Istio 1.8 – A smart DNS proxy takes support for virtual machines a step further

Istio 1.8 is the last version of Istio to be released in 2020. It continues to follow the trade winds and listen to users’ feedback, and brings the following major updates:

  • Supports installation and upgrades using Helm 3
  • Mixer was officially removed
  • Added Istio DNS proxy to transparently intercept DNS queries from applications
  • WorkloadGroup has been added to simplify the integration of virtual machines

WorkloadGroup is a new API object. It is intended to be used with non-Kubernetes workloads such as virtual machines, and is meant to mimic the existing sidecar injection and deployment specification model used for Kubernetes workloads to bootstrap Istio proxies.

Installation and upgrades

Istio now officially supports Helm v3 for installations and upgrades. In previous versions, installation was done with the istioctl command-line tool or the Operator. With version 1.8, Istio supports in-place and canary upgrades with Helm.

Enhancing Istio’s usability

The istioctl command-line tool has a new bug reporting feature (istioctl bug-report), which can be used to collect debugging information and get cluster status.

The way to install add-ons has changed: installing them with istioctl was no longer recommended in 1.7 and has been removed in 1.8, to help solve the problem of add-ons lagging upstream and to make them easier to maintain.

Mixer, the Istio component that had been responsible for policy controls and telemetry collection, has been removed. Its functionalities are now being served by the Envoy proxies. For extensibility, service mesh experts recommend using WebAssembly (Wasm) to extend Envoy, and you can also try the GetEnvoy Toolkit that makes it easier for developers to create Wasm extensions for Envoy. If you still want to use Mixer, you must use version 1.7 or older. Mixer continued receiving bug fixes and security fixes until Istio 1.7. Many features supported by Mixer have alternatives as specified in the Mixer Deprecation document, including the in-proxy extensions based on the Wasm sandbox API.

Support for virtual machines

Istio’s recent upgrades have steadily focused on making virtual machines first-class citizens in the mesh. Istio 1.7 made progress in supporting virtual machines, and Istio 1.8 adds a smart DNS proxy, which is an Istio sidecar agent written in Go. The Istio agent on the sidecar comes with a cache that is dynamically programmed by Istiod DNS Proxy. DNS queries from applications are transparently intercepted and served by an Istio proxy in a pod or VM that intelligently responds to DNS query requests, enabling seamless multi-cluster access from virtual machines to the service mesh.

Istio 1.8 adds a WorkloadGroup, which describes a collection of workload instances. It provides a specification that the workload instances can use to bootstrap their proxies, including the metadata and identity. It is only intended to be used with non-k8s workloads like Virtual Machines, and is meant to mimic the existing sidecar injection and deployment specification model used for Kubernetes workloads to bootstrap Istio proxies. Using WorkloadGroups, Istio has started to help automate VM registration with istioctl experimental workload group.
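As an added illustration (not part of the original article and not taken from the Istio project's own samples), the configuration below shows the DNS proxy setting and a WorkloadGroup side by side, so that the identity a VM presents in the mesh is visible in one place. The resource names, namespace, labels, service account, network name and port are hypothetical, and the strict mutual TLS policy at the end is an assumption about how such a namespace would be locked down.

```yaml
# Added example. All names below (legacy, billing-vm, billing-vm-sa,
# vm-network, port 8080) are hypothetical placeholders.

# 1) Mesh-wide proxy setting that turns on DNS capture in the sidecar agent,
#    so application DNS queries are answered by the Istio agent.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
---
# 2) WorkloadGroup: the template VM instances use to bootstrap their proxy.
#    It plays the role a Deployment's pod template plays for Kubernetes workloads.
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
metadata:
  name: billing-vm
  namespace: legacy
spec:
  metadata:
    labels:
      app: billing              # metadata: matched by selectors like pod labels
  template:
    serviceAccount: billing-vm-sa   # identity: the account the VM's proxy certificate is issued for
    network: vm-network             # network the VMs sit on, for multi-network meshes
    ports:
      http: 8080
---
# 3) Assumed hardening step: require mutual TLS for every workload in the
#    namespace, so VM traffic is only accepted with a mesh-issued identity.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy
spec:
  mtls:
    mode: STRICT
```

The serviceAccount field is the one to review most carefully: every VM that joins through this group is authorized in the mesh as that account, so it should be dedicated to the group rather than shared with unrelated workloads.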

Tetrate, the enterprise service mesh company, uses these VM features extensively in customers’ multicluster deployments to enable sidecars to resolve DNS for hosts exposed at ingress gateways of all the clusters in a mesh, and access them over mutual TLS.

Conclusion

All in all, the Istio team has kept the promise made at the beginning of the year to maintain a regular release cadence of one release every 3 months since the 1.1 release in 2018, with continuous optimizations in performance and user experience for a seamless experience of brownfield and greenfield apps on Istio. We look forward to many more surprises from Istio in 2021.

This article was written by Tetrate’s Jimmy Song, and originally appeared in The New Stack.
