This release note describes the changes in the Solo builds of Istio version 1.27.

General

This version was built against upstream Istio release 1.27.0.

  • Added istiod support for per-service account mTLS egress via a single waypoint.

    • This is enabled by adding the environment variable PERMIT_CROSS_NAMESPACE_RESOURCE_ACCESS to istiod; its value is a comma-separated list of namespace/gateway pairs, where gateway is the name of the waypoint’s service account.
    • This also includes sample manifests under samples/solo-mtls-egress to demonstrate how to use this feature.
    • This feature requires a valid license capable of enabling our EnvoyFilter waypoint support.
  • Added the command istioctl multicluster check, which runs a series of checks on the multicluster status for the current kube context. The following checks are performed:

    • Checks the license in use by each istiod and validates that it supports multicluster
    • Checks the health of all istiod, ztunnel, and eastwest gateway pods
    • Checks that the eastwest gateway is programmed
    • Checks that each remote gateway has a gloo.solo.io/PeeringSucceeded status of True
  • Added syncing of peer connection status to remote Gateways

  • Added a flag to the istioctl multicluster check command to pass in multiple contexts and run the checks against all of them.

  • Improved the istioctl multicluster check command to use the new gloo.solo.io/PeerConnected gateway condition, which accurately reflects whether istiod is currently connected to its remote peers.

  • Fixed an issue where, if a Service existed only in the remote cluster, the local cluster could not apply L7 policies via a local sidecar or waypoint. This now works as long as the remote Service properly declares an L7 protocol via the port name or appProtocol.

  • Fixed inconsistent ordering of the pod check in the istioctl multicluster check command.

  • Fixed an issue where locality information was not propagated for peered multi-cluster resources when the istio-remote Gateway’s topology.kubernetes.io/zone and topology.kubernetes.io/region labels were updated without restarting istiod. Changes to these labels now trigger an update without a restart.

  • Fixed an issue with locality weighting in multi-network cases.
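As an added example (not code from the Solo or Istio projects), the following Python parses the PERMIT_CROSS_NAMESPACE_RESOURCE_ACCESS format described in the mTLS egress entry above into an explicit allowlist and checks a namespace/service-account pair against it. The strict Kubernetes name validation, the hard failure on malformed entries and the exact-match semantics are assumptions of this example, not documented istiod behaviour.

```python
import re
from typing import Dict, Set

# Kubernetes namespaces are DNS-1123 labels and service-account names are
# DNS-1123 subdomains. Enforcing that here is this example's assumption; the
# release note only specifies the comma-separated namespace/gateway format.
_DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
_DNS_SUBDOMAIN = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")


def parse_permit_list(value: str) -> Dict[str, Set[str]]:
    """Parse a PERMIT_CROSS_NAMESPACE_RESOURCE_ACCESS value into
    {namespace: {waypoint service account, ...}}.

    Malformed entries raise instead of being skipped so that a typo fails
    loudly rather than silently widening or narrowing the allowlist.
    """
    permitted: Dict[str, Set[str]] = {}
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or doubled separator
        parts = entry.split("/")
        if len(parts) != 2:
            raise ValueError(f"expected namespace/gateway, got {entry!r}")
        namespace, gateway = parts
        if len(namespace) > 63 or not _DNS_LABEL.match(namespace):
            raise ValueError(f"invalid namespace in {entry!r}")
        if len(gateway) > 253 or not _DNS_SUBDOMAIN.match(gateway):
            raise ValueError(f"invalid gateway service account in {entry!r}")
        permitted.setdefault(namespace, set()).add(gateway)
    return permitted


def is_permitted(permitted: Dict[str, Set[str]], namespace: str, service_account: str) -> bool:
    """Exact match only: a pair is allowed iff it was listed (assumed semantics)."""
    return service_account in permitted.get(namespace, set())


if __name__ == "__main__":
    # Constructed sample value, not taken from any real deployment.
    policy = parse_permit_list("egress/waypoint-sa, payments/egress-waypoint,egress/other-sa,")
    print(policy)
    print(is_permitted(policy, "egress", "waypoint-sa"))  # True
```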