Review the following information about supported release versions for Gloo Mesh Enterprise, including dependencies on open source projects like Istio.
The following versions of Gloo Mesh Enterprise are supported with the compatible open source projects versions of Istio and Kubernetes. Later versions of the open source projects that are released after Gloo Mesh Enterprise might also work, but are not tested as part of the Gloo Mesh Enterprise release.
|Gloo Mesh Enterprise||Gloo Mesh Istio
|1.1||1.7 - 1.10||1.16 - 1.21|
|1.0||1.7 - 1.10||1.16 - 1.21|
Additionally, the following Gloo Mesh Enterprise features require specific versions.
|Gloo Mesh feature||Required versions|
||Gloo Mesh Istio 1.8
|Multicluster subset routing in traffic policies||Istio 1.8 or later|
|Rate limiting for Gloo Mesh Gateway||Gloo Mesh Istio 1.8
* Gloo Mesh Enterprise offers
n-4 security patching support only with Gloo Mesh Istio versions, not community Istio versions. For more considerations when installing Gloo Mesh Istio, see Download a specific image.
† Istio and Kubernetes: Supported Kubernetes versions are based on the version of Istio that is installed. For example, you cannot use Gloo Mesh Enterprise with Istio 1.9 on a Kubernetes 1.22 cluster, because Istio 1.9 does not support Kubernetes 1.22. To review Istio support of Kubernetes versions, see the Istio documentation.
OpenShift and Kubernetes: The Istio and Kubernetes versions also determines which version of OpenShift you can run. For example, if you have Istio 1.11 you can run OpenShift 4.8, which uses Kubernetes 1.21. To review OpenShift Kubernetes support, see the OpenShift changelog documentation for the version you want to use.
Version skew policy for management and remote clusters
Ideally, run the same versions of Gloo Mesh Enterprise and Kubernetes in your management and remote clusters. To give you time to upgrade all of the remote clusters, the Gloo Mesh
enterprise-agent in the remote clusters can run up to one version behind the Gloo mesh
enterprise-networking in the management clusters (
n-1). Do not plan to run different versions of the enterprise
agent deployments on your management and remote clusters for longer than you need to complete the upgrade.
You do not need to install Istio on the management clusters. Remote clusters can run different versions of Istio. However, if you want to apply policies or other resources that require a certain version of Istio across remote clusters, make sure that the clusters run a supported version.
The upgrade process depends on which software you need to upgrade and your infrastructure provider.
- Gloo Mesh Enterprise: See the Upgrading guide.
- Istio: See the Istio documentation. You can follow a similar process to upgrade Gloo Mesh Istio, but make sure to specify the
tagvalues for the Gloo Mesh Istio image that you want to use, such as in the Install Gloo Mesh Istio guide.
- Kubernetes or OpenShift: Consult your infrastructure provider's upgrade process. For example, you might use Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), IBM Cloud Kubernetes Service, or Microsoft Azure Kubernetes Service (AKS).
Understanding the difference between Gloo Mesh Istio and community Istio distributions
Gloo Mesh Istio is a hardened Istio enterprise image to maintain
n-4 support for CVEs and other security fixes longer than the community Istio, which provides
n-1 support with an additional 6 weeks of extended time to upgrade the
n-2 version to
n-1. Based on a cadence of 1 release every 3 months, Gloo Mesh's n-4 support provides an extra 9 months to run the hardened Istio version of your choice, compared to an open source strategy that also lacks enterprise support. Note that all backported functionality is available in the upstream community Istio, as there are no proprietary features or forked capabilities from community Istio.
Solo provides two main distributions for Gloo Mesh Istio as follows.
- Standard: An enterprise distribution of the community Istio project with additional security patches.
- Solo: An enterprise distribution of the community Istio project with additional security patches, as well as certain Envoy filters to enable Gloo Mesh Enterprise features. You must use the
soloimage to use these features, such as Gloo Mesh Gateway.
Additionally, the standard and
solo distributions of Istio come in several varieties as follows.
- FIPS: An image that is tagged with
fipscomplies with NIST FIPS, for use cases that require federal information processing capabilities.
