You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.
December 10, 2024
As part of the Per-cluster entitlement to GKE Enterprise, a GKE cluster needs to have its cluster_tier
set to ENTERPRISE
in order for that cluster to be considered GKE Enterprise.
Existing clusters and new clusters can follow Update an existing cluster's tier and Enroll a new cluster respectively to make a cluster enterprise.
Clusters created or registered before November 2024 that use GKE Enterprise as part of their fleet membership are automatically enterprise-tier clusters. This is a billing announcement only, Cloud Service Mesh features don't change.
November 19, 2024
The rollout of managed Cloud Service Mesh version 1.19 to all channels has completed.
November 12, 2024
In-cluster Cloud Service Mesh 1.20 is no longer supported. For more information, see Supported versions.
1.20.8-asm.10 is now available for in-cluster Cloud Service Mesh.
1.20 is no longer supported. While the fix for the bug in the distroless proxy container has been backported to 1.20, you should upgrade to 1.21 or later.
You can now download 1.20.8-asm.10 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.20.8 subject to the list of supported features. Cloud Service Mesh version 1.20.8-asm.10 uses envoy v1.28.6.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
1.23.3-asm.2 is now available for in-cluster Cloud Service Mesh.
You can now download 1.23.3-asm.2 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.23.3 subject to the list of supported features. Cloud Service Mesh version 1.23.3-asm.2 uses envoy v1.31.2.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
1.22.6-asm.2 is now available for in-cluster Cloud Service Mesh.
You can now download 1.22.6-asm.2 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.22.6 subject to the list of supported features. Cloud Service Mesh version 1.22.6-asm.2 uses envoy v1.30.6.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
1.21.5-asm.12 is now available for in-cluster Cloud Service Mesh.
You can now download 1.21.5-asm.12 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.21.5 subject to the list of supported features. Cloud Service Mesh version 1.21.5-asm.12 uses envoy v1.29.8.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
This release fixes a bug in the distroless proxy container. Before this fix, the distroless proxy produced errors similar to the following when deployed in a Kubernetes cluster with in-cluster control plane that did not have Container Network Interface (CNI) installed.
xtables resource problem: can't open lock file /run/xtables.lock: No such file or directory
This fix applies to the following new versions:
- 1.20.8-asm.10
- 1.21.5-asm.12
- 1.22.6-asm.2
- 1.23.3-asm.2
November 07, 2024
The following images are now rolling out for managed Cloud Service Mesh:
- 1.19.10-asm.21 is rolling out to the rapid release channel.
- 1.19.10-asm.21 is rolling out to the regular release channel.
- 1.19.10-asm.21 is rolling out to the stable release channel.
November 06, 2024
1.23.3-asm.1 is now available for in-cluster Cloud Service Mesh.
You can now download 1.23.3-asm.1 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.23.3 subject to the list of supported features. Cloud Service Mesh version 1.23.3-asm.1 uses envoy v1.31.2.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
1.22.6-asm.1 is now available for in-cluster Cloud Service Mesh.
You can now download 1.22.6-asm.1 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.22.6 subject to the list of supported features. Cloud Service Mesh version 1.22.6-asm.1 uses envoy v1.30.6.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
1.21.5-asm.10 is now available for in-cluster Cloud Service Mesh.
You can now download 1.21.5-asm.10 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.21.5 subject to the list of supported features. Cloud Service Mesh version 1.21.5-asm.10 uses envoy v1.29.8.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
1.20.8-asm.9 is now available for in-cluster Cloud Service Mesh.
You can now download 1.20.8-asm.9 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.20.8 subject to the list of supported features. Cloud Service Mesh version 1.20.8-asm.9 uses envoy v1.28.6.
For details on upgrading Cloud Service Mesh, see Upgrade Cloud Service Mesh.
This release fixes a bug in the following versions where the default user for distroless proxy was changed to root; As a result of this fix, the default user is now back to non-root
- 1.20.8-asm.6
- 1.20.8-asm.7
- 1.21.5-asm.5
- 1.21.5-asm.7
- 1.22.3-asm.1
- 1.22.4-asm.0
- 1.22.5-asm.1
This change may affect some gateway deployments which rely on the root user to expose a privileged port for ingress or egress. To ensure your gateways continue to work correctly, you may need to apply additional security contexts to your deployments. For details, see the troubleshooting guide.
Patches fixing a bug where the default user for distroless proxy was changed to root will be rolling out to all release channels. As a result of this fix, the default user is changing back to non-root. When you see the release note notifying that this rollout is complete, you must restart each affected workload to make the change effective.
October 24, 2024
The rollout of managed Cloud Service Mesh version 1.19 to the stable channel has completed.
In future releases, managed Cloud Service Mesh will use the GKE release channel to determine the data plane component and Istio API versions. For more information, see Provision managed Cloud Service Mesh Requirements.
October 01, 2024
The following images are now rolling out for managed Cloud Service Mesh:
- 1.19.10-asm.19 is rolling out to the rapid release channel.
- 1.19.10-asm.19 is rolling out to the regular release channel.
- 1.19.10-asm.19 is rolling out to the stable release channel.
1.19.10-asm.19 contains the fixes for the security vulnerabilities listed in GCP-2024-052 and uses Envoy v1.27.7.
A known issue with asmcli for 1.23 is now fixed. Customers might have seen the following error when attempting to install in-cluster Cloud Service Mesh 1.23:
asmcli: Downloading ASM..
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
A new version of asmcli with the fix has released.
September 19, 2024
1.23.2-asm.2 is now available for in-cluster Cloud Service Mesh.
You can now download 1.23.2-asm.2 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.23.2 subject to the list of supported features.
Istio's deferred cluster creation is not supported.
Istio's outlier log path configuration in mesh proxy config is not supported.
Istio's credentialName field in the DestinationRule API is not supported.
Cloud Service Mesh 1.23.2-asm.2 uses Envoy v1.31.1.
This release contains the fix for the security vulnerability listed in GCP-2024-052.
Managed Cloud Service Mesh 1.23 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout.
1.22.5-asm.1 is now available for in-cluster Cloud Service Mesh.
This patch release contains fixes for the security vulnerabilities listed in GCP-2024-052. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.22.5-asm.1 uses Envoy v1.30.5.
1.21.5-asm.7 is now available for in-cluster Cloud Service Mesh.
This patch release contains fixes for the security vulnerabilities listed in GCP-2024-052. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.21.5-asm.7 uses Envoy v1.29.8.
1.20.8-asm.7 is now available for in-cluster Cloud Service Mesh.
This patch release contains fixes for the security vulnerabilities listed in GCP-2024-052. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.20.8-asm.7 uses Envoy v1.28.6.
September 17, 2024
Cloud Service Mesh with a Traffic Director control plane implementation is still incompatible with Envoy version v1.31.0.
If you manually control your Envoy version, do not upgrade to v1.31.0 as there is an existing issue with connecting to the Traffic Director API. Instead, upgrade to Envoy version 1.31.1 where this issue is fixed, or set GRPC_DNS_RESOLVER=native for v1.31.0 as a workaround.
If you do not manually control your Envoy version, you don't have to do anything. Google's data plane management will not select an incompatible version for you.
August 22, 2024
The onboarding path for Managed Cloud Service Mesh with asmcli is deprecated as of August 22, 2024, and support will end in February 2025. This change affects only Google Cloud clusters. Any off-Google Cloud clusters will continue to use asmcli.
To ensure this transition is as smooth as possible, use the gcloud or Cloud Console onboarding paths when creating new clusters before February 2025.
For clusters with existing Cloud Service Mesh deployments, no immediate action is required from you and those deployments remain fully supported.
1.20.8-asm.6 is now available for in-cluster Cloud Service Mesh.
You can now download 1.20.8-asm.6 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.20.8 subject to the list of supported features. Cloud Service Mesh 1.20.8-asm.6 uses Envoy v1.28.5.
1.21.5-asm.5 is now available for in-cluster Cloud Service Mesh.
You can now download 1.21.5-asm.5 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.21.5 subject to the list of supported features. Cloud Service Mesh 1.21.5-asm.5 uses Envoy v1.29.7.
1.22.4-asm.0 is now available for in-cluster Cloud Service Mesh.
You can now download 1.22.4-asm.0 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.22.4 subject to the list of supported features. Cloud Service Mesh 1.22.4-asm.0 uses Envoy v1.30.4.
August 07, 2024
Configuring Cloud Service Mesh for either proxyless gRPC or Envoy proxy deployments with the Kubernetes Gateway API is now available as a preview feature. For more information see, the Overview page.
July 29, 2024
Updated August 8, 2024
Cloud Service Mesh with a Traffic Director control plane implementation is incompatible with Envoy version v1.31.0.
If you manually control your Envoy version, do not upgrade to this version as there is an existing issue with connecting to Traffic Director. If you run into issues with v1.31.0, set GRPC_DNS_RESOLVER=native
.
If you do not manually control your Envoy version, you don't have to do anything. Google's data plane management will not select this version for you.
July 25, 2024
1.22.3-asm.1 is now available for in-cluster Cloud Service Mesh.
You can now download 1.22.3-asm.1 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.22.3 subject to the list of supported features.
- Path templating in Authorization Policy is not supported.
- Istio's Ambient mode is not supported.
- Kubernetes Gateway API for mesh is not supported. Gateway API for ingress continues to be supported in public preview. For more information, see Kubernetes Gateway API (preview) supported features.
Cloud Service Mesh 1.22.3-asm.1 uses Envoy v1.30.3.
1.22 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout.
July 08, 2024
1.21.4-asm.5 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for an Envoy bug where the additional cookie attributes are not properly sent to clients. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.21.4-asm.5 uses Envoy v1.29.7.
1.20.8-asm.1 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for an Envoy bug where the additional cookie attributes are not properly sent to clients. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.20.8-asm.1 uses Envoy v1.28.5.
