Supported versions
Review the following information about supported release versions for Gloo Platform, including dependencies on open source projects like Istio.
Supported versions
Solo supports n-3
versions for Gloo Platform. Within each Gloo Platform version, different open source project versions are supported, including Gloo Istio n-4
version support.
Gloo Platform
The following versions of Gloo Platform are supported with the compatible open source project versions of Istio and Kubernetes. Later versions of the open source projects that are released after Gloo Platform might also work, but are not tested as part of the Gloo Platform release.
Gloo Platform | Release date | Gloo Istio* |
Kubernetes† |
---|---|---|---|
2.3 | TBD | 1.12 - 1.16 | 1.19 - 1.24 |
2.2 | 20 Jan 2023 | 1.12 - 1.16 | 1.19 - 1.24 |
2.1 | 21 Oct 2022 | 1.11 - 1.15 | 1.18 - 1.23 |
2.0 | 13 May 2022 | 1.9 - 1.13 | 1.17 - 1.23 |
1.2 | 04 Nov 2021 | 1.9 - 1.12 | 1.17 - 1.23 |
Gloo Istio
Keep in mind that Gloo Platform offers n-4
security patching support only with Gloo Istio versions, not community Istio versions. Gloo Istio versions support the same patch versions as community Istio. You can review community Istio patch versions in the Istio release documentation. You must run the latest Gloo Platform patch version to get the backported Istio support.
Supported Istio versions by Kubernetes or OpenShift version
The supported version of Istio, and Kubernetes or OpenShift are dependent on each other. For example, if you plan to use Gloo Platform with Istio 1.15, you must make sure that you use a Kubernetes or OpenShift version that is compatible with Istio 1.15. The same is true if you decided on a specific Kubernetes or OpenShift version, and you must find an Istio version that is compatible.
To find a list of supported Kubernetes versions in Istio, see the Istio docs. For supported OpenShift, go to the OpenShift knowledgebase (requires login).
Known Istio issues
- Istio versions 1.14.0 - 1.14.3 have a known issue about unused endpoints failing to be deleted. Additionally, version 1.14.4 has a known issue about short hostnames causing Kubernetes service and ServiceEntry conflicts. Both issues are resolved in Istio 1.14.5.
- Istio versions 1.13.0 - 1.13.3 have a known issue about service entry hostname expansion. The issue is resolved in Istio 1.13.4.
Gloo features
Additionally, the following Gloo Platform features require specific versions.
Gloo Platform feature | Required versions |
---|---|
XSLT filter | Istio 1.11 or later |
Gloo-managed Istio installations | Gloo Platform 2.1.0 or later |
GraphQL add-on | Gloo Platform version 2.1.0 or later, and Istio version 1.14.5 or later |
AWS Lambda unwrapAsApiGateway setting |
Istio version 1.15.0 or later |
Version skew policy for management and remote clusters
Ideally, run the same versions of Gloo Platform and Istio in your management and remote clusters. To give you more time to complete the upgrade for all of your clusters, n-1
minor version skew is supported between the Gloo management server and the agent. If your management server and agent are n-1
minor versions apart, your agents can run any patch version of that minor release to be compliant. If both your management server and agent run the same minor version, the agent can run any patch version that is equal or lower than the management server's patch version.
Consider the following example version skew scenarios:
Supported? | Server version | Agent version | Requirement |
---|---|---|---|
✅ | 2.2.3 | 2.2.1 | The management server and agents run the same minor version. The agent patch version is equal to or lower than the management server. |
❌ | 2.2.3 | 2.2.4 | The agent runs the same minor version as the server, but has a patch version greater than the server. |
✅ | 2.2.3 | 2.1.3 | The agent runs a minor version no greater than n-1 behind the server. The agent can run any patch version within that minor release to be compliant. |
❌ | 2.2.3 | 2.0.9 | The agent runs a minor version that is greater than n-1 behind the server. |
Note that you must always upgrade the Gloo management server before you upgrade any of your workload clusters.
You do not need to install Istio on the management clusters. Remote clusters can run different versions of Istio. However, if you want to apply policies or other resources that require a certain version of Istio across remote clusters, make sure that the clusters run a supported version.
Upgrading versions
The upgrade process depends on which software you need to upgrade and your infrastructure provider.
- Gloo Platform: See the Upgrading guide.
