Istio 1.12 learns to keep things local, gets a grip on TCP probes

Istio security

Service mesh Istio is now available in version 1.12, providing users with enhancements meant to make the project more extensible and secure.

Istio 1.12 offers automatic mTLS support for workload-level peer authentication, so that teams no longer have to configure destination rules by hand, and improvements to make sure TLS certificate secret watches don’t use too much memory. It also includes support for using GKE workload certificates as sidecar certs, and a new VERIFY_CERT_AT_CLIENT environment variable to verify server certificates against the OS CA certificates when the DestinationRule caCertificates field isn’t used.
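As an added example (not from the article or the Istio project), the kind of workload-level PeerAuthentication that 1.12’s automatic mTLS now honours on its own, next to the DestinationRule that previously had to be maintained alongside it; the namespace, app label, host and port are assumptions:

```yaml
# Added example; namespace, label, host and port are assumptions.
# Workload-level policy: every connection to pods labelled app=payments
# must use mTLS, except the metrics port, which a scraper running without
# a sidecar still reaches in plaintext. portLevelMtls only takes effect
# on a policy that carries a selector, as this one does.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:
      mode: DISABLE
---
# Before 1.12 the client side had to be told the same thing by hand with a
# DestinationRule like this one (assumed pairing); with 1.12's automatic
# mTLS for workload-level policies it is no longer needed. Keep the
# plaintext exception confined to the single port that requires it.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: payments
  namespace: shop
spec:
  host: payments.shop.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    portLevelSettings:
    - port:
        number: 9090
      tls:
        mode: DISABLE
```

After applying the policy, `istioctl x describe pod <payments-pod>` shows the PeerAuthentication in effect for the workload, which is the quickest way to confirm the STRICT mode and the port-level exception landed as intended.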

In terms of traffic management, Istio’s basic support for Kubernetes multi-cluster services has been extended. The implementation now makes sure requests to the cluster.local host are only routed to endpoints in the same cluster as the client. To enable this behaviour, the flags ENABLE_MCS_CLUSTER_LOCAL, ENABLE_MCS_HOST and ENABLE_MCS_SERVICE_DISCOVERY have to be set, since the feature is still experimental at this point.

The service mesh also gained the capability to have the Envoy proxy leave the connection draining process early when active connections reach 0 before the configured drainDuration has elapsed, and a failoverPriority load balancing traffic policy. The latter can be used to give Istio an ordered list of labels by which endpoints are sorted for priority-based load balancing should resources be scarce. Other new additions include support for the v1alpha2 version of the gateway-api, creating mirrored QUIC listeners for non-passthrough HTTPS listeners at gateways, and a validator for empty regex matches in VirtualService.

To make the functionality of Istio proxies easier to extend, the Istio team decided to add a WebAssembly API to the project earlier this year. Version 1.12 comes with an initial version of the corresponding implementation. It is currently able to read the WasmPlugin CRD, push updates through ECDS, deploy various filters, and fetch OCI containers. Functionality for image pull requests and signature verification is said to be planned for one of the upcoming releases.

Istio’s command-line utility istioctl received a couple of fixes as well: it should now accept a URL to a release tar for the --manifests argument and give more precise error location information when using istioctl analyze. It has also been reworked to include pre-checks for detecting Alpha Annotations, a po alias for pod (like the one available in kubectl), and a watchedNamespaces argument for istioctl operator dump to specify the namespaces the operator controller watches. Details can be found on the Istio website.

Users who have set up TCP probes in previous versions might see those (correctly) failing after upgrading their systems to the latest Istio release. This is down to the team behind the service mesh fixing an implementation issue which meant that TCP health checks on ports always succeeded, whatever the state of the port. In version 1.12, Istio uses the same approach already used for HTTP probes, which should correct the old behaviour.