1.19.10-asm.9 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for an Envoy bug where the additional cookie attributes are not properly sent to clients. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.19.10-asm.9 uses Envoy v1.27.7.
July 01, 2024
New fleets that provision managed Cloud Service Mesh in organizations that have existing fleets with the managed istiod
control plane implementation will receive the Traffic Director control plane implementation by default.
If you received a Service Announcement, or requested an exception from your account team, then your organization's default control plane implementation for new fleets continues to be istiod
.
June 27, 2024
1.21.4-asm.0 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for a security vulnerability where the Datadog tracer does not handle trace headers with unicode characters. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.21.4-asm.0 uses Envoy v1.29.6.
June 04, 2024
1.21.3-asm.3 is now available for in-cluster Cloud Service Mesh.
You can now download 1.21.3-asm.3 for in-cluster Cloud Service Mesh. It includes the features of Istio 1.21.3 subject to the list of supported features. Cloud Service Mesh 1.21.3-asm.3 uses Envoy v1.29.5.
This release contains the fixes for the security vulnerabilities listed in GCP-2024-032.
1.21 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout.
The following 3 changes break backwards compatibility in 1.21.
The default value of the feature flag
ENABLE_AUTO_SNI
has changed from false to true. To opt out, set the environment variable toENABLE_AUTO_SNI=false
.The default value of the feature flag
VERIFY_CERT_AT_CLIENT
changed from false to true. To opt out, set the environment variable toVERIFY_CERT_AT_CLIENT=false
.There are additional changes in external name support. To opt out, set the environment variable
ENABLE_EXTERNAL_NAME_ALIAS=false
.
Note that opting out is only possible for in-cluster installations. If you do opt out, you must restore the default values before upgrading to 1.22.
1.18.7-asm.26 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2024-032. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.18.7-asm.26 uses Envoy v1.26.8.
1.19.10-asm.6 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2024-032. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.19.10-asm.6 uses Envoy v1.27.6.
1.20.7-asm.2 is now available for in-cluster Cloud Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2024-032. For details on upgrading Cloud Service Mesh, refer to Upgrade Cloud Service Mesh. Cloud Service Mesh v1.20.7-asm.2 uses Envoy v1.28.4.
May 23, 2024
Anthos Service Mesh and Traffic Director have converged into a single, unified product: Cloud Service Mesh. Cloud Service Mesh brings together features from both products:
- A fully managed, global, multi-tenant control plane
- Managed data plane and telemetry for Google Cloud
- A choice of APIs
- Open APIs, Istio & Gateway for Kubernetes Engine
- Service Routing APIs for Compute Engine and Kubernetes Engine
- Support for Kubernetes clusters on-prem and on other public clouds
For more information see the Cloud Service Mesh overview.
If you're using the Istio APIs with the Traffic Director control plane implementation, disabling multi-cluster load balancing is not supported.
April 24, 2024
1.18.7-asm.21 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2024-023. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh. Anthos Service Mesh v1.18.7-asm.21 uses Envoy v1.26.8.
1.19.10-asm.0 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2024-023. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh. Anthos Service Mesh v1.19.10-asm.0 uses Envoy v1.27.5.
1.20.6-asm.0 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2024-022. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh. Anthos Service Mesh v1.20.6-asm.0 uses Envoy v1.28.3.
March 15, 2024
The rollout of managed Anthos Service Mesh version 1.17 to the stable channel has completed.
March 11, 2024
1.20.4-asm.0 is now available for in-cluster Anthos Service Mesh.
You can now download 1.20.4-asm.0 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.20.4 subject to the list of supported features. Anthos Service Mesh 1.20.4-asm.0 uses Envoy v1.28.1.
1.19.8-asm.2 is now available for in-cluster Anthos Service Mesh.
You can now download 1.19.8-asm.2 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.19.8 subject to the list of supported features. Anthos Service Mesh 1.19.8-asm.2 uses Envoy v1.27.3.
1.18.7-asm.11 is now available for in-cluster Anthos Service Mesh.
You can now download 1.18.7-asm.11 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.18.7-asm.11 subject to the list of supported features. Anthos Service Mesh 1.18.7-asm.11 uses Envoy v1.26.7.
There is a known issue where new installations of Managed Anthos Service Mesh in the rapid channel on GKE Autopilot clusters may fail. For affected versions and mitigation, see the GKE release note.
March 04, 2024
Managed Anthos Service Mesh 1.18 has completed its rollout in the rapid channel. See Managed Anthos Service Mesh release channels for more information.
February 08, 2024
Google has ended support for in-cluster Anthos Service Mesh 1.17 following the official policy. Managed Anthos Service Mesh will continue to support 1.17 until 1.18 is promoted to the regular and stable channels. For more information, see Supported versions.
1.17.8-asm.20 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2024-007. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
While these CVE fixes have been backported to 1.17, you should upgrade to a supported version, 1.18 or later.
1.20.3-asm.4 is now available for in-cluster Anthos Service Mesh.
You can now download 1.20.3-asm.4 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.20.3 subject to the list of supported features. Anthos Service Mesh 1.20.3-asm.4 uses Envoy v1.28.1.
This release contains the fix for the security vulnerability listed in GCP-2024-007.
After upgrading Anthos Service Mesh to version 1.20.3 for off-Google Cloud clusters, make sure to restart all Pods in order to trigger the re-injection of sidecars. Otherwise, the Anthos Service Mesh metric reports might become inconsistent between the old and new proxies in the cluster.
Managed Anthos Service Mesh 1.20 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout. See Select a managed Anthos Service Mesh release channel for more information.
1.19.7-asm.3 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2024-007. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.18.7-asm.4 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2024-007. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
January 29, 2024
In February 2024, Managed Anthos Service Mesh will begin creating new Google Cloud backend resources that relate to upcoming control plane enhancements. These resources will have no impact on your traffic. The resources include but are not limited to the following:
- HealthChecks
- Gateways
- Meshes
- HTTPRoutes
- TCPRoutes
- TLSRoutes
- TrafficPolicies
- EndpointPolicies
- ServerTLSPolicies
- ClientTLSPolicies
- HTTPFilters
- TCPFilters
- ServiceLbPolicies
Managed Anthos Service Mesh 1.17 is rolling out in the stable channel. See Managed Anthos Service Mesh release channels for more information.
January 16, 2024
1.19.6-asm.2 is now available for in-cluster Anthos Service Mesh.
You can now download 1.19.6-asm.2 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.19.6 subject to the list of supported features. Anthos Service Mesh 1.19.6-asm.2 uses Envoy v1.27.3.
1.18.7-asm.0 is now available for in-cluster Anthos Service Mesh.
You can now download 1.18.7-asm.0 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.18.7 subject to the list of supported features. Anthos Service Mesh 1.18.7-asm.0 uses Envoy v1.26.7.
1.17.8-asm.12 is now available for in-cluster Anthos Service Mesh.
You can now download 1.17.8-asm.12 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.17.8 subject to the list of supported features. Anthos Service Mesh 1.17.8-asm.12 uses Envoy v1.25.12.
January 11, 2024
Managed Anthos Service Mesh 1.17 is rolling out in the regular channel. See Managed Anthos Service Mesh release channels for more information.
December 12, 2023
Google has ended support for in-cluster Anthos Service Mesh 1.16 following the official policy. Managed Anthos Service Mesh will continue to support 1.16 in the regular and stable channels until 1.17 is promoted to the regular and stable channels. For more information, see Supported versions.
1.19.5-asm.4 is now available for in-cluster Anthos Service Mesh.
You can now download 1.19.5-asm.4 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.19.5 subject to the list of supported features. Anthos Service Mesh 1.19.5-asm.4 uses Envoy v1.27.3.
1.18.6-asm.2 is now available for in-cluster Anthos Service Mesh.
You can now download 1.18.6-asm.2 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.18.6 subject to the list of supported features. Anthos Service Mesh 1.18.6-asm.2 uses Envoy v1.26.7.
1.17.8-asm.8 is now available for in-cluster Anthos Service Mesh.
You can now download 1.17.8-asm.8 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.17.8 subject to the list of supported features. Anthos Service Mesh 1.17.8-asm.8 uses Envoy v1.25.12.
The asmcli --channel
option is no longer supported
and your managed Anthos Service Mesh release channel is determined based on your cluster's Google Kubernetes Engine (GKE) release channel. However, using the asmcli --channel
option will not break your configuration. Additionally, selecting a different managed Anthos Service Mesh release channel is no longer supported. If the cluster is using static versioning, then managed Anthos Service Mesh will default to the regular channel. For more information, see Managed Anthos Service Mesh release channels.
December 07, 2023
Managed Anthos Service Mesh 1.18 is rolling out in the rapid channel. See Managed Anthos Service Mesh release channels for more information.
If you use Gateway API Automated Deployment, note the following breaking change. With Anthos Service Mesh v1.18 rolled out to the rapid channel, upgrading gateways no longer requires restarting the Pods to trigger a re-injection. Instead, gateways are updated, via a rolling restart, when their revision changes. For more information, see Istio's release note.
November 27, 2023
The rollout of managed Anthos Service Mesh version 1.17 to the rapid channel has completed. Additionally, the rollout of managed Anthos Service Mesh version 1.16 to the stable channel has completed.
See Select a managed Anthos Service Mesh release channel for more information.
If you use Gateway API Automated Deployment, note the following upcoming change. When Anthos Service Mesh v1.18 is rolled out to the rapid channel, upgrading gateways will no longer require restarting the Pods to trigger a re-injection. Instead, gateways will be updated, via a rolling restart, when their revision changes. For more information, see Istio's release note.
November 14, 2023
1.19.3-asm.4 is now available for in-cluster Anthos Service Mesh.
