You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
To get the latest product updates delivered to you, add the URL of this page to your
reader, or add the feed URL directly:
May 17, 2021
1.9.5-asm.2, 1.8.6-asm.3, and 1.7.8-asm.8 are now available.
This release fixes the following security vulnerabilities:
For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
Anthos Service Mesh uses a proxy that is based on OSS Envoy. The Envoy version that the Anthos Service Mesh proxy uses differs by Anthos Service Mesh version, as follows:
April 20, 2021
1.9.3-asm.2, 1.8.5-asm.2, 1.7.8-asm.1, and 1.6.14-asm.2 are now available.
Fixes the security issue, ISTIO-SECURITY-2021-003, with the same fixes as Istio 1.9.3. These fixes were also backported to the specified Anthos Service Mesh versions.
This release updates the envoy versions for the following Anthos Service Mesh versions:
- Anthos Service Mesh version 1.9.3-asm.2 uses envoy v1.17.2.
- Anthos Service Mesh version 1.8.5-asm.2 uses envoy v1.16.3.
- Anthos Service Mesh version 1.7.8-asm.1 uses envoy v1.15.4.
- Anthos Service Mesh version 1.6.14-asm.2 uses envoy v1.14.7.
For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Anthos Service Mesh 1.9.x
- Anthos Service Mesh 1.8.x
- Anthos Service Mesh 1.7.x
- Anthos Service Mesh 1.6.x
Adding multiple private clusters from different projects into a single Mesh on GKE is now available as a generally available (GA) feature.
Adding multiple private clusters from different projects into a single Mesh on GKE is now available as a public preview feature.
April 02, 2021
1.9.2-asm.1 is now available.
This patch release contains the same bug fixes that are in Istio 1.9.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
Anthos Service Mesh user authentication is now available as a public preview feature on installations of 1.9. This feature lets you use existing Identity Providers (IDP) for user authentication and access control to your workloads. For more information, see Configuring Anthos Service Mesh user authentication.
March 29, 2021
The Anthos Service Mesh Topology (beta) page in Cloud Console won't display properly if unsupported versions, including versions earlier than Anthos Service Mesh 1.6.8, are installed on your clusters or if you have disabled the Canonical Service controller in clusters in your project.
Note that the Canonical Service controller is enabled by default on version 1.6.8 and higher. If you did not disable the Canonical Service controller on a supported version, no action is required.
What should I do?
March 04, 2021
Google-managed control plane is now available as a public preview feature. This feature lets you move from managing
istiod in your clusters to configuring the control plane as a service. Google will manage the availability, scalability and security of the control plane.
Using the managed control plane also simplifies multi-cluster mesh configuration and reduces the Kubernetes Engine privileges needed to install Anthos Service Mesh. For more information see Configuring the Google-managed control plane.
Anthos Service Mesh for Compute Engine VMs is now available as a public preview feature. With this new feature you can manage, observe, and secure services running on both Compute Engine Managed Instance Groups and Kubernetes Engine clusters in the same mesh. You can mix and choose the best environment to run your services while enjoying the benefits of Anthos Service Mesh.
This feature also improves security and usability by letting you use Compute Engine service accounts for mTLS authentication to other Compute Engine VMs and Kubernetes Engine Pods. For more information see the documentation.
Anthos Service Mesh 1.5 is no longer supported. For more information see Supported versions.
February 23, 2021
1.8.3-asm.2 is now available.
This patch release contains the same bug fixes that are in Istio 1.8.3. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
February 12, 2021
1.6.14-asm.1 is now available.
This patch release contains a fix for CVE-2021-3156. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
February 02, 2021
1.8.2-asm.2 is now available.
This patch release contains the same bug fixes that are in Istio 1.8.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
install_asm script lets you reinstall the same version
You can use the
install_asm script when you need to reinstall the same Anthos Service Mesh version to change the control plane configuration. For more information, see the following:
January 20, 2021
1.7.6-asm.1 is now available.
This patch release contains the same bug fixes that are in Istio 1.7.6. For details on upgrading Anthos Service Mesh, refer to the following Anthos Service Mesh upgrade guides:
January 12, 2021
1.6.14-asm.0 is now available.
