- Added automatic protocol determination of HTTP or TCP for outbound traffic when ports are not named according to Istio’s conventions.
- Added a mode to the Gateway API for mutual TLS operation.
- Fixed issues present when a service communicates over the network first in permissive mutual TLS mode for protocols like MySQL and MongoDB.
- Improved Envoy proxy readiness checks. They now check Envoy’s readiness status.
- Improved port capture. Container ports are no longer required in the pod spec. All ports are captured by default.
- Improved the `EnvoyFilter` API. You can now add or update all configurations.
- Improved the Redis load balancer to now default to `MAGLEV` when using the Redis proxy.
- Improved load balancing to direct traffic to the same region and zone by default.
- Improved Pilot by reducing CPU utilization. The reduction approaches 90% depending on the specific deployment.
- Improved the `ServiceEntry` API to allow for the same hostname in different namespaces.
- Improved the Sidecar API to customize the
- Added trust domain validation for services using mutual TLS. By default, the server only authenticates the requests from the same trust domain.
- Added [labels](/docs/ops/configuration/mesh/secret-creation/) to control service account secret generation by namespace.
- Added SDS support to deliver the private key and certificates to each Istio control plane service.
- Added support for introspection to Citadel.
- Added metrics to the `/metrics` endpoint of Citadel Agent on port 15014 to monitor the SDS service.
- Added diagnostics to the Citadel Agent using the `/debug/sds/gateway` on port 8080.
- Improved the ingress gateway to load the trusted CA certificate from a separate secret when using SDS.
- Improved SDS security by enforcing the usage of Kubernetes Trustworthy JWTs.
- Improved Citadel Agent logs by unifying the logging pattern.
- Removed support for Istio SDS when using Kubernetes versions earlier than 1.13.
- Removed integration with Vault CA temporarily. SDS requirements caused the temporary removal but we will reintroduce Vault CA integration in a future release.
- Enabled the Envoy JWT filter by default to improve security and reliability.
- Added Access Log Service (ALS) support for Envoy gRPC.
- Added a Grafana dashboard for Citadel monitoring.
- Added metrics for monitoring the sidecar injector webhook.
- Added control plane metrics to monitor Istio’s configuration state.
- Added telemetry reporting for traffic destined to the
- Added alpha support for in-proxy generation of service metrics using Prometheus.
- Added alpha support for environmental metadata in Envoy node metadata.
- Added alpha support for Proxy Metadata Exchange.
- Added alpha support for the OpenCensus trace driver.
- Improved reporting for external services by removing requirements to add a service entry.
- Improved the mesh dashboard to provide monitoring of Istio’s configuration state.
- Improved the Pilot dashboard to expose additional key metrics to more clearly identify errors.
- Removed deprecated `Template` custom resource definitions (CRDs).
- Deprecated the HTTP API spec used to produce API attributes. We will remove support for producing API attributes in Istio 1.4.
- Improved rate limit enforcement to allow communication when the quota backend is unavailable.
- Fixed Galley to stop too many gRPC pings from closing connections.
- Improved Galley to avoid control plane upgrade failures.
- Added new images based on distroless base images.
- Improved the Istio CNI Helm chart to have consistent versions with Istio.
- Improved Kubernetes Jobs behavior. Kubernetes Jobs now exit correctly when the job manually calls the