Istio Release 1.5

Timeline

All dates are tentative

• January 24th Code freeze
• February 18th Community Testing Day 1
• February 25th Community Testing Day 2
• March 5th 1.5.0 release date

Release Managers

• Francois Pesce @fpesce
• Mariam John @johnma14
• Daniel Grimm @dgn

Release Notes Draft

Available to the community here

For any new, user facing changes targeting Istio 1.5, please add a note below. Examples can be found from the previous release: https://istio.io/news/2019/announcing-1.3/#release-notes

Traffic Management:

• Added support for configuring locality load balancing settings in Destination Rule (https://github.com/istio/istio/pull/18406)
• Enable protocol sniffing on inbound traffic by default (https://github.com/istio/istio/pull/18666)
• Enhance Pilot to send only partial XDS updates when config changes (https://github.com/istio/istio/pull/18354)
• Enhance Envoy readiness probe (TODO Rama Chavali)
• Optimize EDS pushes (https://github.com/istio/istio/pull/18412)
• Virtual Service, Destination Rule, Gateway, Sidecar and Service Entry APIs now support the v1beta1 version (https://github.com/istio/api/pull/1232)

Security:

• Graduated SDS to stable and enabled by default. It provides identity provisioning for Istio Envoy proxies.
• Added Beta authentication API. The new API separates peer (i.e mutual TLS) and origin (JWT) authentication into PeerAuthentication and RequestAuthentication respectively. Both new APIs are workload-oriented, as opposed to service-oriented in alpha AuthenticationPolicy.
• Added deny semantics to Authorization Policy
• Graduated auto mutual TLS from alpha to beta. This feature is now enabled by default.
• Improved SDS security by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.
• Improved Istio by including certificate provisioning functionality within istiod.
• Added Support Kubernetes first-party-jwt as a fallback token for CSR authentication in clusters where third-party-jwt is not supported.
• Added Support Istio CA and Kubernetes CA to provision certificates for the control plane, configurable via values.global.pilotCertProvider.
• Added Istio Agent provisions a key and certificates for Prometheus.

Telemetry:

Policy:

Configuration Management:

Installation & Upgrades:

Istioctl and Kubectl:

Others:

• Use golang implementation for istio-iptables instead of bash script (https://github.com/istio/istio/pull/18962)
• Return an error upon fail to obtain pod info (https://github.com/istio/cni/pull/223)

How do I get my changes into the release?

On January 21st, the release-1.5 branch will be created, based on master. Any changes on master before this date will be included in the release. Any changes after will have to be cherry picked.

To get a PR merged into the release branch, it must first be merged into the master branch. PRs can automatically be cherrypicked by typing by adding the cherrypick/release-1.5 label to the PR.

A PR on the release branch will only be approved if:

• The change is already on master.
  • exception: if a change only applies to the release branch, and should not go to master, a change can be submitted directly to the release branch, but please note this in the PR description.
• The change is a bug fix, documentation enhancement, or testing enhancement.
  • Changes that are risky may require a feature flag, especially after the 1.5.0 release.
  • Any change not meeting the above, such as a new feature or API, may require TOC approval.

Note: on the istio.io repo, changes should go directly to master until after the 1.5.0 launch. The changes will appear on preliminary istio.io.