Istio 1.9 opens up to external authorisers, VM support goes to beta


Istio – the service mesh originally developed by Google, IBM and Lyft – has landed in version 1.9, adding alpha support for the Kubernetes Service APIs and promoting VM integration to beta, a step closer to production readiness.

Being able to run VMs as part of a service mesh matters most in larger organisations with complex code bases that can’t easily be migrated to Kubernetes but still need to be integrated with more modern infrastructure. The VM integration has now progressed to beta, and the control plane reads WorkloadEntry resources across multi-cluster installations, so VM auto-registration works in multi-cluster scenarios as well.

Progress has also been made on exposing services through the Kubernetes Service APIs. Supporting these interfaces should make Istio interoperable with other meshes and gateways that implement them, which lowers the cost of switching between implementations. In Istio 1.9 the Service APIs support has alpha status, and the Istio team is working with the Kubernetes networking special interest group to move it forward.

In v1.9, users have a new experimental proxy option called DNS_AUTO_ALLOCATE at their disposal, which controls the automatic allocation of virtual IP addresses for ServiceEntry resources that don’t specify any. This behaviour was previously tied to DNS_CAPTURE; decoupling the two is meant to let users enable sidecar DNS proxying on its own and fix some DNS resolution issues.
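As an added illustration (not taken from the article or from the Istio project’s own documentation), the following IstioOperator fragment shows how both options are set mesh-wide through proxyMetadata, together with a ServiceEntry that has no addresses field and therefore relies on auto-allocation. The hostname, ports and resource names are placeholders chosen for the example.

```yaml
# Added example: mesh-wide proxy settings for sidecar DNS proxying.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        # Have the sidecar answer DNS queries for mesh-known hosts itself.
        ISTIO_META_DNS_CAPTURE: "true"
        # New in 1.9: allocate a VIP for ServiceEntries without addresses.
        # Previously this was implied by DNS_CAPTURE; now it is opt-in.
        ISTIO_META_DNS_AUTO_ALLOCATE: "true"
---
# Added example: a ServiceEntry for an external TCP service.
# No "addresses" field is given, so with DNS_AUTO_ALLOCATE the sidecar
# assigns a VIP and routes traffic for this host by that address
# rather than by the (potentially ambiguous) external IP.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-db          # placeholder name
  namespace: default
spec:
  hosts:
  - db.example.internal      # placeholder hostname
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 5432
    name: tcp-postgres
    protocol: TCP
```

The same two keys can be set per workload with the proxy.istio.io/config annotation instead of mesh-wide. Note that without DNS_AUTO_ALLOCATE, TCP ServiceEntries that share or lack an address cannot be distinguished by the sidecar, which is the failure mode the new option addresses.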

In other traffic management news, gRPC logging can now be enabled with the --log_output_level flag, and the pilot-agent has gained a pprof endpoint to facilitate debugging. Meanwhile, telemetry has been improved by promoting the functionality that classifies requests by type, and by adding canonical service tags to all trace spans for easier information retrieval.

Teams wanting to plug in their own authorisation systems can now do so, as experimental support for external authorisers is available. To get going, an authoriser is defined under extensionProviders in the mesh config, and an AuthorizationPolicy referencing that provider is created with the new value CUSTOM in its action field. The Istio team also added an OIDC JWT authenticator that supports both JWKS-URI and OIDC discovery, and an option to let users enable token exchange for XDS flows.
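To make the two-step setup concrete, here is an added example (not from the article or the Istio project’s own docs) wiring an HTTP external authoriser into the mesh. The provider name, the service address, the workload label and the path in the rule are placeholders chosen for the example.

```yaml
# Added example, step 1: register the external authoriser in the mesh config.
# Istio reads this from the "istio" ConfigMap in istio-system.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    extensionProviders:
    - name: "my-ext-authz-http"                          # placeholder
      envoyExtAuthzHttp:
        service: "ext-authz.foo.svc.cluster.local"       # placeholder
        port: "8000"
        # Only these request headers are forwarded to the authoriser;
        # keep the list minimal so secrets are not leaked needlessly.
        includeHeadersInCheck: ["authorization", "cookie"]
        # Headers the authoriser may add to the upstream request on allow.
        headersToUpstreamOnAllow: ["x-ext-authz-result"]
        # Headers copied back to the client on a deny response.
        headersToDownstreamOnDeny: ["content-type", "set-cookie"]
---
# Added example, step 2: route matching requests through that provider.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin                                       # placeholder
  action: CUSTOM
  provider:
    name: my-ext-authz-http
  # Without rules the policy would send every request to the authoriser;
  # scope it to the paths that actually need the external decision.
  rules:
  - to:
    - operation:
        paths: ["/headers"]
```

Two caveats a practitioner should keep in mind: CUSTOM policies are evaluated before DENY and ALLOW policies on the same workload, so a request the external authoriser rejects is denied regardless of any ALLOW rule, and a request it accepts is still subject to the remaining DENY and ALLOW policies. And the sidecar rejects the request if the external authoriser cannot be reached, so the authoriser’s availability becomes part of the availability of every path routed through it.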

A complete list of changes can be found in the project’s change notes.