Istio 1.21 Enables Running Ambient Mode With Any CNI

Istio 1.21 is the first release in 2024, bringing many fixes, improvements, and new features. One of the big changes in the new release is regarding ambient mode.

Ambient mode was announced in September 2022 and brought a new data plane mode for Istio without sidecars. Ambient mode split the single combined L4/L7 proxy into two separate components – a dedicated L4 proxy called ztunnel and an optional L7 waypoint proxy.

The latest innovation that Istio 1.21 brings in ambient mode is the in-pod redirection mode that enables ambient mode to work with any CNI.

In-Pod Redirection Mode

The biggest change in the ambient space is the significant innovation in capturing and redirecting ambient traffic to enable ambient mode to work with any CNI. The new mechanism is called in-pod redirection, and it removes the need for any iptables rules or redirection at the node level.

[Figure: in-pod redirection mode]

As pods get added to ambient mode, the istio-cni component sets up the iptables rules inside the pod's network namespace and notifies the resident ztunnel. The ztunnel then opens listening sockets inside the pod's network namespace so that packets can be redirected to the ztunnel without leaving the pod.

For a more detailed technical overview, read the Maturing Istio Ambient: Compatibility Across Various Kubernetes Providers and CNIs blog post and watch the ambient mesh with CNI video.

Compatibility Versions to Minimize Risks During Upgrades

The compatibility version feature allows you to upgrade and install a new version of Istio, but makes it behave like a different version.

For example, when installing Istio 1.21, you can use the compatibilityVersion field and make it behave as Istio 1.20:

istioctl install --set values.compatibilityVersion=1.20

With the current plan, each compatibility version will be available for at least two versions. This will give you enough time to upgrade or migrate your resources to match the behavior in the latest version.

As before any upgrade, ensure you review the release changes and upgrade notes. Additionally, you can run istioctl x precheck with the --from-version flag to check whether a compatibility version should be used.

Look at the upgrade notes to check which new behavior is gated behind the compatibility version.

Traffic Management Improvements

There were numerous fixes and improvements in the traffic management area. Here are a couple of interesting new additions:

  • You can now use the :authority header in the VirtualService, allowing you to rewrite both the Host and :authority headers.
  • ExternalName support has been revamped to fix existing issues around how these services are treated. If you’re using Kubernetes ExternalName services, check out the upgrade notes for details on what exactly is changing and how to opt out of the new implementation.
  • New workloads added to ambient mode have the default network automatically set.
  • There is added support for TCP idle timeout and max concurrent streams in DestinationRule.
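An added example (not from the release notes or the Istio project) of a DestinationRule that uses the two new connection-pool limits mentioned above. The service name and the numeric values are constructed; the field names tcp.idleTimeout and http.maxConcurrentStreams are my reading of the 1.21 DestinationRule API. Both limits bound how long and how much a single client connection can tie up on the upstream, which is the practical defence against idle-socket and stream-fan-out exhaustion.

```yaml
# Added example, not from the post: connection-pool limits for one upstream.
# The host and numbers are constructed; adjust them to the workload's real load.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: payments-pool-limits
  namespace: default
spec:
  host: payments.default.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 200
        connectTimeout: 3s
        # New in 1.21 (assumed field name): close upstream connections that
        # carry no traffic for this long, so idle sockets cannot pile up.
        idleTimeout: 5m
      http:
        http2MaxRequests: 1000
        # New in 1.21 (assumed field name): cap concurrent streams per HTTP/2
        # connection, limiting how much work one connection can fan out.
        maxConcurrentStreams: 100
```

Apply it with kubectl apply -f and confirm the values reached the proxy with istioctl proxy-config cluster on a client pod; a value the data plane rejects shows up there as the default rather than the configured number.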

In addition to the new features above, several bugs and memory leaks were fixed. Check out the full list here.

Security Improvements

Istio used a custom proxy filter for request JWT authentication. With the 1.21 release, Istio will use the upstream Envoy JWT filter instead when the proxy supports it. Note that if you’re using the istio_authn dynamic metadata key in your Envoy or Wasm filters, you’ll have to update them to use the envoy.filters.http.jwt_authn metadata key.
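An added example (not from the post or the Istio project) of the kind of filter that the metadata-key change affects: an EnvoyFilter with a small Lua filter that reads the verified JWT claims from dynamic metadata and copies the subject into a request header for the application. The workload label and header name are constructed. The metadata layout under the new key (claims keyed by issuer) is my assumption about how Istio configures the upstream filter's payload_in_metadata; verify it against your own proxy's dynamic metadata before relying on it.

```yaml
# Added example, not from the post: migrate a Lua filter from the istio_authn
# metadata key to the upstream envoy.filters.http.jwt_authn key.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: jwt-subject-header
  namespace: default
spec:
  workloadSelector:
    labels:
      app: httpbin   # constructed; select the workload whose filters read JWT metadata
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE   # runs after the JWT filter, before routing
      value:
        name: envoy.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_request(handle)
              local md = handle:streamInfo():dynamicMetadata()
              -- Before 1.21 the custom Istio filter published claims under:
              --   md:get("istio_authn")
              -- With the upstream Envoy filter the key is:
              local jwt = md:get("envoy.filters.http.jwt_authn")
              if jwt == nil then
                -- No verified token on this request. Do not synthesize an
                -- identity here; leave enforcement to AuthorizationPolicy.
                handle:logWarn("no verified JWT metadata on request")
                return
              end
              -- Assumption: entries are keyed by issuer, each value being that
              -- token's claims table.
              for issuer, claims in pairs(jwt) do
                if type(claims) == "table" and claims["sub"] ~= nil then
                  handle:headers():add("x-jwt-subject", tostring(claims["sub"]))
                end
              end
            end
```

Keep the AuthorizationPolicy that requires a request principal in place; this filter only forwards an already-verified claim and must never be the thing that decides whether an unauthenticated request is allowed through.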

A couple of changes to consider before upgrading to the latest version are the new default values for the ENABLE_AUTO_SNI and VERIFY_CERTIFICATE_AT_CLIENT flags. Both are now set to true by default. If these changes are not desired, make sure you either use the new compatibility version feature or change the default values explicitly.
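An added example (not from the post or the Istio project) that serves both the compatibility-version section above and the flag changes just described: an IstioOperator that installs 1.21 with the 1.20 compatibility version, while pinning the two security flags to their hardened values so the compatibility window does not also roll back certificate verification. values.compatibilityVersion and the two flag names are from this post; putting the flags under values.pilot.env, and the assumption that explicit env values take precedence over the compatibility profile, are mine.

```yaml
# Added example, not from the post: 1.20 compatibility behaviour for the
# traffic changes, with the 1.21 security defaults kept on explicitly.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-1-21-compat
  namespace: istio-system
spec:
  values:
    # Same effect as: istioctl install --set values.compatibilityVersion=1.20
    compatibilityVersion: "1.20"
    pilot:
      env:
        # Assumption: explicit env values override what the compatibility
        # profile would set, so these stay true even under 1.20 behaviour.
        ENABLE_AUTO_SNI: "true"
        VERIFY_CERTIFICATE_AT_CLIENT: "true"
```

Run istioctl x precheck --from-version 1.20 first, then istioctl install -f with this file; after the install, check the istiod pod's environment to confirm both flags are true, since that is the setting you actually want to survive the compatibility window.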

Other Improvements

Legacy EnvoyFilter implementation for Telemetry was removed. Note that the following fields are no longer respected: prometheus.configOverride, stackdriver.configOverride, stackdriver.disableOutbound, stackdriver.outboundAccessLogging.

There were also multiple improvements in the Istio CLI, including the commands that support deleting multiple or all waypoint proxies, additional analyzers, improved bug-report command and performance, and others.

Want to learn more about our latest release? Join us at KubeCon + CloudNativeCon Europe 2024 in Paris, France. We’ll be at booth E3 in the Solutions Showcase.