt
privateKey: /tmp/tls.key
&lt;/code>&lt;/pre>
&lt;p>To configure the corresponding routes, a &lt;code>VirtualService&lt;/code> (described in the &lt;a href="#virtualservice">following section&lt;/a>)
must be defined for the same host and bound to the &lt;code>Gateway&lt;/code> using
the &lt;code>gateways&lt;/code> field in the configuration:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- bookinfo.com
gateways:
- bookinfo-gateway # &amp;lt;---- bind to gateway
http:
- match:
- uri:
prefix: /reviews
route:
...
&lt;/code>&lt;/pre>
&lt;p>The &lt;code>Gateway&lt;/code> can be used to model an edge-proxy or a purely internal proxy
as shown in the first figure. Irrespective of the location, all gateways
can be configured and controlled in the same way.&lt;/p>
&lt;h3 id="virtualservice">&lt;code>VirtualService&lt;/code>&lt;/h3>
&lt;p>Replacing route rules with something called &amp;ldquo;virtual services” might seem peculiar at first, but in reality its
fundamentally a much better name for what is being configured, especially after redesigning the API to address the
scalability issues with the previous model.&lt;/p>
&lt;p>In effect, what has changed is that instead of configuring routing using a set of individual configuration resources
(rules) for a particular destination service, each containing a precedence field to control the order of evaluation, we
now configure the (virtual) destination itself, with all of its rules in an ordered list within a corresponding
&lt;a href="/v1.5/docs/reference/config/networking/virtual-service/">&lt;code>VirtualService&lt;/code>&lt;/a> resource.
For example, where previously we had two &lt;code>RouteRule&lt;/code> resources for the
&lt;a href="/v1.5/docs/examples/bookinfo/">Bookinfo&lt;/a> applications &lt;code>reviews&lt;/code> service, like this:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
name: reviews-default
spec:
destination:
name: reviews
precedence: 1
route:
- labels:
version: v1
---
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
name: reviews-test-v2
spec:
destination:
name: reviews
precedence: 2
match:
request:
headers:
cookie:
regex: &amp;#34;^(.*?;)?(user=jason)(;.*)?$&amp;#34;
route:
- labels:
version: v2
&lt;/code>&lt;/pre>
&lt;p>In &lt;code>v1alpha3&lt;/code>, we provide the same configuration in a single &lt;code>VirtualService&lt;/code> resource:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews
spec:
hosts:
- reviews
http:
- match:
- headers:
cookie:
regex: &amp;#34;^(.*?;)?(user=jason)(;.*)?$&amp;#34;
route:
- destination:
host: reviews
subset: v2
- route:
- destination:
host: reviews
subset: v1
&lt;/code>&lt;/pre>
&lt;p>As you can see, both of the rules for the &lt;code>reviews&lt;/code> service are consolidated in one place, which at first may or may not
seem preferable. However, if you look closer at this new model, youll see there are fundamental differences that make
&lt;code>v1alpha3&lt;/code> vastly more functional.&lt;/p>
&lt;p>First of all, notice that the destination service for the &lt;code>VirtualService&lt;/code> is specified using a &lt;code>hosts&lt;/code> field (repeated field, in fact) and is then again specified in a &lt;code>destination&lt;/code> field of each of the route specifications. This is a
very important difference from the previous model.&lt;/p>
&lt;p>A &lt;code>VirtualService&lt;/code> describes the mapping between one or more user-addressable destinations to the actual destination workloads inside the mesh. In our example, they are the same, however, the user-addressed hosts can be any DNS
names with optional wildcard prefix or CIDR prefix that will be used to address the service. This can be particularly
useful in facilitating turning monoliths into a composite service built out of distinct microservices without requiring the
consumers of the service to adapt to the transition.&lt;/p>
&lt;p>For example, the following rule allows users to address both the &lt;code>reviews&lt;/code> and &lt;code>ratings&lt;/code> services of the Bookinfo application
as if they are parts of a bigger (virtual) service at &lt;code>http://bookinfo.com/&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo
spec:
hosts:
- bookinfo.com
http:
- match:
- uri:
prefix: /reviews
route:
- destination:
host: reviews
- match:
- uri:
prefix: /ratings
route:
- destination:
host: ratings
...
&lt;/code>&lt;/pre>
&lt;p>The hosts of a &lt;code>VirtualService&lt;/code> do not actually have to be part of the service registry, they are simply virtual
destinations. This allows users to model traffic for virtual hosts that do not have routable entries inside the mesh.
These hosts can be exposed outside the mesh by binding the &lt;code>VirtualService&lt;/code> to a &lt;code>Gateway&lt;/code> configuration for the same host
(as described in the &lt;a href="#gateway">previous section&lt;/a>).&lt;/p>
&lt;p>In addition to this fundamental restructuring, &lt;code>VirtualService&lt;/code> includes several other important changes:&lt;/p>
&lt;ol>
&lt;li>&lt;p>Multiple match conditions can be expressed inside the &lt;code>VirtualService&lt;/code> configuration, reducing the need for redundant
rules.&lt;/p>&lt;/li>
&lt;li>&lt;p>Each service version has a name (called a service subset). The set of pods/VMs belonging to a subset is defined in a
&lt;code>DestinationRule&lt;/code>, described in the following section.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;code>VirtualService&lt;/code> hosts can be specified using wildcard DNS prefixes to create a single rule for all matching services.
For example, in Kubernetes, to apply the same rewrite rule for all services in the &lt;code>foo&lt;/code> namespace, the &lt;code>VirtualService&lt;/code>
would use &lt;code>*.foo.svc.cluster.local&lt;/code> as the host.&lt;/p>&lt;/li>
&lt;/ol>
&lt;h3 id="destinationrule">&lt;code>DestinationRule&lt;/code>&lt;/h3>
&lt;p>A &lt;a href="/v1.5/docs/reference/config/networking/destination-rule/">&lt;code>DestinationRule&lt;/code>&lt;/a>
configures the set of policies to be applied while forwarding traffic to a service. They are
intended to be authored by service owners, describing the circuit breakers, load balancer settings, TLS settings, etc..
&lt;code>DestinationRule&lt;/code> is more or less the same as its predecessor, &lt;code>DestinationPolicy&lt;/code>, with the following exceptions:&lt;/p>
&lt;ol>
&lt;li>The &lt;code>host&lt;/code> of a &lt;code>DestinationRule&lt;/code> can include wildcard prefixes, allowing a single rule to be specified for many actual
services.&lt;/li>
&lt;li>A &lt;code>DestinationRule&lt;/code> defines addressable &lt;code>subsets&lt;/code> (i.e., named versions) of the corresponding destination host. These
subsets are used in &lt;code>VirtualService&lt;/code> route specifications when sending traffic to specific versions of the service.
Naming versions this way allows us to cleanly refer to them across different virtual services, simplify the stats that
Istio proxies emit, and to encode subsets in SNI headers.&lt;/li>
&lt;/ol>
&lt;p>A &lt;code>DestinationRule&lt;/code> that configures policies and subsets for the reviews service might look something like this:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: reviews
spec:
host: reviews
trafficPolicy:
loadBalancer:
simple: RANDOM
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
- name: v3
labels:
version: v3
&lt;/code>&lt;/pre>
&lt;p>Notice that, unlike &lt;code>DestinationPolicy&lt;/code>, multiple policies (e.g., default and v2-specific) are specified in a single
&lt;code>DestinationRule&lt;/code> configuration.&lt;/p>
&lt;h3 id="serviceentry">&lt;code>ServiceEntry&lt;/code>&lt;/h3>
&lt;p>&lt;a href="/v1.5/docs/reference/config/networking/service-entry/">&lt;code>ServiceEntry&lt;/code>&lt;/a>
is used to add additional entries into the service registry that Istio maintains internally.
It is most commonly used to allow one to model traffic to external dependencies of the mesh
such as APIs consumed from the web or traffic to services in legacy infrastructure.&lt;/p>
&lt;p>Everything you could previously configure using an &lt;code>EgressRule&lt;/code> can just as easily be done with a &lt;code>ServiceEntry&lt;/code>.
For example, access to a simple external service from inside the mesh can be enabled using a configuration
something like this:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: foo-ext
spec:
hosts:
- foo.com
ports:
- number: 80
name: http
protocol: HTTP
&lt;/code>&lt;/pre>
&lt;p>That said, &lt;code>ServiceEntry&lt;/code> has significantly more functionality than its predecessor.
First of all, a &lt;code>ServiceEntry&lt;/code> is not limited to external service configuration,
it can be of two types: mesh-internal or mesh-external.
Mesh-internal entries are like all other internal services but are used to explicitly add services
to the mesh. They can be used to add services as part of expanding the service mesh to include unmanaged infrastructure
(e.g., VMs added to a Kubernetes-based service mesh).
Mesh-external entries represent services external to the mesh.
For them, mutual TLS authentication is disabled and policy enforcement is performed on the client-side,
instead of on the usual server-side for internal service requests.&lt;/p>
&lt;p>Because a &lt;code>ServiceEntry&lt;/code> configuration simply adds a destination to the internal service registry, it can be
used in conjunction with a &lt;code>VirtualService&lt;/code> and/or &lt;code>DestinationRule&lt;/code>, just like any other service in the registry.
The following &lt;code>DestinationRule&lt;/code>, for example, can be used to initiate mutual TLS connections for an external service:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: foo-ext
spec:
host: foo.com
trafficPolicy:
tls:
mode: MUTUAL
clientCertificate: /etc/certs/myclientcert.pem
privateKey: /etc/certs/client_private_key.pem
caCertificates: /etc/certs/rootcacerts.pem
&lt;/code>&lt;/pre>
&lt;p>In addition to its expanded generality, &lt;code>ServiceEntry&lt;/code> provides several other improvements over &lt;code>EgressRule&lt;/code>
including the following:&lt;/p>
&lt;ol>
&lt;li>A single &lt;code>ServiceEntry&lt;/code> can configure multiple service endpoints, which previously would have required multiple
&lt;code>EgressRules&lt;/code>.&lt;/li>
&lt;li>The resolution mode for the endpoints is now configurable (&lt;code>NONE&lt;/code>, &lt;code>STATIC&lt;/code>, or &lt;code>DNS&lt;/code>).&lt;/li>
&lt;li>Additionally, we are working on addressing another pain point: the need to access secure external services over plain
text ports (e.g., &lt;code>http://google.com:443&lt;/code>). This should be fixed in the coming weeks, allowing you to directly access
&lt;code>https://google.com&lt;/code> from your application. Stay tuned for an Istio patch release (0.8.x) that addresses this limitation.&lt;/li>
&lt;/ol>
&lt;h2 id="creating-and-deleting-v1alpha3-route-rules">Creating and deleting v1alpha3 route rules&lt;/h2>
&lt;p>Because all route rules for a given destination are now stored together as an ordered
list in a single &lt;code>VirtualService&lt;/code> resource, adding a second and subsequent rules for a particular destination
is no longer done by creating a new (&lt;code>RouteRule&lt;/code>) resource, but instead by updating the one-and-only &lt;code>VirtualService&lt;/code>
resource for the destination.&lt;/p>
&lt;p>old routing rules:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f my-second-rule-for-destination-abc.yaml
&lt;/code>&lt;/pre>
&lt;p>&lt;code>v1alpha3&lt;/code> routing rules:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f my-updated-rules-for-destination-abc.yaml
&lt;/code>&lt;/pre>
&lt;p>Deleting route rules other than the last one for a particular destination is also done by updating
the existing resource using &lt;code>kubectl apply&lt;/code>.&lt;/p>
&lt;p>When adding or removing routes that refer to service versions, the &lt;code>subsets&lt;/code> will need to be updated in
the service&amp;rsquo;s corresponding &lt;code>DestinationRule&lt;/code>.
As you might have guessed, this is also done using &lt;code>kubectl apply&lt;/code>.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>The Istio &lt;code>v1alpha3&lt;/code> routing API has significantly more functionality than
its predecessor, but unfortunately is not backwards compatible, requiring a
one time manual conversion. The previous configuration resources,
&lt;code>RouteRule&lt;/code>, &lt;code>DesintationPolicy&lt;/code>, and &lt;code>EgressRule&lt;/code>, will not be supported
from Istio 0.9 onwards. Kubernetes users can continue to use &lt;code>Ingress&lt;/code> to
configure their edge load balancers for basic routing. However, advanced
routing features (e.g., traffic split across two versions) will require use
of &lt;code>Gateway&lt;/code>, a significantly more functional and highly
recommended &lt;code>Ingress&lt;/code> replacement.&lt;/p>
&lt;h2 id="acknowledgments">Acknowledgments&lt;/h2>
&lt;p>Credit for the routing model redesign and implementation work goes to the
following people (in alphabetical order):&lt;/p>
&lt;ul>
&lt;li>Frank Budinsky (IBM)&lt;/li>
&lt;li>Zack Butcher (Google)&lt;/li>
&lt;li>Greg Hanson (IBM)&lt;/li>
&lt;li>Costin Manolache (Google)&lt;/li>
&lt;li>Martin Ostrowski (Google)&lt;/li>
&lt;li>Shriram Rajagopalan (VMware)&lt;/li>
&lt;li>Louis Ryan (Google)&lt;/li>
&lt;li>Isaiah Snell-Feikema (IBM)&lt;/li>
&lt;li>Kuat Yessenov (Google)&lt;/li>
&lt;/ul></description><pubDate>Wed, 25 Apr 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/v1alpha3-routing/</link><author>Frank Budinsky (IBM) and Shriram Rajagopalan (VMware)</author><guid isPermaLink="true">/v1.5/blog/2018/v1alpha3-routing/</guid><category>traffic-management</category></item><item><title>Configuring Istio Ingress with AWS NLB</title><description>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">This post was updated on January 16, 2019 to include some usage warnings.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>This post provides instructions to use and configure ingress Istio with &lt;a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html">AWS Network Load Balancer&lt;/a>.&lt;/p>
&lt;p>Network load balancer (NLB) could be used instead of classical load balancer. You can see the &lt;a href="https://aws.amazon.com/elasticloadbalancing/details/#Product_comparisons">comparison&lt;/a> between different AWS &lt;code>loadbalancer&lt;/code> for more explanation.&lt;/p>
&lt;h2 id="prerequisites">Prerequisites&lt;/h2>
&lt;p>The following instructions require a Kubernetes &lt;strong>1.9.0 or newer&lt;/strong> cluster.&lt;/p>
&lt;div>
&lt;aside class="callout warning">
&lt;div class="type">
&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-warning"/>&lt;/svg>
&lt;/div>
&lt;div class="content">&lt;p>Usage of AWS &lt;code>nlb&lt;/code> on Kubernetes is an Alpha feature and not recommended for production clusters.&lt;/p>
&lt;p>Usage of AWS &lt;code>nlb&lt;/code> does not support the creation of two or more Kubernetes clusters running Istio in the same zone as a result of &lt;a href="https://github.com/kubernetes/kubernetes/issues/69264">Kubernetes Bug #69264&lt;/a>.&lt;/p>
&lt;/div>
&lt;/aside>
&lt;/div>
&lt;h2 id="iam-policy">IAM policy&lt;/h2>
&lt;p>You need to apply policy on the master role in order to be able to provision network load balancer.&lt;/p>
&lt;ol>
&lt;li>&lt;p>In AWS &lt;code>iam&lt;/code> console click on policies and click on create a new one:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:52.430278884462155%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/aws-nlb/createpolicystart.png" title="Create a new policy">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/aws-nlb/createpolicystart.png" alt="Create a new policy" />
&lt;/a>
&lt;/div>
&lt;figcaption>Create a new policy&lt;/figcaption>
&lt;/figure>&lt;/li>
&lt;li>&lt;p>Select &lt;code>json&lt;/code>:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:50.63492063492063%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/aws-nlb/createpolicyjson.png" title="Select json">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/aws-nlb/createpolicyjson.png" alt="Select json" />
&lt;/a>
&lt;/div>
&lt;figcaption>Select json&lt;/figcaption>
&lt;/figure>&lt;/li>
&lt;li>&lt;p>Copy/paste text below:&lt;/p>
&lt;pre>&lt;code class='language-json' data-expandlinks='true' data-repo='istio' >{
&amp;#34;Version&amp;#34;: &amp;#34;2012-10-17&amp;#34;,
&amp;#34;Statement&amp;#34;: [
{
&amp;#34;Sid&amp;#34;: &amp;#34;kopsK8sNLBMasterPermsRestrictive&amp;#34;,
&amp;#34;Effect&amp;#34;: &amp;#34;Allow&amp;#34;,
&amp;#34;Action&amp;#34;: [
&amp;#34;ec2:DescribeVpcs&amp;#34;,
&amp;#34;elasticloadbalancing:AddTags&amp;#34;,
&amp;#34;elasticloadbalancing:CreateListener&amp;#34;,
&amp;#34;elasticloadbalancing:CreateTargetGroup&amp;#34;,
&amp;#34;elasticloadbalancing:DeleteListener&amp;#34;,
&amp;#34;elasticloadbalancing:DeleteTargetGroup&amp;#34;,
&amp;#34;elasticloadbalancing:DescribeListeners&amp;#34;,
&amp;#34;elasticloadbalancing:DescribeLoadBalancerPolicies&amp;#34;,
&amp;#34;elasticloadbalancing:DescribeTargetGroups&amp;#34;,
&amp;#34;elasticloadbalancing:DescribeTargetHealth&amp;#34;,
&amp;#34;elasticloadbalancing:ModifyListener&amp;#34;,
&amp;#34;elasticloadbalancing:ModifyTargetGroup&amp;#34;,
&amp;#34;elasticloadbalancing:RegisterTargets&amp;#34;,
&amp;#34;elasticloadbalancing:SetLoadBalancerPoliciesOfListener&amp;#34;
],
&amp;#34;Resource&amp;#34;: [
&amp;#34;*&amp;#34;
]
},
{
&amp;#34;Effect&amp;#34;: &amp;#34;Allow&amp;#34;,
&amp;#34;Action&amp;#34;: [
&amp;#34;ec2:DescribeVpcs&amp;#34;,
&amp;#34;ec2:DescribeRegions&amp;#34;
],
&amp;#34;Resource&amp;#34;: &amp;#34;*&amp;#34;
}
]
}
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Click review policy, fill all fields and click create policy:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60.08097165991902%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/aws-nlb/create_policy.png" title="Validate policy">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/aws-nlb/create_policy.png" alt="Validate policy" />
&lt;/a>
&lt;/div>
&lt;figcaption>Validate policy&lt;/figcaption>
&lt;/figure>&lt;/li>
&lt;li>&lt;p>Click on roles, select you master role nodes, and click attach policy:&lt;/p>
&lt;figure style="width:100%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:30.328324986087924%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/aws-nlb/roles_summary.png" title="Attach policy">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/aws-nlb/roles_summary.png" alt="Attach policy" />
&lt;/a>
&lt;/div>
&lt;figcaption>Attach policy&lt;/figcaption>
&lt;/figure>&lt;/li>
&lt;li>&lt;p>Your policy is now attach to your master node.&lt;/p>&lt;/li>
&lt;/ol>
&lt;h2 id="generate-the-istio-manifest">Generate the Istio manifest&lt;/h2>
&lt;p>To use an AWS &lt;code>nlb&lt;/code> load balancer, it is necessary to add an AWS specific
annotation to the Istio installation. These instructions explain how to
add the annotation.&lt;/p>
&lt;p>Save this as the file &lt;code>override.yaml&lt;/code>:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >gateways:
istio-ingressgateway:
serviceAnnotations:
service.beta.kubernetes.io/aws-load-balancer-type: &amp;#34;nlb&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>Generate a manifest with Helm:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm template install/kubernetes/helm/istio --namespace istio-system -f override.yaml &amp;gt; $HOME/istio.yaml
&lt;/code>&lt;/pre></description><pubDate>Fri, 20 Apr 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/aws-nlb/</link><author>Julien SENON</author><guid isPermaLink="true">/v1.5/blog/2018/aws-nlb/</guid><category>ingress</category><category>traffic-management</category><category>aws</category></item><item><title>Istio Soft Multi-Tenancy Support</title><description>
&lt;p>Multi-tenancy is commonly used in many environments across many different applications,
but the implementation details and functionality provided on a per tenant basis does not
follow one model in all environments. The &lt;a href="https://github.com/kubernetes/community/blob/master/wg-multitenancy/README.md">Kubernetes multi-tenancy working group&lt;/a>
is working to define the multi-tenant use cases and functionality that should be available
within Kubernetes. However, from their work so far it is clear that only &amp;ldquo;soft multi-tenancy&amp;rdquo;
is possible due to the inability to fully protect against malicious containers or workloads
gaining access to other tenant&amp;rsquo;s pods or kernel resources.&lt;/p>
&lt;h2 id="soft-multi-tenancy">Soft multi-tenancy&lt;/h2>
&lt;p>For this blog, &amp;ldquo;soft multi-tenancy&amp;rdquo; is defined as having a single Kubernetes control plane
with multiple Istio control planes and multiple meshes, one control plane and one mesh
per tenant. The cluster administrator gets control and visibility across all the Istio
control planes, while the tenant administrator only gets control of a specific Istio
instance. Separation between the tenants is provided by Kubernetes namespaces and RBAC.&lt;/p>
&lt;p>One use case for this deployment model is a shared corporate infrastructure where malicious
actions are not expected, but a clean separation of the tenants is still required.&lt;/p>
&lt;p>Potential future Istio multi-tenant deployment models are described at the bottom of this
blog.&lt;/p>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">This blog is a high-level description of how to deploy Istio in a
limited multi-tenancy environment. The &lt;a href="/v1.5/docs/">docs&lt;/a> section will be updated
when official multi-tenancy support is provided.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;h2 id="deployment">Deployment&lt;/h2>
&lt;h3 id="multiple-istio-control-planes">Multiple Istio control planes&lt;/h3>
&lt;p>Deploying multiple Istio control planes starts by replacing all &lt;code>namespace&lt;/code> references
in a manifest file with the desired namespace. Using &lt;code>istio.yaml&lt;/code> as an example, if two tenant
level Istio control planes are required; the first can use the &lt;code>istio.yaml&lt;/code> default name of
&lt;code>istio-system&lt;/code> and a second control plane can be created by generating a new yaml file with
a different namespace. As an example, the following command creates a yaml file with
the Istio namespace of &lt;code>istio-system1&lt;/code>.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat istio.yaml | sed s/istio-system/istio-system1/g &amp;gt; istio-system1.yaml
&lt;/code>&lt;/pre>
&lt;p>The &lt;code>istio.yaml&lt;/code> file contains the details of the Istio control plane deployment, including the
pods that make up the control plane (Mixer, Pilot, Ingress, Galley, CA). Deploying the two Istio
control plane yaml files:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f install/kubernetes/istio.yaml
$ kubectl apply -f install/kubernetes/istio-system1.yaml
&lt;/code>&lt;/pre>
&lt;p>Results in two Istio control planes running in two namespaces.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
istio-system istio-ca-ffbb75c6f-98w6x 1/1 Running 0 15d
istio-system istio-ingress-68d65fc5c6-dnvfl 1/1 Running 0 15d
istio-system istio-mixer-5b9f8dffb5-8875r 3/3 Running 0 15d
istio-system istio-pilot-678fc976c8-b8tv6 2/2 Running 0 15d
istio-system1 istio-ca-5f496fdbcd-lqhlk 1/1 Running 0 15d
istio-system1 istio-ingress-68d65fc5c6-2vldg 1/1 Running 0 15d
istio-system1 istio-mixer-7d4f7b9968-66z44 3/3 Running 0 15d
istio-system1 istio-pilot-5bb6b7669c-779vb 2/2 Running 0 15d
&lt;/code>&lt;/pre>
&lt;p>The Istio &lt;a href="/v1.5/docs/setup/additional-setup/sidecar-injection/">sidecar&lt;/a>
and &lt;a href="/v1.5/docs/tasks/observability/">addons&lt;/a>, if required, manifests must also be
deployed to match the configured &lt;code>namespace&lt;/code> in use by the tenant&amp;rsquo;s Istio
control plane.&lt;/p>
&lt;p>The execution of these two yaml files is the responsibility of the cluster
administrator, not the tenant level administrator. Additional RBAC restrictions will also
need to be configured and applied by the cluster administrator, limiting the tenant
administrator to only the assigned namespace.&lt;/p>
&lt;h3 id="split-common-and-namespace-specific-resources">Split common and namespace specific resources&lt;/h3>
&lt;p>The manifest files in the Istio repositories create both common resources that would
be used by all Istio control planes as well as resources that are replicated per control
plane. Although it is a simple matter to deploy multiple control planes by replacing the
&lt;code>istio-system&lt;/code> namespace references as described above, a better approach is to split the
manifests into a common part that is deployed once for all tenants and a tenant
specific part. For the &lt;a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions">Custom Resource Definitions&lt;/a>, the roles and the role
bindings should be separated out from the provided Istio manifests. Additionally, the
roles and role bindings in the provided Istio manifests are probably unsuitable for a
multi-tenant environment and should be modified or augmented as described in the next
section.&lt;/p>
&lt;h3 id="kubernetes-rbac-for-istio-control-plane-resources">Kubernetes RBAC for Istio control plane resources&lt;/h3>
&lt;p>To restrict a tenant administrator to a single Istio namespace, the cluster
administrator would create a manifest containing, at a minimum, a &lt;code>Role&lt;/code> and &lt;code>RoleBinding&lt;/code>
similar to the one below. In this example, a tenant administrator named &lt;em>sales-admin&lt;/em>
is limited to the namespace &lt;code>istio-system1&lt;/code>. A completed manifest would contain many
more &lt;code>apiGroups&lt;/code> under the &lt;code>Role&lt;/code> providing resource access to the tenant administrator.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: istio-system1
name: ns-access-for-sales-admin-istio-system1
rules:
- apiGroups: [&amp;#34;&amp;#34;] # &amp;#34;&amp;#34; indicates the core API group
resources: [&amp;#34;*&amp;#34;]
verbs: [&amp;#34;*&amp;#34;]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: access-all-istio-system1
namespace: istio-system1
subjects:
- kind: User
name: sales-admin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: ns-access-for-sales-admin-istio-system1
apiGroup: rbac.authorization.k8s.io
&lt;/code>&lt;/pre>
&lt;h3 id="watching-specific-namespaces-for-service-discovery">Watching specific namespaces for service discovery&lt;/h3>
&lt;p>In addition to creating RBAC rules limiting the tenant administrator&amp;rsquo;s access to a specific
Istio control plane, the Istio manifest must be updated to specify the application namespace
that Pilot should watch for creation of its xDS cache. This is done by starting the Pilot
component with the additional command line arguments &lt;code>--appNamespace, ns-1&lt;/code>. Where &lt;em>ns-1&lt;/em>
is the namespace that the tenants application will be deployed in. An example snippet from
the &lt;code>istio-system1.yaml&lt;/code> file is shown below.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-pilot
namespace: istio-system1
annotations:
sidecar.istio.io/inject: &amp;#34;false&amp;#34;
spec:
replicas: 1
template:
metadata:
labels:
istio: pilot
spec:
serviceAccountName: istio-pilot-service-account
containers:
- name: discovery
image: docker.io/&amp;lt;user ID&amp;gt;/pilot:&amp;lt;tag&amp;gt;
imagePullPolicy: IfNotPresent
args: [&amp;#34;discovery&amp;#34;, &amp;#34;-v&amp;#34;, &amp;#34;2&amp;#34;, &amp;#34;--admission-service&amp;#34;, &amp;#34;istio-pilot&amp;#34;, &amp;#34;--appNamespace&amp;#34;, &amp;#34;ns-1&amp;#34;]
ports:
- containerPort: 8080
- containerPort: 443
&lt;/code>&lt;/pre>
&lt;h3 id="deploying-the-tenant-application-in-a-namespace">Deploying the tenant application in a namespace&lt;/h3>
&lt;p>Now that the cluster administrator has created the tenant&amp;rsquo;s namespace (ex. &lt;code>istio-system1&lt;/code>) and
Pilot&amp;rsquo;s service discovery has been configured to watch for a specific application
namespace (ex. &lt;em>ns-1&lt;/em>), create the application manifests to deploy in that tenant&amp;rsquo;s specific
namespace. For example:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
kind: Namespace
metadata:
name: ns-1
&lt;/code>&lt;/pre>
&lt;p>And add the namespace reference to each resource type included in the application&amp;rsquo;s manifest
file. For example:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
kind: Service
metadata:
name: details
labels:
app: details
namespace: ns-1
&lt;/code>&lt;/pre>
&lt;p>Although not shown, the application namespaces will also have RBAC settings limiting access
to certain resources. These RBAC settings could be set by the cluster administrator and/or
the tenant administrator.&lt;/p>
&lt;h3 id="using-kubectl-in-a-multi-tenant-environment">Using &lt;code>kubectl&lt;/code> in a multi-tenant environment&lt;/h3>
&lt;p>When defining &lt;a href="https://archive.istio.io/v0.7/docs/reference/config/istio.routing.v1alpha1/#RouteRule">route rules&lt;/a>
or &lt;a href="https://archive.istio.io/v0.7/docs/reference/config/istio.routing.v1alpha1/#DestinationPolicy">destination policies&lt;/a>,
it is necessary to ensure that the &lt;code>kubectl&lt;/code> command is scoped to
the namespace the Istio control plane is running in to ensure the resource is created
in the proper namespace. Additionally, the rule itself must be scoped to the tenant&amp;rsquo;s namespace
so that it will be applied properly to that tenant&amp;rsquo;s mesh. The &lt;em>-i&lt;/em> option is used to create
(or get or describe) the rule in the namespace that the Istio control plane is deployed in.
