istio · istio-testing · Nov 15, 2022 · Nov 8, 2022 · Nov 9, 2022 · Nov 9, 2022
@@ -951,6 +951,7 @@ UID
 UIDs
 uint32
 ulimit
+un-injecting
 uncomment
 uncommented
 unconfigured

@@ -54,6 +54,7 @@ current `<minor>` release. A patch is usually a small change relative to the `<m
 | Version         | Currently Supported  | Release Date      | End of Life              | Supported Kubernetes Versions | Tested, but not supported          |
 |-----------------|----------------------|-------------------|--------------------------|-------------------------------|------------------------------------|
 | master          | No, development only |                   |                          |                               |                                    |
+| 1.16            | Yes                  | November 15, 2022 | ~June 2023 (Expected)    | 1.22, 1.23, 1.24, 1.25        | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21 |
 | 1.15            | Yes                  | August 31, 2022   | ~March 2023 (Expected)   | 1.22, 1.23, 1.24, 1.25        | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21 |
 | 1.14            | Yes                  | May 24, 2022      | ~January 2023 (Expected) | 1.21, 1.22, 1.23, 1.24        | 1.16, 1.17, 1.18, 1.19, 1.20       |
 | 1.13            | Yes                  | February 11, 2022 | Oct 12, 2022             | 1.20, 1.21, 1.22, 1.23        | 1.16, 1.17, 1.18, 1.19             |

@@ -0,0 +1,8 @@
+---
+title: 1.16.x Releases
+description: Announcements for the 1.16 release and its associated patch releases.
+weight: 13
+list_by_publishdate: true
+layout: release-grid
+decoration: dot
+---
@@ -0,0 +1,68 @@
+---
+title: Announcing Istio 1.16
+linktitle: 1.16
+subtitle: Major Update
+description: Istio 1.16 release announcement.
+publishdate: 2022-11-15
+release: 1.16.0
+skip_list: true
+aliases:
+- /news/announcing-1.16
+- /news/announcing-1.16.0
+---
+
+We are pleased to announce the release of Istio 1.16!
+
+{{< relnote >}}
+
+This is the fourth Istio release of 2022. We would like to thank the entire Istio community
+for helping to get Istio 1.16.0 published. Special thanks are due to the release managers Daniel Hawton from Solo.io, Ziyang Xiao from Intel, and Tong Li from IBM. As always, our gratitude goes to Test & Release WG lead Eric Van Norman (IBM) for his help and guidance.
+
+{{< tip >}}
+Istio 1.16.0 is officially supported on Kubernetes versions `1.22` to `1.25`.
+{{< /tip >}}
+
+## What's new
+
+Here are some of the highlights of the release:
+
+### External Authorization Promoted to Beta
+
+Istio's External Authorization feature has been promoted to Beta. For more information, see the [External Authorization](/docs/tasks/security/authorization/authz-custom/) documentation.
+
+### Kubernetes Gateway API Implementation Promoted to Beta
+
+Istio's implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/) has been promoted to Beta.
+This is a significant step toward our goal of making the Gateway API the default API for traffic management [in the future](/blog/2022/gateway-api-beta/).
+
+Along with the Beta promotion, we have enhanced all of our
+[ingress tasks](/docs/tasks/traffic-management/ingress/) to include parallel instructions for
+configuring ingress using either the Gateway API or the Istio configuration API.
+Also, although using the Gateway API for more generally configuring internal mesh traffic is still an
+[experimental feature](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels-eg-experimental-standard)
+of the Gateway API, pending [upstream agreement](https://gateway-api.sigs.k8s.io/contributing/gamma/),
+several other Istio documents have been updated with Gateway API instructions to allow early experimentation.
+Refer to the [Gateway API task](/docs/tasks/traffic-management/ingress/gateway-api/) for more information.
+
+### JWT Claim Based Routing Promoted to Alpha
+
+Istio's JWT Claim Based Routing feature has been promoted to Alpha. For more information, see the [JWT Claim Based Routing](/docs/tasks/security/authentication/jwt-route/) documentation.
+
+### HBONE for Sidecars and Ingress (Experimental)
+
+We have added support for the HBONE protocol for Sidecars and Ingress gateways. For more information, see the [pull request](https://github.com/istio/istio/pull/41391).
+
+### MAGLEV Load Balancing Support
+
+We have added support for the MAGLEV load balancing algorithm. For more information, see the [Envoy Documentation](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev).
+
+### Added OpenTelemetry Tracing Provider Support
+
+We have added support for the OpenTelemetry tracing provider with the Telemetry API.
+
+## Upgrading to 1.16
+
+When you upgrade, we would like to hear from you! Please take a few minutes to respond to a brief [survey](https://forms.gle/99uiMML96AmsXY5d6) to let us know how we’re doing.
+
+You can also join the conversation at [Discuss Istio](https://discuss.istio.io/), or join our [Slack workspace](https://slack.istio.io/).
+Would you like to contribute directly to Istio? Find and join one of our [Working Groups](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) and help us improve.
