istio.io/istio@v0.0.0-20240520182934-d79c90f27776/releasenotes/notes/external-name-on.yaml

apiVersion: release-notes/v2
kind: bug-fix
area: traffic-management
issues:
  - 37331
releaseNotes:
  - |
    **Improved** support for `ExternalName` services. See Upgrade Notes for more information.
upgradeNotes:
  - title: "`ExternalName` support changes"
    content: |
      Kubernetes `ExternalName` `Service`s allow users to create new DNS entries. For example, you can create an `example` service
      that points to `example.com`. This is implemented by a DNS `CNAME` redirect.

      In Istio, the implementation of `ExternalName`, historically, was substantially different. Each `ExternalName` represented its own
      service, and traffic matching the service was sent to the configured DNS name.

      This caused a few issues:
      * Ports are required in Istio, but not in Kubernetes. This can result in broken traffic if ports are not configured as Istio expects, despite them working without Istio.
      * Ports not declared as `HTTP` would match *all* traffic on that port, making it easy to accidentally send all traffic on a port to the wrong place.
      * Because the destination DNS name is treated as opaque, we cannot apply Istio policies to it as expected. For example, if I point
        an external name at another in-cluster Service (for example, `example.default.svc.cluster.local`), mTLS would not be used.

      `ExternalName` support has been revamped to fix these problems. `ExternalName`s are now simply treated as aliases.
      Wherever we would match `Host: <concrete service>` we additionally will match `Host: <external name service>`.
      Note that the primary implementation of `ExternalName` -- DNS -- is handled outside of Istio in the Kubernetes DNS implementation, and remains unchanged.

      If you are using `ExternalName` with Istio, please be advised of the following behavioral changes:
      * The `ports` field is no longer needed, matching Kubernetes behavior. If it is set, it will have no impact.
      * `VirtualServices` that route to an `ExternalName` service will no longer work unless the referenced service exists (as a Service or ServiceEntry).
      * `DestinationRule` can no longer apply to `ExternalName` services. Instead, create rules where the `host` references the concrete service.

      To opt out, the `ENABLE_EXTERNAL_NAME_ALIAS=false` environment variable can be set.

      Note: the same change was introduced in the previous release, but off by default. This release turns the flag on by default.
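
A pre-upgrade check for the three behavioral changes listed in the upgrade note, as an added example that is not part of the Istio release note or code base. It assumes manifests are already loaded as dictionaries (for instance from `kubectl get -o json`), that the cluster domain is `cluster.local`, and that dotless host names resolve relative to the object's namespace; the finding codes and the sample objects are constructed for illustration.

```python
# Added example: audit constructed manifests against the three upgrade-note changes.
CLUSTER_DOMAIN = "cluster.local"  # assumption: default cluster domain

def fqdn(host, ns):
    """Expand a dotless short name relative to the object's namespace."""
    return host if "." in host else f"{host}.{ns}.svc.{CLUSTER_DOMAIN}"

def audit(manifests):
    """Return (code, object name, detail) tuples for objects the change affects."""
    aliases, concrete, findings = {}, set(), []
    for m in manifests:  # pass 1: index ExternalName aliases and concrete hosts
        meta, spec = m["metadata"], m.get("spec", {})
        host = fqdn(meta["name"], meta.get("namespace", "default"))
        if m["kind"] == "ServiceEntry":
            concrete.update(spec.get("hosts", []))
        elif m["kind"] == "Service" and spec.get("type") == "ExternalName":
            aliases[host] = spec["externalName"]
            if spec.get("ports"):  # `ports` is set but now has no impact
                findings.append(("ports-ignored", meta["name"], host))
        elif m["kind"] == "Service":
            concrete.add(host)
    for m in manifests:  # pass 2: check Istio rules that point at an alias
        meta, spec = m["metadata"], m.get("spec", {})
        ns = meta.get("namespace", "default")
        if m["kind"] == "DestinationRule":
            target = aliases.get(fqdn(spec["host"], ns))
            if target:  # rule no longer applies; `host` must name the real service
                findings.append(("dr-on-alias", meta["name"], target))
        elif m["kind"] == "VirtualService":
            for proto in ("http", "tcp", "tls"):
                for rule in spec.get(proto, []):
                    for route in rule.get("route", []):
                        target = aliases.get(fqdn(route["destination"]["host"], ns))
                        if target and target not in concrete:
                            findings.append(("vs-target-missing", meta["name"], target))
    return findings

def obj(kind, name, spec):  # helper for the constructed sample below
    return {"kind": kind, "metadata": {"name": name, "namespace": "default"}, "spec": spec}

SAMPLE = [  # constructed manifests, not taken from the release note
    obj("Service", "example", {"type": "ExternalName", "externalName": "example.com", "ports": [{"port": 80}]}),
    obj("Service", "alias", {"type": "ExternalName", "externalName": "backend.default.svc.cluster.local"}),
    obj("Service", "backend", {"ports": [{"port": 8080}]}),
    obj("DestinationRule", "alias-mtls", {"host": "alias"}),
    obj("VirtualService", "to-example", {"http": [{"route": [{"destination": {"host": "example"}}]}]}),
    obj("VirtualService", "to-alias", {"http": [{"route": [{"destination": {"host": "alias"}}]}]}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Adding a `ServiceEntry` whose `hosts` includes `example.com` clears the `vs-target-missing` finding; the `dr-on-alias` finding is cleared by pointing the rule's `host` at the concrete service.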