Istio launched version 1.10 last month. Key new features include discovery selectors, revision tags, and sidecar networking changes to improve day-two operations for Istio users.
Discovery selectors are arrays of Kubernetes selectors that apply to labels on namespaces, allowing Istio to watch for a particular set of namespaces. In prior versions, Istio watched for all Kubernetes resources, which can lead to scalability issues in large clusters or clusters with frequent configuration changes.
Revision tags in Istio 1.10 support safely deploying multiple control planes, as in previous releases, but without the burden of frequently relabeling namespaces to change revisions. This adds a new layer of indirection in which a user can create tags like canary and prod, label namespaces using those tags as the revision (i.e., istio.io/rev=prod), and link a specific istiod revision with that tag. This is an experimental feature as of this writing.
Sidecar networking changed in Istio 1.10: the Envoy proxy now sends traffic by default to applications on eth0 (a physical ethernet interface) rather than lo (a virtual network interface called the loopback device). For new users, this should be an improvement with no impact. However, for existing users some pods might be impacted, and a precheck using the command istioctl experimental precheck is recommended.
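To show what "bound exclusively to localhost" looks like from inside a pod, the following Python sketch (an added example, not code from the article, the Istio project, or istioctl's precheck) parses /proc/net/tcp and reports ports whose only listeners are on loopback. The sample table is constructed, and the ignored ports 15000 and 15004 are an assumption about the sidecar's own loopback listeners in a default install.

```python
import ipaddress
import struct

# Constructed /proc/net/tcp sample (columns after "st" trimmed for brevity).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 0100007F:1F90 00000000:0000 0A
   1: 00000000:0050 00000000:0000 0A
   2: 0500F40A:2382 00000000:0000 0A
   3: 0100007F:9C40 0100007F:1F90 01
   4: 0100007F:3A98 00000000:0000 0A
"""

def listeners(proc_net_tcp):
    """Yield (ip, port) for every IPv4 socket in LISTEN state (st == 0A)."""
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address as a host-order u32; this assumes a
        # little-endian host (x86-64, arm64), so repack it into network order.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
        yield ip, int(hex_port, 16)

def loopback_only_ports(proc_net_tcp, ignore_ports=frozenset({15000, 15004})):
    """Return ports whose listeners are all on 127.0.0.0/8.

    ignore_ports is an assumption: ports taken to be the sidecar's own
    loopback listeners rather than the application's.
    """
    by_port = {}
    for ip, port in listeners(proc_net_tcp):
        by_port.setdefault(port, []).append(ip)
    return sorted(
        port for port, ips in by_port.items()
        if port not in ignore_ports and all(ip.is_loopback for ip in ips)
    )

if __name__ == "__main__":
    # Inside a pod, read the real table instead of the constructed sample:
    #   open("/proc/net/tcp").read()
    for port in loopback_only_ports(SAMPLE_PROC_NET_TCP):
        print(f"port {port}: listens on loopback only; review before upgrading")
```

In the sample, port 8080 is flagged, while port 80 (wildcard bind) and port 9090 (pod IP bind) are not; IPv6 listeners in /proc/net/tcp6 are outside this sketch.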
InfoQ interviewed Sam Naser, who is a software engineer at Google and one of the release managers of the Istio project. He stated that the Istio team continued to emphasize stability and bring existing features to a point of maturity, a similar focus to the 1.9 release.
InfoQ: Can you talk about the challenges of being a release manager?
Sam Naser: Being a release manager is mostly just knowing who to poke about problems and making sure all the right boxes get checked for the release to get out the door on time. Special thanks to Eric Van Norman and Brian Avery from the Test and Release Working Group for being massively involved and helpful even though they weren't technically release managers for 1.10.
InfoQ: Can you elaborate on the sidecar networking changes? In particular, are application developers using prior versions of Istio impacted?
Naser: On older versions of Istio the sidecar would intercept pod traffic and forward it to the user application on localhost. Users had to make sure their apps were listening on localhost for things to work. Starting with 1.10, the sidecar will redirect traffic to eth0. This change makes Istio work out of the box with popular stateful applications like Zookeeper or Elasticsearch, but to that end, user applications that are bound exclusively to localhost will have to be modified. We added a command to catch this automatically and make the migration easier. More details on that can be found on the Istio blog.
InfoQ: Are you planning to continue quarterly releases moving forward?
Naser: There is active discussion around moving Istio to three releases per year in the future and extending the support window. This decision has not yet been finalized and is still being fleshed out.
Istio is a platform-independent open source service mesh that simplifies observability, traffic management, security, and policy for cloud-native applications. The project was started by teams from Google and IBM in partnership with the Envoy team from Lyft.
More details of the Istio 1.10 release can be found on the release change notes page.