You can now download 1.19.3-asm.4 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.19.3 subject to the list of supported features. Anthos Service Mesh 1.19.3-asm.4 uses Envoy v1.27.2.
1.18.5-asm.2 is now available for in-cluster Anthos Service Mesh.
You can now download 1.18.5-asm.2 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.18.5 subject to the list of supported features. Anthos Service Mesh 1.18.5-asm.2 uses Envoy v1.26.5.
1.17.8-asm.4 is now available for in-cluster Anthos Service Mesh.
You can now download 1.17.8-asm.4 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.17.8 subject to the list of supported features. Anthos Service Mesh 1.17.8-asm.4 uses Envoy v1.25.12.
1.16.7-asm.14 is now available for in-cluster Anthos Service Mesh.
You can now download 1.16.7-asm.14 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.16.7 subject to the list of supported features. Anthos Service Mesh 1.16.7-asm.14 uses Envoy v1.24.11.
October 31, 2023
1.19.3-asm.0 is now available for in-cluster Anthos Service Mesh.
You can now download 1.19.3-asm.0 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.19.3 subject to the list of supported features. Anthos Service Mesh 1.19.3-asm.0 uses Envoy v1.27.1.
After upgrading Anthos Service Mesh to version 1.19.3 for off-Google Cloud clusters, make sure to restart all Pods in order to trigger the re-injection of sidecars. Otherwise, the Anthos Service Mesh metric reports might become inconsistent between the old and new proxies in the cluster.
Managed Anthos Service Mesh 1.19 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout. See Select a managed Anthos Service Mesh release channel for more information.
October 17, 2023
Managed Anthos Service Mesh 1.17 is rolling out in the rapid channel.
Additionally, the rollout of managed Anthos Service Mesh version 1.16 to the regular channel has completed.
See Select a managed Anthos Service Mesh release channel for more information.
October 10, 2023
1.18.4-asm.0 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2023-031 For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.17.7-asm.0 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2023-031 For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.16.7-asm.10 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2023-031 For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
September 06, 2023
1.16.7-asm.7 is now available for in-cluster Anthos Service Mesh.
You can now download 1.16.7-asm.7 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.16.7 subject to the list of supported features. Anthos Service Mesh 1.16.7-asm.7 uses Envoy v1.24.9.
1.17.5-asm.9 is now available for in-cluster Anthos Service Mesh.
You can now download 1.17.5-asm.9 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.17.5 subject to the list of supported features. Anthos Service Mesh 1.17.5-asm.9 uses Envoy v1.25.8.
1.18.2-asm.4 is now available for in-cluster Anthos Service Mesh.
You can now download 1.18.2-asm.4 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.18.2 subject to the list of supported features. Anthos Service Mesh 1.18.2-asm.4 uses Envoy v1.26.5.
September 05, 2023
Anthos Service Mesh will begin creating Network Endpoint Groups (NEGs) for all services. This rollout will proceed gradually over a period of several months, starting with the rapid channel. You may notice the following annotations on each of your services: cloud.google.com/neg
and cloud.google.com/neg-status
.
You can view NEGs with the following command:
gcloud compute network-endpoint-groups list
.
Managed Anthos Service Mesh 1.16 is rolling out in the stable channel. See Managed Anthos Service Mesh release channels for more information.
August 08, 2023
The rollout of managed Anthos Service Mesh version 1.15 to the stable channel has completed.
See Select a managed Anthos Service Mesh release channel for more information.
August 03, 2023
1.18.2-asm.0 is now available for in-cluster Anthos Service Mesh.
You can now download 1.18.2-asm.0 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.18.2 subject to the list of supported features. Anthos Service Mesh 1.18.2-asm.0 uses Envoy v1.26.5.
Managed Anthos Service Mesh 1.18 isn't rolling out to the rapid release channel at this time. You can periodically check this page for announcements regarding rapid channel rollout. See Select a managed Anthos Service Mesh release channel for more information.
Anthos Service Mesh now supports setting up a mesh containing multiple Anthos clusters on AWS. For more information, see Set up a multi-cluster mesh outside Google Cloud.
Google has ended support for in-cluster Anthos Service Mesh 1.15 following the official policy. Managed Anthos Service Mesh will continue to support 1.15 in the stable channel until 1.16 is promoted to the stable channel. For more information, see Supported versions.
July 25, 2023
Updated:2023-07-26
1.17.5-asm.0 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2023-021 For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
Updated:2023-07-26
1.16.7-asm.0 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2023-021 For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
Updated:2023-07-26
1.15.7-asm.23 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2023-021 For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
July 18, 2023
1.15.7-asm.21 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2023-019 For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.16.6-asm.3 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2023-019 For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.17.4-asm.2 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fix for the security vulnerability listed in GCP-2023-019 For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
June 13, 2023
1.17.3-asm.1 is now available for in-cluster Anthos Service Mesh.
You can now download 1.17.3-asm.1 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.17.3 subject to the list of supported features. Anthos Service Mesh 1.17.3-asm.1 uses Envoy v1.25.7.
1.16.5-asm.2 is now available for in-cluster Anthos Service Mesh.
You can now download 1.16.5-asm.2 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.16.5 subject to the list of supported features. Anthos Service Mesh 1.16.5-asm.2 uses Envoy v1.24.8.
1.15.7-asm.16 is now available for in-cluster Anthos Service Mesh.
You can now download 1.15.7-asm.16 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.15.7 subject to the list of supported features. Anthos Service Mesh 1.15.7-asm.16 uses Envoy v1.23.7.
May 24, 2023
The following images are now rolling out for managed Anthos Service Mesh:
- The image for 1.16.4-asm.14 is rolling out to the regular release channel
- The image for 1.15.7-asm.14 is rolling out to the stable release channel
See Select a managed Anthos Service Mesh release channel for more information.
May 23, 2023
1.16.4-asm.14 is now available for in-cluster Anthos Service Mesh.
You can now download 1.16.4-asm.14 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.16.4 subject to the list of supported features. Anthos Service Mesh 1.16.4-asm.14 uses Envoy v1.24.8.
May 08, 2023
Three images that contain a fix for FIPS compliance have successfully rolled out for managed Anthos Service Mesh:
- The image for 1.16.4-asm.8 is in the rapid release channel
- The image for 1.15.7-asm.8 is in the regular release channel
- The image for 1.14.6-asm.16 is in the stable release channel
See Select a managed Anthos Service Mesh release channel for more information.
May 05, 2023
The managed data plane is enabled on by default in the regular and rapid channels. To disable the managed data plane, follow the steps in Disable the managed data plane
April 27, 2023
Three images for managed Anthos Service Mesh are now rolling out and contain a fix for FIPS compliance:
- The image for 1.16.4-asm.8 is rolling out in the rapid release channel
- The image for 1.15.7-asm.8 is rolling out in the regular release channel
- The image for 1.14.6-asm.16 is rolling out in the stable release channel
See Select a managed Anthos Service Mesh release channel for more information.
April 26, 2023
1.17.2-asm.8 is now available for in-cluster Anthos Service Mesh.
Fixes build issues to achieve FIPS compliance. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.16.4-asm.8 is now available for in-cluster Anthos Service Mesh.
Fixes build issues to achieve FIPS compliance. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.15.7-asm.8 is now available for in-cluster Anthos Service Mesh.
Fixes build issues to achieve FIPS compliance. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
April 21, 2023
1.14.6-asm.11 is now available for managed Anthos Service Mesh.
The image for 1.14.6-asm.11 has rolled out in the stable release channel for managed Anthos Service Mesh. See Select a managed Anthos Service Mesh release channel for more information.
1.15.7-asm.1 is now available for managed Anthos Service Mesh.
The image for 1.15.7-asm.1 has rolled out in the regular release channel for managed Anthos Service Mesh. See Select a managed Anthos Service Mesh release channel for more information.
The Service dashboard now displays telemetry from external mesh services that have a canonical service label in the regular release channel. See Defining a Canonical Service for more information.
In-cluster Anthos Service Mesh 1.14 is no longer supported. For more information, see Supported versions.
April 18, 2023
Enabling mesh.googleapis.com
automatically enables trafficdirector.googleapis.com
, networkservices.googleapis.com
, and networksecurity.googleapis.com
. These APIs are required for managed Anthos Service Mesh. However, you can safely disable them on a project or fleet that has no managed Anthos Service Mesh clusters.
April 04, 2023
1.17.2-asm.1 is now available for in-cluster Anthos Service Mesh.
You can now download 1.17.2-asm.1 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.17.1 subject to the list of supported features. Anthos Service Mesh 1.17.2-asm.1 uses Envoy v1.25.2.
Managed Anthos Service Mesh 1.17 is rolling out to the rapid release channel soon. You can periodically check this page for the announcement of the rollout of managed Anthos Service Mesh to the rapid channel. See Select a managed Anthos Service Mesh release channel for more information.
The Envoy projects recently disclosed a series of CVEs that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. The fixes for these CVEs are already included in 1.17.2-asm.1. For more information, see the security bulletin.
Anthos Service Mesh now supports multi-cluster, multi-network meshes on Anthos clusters on Azure. See Install Anthos Service Mesh for more information.
The asmcli
flag --option vm
used by the now deprecated Compute Engine virtual machine feature has been removed.
1.14.6-asm.11 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2023-002 For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.15.7-asm.1 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2023-002. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.16.4-asm.2 is now available for in-cluster Anthos Service Mesh.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2023-002. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
April 03, 2023
Anthos clusters on AWS (previous generation) is deprecated as of April 1, 2023. Therefore, Anthos Service Mesh no longer supports Anthos clusters on AWS (previous generation). For more information, see the deprecation announcement.
March 28, 2023
The control_plane
field in the service mesh fleet feature API (for example, gcloud container fleet mesh update --control-plane ...