The &lt;em>-n&lt;/em> option will scope the rule to the tenant&amp;rsquo;s mesh and should be set to the namespace that
the tenant&amp;rsquo;s app is deployed in. Note that the &lt;em>-n&lt;/em> option can be skipped on the command line if
the .yaml file for the resource scopes it properly instead.&lt;/p>
&lt;p>For example, the following command would be required to add a route rule to the &lt;code>istio-system1&lt;/code>
namespace:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl i istio-system1 apply -n ns-1 -f route_rule_v2.yaml
&lt;/code>&lt;/pre>
&lt;p>And can be displayed using the command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -i istio-system1 -n ns-1 get routerule
NAME KIND NAMESPACE
details-Default RouteRule.v1alpha2.config.istio.io ns-1
productpage-default RouteRule.v1alpha2.config.istio.io ns-1
ratings-default RouteRule.v1alpha2.config.istio.io ns-1
reviews-default RouteRule.v1alpha2.config.istio.io ns-1
&lt;/code>&lt;/pre>
&lt;p>See the &lt;a href="/v1.5/blog/2018/soft-multitenancy/#multiple-istio-control-planes">Multiple Istio control planes&lt;/a> section of this document for more details on &lt;code>namespace&lt;/code> requirements in a
multi-tenant environment.&lt;/p>
&lt;h3 id="test-results">Test results&lt;/h3>
&lt;p>Following the instructions above, a cluster administrator can create an environment limiting,
via RBAC and namespaces, what a tenant administrator can deploy.&lt;/p>
&lt;p>After deployment, accessing the Istio control plane pods assigned to a specific tenant
administrator is permitted:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods -n istio-system
NAME READY STATUS RESTARTS AGE
grafana-78d649479f-8pqk9 1/1 Running 0 1d
istio-ca-ffbb75c6f-98w6x 1/1 Running 0 1d
istio-ingress-68d65fc5c6-dnvfl 1/1 Running 0 1d
istio-mixer-5b9f8dffb5-8875r 3/3 Running 0 1d
istio-pilot-678fc976c8-b8tv6 2/2 Running 0 1d
istio-sidecar-injector-7587bd559d-5tgk6 1/1 Running 0 1d
prometheus-cf8456855-hdcq7 1/1 Running 0 1d
&lt;/code>&lt;/pre>
&lt;p>However, accessing all the cluster&amp;rsquo;s pods is not permitted:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods --all-namespaces
Error from server (Forbidden): pods is forbidden: User &amp;#34;dev-admin&amp;#34; cannot list pods at the cluster scope
&lt;/code>&lt;/pre>
&lt;p>And neither is accessing another tenant&amp;rsquo;s namespace:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods -n istio-system1
Error from server (Forbidden): pods is forbidden: User &amp;#34;dev-admin&amp;#34; cannot list pods in the namespace &amp;#34;istio-system1&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>The tenant administrator can deploy applications in the application namespace configured for
that tenant. As an example, updating the &lt;a href="/v1.5/docs/examples/bookinfo/">Bookinfo&lt;/a>
manifests and then deploying under the tenant&amp;rsquo;s application namespace of &lt;em>ns-0&lt;/em>, listing the
pods in use by this tenant&amp;rsquo;s namespace is permitted:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods -n ns-0
NAME READY STATUS RESTARTS AGE
details-v1-64b86cd49-b7rkr 2/2 Running 0 1d
productpage-v1-84f77f8747-rf2mt 2/2 Running 0 1d
ratings-v1-5f46655b57-5b4c5 2/2 Running 0 1d
reviews-v1-ff6bdb95b-pm5lb 2/2 Running 0 1d
reviews-v2-5799558d68-b989t 2/2 Running 0 1d
reviews-v3-58ff7d665b-lw5j9 2/2 Running 0 1d
&lt;/code>&lt;/pre>
&lt;p>But accessing another tenant&amp;rsquo;s application namespace is not:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods -n ns-1
Error from server (Forbidden): pods is forbidden: User &amp;#34;dev-admin&amp;#34; cannot list pods in the namespace &amp;#34;ns-1&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>If the &lt;a href="/v1.5/docs/tasks/observability/">add-on tools&lt;/a>, example
&lt;a href="/v1.5/docs/tasks/observability/metrics/querying-metrics/">Prometheus&lt;/a>, are deployed
(also limited by an Istio &lt;code>namespace&lt;/code>) the statistical results returned would represent only
that traffic seen from that tenant&amp;rsquo;s application namespace.&lt;/p>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>The evaluation performed indicates Istio has sufficient capabilities and security to meet a
small number of multi-tenant use cases. It also shows that Istio and Kubernetes &lt;strong>cannot&lt;/strong>
provide sufficient capabilities and security for other use cases, especially those use
cases that require complete security and isolation between untrusted tenants. The improvements
required to reach a more secure model of security and isolation require work in container
technology, ex. Kubernetes, rather than improvements in Istio capabilities.&lt;/p>
&lt;h2 id="issues">Issues&lt;/h2>
&lt;ul>
&lt;li>The CA (Certificate Authority) and Mixer pod logs from one tenant&amp;rsquo;s Istio control
plane (e.g. &lt;code>istio-system&lt;/code> namespace) contained &amp;lsquo;info&amp;rsquo; messages from a second tenant&amp;rsquo;s
Istio control plane (e.g. &lt;code>istio-system1&lt;/code> namespace).&lt;/li>
&lt;/ul>
&lt;h2 id="challenges-with-other-multi-tenancy-models">Challenges with other multi-tenancy models&lt;/h2>
&lt;p>Other multi-tenancy deployment models were considered:&lt;/p>
&lt;ol>
&lt;li>&lt;p>A single mesh with multiple applications, one for each tenant on the mesh. The cluster
administrator gets control and visibility mesh wide and across all applications, while the
tenant administrator only gets control of a specific application.&lt;/p>&lt;/li>
&lt;li>&lt;p>A single Istio control plane with multiple meshes, one mesh per tenant. The cluster
administrator gets control and visibility across the entire Istio control plane and all
meshes, while the tenant administrator only gets control of a specific mesh.&lt;/p>&lt;/li>
&lt;li>&lt;p>A single cloud environment (cluster controlled), but multiple Kubernetes control planes
(tenant controlled).&lt;/p>&lt;/li>
&lt;/ol>
&lt;p>These options either can&amp;rsquo;t be properly supported without code changes or don&amp;rsquo;t fully
address the use cases.&lt;/p>
&lt;p>Current Istio capabilities are poorly suited to support the first model as it lacks
sufficient RBAC capabilities to support cluster versus tenant operations. Additionally,
having multiple tenants under one mesh is too insecure with the current mesh model and the
way Istio drives configuration to the Envoy proxies.&lt;/p>
&lt;p>Regarding the second option, the current Istio paradigm assumes a single mesh per Istio control
plane. The needed changes to support this model are substantial. They would require
finer grained scoping of resources and security domains based on namespaces, as well as,
additional Istio RBAC changes. This model will likely be addressed by future work, but not
currently possible.&lt;/p>
&lt;p>The third model doesnt satisfy most use cases, as most cluster administrators prefer
a common Kubernetes control plane which they provide as a
&lt;a href="https://en.wikipedia.org/wiki/Platform_as_a_service">PaaS&lt;/a> to their tenants.&lt;/p>
&lt;h2 id="future-work">Future work&lt;/h2>
&lt;p>Allowing a single Istio control plane to control multiple meshes would be an obvious next
feature. An additional improvement is to provide a single mesh that can host different
tenants with some level of isolation and security between the tenants. This could be done
by partitioning within a single control plane using the same logical notion of namespace as
Kubernetes. A &lt;a href="https://docs.google.com/document/d/14Hb07gSrfVt5KX9qNi7FzzGwB_6WBpAnDpPG6QEEd9Q">document&lt;/a>
has been started within the Istio community to define additional use cases and the
Istio functionality required to support those use cases.&lt;/p>
&lt;h2 id="references">References&lt;/h2>
&lt;ul>
&lt;li>Video on Kubernetes multi-tenancy support, &lt;a href="https://www.youtube.com/watch?v=ahwCkJGItkU">Multi-Tenancy Support &amp;amp; Security Modeling with RBAC and Namespaces&lt;/a>, and the &lt;a href="https://schd.ws/hosted_files/kccncna17/21/Multi-tenancy%20Support%20%26%20Security%20Modeling%20with%20RBAC%20and%20Namespaces.pdf">supporting slide deck&lt;/a>.&lt;/li>
&lt;li>KubeCon talk on security that discusses Kubernetes support for &amp;ldquo;Cooperative soft multi-tenancy&amp;rdquo;, &lt;a href="https://www.youtube.com/watch?v=YRR-kZub0cA">Building for Trust: How to Secure Your Kubernetes&lt;/a>.&lt;/li>
&lt;li>Kubernetes documentation on &lt;a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">RBAC&lt;/a> and &lt;a href="https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/">namespaces&lt;/a>.&lt;/li>
&lt;li>KubeCon slide deck on &lt;a href="https://schd.ws/hosted_files/kccncna17/a9/kubecon-multitenancy.pdf">Multi-tenancy Deep Dive&lt;/a>.&lt;/li>
&lt;li>Google document on &lt;a href="https://docs.google.com/document/d/15w1_fesSUZHv-vwjiYa9vN_uyc--PySRoLKTuDhimjc">Multi-tenancy models for Kubernetes&lt;/a>. (Requires permission)&lt;/li>
&lt;li>Cloud Foundry WIP document, &lt;a href="https://docs.google.com/document/d/14Hb07gSrfVt5KX9qNi7FzzGwB_6WBpAnDpPG6QEEd9Q">Multi-cloud and Multi-tenancy&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://docs.google.com/document/d/12F183NIRAwj2hprx-a-51ByLeNqbJxK16X06vwH5OWE">Istio Auto Multi-Tenancy 101&lt;/a>&lt;/li>
&lt;/ul></description><pubDate>Thu, 19 Apr 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/soft-multitenancy/</link><author>John Joyce and Rich Curran</author><guid isPermaLink="true">/v1.5/blog/2018/soft-multitenancy/</guid><category>tenancy</category></item><item><title>Traffic Mirroring with Istio for Testing in Production</title><description>&lt;p>Trying to enumerate all the possible combinations of test cases for testing services in non-production/test environments can be daunting. In some cases, you&amp;rsquo;ll find that all of the effort that goes into cataloging these use cases doesn&amp;rsquo;t match up to real production use cases. Ideally, we could use live production use cases and traffic to help illuminate all of the feature areas of the service under test that we might miss in more contrived testing environments.&lt;/p>
&lt;p>Istio can help here. With the release of &lt;a href="/v1.5/news/releases/0.x/announcing-0.5">Istio 0.5&lt;/a>, Istio can mirror traffic to help test your services. You can write route rules similar to the following to enable traffic mirroring:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
name: mirror-traffic-to-httbin-v2
spec:
destination:
name: httpbin
precedence: 11
route:
- labels:
version: v1
weight: 100
- labels:
version: v2
weight: 0
mirror:
name: httpbin
labels:
version: v2
&lt;/code>&lt;/pre>
&lt;p>A few things to note here:&lt;/p>
&lt;ul>
&lt;li>When traffic gets mirrored to a different service, that happens outside the critical path of the request&lt;/li>
&lt;li>Responses to any mirrored traffic is ignored; traffic is mirrored as &amp;ldquo;fire-and-forget&amp;rdquo;&lt;/li>
&lt;li>You&amp;rsquo;ll need to have the 0-weighted route to hint to Istio to create the proper Envoy cluster under the covers; &lt;a href="https://github.com/istio/istio/issues/3270">this should be ironed out in future releases&lt;/a>.&lt;/li>
&lt;/ul>
&lt;p>Learn more about mirroring by visiting the &lt;a href="/v1.5/docs/tasks/traffic-management/mirroring/">Mirroring Task&lt;/a> and see a more
&lt;a href="https://dzone.com/articles/traffic-shadowing-with-istio-reducing-the-risk-of">comprehensive treatment of this scenario on my blog&lt;/a>.&lt;/p></description><pubDate>Thu, 08 Feb 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/traffic-mirroring/</link><author>Christian Posta</author><guid isPermaLink="true">/v1.5/blog/2018/traffic-mirroring/</guid><category>traffic-management</category><category>mirroring</category></item><item><title>Consuming External TCP Services</title><description>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">This blog post was updated on July 23, 2018 to use the new
&lt;a href="/v1.5/blog/2018/v1alpha3-routing/">v1alpha3 traffic management API&lt;/a>. If you need to use the old version, follow these &lt;a href="https://archive.istio.io/v0.7/blog/2018/egress-tcp.html">docs&lt;/a>.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>In my previous blog post, &lt;a href="/v1.5/blog/2018/egress-https/">Consuming External Web Services&lt;/a>, I described how external services
can be consumed by in-mesh Istio applications via HTTPS. In this post, I demonstrate consuming external services
over TCP. You will use the &lt;a href="/v1.5/docs/examples/bookinfo/">Istio Bookinfo sample application&lt;/a>, the version in which the book
ratings data is persisted in a MySQL database. You deploy this database outside the cluster and configure the
&lt;em>ratings&lt;/em> microservice to use it. You define a
&lt;a href="/v1.5/docs/reference/config/networking/service-entry/">Service Entry&lt;/a> to allow the in-mesh applications to
access the external database.&lt;/p>
&lt;h2 id="bookinfo-sample-application-with-external-ratings-database">Bookinfo sample application with external ratings database&lt;/h2>
&lt;p>First, you set up a MySQL database instance to hold book ratings data outside of your Kubernetes cluster. Then you
modify the &lt;a href="/v1.5/docs/examples/bookinfo/">Bookinfo sample application&lt;/a> to use your database.&lt;/p>
&lt;h3 id="setting-up-the-database-for-ratings-data">Setting up the database for ratings data&lt;/h3>
&lt;p>For this task you set up an instance of &lt;a href="https://www.mysql.com">MySQL&lt;/a>. You can use any MySQL instance; I used
&lt;a href="https://www.ibm.com/cloud/compose/mysql">Compose for MySQL&lt;/a>. I used &lt;code>mysqlsh&lt;/code>
(&lt;a href="https://dev.mysql.com/doc/mysql-shell/en/">MySQL Shell&lt;/a>) as a MySQL client to feed the ratings data.&lt;/p>
&lt;ol>
&lt;li>&lt;p>Set the &lt;code>MYSQL_DB_HOST&lt;/code> and &lt;code>MYSQL_DB_PORT&lt;/code> environment variables:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export MYSQL_DB_HOST=&amp;lt;your MySQL database host&amp;gt;
$ export MYSQL_DB_PORT=&amp;lt;your MySQL database port&amp;gt;
&lt;/code>&lt;/pre>
&lt;p>In case of a local MySQL database with the default port, the values are &lt;code>localhost&lt;/code> and &lt;code>3306&lt;/code>, respectively.&lt;/p>&lt;/li>
&lt;li>&lt;p>To initialize the database, run the following command entering the password when prompted. The command is
performed with the credentials of the &lt;code>admin&lt;/code> user, created by default by
&lt;a href="https://www.ibm.com/cloud/compose/mysql">Compose for MySQL&lt;/a>.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl -s https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/src/mysql/mysqldb-init.sql | mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT
&lt;/code>&lt;/pre>
&lt;p>&lt;em>&lt;strong>OR&lt;/strong>&lt;/em>&lt;/p>
&lt;p>When using the &lt;code>mysql&lt;/code> client and a local MySQL database, run:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl -s https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/src/mysql/mysqldb-init.sql | mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Create a user with the name &lt;code>bookinfo&lt;/code> and grant it &lt;em>SELECT&lt;/em> privilege on the &lt;code>test.ratings&lt;/code> table:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &amp;#34;CREATE USER &amp;#39;bookinfo&amp;#39; IDENTIFIED BY &amp;#39;&amp;lt;password you choose&amp;gt;&amp;#39;; GRANT SELECT ON test.ratings to &amp;#39;bookinfo&amp;#39;;&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>&lt;em>&lt;strong>OR&lt;/strong>&lt;/em>&lt;/p>
&lt;p>For &lt;code>mysql&lt;/code> and the local database, the command is:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &amp;#34;CREATE USER &amp;#39;bookinfo&amp;#39; IDENTIFIED BY &amp;#39;&amp;lt;password you choose&amp;gt;&amp;#39;; GRANT SELECT ON test.ratings to &amp;#39;bookinfo&amp;#39;;&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>Here you apply the &lt;a href="https://en.wikipedia.org/wiki/Principle_of_least_privilege">principle of least privilege&lt;/a>. This
means that you do not use your &lt;code>admin&lt;/code> user in the Bookinfo application. Instead, you create a special user for the
Bookinfo application , &lt;code>bookinfo&lt;/code>, with minimal privileges. In this case, the &lt;em>bookinfo&lt;/em> user only has the &lt;code>SELECT&lt;/code>
privilege on a single table.&lt;/p>
&lt;p>After running the command to create the user, you may want to clean your bash history by checking the number of the last
command and running &lt;code>history -d &amp;lt;the number of the command that created the user&amp;gt;&lt;/code>. You don&amp;rsquo;t want the password of the
new user to be stored in the bash history. If you&amp;rsquo;re using &lt;code>mysql&lt;/code>, remove the last command from
&lt;code>~/.mysql_history&lt;/code> file as well. Read more about password protection of the newly created user in &lt;a href="https://dev.mysql.com/doc/refman/5.5/en/create-user.html">MySQL documentation&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Inspect the created ratings to see that everything worked as expected:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysqlsh --sql --ssl-mode=REQUIRED -u bookinfo -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &amp;#34;select * from test.ratings;&amp;#34;
Enter password:
+----------+--------+
| ReviewID | Rating |
+----------+--------+
| 1 | 5 |
| 2 | 4 |
+----------+--------+
&lt;/code>&lt;/pre>
&lt;p>&lt;em>&lt;strong>OR&lt;/strong>&lt;/em>&lt;/p>
&lt;p>For &lt;code>mysql&lt;/code> and the local database:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysql -u bookinfo -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &amp;#34;select * from test.ratings;&amp;#34;
Enter password:
+----------+--------+
| ReviewID | Rating |
+----------+--------+
| 1 | 5 |
| 2 | 4 |
+----------+--------+
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Set the ratings temporarily to &lt;code>1&lt;/code> to provide a visual clue when our database is used by the Bookinfo &lt;em>ratings&lt;/em>
service:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &amp;#34;update test.ratings set rating=1; select * from test.ratings;&amp;#34;
Enter password:
Rows matched: 2 Changed: 2 Warnings: 0
+----------+--------+
| ReviewID | Rating |
+----------+--------+
| 1 | 1 |
| 2 | 1 |
+----------+--------+
&lt;/code>&lt;/pre>
&lt;p>&lt;em>&lt;strong>OR&lt;/strong>&lt;/em>&lt;/p>
&lt;p>For &lt;code>mysql&lt;/code> and the local database:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &amp;#34;update test.ratings set rating=1; select * from test.ratings;&amp;#34;
Enter password:
+----------+--------+
| ReviewID | Rating |
+----------+--------+
| 1 | 1 |
| 2 | 1 |
+----------+--------+
&lt;/code>&lt;/pre>
&lt;p>You used the &lt;code>admin&lt;/code> user (and &lt;code>root&lt;/code> for the local database) in the last command since the &lt;code>bookinfo&lt;/code> user does not
have the &lt;code>UPDATE&lt;/code> privilege on the &lt;code>test.ratings&lt;/code> table.&lt;/p>&lt;/li>
&lt;/ol>
&lt;p>Now you are ready to deploy a version of the Bookinfo application that will use your database.&lt;/p>
&lt;h3 id="initial-setting-of-bookinfo-application">Initial setting of Bookinfo application&lt;/h3>
&lt;p>To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with &lt;a href="/v1.5/docs/setup/getting-started/">Istio installed&lt;/a>. Then you deploy the
&lt;a href="/v1.5/docs/examples/bookinfo/">Istio Bookinfo sample application&lt;/a>, &lt;a href="/v1.5/docs/examples/bookinfo/#apply-default-destination-rules">apply the default destination rules&lt;/a>, and &lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy">change Istio to the blocking-egress-by-default policy&lt;/a>.&lt;/p>
&lt;p>This application uses the &lt;code>ratings&lt;/code> microservice to fetch
book ratings, a number between 1 and 5. The ratings are displayed as stars for each review. There are several versions
of the &lt;code>ratings&lt;/code> microservice. Some use &lt;a href="https://www.mongodb.com">MongoDB&lt;/a>, others use &lt;a href="https://www.mysql.com">MySQL&lt;/a>
as their database.&lt;/p>
&lt;p>The example commands in this blog post work with Istio 0.8+, with or without
&lt;a href="/v1.5/docs/concepts/security/#mutual-tls-authentication">mutual TLS&lt;/a> enabled.&lt;/p>
&lt;p>As a reminder, here is the end-to-end architecture of the application from the
&lt;a href="/v1.5/docs/examples/bookinfo/">Bookinfo sample application&lt;/a>.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.086918235567985%">
&lt;a data-skipendnotes="true" href="/v1.5/docs/examples/bookinfo/withistio.svg" title="The original Bookinfo application">
&lt;img class="element-to-stretch" src="/v1.5/docs/examples/bookinfo/withistio.svg" alt="The original Bookinfo application" />
&lt;/a>
&lt;/div>
&lt;figcaption>The original Bookinfo application&lt;/figcaption>
&lt;/figure>
&lt;h3 id="use-the-database-for-ratings-data-in-bookinfo-application">Use the database for ratings data in Bookinfo application&lt;/h3>
&lt;ol>
&lt;li>&lt;p>Modify the deployment spec of a version of the &lt;em>ratings&lt;/em> microservice that uses a MySQL database, to use your
database instance. The spec is in &lt;a href="https://github.com/istio/istio/blob/release-1.5/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml">&lt;code>samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml&lt;/code>&lt;/a>
of an Istio release archive. Edit the following lines:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >- name: MYSQL_DB_HOST
value: mysqldb
- name: MYSQL_DB_PORT
value: &amp;#34;3306&amp;#34;
- name: MYSQL_DB_USER
value: root
- name: MYSQL_DB_PASSWORD
value: password
&lt;/code>&lt;/pre>
&lt;p>Replace the values in the snippet above, specifying the database host, port, user, and password. Note that the
correct way to work with passwords in container&amp;rsquo;s environment variables in Kubernetes is &lt;a href="https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables">to use secrets&lt;/a>. For this
example task only, you may want to write the password directly in the deployment spec. &lt;strong>Do not do it&lt;/strong> in a real
environment! I also assume everyone realizes that &lt;code>&amp;quot;password&amp;quot;&lt;/code> should not be used as a password&amp;hellip;&lt;/p>&lt;/li>
&lt;li>&lt;p>Apply the modified spec to deploy the version of the &lt;em>ratings&lt;/em> microservice, &lt;em>v2-mysql&lt;/em>, that will use your
database.&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml@
deployment &amp;#34;ratings-v2-mysql&amp;#34; created
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;li>&lt;p>Route all the traffic destined to the &lt;em>reviews&lt;/em> service to its &lt;em>v3&lt;/em> version. You do this to ensure that the
&lt;em>reviews&lt;/em> service always calls the &lt;em>ratings&lt;/em> service. In addition, route all the traffic destined to the &lt;em>ratings&lt;/em>
service to &lt;em>ratings v2-mysql&lt;/em> that uses your database.&lt;/p>
&lt;p>Specify the routing for both services above by adding two
&lt;a href="/v1.5/docs/reference/config/networking/virtual-service/">virtual services&lt;/a>. These virtual services are
specified in &lt;code>samples/bookinfo/networking/virtual-service-ratings-mysql.yaml&lt;/code> of an Istio release archive.
