What’s new in Istio 1.7? VM Identity, simplified cert management and more!


Istio, the leading open source service mesh, today announced the general availability of its 1.7 release. The new features make it easier to bootstrap clusters and let users maintain their own versions of add-ons such as Prometheus and Jaeger.

Istio’s 1.7 release was highly anticipated because of its focus on extending the mesh to virtual machine-based environments. Tetrate was founded to solve this problem and has spent the past year doing so in partnership with customers in real deployments. The 1.6 release expanded the mesh to include VMs; the 1.7 work, managed by Tetrate’s Cynthia Coan, addresses the remaining gap that a VM still lacked a verifiable identity.

Background 

Istio is the de facto standard service mesh, built by a global open source community. The project was started three years ago by Google, Lyft and IBM, and is now used in production by companies such as HelloFresh, AutoTrader, and Gojek.

Since the 1.6 release there have been over 190 commits, 19 new features added, and 68 bug fixes. 

The most notable updates that will improve user experience and onboarding include:

VM Identity

Istio 1.6 introduced WorkloadEntry to address the problem that non-containerized workloads were only configurable as an IP address in a ServiceEntry, which meant they existed only as part of a service. Istio had lacked a first-class abstraction for these workloads, something similar to how Kubernetes treats Pods as the fundamental unit of compute: a named object that serves as the collection point for everything related to a workload (name, labels, security properties, lifecycle status events, and so on).

Identity bootstrapping has been a highly anticipated update in Istio. While it has always been possible to bootstrap an identity onto a VM, the process has so far been neither user-friendly nor particularly secure. Work is underway to improve both, but in this release most of the progress is on the security side. Bootstrapping an identity onto a VM is still a manual process, but users who go through it now provision the VM with a Kubernetes service account JWT, which the Istio agent presents to istiod to obtain the VM’s workload certificate, rather than copying a long-lived certificate onto the machine.
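The following is an added example, not configuration from this post or from the Istio project, showing what the VM looks like once it is a first-class object: a WorkloadEntry that names the VM, carries its labels and, most importantly for security, the service account whose identity it assumes, plus a ServiceEntry that selects VMs by label instead of listing bare IP addresses. The namespace, names, labels, address and ports are assumptions.

```yaml
# Added example (not from the post or the Istio project). Namespace, names,
# labels, address and ports are assumed.
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadEntry
metadata:
  name: payments-vm-1
  namespace: payments
spec:
  address: 10.0.20.14          # the VM's routable address (assumed)
  labels:
    app: payments
    version: v1
  # The Kubernetes service account whose identity the VM assumes. The workload
  # certificate issued to the VM carries the SPIFFE ID
  #   spiffe://<trust-domain>/ns/payments/sa/payments-vm
  # so PeerAuthentication and AuthorizationPolicy can name the VM exactly as
  # they would name a Pod running under that service account.
  serviceAccount: payments-vm
  ports:
    http: 8080                 # port name must match the ServiceEntry below
---
# The ServiceEntry no longer embeds the VM's IP. It selects WorkloadEntries by
# label, so adding or retiring a VM is a change to the workload object, not to
# the service definition. MESH_INTERNAL tells Istio the endpoint runs a sidecar
# and should be reached over mTLS.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: payments
  namespace: payments
spec:
  hosts:
  - payments.payments.svc.cluster.local
  location: MESH_INTERNAL
  resolution: STATIC
  ports:
  - number: 8080
    name: http
    protocol: HTTP
  workloadSelector:
    labels:
      app: payments
```

The `serviceAccount` field is the part worth checking after applying this: an authorization policy that allows `cluster.local/ns/payments/sa/payments-vm` (substituting your own trust domain) should admit requests from the VM and nothing else, which is only possible because the VM now has its own identity rather than borrowing the service’s.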

Stay tuned for more improvements to the user experience coming through GetEnvoy! GetEnvoy is the open-source project created by Tetrate to make it easier to install and extend the Envoy proxy.

Starting the sidecar before the container

Istio 1.7 ships a temporary workaround that starts the sidecar, which intercepts the pod’s traffic, before the application container. This mitigates a known issue where an application container started before the sidecar would crash: its outbound connections were already being redirected to the proxy by the pod’s iptables rules, but the proxy was not yet listening, so the application could not reach anything outside the pod.
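As an added example (not from the post or the Istio project), this IstioOperator resource turns the workaround on mesh-wide through the `values.global.proxy.holdApplicationUntilProxyStarts` value that 1.7 introduced; the resource name and the choice of the `default` profile are assumptions.

```yaml
# Added example (not from the post or the Istio project). Resource name and
# profile are assumed.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: hold-app-until-proxy
  namespace: istio-system
spec:
  profile: default
  values:
    global:
      proxy:
        # Default (false): containers start in list order with no wait, so an
        # application container can come up while istio-proxy is still
        # bootstrapping. iptables already redirects its outbound connections
        # to the proxy, which is not listening yet, and the app crashes.
        #
        # true: the injector places istio-proxy first in the pod's container
        # list and adds a postStart hook that blocks until the proxy reports
        # ready, so the application container is not started until traffic
        # can actually flow.
        holdApplicationUntilProxyStarts: true
```

Apply it with `istioctl install -f hold-app-until-proxy.yaml` and re-create the affected pods; a pod injected afterwards shows `istio-proxy` as the first entry in `kubectl get pod <pod> -o jsonpath='{.spec.containers[*].name}'`. Because the hook only delays the application, it does not help a workload that talks to the network from an init container, which still runs before any sidecar.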

Simplified certificate management at egress gateways

Originating mTLS from an egress gateway to an external service has been simplified. Previously the client certificate, key and CA bundle had to be mounted into the gateway pod and referenced by file path in the DestinationRule. In 1.7 the DestinationRule can refer directly, by name, to the Kubernetes secret that holds them, and those secrets can be rotated without restarting the egress gateway pod.
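The following DestinationRule is an added example, not configuration from this post or the Istio project; the external host, secret name and port are assumptions. It shows the 1.7 form using `credentialName`, with the pre-1.7 file-path form left in as a comment for comparison.

```yaml
# Added example (not from the post or the Istio project). Host, secret name
# and port are assumed. The secret lives in the namespace of the egress
# gateway (istio-system by default) and carries the client key, the client
# certificate and the CA that signs the external server's certificate:
#
#   kubectl -n istio-system create secret generic client-credential \
#     --from-file=tls.key=client.key \
#     --from-file=tls.crt=client.crt \
#     --from-file=ca.crt=ca.crt
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-to-partner-api
  namespace: istio-system
spec:
  host: api.partner.example
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        # 1.7: reference the secret by name. The key material is delivered to
        # Envoy over SDS, never written into the pod's filesystem, and a
        # rotated secret is picked up without restarting the gateway.
        credentialName: client-credential
        sni: api.partner.example
        # Pre-1.7 form, for comparison: the files had to be mounted into the
        # gateway pod (volume + volumeMount on the gateway Deployment) and a
        # rotation meant a rollout of the gateway.
        #   clientCertificate: /etc/istio/partner-client-certs/tls.crt
        #   privateKey:        /etc/istio/partner-client-certs/tls.key
        #   caCertificates:    /etc/istio/partner-ca/ca.crt
```

Two things to check before relying on this: in 1.7 `credentialName` is honoured by gateways only, so the DestinationRule must target traffic that leaves through the egress gateway (a ServiceEntry for `api.partner.example` and the usual Gateway and VirtualService routing are still required), and the secret must sit in the gateway’s namespace, which is where a rotation is performed.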

Improved multi-cluster access control

In multicluster setups without flat networks, you can now apply Istio authorization policies at a cluster’s ingress gateway to allow or deny traffic from a particular cluster based on the source cluster’s trust domain.
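As an added example (not from the post or the Istio project), this AuthorizationPolicy is attached to the ingress gateway of a cluster whose trust domain is assumed to be `east.local`, and admits only workloads whose SPIFFE identity comes from that trust domain or from a trusted peer cluster assumed to be `west.local`. The trust-domain names, gateway labels and namespace are assumptions.

```yaml
# Added example (not from the post or the Istio project). Trust-domain names,
# gateway labels and namespace are assumed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: only-trusted-clusters
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway      # the gateway that receives cross-cluster traffic
  action: ALLOW
  rules:
  - from:
    - source:
        # principals are matched against the peer's SPIFFE ID of the form
        #   <trust-domain>/ns/<namespace>/sa/<service-account>
        # A trailing "*" is a prefix match, so each entry admits every
        # namespace and service account of one trust domain and nothing else.
        principals:
        - "east.local/*"
        - "west.local/*"
```

Because the action is ALLOW, a request that matches none of the listed principals is denied, including a request that reaches the gateway without any peer identity at all; the policy therefore fails closed rather than quietly admitting a cluster it does not know about. To refuse a specific cluster while leaving everything else to other policies, use `action: DENY` with that cluster’s trust domain in `principals` instead. After applying, `istioctl x authz check <gateway-pod>.istio-system` lists the RBAC filter the gateway is running so the policy can be confirmed to have reached it.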

Istioctl updates

Changes to `istioctl` provide two updates to improve the user experience:

  1. Bootstrapping clusters has been improved by replacing the `istioctl manifest apply` command with `istioctl install`.
  2. Introduction of `istioctl x uninstall` to uninstall Istio.

Add-on software changes

Istio now leaves users in control of the add-ons they run alongside the mesh, including Prometheus and Jaeger. Users maintain those components themselves, so updates and security patches can be applied as soon as the upstream projects publish them, without waiting for a new Istio release.

Updated installation requirements

To resolve existing issues with webhook reliability, Istio 1.7 requires Kubernetes 1.16 or later. Istio supports only the Kubernetes versions that Kubernetes itself supports; the new requirement follows from changes in Kubernetes with which earlier versions are no longer compatible.

Additional Resources

Tetrate offers Istio support through Tetrate Istio Subscription. If you’d like to know more about what Tetrate can do for you, get in touch!
