Istio 1.20 signifies a notable advancement in the capabilities of the Istio service mesh, offering a better experience for operators and developers. This new release introduces several key features and updates that will influence the design and implementation of service mesh architectures.
Gateway API Support
Istio 1.20 provides comprehensive support for the Kubernetes Gateway API, now reaching general availability (GA). This marks a significant leap in the service mesh ecosystem, providing users with a stable and comprehensive set of networking APIs aligned with Kubernetes core services. Istio’s embrace of the Gateway API is a crucial step towards more seamless and flexible traffic management, allowing users to define how traffic is routed consistently within a Kubernetes cluster. Read What’s New in Istio 1.19: Gateway API and Beyond for more information on the Gateway API.
Enhanced ExternalName Service Support
In service discovery, Istio 1.20 brings a pivotal update to handling ExternalName services, making Istio’s behavior more aligned with Kubernetes. This change simplifies configuration and enables Istio to better handle DNS, which is crucial for services relying on external endpoints. For more information on ExternalName services, you can refer to the Kubernetes documentation.
Both ExternalName services and Istio's ServiceEntry can be used for service discovery, especially for introducing services that run outside the Kubernetes cluster. However, there are some key differences:
- ExternalName is a native Kubernetes Service type, acting as an alias for external services within the cluster. It allows consistent management and usage of internal and external services. Care should be taken not to use the same ExternalName across multiple namespaces to avoid naming conflicts.
- ServiceEntry is an Istio-specific configuration object that provides more flexible control. It can describe services within or outside the mesh and specify protocols, ports, and other attributes. For instance, a ServiceEntry can facilitate access to external services from within the mesh or define custom service entry points.
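The two approaches side by side, as an added example that is not taken from the Istio release notes or the original post. The host api.example.com, the payments namespace and the resource names are constructed placeholders.

```yaml
# Constructed example: api.example.com and the "payments" namespace are placeholders.

# Option 1: Kubernetes-native alias. Workloads resolve
# billing-api.payments.svc.cluster.local to a CNAME for api.example.com.
apiVersion: v1
kind: Service
metadata:
  name: billing-api
  namespace: payments
spec:
  type: ExternalName
  externalName: api.example.com
---
# Option 2: Istio ServiceEntry. The external host is registered in the mesh
# under its own name, with the port and protocol stated explicitly.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: billing-api-external
  namespace: payments
spec:
  hosts:
  - api.example.com
  location: MESH_EXTERNAL   # the endpoint lives outside the mesh
  resolution: DNS           # proxies resolve the host through DNS
  ports:
  - number: 443
    name: tls
    protocol: TLS
  exportTo:
  - "."                     # visible only to workloads in this namespace
```

Scoping the ServiceEntry with exportTo keeps the external host definition from leaking into other namespaces, which addresses the naming-conflict concern noted for ExternalName above.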
Other Updates
Consistent Envoy Filter Ordering: Envoy filter ordering has been made consistent across all traffic directions and protocols in the new release. This ensures a uniform application of filters, which is crucial for the predictable behavior and security of the service mesh.
Network WasmPlugin Expansion: Istio continues to push the boundaries of extensibility by broadening support for the new NETWORK type in network Wasm plugins. This extension solidifies Istio’s position as a leader in service mesh innovation, offering users more control and customization options.
TCP Metadata Exchange Enhancements: Two updates in Istio 1.20 aim to refine TCP metadata exchange: a fallback metadata discovery process and the ability to control ALPN tokens. These improvements showcase Istio’s commitment to robust and efficient networking.
Traffic Mirroring to Multiple Destinations: The new release extends Istio’s traffic mirroring capabilities to support multiple destinations. This feature is invaluable for debugging and monitoring, providing insights into traffic behavior across different service versions or configurations.
Pluggable Root Cert Rotation: Strengthening security, Istio now supports pluggable root certificate rotation, enhancing the service mesh’s ability to maintain trust across services with updated cryptographic credentials.
StartupProbe in Sidecar Containers: Aiming to improve startup times, Istio introduces a startupProbe in sidecar containers, which can aggressively poll during the initial phase without persisting throughout the pod’s lifecycle.
OpenShift Installation Enhancements: Istio simplifies the installation process on OpenShift by removing specific privilege requirements, thereby lowering the barrier to entry for OpenShift users.
Conclusion
The features and enhancements in Istio 1.20 streamline operations, fortify security, and provide a more dynamic and customizable service mesh experience. As the service mesh landscape continues to evolve, Istio’s latest release is a testament to the community’s relentless pursuit of improvement and innovation.