) is deprecated. Instead, use the management
field. For more information, see Provision managed Anthos Service Mesh.
March 23, 2023
In April 2023, enabling mesh.googleapis.com
will automatically enable trafficdirector.googleapis.com
, networkservices.googleapis.com
, and networksecurity.googleapis.com
. These APIs will be required for managed Anthos Service Mesh. You will be able to safely disable them on a project or fleet that has no managed Anthos Service Mesh clusters.
Configuring Certificate Authority connectivity through a HTTP CONNECT-based proxy is now generally available (GA). For more information, see Configure Certificate Authority connectivity through a proxy.
March 21, 2023
With Envoy versions 1.22 and later, the default minimal TLS version for servers changed from 1.0 to 1.2. Therefore, for Anthos Service Mesh version 1.14 and later, the default minimum TLS version for gateway servers is 1.2. If you need to configure the minimal TLS version on an Anthos Service Mesh gateway server to be lower than 1.2, then you can configure the minProtocolVersion parameter.
In Anthos Service Mesh versions 1.9 and earlier, the server-side minimum TLS version for Anthos Service Mesh workloads was 1.0. In Anthos Service Mesh versions 1.10 and later, the server-side minimum TLS version for Anthos Service Mesh workloads is configured to be 1.2 to improve TLS security. For better security, Anthos Service Mesh does not support configuring the minimum workload TLS version to be lower than 1.2.
Anthos clusters on AWS (previous generation) will be deprecated as of April 1, 2023. Therefore, Anthos Service Mesh will not support Anthos clusters on AWS (previous generation) starting April 1, 2023. For more information, see the deprecation announcement.
February 28, 2023
1.14.6-asm.9 is now available for in-cluster Anthos Service Mesh.
You can now download 1.14.6-asm.9 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.14.6 subject to the list of supported features.
February 22, 2023
1.15.5-asm.2 is now available for in-cluster Anthos Service Mesh.
You can now download 1.15.5-asm.2 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.15.5 subject to the list of supported features.
February 21, 2023
1.16.2-asm.2 is now available for in-cluster Anthos Service Mesh.
You can now download 1.16.2-asm.2 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.16.2 subject to the list of supported features.
Managed Anthos Service Mesh 1.16 isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of managed Anthos Service Mesh to the rapid channel. See Select a managed Anthos Service Mesh release channel for more information.
Anthos Service Mesh now supports multi-cluster meshes on Amazon EKS and Microsoft AKS. See Install Anthos Service Mesh and Set up a multi-cluster mesh outside Google Cloud for more information.
Anthos Service Mesh now supports Mesh CA on all supported platforms.
Anthos Service Mesh now supports Anthos Clusters on Azure as a preview feature.
Anthos Service Mesh 1.13 is no longer supported. For more information, see Supported versions.
January 30, 2023
1.15.4-asm.4 is now available for in-cluster Anthos Service Mesh.
You can now download 1.15.4-asm.4 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.15.4 subject to the list of supported features.
January 24, 2023
1.13.9-asm.10 is now available for in-cluster Anthos Service Mesh.
You can now download 1.13.9-asm.10 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.13.9 subject to the list of supported features.
January 19, 2023
1.14.6-asm.4 is now available for in-cluster Anthos Service Mesh.
You can now download 1.14.6-asm.4 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.14.6 subject to the list of supported features.
January 18, 2023
1.15.4-asm.2 is now available for in-cluster Anthos Service Mesh.
You can now download 1.15.4-asm.2 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.15.4 subject to the list of supported features.
1.13.9-asm.9 is now available for in-cluster Anthos Service Mesh.
You can now download 1.13.9-asm.9 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.13.9 subject to the list of supported features.
Service mesh cloud gateway is now available as a preview feature for managed Anthos Service Mesh in the rapid release channel. With service mesh cloud gateway, you can configure Anthos Service Mesh ingress gateway with Cloud Load Balancing through the Kubernetes Gateway API. For more information, see Configure external HTTP(S) Load Balancing for managed Anthos Service Mesh.
November 21, 2022
1.15.3-asm.6 is now available for in-cluster Anthos Service Mesh.
You can now download 1.15.3-asm.6 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.15.3 subject to the list of supported features.
1.14.5-asm.8 is now available for in-cluster Anthos Service Mesh.
You can now download 1.14.5-asm.8 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.14.5 subject to the list of supported features.
1.13.9-asm.3 is now available for in-cluster Anthos Service Mesh.
You can now download 1.13.9-asm.3 for in-cluster Anthos Service Mesh. It includes the features of Istio 1.13.9 subject to the list of supported features.
November 07, 2022
The rollout of version 1.15 for managed Anthos Service Mesh has completed in all regions.
November 03, 2022
1.15.3-asm.1 is now available.
Anthos Service Mesh 1.15.3-asm.1 includes the features of Istio 1.15.3 subject to the list of Anthos Service Mesh supported features. If you've installed in-cluster 1.15.2, please update to 1.15.3 right away. Google will automatically upgrade customers running managed Anthos Service Mesh.
November 02, 2022
VPC-SC for managed Anthos Service Mesh is generally available (GA) in the rapid channel.
November 01, 2022
Version 1.15 is now available for managed Anthos Service Mesh and is rolling out to the Rapid Release Channel.
Upon rollout completion, the managed Anthos Service Mesh channels will contain the following versions:
- Rapid Release Channel - Version 1.15
- Regular Release Channel - Version 1.14
- Stable Release Channel - Version 1.13
Note that regions will have mixed availability during the 1.15 rollout. Additionally, stable and regular channel promotion occurs before 1.15 rolls out to rapid channel.
See Select a managed Anthos Service Mesh release channel for more information.
End-user authentication is being made available to managed Anthos Service Mesh in the rapid release channel. See the preceding release note for rollout timelines.
October 25, 2022
1.15.2-asm.6 is now available.
Anthos Service Mesh 1.15.2-asm.6 includes the features of Istio 1.15.2 subject to the list of Anthos Service Mesh supported features.
Docker images for in-cluster Anthos Service Mesh v1.15 and later support the Arm architecture.
Anthos Service Mesh now supports configuring Mesh CA and Google CA Service connectivity through an HTTPS proxy when direct connectivity from the sidecar-injected workloads is not available (for example, due to firewalls or other restrictive features). See Configure Certificate Authority connectivity through a proxy for more information.
Anthos Service Mesh 1.12 is no longer supported. For more information, see Supported versions.
Managed Anthos Service Mesh 1.15 isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of Managed Anthos Service Mesh to the rapid channel. See Select a managed Anthos Service Mesh release channel for more information.
1.14.5-asm.3 is now available.
Anthos Service Mesh 1.14.5-asm.3 includes the features of Istio 1.14.5 subject to the list of Anthos Service Mesh supported features.
1.13.9-asm.1 is now available.
Anthos Service Mesh 1.13.9-asm.1 includes the features of Istio 1.13.9 subject to the list of Anthos Service Mesh supported features.
October 19, 2022
VPC-SC for managed Anthos Service Mesh will soon be generally available (GA) in the rapid channel. Older versions of the istioctl
support tool may not be compatible with the enhanced security checks. To ensure compatibility, download the latest version of istioctl
.
October 05, 2022
The Istio and Go projects recently disclosed a CVE that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see the security bulletin.
1.14.4-asm.2 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2022-020. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.13.8-asm.3 and 1.13.8-asm.4 are now available.
These patch releases contain the fixes for the security vulnerabilities listed in GCP-2022-020. If your environment uses managed Anthos Service Mesh, then 1.13.8-asm.3 was rolled out to the Regular release channel and you do not need to take additional steps. If your environment uses in-cluster Anthos Service Mesh, then you must upgrade to 1.13.8-asm.4. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.12.9-asm.3 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2022-020. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
September 22, 2022
1.14.4-asm.0 is now available.
Anthos Service Mesh 1.14.4-asm.0 includes the features of Istio 1.14.4 subject to the list of Anthos Service Mesh supported features.
1.13.8-asm.1 is now available.
Anthos Service Mesh 1.13.8-asm.1 includes the features of Istio 1.13.8 subject to the list of Anthos Service Mesh supported features.
September 08, 2022
Managed Anthos Service Mesh support for GKE Autopilot is now generally available in the Regular and Rapid channels. For more information, see Configure managed Anthos Service Mesh with fleet API or Configure managed Anthos Service Mesh with asmcli
.
September 07, 2022
Automatically configuring managed Anthos Service Mesh using the Fleet Feature API is now generally available in the rapid, regular, and stable release channels. With this feature, Google will automatically configure your control plane, data plane, and multi-cluster endpoint visibility. This is the preferred method to provision managed Anthos Service Mesh on GKE. For more information, see Configure managed Anthos Service Mesh with fleet API.
The Google-managed data plane is now generally available (GA) as a part of managed Anthos Service Mesh. The managed data plane helps you upgrade data plane proxies automatically. For more information see Configure managed Anthos Service Mesh.
September 01, 2022
1.13.7-asm.3 is now available.
This patch release contains a fix for an issue where istiod
starts up very slowly when connectivity to the Google Cloud metadata service is partially broken. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
Anthos Service Mesh 1.13.7-asm.3 includes the features of Istio 1.13.7 subject to the list of Anthos Service Mesh supported features.
August 18, 2022
1.13.7-asm.0 is now available.
Anthos Service Mesh 1.13.7-asm.0 includes the features of Istio 1.13.7 subject to the list of Anthos Service Mesh supported features.
August 12, 2022
1.14.3-asm.1 is now available.
This patch release contains a fix for the known issue with the signatures of the revisions released August 11, 2022.
Anthos Service Mesh 1.14.3-asm.1 includes the features of Istio 1.14.3 subject to the list of Anthos Service Mesh supported features.
August 11, 2022
1.14.3-asm.0 is now available.
