The recent release of Istio 1.22 includes a plethora of significant updates. This article shares the new features and application recommendations brought by this release.
Although Ambient mode has now entered the Beta phase, this does not mean we can completely do away with Sidecars. While the Istio official claims that Ambient mode simplifies operations and significantly reduces memory and CPU usage, it still has limitations and potential complexity issues. For example, while Sidecars are eliminated, the introduction of new ztunnel and waypoint components may pose new challenges. For more detailed information about Ambient mode entering Beta, refer to the Istio official blog.
Challenges Introduced by Ambient Mode
For a comparison of Sidecar mode and Ambient mode, see Analysis of Limitations in Istio Ambient Mode.
In the Istio 1.22 release, key APIs related to traffic management, security, and telemetry have officially been upgraded to the v1
version. You only need to change the API version of your existing configuration to v1
, with no other changes needed. These APIs are already mature, and you can safely use the v1
version. For environments requiring high stability, Istio has added validating admission policies to ensure that only v1
APIs and fields can be used in the Istio API.
For example, the following AuthorizationPolicy example.
|
|
Other extension-type APIs such as EnvoyFilter
, WasmPlugin
, ProxyConfig
are still in alpha or beta stages. For more information on API upgrades, please refer to the v1 API blog.
v1
API. For extension-type APIs that are not yet stable, enabling validating admission policies is recommended to ensure system stability.
Gateway API has been updated to version 1.1.0 and is now widely available. This update extends Istio’s traffic management capabilities, but it is important to be cautious of compatibility issues between Istio’s native APIs and the Gateway API when migrating to the new API to avoid relying on features that are not fully mature yet. For more details, check out the Gateway API v1.1 blog.
Istio 1.22 version now has delta xDS enabled by default, which is a mechanism to optimize configuration distribution. Compared to the traditional State of the World (SotW) mode, delta xDS only sends changed configurations to the Envoy proxies, thereby significantly reducing the amount of data transmitted over the network and the resource consumption of the control plane. This change is particularly suitable for large-scale deployment environments with frequent configuration updates, improving the efficiency and performance of configuration updates. Additionally, delta xDS also helps manage configuration updates more efficiently in complex network environments or dynamically changing configurations.
For more on xDS, refer to the Introduction to Envoy xDS and Configuration Distribution Process in Istio.
In Istio 1.22, AuthorizationPolicy
has added support for path templates, greatly enhancing the flexibility and precision of path matching. Prior to this, AuthorizationPolicy
did not support wildcards in path configurations. This feature allows for defining paths in HTTP requests using URI templates based on Envoy, including simple wildcards (*
and **
) or named variables, enabling precise matching of single or multiple path components. For example, the path template /foo/{*}
can match /foo/bar
but not /foo/bar/baz
, while /foo/{**}/
can match any path starting with /foo/
. This flexible path template design is particularly suitable for dynamic and complex routing rules, further strengthening Istio’s security policy toolbox.
The diagram below illustrates the wildcard rules for path matching in AuthorizationPolicy.
For more on the specific applications and rules of path templates, you can refer to Envoy’s official documentation.
AuthorizationPolicy
finally supports templates in path matching, so you no longer need to manually add paths one by one in your configurations.
The Istio 1.22 release introduces several important updates and improvements. Although some features are widely publicized, they require detailed assessment and appropriate testing in practical use. Hopefully, this blog post helps you understand and apply these new features more deeply to achieve the best results in practice.
This blog was initially published at tetrate.io.
Last updated on Nov 22, 2024