- Istio: See the Istio documentation. You can follow a similar process to upgrade Gloo Istio, but make sure to specify the
hub
andtag
values for the Gloo Istio image that you want to use, such as in the Install Gloo Istio guide. - Kubernetes or OpenShift: Consult your infrastructure provider's upgrade process. For example, you might use Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), IBM Cloud Kubernetes Service, or Microsoft Azure Kubernetes Service (AKS).
Gloo Istio distributions
Gloo Istio is a hardened Istio enterprise image to maintainn-4
support for CVEs and other security fixes longer than the community Istio, which provides n-1
support with an additional 6 weeks of extended time to upgrade the n-2
version to n-1
. Based on a cadence of 1 release every 3 months, Gloo Mesh's n-4 support provides an extra 9 months to run the hardened Istio version of your choice, compared to an open source strategy that also lacks enterprise support. Note that all backported functionality is available in the upstream community Istio, as there are no proprietary features or forked capabilities from community Istio.
The following image provides an overview of how Solo engineers harden the base Istio image release.
Solo provides two main distributions for Gloo Istio as follows.
- Standard: An enterprise distribution of the community Istio project with additional security patches. Example:
1.16.0
- Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Gateway features. You must use the
solo
image to use these features. Example:1.16.0-solo
Both the standard and solo
distributions of Gloo Istio come in the following optional varieties.
- FIPS: An image that is tagged with
fips
complies with NIST FIPS, for use cases that require federal information processing capabilities. Examples:1.16.0-fips
,1.16.0-solo-fips
- Distroless: An image that is tagged with
distroless
is a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Note that if your app relies on package management, shell, or other operating system tools such aspip
,apt
,ls
,grep
, orbash
, you must find another way to install these dependencies. Examples:1.16.0-distroless
,1.16.0-solo-distroless
- ARM: An image that is tagged with
arm
is compatible with ARM64 architectures. Support for ARM images varies with your Istio version and distribution.- 1.16.0 and later: Both the standard and Solo distributions of Istio are now multi-architecture Docker images, which work for both AMD and ARM atchitectures. The
-arm
tag is no longer supported. For example,1.16.0-solo
,1.16.0-fips
, and1.16.0-solo-fips
work for both AMD and ARM. - 1.15.3 and later 1.15 versions: ARM images (tagged with
-arm
) are supported for the standard distibution with FIPS and the Solo distribution without FIPS. For example,1.15.3-fips-arm
and1.15.3-solo-arm
are supported, but1.15.3-solo-fips-arm
and1.15.3-arm
are not supported. - 1.15.0 - 1.15.2: ARM images are not supported for either distibution of these versions.
- 1.14 and earlier: ARM images (tagged with
-arm
) are supported only for the standard distribution without FIPS. Example:1.14.5-arm
- 1.16.0 and later: Both the standard and Solo distributions of Istio are now multi-architecture Docker images, which work for both AMD and ARM atchitectures. The
An image might be tagged to meet multiple use cases, such as 1.16.2-solo-fips-distroless
.
To use a version of Istio that is no longer supported by the community with Gloo Platform, you must install the Gloo Istio version. If the Istio version that you want to use is currently supported by the community, you can use either the community Istio or the Gloo Istio version. To review supported community versions, see the Istio documentation.
Download a specific image
You can download a particular image for Gloo Platform and Gloo Istio, such as for the following use cases.
- To download and transfer these images if your environment does not have public network access or cannot pull public images, for an air-gapped installation.
- To run an older Istio version that the community no longer supports while still receiving security patches.
- To use a custom build that aligns with compliance standards such as Federal Information Processing Standards (FIPS).
Get the Gloo Platform version that you want to use
- Find the version tag in the changelog, such as 2.2.5.
- To download the package for the
gloo-mesh-mgmt-server
component that you deploy in your management clusters, append the<version_tag>
to the following URL.https://storage.googleapis.com/gloo-mesh-enterprise/gloo-mesh-enterprise/gloo-mesh-enterprise-<version_tag>.tgz
- To download the package for the
gloo-mesh-agent
component that you deploy in your remote data plane clusters, append the<version_tag>
to the following URL.https://storage.googleapis.com/gloo-mesh-enterprise/gloo-mesh-agent/gloo-mesh-agent-<version_tag>.tgz
- Optional: For FIPS-compliant images, open the
values.yaml
file in the downloaded package, search for theimage
section, and append-fips
to the tag, such as in the following example.... glooMeshMgmtServer: image: pullPolicy: IfNotPresent registry: gcr.io/gloo-mesh repository: gloo-mesh-mgmt-server tag: 2.2.5-fips
- Optional: If you need to pull the images locally, such as for an air-gapped installation, you can use the information you retrieved from the
images
section in thevalues.yaml
file to pull the image. For example, you might use the followingdocker pull
command for a FIPS image. Repeat this step for each image that you want to build locally and push to a private repository.docker pull gcr.io/gloo-mesh/gloo-mesh-mgmt-server:2.2.5-fips
- Use these packages when you install Gloo Platform.