Anthos Service Mesh 1.14.3-asm.0 includes the features of Istio 1.14.3 subject to the list of Anthos Service Mesh supported features.
1.12.9-asm.0 is now available.
Anthos Service Mesh 1.12.9-asm.0 includes the features of Istio 1.12.9 subject to the list of Anthos Service Mesh supported features.
August 01, 2022
The Mesh Config API (meshconfig.googleapis.com
) now enables the Connect Gateway API (connectgateway.googleapis.com
) and the GKE Hub API (gkehub.googleapis.com
). This change does not incur any additional cost.
July 26, 2022
Version 1.14 is now available for managed Anthos Service Mesh and is rolling out to the Rapid Release Channel.
The managed Anthos Service Mesh channels are now mapped to the following versions:
- Rapid Release Channel - Version 1.14
- Regular Release Channel - Version 1.13
- Stable Release Channel - Version 1.12
See Select a managed Anthos Service Mesh release channel for more information.
July 20, 2022
1.14.1-asm.3 is now available.
Anthos Service Mesh 1.14 includes the features of Istio 1.14 subject to the list of Anthos Service Mesh supported features.
Anthos Service Mesh allows you to configure the minimum TLS version for your Istio workloads. See Configure minimum TLS version for your workloads for more information.
Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of Managed Anthos Service Mesh to the rapid channel. See Select a managed Anthos Service Mesh release channel for more information.
Anthos Service Mesh 1.11 is no longer supported. For more information, see Supported versions.
1.12.8-asm.2 is now available.
Anthos Service Mesh 1.12 includes the features of Istio 1.12.8 subject to the list of Anthos Service Mesh Supported features.
1.13.5-asm.1 is now available.
Anthos Service Mesh 1.13 includes the features of Istio 1.13.5 subject to the list of Anthos Service Mesh Supported features.
June 17, 2022
The Fleet Feature API (mesh.googleapis.com
) now enables the Connect Gateway API (connectgateway.googleapis.com
). This change does not incur any additional cost.
June 10, 2022
There is a known issues with the signatures of the revisions released June 9, 2022. To avoid this issue, upgrade to one of the following versions instead:
- 1.13.4-asm.4
- 1.12.7-asm.2
- 1.11.8-asm.4
1.13.4-asm.4 is now available.
This patch release contains a fix for the known issue with the signatures of the revisions released June 9, 2022 as well as the fixes for the security vulnerabilities listed in GCP-2022-015. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.12.7-asm.2 is now available.
This patch release contains a fix for the known issue with the signatures of the revisions released June 9, 2022 as well as the fixes for the security vulnerabilities listed in GCP-2022-015. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.11.8-asm.4 is now available.
This patch release contains a fix for the known issue with the signatures of the revisions released June 9, 2022 as well as the fixes for the security vulnerabilities listed in GCP-2022-015. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
June 09, 2022
The Istio and Envoy projects recently disclosed a series of CVEs that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see the security bulletin.
1.13.4-asm.3 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2022-015. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.12.7-asm.1 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2022-015. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.11.8-asm.3 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2022-015. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
May 20, 2022
Enabling endpoint discovery multi-cluster installations with declarative API is now available as a preview feature in all release channels. For more information, see Enable endpoint discovery between public clusters with declarative API.
May 12, 2022
1.11.8-asm.1 is now available.
This patch release includes the features of Istio 1.11.8 subject to the list of Anthos Service Mesh Supported features. Anthos Service Mesh version 1.11.8-asm.1 uses envoy v1.19.3.
1.12.6-asm.3 is now available.
This patch release contains the features of Istio 1.12.6 subject to the list of Anthos Service Mesh Supported features. Anthos Service Mesh version 1.12.6-asm.3 uses envoy v1.20.3.
1.13.2-asm.5 is now available.
This patch release contains the features of Istio 1.13.2 subject to the list of Anthos Service Mesh Supported features. Anthos Service Mesh version 1.13.2-asm.5 uses envoy v1.21.2.
May 03, 2022
Version 1.13 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel.
Version 1.12 is being promoted to the Regular Release Channel, and version 1.11 is being promoted to the Stable Release Channel.
See Select a managed Anthos Service Mesh release channel for more information.
In addition to the existing labels, you can now use the "istio-injection" label as an alias. For more information, see Injection labels.
April 14, 2022
1.13.2-asm.2 is now available.
Anthos Service Mesh 1.13 includes the features of Istio 1.13.2 subject to the list of Anthos Service Mesh Supported features.
March 30, 2022
1.13.1-asm.1 is now available.
Anthos Service Mesh 1.13 includes the features of Istio 1.13 subject to the list of Anthos Service Mesh supported features.
Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of Managed Anthos Service Mesh to the rapid channel. See Select a managed Anthos Service Mesh release channel for more information.
Anthos Service Mesh now supports Google Kubernetes Engine on Google Cloud and On-premise combined in a hybrid mesh as a public preview feature. See Install Anthos Service Mesh and Set up a multi-cluster mesh for more information.
Anthos Service Mesh now supports Google Kubernetes Engine on Google Cloud and Amazon EKS combined in a multi-cloud mesh as a public preview feature. See Install Anthos Service Mesh and Set up a multi-cluster mesh for more information.
Enabled a single Cloud API (mesh.googleapis.com
), which automatically enables all required Cloud APIs for Anthos Service Mesh.
In general, the Service dashboards support all current versions of Anthos Service Mesh. Historically, the Anthos Service Mesh release notes attempted to announce each of these dashboard updates. Going forward, the Anthos Service Mesh release notes will no longer explicitly announce dashboard updates but reserve the space for significant new feature announcements.
Anthos Service Mesh 1.10 is no longer supported. For more information, see Supported versions.
March 10, 2022
The Istio project recently disclosed a CVE that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see the security bulletin.
1.12.5-asm.0 is now available.
This patch release contains the fixes for the security vulnerability listed in GCP-2022-010. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.11.8-asm.0 is now available.
This patch release contains the fixes for the security vulnerability listed in GCP-2022-010. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.10.6-asm.2 is now available.
This patch release contains the fixes for the security vulnerability listed in GCP-2022-010. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
March 02, 2022
1.12.4-asm.2 is now available.
Anthos Service Mesh includes the features of Istio 1.12 subject to the list of Anthos Service Mesh supported features.
Anthos Service Mesh now supports certificate templates with the Certificate Authority Service integration. See Install default features and CA Service for more information.
February 22, 2022
The Istio project recently disclosed a series of CVEs that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see the security bulletin.
1.12.4-asm.1 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2022-007. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.11.7-asm.1 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2022-007. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
1.10.6-asm.1 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2022-007. For details on upgrading Anthos Service Mesh, refer to Upgrade Anthos Service Mesh.
February 04, 2022
Using the fleet feature API to set up managed Anthos Service Mesh with automatic control plane management is now available as a preview feature in the rapid, regular, and stable release channels. For more information, see Configure managed Anthos Service Mesh with fleet API.
January 28, 2022
The Anthos Service Mesh dashboard in the Cloud Console now supports cross-project clusters, Anthos on GKE-on-vSphere (on-prem), and Anthos on Bare Metal. For more information, see Observability overview.
January 20, 2022
1.10.6-asm.0 is now available.
This patch release contains the same bug fixes that are in Istio 1.10.6. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
1.12.2-asm.0 is now available.
This patch release contains the same bug fixes that are in Istio 1.12.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
January 19, 2022
Version 1.12 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel.
Version 1.11 has been promoted to the Regular Release Channel, and version 1.10 has been promoted to the Stable Release Channel.
See Select a managed Anthos Service Mesh release channel for more information.
Managed Anthos Service Mesh now supports GKE Autopilot in the Regular and Rapid channels. For more information, see Configure managed Anthos Service Mesh.
Managed Anthos Service Mesh control plane now displays its provisioning status in the ControlPlaneRevision API. For more information, see Verify the control plane has been provisioned.
Managed Anthos Service Mesh now supports deploying a proxy built on the distroless base image. Note that distroless proxy images do not work with managed data plane.
The distroless base image ensures that the proxy image contains the minimal number of packages required to run the proxy. This improves security posture by reducing the overall attack surface of the image and gets cleaner results with CVE scanners. See Distroless proxy image for more information.
December 16, 2021
1.12.0-asm.4 is now available.
Anthos Service Mesh includes the features of Istio 1.12 subject to the list of Anthos Service Mesh supported features.
Fixed a compatibility issue in the previous release between GKE 1.22, the Anthos Service Mesh Certificate Authority (Mesh CA), and Certificate Authority Service (CA Service).
Managed Anthos Service Mesh now supports Locality Load Balancing and Consistent Hash Load Balancing in the regular and rapid channels.
Anthos Service Mesh now supports Locality Load Balancing and Consistent Hash Load Balancing.
December 14, 2021
This release note was updated on December 16, 2021. Managed Anthos Service Mesh still supports 1.9 in the Stable Release Channel.
Anthos Service Mesh 1.7-1.9 are no longer supported. For more information, see Supported versions.
December 13, 2021
Managed Anthos Service Mesh now supports VPC Service Controls (VPC-SC) as a preview feature in the rapid channel. For more information, see Configure VPC Service Control for Managed Anthos Service Mesh.
1.11.5-asm.3 is now available.
Anthos Service Mesh 1.11 includes the features of Istio 1.11 subject to the list of Anthos Service Mesh supported features.
December 09, 2021
1.12.0-asm.3 is now available.
Anthos Service Mesh 1.12 includes the features of Istio 1.12 subject to the list of Anthos Service Mesh supported features.
Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of Managed Anthos Service Mesh to the rapid channel. See Select a managed Anthos Service Mesh release channel for more information.
Anthos Service Mesh now supports installations and upgrades on Microsoft Azure Kubernetes Service (AKS) clusters.