&lt;strong>&lt;em>Important:&lt;/em>&lt;/strong> make sure you
&lt;a href="/v1.5/docs/examples/bookinfo/#apply-default-destination-rules">applied the default destination rules&lt;/a> before running the
following command.&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/networking/virtual-service-ratings-mysql.yaml@
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;/ol>
&lt;p>The updated architecture appears below. Note that the blue arrows inside the mesh mark the traffic configured according
to the virtual services we added. According to the virtual services, the traffic is sent to &lt;em>reviews v3&lt;/em> and
&lt;em>ratings v2-mysql&lt;/em>.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.314858206480224%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-tcp/bookinfo-ratings-v2-mysql-external.svg" title="The Bookinfo application with ratings v2-mysql and an external MySQL database">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-tcp/bookinfo-ratings-v2-mysql-external.svg" alt="The Bookinfo application with ratings v2-mysql and an external MySQL database" />
&lt;/a>
&lt;/div>
&lt;figcaption>The Bookinfo application with ratings v2-mysql and an external MySQL database&lt;/figcaption>
&lt;/figure>
&lt;p>Note that the MySQL database is outside the Istio service mesh, or more precisely outside the Kubernetes cluster. The
boundary of the service mesh is marked by a dashed line.&lt;/p>
&lt;h3 id="access-the-webpage">Access the webpage&lt;/h3>
&lt;p>Access the webpage of the application, after
&lt;a href="/v1.5/docs/examples/bookinfo/#determine-the-ingress-ip-and-port">determining the ingress IP and port&lt;/a>.&lt;/p>
&lt;p>You have a problem&amp;hellip; Instead of the rating stars, the message &lt;em>&amp;ldquo;Ratings service is currently unavailable&amp;rdquo;&lt;/em> is currently
displayed below each review:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:36.18705035971223%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-tcp/errorFetchingBookRating.png" title="The Ratings service error messages">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-tcp/errorFetchingBookRating.png" alt="The Ratings service error messages" />
&lt;/a>
&lt;/div>
&lt;figcaption>The Ratings service error messages&lt;/figcaption>
&lt;/figure>
&lt;p>As in &lt;a href="/v1.5/blog/2018/egress-https/">Consuming External Web Services&lt;/a>, you experience &lt;strong>graceful service degradation&lt;/strong>,
which is good. The application did not crash due to the error in the &lt;em>ratings&lt;/em> microservice. The webpage of the
application correctly displayed the book information, the details, and the reviews, just without the rating stars.&lt;/p>
&lt;p>You have the same problem as in &lt;a href="/v1.5/blog/2018/egress-https/">Consuming External Web Services&lt;/a>, namely all the traffic
outside the Kubernetes cluster, both TCP and HTTP, is blocked by default by the sidecar proxies. To enable such traffic
for TCP, a mesh-external service entry for TCP must be defined.&lt;/p>
&lt;h3 id="mesh-external-service-entry-for-an-external-mysql-instance">Mesh-external service entry for an external MySQL instance&lt;/h3>
&lt;p>TCP mesh-external service entries come to our rescue.&lt;/p>
&lt;ol>
&lt;li>&lt;p>Get the IP address of your MySQL database instance. As an option, you can use the
&lt;a href="https://linux.die.net/man/1/host">host&lt;/a> command:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export MYSQL_DB_IP=$(host $MYSQL_DB_HOST | grep &amp;#34; has address &amp;#34; | cut -d&amp;#34; &amp;#34; -f4)
&lt;/code>&lt;/pre>
&lt;p>For a local database, set &lt;code>MYSQL_DB_IP&lt;/code> to contain the IP of your machine, accessible from your cluster.&lt;/p>&lt;/li>
&lt;li>&lt;p>Define a TCP mesh-external service entry:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: mysql-external
spec:
hosts:
- $MYSQL_DB_HOST
addresses:
- $MYSQL_DB_IP/32
ports:
- name: tcp
number: $MYSQL_DB_PORT
protocol: tcp
location: MESH_EXTERNAL
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Review the service entry you just created and check that it contains the correct values:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get serviceentry mysql-external -o yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
...
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;p>Note that for a TCP service entry, you specify &lt;code>tcp&lt;/code> as the protocol of a port of the entry. Also note that you have to
specify the IP of the external service in the list of addresses, as a &lt;a href="https://tools.ietf.org/html/rfc2317">CIDR&lt;/a> block
with suffix &lt;code>32&lt;/code>.&lt;/p>
&lt;p>I will talk more about TCP service entries
&lt;a href="#service-entries-for-tcp-traffic">below&lt;/a>. For now, verify that the service entry we added fixed the problem. Access the
webpage and see if the stars are back.&lt;/p>
&lt;p>It worked! Accessing the web page of the application displays the ratings without error:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:36.69064748201439%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-tcp/externalMySQLRatings.png" title="Book Ratings Displayed Correctly">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-tcp/externalMySQLRatings.png" alt="Book Ratings Displayed Correctly" />
&lt;/a>
&lt;/div>
&lt;figcaption>Book Ratings Displayed Correctly&lt;/figcaption>
&lt;/figure>
&lt;p>Note that you see a one-star rating for both displayed reviews, as expected. You changed the ratings to be one star to
provide us with a visual clue that our external database is indeed being used.&lt;/p>
&lt;p>As with service entries for HTTP/HTTPS, you can delete and create service entries for TCP using &lt;code>kubectl&lt;/code>, dynamically.&lt;/p>
&lt;h2 id="motivation-for-egress-tcp-traffic-control">Motivation for egress TCP traffic control&lt;/h2>
&lt;p>Some in-mesh Istio applications must access external services, for example legacy systems. In many cases, the access is
not performed over HTTP or HTTPS protocols. Other TCP protocols are used, such as database-specific protocols like
&lt;a href="https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/">MongoDB Wire Protocol&lt;/a> and &lt;a href="https://dev.mysql.com/doc/internals/en/client-server-protocol.html">MySQL Client/Server Protocol&lt;/a> to communicate with external databases.&lt;/p>
&lt;p>Next let me provide more details about the service entries for TCP traffic.&lt;/p>
&lt;h2 id="service-entries-for-tcp-traffic">Service entries for TCP traffic&lt;/h2>
&lt;p>The service entries for enabling TCP traffic to a specific port must specify &lt;code>TCP&lt;/code> as the protocol of the port.
Additionally, for the &lt;a href="https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/">MongoDB Wire Protocol&lt;/a>, the
protocol can be specified as &lt;code>MONGO&lt;/code>, instead of &lt;code>TCP&lt;/code>.&lt;/p>
&lt;p>For the &lt;code>addresses&lt;/code> field of the entry, a block of IPs in &lt;a href="https://tools.ietf.org/html/rfc2317">CIDR&lt;/a>
notation must be used. Note that the &lt;code>hosts&lt;/code> field is ignored for TCP service entries.&lt;/p>
&lt;p>To enable TCP traffic to an external service by its hostname, all the IPs of the hostname must be specified. Each IP
must be specified by a CIDR block.&lt;/p>
&lt;p>Note that all the IPs of an external service are not always known. To enable egress TCP traffic, only the IPs that are
used by the applications must be specified.&lt;/p>
&lt;p>Also note that the IPs of an external service are not always static, for example in the case of
&lt;a href="https://en.wikipedia.org/wiki/Content_delivery_network">CDNs&lt;/a>. Sometimes the IPs are static most of the time, but can
be changed from time to time, for example due to infrastructure changes. In these cases, if the range of the possible
IPs is known, you should specify the range by CIDR blocks. If the range of the possible IPs is not known, service
entries for TCP cannot be used and
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services">the external services must be called directly&lt;/a>,
bypassing the sidecar proxies.&lt;/p>
&lt;h2 id="relation-to-virtual-machines-support">Relation to virtual machines support&lt;/h2>
&lt;p>Note that the scenario described in this post is different from the
&lt;a href="/v1.5/docs/examples/virtual-machines/bookinfo/">Bookinfo with Virtual Machines&lt;/a> example. In that scenario, a MySQL instance runs on an
external
(outside the cluster) machine (a bare metal or a VM), integrated with the Istio service mesh. The MySQL service becomes
a first-class citizen of the mesh with all the beneficial features of Istio applicable. Among other things, the service
becomes addressable by a local cluster domain name, for example by &lt;code>mysqldb.vm.svc.cluster.local&lt;/code>, and the communication
to it can be secured by
&lt;a href="/v1.5/docs/concepts/security/#mutual-tls-authentication">mutual TLS authentication&lt;/a>. There is no need to create a service
entry to access this service; however, the service must be registered with Istio. To enable such integration, Istio
components (&lt;em>Envoy proxy&lt;/em>, &lt;em>node-agent&lt;/em>, &lt;code>_istio-agent_&lt;/code>) must be installed on the machine and the Istio control plane
(&lt;em>Pilot&lt;/em>, &lt;em>Mixer&lt;/em>, &lt;em>Citadel&lt;/em>) must be accessible from it. See the
&lt;a href="/v1.5/docs/examples/virtual-machines/">Istio VM-related&lt;/a> tasks for more details.&lt;/p>
&lt;p>In our case, the MySQL instance can run on any machine or can be provisioned as a service by a cloud provider. There is
no requirement to integrate the machine with Istio. The Istio control plane does not have to be accessible from the
machine. In the case of MySQL as a service, the machine which MySQL runs on may be not accessible and installing on it
the required components may be impossible. In our case, the MySQL instance is addressable by its global domain name,
which could be beneficial if the consuming applications expect to use that domain name. This is especially relevant when
that expected domain name cannot be changed in the deployment configuration of the consuming applications.&lt;/p>
&lt;h2 id="cleanup">Cleanup&lt;/h2>
&lt;ol>
&lt;li>&lt;p>Drop the &lt;code>test&lt;/code> database and the &lt;code>bookinfo&lt;/code> user:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &amp;#34;drop database test; drop user bookinfo;&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>&lt;em>&lt;strong>OR&lt;/strong>&lt;/em>&lt;/p>
&lt;p>For &lt;code>mysql&lt;/code> and the local database:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &amp;#34;drop database test; drop user bookinfo;&amp;#34;
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Remove the virtual services:&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f @samples/bookinfo/networking/virtual-service-ratings-mysql.yaml@
Deleted config: virtual-service/default/reviews
Deleted config: virtual-service/default/ratings
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;li>&lt;p>Undeploy &lt;em>ratings v2-mysql&lt;/em>:&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml@
deployment &amp;#34;ratings-v2-mysql&amp;#34; deleted
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;li>&lt;p>Delete the service entry:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry mysql-external -n default
Deleted config: serviceentry mysql-external
&lt;/code>&lt;/pre>&lt;/li>
&lt;/ol>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>In this blog post, I demonstrated how the microservices in an Istio service mesh can consume external services via TCP.
