Istio 1.9 opens up to external authorisers, VM support goes to beta

Istio security
Istio security

Istio – the service mesh developed by Google – has landed in version 1.9, finally getting Kubernetes Service API support going and VM integration closer to being production ready.

Having capabilities to run VMs as part of a service mesh is especially important in larger organisations with complex code bases that can’t be easily migrated but need to be integrated with more modern infrastructure nonetheless. The current iteration has progressed to beta and now reads WorkloadEntry resources across multi-cluster installations, making VM auto-registration work in multi-cluster scenarios.

Progress has also been made regarding functionality to allow the exposure of services using Kubernetes Service APIs. This should help make the mesh compatible with others supporting these interfaces, which might make it more of an option for switching. In Istio 1.9, the API support has gained alpha status, though Google is looking for help from the Kubernetes special interest group working on networking to move it forward.

In v1.9, users have a new experimental proxy option called DNS_AUTO_ALLOCATE at their disposal, which can be used to control the automatic allocation of ServiceEntry addresses. This functionality was earlier bound to DNS_CAPTURE and the decoupling is expected to be useful to fix some issues with DNS resolving. 

Advertisement

In other traffic management news, gRPC logging can now be enabled using –log_output_level, and the pilot-agent has been fitted with a pprof endpoint to facilitate debugging. Meanwhile telemetry has been improved by promoting functionality to classify requests based on their type, and adding canonical service tags to all trace spans for easier information retrieval. 

Teams wanting to use their own authorisation systems are in luck as experimental support for this is available. To get going, an authorizer in the mesh config’s extension provider has to be defined and the new value CUSTOM has to be set in the action field. The Istio team also added a OIDC JWT authenticator that supports both JWKS-URI and OIDC discovery, and an option to let users enable token exchange for XDS flows.

A complete list of changes can be found in the project’s change notes.

- Advertisement -