- Distroless: An image that is tagged with
distrolessis a slimmed down distribution with the minimum set of binary dependencies to run the image, for enhanced performance and security. Note that if your app relies on package management, shell, or other operating system tools such as
bash, you must find another way to install these dependencies.
An image might be tagged to meet multiple use cases, such as
To use a version of Istio that is no longer supported by the community with Gloo Mesh Enterprise, you must install the Gloo Mesh Istio version. If the Istio version that you want to use is currently supported by the community, you can use either the community Istio or the Gloo Mesh Istio version. To review supported community versions, see the Istio documentation.
Download a specific image
You can download a particular image for Gloo Mesh Enterprise and Gloo Mesh Istio, such as for the following use cases.
- To download and transfer these images if your environment does not have public network access or cannot pull public images, for an air-gapped installation.
- To run an older Istio version that the community no longer supports while still receiving security patches.
- To use a custom build that aligns with compliance standards such as Federal Information Processing Standards (FIPS).
Get the Gloo Mesh Enterprise version that you want to use
- Find the version tag in the changelog, such as
- To download the package for the
enterprise-networkingcomponent that you deploy in your management clusters, append the
<version_tag>to the following URL.
- To download the package for the
enterprise-agentcomponent that you deploy in your remote data plane clusters, append the
<version_tag>to the following URL.
- Use these packages when you install Gloo Mesh Enterprise.
Get the Gloo Mesh Istio version that you want to use
- Navigate to the Google Cloud Registry Istio Enterprise images: https://console.cloud.google.com/gcr/images/istio-enterprise.
- Click the Name of each Istio component image to install.
- Click the Filter field, select Tags, and enter a search term such as a version like
1.11.1or a specific build like
distroless. You can add multiple filters to your search.
- Hover over the row of the image that you want to use and click the Actions overflow (…) > Show pull command.
- Install Istio with these images. Istio provides several installation methods, such as using
istioctl, the Istio Operator, or Helm. When you install Istio, make sure to replace any images with the Gloo Mesh Enterprise images that you want to use. For more information, see the Istio documentation. For examples that set the
tagvalues in the Istio Operator to Gloo Mesh Istio, see one of the following installation guides.
- After installing Istio, you can verify that the version is compatible with your Kubernetes environment by running
istioctl x precheck.
istioctl x precheck ✔ No issues found when checking the cluster. Istio is safe to install or upgrade! To get started, check out https://istio.io/latest/docs/setup/getting-started/
Example links to Gloo Mesh Enterprise and Gloo Mesh Istio images
The following table has example links to the latest
1.1 version for Gloo Mesh Enterprise and corresponding
1.11 Gloo Mesh Istio images. If you follow the previous steps, the links that you use to download the images are similar.
For more information about what standard, Solo, FIPS, and distroless versions mean, see Understanding the difference between Gloo Mesh Istio and community Istio distributions.
|Component||Link to downloadable package|
Typically, Gloo Mesh Enterprise releases a new minor version,
n, each quarter. Make sure that you run a supported version for production environments, and keep that version upgraded to the latest patch version so that you have the latest security fixes. For more information, see Upgrading Gloo Mesh Enterprise.
||Yes||Latest||The latest stable version is the default version when you view the documentation. New features are typically not developed for the latest version, but the version is actively maintained for security patches, bugs, and documentation.|
||Yes||Stable||Supported versions up to
||No||Beta||Active feature development happens on the
||No||Unsupported||Versions that are
Open source packages in Gloo Mesh Enterprise
For specific versions of open sources packages that are bundled with Gloo Mesh Enterprise, see the entries in the Open Source Attribution topic. For more information on where these open source packages are retrieved from, see the go.mod documentation.
Help me choose which version to run
- Consider your container platform environment, particularly which cloud provider and version of Kubernetes that you want to run. Compare the version against the table of supported versions for Gloo Mesh Enterprise.
- Review the features that are available in a particular version of the software.
- Decide if you need to run a specific image, such as the FIPS version of Gloo Mesh Istio for FedRAMP compliance.
- Follow the Setup guides, modifying the steps to install the particular versions that you want to use.