This patch release contains the same bug fixes that are in Istio 1.6.14. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
December 16, 2020
1.8.1-asm.5 is now available.
Multi-cluster support for GKE on-prem Beta
Anthos Service Mesh now supports multi-cluster meshes when running on GKE on-prem. For more information, see Add clusters to Anthos Service Mesh on-prem.
New flags for the install_asm script
install_asm script was enhanced to provide you with more granular control
over the changes that the script makes on your project and GKE on Google Cloud
cluster. For more information, see the
section in the documentation for the script.
Third-party add-ons removed from all profiles
The Prometheus, Grafana, and Kiali add-ons were removed from all Anthos Service
Mesh profiles. For information on why the add-ons were removed, see
Reworking our Addon Integrations. Installation of these third-party add-ons was removed from the 1.8
IstioOperator API, which means that they can't be installed with the
istioctl install command.
For information on installing a demo version of the add-ons, see
Integrating with third-party add-ons.
Note that by default, metrics are still exported to Prometheus in the
asm-multicloud profile. You can optionally enable metrics export to Prometheus in the
Anthos Service Mesh 1.8 isn't supported on Anthos attached clusters and GKE on AWS
Anthos Service Mesh 1.8 currently isn't supported on Anthos attached clusters (Microsoft AKS and Amazon EKS) and GKE on AWS (Amazon EC2). Anthos Service Mesh 1.7 and 1.6 are supported for these environments. For more information, see the following guides:
Reduced permissions required for installation
The permissions required for installation have been scaled back. Testing has shown that the Project Editor role can be replaced with more granular roles. For the complete list, see Permissions required to install Anthos Service Mesh.
November 12, 2020
Anthos Service Mesh, Mesh CA and the Anthos Service Mesh dashboards in Google Cloud Console are now available for any GKE customer and do not require the purchase of Anthos. See pricing for details.
There are slight changes to the behavior of Google Cloud Console for customers who use Anthos Service Mesh without an Anthos subscription. See details here.
Added a shell script to automate Anthos Service Mesh installation and migration from Istio and the Istio on GKE add-on. For details, see the following guides:
November 03, 2020
1.7.3-asm.6 is now available
Added support for on-premises secure key management, provided by Thales Luna HSM 7+ and Hashicorp Vault.
Added a shell script to automate Anthos Service Mesh installation and migration from Istio 1.6. See the installation guide for details.
Added revision label support to sidecar injection for greater control over various scenarios, such as canary upgrades and more.
The beta validation tool asmctl is retired and the lessons learned are built into the new, streamlined Anthos Service Mesh install script.
If you use unsupported Istio features in your Anthos Service Mesh deployment, see Istio upgrade notes for changes that might affect you.
October 13, 2020
1.4.10-asm.19 is now available
You can now allow an experimental feature to exceed 4GB of memory usage.
September 29, 2020
1.6.11-asm.1, 1.5.10-asm.2, and 1.4.10-asm.18
Fixes the security issue, ISTIO-SECURITY-2020-010, with the same fixes as Istio 1.6.11. These fixes were backported to 1.6.11-asm.1, 1.5.10-asm.2 and 1.4.10-asm.18. For more information, see the Istio 1.6.11 release notes.
For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
August 27, 2020
1.6.8-asm.9 is now available
Adds beta support for joining multiple clusters from different projects into a single Anthos Service Mesh on Google Kubernetes Engine.
Adds Citadel CA support for
Fixes an issue for enabling trust domain validation at the transport socket level.
August 14, 2020
1.6.8-asm.0 and 1.5.9-asm.0
Fixes the security issue, ISTIO-SECURITY-2020-009, with the same fixes as Istio 1.6.8 and Istio 1.5.9. For more information, see the Istio release notes:
July 24, 2020
Anthos Service Mesh on GKE on AWS is supported.
For more information, see Installing Anthos Service Mesh on GKE on AWS.
July 22, 2020
1.6.5-asm.7, 1.5.8-asm.7, and 1.4.10-asm.15 are now available
This release provides these features and fixes:
July 10, 2020
1.6.5-asm.1, 1.5.8-asm.0, and 1.4.10-asm.4
Fixes the security issue, ISTIO-SECURITY-2020-008, with the same fixes as Istio 1.6.5 and Istio 1.5.8. These fixes were backported to 1.4.10-asm.4. For more information, see the Istio release notes:
June 30, 2020
1.6.4-asm.9 is now available.