Get the Gloo Istio version that you want to use
To download Gloo Istio images, you must be a registered user and log in to the Solo Support Center.
-
Open the Istio images built by Solo.io support article. When prompted, log in to the Support Center with your Solo account credentials.
-
Find the repo key for the Istio version that you want to use in the support article, such as the repo key for
# istio-1.16
. -
Save the repo key that your account representative gave you as an environment variable.
export REPO=<repo-key>
-
Decide on the specific tag of Istio image, such as the
solo-fips
,solo-distroless
, orsolo-fips-distroless
, that you want for your environment. For more information, see Gloo Istio distributions. -
Save the Istio version, including any specific tags, as an environment variable. The following example is for the latest patch version of the Gloo Istio FIPS image.
export ISTIO_IMAGE=1.16.2-solo-fips
-
Pull the Istio images that you want to use with the repo key.
docker pull $REPO/pilot:$ISTIO_IMAGE docker pull $REPO/proxyv2:$ISTIO_IMAGE docker pull $REPO/operator:$ISTIO_IMAGE
-
Install Istio with these images. Istio provides several installation methods, such as using
istioctl
, the Istio Operator, or Helm. When you install Istio, make sure to replace any images with the Gloo Platform images that you want to use. For more information, see the Istio documentation. For examples that set thehub
andtag
values in the Istio Operator to Gloo Istio, see one of the following installation guides.- Install Gloo Istio
- For airgapped environments, see the guide.
-
After installing Istio, you can verify that the version is compatible with your Kubernetes environment by running
istioctl x precheck
.istioctl x precheck ✔ No issues found when checking the cluster. Istio is safe to install or upgrade! To get started, check out https://istio.io/latest/docs/setup/getting-started/
Release lifecycle
Solo supports n-3
for Gloo Platform and n-4
for Gloo Istio versions.
Typically, Gloo Platform releases a new minor version, n
, each quarter. When the new minor version is released, the previous n-4
for Gloo Platform or n-5
for Gloo Istio becomes unsupported. Make sure that you run a supported version for production environments, and keep that version upgraded to the latest patch version so that you have the latest security fixes. For more information, see Upgrading Gloo Platform.
Version | Supported? | Type | Description |
---|---|---|---|
n |
Yes | Latest | The latest stable version is the default version when you view the documentation. New features are typically not developed for the latest version, but the version is actively maintained for security patches, bugs, and documentation. |
n-2 n-3 Istio-only: n-4 |
Yes | Stable | Supported versions up to n-3 (and n-4 for Gloo Istio) continue to receive support for security patches, bugs, and documentation. You can review the documentation for these versions by switching the documentation to the main branch from the dropdown in the menu bar. |
n+1 |
No | Beta | Active feature development happens on the main branch as part of the development of a beta version. When the n+1 beta version is prepared as a release candidate, new feature development is suspended until this version becomes the new n . You can preview the documentation for some of these features by switching the documentation to the main branch from the dropdown in the menu bar. New features and development work on main is subject to change, not necessarily fully tested, and not supported. |
n-4 Istio-only: n-5 |
No | Unsupported | Versions that are n-4 (and n-5 for Gloo Istio) or older are no longer supported or maintained. Upgrade your release to a stable version to continue to receive support. |
Open source packages in Gloo Platform
For specific versions of open sources packages that are bundled with Gloo Platform, see the entries in the Open Source Attribution topic. For more information on where these open source packages are retrieved from, see the go.mod documentation.
Help me choose which version to run
- Consider your container platform environment, particularly which cloud provider and version of Kubernetes that you want to run. Compare the version against the table of supported versions for Gloo Platform.
- Review the features that are available in a particular version of the software.
- Decide if you need to run a specific image, such as the FIPS version of Gloo Istio for FedRAMP compliance.
- Follow the Setup guides, modifying the steps to install the particular versions that you want to use.