Istio, the leading Open Source service mesh offering, today announced the general availability of their 1.7 release. The new features make it easier to bootstrap clusters and to maintain their own versions of software add-ons like Prometheus and Jaeger.
Istio’s 1.7 release was highly anticipated because of its focus on extending the mesh to work in virtual machine-based cloud environments. Tetrate was founded to solve this problem and has been solving this problem for the past year in partnership with customers in real deployments. In the 1.6 release, we expanded the mesh to include the VM environment while the 1.7 release, managed by Tetrate’s Cynthia Coan, addressed the gap of needing a verifiable identity for the VM.
Background
Istio is the de facto standard service mesh built by a global open source community. The project started three years ago by Google, Lyft and IBM, and is now used in production by companies such as HelloFresh, AutoTrader, and Gojek.
Since the 1.6 release there have been over 190 commits, 19 new features added, and 68 bug fixes.
The most notable updates that will improve user experience and onboarding include:
VM Identity
Istio 1.6 introduced WorkloadEntry
to address the problem that non-containerized workloads were only configurable as an IP address in a ServiceEntry
, which meant that they only existed as part of a service. Istio had lacked a first-class abstraction for these non-containerized workloads, something similar to how Kubernetes treats Pods as the fundamental unit of compute – a named object that serves as the collection point for all things related to a workload – name, labels, security properties, lifecycle status events, etc.
Identity bootstrapping has been a highly anticipated update in Istio. While it has always been possible to bootstrap identity to a VM, it has thus far not proven to be the most user-friendly, or secure, experience. Changes are underway to improve both UX and security, but with this release, most of the progress has been made in security. The process to bootstrap an identity to a VM is still very manual but for users who do this, they’ll see a JWT Token as opposed to a certificate.
Stay tuned for more improvements to the user experience coming through GetEnvoy! GetEnvoy is the open-source project created by Tetrate to make it easier to install and extend the Envoy proxy.
Starting the sidecar before the container
A temporary workaround released in 1.7 ensures that a sidecar that traps traffic is started before the application container. This mitigates a known issue where application containers that were started before the sidecar had crashed because they couldn’t communicate with the outside world.
Simplified certificate management at egress gateways
The overall experience has been simplified by using mTLS to talk to external services. This eliminates the need to mount certificates in the gateway pod and reference them in the DestinationRule. Instead, 1.7 allows users to directly refer to the Kubernetes secrets containing those certificates, in the DestinationRule. These secrets can be rotated without any egress gateway pod downtime.
Improved multi-cluster access control
In multicluster setups without flat networks, you can now use Istio authorization policies at the Ingress gateway of a cluster to allow/disallow traffic from a particular cluster based on the source cluster’s trust domain.
Istioctl updates
Changes to `istioctl` provide two updates to improve the user experience:
- Bootstrapping clusters has been improved by replacing the `istioctl manifest apply` command with `istioctl install`.
- Introduction of `istioctl x uninstall` to uninstall Istio.
Add-on software changes
Istio has extended more control to users to maintain their own versions of software add ons, including Prometheus and Jaeger. This means that users can maintain the updated versions of the software themselves. They can now implement updates and security patching faster because there will be no dependencies on the Istio community.
Updated installation requirements
In order to resolve some existing issues with webhook reliability, Kubernetes 1.16+ is now required for Istio installation. Istio will only support what Kubernetes supports. This update is due to changes in Kubernetes that resulted in previous versions being no longer compatible.
Additional Resources
- For more information read the Istio.io release notes: https://istio.io/news/announcing-1.7.0/
- Visit Tetrate’s library of resources
- Get updates on Twitter
Tetrate offers Istio support through Tetrate Istio Subscription. If you’d like to know more about what Tetrate can do for you, get in touch!
###
If you’re new to service mesh, Tetrate has a bunch of free online courses available at Tetrate Academy that will quickly get you up to speed with Istio and Envoy.
Are you using Kubernetes? Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed by the Kubernetes Gateway API. Learn more ›
Getting started with Istio? If you’re looking for the surest way to get to production with Istio, check out Tetrate Istio Subscription. Tetrate Istio Subscription has everything you need to run Istio and Envoy in highly regulated and mission-critical production environments. It includes Tetrate Istio Distro, a 100% upstream distribution of Istio and Envoy that is FIPS-verified and FedRAMP ready. For teams requiring open source Istio and Envoy without proprietary vendor dependencies, Tetrate offers the ONLY 100% upstream Istio enterprise support offering.
Get a Demo