Anthos Service Mesh now supports the Certificate Authority Service integration on on-premises platforms (both Anthos on VMware and bare metal). See install and upgrade with default features and CA Service.
Anthos Service Mesh now supports deploying a proxy built on the distroless base image. The distroless base image ensures that the proxy image contains the minimal number of packages required to run the proxy. This improves security posture by reducing the overall attack surface of the image and gets cleaner results with CVE scanners. See Distroless proxy image for more information.
For unmanaged Anthos Service Mesh installations, the installer will automatically set up the default tag (the istio-revision-tag-default
and istio-default-validator
webhooks). When the default tag exists, it is possible to use the istio-injection=enabled
namespace label and the sidecar.istio.io/inject
workload label to enable sidecar injection for that revision.
November 19, 2021
1.11.4-asm.5 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel. See Select a managed Anthos Service Mesh release channel for more information.
Managed Anthos Service Mesh now supports Certificate Authority (CA) Service. To install managed Anthos Service Mesh with CA Service, see Configure managed Anthos Service Mesh.
Managed Anthos Service Mesh now supports GKE Autopilot as a preview feature in the Rapid Channel. For more information, see Configure managed Anthos Service Mesh with asmcli x
.
November 04, 2021
Version 1.11 is now available for managed Anthos Service Mesh and is rolling out into the Rapid Release Channel. See Select a managed Anthos Service Mesh release channel for more information.
Managed Anthos Service Mesh now supports Multi-project with shared VPC in the Rapid Release Channel. For more information, see Configure managed Anthos Service Mesh.
Managed Anthos Service Mesh now supports private GKE clusters with private control plane. This means that all types of private GKE clusters are supported. For more information, see Environments on the Supported features page.
October 06, 2021
1.11.2-asm.17 is now available.
Anthos Service Mesh 1.11 includes the features of Istio 1.11 subject to the list of Anthos Service Mesh supported features.
Managed Anthos Service Mesh isn't rolling out to the rapid release channel at this time. You can periodically check this page for the announcement of the rollout of Managed Anthos Service Mesh to the rapid channel. See Select a Managed Anthos Service Mesh release channel for more information.
asmcli
is generally available for new installations and upgrades of Anthos
Service Mesh. You can use asmcli
to:
Install the Anthos Service Mesh in-cluster control plane
The in-cluster control plane is supported on the on the following platforms
using asmcli
:
- GKE clusters in a single project
- GKE clusters in multiple projects
- Anthos clusters on VMware
- Anthos on bare metal
- Anthos clusters on AWS
- Amazon EKS
Note: Upgrades from Anthos Service Mesh 1.7 on EKS to Anthos Service Mesh 1.11 aren't supported. You will need to set up a new EKS cluster to install Anthos Service Mesh 1.11.
asmcli
requires clusters to be registered with a fleet. asmcli
can automatically register a cluster as long as it meets the requirements specified in
fleet requirements. asmcli
does not support automatic fleet registration for GKE 1.22 clusters, which must be registered manually before installation.
Using install_asm
and istioctl install
is deprecated and support for these
tools for installations and upgrades of Anthos Service Mesh will be removed when
Anthos Service Mesh 1.12 is released. Please update your scripts and tools to
use asmcli
. For more information see
Transitioning to asmcli.
The Anthos Service Mesh integration with Certificate Authority Service (CA Service) is generally available. You can use CA Service as the certificate authority for signing mutual TLS certificates. See Configure Anthos Service Mesh to use CA Service for details.
Anthos Service Mesh uses a proxy that is based on OSS Envoy. The Anthos Service Mesh 1.11 proxy is based on Envoy v1.19.1.
September 20, 2021
1.9.8-asm.6 and 1.10.4-asm.14 are now available.
These patch releases fix a potential memory leak in the control plane.
September 14, 2021
1.9.8-asm.3 and 1.10.4-asm.9 are now available.
These patch releases:
- Introduced a rate limit to improve control plane availability under load spikes.
- Fixed a memory leak and proxy count issue in the control plane.
August 24, 2021
1.10.4-asm.6 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Upgrading on GKE or On-premises using the
asmcli
script. - Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
The asmcli
script is now available in preview. With this script you can install and upgrade Anthos Service Mesh on GKE and On-premises. For more information, see About the asmcli
.
Google-managed data plane is now available in preview as a part of managed Anthos Service Mesh. Google-managed data plane helps you upgrade data plane proxies automatically. For more information see Configure managed Anthos Service Mesh.
Anthos Service Mesh for Compute Engine VMs now uses gcloud
commands and supports Google-managed control planes. For more information, see Add Compute Engine virtual machines to Anthos Service Mesh.
The Istio project recently disclosed a series of CVEs that can expose Anthos Service Mesh to remotely exploitable vulnerabilities. For more information, see the security bulletin.
Anthos Service Mesh now supports skip-version upgrades for single-project clusters on GKE running versions 1.7 and higher. This means you can now upgrade 1.7 and 1.8 installations directly to 1.10. For more information, see Upgrading Anthos Service Mesh to the latest version.
1.9.8-asm.1 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Upgrading on GKE or On-premises using the
asmcli
script (preview) - Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
1.8.6-asm.8 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Upgrading on GKE or On-premises using the
asmcli
script (preview) - Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
1.7.8-asm.10 is now available.
This patch release contains the fixes for the security vulnerabilities listed in GCP-2021-016. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Upgrading on GKE or On-premises using the
asmcli
script (preview) - Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
July 28, 2021
1.8.6-asm.7 is now available. This patch release:
- Fixes a bug that could lead to memory leaks in the proxy.
- Fixes a bug causing invalid
cipherSuites
in the Gateway configuration that could cause broken traffic.
July 22, 2021
The 1.x version of kpt
breaks Anthos Service Mesh installations and upgrades. Anthos Service Mesh requires a pre -1.x version of kpt
. The latest version of the gcloud
command-line tool includes the 1.x kpt
that breaks installs and upgrades.
Make sure that you are running a pre 1.x version of kpt
:
kpt version
The output should be similar to the following:
0.39.2
If you have kpt
version 1.x or higher, use the curl
command in Setting up your environment to download the required version for your operating system.
If you are installing or upgrading Anthos Service Mesh using the install_asm
script, make sure to download the most recent
version of the script. The updated version of install_asm
checks your kpt
version. If needed, install_asm
downloads and uses the required kpt
version. Run install_asm --version
to make sure you have a version of install_asm
that has the workaround. You need the following install_asm
versions or higher:
1.10: 1.10.2-asm.3+config1 or higher. Get the latest 1.10 install_asm.
1.9: 1.9.6-asm.2+config1 or higher. Get the latest 1.9 install_asm.
1.8 1.8.6-asm.5+config1 or higher. Get the latest 1.8 install_asm.
1.7 Download the required
kpt
version as described above.
June 30, 2021
Anthos Service Mesh user authentication is now generally available (GA). This feature lets you use existing Identity Providers (IDP) for user authentication and access control to your workloads. For more information, see Configuring Anthos Service Mesh user authentication.
1.10.2-asm.3 is now available and includes a fix for the known issue with control plane metric reporting reported on June 25, 2021.
For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
June 29, 2021
There is a breaking change in 1.10 with inbound forwarding that affects applications that bind solely to the localhost
interface.
For more information, see the 1.10 Istio upgrading notes.
June 25, 2021
There is a known issue in 1.10.2-asm.2 where control plane metric reporting to Cloud Monitoring is not functioning properly and reports excessive error logs in the Istiod container.
June 24, 2021
1.10.2-asm.2 is now available.
This patch release contains the same bug fixes that are in Istio 1.10.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
Anthos clusters on-premises support Mesh CA.
New installations of Anthos Service Mesh 1.10x on Anthos clusters on VMWare and bare metal support the Anthos Service Mesh certificate authority (Mesh CA). For details on the installation, see Installing Anthos Service Mesh on-premises.
When you install Anthos Service Mesh on-premises with Mesh CA, this enables Cloud Monitoring and Cloud Logging by default. Additionally, you can use Cloud Trace (which you enable separately) as needed for troubleshooting.
Google-managed control plane release channels are available.
Anthos Service Mesh releases updates often, to deliver security updates, fix known issues, and introduce new features. Release channels offer you the ability to balance between stability and the feature set of the Anthos Service Mesh version. Google automatically manages the version and upgrade cadence for each release channel. To learn more, see the following:
Migrating to Mesh CA from Istio CA with little or no downtime.
Migrating to Anthos Service Mesh certificate authority (Mesh CA) from Istio CA (also known as Citadel) requires migrating the root of trust. Prior to Anthos Service Mesh 1.10, if you wanted to migrate from Istio on to Anthos Service Mesh with Mesh CA, you needed to schedule downtime because Anthos Service Mesh was not able to load multiple root certificates, which interrupted mutual TLS (mTLS) traffic during the migration.
With Anthos Service Mesh 1.10 and higher, you can install a new in-cluster control plane with an option that distributes the Mesh CA root of trust to all proxies. After switching to the new control plane and restarting workloads, all proxies are configured with both the Istio CA and Mesh CA root of trust. Next, you install a new in-cluster control plane that has Mesh CA enabled. As you switch workloads over to the new control plane, mTLS traffic isn't interrupt. For details, see Migrating to Mesh CA.
The Istio project recently announced a security vulnerability (CVE-2021-34824) where where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.
For more information, see the GCP-2021-012 security bulletin.
1.8.6-asm.4 and 1.9.6-asm.1 are now available. This release updates the envoy versions for the following Anthos Service Mesh versions:
- 1.8.6-asm.2 uses Envoy v1.16.3.
- 1.9.6-asm.1 uses Envoy v1.17.2.
