Anthos Service Mesh 1.5 has reached end of life and is no longer supported. See Upgrading from earlier versions.

Release notes

This page contains release notes for each version of Anthos Service Mesh.

You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud Console, or you can programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/servicemesh-release-notes.xml

October 06, 2021

1.11.x

1.11.2-asm.17 is now available.

Anthos Service Mesh 1.11 includes the features of Istio 1.11 subject to the list of Anthos Service Mesh supported features.

Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of Managed Anthos Service Mesh to the rapid channel. See Select a Managed Anthos Service Mesh release channel for more information.

asmcli is generally available for new installations and upgrades of Anthos Service Mesh. You can use asmcli to:

The in-cluster control plane is supported on the following platforms using asmcli:

  • GKE clusters in a single project
  • GKE clusters in multiple projects
  • Anthos clusters on VMware
  • Anthos on bare metal
  • Anthos clusters on AWS
  • Amazon EKS

Note: Upgrades from Anthos Service Mesh 1.7 on EKS to Anthos Service Mesh 1.11 aren't supported. You will need to set up a new EKS cluster to install Anthos Service Mesh 1.11.

asmcli requires clusters to be registered with a fleet. asmcli can automatically register a cluster as long as it meets the requirements specified in fleet requirements. asmcli does not support automatic fleet registration for GKE 1.22 clusters, which must be registered manually before installation.

Using install_asm and istioctl install is deprecated and support for these tools for installations and upgrades of Anthos Service Mesh will be removed when Anthos Service Mesh 1.12 is released. Please update your scripts and tools to use asmcli. For more information see Transitioning to asmcli.

The Anthos Service Mesh integration with Certificate Authority Service (CA Service) is generally available. You can use CA Service as the certificate authority for signing mutual TLS certificates. See Configure Anthos Service Mesh to use CA Service for details.

Anthos Service Mesh uses a proxy that is based on OSS Envoy. The Anthos Service Mesh 1.11 proxy is based on Envoy v1.19.1.

September 20, 2021

1.9.x & 1.10.x

1.9.8-asm.6 and 1.10.4-asm.14 are now available.

These patch releases fix a potential memory leak in the control plane.

September 14, 2021

1.9.x & 1.10.x

1.9.8-asm.3 and 1.10.4-asm.9 are now available.

These patch releases:

  • Introduced a rate limit to improve control plane availability under load spikes.
  • Fixed a memory leak and proxy count issue in the control plane.

August 24, 2021

1.10.x

1.10.4-asm.6 is now available.

This patch release contains the fixes for the security vulnerabilities listed in GCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

The asmcli script is now available in preview. With this script you can install and upgrade Anthos Service Mesh on GKE and on-premises. For more information, see About the asmcli.

Google-managed data plane is now available in preview as a part of managed Anthos Service Mesh. Google-managed data plane helps you upgrade data plane proxies automatically. For more information see Configure managed Anthos Service Mesh.

Anthos Service Mesh for Compute Engine VMs now uses gcloud commands and supports Google-managed control planes. For more information, see Add Compute Engine virtual machines to Anthos Service Mesh.

1.7.x & 1.8.x & 1.9.x & 1.10.x

The Istio project recently disclosed a series of CVEs that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see the security bulletin.

Anthos Service Mesh now supports skip-version upgrades for single-project clusters on GKE running versions 1.7 and higher. This means you can now upgrade 1.7 and 1.8 installations directly to 1.10. For more information, see Upgrading Anthos Service Mesh to the latest version.

1.9.x

1.9.8-asm.1 is now available.

This patch release contains the fixes for the security vulnerabilities listed in GCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

1.8.x

1.8.6-asm.8 is now available.

This patch release contains the fixes for the security vulnerabilities listed in GCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

1.7.x

1.7.8-asm.10 is now available.

This patch release contains the fixes for the security vulnerabilities listed in GCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

July 28, 2021

1.8.x

1.8.6-asm.7 is now available. This patch release:

  • Fixes a bug that could lead to memory leaks in the proxy.
  • Fixes a bug causing invalid cipherSuites in the Gateway configuration that could cause broken traffic.

July 22, 2021

1.7.x & 1.8.x & 1.9.x & 1.10.x

The 1.x version of kpt breaks Anthos Service Mesh installations and upgrades. Anthos Service Mesh requires a pre-1.x version of kpt. The latest version of the gcloud command-line tool includes the 1.x kpt that breaks installs and upgrades.

Make sure that you are running a pre-1.x version of kpt:

kpt version

The output should be similar to the following:

0.39.2

If you have kpt version 1.x or higher, use the curl command in Setting up your environment to download the required version for your operating system.

If you are installing or upgrading Anthos Service Mesh using the install_asm script, make sure to download the most recent version of the script. The updated version of install_asm checks your kpt version. If needed, install_asm downloads and uses the required kpt version. Run install_asm --version to make sure you have a version of install_asm that has the workaround. You need the following install_asm versions or higher:

June 30, 2021

1.10.x

Anthos Service Mesh user authentication is now generally available (GA). This feature lets you use existing Identity Providers (IDP) for user authentication and access control to your workloads. For more information, see Configuring Anthos Service Mesh user authentication.

1.10.2-asm.3 is now available and includes a fix for the known issue with control plane metric reporting reported on June 25, 2021.

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

June 29, 2021

1.10.x

There is a breaking change in 1.10 with inbound forwarding that affects applications that bind solely to the localhost interface.

For more information, see the 1.10 Istio upgrading notes.

June 25, 2021

1.10.x

There is a known issue in 1.10.2-asm.2 where control plane metric reporting to Cloud Monitoring is not functioning properly and reports excessive error logs in the Istiod container.

June 24, 2021

1.10.x

1.10.2-asm.2 is now available.

This patch release contains the same bug fixes that are in Istio 1.10.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

Anthos clusters on-premises support Mesh CA.

New installations of Anthos Service Mesh 1.10.x on Anthos clusters on VMware and bare metal support the Anthos Service Mesh certificate authority (Mesh CA). For details on the installation, see Installing Anthos Service Mesh on-premises.

When you install Anthos Service Mesh on-premises with Mesh CA, this enables Cloud Monitoring and Cloud Logging by default. Additionally, you can use Cloud Trace (which you enable separately) as needed for troubleshooting.

Google-managed control plane release channels are available.

Anthos Service Mesh releases updates often, to deliver security updates, fix known issues, and introduce new features. Release channels offer you the ability to balance between stability and the feature set of the Anthos Service Mesh version. Google automatically manages the version and upgrade cadence for each release channel. To learn more, see the following:

Migrating to Mesh CA from Istio CA with little or no downtime.

Migrating to Anthos Service Mesh certificate authority (Mesh CA) from Istio CA (also known as Citadel) requires migrating the root of trust. Prior to Anthos Service Mesh 1.10, if you wanted to migrate from Istio on to Anthos Service Mesh with Mesh CA, you needed to schedule downtime because Anthos Service Mesh was not able to load multiple root certificates, which interrupted mutual TLS (mTLS) traffic during the migration.

With Anthos Service Mesh 1.10 and higher, you can install a new in-cluster control plane with an option that distributes the Mesh CA root of trust to all proxies. After switching to the new control plane and restarting workloads, all proxies are configured with both the Istio CA and Mesh CA root of trust. Next, you install a new in-cluster control plane that has Mesh CA enabled. As you switch workloads over to the new control plane, mTLS traffic isn't interrupted. For details, see Migrating to Mesh CA.

1.8.x & 1.9.x

The Istio project recently announced a security vulnerability (CVE-2021-34824) where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

For more information, see the GCP-2021-012 security bulletin.

1.8.6-asm.4 and 1.9.6-asm.1 are now available. This release updates the Envoy versions for the following Anthos Service Mesh versions:

  • 1.8.6-asm.2 uses Envoy v1.16.3.
  • 1.9.6-asm.1 uses Envoy v1.17.2.

These patch releases contain a fix for CVE-2021-34824. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

June 15, 2021

1.9.x

Google-managed control plane is now a generally available (GA) feature. This feature lets you move from managing Istiod in your clusters to configuring the control plane as a service. Google will manage the availability, scalability and security of the control plane.

In addition, it offers these new features:

Using the Google-managed control plane also simplifies multi-cluster mesh configuration and reduces the Kubernetes Engine privileges needed to install Anthos Service Mesh. For more information see Configuring the Google-managed control plane.

May 19, 2021

1.6.x

Anthos Service Mesh 1.6 is no longer supported. For more information see Supported versions.

May 17, 2021

1.7.x & 1.8.x & 1.9.x

1.9.5-asm.2, 1.8.6-asm.3, and 1.7.8-asm.8 are now available.

This release fixes the following security vulnerabilities:

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

Anthos Service Mesh uses a proxy that is based on OSS Envoy. The Envoy version that the Anthos Service Mesh proxy uses differs by Anthos Service Mesh version, as follows:

April 20, 2021

1.6.x & 1.7.x & 1.8.x & 1.9.x

1.9.3-asm.2, 1.8.5-asm.2, 1.7.8-asm.1, and 1.6.14-asm.2 are now available.

Fixes the security issue, ISTIO-SECURITY-2021-003, with the same fixes as Istio 1.9.3. These fixes were also backported to the specified Anthos Service Mesh versions.

This release updates the Envoy versions for the following Anthos Service Mesh versions:

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

1.9.x

Adding multiple private clusters from different projects into a single Mesh on GKE is now available as a generally available (GA) feature.

1.8.x

Adding multiple private clusters from different projects into a single Mesh on GKE is now available as a public preview feature.

April 02, 2021

1.9.x

1.9.2-asm.1 is now available.

This patch release contains the same bug fixes that are in Istio 1.9.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

Anthos Service Mesh user authentication is now available as a public preview feature on installations of 1.9. This feature lets you use existing Identity Providers (IDP) for user authentication and access control to your workloads. For more information, see Configuring Anthos Service Mesh user authentication.

March 29, 2021

1.6.x & 1.4.x & 1.5.x

The Anthos Service Mesh Topology (beta) page in Cloud Console won't display properly if unsupported versions, including versions earlier than Anthos Service Mesh 1.6.8, are installed on your clusters or if you have disabled the Canonical Service controller in clusters in your project.

Note that the Canonical Service controller is enabled by default on version 1.6.8 and higher. If you did not disable the Canonical Service controller on a supported version, no action is required.

What should I do?

March 04, 2021

1.9.x

1.9.1-asm.1 is now available. Anthos Service Mesh 1.9 includes the features of Istio 1.9 subject to the list of Anthos Service Mesh supported features.

Google-managed control plane is now available as a public preview feature. This feature lets you move from managing istiod in your clusters to configuring the control plane as a service. Google will manage the availability, scalability and security of the control plane.

Using the managed control plane also simplifies multi-cluster mesh configuration and reduces the Kubernetes Engine privileges needed to install Anthos Service Mesh. For more information see Configuring the Google-managed control plane.

Anthos Service Mesh for Compute Engine VMs is now available as a public preview feature. With this new feature you can manage, observe, and secure services running on both Compute Engine Managed Instance Groups and Kubernetes Engine clusters in the same mesh. You can mix and choose the best environment to run your services while enjoying the benefits of Anthos Service Mesh.

This feature also improves security and usability by letting you use Compute Engine service accounts for mTLS authentication to other Compute Engine VMs and Kubernetes Engine Pods. For more information see the documentation.

1.5.x

Anthos Service Mesh 1.5 is no longer supported. For more information see Supported versions.

February 23, 2021

1.8.x

1.8.3-asm.2 is now available.

This patch release contains the same bug fixes that are in Istio 1.8.3. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

February 12, 2021

1.6.x

1.6.14-asm.1 is now available.

This patch release contains a fix for CVE-2021-3156. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

February 02, 2021

1.8.x

1.8.2-asm.2 is now available.

This patch release contains the same bug fixes that are in Istio 1.8.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

The install_asm script lets you reinstall the same version

You can use the install_asm script when you need to reinstall the same Anthos Service Mesh version to change the control plane configuration. For more information, see the following:

January 20, 2021

1.7.x

1.7.6-asm.1 is now available.

This patch release contains the same bug fixes that are in Istio 1.7.6. For details on upgrading Anthos Service Mesh, refer to the following Anthos Service Mesh upgrade guides:

January 12, 2021

1.6.x

1.6.14-asm.0 is now available.

This patch release contains the same bug fixes that are in Istio 1.6.14. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

December 16, 2020

1.8.x

1.8.1-asm.5 is now available.

Multi-cluster support for GKE on-prem Beta

Anthos Service Mesh now supports multi-cluster meshes when running on GKE on-prem. For more information, see Add clusters to Anthos Service Mesh on-prem.

New flags for the install_asm script

The install_asm script was enhanced to provide you with more granular control over the changes that the script makes on your project and GKE on Google Cloud cluster. For more information, see the Enablement flags section in the documentation for the script.

Third-party add-ons removed from all profiles

The Prometheus, Grafana, and Kiali add-ons were removed from all Anthos Service Mesh profiles. For information on why the add-ons were removed, see Reworking our Addon Integrations. Installation of these third-party add-ons was removed from the 1.8 IstioOperator API, which means that they can't be installed with the istioctl install command. For information on installing a demo version of the add-ons, see Integrating with third-party add-ons.

Note that by default, metrics are still exported to Prometheus in the asm-multicloud profile. You can optionally enable metrics export to Prometheus in the asm-gcp-multiproject profile.

Anthos Service Mesh 1.8 isn't supported on Anthos attached clusters and GKE on AWS

Anthos Service Mesh 1.8 currently isn't supported on Anthos attached clusters (Microsoft AKS and Amazon EKS) and GKE on AWS (Amazon EC2). Anthos Service Mesh 1.7 and 1.6 are supported for these environments. For more information, see the following guides:

Reduced permissions required for installation

The permissions required for installation have been scaled back. Testing has shown that the Project Editor role can be replaced with more granular roles. For the complete list, see Permissions required to install Anthos Service Mesh.

November 12, 2020

1.6.x & 1.7.x

Anthos Service Mesh, Mesh CA and the Anthos Service Mesh dashboards in Google Cloud Console are now available for any GKE customer and do not require the purchase of Anthos. See pricing for details.

There are slight changes to the behavior of Google Cloud Console for customers who use Anthos Service Mesh without an Anthos subscription. See details here.

Added a shell script to automate Anthos Service Mesh installation and migration from Istio and the Istio on GKE add-on. For details, see the following guides:

November 03, 2020

1.7.x

1.7.3-asm.6 is now available

Anthos Service Mesh 1.7 is compatible with and has the feature set of Istio 1.7, subject to the list of Anthos Service Mesh supported features.

Added support for on-premises secure key management, provided by Thales Luna HSM 7+ and Hashicorp Vault.

Added a shell script to automate Anthos Service Mesh installation and migration from Istio 1.6. See the installation guide for details.

Added revision label support to sidecar injection for greater control over various scenarios, such as canary upgrades and more.

The beta validation tool asmctl is retired and the lessons learned are built into the new, streamlined Anthos Service Mesh install script.

If you use unsupported Istio features in your Anthos Service Mesh deployment, see Istio upgrade notes for changes that might affect you.

October 13, 2020

1.4.x

1.4.10-asm.19 is now available

You can now allow an experimental feature to exceed 4GB of memory usage.

September 29, 2020

1.6.x & 1.4.x & 1.5.x

1.6.11-asm.1, 1.5.10-asm.2, and 1.4.10-asm.18

Fixes the security issue, ISTIO-SECURITY-2020-010, with the same fixes as Istio 1.6.11. These fixes were backported to 1.6.11-asm.1, 1.5.10-asm.2 and 1.4.10-asm.18. For more information, see the Istio 1.6.11 release notes.

For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:

1.6

1.5

1.4

August 27, 2020

1.6.x

1.6.8-asm.9 is now available

Adds beta support for joining multiple clusters from different projects into a single Anthos Service Mesh on Google Kubernetes Engine.

Adds Citadel CA support for gcp profiles.

Fixes an issue for enabling trust domain validation at the transport socket level.

August 14, 2020

1.6.x & 1.5.x

1.6.8-asm.0 and 1.5.9-asm.0

Fixes the security issue, ISTIO-SECURITY-2020-009, with the same fixes as Istio 1.6.8 and Istio 1.5.9. For more information, see the Istio release notes:

July 24, 2020

1.6.x

Anthos Service Mesh on GKE on AWS is supported.

For more information, see Installing Anthos Service Mesh on GKE on AWS.

July 22, 2020

1.6.x

1.6.5-asm.7, 1.5.8-asm.7, and 1.4.10-asm.15 are now available

This release provides these features and fixes:

  • Builds Istiod (Pilot), Citadel Agent, Pilot Agent, Galley, and Sidecar Injector with Go+BoringCrypto.
  • Builds Istio Proxy (Envoy) with the --define boringssl=fips option.
  • Ensures the components listed above use FIPS-compliant algorithms.

July 10, 2020

1.6.x

1.6.5-asm.1, 1.5.8-asm.0, and 1.4.10-asm.4

Fixes the security issue, ISTIO-SECURITY-2020-008, with the same fixes as Istio 1.6.5 and Istio 1.5.8. These fixes were backported to 1.4.10-asm.4. For more information, see the Istio release notes:

June 30, 2020

1.6.x

1.6.4-asm.9 is now available.

ASM 1.6 is compatible with and has the feature set of Istio 1.6 (see Istio release notes), subject to the list of ASM Supported Features.

Anthos Service Mesh now supports multi-cluster meshes (beta) when running on GKE on Google Cloud.

Users that configure multiple clusters in their mesh can now see unified, multi-cluster views of their services in the Anthos Service Mesh pages in the Cloud Console. Note that multi-cluster support is in Beta and not all UI features are supported in multi-cluster mode.

ASM 1.6 is supported in a single cluster configuration in Anthos Attached Clusters in the following environments: Amazon Elastic Kubernetes Service (EKS) and Microsoft Azure Kubernetes Service (AKS).

The profile to install ASM in GKE has been renamed from asm to asm-gcp; see Upgrading Anthos Service Mesh on GKE. The profile to install ASM in GKE on-premises clusters has been renamed from asm-onprem to asm-multicloud; see Upgrading Anthos Service Mesh on premises.

In the asm-multicloud profile, ASM now installs a complete observability stack (Prometheus, Grafana and Kiali).

Support for cross-cluster load balancing (beta) for your multi-cluster mesh for GKE on Google Cloud.

Anthos Service Mesh now supports cross-cluster security policies (beta) for your multi-cluster mesh when running on GKE on Google Cloud.

Upgrade from ASM 1.5 to ASM 1.6 without downtime using a dual control plane upgrade.

Known Issue: If you upgrade from Istio to ASM 1.6 and have set SLOs on your service metrics, those SLOs might be lost and need to be recreated after the upgrade.

1.4.x & 1.5.x

1.5.7-asm.0 and 1.4.10-asm.3

Fixes the security issue, ISTIO-SECURITY-2020-007, with the same fixes as Istio 1.6.4. For information, see the Istio release notes.

Description

The vulnerability affects Anthos Service Mesh (ASM) versions 1.4.0 to 1.4.10, 1.5.0 to 1.5.5, and 1.6.4 whether running in Anthos clusters on VMware or on GKE, potentially exposing your application to Denial of Service (DOS) attacks. This vulnerability is referenced in these publicly disclosed Istio security bulletins:

  • ISTIO-SECURITY-2020-007:
    • CVE-2020-12603 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (e.g., 1 byte) data frames.
    • CVE-2020-12605 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
    • CVE-2020-8663 (CVSS score 7.0, High): Envoy version 1.14.1 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
    • CVE-2020-12604 (CVSS score 7.0, High): Envoy through 1.14.1 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.

Mitigation

If you use ASM 1.6.4:

  • Apply the additional configuration changes specified in ISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.

If you use ASM 1.4.0 to 1.4.10 or 1.5.0 to 1.5.5:

  • Upgrade your clusters to ASM 1.4.10-asm.3 or ASM 1.5.7-asm.0 as soon as possible and apply the additional configuration changes specified in ISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.

June 22, 2020

1.4.x & 1.5.x

1.5.6-asm.0 and 1.4.10.asm.2

Contains the same fixes as OSS Istio 1.5.6. Non-critical, minor improvements were also backported to ASM 1.4.10. See Announcing Istio 1.5.6 for more information.

June 15, 2020

1.5.x

1.5.5-asm.2

Fixes a bug in the istioctl HorizontalPodAutoscaling setting that caused Anthos Service Mesh installations to fail.

June 11, 2020

1.4.x & 1.5.x

1.5.5-asm.0 and 1.4.10-asm.1

Fixes the security issue, CVE-2020-11080, with the same fixes as OSS Istio 1.5.5. The security fixes were backported to ASM 1.4.10.

Description

A vulnerability affecting the HTTP/2 library used by Envoy has been fixed and publicly disclosed (cf. Denial of service: Overly large SETTINGS frames).

CVE-2020-11080: By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.

Mitigation

HTTP/2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration. HTTP/2 support at ingress can only be disabled if you are not exposing HTTP/2 services that cannot fall back to HTTP/1.1 through ingress. Note that gRPC services cannot fall back to HTTP/1.1.


apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: disable-ingress-h2
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: HTTP1

For additional information, see ISTIO-SECURITY-2020-006.
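Before applying the HTTP1-only patch above, it helps to list which ingress Gateway servers would break. The following is an added example, not part of the original release notes or of Anthos Service Mesh tooling: it classifies Gateway servers from the JSON that `kubectl get gateways.networking.istio.io -A -o json` produces. The function names, the conservative selector rule, and the sample data are assumptions made for this example.

```python
import json

# Gateway port protocols that declare HTTP/2-only traffic (gRPC cannot
# fall back to HTTP/1.1, as the release note states).
H2_ONLY = {"GRPC", "HTTP2"}
# Protocols handled by the HTTP connection manager where the declaration
# alone does not show whether a gRPC backend is routed behind the port.
NEEDS_REVIEW = {"HTTP", "HTTPS"}


def may_select_ingress(selector):
    """True unless the selector explicitly names a different `istio` label.

    The workaround targets workloads labelled istio=ingressgateway. A Gateway
    whose selector omits the `istio` key may still bind to those pods, so it
    is kept (conservative choice made for this example).
    """
    return selector.get("istio", "ingressgateway") == "ingressgateway"


def classify_servers(gateway_list):
    """Split ingress Gateway servers into hard blockers and manual-review items."""
    findings = {"blockers": [], "review": []}
    for gw in gateway_list.get("items", []):
        meta = gw.get("metadata", {})
        spec = gw.get("spec", {})
        if not may_select_ingress(spec.get("selector") or {}):
            continue
        for server in spec.get("servers") or []:
            port = server.get("port") or {}
            proto = str(port.get("protocol", "")).upper()
            entry = {
                "gateway": f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}",
                "port": port.get("number"),
                "protocol": proto,
                "hosts": server.get("hosts", []),
            }
            if proto in H2_ONLY:
                findings["blockers"].append(entry)
            elif proto in NEEDS_REVIEW:
                findings["review"].append(entry)
    return findings


def workaround_is_safe(findings):
    """The HTTP1-only patch is acceptable only when nothing is declared H2-only."""
    return not findings["blockers"]


# Constructed sample standing in for the kubectl JSON output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "web", "namespace": "shop"},
   "spec": {"selector": {"istio": "ingressgateway"},
            "servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                         "hosts": ["shop.example.com"]}]}},
  {"metadata": {"name": "api", "namespace": "billing"},
   "spec": {"selector": {"istio": "ingressgateway"},
            "servers": [{"port": {"number": 8443, "name": "grpc", "protocol": "GRPC"},
                         "hosts": ["grpc.example.com"]}]}},
  {"metadata": {"name": "out", "namespace": "istio-system"},
   "spec": {"selector": {"istio": "egressgateway"},
            "servers": [{"port": {"number": 80, "name": "h2", "protocol": "HTTP2"},
                         "hosts": ["*"]}]}}
]}
""")

if __name__ == "__main__":
    result = classify_servers(SAMPLE)
    for kind in ("blockers", "review"):
        for item in result[kind]:
            print(kind, item["gateway"], item["port"], item["protocol"], item["hosts"])
    print("safe to apply HTTP1-only patch:", workaround_is_safe(result))
```

Servers listed under "review" still need a manual look at the routed backends, because a port declared HTTP or HTTPS can front a gRPC service.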

May 20, 2020

1.5.x

1.5.4-asm.2

1.5.4-asm.2 is now available.

Security fixes

1.5.4-asm.2 contains all the same security fixes that are in Anthos Service Mesh 1.4.

Beta release of the Anthos CLI

The Anthos CLI simplifies the installation of Anthos Service Mesh. You can use the Anthos CLI to:

Port change for automatic sidecar injection

If you are installing Anthos Service Mesh on a private cluster, you must add a firewall rule to open port 15017 if you want to use automatic sidecar injection. In Anthos Service Mesh 1.4, the port used for automatic sidecar injection is 9443.

If you don't add the firewall rule and automatic sidecar injection is enabled, you get an error when you deploy workloads. For details on adding a firewall rule, see Adding firewall rules for specific use cases.

The alpha authentication policy is deprecated

See Updating to the beta security policies for more information.

IstioOperator API replaces IstioControlPlane API

The alpha IstioControlPlane API has been replaced by the IstioOperator API. You must use the IstioOperator API in YAML files to enable optional features when you install Anthos Service Mesh.

Istio CNI plugin is supported

By default Anthos Service Mesh injects an initContainer, istio-init, in pods deployed in the mesh. The istio-init container sets up the pod network traffic redirection to/from the sidecar proxy. This requires the user or service-account deploying pods to the mesh to have sufficient Kubernetes RBAC permissions to deploy containers with the NET_ADMIN and NET_RAW capabilities. Requiring users to have elevated Kubernetes RBAC permissions is problematic for some organizations' security compliance. The Istio Container Network Interface (CNI) plugin is a replacement for the istio-init container that performs the same networking functionality but without requiring users to enable elevated Kubernetes RBAC permissions.

The Istio CNI plugin performs the mesh pod traffic redirection in the Kubernetes pod lifecycle's network setup phase, thereby removing the requirement for the NET_ADMIN and NET_RAW capabilities for users deploying pods into the mesh. The Istio CNI plugin replaces the functionality provided by the istio-init container.
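To see which workloads still depend on the elevated capabilities described above, you can audit pod specs for init containers that add NET_ADMIN or NET_RAW. This is an added example, not part of the original release notes or of Anthos Service Mesh tooling: it reads the JSON that `kubectl get pods -A -o json` produces, and the function names and sample pods are assumptions made for this example.

```python
import json

# Capabilities the release note says istio-init requires.
NET_CAPS = {"NET_ADMIN", "NET_RAW"}


def init_containers_with_net_caps(pod_list):
    """Return init containers that add NET_ADMIN/NET_RAW or run privileged."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for container in pod.get("spec", {}).get("initContainers") or []:
            sc = container.get("securityContext") or {}
            added = {str(c).upper() for c in (sc.get("capabilities") or {}).get("add") or []}
            # A privileged container holds every capability, including both of these.
            held = set(NET_CAPS) if sc.get("privileged") else added & NET_CAPS
            if not held:
                continue
            findings.append({
                "pod": f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}",
                "container": container.get("name"),
                "capabilities": sorted(held),
                "privileged": bool(sc.get("privileged")),
                # istio-init is the container name given in the release note.
                "is_istio_init": container.get("name") == "istio-init",
            })
    return findings


def namespaces_needing_elevated_rbac(findings):
    """Namespaces where deployers still need rights to grant these capabilities."""
    return sorted({f["pod"].split("/", 1)[0] for f in findings})


# Constructed sample standing in for the kubectl JSON output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "cart-7d9f", "namespace": "shop"},
   "spec": {"initContainers": [
      {"name": "istio-init",
       "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"],
                                            "drop": ["ALL"]}}}],
            "containers": [{"name": "cart"}, {"name": "istio-proxy"}]}},
  {"metadata": {"name": "migrate-x1", "namespace": "billing"},
   "spec": {"initContainers": [{"name": "schema", "securityContext": {}}],
            "containers": [{"name": "app"}]}},
  {"metadata": {"name": "legacy-0", "namespace": "ops"},
   "spec": {"initContainers": [
      {"name": "setup", "securityContext": {"privileged": true}}],
            "containers": [{"name": "legacy"}]}},
  {"metadata": {"name": "plain", "namespace": "shop"},
   "spec": {"containers": [{"name": "web"}]}}
]}
""")

if __name__ == "__main__":
    found = init_containers_with_net_caps(SAMPLE)
    for f in found:
        print(f["pod"], f["container"], f["capabilities"],
              "istio-init" if f["is_istio_init"] else "other")
    print("namespaces:", namespaces_needing_elevated_rbac(found))
```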

Enabling pod security policies no longer needed

SDS security was improved by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.

May 12, 2020

1.4.x

1.4.9-asm.1

Fixes the security issue, CVE-2020-10739, with the same fixes as OSS Istio 1.4.9. See ISTIO-SECURITY-2020-005 for more information.

April 28, 2020

1.4.x

The Anthos Service Mesh dashboard in the Google Cloud Console is generally available for Anthos Service Mesh installations on Google Kubernetes Engine clusters. For more information, see the Observability overview.

April 01, 2020

1.4.x

1.4.7-asm.0

Contains the same fixes as OSS Istio 1.4.7. See Announcing Istio 1.4.7 for more information.

March 03, 2020

1.4.x

1.4.6-asm.0

Fixes known security issues with the same fixes as OSS Istio 1.4.6:

February 28, 2020

1.4.x

1.4.5-asm.0

Anthos Service Mesh certificate authority (Mesh CA) is generally available for GKE on Cloud.

Mesh CA is a Google managed, highly available and secure service that replaces Citadel for Anthos Service Mesh customers on GKE on Cloud. Mesh CA issues mTLS certificates for workloads running in Anthos Service Mesh.

GKE on premises continues to use Citadel.

The changes to support the Anthos Service Mesh observability features, including the topology graph on the Anthos Service Mesh Dashboard, are included in 1.4.5-asm.0.

Note that the Anthos Service Mesh Dashboard itself is still in beta.

1.5.x

Prepare for a breaking change coming in Anthos Service Mesh 1.5

WARNING: Don't include a TargetSelector in your authentication policies. Authentication policies that include a TargetSelector will not be automatically converted to the new version of the Authentication Policy API that will be released in Anthos Service Mesh 1.5. You will have to migrate these authentication policies manually to the new Authentication Policy API. If you don't remove the TargetSelector, the authentication policies might be ignored without warning in Anthos Service Mesh 1.5.

February 12, 2020

1.4.x

1.4.4-asm.0

Fixes a known security issue with the same fixes as OSS Istio 1.4.4, as well as improvements from OSS Istio 1.4.3.

December 20, 2019

1.4.x

Anthos Service Mesh is generally available.

This release features a supported, downloadable installation of Anthos Service Mesh for use in your Anthos clusters on-premises or on Google Kubernetes Engine.

The following features remain in beta:

October 28, 2019

0.1.x

Anthos Service Mesh certificate authority Beta.

September 16, 2019

0.1.x