Anthos Service Mesh now supports multi-cluster meshes (beta) when running on GKE on Google Cloud.
Users that configure multiple clusters in their mesh can now see unified, multi-cluster views of their services in the Anthos Service Mesh pages in the Cloud Console. Note that multi-cluster support is in Beta and not all UI features are supported in multi-cluster mode.
ASM 1.6 is supported in a single cluster configuration in Anthos Attached Clusters in the following environments: Amazon Elastic Kubernetes Service (EKS) and Microsoft Azure Kubernetes Service (AKS).
The profile to install ASM in GKE has been renamed from
asm-gcp, see Upgrading Anthos Service Mesh on GKE. The profile to install ASM in GKE on-premise clusters has been renamed from
asm-multicloud, see Upgrading Anthos Service Mesh on premises.
asm-multicloud profile, ASM now installs a complete observability stack (Prometheus, Grafana and Kiali).
Support for cross-cluster load balancing (beta) for your multi-cluster mesh for GKE on Google Cloud.
New installation guides: Installing Anthos Service Mesh on attached clusters and Adding clusters to an Anthos Service Mesh.
Anthos Service Mesh now supports cross-cluster security policies (beta) for your multi-cluster mesh when running on GKE on Google Cloud.
Upgrade from ASM 1.5 to ASM 1.6 without downtime using a dual control plane upgrade.
Known Issue: If you upgrade from Istio to ASM 1.6 and have set SLOs on your service metrics, those SLOs might be lost and need to be recreated after the upgrade.
1.5.7-asm.0 and 1.4.10-asm.3
The vulnerability affects Anthos Service Mesh (ASM) versions 1.4.0 to 1.4.10, 1.5.0 to 1.5.5, and 1.6.4 whether running in Anthos clusters on VMware or on GKE, potentially exposing your application to Denial of Service (DOS) attacks. This vulnerability is referenced in these publicly disclosed Istio security bulletins:
- CVE-2020-12603 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (e.g., 1 byte) data frames.
- CVE-2020-12605 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
- CVE-2020-8663 (CVSS score 7.0, High): Envoy version 1.14.1 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
- CVE-2020-12604 (CVSS score 7.0, High): Envoy through 1.14.1 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.
If you use ASM 1.6.4: * Apply the additional configuration changes specified in ISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.
If you use ASM 1.4.0 to 1.4.10 or 1.5.0 to 1.5.5: * Upgrade your clusters to ASM 1.4.10-asm.3 or ASM 1.5.7-asm.0 as soon as possible and apply the additional configuration changes specified in ISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.
See the following documentation for how to upgrade your Anthos Service Mesh.
June 22, 2020
1.5.6-asm.0 and 1.4.10.asm.2
Contains the same fixes as OSS Istio 1.5.6. Non-critical, minor improvements were also backported to ASM 1.4.10. See Announcing Istio 1.5.6 for more information.
June 15, 2020
Fixes a bug in the
HorizontalPodAutoscaling setting that caused Anthos Service Mesh installations to fail.
June 11, 2020
1.5.5-asm.0 and 1.4.10-asm.1
Fixes the security issue, CVE-2020-11080, with the same fixes as OSS Istio 1.5.5. The security fixes were backported to ASM 1.4.10.
A vulnerability affecting the HTTP/2 library used by Envoy has been fixed and publicly disclosed (c.f. Denial of service: Overly large SETTINGS frames ).
CVE-2020-11080: By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.
HTTP/2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration. HTTP/2 support at ingress can only be disabled if you are not exposing HTTP/2 services that cannot fallback to HTTP/1.1 through ingress. Note that gRPC services cannot fallback to HTTP/1.1.
apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: disable-ingress-h2 namespace: istio-system spec: workloadSelector: labels: istio: ingressgateway configPatches: - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy match: context: GATEWAY listener: filterChain: filter: name: "envoy.http_connection_manager" patch: operation: MERGE value: typed_config: "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager codec_type: HTTP1
For additional information, see ISTIO-SECURITY-2020-006.
May 20, 2020
1.5.4-asm.2 is now available.