These patch releases contains a fix for CVE-2021-34824. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Anthos Service Mesh 1.8.x
- Anthos Service Mesh 1.9.x
June 15, 2021
Google-managed control plane is now a generally available (GA) feature. This feature lets you move from managing Istiod in your clusters to configuring the control plane as a service. Google will manage the availability, scalability and security of the control plane.
In addition, it offers these new features:
- Support for CNI
- Support for private clusters with a public IP address/endpoint access for the control plane
- Support for private clusters with Master Authorized Network (MAN)
Using the Google-managed control plane also simplifies multi-cluster mesh configuration and reduces the Kubernetes Engine privileges needed to install Anthos Service Mesh. For more information see Configuring the Google-managed control plane.
May 19, 2021
Anthos Service Mesh 1.6 is no longer supported. For more information see Supported versions.
May 17, 2021
1.9.5-asm.2, 1.8.6-asm.3, and 1.7.8-asm.8 are now available.
This release fixes the following security vulnerabilities:
For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
Anthos Service Mesh uses a proxy that is based on OSS Envoy. The Envoy version that the Anthos Service Mesh proxy uses differs by Anthos Service Mesh version, as follows:
- 1.9.5-asm.2: Envoy v1.17.1
- 1.8.6-asm.3: Envoy v1.16.3
- 1.7.8-asm.8: Envoy v1.15.4
April 20, 2021
1.9.3-asm.2, 1.8.5-asm.2, 1.7.8-asm.1, and 1.6.14-asm.2 are now available.
Fixes the security issue, ISTIO-SECURITY-2021-003, with the same fixes as Istio 1.9.3. These fixes were also backported to the specified Anthos Service Mesh versions.
This release updates the envoy versions for the following Anthos Service Mesh versions:
- Anthos Service Mesh version 1.9.3-asm.2 uses envoy v1.17.2.
- Anthos Service Mesh version 1.8.5-asm.2 uses envoy v1.16.3.
- Anthos Service Mesh version 1.7.8-asm.1 uses envoy v1.15.4.
- Anthos Service Mesh version 1.6.14-asm.2 uses envoy v1.14.7.
For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Anthos Service Mesh 1.9.x
- Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
- Upgrading on GKE using the
- Anthos Service Mesh 1.8.x
- Anthos Service Mesh 1.7.x
- Anthos Service Mesh 1.6.x
Adding multiple private clusters from different projects into a single Mesh on GKE is now available as a generally available (GA) feature.
Adding multiple private clusters from different projects into a single Mesh on GKE is now available as a public preview feature.
April 02, 2021
1.9.2-asm.1 is now available.
This patch release contains the same bug fixes that are in Istio 1.9.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
Anthos Service Mesh user authentication is now available as a public preview feature on installations of 1.9. This feature lets you use existing Identity Providers (IDP) for user authentication and access control to your workloads. For more information, see Configuring Anthos Service Mesh user authentication.
March 29, 2021
The Anthos Service Mesh Topology (beta) page in Cloud Console won't display properly if unsupported versions, including versions earlier than Anthos Service Mesh 1.6.8, are installed on your clusters or if you have disabled the Canonical Service controller in clusters in your project.
Note that the Canonical Service controller is enabled by default on version 1.6.8 and higher. If you did not disable the Canonical Service controller on a supported version, no action is required.
What should I do?
March 04, 2021
1.9.1-asm.1 is now available. Anthos Service Mesh 1.9 includes the features of Istio 1.9 subject to the list of Anthos Service Mesh supported features.
Google-managed control plane is now available as a public preview feature. This feature lets you move from managing istiod
in your clusters to configuring the control plane as a service. Google will manage the availability, scalability and security of the control plane.
Using the managed control plane also simplifies multi-cluster mesh configuration and reduces the Kubernetes Engine privileges needed to install Anthos Service Mesh. For more information see Configuring the Google-managed control plane.
Anthos Service Mesh for Compute Engine VMs is now available as a public preview feature. With this new feature you can manage, observe, and secure services running on both Compute Engine Managed Instance Groups and Kubernetes Engine clusters in the same mesh. You can mix and choose the best environment to run your services while enjoying the benefits of Anthos Service Mesh.
This feature also improves security and usability by letting you use Compute Engine service accounts for mTLS authentication to other Compute Engine VMs and Kubernetes Engine Pods. For more information see the documentation.
Anthos Service Mesh 1.5 is no longer supported. For more information see Supported versions.
February 23, 2021
1.8.3-asm.2 is now available.
This patch release contains the same bug fixes that are in Istio 1.8.3. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
February 12, 2021
1.6.14-asm.1 is now available.
This patch release contains a fix for CVE-2021-3156. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
February 02, 2021
1.8.2-asm.2 is now available.
This patch release contains the same bug fixes that are in Istio 1.8.2. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
- Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
The install_asm
script lets you reinstall the same version
You can use the install_asm
script when you need to reinstall the same Anthos Service Mesh version to change the control plane configuration. For more information, see the following:
January 20, 2021
1.7.6-asm.1 is now available.
This patch release contains the same bug fixes that are in Istio 1.7.6. For details on upgrading Anthos Service Mesh, refer to the following Anthos Service Mesh upgrade guides:
- Upgrading on GKE using the
install_asm
script - Upgrading on Anthos clusters on VMware
January 12, 2021
1.6.14-asm.0 is now available.
This patch release contains the same bug fixes that are in Istio 1.6.14. For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
December 16, 2020
1.8.1-asm.5 is now available.
Multi-cluster support for GKE on-prem Beta
Anthos Service Mesh now supports multi-cluster meshes when running on GKE on-prem. For more information, see Add clusters to Anthos Service Mesh on-prem.
New flags for the install_asm script
The install_asm
script was enhanced to provide you with more granular control
over the changes that the script makes on your project and GKE on Google Cloud
cluster. For more information, see the
Enablement flags
section in the documentation for the script.
Third-party add-ons removed from all profiles
The Prometheus, Grafana, and Kiali add-ons were removed from all Anthos Service
Mesh profiles. For information on why the add-ons were removed, see
Reworking our Addon Integrations. Installation of these third-party add-ons was removed from the 1.8 IstioOperator
API, which means that they can't be installed with the istioctl install
command.
For information on installing a demo version of the add-ons, see
Integrating with third-party add-ons.
Note that by default, metrics are still exported to Prometheus in the asm-multicloud
profile. You can optionally enable metrics export to Prometheus in the asm-gcp-multiproject
profile.
Anthos Service Mesh 1.8 isn't supported on Anthos attached clusters and GKE on AWS
Anthos Service Mesh 1.8 currently isn't supported on Anthos attached clusters (Microsoft AKS and Amazon EKS) and GKE on AWS (Amazon EC2). Anthos Service Mesh 1.7 and 1.6 are supported for these environments. For more information, see the following guides:
Reduced permissions required for installation
The permissions required for installation have been scaled back. Testing has shown that the Project Editor role can be replaced with more granular roles. For the complete list, see Permissions required to install Anthos Service Mesh.
November 12, 2020
Anthos Service Mesh, Mesh CA and the Anthos Service Mesh dashboards in Google Cloud Console are now available for any GKE customer and do not require the purchase of Anthos. See pricing for details.
There are slight changes to the behavior of Google Cloud Console for customers who use Anthos Service Mesh without an Anthos subscription. See details here.
Added a shell script to automate Anthos Service Mesh installation and migration from Istio and the Istio on GKE add-on. For details, see the following guides:
November 03, 2020
1.7.3-asm.6 is now available
Anthos Service Mesh 1.7 is compatible with and has the feature set of Istio 1.7, subject to the list of Anthos Service Mesh supported features.
Added support for on-premises secure key management, provided by Thales Luna HSM 7+ and Hashicorp Vault.
Added a shell script to automate Anthos Service Mesh installation and migration from Istio 1.6. See the installation guide for details.
Added revision label support to sidecar injection for greater control over various scenarios, such as canary upgrades and more.
The beta validation tool asmctl is retired and the lessons learned are built into the new, streamlined Anthos Service Mesh install script.
If you use unsupported Istio features in your Anthos Service Mesh deployment, see Istio upgrade notes for changes that might affect you.
October 13, 2020
1.4.10-asm.19 is now available
You can now allow an experimental feature to exceed 4GB of memory usage.
September 29, 2020
1.6.11-asm.1, 1.5.10-asm.2, and 1.4.10-asm.18
Fixes the security issue, ISTIO-SECURITY-2020-010, with the same fixes as Istio 1.6.11. These fixes were backported to 1.6.11-asm.1, 1.5.10-asm.2 and 1.4.10-asm.18. For more information, see the Istio 1.6.11 release notes.
For details on upgrading Anthos Service Mesh, refer to the following upgrade guides:
1.6
1.5
1.4
August 27, 2020
1.6.8-asm.9 is now available
Adds beta support for joining multiple clusters from different projects into a single Anthos Service Mesh on Google Kubernetes Engine.
Adds Citadel CA support for gcp
profiles.
Fixes an issue for enabling trust domain validation at the transport socket level.
August 14, 2020
1.6.8-asm.0 and 1.5.9-asm.0
Fixes the security issue, ISTIO-SECURITY-2020-009, with the same fixes as Istio 1.6.8 and Istio 1.5.9. For more information, see the Istio release notes:
July 24, 2020
Anthos Service Mesh on GKE on AWS is supported.
For more information, see Installing Anthos Service Mesh on GKE on AWS.
July 22, 2020
1.6.5-asm.7, 1.5.8-asm.7, and 1.4.10-asm.15 are now available
This release provides these features and fixes:
- Builds Istiod (Pilot), Citadel Agent, Pilot Agent, Galley, and Sidecar Injector with Go+BoringCrypto.
- Builds Istio Proxy (Envoy) with the --define boringssl=fips option.
- Ensures the components listed above use FIPS-compliant algorithms.