By default, Istio blocks all the traffic, TCP and HTTP, to the hosts outside the cluster. To enable such traffic for
TCP, TCP mesh-external service entries must be created for the service mesh.&lt;/p></description><pubDate>Tue, 06 Feb 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/egress-tcp/</link><author>Vadim Eisenberg</author><guid isPermaLink="true">/v1.5/blog/2018/egress-tcp/</guid><category>traffic-management</category><category>egress</category><category>tcp</category></item><item><title>Consuming External Web Services</title><description>
&lt;p>In many cases, not all the parts of a microservices-based application reside in a &lt;em>service mesh&lt;/em>. Sometimes, the
microservices-based applications use functionality provided by legacy systems that reside outside the mesh. You may want
to migrate these systems to the service mesh gradually. Until these systems are migrated, they must be accessed by the
applications inside the mesh. In other cases, the applications use web services provided by third parties.&lt;/p>
&lt;p>In this blog post, I modify the &lt;a href="/v1.5/docs/examples/bookinfo/">Istio Bookinfo Sample Application&lt;/a> to fetch book details from
an external web service (&lt;a href="https://developers.google.com/books/docs/v1/getting_started">Google Books APIs&lt;/a>). I show how
to enable egress HTTPS traffic in Istio by using &lt;em>mesh-external service entries&lt;/em>. I provide two options for egress
HTTPS traffic and describe the pros and cons of each of the options.&lt;/p>
&lt;h2 id="initial-setting">Initial setting&lt;/h2>
&lt;p>To demonstrate the scenario of consuming an external web service, I start with a Kubernetes cluster with &lt;a href="/v1.5/docs/setup/getting-started/">Istio installed&lt;/a>. Then I deploy
&lt;a href="/v1.5/docs/examples/bookinfo/">Istio Bookinfo Sample Application&lt;/a>. This application uses the &lt;em>details&lt;/em> microservice to fetch
book details, such as the number of pages and the publisher. The original &lt;em>details&lt;/em> microservice provides the book
details without consulting any external service.&lt;/p>
&lt;p>The example commands in this blog post work with Istio 1.0+, with or without
&lt;a href="/v1.5/docs/concepts/security/#mutual-tls-authentication">mutual TLS&lt;/a> enabled. The Bookinfo configuration files reside in the
&lt;code>samples/bookinfo&lt;/code> directory of the Istio release archive.&lt;/p>
&lt;p>Here is a copy of the end-to-end architecture of the application from the original
&lt;a href="/v1.5/docs/examples/bookinfo/">Bookinfo sample application&lt;/a>.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.086918235567985%">
&lt;a data-skipendnotes="true" href="/v1.5/docs/examples/bookinfo/withistio.svg" title="The Original Bookinfo Application">
&lt;img class="element-to-stretch" src="/v1.5/docs/examples/bookinfo/withistio.svg" alt="The Original Bookinfo Application" />
&lt;/a>
&lt;/div>
&lt;figcaption>The Original Bookinfo Application&lt;/figcaption>
&lt;/figure>
&lt;p>Perform the steps in the
&lt;a href="/v1.5/docs/examples/bookinfo/#deploying-the-application">Deploying the application&lt;/a>,
&lt;a href="/v1.5/docs/examples/bookinfo/#confirm-the-app-is-accessible-from-outside-the-cluster">Confirm the app is running&lt;/a>,
&lt;a href="/v1.5/docs/examples/bookinfo/#apply-default-destination-rules">Apply default destination rules&lt;/a>
sections, and
&lt;a href="/v1.5/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy">change Istio to the blocking-egress-by-default policy&lt;/a>.&lt;/p>
&lt;h2 id="bookinfo-with-https-access-to-a-google-books-web-service">Bookinfo with HTTPS access to a Google Books web service&lt;/h2>
&lt;p>Deploy a new version of the &lt;em>details&lt;/em> microservice, &lt;em>v2&lt;/em>, that fetches the book details from &lt;a href="https://developers.google.com/books/docs/v1/getting_started">Google Books APIs&lt;/a>. Run the following command; it sets the
&lt;code>DO_NOT_ENCRYPT&lt;/code> environment variable of the service&amp;rsquo;s container to &lt;code>false&lt;/code>. This setting will instruct the deployed
service to use HTTPS (instead of HTTP) to access to the external service.&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-details-v2.yaml@ --dry-run -o yaml | kubectl set env --local -f - &amp;#39;DO_NOT_ENCRYPT=false&amp;#39; -o yaml | kubectl apply -f -
&lt;/code>&lt;/pre>&lt;/div>
&lt;p>The updated architecture of the application now looks as follows:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:65.1654485092242%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-https/bookinfo-details-v2.svg" title="The Bookinfo Application with details V2">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-https/bookinfo-details-v2.svg" alt="The Bookinfo Application with details V2" />
&lt;/a>
&lt;/div>
&lt;figcaption>The Bookinfo Application with details V2&lt;/figcaption>
&lt;/figure>
&lt;p>Note that the Google Books web service is outside the Istio service mesh, the boundary of which is marked by a dashed
line.&lt;/p>
&lt;p>Now direct all the traffic destined to the &lt;em>details&lt;/em> microservice, to &lt;em>details version v2&lt;/em>.&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/networking/virtual-service-details-v2.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/networking/virtual-service-details-v2.yaml@
&lt;/code>&lt;/pre>&lt;/div>
&lt;p>Note that the virtual service relies on a destination rule that you created in the &lt;a href="/v1.5/docs/examples/bookinfo/#apply-default-destination-rules">Apply default destination rules&lt;/a> section.&lt;/p>
&lt;p>Access the web page of the application, after
&lt;a href="/v1.5/docs/examples/bookinfo/#determine-the-ingress-ip-and-port">determining the ingress IP and port&lt;/a>.&lt;/p>
&lt;p>Oops&amp;hellip; Instead of the book details you have the &lt;em>Error fetching product details&lt;/em> message displayed:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:36.18649965205289%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-https/errorFetchingBookDetails.png" title="The Error Fetching Product Details Message">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-https/errorFetchingBookDetails.png" alt="The Error Fetching Product Details Message" />
&lt;/a>
&lt;/div>
&lt;figcaption>The Error Fetching Product Details Message&lt;/figcaption>
&lt;/figure>
&lt;p>The good news is that your application did not crash. With a good microservice design, you do not have &lt;strong>failure
propagation&lt;/strong>. In your case, the failing &lt;em>details&lt;/em> microservice does not cause the &lt;code>productpage&lt;/code> microservice to fail.
Most of the functionality of the application is still provided, despite the failure in the &lt;em>details&lt;/em> microservice. You
have &lt;strong>graceful service degradation&lt;/strong>: as you can see, the reviews and the ratings are displayed correctly, and the
application is still useful.&lt;/p>
&lt;p>So what might have gone wrong? Ah&amp;hellip; The answer is that I forgot to tell you to enable traffic from inside the mesh to
an external service, in this case to the Google Books web service. By default, the Istio sidecar proxies
(&lt;a href="https://www.envoyproxy.io">Envoy proxies&lt;/a>) &lt;strong>block all the traffic to destinations outside the cluster&lt;/strong>. To enable
such traffic, you must define a
&lt;a href="/v1.5/docs/reference/config/networking/service-entry/">mesh-external service entry&lt;/a>.&lt;/p>
&lt;h3 id="enable-https-access-to-a-google-books-web-service">Enable HTTPS access to a Google Books web service&lt;/h3>
&lt;p>No worries, define a &lt;strong>mesh-external service entry&lt;/strong> and fix your application. You must also define a &lt;em>virtual
service&lt;/em> to perform routing by &lt;a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI&lt;/a> to the external service.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: googleapis
spec:
hosts:
- www.googleapis.com
ports:
- number: 443
name: https
protocol: HTTPS
location: MESH_EXTERNAL
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: googleapis
spec:
hosts:
- www.googleapis.com
tls:
- match:
- port: 443
sni_hosts:
- www.googleapis.com
route:
- destination:
host: www.googleapis.com
port:
number: 443
weight: 100
EOF
&lt;/code>&lt;/pre>
&lt;p>Now accessing the web page of the application displays the book details without error:&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:34.82831114225648%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-https/externalBookDetails.png" title="Book Details Displayed Correctly">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-https/externalBookDetails.png" alt="Book Details Displayed Correctly" />
&lt;/a>
&lt;/div>
&lt;figcaption>Book Details Displayed Correctly&lt;/figcaption>
&lt;/figure>
&lt;p>You can query your service entries:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get serviceentries
NAME AGE
googleapis 8m
&lt;/code>&lt;/pre>
&lt;p>You can delete your service entry:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry googleapis
serviceentry &amp;#34;googleapis&amp;#34; deleted
&lt;/code>&lt;/pre>
&lt;p>and see in the output that the service entry is deleted.&lt;/p>
&lt;p>Accessing the web page after deleting the service entry produces the same error that you experienced before, namely
&lt;em>Error fetching product details&lt;/em>. As you can see, the service entries are defined &lt;strong>dynamically&lt;/strong>, as are many other
Istio configuration artifacts. The Istio operators can decide dynamically which domains they allow the microservices to
access. They can enable and disable traffic to the external domains on the fly, without redeploying the microservices.&lt;/p>
&lt;h3 id="cleanup-of-https-access-to-a-google-books-web-service">Cleanup of HTTPS access to a Google Books web service&lt;/h3>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml'>Zip&lt;/a>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/networking/virtual-service-details-v2.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry googleapis
$ kubectl delete virtualservice googleapis
$ kubectl delete -f @samples/bookinfo/networking/virtual-service-details-v2.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-details-v2.yaml@
&lt;/code>&lt;/pre>&lt;/div>
&lt;h2 id="tls-origination-by-istio">TLS origination by Istio&lt;/h2>
&lt;p>There is a caveat to this story. Suppose you want to monitor which specific set of
&lt;a href="https://developers.google.com/apis-explorer/">Google APIs&lt;/a> your microservices use
(&lt;a href="https://developers.google.com/books/docs/v1/getting_started">Books&lt;/a>,
&lt;a href="https://developers.google.com/calendar/">Calendar&lt;/a>, &lt;a href="https://developers.google.com/tasks/">Tasks&lt;/a> etc.)
Suppose you want to enforce a policy that using only
&lt;a href="https://developers.google.com/books/docs/v1/getting_started">Books APIs&lt;/a> is allowed. Suppose you want to monitor the
book identifiers that your microservices access. For these monitoring and policy tasks you need to know the URL path.
Consider for example the URL
&lt;a href="https://www.googleapis.com/books/v1/volumes?q=isbn:0486424618">&lt;code>www.googleapis.com/books/v1/volumes?q=isbn:0486424618&lt;/code>&lt;/a>.
In that URL, &lt;a href="https://developers.google.com/books/docs/v1/getting_started">Books APIs&lt;/a> is specified by the path segment
&lt;code>/books&lt;/code>, and the &lt;a href="https://en.wikipedia.org/wiki/International_Standard_Book_Number">ISBN&lt;/a> number by the path segment
&lt;code>/volumes?q=isbn:0486424618&lt;/code>. However, in HTTPS, all the HTTP details (hostname, path, headers etc.) are encrypted and
such monitoring and policy enforcement by the sidecar proxies is not possible. Istio can only know the server name of
the encrypted requests by the &lt;a href="https://tools.ietf.org/html/rfc3546#section-3.1">SNI&lt;/a> (&lt;em>Server Name Indication&lt;/em>) field,
in this case &lt;code>www.googleapis.com&lt;/code>.&lt;/p>
&lt;p>To allow Istio to perform monitoring and policy enforcement of egress requests based on HTTP details, the microservices
must issue HTTP requests. Istio then opens an HTTPS connection to the destination (performs TLS origination). The code
of the microservices must be written differently or configured differently, according to whether the microservice runs
inside or outside an Istio service mesh. This contradicts the Istio design goal of &lt;a href="/v1.5/docs/ops/deployment/architecture/#design-goals">maximizing transparency&lt;/a>. Sometimes you need to compromise&amp;hellip;&lt;/p>
&lt;p>The diagram below shows two options for sending HTTPS traffic to external services. On the top, a microservice sends
regular HTTPS requests, encrypted end-to-end. On the bottom, the same microservice sends unencrypted HTTP requests
inside a pod, which are intercepted by the sidecar Envoy proxy. The sidecar proxy performs TLS origination, so the
traffic between the pod and the external service is encrypted.&lt;/p>
&lt;figure style="width:60%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:95.1355088590701%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2018/egress-https/https_from_the_app.svg" title="HTTPS traffic to external services, with TLS originated by the microservice vs. by the sidecar proxy">
&lt;img class="element-to-stretch" src="/v1.5/blog/2018/egress-https/https_from_the_app.svg" alt="HTTPS traffic to external services, with TLS originated by the microservice vs. by the sidecar proxy" />
&lt;/a>
&lt;/div>
&lt;figcaption>HTTPS traffic to external services, with TLS originated by the microservice vs. by the sidecar proxy&lt;/figcaption>
&lt;/figure>
&lt;p>Here is how both patterns are supported in the
&lt;a href="https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/src/details/details.rb">Bookinfo details microservice code&lt;/a>, using the Ruby
&lt;a href="https://docs.ruby-lang.org/en/2.0.0/Net/HTTP.html">net/http module&lt;/a>:&lt;/p>
&lt;pre>&lt;code class='language-ruby' data-expandlinks='true' data-repo='istio' >uri = URI.parse(&amp;#39;https://www.googleapis.com/books/v1/volumes?q=isbn:&amp;#39; + isbn)
http = Net::HTTP.new(uri.host, ENV[&amp;#39;DO_NOT_ENCRYPT&amp;#39;] === &amp;#39;true&amp;#39; ? 80:443)
...
unless ENV[&amp;#39;DO_NOT_ENCRYPT&amp;#39;] === &amp;#39;true&amp;#39; then
http.use_ssl = true
end
&lt;/code>&lt;/pre>
&lt;p>When the &lt;code>DO_NOT_ENCRYPT&lt;/code> environment variable is defined, the request is performed without SSL (plain HTTP) to port 80.&lt;/p>
&lt;p>You can set the &lt;code>DO_NOT_ENCRYPT&lt;/code> environment variable to &lt;em>&amp;ldquo;true&amp;rdquo;&lt;/em> in the
&lt;a href="https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml">Kubernetes deployment spec of details v2&lt;/a>,
the &lt;code>container&lt;/code> section:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >env:
- name: DO_NOT_ENCRYPT
value: &amp;#34;true&amp;#34;
&lt;/code>&lt;/pre>
&lt;p>In the next section you will configure TLS origination for accessing an external web service.&lt;/p>
&lt;h2 id="bookinfo-with-tls-origination-to-a-google-books-web-service">Bookinfo with TLS origination to a Google Books web service&lt;/h2>
&lt;ol>
&lt;li>&lt;p>Deploy a version of &lt;em>details v2&lt;/em> that sends an HTTP request to
&lt;a href="https://developers.google.com/books/docs/v1/getting_started">Google Books APIs&lt;/a>. The &lt;code>DO_NOT_ENCRYPT&lt;/code> variable
is set to true in
&lt;a href="https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml">&lt;code>bookinfo-details-v2.yaml&lt;/code>&lt;/a>.&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-details-v2.yaml@
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;li>&lt;p>Direct the traffic destined to the &lt;em>details&lt;/em> microservice, to &lt;em>details version v2&lt;/em>.&lt;/p>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/networking/virtual-service-details-v2.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/networking/virtual-service-details-v2.yaml@
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;li>&lt;p>Create a mesh-external service entry for &lt;code>www.google.apis&lt;/code> , a virtual service to rewrite the destination port from
80 to 443, and a destination rule to perform TLS origination.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: googleapis
spec:
hosts:
- www.googleapis.com
ports:
- number: 80
name: http
protocol: HTTP
- number: 443
name: https
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: rewrite-port-for-googleapis
spec:
hosts:
- www.googleapis.com
http:
- match:
- port: 80
route:
- destination:
host: www.googleapis.com
port:
number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: originate-tls-for-googleapis
spec:
host: www.googleapis.com
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE # initiates HTTPS when accessing www.googleapis.com
EOF
&lt;/code>&lt;/pre>&lt;/li>
&lt;li>&lt;p>Access the web page of the application and verify that the book details are displayed without errors.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;a href="/v1.5/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging">Enable Envoys access logging&lt;/a>&lt;/p>&lt;/li>
&lt;li>&lt;p>Check the log of of the sidecar proxy of &lt;em>details v2&lt;/em> and see the HTTP request.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs $(kubectl get pods -l app=details -l version=v2 -o jsonpath=&amp;#39;{.items[0].metadata.name}&amp;#39;) istio-proxy | grep googleapis
[2018-08-09T11:32:58.171Z] &amp;#34;GET /books/v1/volumes?q=isbn:0486424618 HTTP/1.1&amp;#34; 200 - 0 1050 264 264 &amp;#34;-&amp;#34; &amp;#34;Ruby&amp;#34; &amp;#34;b993bae7-4288-9241-81a5-4cde93b2e3a6&amp;#34; &amp;#34;www.googleapis.com:80&amp;#34; &amp;#34;172.217.20.74:80&amp;#34;
EOF
&lt;/code>&lt;/pre>
&lt;p>Note the URL path in the log, the path can be monitored and access policies can be applied based on it. To read more
about monitoring and access policies for HTTP egress traffic, check out &lt;a href="https://archive.istio.io/v0.8/blog/2018/egress-monitoring-access-control/#logging">this blog post&lt;/a>.&lt;/p>&lt;/li>
&lt;/ol>
&lt;h3 id="cleanup-of-tls-origination-to-a-google-books-web-service">Cleanup of TLS origination to a Google Books web service&lt;/h3>
&lt;div>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml'>Zip&lt;/a>&lt;a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.5/samples/bookinfo/networking/virtual-service-details-v2.yaml'>Zip&lt;/a>&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry googleapis
$ kubectl delete virtualservice rewrite-port-for-googleapis
$ kubectl delete destinationrule originate-tls-for-googleapis
$ kubectl delete -f @samples/bookinfo/networking/virtual-service-details-v2.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-details-v2.yaml@
&lt;/code>&lt;/pre>&lt;/div>
&lt;h3 id="relation-to-istio-mutual-tls">Relation to Istio mutual TLS&lt;/h3>
&lt;p>Note that the TLS origination in this case is unrelated to
&lt;a href="/v1.5/docs/concepts/security/#mutual-tls-authentication">the mutual TLS&lt;/a> applied by Istio. The TLS origination for the
external services will work, whether the Istio mutual TLS is enabled or not. The &lt;strong>mutual&lt;/strong> TLS secures
service-to-service communication &lt;strong>inside&lt;/strong> the service mesh and provides each service with a strong identity. The
&lt;strong>external services&lt;/strong> in this blog post were accessed using &lt;strong>one-way TLS&lt;/strong>, the same mechanism used to secure communication between a
web browser and a web server. TLS is applied to the communication with external services to verify the identity of the
external server and to encrypt the traffic.&lt;/p>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>In this blog post I demonstrated how microservices in an Istio service mesh can consume external web services by
HTTPS. By default, Istio blocks all the traffic to the hosts outside the cluster. To enable such traffic, mesh-external
service entries must be created for the service mesh. It is possible to access the external sites either by
issuing HTTPS requests, or by issuing HTTP requests with Istio performing TLS origination. When the microservices issue
HTTPS requests, the traffic is encrypted end-to-end, however Istio cannot monitor HTTP details like the URL paths of the
requests. When the microservices issue HTTP requests, Istio can monitor the HTTP details of the requests and enforce
HTTP-based access policies. However, in that case the traffic between microservice and the sidecar proxy is unencrypted.