@@ -0,0 +1,147 @@
+---
+title: Istio 1.16.0 Change Notes
+linktitle: 1.16.0
+subtitle: Minor Release
+description: Istio 1.16.0 change notes.
+publishdate: 2022-11-15
+release: 1.16.0
+weight: 10
+---
+
+## Deprecation Notices
+
+These notices describe functionality that will be removed in a future release according to [Istio's deprecation policy](/docs/releases/feature-stages/#feature-phase-definitions). Please consider upgrading your environment to remove the deprecated functionality.
+
+- **Deprecated** fetching charts from URLs in `istio-operator`.
+
+## Traffic Management
+
+- **Improved** sidecar `Host` header matching to ignore port numbers by default. This can be controlled by the `SIDECAR_IGNORE_PORT_IN_HOST_MATCH` environment variable. ([Issue #36627](https://github.com/istio/istio/issues/36627))
+
+- **Updated** `meshConfig.discoverySelectors` to dynamically restrict the set of namespaces where istiod creates the `istio-ca-root-cert` configmap
+  if the `ENABLE_ENHANCED_RESOURCE_SCOPING` feature flag is enabled.
+
+- **Updated** `meshConfig.discoverySelectors` to dynamically restrict the set of namespaces where istiod discovers Custom Resource configurations
+  (like Gateway, VirtualService, DestinationRule, Ingress, etc.) if the `ENABLE_ENHANCED_RESOURCE_SCOPING` feature flag is enabled.
+  ([Issue #36627](https://github.com/istio/istio/issues/36627))
+
+- **Updated** the gateway-api integration to read `v1beta1` resources for `HTTPRoute`, `Gateway`, and `GatewayClass`. Users of the gateway-api must
+  be on version 0.5.0+ before upgrading Istio.
+
+- **Added** support for MAGLEV load balancing algorithm for consistent hashing.
+
+- **Added** the creation of inbound listeners for service ports and sidecar
+  and ingress listener both using environment variable
+  `PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE`.
+  Using this, the traffic for a service port is not sent via passthrough TCP even
+  though it is regular HTTP traffic when sidecar ingress listener is defined.
+  In case the same port number is defined in both sidecar ingress and service,
+  sidecar always takes precedence.
+  ([Issue #40919](https://github.com/istio/istio/issues/40919))
+
+- **Fixed** `LocalityLoadBalancerSetting.failoverPriority` not working properly if xDS cache is enabled.
+  ([Issue #40198](https://github.com/istio/istio/issues/40198))
+
+- **Fixed** disable `PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING` temporarily to fix some memory/CPU cost issues.
+
+- **Fixed** an issue where Remote JWKS URI's without a host port fail to parse into their host and port components.
+
+- **Fixed** the ordering of RBAC and metadata exchange filters while generating HTTP/network filters
+  ([Issue #41066](https://github.com/istio/istio/issues/41066))
+
+- **Fixed** an issue causing traffic to not match (and return a `404`) when using wildcard domain names and including an unexpected port in the `Host` header.
+
+- **Fixed** an issue causing traffic to match an unexpected route when using wildcard domain names and including an port in the `Host` header.
+
+## Security
+
+- **Improved** Pilot will now load its DNS serving certificate from well known locations:
+
+{{< text plain >}}
+/var/run/secrets/istiod/tls/tls.crt
+/var/run/secrets/istiod/tls/tls.key
+/var/run/secrets/istiod/ca/root-cert.pem
+{{< /text >}}
+
+The CA path will alternatively be loaded from: `/var/run/secrets/tls/ca.crt`
+It also automatically loads any secret called `istiod-tls` and the `istio-root-ca-configmap` into those paths.
+This method is preferred to use those well known paths than to set the TLS arguments.
+This will allow for an easier installation process for `istio-csr` as well as any other external issuer that needs to modify
+the Pilot DNS serving certificate. ([Issue #36916](https://github.com/istio/istio/issues/36916))
+
+- **Updated** dependency in Envoy to properly parse JWTs with negative values for `exp`, `nbf`, or `iat` fields.
+
+## Telemetry
+
+- **Updated** Telemetry API to use a new native extension for Prometheus stats
+  instead of the Wasm-based extension. This improves CPU overhead and memory
+  usage of the feature. Custom dimensions no longer require regex and bootstrap
+  annotations. If customizations use CEL expressions with Wasm attributes, they
+  are likely to be affected. This change can be disabled by setting the control
+  plane feature flag `TELEMETRY_USE_NATIVE_STATS` to `false`.
+
+- **Added** support for use of the OpenTelemetry tracing provider with the Telemetry API.
+  ([Issue #40027](https://github.com/istio/istio/issues/40027))
+
+- **Fixed** an issue to allow multiple regular expressions with the same tag name.
+  ([Issue #39903](https://github.com/istio/istio/issues/39903))
+
+## Extensibility
+
+- **Improved** when Wasm module downloading fails and `fail_open` is true, a RBAC filter allowing all the traffic is passed to Envoy instead of the original Wasm filter.
+  Previously, the given Wasm filter itself was passed to Envoy in this case, but it may cause the errors because some fields of Wasm configuration are optional in Istio, but not in Envoy.
