Prepare releasenotes for Istio 1.25 #16257
Signed-off-by: Faseela K <faseela.k@est.tech>
@kfaseela: The following test failed, say
Didn't exhaustively review, but generally this is looking good
This enables the new iteration of [IP auto-allocation](/docs/ops/configuration/traffic-management/dns-proxy/#address-auto-allocation),
fixing long-standing issues around allocation instability, ambient support, and increased visibility.
`ServiceEntry` objects without `spec.address` set will now see a new field, `status.addresses`, automatically set.
Note these will not be used unless proxies are configured to do DNS proxying, which remains off-by-default.
"Promoted the cni.ambient.dnsCapture value to default to true" means that for ztunnel dnsCapture will work out of the box, so the "off-by-default" only applies to envoy-based proxies.
**Deprecated** `traffic.sidecar.istio.io/kubevirtInterfaces`, in favor of `istio.io/reroute-virtual-interfaces`
([Issue #49829](https://github.com/istio/istio/issues/49829))
- **Added** support for attaching policy defaults for istio-waypoint by targetting the GatewayClass.
- **Added** support for attaching policy defaults for istio-waypoint by targetting the GatewayClass. | |
- **Added** support for attaching policy defaults for istio-waypoint by targeting the GatewayClass. |
Seems like this is probably my own typo
cc @keithmattix @bleggett @howardjohn @zirain @therealmitchconnors I am trying to add the highlights section. If you want me to pick any specific items from the change notes to be highlighted, please share.
I can write up a blurb on "improved locality load balancing" in the next few days
- **Added** `ambient.reconcileIptablesOnStartup` field in the `istio-cni` chart and the corresponding `AMBIENT_RECONCILE_POD_RULES_ON_STARTUP` flag
to control whether the ambient CNI agent should reconcile the iptables of pods at startup.
- **Added** `ambient.reconcileIptablesOnStartup` field in the `istio-cni` chart and the corresponding `AMBIENT_RECONCILE_POD_RULES_ON_STARTUP` flag | |
to control whether the ambient CNI agent should reconcile the iptables of pods at startup. |
this is redundant with the below entry (the PRs were separate so the release notes entries are also, but for the published doc only need to say it once IMO)
DNS proxying is enabled by default for ambient workloads in this release. Note that only new pods will have DNS enabled, existing pods will not have their DNS traffic captured.
To enable this feature for existing pods, existing pods must either be manually restarted, or alternatively the iptables reconcilation feature can be enabled when upgrading
`istio-cni` via `--set cni.ambient.reconcileIptablesOnStartup=true` which will reconcile existing pods automatically on upgrade.
`istio-cni` via `--set cni.ambient.reconcileIptablesOnStartup=true` which will reconcile existing pods automatically on upgrade. | |
`istio-cni` via `--set cni.ambient.reconcileIptablesOnStartup=true` which will reconcile existing pods automatically on upgrade. Individual pods may opt-out of global ambient DNS capture by applying the`ambient.istio.io/dns-capture=false` annotation. | |
Note that setting this to `false` will break some Istio features, such as ServiceEntries and egress waypoints, but may be desirable for workloads that interact poorly with DNS proxies. |
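Review bot: the sentence added on the second line is missing a space after "the" in "the`ambient.istio.io/dns-capture=false`"; it should read "the `ambient.istio.io/dns-capture=false` annotation" so the inline code renders. The third line's caveat that opting out breaks ServiceEntries and egress waypoints is the right thing to keep next to the opt-out, since a reader choosing the annotation for a DNS-sensitive workload needs to know what they lose.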
makes sense to mention the opt-out mechanism in the same breath as the global flag (which I did not do in the original upgrade note)
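As an added example (not from this PR or the Istio project's own files), the two settings this thread discusses in manifest form: the `istio-cni` chart value that reconciles existing pods' iptables on upgrade, and the per-pod annotation that opts a workload out of ambient DNS capture. The value name follows the `ambient.reconcileIptablesOnStartup` chart field quoted above; the namespace, pod and image names are assumed.

```yaml
# Added example; names are assumed, not taken from the PR.
# istio-cni chart values file. This is the same setting the PR passes as
#   --set cni.ambient.reconcileIptablesOnStartup=true
# when installing through the umbrella chart.
ambient:
  # Existing pods get their DNS capture rules reconciled when the upgraded
  # CNI agent starts, so no rolling restart is needed to pick up the default.
  reconcileIptablesOnStartup: true
---
# A workload that must keep using its own resolver opts out per pod.
# Trade-off stated in the thread: without DNS capture this pod loses
# ServiceEntry resolution and egress-waypoint routing.
apiVersion: v1
kind: Pod
metadata:
  name: legacy-resolver-client      # assumed name
  namespace: payments               # assumed ambient-enrolled namespace
  annotations:
    ambient.istio.io/dns-capture: "false"
spec:
  containers:
  - name: app
    image: example.com/legacy-app:1.0   # placeholder image
```

Pods without the annotation in the same namespace keep the new default, so the opt-out stays scoped to the workload that needs it.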
## What’s new?

### Ambient mode enhancements
### Ambient mode enhancements | |
### Ambient mode enhancements | |
- DNS proxying enabled by default for Ambient pods, allowing ServiceEntries and egress gateway routing to work by default. | |
- Default-deny policy for waypoints via GatewayClass `targetRef`. | |
- Ability to enforce L4 policy against the waypoint proxy instance itself. | |
- Support for per-pod traffic customization around virtual interfaces and DNS capture | |
- `istio-cni` Daemonset can now be safely upgraded in-place in an active cluster, without requiring a node cordon to prevent pods spawned during the upgrade process from escaping ambient traffic capture. |
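Review bot: the fourth bullet ("Support for per-pod traffic customization around virtual interfaces and DNS capture") lacks the terminating period the other bullets have, and "Daemonset" in the last bullet should be "DaemonSet" to match the Kubernetes kind name.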
Maybe mention enhanced policy options for waypoint:
- default deny policy for waypoint by targetRef=gtwclass
- assert L4 policy against the workload implementing the waypoint
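The first of the two policy options above, written out as an added example (not from this PR or the Istio project's own docs): a mesh-wide default deny attached to the `istio-waypoint` GatewayClass, paired with a namespace-scoped allow attached to one waypoint Gateway. Assumptions: `istio-system` is the mesh root namespace, `payments` has a waypoint Gateway named `waypoint`, and the caller identity is made up.

```yaml
# Added example; namespace, gateway and principal names are assumed.
# Mesh-wide default: attaches to the GatewayClass, so every waypoint of
# that class inherits it. An ALLOW policy with no rules matches nothing,
# which is how Istio expresses deny-all.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: waypoint-default-deny
  namespace: istio-system          # root namespace (assumed), applies mesh-wide
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: GatewayClass
    name: istio-waypoint
  action: ALLOW
---
# Per-namespace exception: open only what this waypoint's services need.
# Any matching ALLOW policy admits the request, so this narrows the
# default deny without weakening it for other namespaces' waypoints.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend-to-checkout
  namespace: payments              # assumed namespace
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: waypoint                 # assumed waypoint Gateway name
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/web/sa/frontend"]   # assumed identity
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/checkout/*"]
```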
Yep, I was just suggesting what I knew, I'll add those to this suggestion.
cc @whitneygriffith , could you please share some inputs about the http 1.1 header case preservation documentation which you have done? Wanted to add to the release notes
{{< /tip >}}

## What’s new?
Zonal routing enhancements
Whether for reliability, performance, or cost reasons, controlling cross-zone and cross-region traffic is often an important day-2 operation for users.
With Istio 1.25, this just gets even easier!
- The Kubernetes Traffic distribution feature is now fully supported, offering a simplified interface to keep traffic local. The existing Istio locality load balancing remains for more complex use cases.
- Ztunnel will now report the additional `source_zone`, `source_region`, `destination_zone`, and `destination_region` labels to all metrics, giving a clear view of cross-zonal traffic.
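The "simplified interface" the comment refers to is the Kubernetes `spec.trafficDistribution` field on a Service; as an added example (not from this PR or the Istio docs), a Service that asks for zone-local endpoints first. The service, namespace and selector names are assumed.

```yaml
# Added example; names are assumed.
apiVersion: v1
kind: Service
metadata:
  name: checkout
  namespace: payments              # assumed namespace
spec:
  selector:
    app: checkout                  # assumed selector
  ports:
  - port: 8080
    targetPort: 8080
  # PreferClose is the value Kubernetes defines for this field: route to
  # endpoints in the caller's zone while any are available, otherwise fall
  # back to the rest. Istio 1.25 honours it for mesh traffic, so cross-zone
  # hops show up only in the new source_zone / destination_zone metric labels
  # when the local zone has no healthy endpoint.
  trafficDistribution: PreferClose
```

Workloads that need weighted or multi-region failover beyond zone preference still use Istio's locality load balancing settings, as the comment notes.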
### Ambient mode enhancements

### DNS auto-allocation improvements
DNS proxying is now enabled by default for ambient workloads. | |
This enhances performance and security, as well as enabling [egress traffic controls](https://ambientmesh.io/docs/traffic/mesh-egress/#egress-gateways). | |
Along with this change comes a few advanced per-pod customization around traffic captured, including during off DNS capture for specific workloads if necessary; check out the change notes for more information. |
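Review bot: "including during off DNS capture" on the third line reads like a typo for "including turning off DNS capture", and "Along with this change comes a few" should be "come a few" to agree with the plural subject; suggest "Along with this change come a few advanced per-pod customizations around traffic capture, including turning off DNS capture for specific workloads if necessary".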
Description
Early draft for 1.25 release notes, so that we can take inputs from WG leads to reword things better.