Having part of the traffic unencrypted can be forbidden in organizations with very strict security requirements.&lt;/p></description><pubDate>Wed, 31 Jan 2018 00:00:00 +0000</pubDate><link>/v1.5/blog/2018/egress-https/</link><author>Vadim Eisenberg</author><guid isPermaLink="true">/v1.5/blog/2018/egress-https/</guid><category>traffic-management</category><category>egress</category><category>https</category></item><item><title>Mixer and the SPOF Myth</title><description>
&lt;p>As &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/">Mixer&lt;/a> is in the request path, it is natural to question how it impacts
overall system availability and latency. A common refrain we hear when people first glance at Istio architecture diagrams is
&amp;ldquo;Isn&amp;rsquo;t this just introducing a single point of failure?&amp;rdquo;&lt;/p>
&lt;p>In this post, well dig deeper and cover the design principles that underpin Mixer and the surprising fact Mixer actually
increases overall mesh availability and reduces average request latency.&lt;/p>
&lt;p>Istio&amp;rsquo;s use of Mixer has two main benefits in terms of overall system availability and latency:&lt;/p>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Increased SLO&lt;/strong>. Mixer insulates proxies and services from infrastructure backend failures, enabling higher effective mesh availability. The mesh as a whole tends to experience a lower rate of failure when interacting with the infrastructure backends than if Mixer were not present.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Reduced Latency&lt;/strong>. Through aggressive use of shared multi-level caches and sharding, Mixer reduces average observed latencies across the mesh.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>We&amp;rsquo;ll explain this in more detail below.&lt;/p>
&lt;h2 id="how-we-got-here">How we got here&lt;/h2>
&lt;p>For many years at Google, weve been using an internal API &amp;amp; service management system to handle the many APIs exposed by Google. This system has been fronting the worlds biggest services (Google Maps, YouTube, Gmail, etc) and sustains a peak rate of hundreds of millions of QPS. Although this system has served us well, it had problems keeping up with Googles rapid growth, and it became clear that a new architecture was needed in order to tamp down ballooning operational costs.&lt;/p>
&lt;p>In 2014, we started an initiative to create a replacement architecture that would scale better. The result has proven extremely successful and has been gradually deployed throughout Google, saving in the process millions of dollars a month in ops costs.&lt;/p>
&lt;p>The older system was built around a centralized fleet of fairly heavy proxies into which all incoming traffic would flow, before being forwarded to the services where the real work was done. The newer architecture jettisons the shared proxy design and instead consists of a very lean and efficient distributed sidecar proxy sitting next to service instances, along with a shared fleet of sharded control plane intermediaries:&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:74.79295535770372%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2017/mixer-spof-myth/mixer-spof-myth-1.svg" title="Google System Topology">
&lt;img class="element-to-stretch" src="/v1.5/blog/2017/mixer-spof-myth/mixer-spof-myth-1.svg" alt="Google System Topology" />
&lt;/a>
&lt;/div>
&lt;figcaption>Google&amp;#39;s API &amp;amp; Service Management System&lt;/figcaption>
&lt;/figure>
&lt;p>Look familiar? Of course: its just like Istio! Istio was conceived as a second generation of this distributed proxy architecture. We took the core lessons from this internal system, generalized many of the concepts by working with our partners, and created Istio.&lt;/p>
&lt;h2 id="architecture-recap">Architecture recap&lt;/h2>
&lt;p>As shown in the diagram below, Mixer sits between the mesh and the infrastructure backends that support it:&lt;/p>
&lt;figure style="width:75%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:65.89948886170049%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2017/mixer-spof-myth/mixer-spof-myth-2.svg" title="Istio Topology">
&lt;img class="element-to-stretch" src="/v1.5/blog/2017/mixer-spof-myth/mixer-spof-myth-2.svg" alt="Istio Topology" />
&lt;/a>
&lt;/div>
&lt;figcaption>Istio Topology&lt;/figcaption>
&lt;/figure>
&lt;p>The Envoy sidecar logically calls Mixer before each request to perform precondition checks, and after each request to report telemetry.
The sidecar has local caching such that a relatively large percentage of precondition checks can be performed from cache. Additionally, the
sidecar buffers outgoing telemetry such that it only actually needs to call Mixer once for every several thousands requests. Whereas precondition
checks are synchronous to request processing, telemetry reports are done asynchronously with a fire-and-forget pattern.&lt;/p>
&lt;p>At a high level, Mixer provides:&lt;/p>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Backend Abstraction&lt;/strong>. Mixer insulates the Istio components and services within the mesh from the implementation details of individual infrastructure backends.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Intermediation&lt;/strong>. Mixer allows operators to have fine-grained control over all interactions between the mesh and the infrastructure backends.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>However, even beyond these purely functional aspects, Mixer has other characteristics that provide the system with additional benefits.&lt;/p>
&lt;h2 id="mixer-slo-booster">Mixer: SLO booster&lt;/h2>
&lt;p>Contrary to the claim that Mixer is a SPOF and can therefore lead to mesh outages, we believe it in fact improves the effective availability of a mesh. How can that be? There are three basic characteristics at play:&lt;/p>
&lt;ul>
&lt;li>&lt;p>&lt;strong>Statelessness&lt;/strong>. Mixer is stateless in that it doesnt manage any persistent storage of its own.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Hardening&lt;/strong>. Mixer proper is designed to be a highly reliable component. The design intent is to achieve &amp;gt; 99.999% uptime for any individual Mixer instance.&lt;/p>&lt;/li>
&lt;li>&lt;p>&lt;strong>Caching and Buffering&lt;/strong>. Mixer is designed to accumulate a large amount of transient ephemeral state.&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>The sidecar proxies that sit next to each service instance in the mesh must necessarily be frugal in terms of memory consumption, which constrains the possible amount of local caching and buffering. Mixer, however, lives independently and can use considerably larger caches and output buffers. Mixer thus acts as a highly-scaled and highly-available second-level cache for the sidecars.&lt;/p>
&lt;p>Mixers expected availability is considerably higher than most infrastructure backends (those often have availability of perhaps 99.9%). Its local caches and buffers help mask infrastructure backend failures by being able to continue operating even when a backend has become unresponsive.&lt;/p>
&lt;h2 id="mixer-latency-slasher">Mixer: Latency slasher&lt;/h2>
&lt;p>As we explained above, the Istio sidecars generally have fairly effective first-level caching. They can serve the majority of their traffic from cache. Mixer provides a much greater shared pool of second-level cache, which helps Mixer contribute to a lower average per-request latency.&lt;/p>
&lt;p>While its busy cutting down latency, Mixer is also inherently cutting down the number of calls your mesh makes to infrastructure backends. Depending on how youre paying for these backends, this might end up saving you some cash by cutting down the effective QPS to the backends.&lt;/p>
&lt;h2 id="work-ahead">Work ahead&lt;/h2>
&lt;p>We have opportunities ahead to continue improving the system in many ways.&lt;/p>
&lt;h3 id="configuration-canaries">Configuration canaries&lt;/h3>
&lt;p>Mixer is highly scaled so it is generally resistant to individual instance failures. However, Mixer is still susceptible to cascading
failures in the case when a poison configuration is deployed which causes all Mixer instances to crash basically at the same time
(yeah, that would be a bad day). To prevent this from happening, configuration changes can be canaried to a small set of Mixer instances,
and then more broadly rolled out.&lt;/p>
&lt;p>Mixer doesnt yet do canarying of configuration changes, but we expect this to come online as part of Istios ongoing work on reliable
configuration distribution.&lt;/p>
&lt;h3 id="cache-tuning">Cache tuning&lt;/h3>
&lt;p>We have yet to fine-tune the sizes of the sidecar and Mixer caches. This work will focus on achieving the highest performance possible using the least amount of resources.&lt;/p>
&lt;h3 id="cache-sharing">Cache sharing&lt;/h3>
&lt;p>At the moment, each Mixer instance operates independently of all other instances. A request handled by one Mixer instance will not leverage data cached in a different instance. We will eventually experiment with a distributed cache such as memcached or Redis in order to provide a much larger mesh-wide shared cache, and further reduce the number of calls to infrastructure backends.&lt;/p>
&lt;h3 id="sharding">Sharding&lt;/h3>
&lt;p>In very large meshes, the load on Mixer can be great. There can be a large number of Mixer instances, each straining to keep caches primed to
satisfy incoming traffic. We expect to eventually introduce intelligent sharding such that Mixer instances become slightly specialized in
handling particular data streams in order to increase the likelihood of cache hits. In other words, sharding helps improve cache
efficiency by routing related traffic to the same Mixer instance over time, rather than randomly dispatching to
any available Mixer instance.&lt;/p>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>Practical experience at Google showed that the model of a slim sidecar proxy and a large shared caching control plane intermediary hits a sweet
spot, delivering excellent perceived availability and latency. Weve taken the lessons learned there and applied them to create more sophisticated and
effective caching, prefetching, and buffering strategies in Istio. Weve also optimized the communication protocols to reduce overhead when a cache miss does occur.&lt;/p>
&lt;p>Mixer is still young. As of Istio 0.3, we havent really done significant performance work within Mixer itself. This means when a request misses the sidecar
cache, we spend more time in Mixer to respond to requests than we should. Were doing a lot of work to improve this in coming months to reduce the overhead
that Mixer imparts in the synchronous precondition check case.&lt;/p>
&lt;p>We hope this post makes you appreciate the inherent benefits that Mixer brings to Istio.
Dont hesitate to post comments or questions to &lt;a href="https://groups.google.com/forum/#!forum/istio-policies-and-telemetry">istio-policies-and-telemetry@&lt;/a>.&lt;/p></description><pubDate>Thu, 07 Dec 2017 00:00:00 +0000</pubDate><link>/v1.5/blog/2017/mixer-spof-myth/</link><author>Martin Taillefer</author><guid isPermaLink="true">/v1.5/blog/2017/mixer-spof-myth/</guid><category>adapters</category><category>mixer</category><category>policies</category><category>telemetry</category><category>availability</category><category>latency</category></item><item><title>Mixer Adapter Model</title><description>
&lt;p>Istio 0.2 introduced a new Mixer adapter model which is intended to increase Mixers flexibility to address a varied set of infrastructure backends. This post intends to put the adapter model in context and explain how it works.&lt;/p>
&lt;h2 id="why-adapters">Why adapters?&lt;/h2>
&lt;p>Infrastructure backends provide support functionality used to build services. They include such things as access control systems, telemetry capturing systems, quota enforcement systems, billing systems, and so forth. Services traditionally directly integrate with these backend systems, creating a hard coupling and baking-in specific semantics and usage options.&lt;/p>
&lt;p>Mixer serves as an abstraction layer between Istio and an open-ended set of infrastructure backends. The Istio components and services that run within the mesh can interact with these backends, while not being coupled to the backends specific interfaces.&lt;/p>
&lt;p>In addition to insulating application-level code from the details of infrastructure backends, Mixer provides an intermediation model that allows operators to inject and control policies between application code and backends. Operators can control which data is reported to which backend, which backend to consult for authorization, and much more.&lt;/p>
&lt;p>Given that individual infrastructure backends each have different interfaces and operational models, Mixer needs custom
code to deal with each and we call these custom bundles of code &lt;a href="https://github.com/istio/istio/wiki/Mixer-Compiled-In-Adapter-Dev-Guide">&lt;em>adapters&lt;/em>&lt;/a>.&lt;/p>
&lt;p>Adapters are Go packages that are directly linked into the Mixer binary. Its fairly simple to create custom Mixer binaries linked with specialized sets of adapters, in case the default set of adapters is not sufficient for specific use cases.&lt;/p>
&lt;h2 id="philosophy">Philosophy&lt;/h2>
&lt;p>Mixer is essentially an attribute processing and routing machine. The proxy sends it &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/#attributes">attributes&lt;/a> as part of doing precondition checks and telemetry reports, which it turns into a series of calls into adapters. The operator supplies configuration which describes how to map incoming attributes to inputs for the adapters.&lt;/p>
&lt;figure style="width:60%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:42.60859894197215%">
&lt;a data-skipendnotes="true" href="/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/machine.svg" title="Attribute Machine">
&lt;img class="element-to-stretch" src="/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/machine.svg" alt="Attribute Machine" />
&lt;/a>
&lt;/div>
&lt;figcaption>Attribute Machine&lt;/figcaption>
&lt;/figure>
&lt;p>Configuration is a complex task. In fact, evidence shows that the overwhelming majority of service outages are caused by configuration errors. To help combat this, Mixers configuration model enforces a number of constraints designed to avoid errors. For example, the configuration model uses strong typing to ensure that only meaningful attributes or attribute expressions are used in any given context.&lt;/p>
&lt;h2 id="handlers-configuring-adapters">Handlers: configuring adapters&lt;/h2>
&lt;p>Each adapter that Mixer uses requires some configuration to operate. Typically, adapters need things like the URL to their backend, credentials, caching options, and so forth. Each adapter defines the exact configuration data it needs via a &lt;a href="https://developers.google.com/protocol-buffers/">protobuf&lt;/a> message.&lt;/p>
&lt;p>You configure each adapter by creating &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/#handlers">&lt;em>handlers&lt;/em>&lt;/a> for them. A handler is a
configuration resource which represents a fully configured adapter ready for use. There can be any number of handlers for a single adapter, making it possible to reuse an adapter in different scenarios.&lt;/p>
&lt;h2 id="templates-adapter-input-schema">Templates: adapter input schema&lt;/h2>
&lt;p>Mixer is typically invoked twice for every incoming request to a mesh service, once for precondition checks and once for telemetry reporting. For every such call, Mixer invokes one or more adapters. Different adapters need different pieces of data as input in order to do their work. A logging adapter needs a log entry, a metric adapter needs a metric, an authorization adapter needs credentials, etc.
Mixer &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/templates/">&lt;em>templates&lt;/em>&lt;/a> are used to describe the exact data that an adapter consumes at request time.&lt;/p>
&lt;p>Each template is specified as a &lt;a href="https://developers.google.com/protocol-buffers/">protobuf&lt;/a> message. A single template describes a bundle of data that is delivered to one or more adapters at runtime. Any given adapter can be designed to support any number of templates, the specific templates the adapter supports is determined by the adapter developer.&lt;/p>
&lt;p>&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/templates/metric/">&lt;code>metric&lt;/code>&lt;/a> and &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/templates/logentry/">&lt;code>logentry&lt;/code>&lt;/a> are two of the most essential templates used within Istio. They represent respectively the payload to report a single metric and a single log entry to appropriate backends.&lt;/p>
&lt;h2 id="instances-attribute-mapping">Instances: attribute mapping&lt;/h2>
&lt;p>You control which data is delivered to individual adapters by creating
&lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/#instances">&lt;em>instances&lt;/em>&lt;/a>.
Instances control how Mixer uses the &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/#attributes">attributes&lt;/a> delivered
by the proxy into individual bundles of data that can be routed to different adapters.&lt;/p>
&lt;p>Creating instances generally requires using &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/expression-language/">attribute expressions&lt;/a>. The point of these expressions is to use any attribute or literal value in order to produce a result that can be assigned to an instances field.&lt;/p>
&lt;p>Every instance field has a type, as defined in the template, every attribute has a
&lt;a href="https://github.com/istio/api/blob/release-1.5/policy/v1beta1/value_type.proto">type&lt;/a>, and every attribute expression has a type.