1.5.4-asm.2 contains all the same security fixes that are in Anthos Service Mesh 1.4.
Beta release of the Anthos CLI
The Anthos CLI simplifies the installation of Anthos Service Mesh. You can use the Anthos CLI to:
- Create a new cluster that meets the Anthos Service Mesh cluster requirements and install Anthos Service Mesh. See Installing Anthos Service Mesh on a new cluster using the Anthos CLI.
- Update an existing cluster with the options that Anthos Service Mesh requires and install Anthos Service Mesh. See Installing Anthos Service Mesh on an existing cluster using the Anthos CLI.
Port change for automatic sidecar injection
If you are installing Anthos Service Mesh on a private cluster, you must add a firewall rule to open port 15017 if you want to use automatic sidecar injection. In Anthos Service Mesh 1.4, the port used for automatic sidecar injection is 9443.
If you don't add the firewall rule and automatic sidecar injection is enabled, you get an error when you deploy workloads. For details on adding a firewall rule, see Adding firewall rules for specific use cases.
The alpha authentication policy is deprecated
See Updating to the beta security policies for more information.
IstioOperator API replaces
Istio CNI plugin is supported
By default Anthos Service Mesh injects an
istio-init, in pods deployed in the mesh. The
istio-init container sets up the pod network traffic redirection to/from the sidecar proxy. This requires the user or service-account deploying pods to the mesh to have sufficient Kubernetes RBAC permissions to deploy containers with the
NET_RAW capabilities. Requiring users to have elevated Kubernetes RBAC permissions is problematic for some organization's security compliance. The Istio Container Network Interface (CNI) plugin is a replacement for the
istio-init container that performs the same networking functionality but without requiring users to enable elevated Kubernetes RBAC permissions.
The Istio CNI plugin performs the mesh pod traffic redirection in the Kubernetes pod lifecycle's network setup phase, thereby removing the requirement for the
NET_RAW capabilities for users deploying pods into the mesh. The Istio CNI plugin replaces the functionality provided by the
Enabling pod security policies no longer needed
SDS security was improved by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.
May 12, 2020
April 28, 2020
The Anthos Service Mesh dashboard in the Google Cloud Console is generally available for Anthos Service Mesh installations on Google Kubernetes Engine clusters. For more information, see the Observability overview.
April 01, 2020
Contains the same fixes as OSS Istio 1.4.7. See Announcing Istio 1.4.7 for more information.
March 03, 2020
Fixes known security issues with the same fixes as OSS Istio 1.4.6:
- CVE-2020-8659, CVE-2020-8661, CVE-2020-8664, CVE-2020-8660: ISTIO-SECURITY-2020-003
February 28, 2020
Anthos Service Mesh certificate authority (Mesh CA) is generally available for GKE on Cloud.
Mesh CA is a Google managed, highly available and secure service that replaces Citadel for Anthos Service Mesh customers on GKE on Cloud. Mesh CA issues mTLS certificates for workloads running in Anthos Service Mesh.
GKE on premises continues to use Citadel.
The changes to support the Anthos Service Mesh observability features, including the topology graph on the Anthos Service Mesh Dashboard are included in 1.4.5-asm-0.
Note that the Anthos Service Mesh Dashboard itself is still in beta.
Prepare for a breaking change coming in Anthos Service Mesh 1.5
Don't include a
in your authentication polices. Authentication policies that include a
TargetSelector will not be automatically converted to the new version of the Authentication Policy API that will be released in Anthos Service Mesh 1.5. You will have to migrate these authentication policies manually to the new Authentication Policy API. If you don't remove the
TargetSelector, the authentication policies might be ignored without warning in Anthos Service Mesh 1.5.
February 12, 2020
Fixes a known security issue with the same fixes as OSS Istio 1.4.4, as well as improvements from OSS Istio 1.4.3.
December 20, 2019
Anthos Service Mesh is generally available.
This release features a supported, downloadable installation of Anthos Service Mesh for use in your Anthos clusters on-premises or on Google Kubernetes Engine.
The following features remain in beta:
October 28, 2019
Anthos Service Mesh certificate authority Beta.
September 16, 2019
Anthos Service Mesh Beta. * Service Mesh Dashboard for Google Kubernetes Engine clusters * Observability of your services