Explore What’s New in Istio 1.19
In the ever-evolving landscape of cloud-native technologies, service mesh has emerged as a key component for simplifying the management of microservices-based applications. As the leading open source service mesh, Istio and Ambient mesh stand out as a powerful and versatile–as well as widely adopted–solution.
With its new release, Istio 1.19 is poised to bring a wave of enhancements, features, and optimizations to further elevate the capabilities of service mesh management. Let’s dive into the exciting offerings that Istio 1.19 brings to the table.
What’s New in Istio 1.19
Istio 1.19 features more than 90 updates, fixes and improvements across traffic management, telemetry, installation, extensibility, and other areas. Thanks to the many contributors and maintainers who helped bring this release to life!
In this post, we’ll highlights a couple of interesting updates and enhancements the new release brings. For a full list of changes, refer to the Istio 1.19 release notes.
If you’re upgrading from 1.18.x to 1.19, make sure you consider the changes in the upgrade notes. There are a couple of changes that can affect the upgrade.
Enhanced Traffic Management
Istio has always been renowned for its traffic management capabilities, and Istio 1.19 takes it a step further. The upcoming release introduces various improvements and fixes:
- JWT claim-based routing: supports
for nested claims
- Regex rewrite support: added regex rewrite support in VirutalService
- Removed v2 type support: types support for v2 types in EnvoyFilters was removed. Make sure you use v3 interface
cipher_suites Support for Mesh-internal Traffic Through MeshConfig API
A new feature in Istio 1.19.0 allows mesh operators to use MeshConfig to set the
cipher_suites to be used for mesh-internal traffic.
In previous versions, configuring TLS parameters such as TLS versions, TLS cipher suites, curves, etc. was only possible using an EnvoyFilter resource. You can now use this feature when you need to use a specific TLS version or cipher suite for mesh-internal traffic (when using TLSv1.2).
Check out this new lab that shows how the
cipher_suites support works.
Ambient Mesh Enhancements
A number of improvements have been made for Ambient mode. Visit these labs for more details on new Ambient mesh features in Istio 1.19.
- WorkloadEntry: initial support for WorkloadEntry in Ambient mode
- ServiceEntry: initial support for ServiceEntry in Ambient mode
- PeerAuthentication: support for PeerAuthentication policies in Ambient mode
Support for PeerAuthentication Policies in Ambient
Support for PeerAuthentication resource in Ambient mesh allows us to configure how the traffic gets tunneled and whether it allows mTLS traffic only or both plaintext and mTLS traffic.
Check out this hands-on lab to explore PeerAuthenticaiton’s
PERMISSIVE mode in action.
Ambient Support for ServiceEntry and WorkloadEntry
ServiceEntry resource support in Ambient mesh allows us to add additional entries into Istio’s internal service registry. With the ServiceEntry resource we can use properties such as DNS name, VIPs, ports, protocols, and endpoints to describe the service.
This lab walks you through the ServiceEntry and WorkloadEntry resources in Ambient mesh, and you’ll learn how different configurations impact the ztunnel configuration in the mesh.
Security is a top concern for any application architecture. Istio 1.19 introduces a new TLS mode (
OPTIONAL_MUTUAL), a new flag that’s usef for SPIRE integration, CRL support and other fixes.
- New TLS mode: new TLS mode called
OPTIONAL_MUTUALadded to the Gateway, and it validates the client certificate if present, but doesn’t mandate it
insecureSkipVerifyimplementation: if set, the feature disables CA certificate and SAN verification for the host
- New flag
USE_EXTERNAL_WORKLOAD_SDS:if set, it prevents istio-proxy from starting if the workload SDS socket is not found (useful for SPIRE integration)
- Certificate revocation list (CRL) support: by creating a Kubernetes secret called
crl, you can provide a certificate revocation list and Envoy will verify the presented peer certificate has not been revoked by this CRL.
Observability is crucial for understanding the behavior of your applications. Istio 1.19 enhances telemetry features by introducing a couple of new metrics, ability to customize histograms and other fixes.
- New metric:
provider_lookup_cluster_failuresmetric was added which measures the number of times cluster lookup failed
- New metrics: if environment variable
ISTIO_ENABLE_CONTROLLER_QUEUE_METRICSis enabled, metrics for queue depth, latency and processing times are published
- Customize histograms: added annotation
sidecar.istio.io/statsHistogramBucketsfor customizing histogram buckets
Installation and Configuration Improvements
Istio 1.19 places emphasis on making the installation and configuration process smoother. With improvements to the Istio operator and more intuitive installation options, developers and operators can set up and manage their service meshes with reduced friction.
- Kiali: Kiali addon version was updated to v1.72.0
- Helm chart: added support for configuring container arguments, volumeMounts, and volumes
- Removed experimental commands:
kube-uninjectexperimental commands were removed
- Promoted experimental commands: create-remote-secret and remote-clusters were promoted to top-level command
Unlock Service Mesh Success with Istio and Ambient Mesh
Whether you’re a seasoned Istio user or just beginning to explore the world of service meshes, Istio 1.19 presents a compelling array of features that can elevate your application management strategies to new heights.
Check out this new release and take advantage of these new features in your deployments.
To learn more about Istio through hands-on labs, visit these complimentary resources: