Release Notes
Version 1.6.2
Bug fixes and Improvements
- GitOps is now supported in the management plane cluster.
- GitOps webhook is now removed whenever the GitOps component is deactivated.
- By default, the synchronization of TelemetrySources and TelemetryMetrics is disabled to enhance resource consumption efficiency.
- Added functionality for North/South gateway to handle exposed host HTTPS multicluster calls from mesh clients, assisting in the migration process to ISTIO_MTLS.
- Addressed UI bugs and introduced improvements to enhance the user experience.
- Added the ability to delete AccessBindings using tctl or GitOps.
- Added support to detect minikube as a cluster provider.
- Added inline authz support for HTTP external server in Tier1 gateway.
- Improved propagation strategy behavior: the propagation strategy set for a resource is now enforced only for the resource's descendants, rather than for the resource itself.
- Fixed race condition in tsb-migrations job.
Security fixes
This release shipped with no CVEs known at the time of release; new CVEs will emerge, and those will be fixed and documented in subsequent release notes.
There are currently some known vulnerabilities that are not exploitable:
- CVE-2023-29402 - Only exploitable at build time, and the TSB build process only uses go get, which is not affected.
- CVE-2023-29403 - setuid/setgid is not used.
- CVE-2023-29404 and CVE-2023-29405 - Only exploitable at build time, and go is not used in the TSB build.
- "PRISMA-2022-0227" - Not exploitable, as the library is imported only indirectly; it will be fixed in the next release, based on Istio 1.17.
Version 1.6.1
What's New
- Subset based routing is now supported when cross cluster east-west failover is enabled.
- Zero traffic disruption for cross cluster communication during downscaling or node draining.
- TSB now supports K8s 1.25.
Bug fixes and Improvements
- IsolationBoundaries improvements.
- Improvements in resource clean-up while disabling or removing an Istio revision under IsolationBoundaries.
- Ability to operate and upgrade the Istio CNI component under a user-specified revision.
- Improved the performance of the XCP edge-to-central exchange of configurations and cluster state sync.
- Fixed an upstream issue related to the IstioOperator cache not being properly updated while switching revisions.
- Fixed an issue related to helm uninstall timeout.
- Fixed an issue so that OAP keeps the required security context properties by default.
- Improvement to handling of internal webhook certs.
- Fixed bug related to AuthZ policies at gateway when envoy proxy protocol is enabled.
- Optimizations to east-west communication resource needs.
- Allow ISTIO_MUTUAL TLS setting in direct mode gateways.
- Addressed user interface (UI) issues to improve overall usability.
- Fixed namespace scope in workspace group cards and topology view.
- Fixed issues related to the topology view slider and date selector.
- New Zipkin Lens UI enhancements.
Security fixes
- Update TSB component images to address CVEs.
Version 1.6.0
What's New
- Security Rules extended to provide significantly more flexibility and specificity, by:
  - SecurityDomains (feature status: alpha) and Tenant sources and destinations for Allow and Deny rules, to make it easier to map high-level intent to security policies.
  - ServiceSecuritySetting (feature status: alpha) policies to allow operators to specify rules for selected target services.
  - Identity Propagation (feature status: alpha) through gateway hops, to make fine-grained, cross-cluster security rules possible.
- High Availability capabilities added to further improve efficiency and failover:
  - EastWestGateway makes service failover between clusters automatic and transparent, without needing to expose services through external gateways.
  - Tier 1 gateways and Tier 2 gateways can now be deployed in the same cluster; the limitation that Tier 1 gateways required a dedicated cluster has been removed.
  - New cluster-external-addresses annotation for gateway services, for environments where it is necessary to specify the external IP address explicitly (for example, a GSLB environment).
- User Interface enhancements to empower TSB users to visualize and monitor platform and service activity:
  - Added log streaming viewers to the UI dashboard, capturing logs from services and Istio proxies.
  - Support for multiple rule bindings in the Role UI.
  - Added Users and Teams views in the Settings UI.
  - Improved time range slider in the Topology view.
  - The UI now offers a new Dark Mode.
- Investigate Application Performance:
  - New troubleshooting tools tctl collect and tctl troubleshoot empower application developers to troubleshoot performance issues without requiring privileged access to clusters.
- Platform Additions and Changes:
  - Support for multi-Istio environments within clusters, enabling Isolation Boundaries and Istio Revisions (feature status: alpha) for security-sensitive applications and for Istio canary upgrades.
  - To use revisions in Workload Onboarding, you need to add revision to the Agent configuration. For example:

    apiVersion: config.agent.onboarding.tetrate.io/v1alpha1
    kind: AgentConfiguration
    sidecar:
      istio:
        revision: canary

