Istio gets experimental in major update v1.3

The Istio team has declared a “major update” in the shape of v1.3 of the service mesh, which comes with a brace of “experimental” features and a slew of other enhancements.

The first experimental feature is intelligent protocol detection, which addresses a problem with the current setup: a service port has to be named according to Istio’s special port-naming convention in order to declare its protocol explicitly.

“This requirement can cause problems for users that do not name their ports when they add their applications to the mesh,” the team says, so “Starting with 1.3, the protocol for outbound traffic is automatically detected as HTTP or TCP when the ports are not named according to Istio’s conventions.”

The team plans to polish the feature further in upcoming releases, adding support for protocol sniffing on inbound traffic and the ability to identify protocols other than HTTP.
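The convention the new feature works around is the `<protocol>[-<suffix>]` form of Kubernetes Service port names (for example `http-web` or `grpc-api`). The Python below is an added example written for this page, not code from the article or from the Istio project. It classifies each port of a constructed Service manifest by whether its name declares a protocol or whether, under 1.3, it will fall back to outbound sniffing that can only conclude HTTP or TCP. The list of recognised protocol prefixes is an assumption taken from the Istio documentation of that era; check the docs for the version you run.

```python
"""Classify Kubernetes Service ports by whether they declare a protocol under
Istio's <protocol>[-<suffix>] port-naming convention, or whether Istio 1.3 will
have to sniff them (outbound only, and only as HTTP or TCP)."""

# Protocol prefixes recognised by Istio's port-naming convention, as documented
# for Istio releases of the 1.3 era. This list is an assumption of the example
# (the article does not enumerate them); verify it against your version's docs.
# Ordered longest-first so "grpc-web-ui" resolves to grpc-web rather than grpc.
KNOWN_PROTOCOLS = (
    "grpc-web", "http2", "https", "mongo", "mysql", "redis",
    "grpc", "http", "tcp", "tls", "udp",
)


def declared_protocol(port_name):
    """Return the protocol a port name declares, or None if it declares none.

    An unnamed port, or a name such as "metrics" that does not start with a
    known protocol prefix, declares nothing and is left to sniffing in 1.3.
    """
    if not port_name:
        return None
    name = port_name.lower()
    for proto in KNOWN_PROTOCOLS:
        if name == proto or name.startswith(proto + "-"):
            return proto
    return None


def classify_service(service):
    """Describe how Istio 1.3 treats each port of a Service manifest (a dict).

    'declared:<proto>'    the name follows the convention, no sniffing needed
    'sniffed:http-or-tcp' outbound traffic is auto-detected as HTTP or TCP;
                          inbound sniffing is not in 1.3, and non-HTTP
                          protocols (gRPC, TLS, ...) are not yet identified
    """
    report = []
    for port in service["spec"]["ports"]:
        proto = declared_protocol(port.get("name"))
        report.append({
            "port": port["port"],
            "name": port.get("name"),
            "treatment": f"declared:{proto}" if proto else "sniffed:http-or-tcp",
        })
    return report


def ports_relying_on_sniffing(service):
    """Ports a reviewer should rename before depending on 1.3's auto-detection."""
    return [entry for entry in classify_service(service)
            if entry["treatment"].startswith("sniffed")]


# Constructed sample Service (not taken from any real deployment), mixing
# conforming, non-conforming and unnamed ports.
SAMPLE_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "shop"},
    "spec": {
        "selector": {"app": "shop"},
        "ports": [
            {"name": "http-web", "port": 80, "targetPort": 8080},
            {"name": "grpc-web-ui", "port": 8081, "targetPort": 8081},
            {"port": 9090, "targetPort": 9090},                      # unnamed
            {"name": "metrics", "port": 9100, "targetPort": 9100},  # no prefix
            {"name": "tcp-db", "port": 5432, "targetPort": 5432},
        ],
    },
}

if __name__ == "__main__":
    for entry in classify_service(SAMPLE_SERVICE):
        print(f"port {entry['port']:>5} name={entry['name']!s:<12} -> {entry['treatment']}")
```

To run it against a real manifest, load the YAML into the same dict shape and pass it to `ports_relying_on_sniffing`. The ports it returns are the ones where an explicit name still matters: 1.3 sniffs outbound traffic only, and a gRPC or TLS service on an unnamed port will be classified as plain HTTP or TCP rather than what it actually speaks.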

The team also debuted “mixer-less telemetry”, saying, “In this release, we have enhanced the Istio proxy to emit HTTP metrics directly to Prometheus, without requiring the istio-telemetry service to enrich the information.” Over the coming months, they plan to add telemetry support for TCP services “when you enable Istio mutual TLS.”

Other key updates include dropping the requirement that pods “explicitly declare the Kubernetes containerPort for each container as a security measure against trampolining traffic.” The team said the latest version has “a secure and simpler way of handling all inbound traffic on any port into a workload instance without requiring the containerPort declarations.” They also say they have “completely eliminated the infinite loops caused in the IP tables rules when workload instances send traffic to themselves.”

Expert users also get more options for customizing Envoy via tweaks to the EnvoyFilter API. You can see the full list of enhancements, including improvements to control plane monitoring and the delightfully phrased “better support for headless services with Istio mutual TLS”, here.

In other news, Istio has flagged up a vulnerability in the v1.2.4 sidecar image that shipped between August 23 and September 6. “If you have installed Istio 1.2.4 during that time,” it warned, “please consider upgrading to Istio 1.2.5, which also contains additional security fixes.”