You can only assign type-compatible expressions to any given instance fields. For example, you cant assign an integer expression
to a string field. This kind of strong typing is designed to minimize the risk of creating bogus configurations.&lt;/p>
&lt;h2 id="rules-delivering-data-to-adapters">Rules: delivering data to adapters&lt;/h2>
&lt;p>The last piece to the puzzle is telling Mixer which instances to send to which handler and when. This is done by
creating &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/#rules">&lt;em>rules&lt;/em>&lt;/a>. Each rule identifies a specific handler and the set of
instances to send to that handler. Whenever Mixer processes an incoming call, it invokes the indicated handler and gives it the specific set of instances for processing.&lt;/p>
&lt;p>Rules contain matching predicates. A predicate is an attribute expression which returns a true/false value. A rule only takes effect if its predicate expression returns true. Otherwise, its like the rule didnt exist and the indicated handler isnt invoked.&lt;/p>
&lt;h2 id="future">Future&lt;/h2>
&lt;p>We are working to improve the end to end experience of using and developing adapters. For example, several new features are planned to make templates more expressive. Additionally, the expression language is being substantially enhanced to be more powerful and well-rounded.&lt;/p>
&lt;p>Longer term, we are evaluating ways to support adapters which arent directly linked into the main Mixer binary. This would simplify deployment and composition.&lt;/p>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>The refreshed Mixer adapter model is designed to provide a flexible framework to support an open-ended set of infrastructure backends.&lt;/p>
&lt;p>Handlers provide configuration data for individual adapters, templates determine exactly what kind of data different adapters want to consume at runtime, instances let operators prepare this data, rules direct the data to one or more handlers.&lt;/p>
&lt;p>You can learn more about Mixer&amp;rsquo;s overall architecture &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/">here&lt;/a>, and learn the specifics of templates, handlers,
and rules &lt;a href="/v1.5/docs/reference/config/policy-and-telemetry">here&lt;/a>. You can find many examples of Mixer configuration resources in the Bookinfo sample
&lt;a href="https://github.com/istio/istio/tree/release-1.5/samples/bookinfo">here&lt;/a>.&lt;/p></description><pubDate>Fri, 03 Nov 2017 00:00:00 +0000</pubDate><link>/v1.5/blog/2017/adapter-model/</link><author>Martin Taillefer</author><guid isPermaLink="true">/v1.5/blog/2017/adapter-model/</guid><category>adapters</category><category>mixer</category><category>policies</category><category>telemetry</category></item><item><title>Using Network Policy with Istio</title><description>
&lt;p>The use of Network Policy to secure applications running on Kubernetes is a now a widely accepted industry best practice. Given that Istio also supports policy, we want to spend some time explaining how Istio policy and Kubernetes Network Policy interact and support each other to deliver your application securely.&lt;/p>
&lt;p>Lets start with the basics: why might you want to use both Istio and Kubernetes Network Policy? The short answer is that they are good at different things. Consider the main differences between Istio and Network Policy (we will describe &amp;ldquo;typical” implementations, e.g. Calico, but implementation details can vary with different network providers):&lt;/p>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>&lt;/th>
&lt;th>Istio Policy&lt;/th>
&lt;th>Network Policy&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;strong>Layer&lt;/strong>&lt;/td>
&lt;td>&amp;ldquo;Service&amp;rdquo; &amp;mdash; L7&lt;/td>
&lt;td>&amp;ldquo;Network&amp;rdquo; &amp;mdash; L3-4&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Implementation&lt;/strong>&lt;/td>
&lt;td>User space&lt;/td>
&lt;td>Kernel&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Enforcement Point&lt;/strong>&lt;/td>
&lt;td>Pod&lt;/td>
&lt;td>Node&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="layer">Layer&lt;/h2>
&lt;p>Istio policy operates at the &amp;ldquo;service” layer of your network application. This is Layer 7 (Application) from the perspective of the OSI model, but the de facto model of cloud native applications is that Layer 7 actually consists of at least two layers: a service layer and a content layer. The service layer is typically HTTP, which encapsulates the actual application data (the content layer). It is at this service layer of HTTP that the Istios Envoy proxy operates. In contrast, Network Policy operates at Layers 3 (Network) and 4 (Transport) in the OSI model.&lt;/p>
&lt;p>Operating at the service layer gives the Envoy proxy a rich set of attributes to base policy decisions on, for protocols it understands, which at present includes HTTP/1.1 &amp;amp; HTTP/2 (gRPC operates over HTTP/2). So, you can apply policy based on virtual host, URL, or other HTTP headers. In the future, Istio will support a wide range of Layer 7 protocols, as well as generic TCP and UDP transport.&lt;/p>
&lt;p>In contrast, operating at the network layer has the advantage of being universal, since all network applications use IP. At the network layer you can apply policy regardless of the layer 7 protocol: DNS, SQL databases, real-time streaming, and a plethora of other services that do not use HTTP can be secured. Network Policy isnt limited to a classic firewalls tuple of IP addresses, proto, and ports. Both Istio and Network Policy are aware of rich Kubernetes labels to describe pod endpoints.&lt;/p>
&lt;h2 id="implementation">Implementation&lt;/h2>
&lt;p>The Istios proxy is based on &lt;a href="https://envoyproxy.github.io/envoy/">Envoy&lt;/a>, which is implemented as a user space daemon in the data plane that
interacts with the network layer using standard sockets. This gives it a large amount of flexibility in processing, and allows it to be
distributed (and upgraded!) in a container.&lt;/p>
&lt;p>Network Policy data plane is typically implemented in kernel space (e.g. using iptables, eBPF filters, or even custom kernel modules). Being in kernel space
allows them to be extremely fast, but not as flexible as the Envoy proxy.&lt;/p>
&lt;h2 id="enforcement-point">Enforcement point&lt;/h2>
&lt;p>Policy enforcement using the Envoy proxy is implemented inside the pod, as a sidecar container in the same network namespace. This allows a simple deployment model. Some containers are given permission to reconfigure the networking inside their pod (&lt;code>CAP_NET_ADMIN&lt;/code>). If such a service instance is compromised, or misbehaves (as in a malicious tenant) the proxy can be bypassed.&lt;/p>
&lt;p>While this wont let an attacker access other Istio-enabled pods, so long as they are correctly configured, it opens several attack vectors:&lt;/p>
&lt;ul>
&lt;li>Attacking unprotected pods&lt;/li>
&lt;li>Attempting to deny service to protected pods by sending lots of traffic&lt;/li>
&lt;li>Exfiltrating data collected in the pod&lt;/li>
&lt;li>Attacking the cluster infrastructure (servers or Kubernetes services)&lt;/li>
&lt;li>Attacking services outside the mesh, like databases, storage arrays, or legacy systems.&lt;/li>
&lt;/ul>
&lt;p>Network Policy is typically enforced at the host node, outside the network namespace of the guest pods. This means that compromised or misbehaving pods must break into the root namespace to avoid enforcement. With the addition of egress policy due in Kubernetes 1.8, this difference makes Network Policy a key part of protecting your infrastructure from compromised workloads.&lt;/p>
&lt;h2 id="examples">Examples&lt;/h2>
&lt;p>Lets walk through a few examples of what you might want to do with Kubernetes Network Policy for an Istio-enabled application. Consider the Bookinfo sample application. Were going to cover the following use cases for Network Policy:&lt;/p>
&lt;ul>
&lt;li>Reduce attack surface of the application ingress&lt;/li>
&lt;li>Enforce fine-grained isolation within the application&lt;/li>
&lt;/ul>
&lt;h3 id="reduce-attack-surface-of-the-application-ingress">Reduce attack surface of the application ingress&lt;/h3>
&lt;p>Our application ingress controller is the main entry-point to our application from the outside world. A quick peek at &lt;code>istio.yaml&lt;/code> (used to install Istio) defines the Istio ingress like this:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
kind: Service
metadata:
name: istio-ingress
labels:
istio: ingress
spec:
type: LoadBalancer
ports:
- port: 80
name: http
- port: 443
name: https
selector:
istio: ingress
&lt;/code>&lt;/pre>
&lt;p>The &lt;code>istio-ingress&lt;/code> exposes ports 80 and 443. Lets limit incoming traffic to just these two ports. Envoy has a &lt;a href="https://www.envoyproxy.io/docs/envoy/latest/operations/admin.html#operations-admin-interface">built-in administrative interface&lt;/a>, and we dont want a misconfigured &lt;code>istio-ingress&lt;/code> image to accidentally expose our admin interface to the outside world. This is an example of defense in depth: a properly configured image should not expose the interface, and a properly configured Network Policy will prevent anyone from connecting to it. Either can fail or be misconfigured and we are still protected.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: istio-ingress-lockdown
namespace: default
spec:
podSelector:
matchLabels:
istio: ingress
ingress:
- ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
&lt;/code>&lt;/pre>
&lt;h3 id="enforce-fine-grained-isolation-within-the-application">Enforce fine-grained isolation within the application&lt;/h3>
&lt;p>Here is the service graph for the Bookinfo application.&lt;/p>
&lt;figure style="width:80%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.086918235567985%">
&lt;a data-skipendnotes="true" href="/v1.5/docs/examples/bookinfo/withistio.svg" title="Bookinfo Service Graph">
&lt;img class="element-to-stretch" src="/v1.5/docs/examples/bookinfo/withistio.svg" alt="Bookinfo Service Graph" />
&lt;/a>
&lt;/div>
&lt;figcaption>Bookinfo Service Graph&lt;/figcaption>
&lt;/figure>
&lt;p>This graph shows every connection that a correctly functioning application should be allowed to make. All other connections, say from the Istio Ingress directly to the Rating service, are not part of the application. Lets lock out those extraneous connections so they cannot be used by an attacker. Imagine, for example, that the Ingress pod is compromised by an exploit that allows an attacker to run arbitrary code. If we only allow connections to the Product Page pods using Network Policy, the attacker has gained no more access to my application backends &lt;em>even though they have compromised a member of the service mesh&lt;/em>.&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: product-page-ingress
namespace: default
spec:
podSelector:
matchLabels:
app: productpage
ingress:
- ports:
- protocol: TCP
port: 9080
from:
- podSelector:
matchLabels:
istio: ingress
&lt;/code>&lt;/pre>
&lt;p>You can and should write a similar policy for each service to enforce which other pods are allowed to access each.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>Our take is that Istio and Network Policy have different strengths in applying policy. Istio is application-protocol aware and highly flexible, making it ideal for applying policy in support of operational goals, like service routing, retries, circuit-breaking, etc, and for security that operates at the application layer, such as token validation. Network Policy is universal, highly efficient, and isolated from the pods, making it ideal for applying policy in support of network security goals. Furthermore, having policy that operates at different layers of the network stack is a really good thing as it gives each layer specific context without commingling of state and allows separation of responsibility.&lt;/p>
&lt;p>This post is based on the three part blog series by Spike Curtis, one of the Istio team members at Tigera. The full series can be found here: &lt;a href="https://www.projectcalico.org/using-network-policy-in-concert-with-istio/">https://www.projectcalico.org/using-network-policy-in-concert-with-istio/&lt;/a>&lt;/p></description><pubDate>Thu, 10 Aug 2017 00:00:00 +0000</pubDate><link>/v1.5/blog/2017/0.1-using-network-policy/</link><author>Spike Curtis</author><guid isPermaLink="true">/v1.5/blog/2017/0.1-using-network-policy/</guid></item><item><title>Canary Deployments using Istio</title><description>
&lt;div>
&lt;aside class="callout tip">
&lt;div class="type">&lt;svg class="large-icon">&lt;use xlink:href="/v1.5/img/icons.svg#callout-tip"/>&lt;/svg>&lt;/div>
&lt;div class="content">This post was updated on May 16, 2018 to use the latest version of the traffic management model.&lt;/div>
&lt;/aside>
&lt;/div>
&lt;p>One of the benefits of the &lt;a href="/v1.5/">Istio&lt;/a> project is that it provides the control needed to deploy canary services. The idea behind
canary deployment (or rollout) is to introduce a new version of a service by first testing it using a small percentage of user
traffic, and then if all goes well, increase, possibly gradually in increments, the percentage while simultaneously phasing out
the old version. If anything goes wrong along the way, we abort and rollback to the previous version. In its simplest form,
the traffic sent to the canary version is a randomly selected percentage of requests, but in more sophisticated schemes it
can be based on the region, user, or other properties of the request.&lt;/p>
&lt;p>Depending on your level of expertise in this area, you may wonder why Istio&amp;rsquo;s support for canary deployment is even needed, given that platforms like Kubernetes already provide a way to do &lt;a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment">version rollout&lt;/a> and &lt;a href="https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#canary-deployments">canary deployment&lt;/a>. Problem solved, right? Well, not exactly. Although doing a rollout this way works in simple cases, its very limited, especially in large scale cloud environments receiving lots of (and especially varying amounts of) traffic, where autoscaling is needed.&lt;/p>
&lt;h2 id="canary-deployment-in-kubernetes">Canary deployment in Kubernetes&lt;/h2>
&lt;p>As an example, let&amp;rsquo;s say we have a deployed service, &lt;strong>helloworld&lt;/strong> version &lt;strong>v1&lt;/strong>, for which we would like to test (or simply rollout) a new version, &lt;strong>v2&lt;/strong>. Using Kubernetes, you can rollout a new version of the &lt;strong>helloworld&lt;/strong> service by simply updating the image in the services corresponding &lt;a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/">Deployment&lt;/a> and letting the &lt;a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment">rollout&lt;/a> happen automatically. If we take particular care to ensure that there are enough &lt;strong>v1&lt;/strong> replicas running when we start and &lt;a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#pausing-and-resuming-a-deployment">pause&lt;/a> the rollout after only one or two &lt;strong>v2&lt;/strong> replicas have been started, we can keep the canarys effect on the system very small. We can then observe the effect before deciding to proceed or, if necessary, &lt;a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-back-a-deployment">rollback&lt;/a>. Best of all, we can even attach a &lt;a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#scaling-a-deployment">horizontal pod autoscaler&lt;/a> to the Deployment and it will keep the replica ratios consistent if, during the rollout process, it also needs to scale replicas up or down to handle traffic load.&lt;/p>
&lt;p>Although fine for what it does, this approach is only useful when we have a properly tested version that we want to deploy, i.e., more of a blue/green, a.k.a. red/black, kind of upgrade than a &amp;ldquo;dip your feet in the water&amp;rdquo; kind of canary deployment. In fact, for the latter (for example, testing a canary version that may not even be ready or intended for wider exposure), the canary deployment in Kubernetes would be done using two Deployments with &lt;a href="https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#using-labels-effectively">common pod labels&lt;/a>. In this case, we cant use autoscaling anymore because its now being done by two independent autoscalers, one for each Deployment, so the replica ratios (percentages) may vary from the desired ratio, depending purely on load.&lt;/p>
&lt;p>Whether we use one deployment or two, canary management using deployment features of container orchestration platforms like Docker, Mesos/Marathon, or Kubernetes has a fundamental problem: the use of instance scaling to manage the traffic; traffic version distribution and replica deployment are not independent in these systems. All replica pods, regardless of version, are treated the same in the &lt;code>kube-proxy&lt;/code> round-robin pool, so the only way to manage the amount of traffic that a particular version receives is by controlling the replica ratio. Maintaining canary traffic at small percentages requires many replicas (e.g., 1% would require a minimum of 100 replicas). Even if we ignore this problem, the deployment approach is still very limited in that it only supports the simple (random percentage) canary approach. If, instead, we wanted to limit the visibility of the canary to requests based on some specific criteria, we still need another solution.&lt;/p>
&lt;h2 id="enter-istio">Enter Istio&lt;/h2>
&lt;p>With Istio, traffic routing and replica deployment are two completely independent functions. The number of pods implementing services are free to scale up and down based on traffic load, completely orthogonal to the control of version traffic routing. This makes managing a canary version in the presence of autoscaling a much simpler problem. Autoscalers may, in fact, respond to load variations resulting from traffic routing changes, but they are nevertheless functioning independently and no differently than when loads change for other reasons.&lt;/p>
&lt;p>Istios &lt;a href="/v1.5/docs/concepts/traffic-management/#routing-rules">routing rules&lt;/a> also provide other important advantages; you can easily control
fine-grained traffic percentages (e.g., route 1% of traffic without requiring 100 pods) and you can control traffic using other criteria (e.g., route traffic for specific users to the canary version). To illustrate, lets look at deploying the &lt;strong>helloworld&lt;/strong> service and see how simple the problem becomes.&lt;/p>
&lt;p>We begin by defining the &lt;strong>helloworld&lt;/strong> Service, just like any other Kubernetes service, something like this:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
kind: Service
metadata:
name: helloworld
labels:
app: helloworld
spec:
selector:
app: helloworld
...
