You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
You can see the latest product updates for all of Google Cloud on the Google Cloud release notes page.
October 13, 2020
1.4.10-asm.19 is now available
You can now allow an experimental feature to exceed 4GB of memory usage.
September 29, 2020
1.6.11-asm.1, 1.5.10-asm.2, and 1.4.10-asm.18
Fixes the security issue, ISTIO-SECURITY-2020-010, with the same fixes as Istio 1.6.11. These fixes were backported to 1.6.11-asm.1, 1.5.10-asm.2 and 1.4.10-asm.18. For more information, see the Istio 1.6.11 release notes.
For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
August 27, 2020
1.6.8-asm.9 is now available
Adds beta support for joining multiple clusters from different projects into a single Anthos Service Mesh on Google Kubernetes Engine.
Adds Citadel CA support for
Fixes an issue for enabling trust domain validation at the transport socket level.
August 14, 2020
1.6.8-asm.0 and 1.5.9-asm.0
Fixes the security issue, ISTIO-SECURITY-2020-009, with the same fixes as Istio 1.6.8 and Istio 1.5.9. For more information, see the Istio release notes:
July 24, 2020
Anthos Service Mesh on GKE on AWS is supported.
For more information, see Installing Anthos Service Mesh on GKE on AWS.
July 22, 2020
1.6.5-asm.7, 1.5.8-asm.7, and 1.4.10-asm.15 are now available
This release provides these features and fixes:
July 10, 2020
1.6.5-asm.1, 1.5.8-asm.0, and 1.4.10-asm.4
Fixes the security issue, ISTIO-SECURITY-2020-008, with the same fixes as Istio 1.6.5 and Istio 1.5.8. These fixes were backported to 1.4.10-asm.4. For more information, see the Istio release notes:
June 30, 2020
1.6.4-asm.9 is now available.
Anthos Service Mesh now supports multi-cluster meshes (beta) when running on GKE on Google Cloud.
Users that configure multiple clusters in their mesh can now see unified, multi-cluster views of their services in the Anthos Service Mesh pages in the Cloud Console. Note that multi-cluster support is in Beta and not all UI features are supported in multi-cluster mode.
ASM 1.6 is supported in a single cluster configuration in Anthos Attached Clusters in the following environments: Amazon Elastic Kubernetes Service (EKS) and Microsoft Azure Kubernetes Service (AKS).
The profile to install ASM in GKE has been renamed from
asm-gcp, see Upgrading Anthos Service Mesh on GKE. The profile to install ASM in GKE on-premise clusters has been renamed from
asm-multicloud, see Upgrading Anthos Service Mesh on premises.
asm-multicloud profile, ASM now installs a complete observability stack (Prometheus, Grafana and Kiali).
Support for cross-cluster load balancing (beta) for your multi-cluster mesh for GKE on Google Cloud.
New installation guides: Installing Anthos Service Mesh on attached clusters and Adding clusters to an Anthos Service Mesh.
Anthos Service Mesh now supports cross-cluster security policies (beta) for your multi-cluster mesh when running on GKE on Google Cloud.
Upgrade from ASM 1.5 to ASM 1.6 without downtime using a dual control plane upgrade.
Known Issue: If you upgrade from Istio to ASM 1.6 and have set SLOs on your service metrics, those SLOs might be lost and need to be recreated after the upgrade.
1.5.7-asm.0 and 1.4.10-asm.3
The vulnerability affects Anthos Service Mesh (ASM) versions 1.4.0 to 1.4.10, 1.5.0 to 1.5.5, and 1.6.4 whether running in Anthos GKE on-prem or on GKE, potentially exposing your application to Denial of Service (DOS) attacks. This vulnerability is referenced in these publicly disclosed Istio security bulletins:
- CVE-2020-12603 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (e.g., 1 byte) data frames.
- CVE-2020-12605 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
- CVE-2020-8663 (CVSS score 7.0, High): Envoy version 1.14.1 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
- CVE-2020-12604 (CVSS score 7.0, High): Envoy through 1.14.1 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.
If you use ASM 1.6.4:
- Apply the additional configuration changes specified in ISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.
If you use ASM 1.4.0 to 1.4.10 or 1.5.0 to 1.5.5:
- Upgrade your clusters to ASM 1.4.10-asm.3 or ASM 1.5.7-asm.0 as soon as possible and apply the additional configuration changes specified in ISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.
See the following documentation for how to upgrade your Anthos Service Mesh.
June 22, 2020
1.5.6-asm.0 and 1.4.10.asm.2
Contains the same fixes as OSS Istio 1.5.6. Non-critical, minor improvements were also backported to ASM 1.4.10. See Announcing Istio 1.5.6 for more information.
June 15, 2020
Fixes a bug in the
HorizontalPodAutoscaling setting that caused Anthos Service Mesh installations to fail.
June 11, 2020
1.5.5-asm.0 and 1.4.10-asm.1
Fixes the security issue, CVE-2020-11080, with the same fixes as OSS Istio 1.5.5. The security fixes were backported to ASM 1.4.10.
A vulnerability affecting the HTTP/2 library used by Envoy has been fixed and publicly disclosed (cf. Denial of service: Overly large SETTINGS frames).
CVE-2020-11080: By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.
HTTP/2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration. HTTP/2 support at ingress can only be disabled if you are not exposing HTTP/2 services that cannot fall back to HTTP/1.1 through ingress. Note that gRPC services cannot fall back to HTTP/1.1.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: disable-ingress-h2
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: HTTP1
```
For additional information, see ISTIO-SECURITY-2020-006.
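A pre-check for the workaround above, as an added example that is not part of the original release notes: it reads the protocols declared on Istio Gateway servers bound to `istio: ingressgateway` and reports any gRPC server, which would break if the codec were forced to HTTP/1.1. The sample gateways, their names, and the `custom-gateway` label are constructed for illustration.

```python
import json

# The EnvoyFilter above selects workloads labelled istio=ingressgateway.
TARGET_LABEL = ("istio", "ingressgateway")
NO_FALLBACK = {"GRPC"}             # gRPC cannot fall back to HTTP/1.1
NEEDS_REVIEW = {"HTTP2", "HTTPS"}  # may front HTTP/2-only or gRPC backends

def h2_exposure(gateway_list):
    """Split servers on affected Gateways into (blocking, review) findings."""
    blocking, review = [], []
    for gw in gateway_list.get("items", []):
        spec = gw.get("spec", {})
        if spec.get("selector", {}).get(TARGET_LABEL[0]) != TARGET_LABEL[1]:
            continue  # bound to differently labelled proxies (assumed unaffected)
        meta = gw.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for server in spec.get("servers", []):
            port = server.get("port", {})
            proto = str(port.get("protocol", "")).upper()
            finding = (name, port.get("number"), proto)
            if proto in NO_FALLBACK:
                blocking.append(finding)
            elif proto in NEEDS_REVIEW:
                review.append(finding)
    return blocking, review

def safe_to_force_http1(gateway_list):
    """True only when no selected Gateway declares a gRPC server."""
    return not h2_exposure(gateway_list)[0]

# Constructed sample, shaped like `kubectl get gateways.networking.istio.io -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "web"},
  "spec": {"selector": {"istio": "ingressgateway"},
           "servers": [{"port": {"number": 80, "protocol": "HTTP"}, "hosts": ["*"]},
                       {"port": {"number": 443, "protocol": "HTTPS"}, "hosts": ["*"]}]}},
 {"metadata": {"namespace": "shop", "name": "orders-api"},
  "spec": {"selector": {"istio": "ingressgateway"},
           "servers": [{"port": {"number": 8443, "protocol": "GRPC"}, "hosts": ["*"]}]}},
 {"metadata": {"namespace": "lab", "name": "internal"},
  "spec": {"selector": {"istio": "custom-gateway"},
           "servers": [{"port": {"number": 9000, "protocol": "GRPC"}, "hosts": ["*"]}]}}
]}
""")

if __name__ == "__main__":
    blocking, review = h2_exposure(SAMPLE)
    print("blocking:", blocking)
    print("review:", review)
    print("safe to apply codec_type HTTP1:", safe_to_force_http1(SAMPLE))
```

The check only sees declared protocols, so a gRPC backend served through a server declared as HTTP or HTTPS still needs manual review before the filter is applied.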
May 20, 2020
1.5.4-asm.2 is now available.
1.5.4-asm.2 contains all the same security fixes that are in Anthos Service Mesh 1.4.
Beta release of the Anthos CLI
The Anthos CLI simplifies the installation of Anthos Service Mesh. You can use the Anthos CLI to:
- Create a new cluster that meets the Anthos Service Mesh cluster requirements and install Anthos Service Mesh. See Installing Anthos Service Mesh on a new cluster using the Anthos CLI.
- Update an existing cluster with the options that Anthos Service Mesh requires and install Anthos Service Mesh. See Installing Anthos Service Mesh on an existing cluster using the Anthos CLI.
Port change for automatic sidecar injection
If you are installing Anthos Service Mesh on a private cluster, you must add a firewall rule to open port 15017 if you want to use automatic sidecar injection. In Anthos Service Mesh 1.4, the port used for automatic sidecar injection is 9443.
If you don't add the firewall rule and automatic sidecar injection is enabled, you get an error when you deploy workloads. For details on adding a firewall rule, see Adding firewall rules for specific use cases.
The alpha authentication policy is deprecated
See Updating to the beta security policies for more information.
IstioOperator API replaces
Istio CNI plugin is supported
By default Anthos Service Mesh injects an
istio-init, in pods deployed in the mesh. The
istio-init container sets up the pod network traffic redirection to/from the sidecar proxy. This requires the user or service-account deploying pods to the mesh to have sufficient Kubernetes RBAC permissions to deploy containers with the
NET_RAW capabilities. Requiring users to have elevated Kubernetes RBAC permissions is problematic for some organizations' security compliance. The Istio Container Network Interface (CNI) plugin is a replacement for the
istio-init container that performs the same networking functionality but without requiring users to enable elevated Kubernetes RBAC permissions.
The Istio CNI plugin performs the mesh pod traffic redirection in the Kubernetes pod lifecycle's network setup phase, thereby removing the requirement for the
NET_RAW capabilities for users deploying pods into the mesh. The Istio CNI plugin replaces the functionality provided by the
Enabling pod security policies no longer needed
SDS security was improved by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.
May 12, 2020
April 28, 2020
The Anthos Service Mesh dashboard in the Google Cloud Console is generally available for Anthos Service Mesh installations on Google Kubernetes Engine clusters. For more information, see the Observability overview.
April 01, 2020
Contains the same fixes as OSS Istio 1.4.7. See Announcing Istio 1.4.7 for more information.
March 03, 2020
Fixes known security issues with the same fixes as OSS Istio 1.4.6:
- CVE-2020-8659, CVE-2020-8661, CVE-2020-8664, CVE-2020-8660: ISTIO-SECURITY-2020-003
February 28, 2020
Anthos Service Mesh certificate authority (Mesh CA) is generally available for GKE on Cloud.
Mesh CA is a Google-managed, highly available, and secure service that replaces Citadel for Anthos Service Mesh customers on GKE on Cloud. Mesh CA issues mTLS certificates for workloads running in Anthos Service Mesh.
GKE on premises continues to use Citadel.
The changes to support the Anthos Service Mesh observability features, including the topology graph on the Anthos Service Mesh Dashboard, are included in 1.4.5-asm-0.
Note that the Anthos Service Mesh Dashboard itself is still in beta.
Prepare for a breaking change coming in Anthos Service Mesh 1.5
Don't include a TargetSelector in your authentication policies. Authentication policies that include a TargetSelector will not be automatically converted to the new version of the Authentication Policy API that will be released in Anthos Service Mesh 1.5. You will have to migrate these authentication policies manually to the new Authentication Policy API. If you don't remove the TargetSelector, the authentication policies might be ignored without warning in Anthos Service Mesh 1.5.
February 12, 2020
Fixes a known security issue with the same fixes as OSS Istio 1.4.4, as well as improvements from OSS Istio 1.4.3.
December 20, 2019
Anthos Service Mesh is generally available.
This release features a supported, downloadable installation of Anthos Service Mesh for use in your Anthos clusters on-premises or on Google Kubernetes Engine.
The following features remain in beta:
October 28, 2019
Anthos Service Mesh certificate authority Beta.
September 16, 2019
Anthos Service Mesh Beta.
- Service Mesh Dashboard for Google Kubernetes Engine clusters
- Observability of your services