Istio 0.8

In addition to the usual pile of bug fixes and performance improvements, this release includes the new or updated features detailed below.


  • Revamped Traffic Management Model. We’re finally ready to take the wraps off our new traffic management configuration model. This model adds many new features and addresses usability issues with the prior model. There is a conversion tool built into istioctl to help migrate your config from the old model. Try out the new traffic management model.

  • Envoy V2. Users can choose to inject Envoy V2 as the sidecar. In this mode, Pilot uses Envoy’s new API to push configuration to the data plane. This new approach increases effective scalability and should eliminate spurious 404 errors. [TBD: docs on how to control this?]

  • Gateway for Ingress/Egress. We no longer support combining Kubernetes Ingress specs with Istio route rules, as it has led to several bugs and reliability issues. Istio now supports a platform independent ingress/egress Gateway that works across Kubernetes and Cloud Foundry and works seamlessly with the routing rules.

  • Constrained Inbound Ports. We now restrict the inbound ports in a pod to the ones declared by the apps running inside that pod.


  • Introducing Citadel. We’ve finally given a name to our security component. What was formerly known as Istio-Auth or Istio-CA is now called Citadel.

  • Multicluster Support. We support per-cluster Citadel in multicluster deployments such that all Citadels share the same root cert and workloads can authenticate each other across the mesh.

  • Authentication Policy. We’ve introduced authentication policy that can be used to configure service-to-service authentication (mutual TLS) and end user authentication. This is the recommended way for enabling mutual TLS (over the existing config flag and service annotations). Learn more.


  • Self-Reporting. Mixer and Pilot now produce telemetry that flows through the normal Istio telemetry pipeline, just like services in the mesh.


  • A la Carte Istio. Istio has a rich set of features, however you don’t need to install or consume them all together. By using Helm or istioctl gen-deploy, users can install only the features they want. For example, users can install Pilot only and enjoy traffic management functionality without dealing with Mixer or Citadel. Learn more about customization through Helm and about istioctl gen-deploy.

Mixer adapters

  • CloudWatch. Mixer can now report metrics to AWS CloudWatch. Learn more

Known issues with 0.8