&lt;/code>&lt;/pre>
&lt;p>We then add 2 Deployments, one for each version (&lt;strong>v1&lt;/strong> and &lt;strong>v2&lt;/strong>), both of which include the service selectors &lt;code>app: helloworld&lt;/code> label:&lt;/p>
&lt;pre>&lt;code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-v1
spec:
replicas: 1
template:
metadata:
labels:
app: helloworld
version: v1
spec:
containers:
- image: helloworld-v1
...
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-v2
spec:
replicas: 1
template:
metadata:
labels:
app: helloworld
version: v2
spec:
containers:
- image: helloworld-v2
...
&lt;/code>&lt;/pre>
&lt;p>Note that this is exactly the same way we would do a &lt;a href="https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#canary-deployments">canary deployment&lt;/a> using plain Kubernetes, but in that case we would need to adjust the number of replicas of each Deployment to control the distribution of traffic. For example, to send 10% of the traffic to the canary version (&lt;strong>v2&lt;/strong>), the replicas for &lt;strong>v1&lt;/strong> and &lt;strong>v2&lt;/strong> could be set to 9 and 1, respectively.&lt;/p>
&lt;p>However, since we are going to deploy the service in an &lt;a href="/v1.5/docs/setup/">Istio enabled&lt;/a> cluster, all we need to do is set a routing
rule to control the traffic distribution. For example if we want to send 10% of the traffic to the canary, we could use &lt;code>kubectl&lt;/code>
to set a routing rule something like this:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld
spec:
hosts:
- helloworld
http:
- route:
- destination:
host: helloworld
subset: v1
weight: 90
- destination:
host: helloworld
subset: v2
weight: 10
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: helloworld
spec:
host: helloworld
subsets:
- name: v1
labels:
version: v1
- name: v2
labels:
version: v2
EOF
&lt;/code>&lt;/pre>
&lt;p>After setting this rule, Istio will ensure that only one tenth of the requests will be sent to the canary version, regardless of how many replicas of each version are running.&lt;/p>
&lt;h2 id="autoscaling-the-deployments">Autoscaling the deployments&lt;/h2>
&lt;p>Because we dont need to maintain replica ratios anymore, we can safely add Kubernetes &lt;a href="https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/">horizontal pod autoscalers&lt;/a> to manage the replicas for both version Deployments:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl autoscale deployment helloworld-v1 --cpu-percent=50 --min=1 --max=10
deployment &amp;#34;helloworld-v1&amp;#34; autoscaled
&lt;/code>&lt;/pre>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl autoscale deployment helloworld-v2 --cpu-percent=50 --min=1 --max=10
deployment &amp;#34;helloworld-v2&amp;#34; autoscaled
&lt;/code>&lt;/pre>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get hpa
NAME REFERENCE TARGET CURRENT MINPODS MAXPODS AGE
Helloworld-v1 Deployment/helloworld-v1 50% 47% 1 10 17s
Helloworld-v2 Deployment/helloworld-v2 50% 40% 1 10 15s
&lt;/code>&lt;/pre>
&lt;p>If we now generate some load on the &lt;strong>helloworld&lt;/strong> service, we would notice that when scaling begins, the &lt;strong>v1&lt;/strong> autoscaler will scale up its replicas significantly higher than the &lt;strong>v2&lt;/strong> autoscaler will for its replicas because &lt;strong>v1&lt;/strong> pods are handling 90% of the load.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods | grep helloworld
helloworld-v1-3523621687-3q5wh 0/2 Pending 0 15m
helloworld-v1-3523621687-73642 2/2 Running 0 11m
helloworld-v1-3523621687-7hs31 2/2 Running 0 19m
helloworld-v1-3523621687-dt7n7 2/2 Running 0 50m
helloworld-v1-3523621687-gdhq9 2/2 Running 0 11m
helloworld-v1-3523621687-jxs4t 0/2 Pending 0 15m
helloworld-v1-3523621687-l8rjn 2/2 Running 0 19m
helloworld-v1-3523621687-wwddw 2/2 Running 0 15m
helloworld-v1-3523621687-xlt26 0/2 Pending 0 19m
helloworld-v2-4095161145-963wt 2/2 Running 0 50m
&lt;/code>&lt;/pre>
&lt;p>If we then change the routing rule to send 50% of the traffic to &lt;strong>v2&lt;/strong>, we should, after a short delay, notice that the &lt;strong>v1&lt;/strong> autoscaler will scale down the replicas of &lt;strong>v1&lt;/strong> while the &lt;strong>v2&lt;/strong> autoscaler will perform a corresponding scale up.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods | grep helloworld
helloworld-v1-3523621687-73642 2/2 Running 0 35m
helloworld-v1-3523621687-7hs31 2/2 Running 0 43m
helloworld-v1-3523621687-dt7n7 2/2 Running 0 1h
helloworld-v1-3523621687-gdhq9 2/2 Running 0 35m
helloworld-v1-3523621687-l8rjn 2/2 Running 0 43m
helloworld-v2-4095161145-57537 0/2 Pending 0 21m
helloworld-v2-4095161145-9322m 2/2 Running 0 21m
helloworld-v2-4095161145-963wt 2/2 Running 0 1h
helloworld-v2-4095161145-c3dpj 0/2 Pending 0 21m
helloworld-v2-4095161145-t2ccm 0/2 Pending 0 17m
helloworld-v2-4095161145-v3v9n 0/2 Pending 0 13m
&lt;/code>&lt;/pre>
&lt;p>The end result is very similar to the simple Kubernetes Deployment rollout, only now the whole process is not being orchestrated and managed in one place. Instead, were seeing several components doing their jobs independently, albeit in a cause and effect manner.
What&amp;rsquo;s different, however, is that if we now stop generating load, the replicas of both versions will eventually scale down to their minimum (1), regardless of what routing rule we set.&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods | grep helloworld
helloworld-v1-3523621687-dt7n7 2/2 Running 0 1h
helloworld-v2-4095161145-963wt 2/2 Running 0 1h
&lt;/code>&lt;/pre>
&lt;h2 id="focused-canary-testing">Focused canary testing&lt;/h2>
&lt;p>As mentioned above, the Istio routing rules can be used to route traffic based on specific criteria, allowing more sophisticated canary deployment scenarios. Say, for example, instead of exposing the canary to an arbitrary percentage of users, we want to try it out on internal users, maybe even just a percentage of them. The following command could be used to send 50% of traffic from users at &lt;em>some-company-name.com&lt;/em> to the canary version, leaving all other users unaffected:&lt;/p>
&lt;pre>&lt;code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &amp;lt;&amp;lt;EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: helloworld
spec:
hosts:
- helloworld
http:
- match:
- headers:
cookie:
regex: &amp;#34;^(.*?;)?(email=[^;]*@some-company-name.com)(;.*)?$&amp;#34;
route:
- destination:
host: helloworld
subset: v1
weight: 50
- destination:
host: helloworld
subset: v2
weight: 50
- route:
- destination:
host: helloworld
subset: v1
EOF
&lt;/code>&lt;/pre>
&lt;p>As before, the autoscalers bound to the 2 version Deployments will automatically scale the replicas accordingly, but that will have no affect on the traffic distribution.&lt;/p>
&lt;h2 id="summary">Summary&lt;/h2>
&lt;p>In this article weve seen how Istio supports general scalable canary deployments, and how this differs from the basic deployment support in Kubernetes. Istios service mesh provides the control necessary to manage traffic distribution with complete independence from deployment scaling. This allows for a simpler, yet significantly more functional, way to do canary test and rollout.&lt;/p>
&lt;p>Intelligent routing in support of canary deployment is just one of the many features of Istio that will make the production deployment of large-scale microservices-based applications much simpler. Check out &lt;a href="/v1.5/">istio.io&lt;/a> for more information and to try it out.
The sample code used in this article can be found &lt;a href="https://github.com/istio/istio/tree/release-1.5/samples/helloworld">here&lt;/a>.&lt;/p></description><pubDate>Wed, 14 Jun 2017 00:00:00 +0000</pubDate><link>/v1.5/blog/2017/0.1-canary/</link><author>Frank Budinsky</author><guid isPermaLink="true">/v1.5/blog/2017/0.1-canary/</guid><category>traffic-management</category><category>canary</category></item><item><title>Using Istio to Improve End-to-End Security</title><description>
&lt;p>Conventional network security approaches fail to address security threats to distributed applications deployed in dynamic production environments. Today, we describe how Istio authentication enables enterprises to transform their security posture from just protecting the edge to consistently securing all inter-service communications deep within their applications. With Istio authentication, developers and operators can protect services with sensitive data against unauthorized insider access and they can achieve this without any changes to the application code!&lt;/p>
&lt;p>Istio authentication is the security component of the broader Istio platform. It incorporates the learnings of securing millions of microservice
endpoints in Googles production environment.&lt;/p>
&lt;h2 id="background">Background&lt;/h2>
&lt;p>Modern application architectures are increasingly based on shared services that are deployed and scaled dynamically on cloud platforms. Traditional network edge security (e.g. firewall) is too coarse-grained and allows access from unintended clients. An example of a security risk is stolen authentication tokens that can be replayed from another client. This is a major risk for companies with sensitive data that are concerned about insider threats. Other network security approaches like IP whitelists have to be statically defined, are hard to manage at scale, and are unsuitable for dynamic production environments.&lt;/p>
&lt;p>Thus, security administrators need a tool that enables them to consistently, and by default, secure all communication between services across diverse production environments.&lt;/p>
&lt;h2 id="solution-strong-service-identity-and-authentication">Solution: strong service identity and authentication&lt;/h2>
&lt;p>Google has, over the years, developed architecture and technology to uniformly secure millions of microservice endpoints in its production environment against
external
attacks and insider threats. Key security principles include trusting the endpoints and not the network, strong mutual authentication based on service identity and service level authorization. Istio authentication is based on the same principles.&lt;/p>
&lt;p>The version 0.1 release of Istio authentication runs on Kubernetes and provides the following features:&lt;/p>
&lt;ul>
&lt;li>&lt;p>Strong identity assertion between services&lt;/p>&lt;/li>
&lt;li>&lt;p>Access control to limit the identities that can access a service (and its data)&lt;/p>&lt;/li>
&lt;li>&lt;p>Automatic encryption of data in transit&lt;/p>&lt;/li>
&lt;li>&lt;p>Management of keys and certificates at scale&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>Istio authentication is based on industry standards like mutual TLS and X.509. Furthermore, Google is actively contributing to an open, community-driven service security framework called &lt;a href="https://spiffe.io/">SPIFFE&lt;/a>. As the &lt;a href="https://spiffe.io/">SPIFFE&lt;/a> specifications mature, we intend for Istio authentication to become a reference implementation of the same.&lt;/p>
&lt;p>The diagram below provides an overview of the Istio&amp;rsquo;s service authentication architecture on Kubernetes.&lt;/p>
&lt;figure style="width:100%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:56.25%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2017/0.1-auth/istio_auth_overview.svg" title="Istio Authentication Overview">
&lt;img class="element-to-stretch" src="/v1.5/blog/2017/0.1-auth/istio_auth_overview.svg" alt="Istio Authentication Overview" />
&lt;/a>
&lt;/div>
&lt;figcaption>Istio Authentication Overview&lt;/figcaption>
&lt;/figure>
&lt;p>The above diagram illustrates three key security features:&lt;/p>
&lt;h3 id="strong-identity">Strong identity&lt;/h3>
&lt;p>Istio authentication uses &lt;a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/">Kubernetes service accounts&lt;/a> to identify who the service runs as. The identity is used to establish trust and define service level access policies. The identity is assigned at service deployment time and encoded in the SAN (Subject Alternative Name) field of an X.509 certificate. Using a service account as the identity has the following advantages:&lt;/p>
&lt;ul>
&lt;li>&lt;p>Administrators can configure who has access to a Service Account by using the &lt;a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">RBAC&lt;/a> feature introduced in Kubernetes 1.6&lt;/p>&lt;/li>
&lt;li>&lt;p>Flexibility to identify a human user, a service, or a group of services&lt;/p>&lt;/li>
&lt;li>&lt;p>Stability of the service identity for dynamically placed and auto-scaled workloads&lt;/p>&lt;/li>
&lt;/ul>
&lt;h3 id="communication-security">Communication security&lt;/h3>
&lt;p>Service-to-service communication is tunneled through high performance client side and server side &lt;a href="https://envoyproxy.github.io/envoy/">Envoy&lt;/a> proxies. The communication between the proxies is secured using mutual TLS. The benefit of using mutual TLS is that the service identity is not expressed as a bearer token that can be stolen or replayed from another source. Istio authentication also introduces the concept of Secure Naming to protect from a server spoofing attacks - the client side proxy verifies that the authenticated server&amp;rsquo;s service account is allowed to run the named service.&lt;/p>
&lt;h3 id="key-management-and-distribution">Key management and distribution&lt;/h3>
&lt;p>Istio authentication provides a per-cluster CA (Certificate Authority) and automated key &amp;amp; certificate management. In this context, Istio authentication:&lt;/p>
&lt;ul>
&lt;li>&lt;p>Generates a key and certificate pair for each service account.&lt;/p>&lt;/li>
&lt;li>&lt;p>Distributes keys and certificates to the appropriate pods using &lt;a href="https://kubernetes.io/docs/concepts/configuration/secret/">Kubernetes Secrets&lt;/a>.&lt;/p>&lt;/li>
&lt;li>&lt;p>Rotates keys and certificates periodically.&lt;/p>&lt;/li>
&lt;li>&lt;p>Revokes a specific key and certificate pair when necessary (future).&lt;/p>&lt;/li>
&lt;/ul>
&lt;p>The following diagram explains the end to end Istio authentication workflow on Kubernetes:&lt;/p>
&lt;figure style="width:100%">
&lt;div class="wrapper-with-intrinsic-ratio" style="padding-bottom:56.25%">
&lt;a data-skipendnotes="true" href="/v1.5/blog/2017/0.1-auth/istio_auth_workflow.svg" title="Istio Authentication Workflow">
&lt;img class="element-to-stretch" src="/v1.5/blog/2017/0.1-auth/istio_auth_workflow.svg" alt="Istio Authentication Workflow" />
&lt;/a>
&lt;/div>
&lt;figcaption>Istio Authentication Workflow&lt;/figcaption>
&lt;/figure>
&lt;p>Istio authentication is part of the broader security story for containers. Red Hat, a partner on the development of Kubernetes, has identified &lt;a href="https://www.redhat.com/en/resources/container-security-openshift-cloud-devops-whitepaper">10 Layers&lt;/a> of container security. Istio addresses two of these layers: &amp;ldquo;Network Isolation&amp;rdquo; and &amp;ldquo;API and Service Endpoint Management&amp;rdquo;. As cluster federation evolves on Kubernetes and other platforms, our intent is for Istio to secure communications across services spanning multiple federated clusters.&lt;/p>
&lt;h2 id="benefits-of-istio-authentication">Benefits of Istio authentication&lt;/h2>
&lt;p>&lt;strong>Defense in depth&lt;/strong>: When used in conjunction with Kubernetes (or infrastructure) network policies, users achieve higher levels of confidence, knowing that pod-to-pod or service-to-service communication is secured both at network and application layers.&lt;/p>
&lt;p>&lt;strong>Secure by default&lt;/strong>: When used with Istios proxy and centralized policy engine, Istio authentication can be configured during deployment with minimal or no application change. Administrators and operators can thus ensure that service communications are secured by default and that they can enforce these policies consistently across diverse protocols and runtimes.&lt;/p>
&lt;p>&lt;strong>Strong service authentication&lt;/strong>: Istio authentication secures service communication using mutual TLS to ensure that the service identity is not expressed as a bearer token that can be stolen or replayed from another source. This ensures that services with sensitive data can only be accessed from strongly authenticated and authorized clients.&lt;/p>
&lt;h2 id="join-us-in-this-journey">Join us in this journey&lt;/h2>
&lt;p>Istio authentication is the first step towards providing a full stack of capabilities to protect services with sensitive data from external attacks and insider
threats. While the initial version runs on Kubernetes, our goal is to enable Istio authentication to secure services across diverse production environments. We encourage the
community to &lt;a href="https://github.com/istio/istio/tree/release-1.5/security">join us&lt;/a> in making robust service security easy and ubiquitous across different application
stacks and runtime platforms.&lt;/p></description><pubDate>Thu, 25 May 2017 00:00:00 +0000</pubDate><link>/v1.5/blog/2017/0.1-auth/</link><author>The Istio Team</author><guid isPermaLink="true">/v1.5/blog/2017/0.1-auth/</guid></item></channel></rss>
Reference in New Issue View Git Blame Copy Permalink