Anthos Service Mesh 1.6

Release notes

This page contains release notes for each version of Anthos Service Mesh.

You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud release notes page.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/servicemesh-release-notes.xml

October 13, 2020

1.4.x

1.4.10-asm.19 is now available

You can now allow an experimental feature to exceed 4GB of memory usage.

September 29, 2020

1.6.x & 1.4.x & 1.5.x

1.6.11-asm.1, 1.5.10-asm.2, and 1.4.10-asm.18

Fixes the security issue, ISTIO-SECURITY-2020-010, with the same fixes as Istio 1.6.11. These fixes were backported to 1.6.11-asm.1, 1.5.10-asm.2 and 1.4.10-asm.18. For more information, see the Istio 1.6.11 release notes.

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

1.6

1.5

1.4

August 27, 2020

1.6.x

1.6.8-asm.9 is now available

Adds beta support for joining multiple clusters from different projects into a single Anthos Service Mesh on Google Kubernetes Engine.

Adds Citadel CA support for gcp profiles.

Fixes an issue for enabling trust domain validation at the transport socket level.

August 14, 2020

1.6.x & 1.5.x

1.6.8-asm.0 and 1.5.9-asm.0

Fixes the security issue, ISTIO-SECURITY-2020-009, with the same fixes as Istio 1.6.8 and Istio 1.5.9. For more information, see the Istio release notes:

July 24, 2020

1.6.x

Anthos Service Mesh on GKE on AWS is supported.

For more information, see Installing Anthos Service Mesh on GKE on AWS.

July 22, 2020

1.6.x

1.6.5-asm.7, 1.5.8-asm.7, and 1.4.10-asm.15 are now available

This release provides these features and fixes:

  • Builds Istiod (Pilot), Citadel Agent, Pilot Agent, Galley, and Sidecar Injector with Go+BoringCrypto.
  • Builds Istio Proxy (Envoy) with the --define boringssl=fips option.
  • Ensures the components listed above use FIPS-compliant algorithms.

July 10, 2020

1.6.x

1.6.5-asm.1, 1.5.8-asm.0, and 1.4.10-asm.4

Fixes the security issue, ISTIO-SECURITY-2020-008, with the same fixes as Istio 1.6.5 and Istio 1.5.8. These fixes were backported to 1.4.10-asm.4. For more information, see the Istio release notes:

June 30, 2020

1.6.x

1.6.4-asm.9 is now available.

ASM 1.6 is compatible with and has the feature set of Istio 1.6 (see Istio release notes), subject to the list of ASM Supported Features.

Anthos Service Mesh now supports multi-cluster meshes (beta) when running on GKE on Google Cloud.

Users that configure multiple clusters in their mesh can now see unified, multi-cluster views of their services in the Anthos Service Mesh pages in the Cloud Console. Note that multi-cluster support is in Beta and not all UI features are supported in multi-cluster mode.

ASM 1.6 is supported in a single cluster configuration in Anthos Attached Clusters in the following environments: Amazon Elastic Kubernetes Service (EKS) and Microsoft Azure Kubernetes Service (AKS).

The profile to install ASM in GKE has been renamed from asm to asm-gcp, see Upgrading Anthos Service Mesh on GKE. The profile to install ASM in GKE on-premise clusters has been renamed from asm-onprem to asm-multicloud, see Upgrading Anthos Service Mesh on premises.

In the asm-multicloud profile, ASM now installs a complete observability stack (Prometheus, Grafana and Kiali).

Support for cross-cluster load balancing (beta) for your multi-cluster mesh for GKE on Google Cloud.

Anthos Service Mesh now supports cross-cluster security policies (beta) for your multi-cluster mesh when running on GKE on Google Cloud.

Upgrade from ASM 1.5 to ASM 1.6 without downtime using a dual control plane upgrade.

Known Issue: If you upgrade from Istio to ASM 1.6 and have set SLOs on your service metrics, those SLOs might be lost and need to be recreated after the upgrade.

1.4.x & 1.5.x

1.5.7-asm.0 and 1.4.10-asm.3

Fixes the security issue, ISTIO-SECURITY-2020-007, with the same fixes as Istio 1.6.4. For information, see the Istio release notes.

Description

The vulnerability affects Anthos Service Mesh (ASM) versions 1.4.0 to 1.4.10, 1.5.0 to 1.5.5, and 1.6.4 whether running in Anthos GKE on-prem or on GKE, potentially exposing your application to Denial of Service (DOS) attacks. This vulnerability is referenced in these publicly disclosed Istio security bulletins:

  • ISTIO-SECURITY-2020-007:
    • CVE-2020-12603 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (e.g., 1 byte) data frames.
    • CVE-2020-12605 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
    • CVE-2020-8663 (CVSS score 7.0, High): Envoy version 1.14.1 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
    • CVE-2020-12604 (CVSS score 7.0, High): Envoy through 1.14.1 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.

Mitigation

If you use ASM 1.6.4: * Apply the additional configuration changes specified in ISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.

If you use ASM 1.4.0 to 1.4.10 or 1.5.0 to 1.5.5: * Upgrade your clusters to ASM 1.4.10-asm.3 or ASM 1.5.7-asm.0 as soon as possible and apply the additional configuration changes specified in ISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.

June 22, 2020

1.4.x & 1.5.x

1.5.6-asm.0 and 1.4.10.asm.2

Contains the same fixes as OSS Istio 1.5.6. Non-critical, minor improvements were also backported to ASM 1.4.10. See Announcing Istio 1.5.6 for more information.