July 10, 2020
1.6.5-asm.1, 1.5.8-asm.0, and 1.4.10-asm.4
Fixes the security issue, ISTIO-SECURITY-2020-008, with the same fixes as Istio 1.6.5 and Istio 1.5.8. These fixes were backported to 1.4.10-asm.4. For more information, see the Istio release notes:
June 30, 2020
1.6.4-asm.9 is now available.
ASM 1.6 is compatible with and has the feature set of Istio 1.6 (see Istio release notes), subject to the list of ASM Supported Features.
Anthos Service Mesh now supports multi-cluster meshes (beta) when running on GKE on Google Cloud.
Users that configure multiple clusters in their mesh can now see unified, multi-cluster views of their services in the Anthos Service Mesh pages in the Cloud Console. Note that multi-cluster support is in Beta and not all UI features are supported in multi-cluster mode.
ASM 1.6 is supported in a single cluster configuration in Anthos Attached Clusters in the following environments: Amazon Elastic Kubernetes Service (EKS) and Microsoft Azure Kubernetes Service (AKS).
The profile to install ASM in GKE has been renamed from asm
to asm-gcp
, see Upgrading Anthos Service Mesh on GKE. The profile to install ASM in GKE on-premise clusters has been renamed from asm-onprem
to asm-multicloud
, see Upgrading Anthos Service Mesh on premises.
In the asm-multicloud
profile, ASM now installs a complete observability stack (Prometheus, Grafana and Kiali).
Support for cross-cluster load balancing (beta) for your multi-cluster mesh for GKE on Google Cloud.
New installation guides: Installing Anthos Service Mesh on attached clusters and Adding clusters to an Anthos Service Mesh.
Anthos Service Mesh now supports cross-cluster security policies (beta) for your multi-cluster mesh when running on GKE on Google Cloud.
Upgrade from ASM 1.5 to ASM 1.6 without downtime using a dual control plane upgrade.
Known Issue: If you upgrade from Istio to ASM 1.6 and have set SLOs on your service metrics, those SLOs might be lost and need to be recreated after the upgrade.
1.5.7-asm.0 and 1.4.10-asm.3
Fixes the security issue, ISTIO-SECURITY-2020-007, with the same fixes as Istio 1.6.4. For information, see the Istio release notes.
Description
The vulnerability affects Anthos Service Mesh (ASM) versions 1.4.0 to 1.4.10, 1.5.0 to 1.5.5, and 1.6.4 whether running in Anthos clusters on VMware or on GKE, potentially exposing your application to Denial of Service (DOS) attacks. This vulnerability is referenced in these publicly disclosed Istio security bulletins:
- ISTIO-SECURITY-2020-007:
- CVE-2020-12603 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (e.g., 1 byte) data frames.
- CVE-2020-12605 (CVSS score 7.0, High): Envoy through 1.14.1 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
- CVE-2020-8663 (CVSS score 7.0, High): Envoy version 1.14.1 or earlier may exhaust file descriptors and/or memory when accepting too many connections.
- CVE-2020-12604 (CVSS score 7.0, High): Envoy through 1.14.1 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.
Mitigation
If you use ASM 1.6.4: * Apply the additional configuration changes specified in ISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.
If you use ASM 1.4.0 to 1.4.10 or 1.5.0 to 1.5.5: * Upgrade your clusters to ASM 1.4.10-asm.3 or ASM 1.5.7-asm.0 as soon as possible and apply the additional configuration changes specified in ISTIO-SECURITY-2020-007 to prevent Denial of Service (DOS) attacks on your mesh.
See the following documentation for how to upgrade your Anthos Service Mesh.
- ASM 1.5 for GKE and on-premises, respectively:
- Upgrading Anthos Service Mesh on GKE
ASM 1.4 for GKE and on-premises, respectively:
June 22, 2020
1.5.6-asm.0 and 1.4.10.asm.2
Contains the same fixes as OSS Istio 1.5.6. Non-critical, minor improvements were also backported to ASM 1.4.10. See Announcing Istio 1.5.6 for more information.
June 15, 2020
1.5.5-asm.2
Fixes a bug in the istioctl
HorizontalPodAutoscaling
setting that caused Anthos Service Mesh installations to fail.
June 11, 2020
1.5.5-asm.0 and 1.4.10-asm.1
Fixes the security issue, CVE-2020-11080, with the same fixes as OSS Istio 1.5.5. The security fixes were backported to ASM 1.4.10.
Description
A vulnerability affecting the HTTP/2 library used by Envoy has been fixed and publicly disclosed (c.f. Denial of service: Overly large SETTINGS frames ).
CVE-2020-11080: By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.
Mitigation
HTTP/2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration. HTTP/2 support at ingress can only be disabled if you are not exposing HTTP/2 services that cannot fallback to HTTP/1.1 through ingress. Note that gRPC services cannot fallback to HTTP/1.1.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: disable-ingress-h2
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: MERGE
value:
typed_config:
"@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
codec_type: HTTP1
For additional information, see ISTIO-SECURITY-2020-006.
May 20, 2020
1.5.4-asm.2
1.5.4-asm.2 is now available.
Security fixes
1.5.4-asm.2 contains all the same security fixes that are in Anthos Service Mesh 1.4.
Beta release of the Anthos CLI
The Anthos CLI simplifies the installation of Anthos Service Mesh. You can use the Anthos CLI to:
- Create a new cluster that meets the Anthos Service Mesh cluster requirements and install Anthos Service Mesh. See Installing Anthos Service Mesh on a new cluster using the Anthos CLI.
- Update an existing cluster with the options that Anthos Service Mesh requires and install Anthos Service Mesh. See Installing Anthos Service Mesh on an existing cluster using the Anthos CLI.
Port change for automatic sidecar injection
If you are installing Anthos Service Mesh on a private cluster, you must add a firewall rule to open port 15017 if you want to use automatic sidecar injection. In Anthos Service Mesh 1.4, the port used for automatic sidecar injection is 9443.
If you don't add the firewall rule and automatic sidecar injection is enabled, you get an error when you deploy workloads. For details on adding a firewall rule, see Adding firewall rules for specific use cases.
The alpha authentication policy is deprecated
See Updating to the beta security policies for more information.
IstioOperator
API replaces IstioControlPlane
API
The alpha IstioControlPlane
API has been replaced by the IstioOperator
API. You must use the IstioOperator
API in YAML files to enable optional features when you install Anthos Service Mesh.
Istio CNI plugin is supported
By default Anthos Service Mesh injects an initContainer
, istio-init
, in pods deployed in the mesh. The istio-init
container sets up the pod network traffic redirection to/from the sidecar proxy. This requires the user or service-account deploying pods to the mesh to have sufficient Kubernetes RBAC permissions to deploy containers with the NET_ADMIN
and NET_RAW
capabilities. Requiring users to have elevated Kubernetes RBAC permissions is problematic for some organization's security compliance. The Istio Container Network Interface (CNI) plugin is a replacement for the istio-init
container that performs the same networking functionality but without requiring users to enable elevated Kubernetes RBAC permissions.
The Istio CNI plugin performs the mesh pod traffic redirection in the Kubernetes pod lifecycle's network setup phase, thereby removing the requirement for the NET_ADMIN
and NET_RAW
capabilities for users deploying pods into the mesh. The Istio CNI plugin replaces the functionality provided by the istio-init
container.
Enabling pod security policies no longer needed
SDS security was improved by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.
May 12, 2020
1.4.9-asm.1
Fixes the security issue, CVE-2020-10739, with the same fixes as OSS Istio 1.4.9. See ISTIO-SECURITY-2020-005 for more information.
April 28, 2020
The Anthos Service Mesh dashboard in the Google Cloud Console is generally available for Anthos Service Mesh installations on Google Kubernetes Engine clusters. For more information, see the Observability overview.
April 01, 2020
1.4.7-asm.0
Contains the same fixes as OSS Istio 1.4.7. See Announcing Istio 1.4.7 for more information.
March 03, 2020
1.4.6-asm.0
Fixes known security issues with the same fixes as OSS Istio 1.4.6:
- CVE-2020-8659, CVE-2020-8661, CVE-2020-8664, CVE-2020-8660: ISTIO-SECURITY-2020-003
February 28, 2020
1.4.5-asm.0
Anthos Service Mesh certificate authority (Mesh CA) is generally available for GKE on Cloud.
Mesh CA is a Google managed, highly available and secure service that replaces Citadel for Anthos Service Mesh customers on GKE on Cloud. Mesh CA issues mTLS certificates for workloads running in Anthos Service Mesh.
GKE on premises continues to use Citadel.
The changes to support the Anthos Service Mesh observability features, including the topology graph on the Anthos Service Mesh Dashboard are included in 1.4.5-asm-0.
Note that the Anthos Service Mesh Dashboard itself is still in beta.
Prepare for a breaking change coming in Anthos Service Mesh 1.5
WARNING:
Don't include a
TargetSelector
in your authentication polices. Authentication policies that include a TargetSelector
will not be automatically converted to the new version of the Authentication Policy API that will be released in Anthos Service Mesh 1.5. You will have to migrate these authentication policies manually to the new Authentication Policy API. If you don't remove the TargetSelector
, the authentication policies might be ignored without warning in Anthos Service Mesh 1.5.
February 12, 2020
1.4.4-asm.0
Fixes a known security issue with the same fixes as OSS Istio 1.4.4, as well as improvements from OSS Istio 1.4.3.
December 20, 2019
Anthos Service Mesh is generally available.
This release features a supported, downloadable installation of Anthos Service Mesh for use in your Anthos clusters on-premises or on Google Kubernetes Engine.
The following features remain in beta:
October 28, 2019
Anthos Service Mesh certificate authority Beta.
September 16, 2019
Anthos Service Mesh Beta. * Service Mesh Dashboard for Google Kubernetes Engine clusters * Observability of your services