Release notes

This page documents production updates to Istio on GKE. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/istio-on-gke-release-notes.xml

Istio 1.2.10-gke.0

Fixes a known security issue with the same fixes as OSS Istio 1.2.10, as well as improvements and fixes from OSS Istio 1.2.8 and Istio 1.2.9.

Istio 1.1.17-gke.0

Istio 1.2.7-gke.0

This release has a known security issue that can leave clusters vulnerable. We recommend upgrading to a version of GKE that will install Istio 1.2.10.

Fixes a known security issue with the same fixes as OSS Istio 1.2.7, as well as bug fixes from OSS Istio 1.2.6.

Istio 1.1.16-gke.0

This release has a known security issue that can leave clusters vulnerable. We recommend upgrading to a version of GKE that will install Istio 1.1.17.

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Fixes a known security issue with the same fixes as OSS Istio 1.1.16, as well as security updates from OSS Istio 1.1.14, and an Envoy crash bug fix from OSS Istio 1.1.15

Istio 1.1.13-gke.0

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Has the known issues addressed in these releases: https://istio.io/about/notes/1.1.8/, https://istio.io/about/notes/1.1.9/, https://istio.io/about/notes/1.1.10/

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Fixes a known security issue with the same fixes as OSS Istio version 1.1.13.

Istio 1.0.9-gke.0

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Istio 1.1.10-gke.0

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Istio 1.1.7-gke.0

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Fixes a known security issue from version 1.1.3-gke.0.

Stackdriver tracing is disabled by default.

This version does not have a pod disruption budget. See notes on upgrading from Istio 1.1.3.

Istio 1.1.3-gke.0

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Upgrades Istio to version 1.1.3. See notes on upgrading from 1.0 versions of Istio.

Istio 1.0.6-gke.3

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Fixes a known security issue with the same fixes as OSS Istio version 1.0.7. New clusters will use this version by default when announced on the GKE security bulletins page, expected mid April 2019. If you create a new cluster with Istio on GKE before then, make sure to select a recommended GKE version to get this version of the add-on. Existing users should upgrade to the latest patched version of GKE as soon as possible.

Find out more in this security bulletin.

Istio 1.0.6-gke.1

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Fixes to all known issues in 1.0.3-gke.3a.

Upgrades Istio to version 1.0.6. See the Istio 1.0.6 release notes for more information.

Istio 1.0.3-gke.3b

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Fixes to all known issues in 1.0.3-gke.3a.

Istio 1.0.3-gke.3a

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Fixes to all known issues in 1.0.3-gke.0.

All ConfigMaps are now read-only, since these may change during upgrade.

Stackdriver logging and tracing are enabled by default. However, please see the release issue below for current memory issues with tracing.

Istio on GKE's internal prometheus (used for internal metrics) is renamed to promsd to avoid confusion.

Stackdriver tracing can consume too much memory in telemetry pods and should be disabled for now.

Istio 1.0.3-gke.0

Depending on when the cluster was first created, may have a root certificate that will expire soon. Please follow the instructions to check the expiration date and, optionally, extend the life of your root certificate.

Updating an existing cluster Istio config between MTLS_STRICT and PERMISSIVE doesn't work.

Setting the --enable-stackdriver-kubernetes flag prevents the Istio Stackdriver adapter from being installed, leading to no Stackdriver metrics being published.

Mixer outputs logs to the local machine via the stdio adapter by default, which can consume large amounts of CPU.

If you are using Stackdriver with Istio 1.0.3 (the version used in this release of Istio on GKE for initial Istio installation), you can only use a single instance of Istio-Telemetry in your control plane. If you use multiple instances, telemetry data can be lost. To make sure your Stackdriver support continues to work smoothly, do the following:

  • Ensure only one instance of Istio-Telemetry is running by setting the Istio-Telemetry HorizontalPodAutoscaler maxReplicas value to 1.
    kubectl edit -n istio-system HorizontalPodAutoscalers/istio-telemetry
          
  • Make sure that your Istio-Telemetry resources are sufficient for one instance to handle the load from the entire cluster
     kubectl edit -n istio-system Deployments/istio-telemetry