June 15, 2020

1.5.x

1.5.5-asm.2

Fixes a bug in the istioctl HorizontalPodAutoscaling setting that caused Anthos Service Mesh installations to fail.

June 11, 2020

1.4.x & 1.5.x

1.5.5-asm.0 and 1.4.10-asm.1

Fixes the security issue, CVE-2020-11080, with the same fixes as OSS Istio 1.5.5. The security fixes were backported to ASM 1.4.10.

Description

A vulnerability affecting the HTTP/2 library used by Envoy has been fixed and publicly disclosed (c.f. Denial of service: Overly large SETTINGS frames ).

CVE-2020-11080: By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.

Mitigation

HTTP/2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration. HTTP/2 support at ingress can only be disabled if you are not exposing HTTP/2 services that cannot fallback to HTTP/1.1 through ingress. Note that gRPC services cannot fallback to HTTP/1.1.


apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: disable-ingress-h2
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: HTTP1

For additional information, see ISTIO-SECURITY-2020-006.

May 20, 2020

1.5.x

1.5.4-asm.2

1.5.4-asm.2 is now available.

Security fixes

1.5.4-asm.2 contains all the same security fixes that are in Anthos Service Mesh 1.4.

Beta release of the Anthos CLI

The Anthos CLI simplifies the installation of Anthos Service Mesh. You can use the Anthos CLI to:

Port change for automatic sidecar injection

If you are installing Anthos Service Mesh on a private cluster, you must add a firewall rule to open port 15017 if you want to use automatic sidecar injection. In Anthos Service Mesh 1.4, the port used for automatic sidecar injection is 9443.

If you don't add the firewall rule and automatic sidecar injection is enabled, you get an error when you deploy workloads. For details on adding a firewall rule, see Adding firewall rules for specific use cases.

The alpha authentication policy is deprecated

See Updating to the beta security policies for more information.

IstioOperator API replaces IstioControlPlane API

The alpha IstioControlPlane API has been replaced by the IstioOperator API. You must use the IstioOperator API in YAML files to enable optional features when you install Anthos Service Mesh.

Istio CNI plugin is supported

By default Anthos Service Mesh injects an initContainer, istio-init, in pods deployed in the mesh. The istio-init container sets up the pod network traffic redirection to/from the sidecar proxy. This requires the user or service-account deploying pods to the mesh to have sufficient Kubernetes RBAC permissions to deploy containers with the NET_ADMIN and NET_RAW capabilities. Requiring users to have elevated Kubernetes RBAC permissions is problematic for some organization's security compliance. The Istio Container Network Interface (CNI) plugin is a replacement for the istio-init container that performs the same networking functionality but without requiring users to enable elevated Kubernetes RBAC permissions.

The Istio CNI plugin performs the mesh pod traffic redirection in the Kubernetes pod lifecycle's network setup phase, thereby removing the requirement for the NET_ADMIN and NET_RAW capabilities for users deploying pods into the mesh. The Istio CNI plugin replaces the functionality provided by the istio-init container.

Enabling pod security policies no longer needed

SDS security was improved by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.

May 12, 2020

1.4.x

1.4.9-asm.1

Fixes the security issue, CVE-2020-10739, with the same fixes as OSS Istio 1.4.9. See ISTIO-SECURITY-2020-005 for more information.

April 28, 2020

1.4.x

The Anthos Service Mesh dashboard in the Google Cloud Console is generally available for Anthos Service Mesh installations on Google Kubernetes Engine clusters. For more information, see the Observability overview.

April 01, 2020

1.4.x

1.4.7-asm.0

Contains the same fixes as OSS Istio 1.4.7. See Announcing Istio 1.4.7 for more information.

March 03, 2020

1.4.x

1.4.6-asm.0

Fixes known security issues with the same fixes as OSS Istio 1.4.6:

February 28, 2020

1.4.x

1.4.5-asm.0

Anthos Service Mesh certificate authority (Mesh CA) is generally available for GKE on Cloud.

Mesh CA is a Google managed, highly available and secure service that replaces Citadel for Anthos Service Mesh customers on GKE on Cloud. Mesh CA issues mTLS certificates for workloads running in Anthos Service Mesh.

GKE on premises continues to use Citadel.

The changes to support the Anthos Service Mesh observability features, including the topology graph on the Anthos Service Mesh Dashboard are included in 1.4.5-asm-0.

Note that the Anthos Service Mesh Dashboard itself is still in beta.

1.5.x

Prepare for a breaking change coming in Anthos Service Mesh 1.5

WARNING: Don't include a TargetSelector in your authentication polices. Authentication policies that include a TargetSelector will not be automatically converted to the new version of the Authentication Policy API that will be released in Anthos Service Mesh 1.5. You will have to migrate these authentication policies manually to the new Authentication Policy API. If you don't remove the TargetSelector, the authentication policies might be ignored without warning in Anthos Service Mesh 1.5.

February 12, 2020

1.4.x

1.4.4-asm.0

Fixes a known security issue with the same fixes as OSS Istio 1.4.4, as well as improvements from OSS Istio 1.4.3.

December 20, 2019

1.4.x

Anthos Service Mesh is generally available.

This release features a supported, downloadable installation of Anthos Service Mesh for use in your Anthos clusters on-premises or on Google Kubernetes Engine.

The following features remain in beta:

October 28, 2019

0.1.x

Anthos Service Mesh certificate authority Beta.

September 16, 2019

0.1.x