+
+- **Improved** WasmPlugin images (docker and OCI standard image) to support more than one layer as per spec changes.
+  See ([https://github.com/solo-io/wasm/pull/293](https://github.com/solo-io/wasm/pull/293)) for more details.
+
+- **Added** the `match` field in the WasmPlugin API. With this `match` clause, a WasmPlugin can be applied to more specific traffic (e.g., traffic to a specific port).
+  ([Issue #39345](https://github.com/istio/istio/issues/39345))
+
+## Installation
+
+- **Added** `seccompProfile` fields to set the `seccompProfile` field in container
+  `securityContext`s as per [https://kubernetes.io/docs/tutorials/security/seccomp/](https://kubernetes.io/docs/tutorials/security/seccomp/).
+  ([Issue #39791](https://github.com/istio/istio/issues/39791))
+
+- **Added** a new Istio Operator `remote` profile and deprecated the equivalent `external` profile. ([Issue #39797](https://github.com/istio/istio/issues/39797))
+
+- **Added** a `--cluster-specific` flag to `istioctl manifest generate`. When this is set, the current cluster context will be used to determine dynamic default settings, mirroring `istioctl install`.
+
+- **Added** auto-detection of [GKE specific installation steps](/docs/setup/additional-setup/cni/#hosted-kubernetes-settings) when using CNI to `istioctl install` and `helm install`.
+
+- **Added** an `ENABLE_LEADER_ELECTION=false` feature flag for pilot-discovery to disable leader election when using a single replica of istiod.
+  ([reference](/docs/reference/commands/pilot-discovery/)) ([Issue #40427](https://github.com/istio/istio/issues/40427))
+
+- **Added** support for configuring `MaxConcurrentReconciles` in istio-operator. ([Issue #40827](https://github.com/istio/istio/issues/40827))
+
+- **Fixed** an issue when `auto.sidecar-injector.istio.io` `namespaceSelector` caused problems with cluster maintenance. ([Issue #40984](https://github.com/istio/istio/issues/40984))
+
+- **Fixed** an issue issue when deleting a custom gateway using an Istio Operator custom resource, other gateways are restarted. ([Issue #40577](https://github.com/istio/istio/issues/40577))
+
+- **Fixed** an issue in Istio Operator where CNI is not created properly when `cni.resourceQuotas` is enabled due to missing RBAC permissions. ([Issue #41159](https://github.com/istio/istio/issues/41159))
+
+## istioctl
+
+- **Added** the `--skip-confirmation` flag to `istioctl operator remove` to add confirmation mechanism for operator removal. ([Issue #41244](https://github.com/istio/istio/issues/41244))
+
+- **Added** precheck for revision when running `istioctl uninstall`. ([Issue #40598](https://github.com/istio/istio/issues/40598))
+
+- **Added** `--rps-limit` flag to `istioctl bug-report` that allows increasing
+  the requests per second limit to the Kubernetes API server which can greatly
+  reduce the time to collect bug reports.
+
+- **Added** `istioctl experimental check-inject` feature to describe why injection will/won't or did/didn't occur to the pod based on current running webhooks.
+  ([Issue #38299](https://github.com/istio/istio/issues/38299))
+
+- **Fixed** setting `exportTo` field and `networking.istio.io/exportTo` annotation lead to incorrect IST0101 message.
+  ([Issue #39629](https://github.com/istio/istio/issues/39629))
+
+- **Fixed** setting `networking.istio.io/exportTo` annotation to services with multiple values lead to incorrect IST0101 message.
+  ([Issue #39629](https://github.com/istio/istio/issues/39629))
+
+- **Fixed** `x un-inject` providing incorrect templates for "un-injecting".
+
+## Documentation changes
+
+- **Added** `build_push_update_images.sh` now supports the `--multiarch-images` argument to build multi-arch container images used in the bookinfo application.
+  ([Issue #40405](https://github.com/istio/istio/issues/40405))
@@ -0,0 +1,16 @@
+---
+title: Istio 1.16 Upgrade Notes
+description: Important changes to consider when upgrading to Istio 1.16.0.
+publishdate: 2022-11-15
+weight: 20
+---
+
+When you upgrade from Istio 1.15.x to Istio 1.16.0, you need to consider the changes on this page.
+These notes detail the changes which purposefully break backwards compatibility with Istio 1.15.0.
+The notes also mention changes which preserve backwards compatibility while introducing new behavior.
+Changes are only included if the new behavior would be unexpected to a user of Istio `1.15.x`.
+Users upgrading from 1.14.x to Istio 1.16.0 should also reference the [1.15 change logs](/news/releases/1.15.x/announcing-1.15/change-notes/).
+
+## Gateway API Resources
+
+The Gateway API integration has been upgraded to read `v1beta1` resources for `HTTPRoute`, `Gateway`, and `GatewayClass`. If using the new Gateway API feature for traffic management, which is currently beta, this change requires the gateway-api to be version 0.5.0 or higher. For more information, see the Kubernetes Gateway API [Getting Started Guide](/docs/setup/additional-setup/getting-started).