What’s New in Istio 1.0? A Deep Dive into Features, Gateways, and Security

Istio 1.0, released on August 1, brings the first production‑ready service‑mesh platform with major enhancements in networking, policy & telemetry, out‑of‑process adapters, and security features such as mTLS and JWT, while introducing the IstioGateway to replace the legacy Ingress model.

Programmer DD
Istio 1.0 was officially released on August 1, marking the first stable version of the open‑source service‑mesh platform that standardizes runtime operations for microservices similar to Docker and Kubernetes.

Istio implements the Service Mesh concept and provides a unified platform for connecting, managing, and securing microservices. Version 1.0 brings all core functions out of the demo stage and makes them ready for production.

New features in Istio 1.0

Network: Virtual Service SNI routing, streaming gRPC recovery, removal of old v1alpha1 network API, Istio Ingress replaced by Gateway.

Policy & telemetry: attribute updates, cache policy checks, telemetry buffering, out‑of‑process adapters, client telemetry.

Mixer adapters: SignalFX, Stackdriver.

Security: RPC‑level authorization policies, improved mutual TLS control, JWT authentication.

Key changes

IstioGateway replaces the previous IstioIngress, removing the dependency on Kubernetes Ingress and enabling L4‑L6 load balancing, external mTLS, and SNI support. With the legacy model, exposing a service through an Ingress looked like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio
  name: simple-ingress
spec:
  rules:
  - http:
      paths:
      - path: /.*/
        backend:
          serviceName: guestbook-ui
          servicePort: 80

The same functionality can be expressed with an Istio Gateway and a VirtualService:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: simple-gateway
spec:
  # Selects the gateway workload that serves this configuration
  selector:
    istio: ingressgateway
  servers:
  # TLS settings are only valid on an HTTPS/TLS server
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - sample.default.example.com
    tls:
      mode: SIMPLE
      serverCertificate: /tmp/tls.crt
      privateKey: /tmp/tls.key
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sample
spec:
  # Must match a host declared on the Gateway server for the route to bind
  hosts:
  - sample.default.example.com
  gateways:
  - simple-gateway
  http:
  - match:
    - uri:
        prefix: /get
    route:
    - destination:
        host: guestbook-ui
        port:
          number: 80

Out‑of‑process Mixer adapters are now separate from the Mixer process, allowing independent deployment, health checks, and the use of gRPC for communication. Example adapters include SignalFX and Stackdriver.

Istio also adds JWT‑based authentication and role‑based access control (RBAC) for authorization. A sample JWT payload and an HTTP request carrying the token as a Bearer credential are shown below.

{
  "iss": "istio",
  "sub": "1.0 GA",
  "iat": 1533073556
}

GET http://35.45.16.16/api/v1/packages?packageNumber=MPDS-372766142-5899
Host: sample.default.example.com
Authorization: Bearer <jwt-token>

To enable authorization, users must enable the feature, set the desired scope (e.g., namespace), and create the corresponding access‑control policy.
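
The steps above, written out for the guestbook-ui service and the JWT issuer shown earlier, using the authentication.istio.io/v1alpha1 and rbac.istio.io/v1alpha1 resources of the Istio 1.0 line. This is an added example, not configuration from the original article; the resource names, the default namespace, the jwksUri placeholder and the use of the request.auth.claims[iss] property are assumptions.

```yaml
# Authenticate first: accept end-user JWTs issued by "istio" for guestbook-ui.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: guestbook-jwt            # hypothetical name
  namespace: default
spec:
  targets:
  - name: guestbook-ui
  origins:
  - jwt:
      issuer: "istio"
      jwksUri: "https://issuer.example.com/jwks.json"  # placeholder
  principalBinding: USE_ORIGIN   # request identity comes from the JWT
---
# Enable authorization and set its scope: only the default namespace.
apiVersion: rbac.istio.io/v1alpha1
kind: RbacConfig
metadata:
  name: default
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: ["default"]
---
# Access-control policy, part 1: a read-only role on the packages API.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: packages-viewer          # hypothetical name
  namespace: default
spec:
  rules:
  - services: ["guestbook-ui.default.svc.cluster.local"]
    methods: ["GET"]
    paths: ["/api/v1/packages*"]  # trailing * is a prefix match
---
# Part 2: grant the role only to requests whose JWT issuer is "istio".
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: bind-packages-viewer     # hypothetical name
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[iss]: "istio"
  roleRef:
    kind: ServiceRole
    name: packages-viewer
```

Once authorization is on for a namespace, any request that no ServiceRoleBinding allows is denied, so every other service in that namespace needs its own role and binding before the RbacConfig is applied.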

The Alibaba Middleware team continues to contribute to the Service Mesh ecosystem, providing tutorials, workshops, and plans to integrate Istio with Dubbo 2.7.
