Istio 1.5 Change Notes

Traffic management

• Improved performance of the ServiceEntry resource by avoiding unnecessary full pushes #19305
• Improved Envoy sidecar readiness probe to more accurate determine readiness #18164.
• Improved performance of Envoy proxy configuration updates via xDS by sending partial updates where possible #18354.
• Added an option to configure locality load balancing settings for each targeted service via destination rule#18406.
• Fixed an issue where pods crashing would trigger excessive Envoy proxy configuration pushes #18574.
• Fixed issues with applications such as headless services to call themselves directly without going through Envoy proxy #19308.
• Added detection of iptables failure when using Istio CNI #19534
• Added consecutiveGatewayErrors and consecutive5xxErrors as outlier detection options within destination rule #19771.
• Improved EnvoyFilter matching performance #19786
• Added support for HTTP_PROXY protocol #19919.
• Improved iptables setup to use iptables-restore by default #18847.
• Improved Gateway performance by filtering unused clusters. This setting is disabled by default #20124.

Security

• Graduated SDS to stable and enabled by default. It provides identity provisioning for Istio Envoy proxies.
• Added Beta authentication API. The new API separates peer (i.e mutual TLS) and origin (JWT) authentication into PeerAuthentication and RequestAuthentication respectively. Both new APIs are workload-oriented, as opposed to service-oriented in alpha AuthenticationPolicy.
• Added deny semantics and exclusion matching to Authorization Policy.
• Graduated auto mutual TLS from alpha to beta. This feature is now enabled by default.
• Improved SDS security by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.
• Improved Istio by including certificate provisioning functionality within Istiod.
• Added Support Kubernetes first-party-jwt as a fallback token for CSR authentication in clusters where third-party-jwt is not supported.
• Added Support Istio CA and Kubernetes CA to provision certificates for the control plane, configurable via values.global.pilotCertProvider.
• Added Istio Agent provisions a key and certificates for Prometheus.

Telemetry

• Added TCP protocol support for v2 telemetry.
• Added gRPC response status code support in metrics/logs.
• Added support for Istio Canonical Service.
• Improved stability of v2 telemetry pipeline.
• Added alpha-level support for configurability in v2 telemetry.
• Added support for populating AWS platform metadata in Envoy node metadata.
• Improved Stackdriver adapter for Mixer to support configurable flush intervals for tracing data.
• Added support for a headless collector service to the Jaeger addon.
• Fixed kubernetesenv adapter to provide proper support for pods that contain a dot in their name.
• Improved the Fluentd adapter for Mixer to provide millisecond-resolution in exported timestamps.

Configuration management

Operator

• Replaced the alpha IstioControlPlane API with the new IstioOperator API to align with existing MeshConfig API.
• Added istioctl operator init and istioctl operator remove commands.
• Improved reconciliation speed with caching operator#667.

istioctl

• Graduated Istioctl Analyze out of experimental.
• Added various analyzers: mutual TLS, JWT, ServiceAssociation, Secret, sidecar image, port name and policy deprecated analyzers.
• Updated more validation rules for RequestAuthentication.
• Added a new flag -A|--all-namespaces to istioctl analyze to analyze the entire cluster.
• Added support for analyzing content passed via stdin to istioctl analyze.
• Added istioctl analyze -L to show a list of all analyzers available.
• Added the ability to suppress messages from istioctl analyze.
• Added structured format options to istioctl analyze.
• Added links to relevant documentation to istioctl analyze output.
• Updated annotation methods provided by Istio API in Istioctl Analyze.
• Updated istioctl analyze now loads files from a directory.
• Updated istioctl analyze to try to associate message with their source filename.
• Updated istioctl analyze to print the namespace that is being analyzed.
• Updated istioctl analyze to analyze in-cluster resources by default.
• Fixed bug where istioctl analyze suppressed cluster-level resource messages.
• Added support for multiple input files to istioctl manifest.
• Replaced the IstioControlPlane API with the IstioOperator API.
• Added selector for istioctl dashboard.
• Added support for slices and lists in istioctl manifest --set flag.
• Added support for istioctl manifest to read profiles from stdin.
• Added a docker/istioctl image #19079.