  - Availability on Red Hat OpenShift through the Red Hat Ecosystem Catalog.
  - Optional delay hook to manage the downscaling of gateway pods, allowing service discovery changes to propagate to remote clusters.
  - The TSB data plane operator no longer defaults the replica count for the gateways to 1. This means the user can perform scaling operations on the gateway deployment as long as replicaCount for the deployment is kept at 0 or unset. This does not affect gateways that are already deployed.
  - A global defaultKubeSpec can be applied to all TSB components in both the Management Plane and the Control Plane. Use a component's kubeSpec to override the global defaultKubeSpec.
  - Support for operator configuration in Helm installation for the Management Plane, Control Plane and Data Plane.
- Traffic Control:
  - ServiceRoute now supports advanced traffic shifting subset sections for HTTP and TCP services.
- Extensibility:
  - Support for WASM Extensions across gateways and service proxies, with a WASM catalog and admin-defined defaults for WASM extensions.
- Security:
  - Web Application Firewall (WAF) (feature status: alpha) capability across gateways and service proxies to detect and block attack traffic using the industry-standard OWASP Core Rule Set (CRS) detection rules.
- Reduced footprint by removing the Zipkin dependency and using SkyWalking OAP for tracing, and improved the efficiency and scalability of SkyWalking storage:
  - Removed the Zipkin backend and replaced it with OAP for collecting and querying traces. The SkyWalking receiver-zipkin is used to collect traces from the Zipkin trace reporter, and zipkin-query provides the Zipkin trace query API.
  - OAP supports merging all metrics/meter and records (without super datasets) indices into one physical index template, metrics-all and records-all. Set the oap component setting storageIndexMergingEnabled to "true" to merge indices into one physical index template. Metrics/meter and records indices are sharded into multiple physical indices as in previous versions. (Note: this is enabled by default in the SPM.) Refer to SkyWalking new-elasticsearch-storage-option and SkyWalking-storage-elasticsearch.
  - OAP supports per-index-template settings to scale out the storage to your needs. Regardless of the oap component's storageIndexMergingEnabled value, users can adjust Elasticsearch's shard number (by adjusting the SW_STORAGE_ES_INDEX_SHARDS_NUMBER env var of the oap component) or provide, per index, the concrete number of shards and replicas. For instance, if storageIndexMergingEnabled is enabled, we can increase the number of shards for the metrics-all index template:

    oap:
      storageIndexMergingEnabled: true
      storageSpecificIndexSettings:
        - indexName: "metrics-all"
          numberOfShards: 4
          numberOfReplicas: 1

  - OAP supports enabling URIs/APIs (Endpoint) analysis by setting apiEndpointMetricsEnabled to "true". By default, this setting is "false" and URIs/APIs (Endpoint) analysis is disabled. If the value needs to be changed, it must be configured in both the OAP management plane deployment and the control plane deployment. For example, to enable it, update both the ManagementPlane resource and the ControlPlane resource:

    spec:
      meshObservability:
        settings:
          apiEndpointMetricsEnabled: true

  - Added --apikey-stdin to provide the API key when doing image synchronization. For example:

    echo myAPIKey | tctl install image-sync --username myuser --registry gcr.io/mycompany/registry --apikey-stdin

  - OAP supports basic PromQL; users can obtain metrics through the PromQL service for integrations such as building Grafana dashboards.
Upgrade notes
- Because the Zipkin backend has been replaced by OAP, the Zipkin deployment needs to be removed after the upgrade. This happens automatically for the TSB Control Plane; for the Management Plane, remove the deployment, the zipkin-cleanup cronjob, and the config in the managementplanes.install.tetrate.io CRD. The Elasticsearch indexes zipkin-span and zipkin-autocomplete can be removed too.
- Due to a fix introduced in Istio 1.14, when both replicaCount and autoscaleEnabled are set, replicaCount will be ignored and only the autoscale configuration will be applied. This can cause the tier1gateways and ingressgateways to scale down to 1 replica temporarily during the upgrade, until the autoscale configuration is applied. To avoid this, edit the tier1gateway or ingressgateway spec and remove the replicas field. Since the current deployment is already managed by the HPA controller, this allows you to upgrade the pods with the desired configuration.
- If you enable Isolation Boundaries in an existing environment, you need to scale down the TSB data plane operator before adding isolation boundaries in the control plane resource. See Non-revisioned to Revisioned upgrade for more details.
Deprecation Notices
- Removed the Zipkin Backend.
Known Issues and Limitations
For full details on production readiness and supportability of TSB features, refer to the Feature Status matrix. In addition:
- The WAF plugin image is pulled from the Tetrate public registry oci://ghcr.io/tetrateio instead of leveraging the customer container registry defined within the control plane.
- securityContext defined in the TSB control plane CR is not applied to the vmgateway component.
- Subset based routing is not supported in EastWestGateway failover.
- WasmExtension is applied to all traffic, without the ability to select specific traffic by its direction or port.
- If you use a private registry for your WasmExtension, the Wasm imagePullSecret has to exist in the target namespace.
- To use Identity Propagation, you have to set imagePullSecret for your TSB images registry in the istio-system namespace.
- Identity Propagation only supports HTTP traffic.
- Port 15443 is not allowed in Istio Gateway in Tier 2 DIRECT mode, and the TLS modes ISTIO_MUTUAL and AUTO_PASSTHROUGH are not allowed in Istio Gateway in DIRECT mode.
- Workload Onboarding only supports a single isolation boundary.