Istio 1.8 is the last version of Istio to be released in 2020. It continues to follow the trade winds and listen to users’ feedback, and brings the following major updates:
- Supports installation and upgrades using Helm 3
- Mixer was officially removed
- Added Istio DNS proxy to transparently intercept DNS queries from applications
- WorkloadGroup has been added to simplify the integration of virtual machines
WorkloadGroup is a new API object. It is intended to be used with non-Kubernetes workloads like virtual machines, and is meant to mimic the existing sidecar injection and deployment specification model used for Kubernetes workloads to bootstrap Istio proxies.
Installation and upgrades
Istio now officially supports the use of Helm v3 for installations and upgrades. In previous versions, installation was done with the istioctl command-line tool or the Operator. With version 1.8, Istio supports in-place and canary upgrades with Helm.
Enhancing Istio’s usability
The istioctl command-line tool has a new bug reporting feature (istioctl bug-report), which can be used to collect debugging information and get cluster status.
The way to install add-ons has changed: installing them with istioctl was no longer recommended in 1.7 and has been removed in 1.8, which helps solve the problem of add-ons lagging upstream and makes them easier to maintain.
Mixer, the Istio component that had been responsible for policy controls and telemetry collection, has been removed. Its functionalities are now being served by the Envoy proxies. For extensibility, service mesh experts recommend using WebAssembly (Wasm) to extend Envoy, and you can also try the GetEnvoy Toolkit that makes it easier for developers to create Wasm extensions for Envoy. If you still want to use Mixer, you must use version 1.7 or older. Mixer continued receiving bug fixes and security fixes until Istio 1.7. Many features supported by Mixer have alternatives as specified in the Mixer Deprecation document including the in-proxy extensions based on the Wasm sandbox API.
Support for virtual machines
Istio’s recent upgrades have steadily focused on making virtual machines first-class citizens in the mesh; Istio 1.7 made progress to support virtual machines, and Istio 1.8 adds a smart DNS proxy, which is an Istio sidecar agent written in Go. The Istio agent on the sidecar will come with a cache that is dynamically programmed by Istiod DNS Proxy. DNS queries from applications are transparently intercepted and served by an Istio proxy in a pod or VM that intelligently responds to DNS query requests, enabling seamless multi-cluster access from virtual machines to the service mesh.
Istio 1.8 adds a WorkloadGroup, which describes a collection of workload instances. It provides a specification that the workload instances can use to bootstrap their proxies, including the metadata and identity. It is only intended to be used with non-k8s workloads like Virtual Machines, and is meant to mimic the existing sidecar injection and deployment specification model used for Kubernetes workloads to bootstrap Istio proxies. Using WorkloadGroups, Istio has started to help automate VM registration with istioctl experimental workload group.
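An illustrative WorkloadGroup manifest for the object described above, showing where the metadata and identity that a VM proxy bootstraps with are declared. This is an added example, not taken from the original article or from the Istio project; the names `vm-billing` and `legacy-apps`, and the label, network and port values, are hypothetical.

```yaml
# Constructed example; every name and value below is hypothetical.
# Dedicated service account: it becomes the identity of the VM
# workloads in this group, so it is not shared with other workloads.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vm-billing
  namespace: legacy-apps
---
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
metadata:
  name: vm-billing
  namespace: legacy-apps
spec:
  # Metadata applied to every workload instance that joins the group,
  # analogous to pod labels produced by a Deployment template.
  metadata:
    labels:
      app: billing
      version: v1
  # Template for the per-instance entries; the address is left out
  # because it is filled in for each VM when that VM registers.
  template:
    serviceAccount: vm-billing   # identity the proxy bootstraps with
    network: vm-network          # network the VMs are attached to
    ports:
      http: 8080
```

A dedicated service account per group keeps the VM identity distinct from other workloads in the namespace, so access rules can be scoped to it.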
Tetrate, the enterprise service mesh company, uses these VM features extensively in customers’ multicluster deployments to enable sidecars to resolve DNS for hosts exposed at ingress gateways of all the clusters in a mesh, and access them over mutual TLS.
Conclusion
All in all, the Istio team has kept the promise made at the beginning of the year to maintain a regular release cadence of one release every 3 months since the 1.1 release in 2018, with continuous optimizations in performance and user experience for a seamless experience of brownfield and greenfield apps on Istio. We look forward to many more surprises from Istio in 2021.
This article was written by Tetrate’s Jimmy Song, and originally appeared in The New Stack.