linkerd2

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.

APACHE-2.0 License

linkerd2 - stable-2.14.1

Published by github-actions[bot] about 1 year ago

stable-2.14.1

This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
remoteDiscoverySelector field in the Link resource would cause all services
to be exported. Finally, this release includes numerous other fixes and
enhancements and addresses two security vulnerabilities,
CVE-2023-2603 detected in the proxy-init runtime
image's libcap library and RUSTSEC-2023-0052, a
potential CPU usage denial-of-service attack in the proxy's webpki library
dependency.

  • CLI

    • Fixed linkerd check --proxy incorrectly checking the proxy version of
      pods in the completed state (thanks @mikutas!) (#11295; fixes #11280)
    • Fixed erroneous skipped messages when injecting namespaces with linkerd inject (thanks @mikutas!) (#10231)
  • CNI

    • Addressed security vulnerability CVE-2023-2603 in
      proxy-init and CNI plugin (#11296)
  • Control Plane

    • Changed how hostPort lookups are handled in the destination service.
      Previously, when doing service discovery for an endpoint bound on a
      hostPort, the destination service would return the corresponding pod IP. On
      pod restart, this could lead to loss of connectivity on the client's side.
      The destination service now always returns host IPs for service discovery
      on an endpoint that uses hostPorts (#11328)
    • Updated HTTPRoute webhook rule to validate all apiVersions of the resource
      (thanks @mikutas!) (#11149)
  • Helm

    • Removed unnecessary linkerd.io/helm-release-version annotation from the
      linkerd-control-plane Helm chart (thanks @mikutas!) (#11329; fixes
      #10778)
    • Introduced resource requests/limits for the policy controller resource in
      the control plane helm chart (#11301)
  • Multicluster

    • Fixed an issue where an empty remoteDiscoverySelector field in a
      multicluster link would cause all services to be mirrored (#11309)
    • Removed time out from linkerd multicluster gateways command; when no
      metrics exist the command will return instantly (#11265)
    • Improved help messaging for linkerd multicluster link (#11265)
  • Proxy

linkerd2 - edge-23.9.3

Published by github-actions[bot] about 1 year ago

edge-23.9.3

This edge release updates the proxy's dependency on the rustls library to
patch security vulnerability RUSTSEC-2023-0052
(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when
accepting a TLS handshake from an untrusted peer with a maliciously-crafted
certificate. Furthermore, this edge release contains a few improvements to the
control plane and jaeger extension Helm charts.

  • Addressed security vulnerability RUSTSEC-2023-0052 in
    the proxy by updating its dependency on the rustls library
  • Added a prometheusUrl field for the heartbeat job in the control plane Helm
    chart (thanks @david972!) (#11343; fixes #11342)
  • Introduced support for arbitrary labels in the podMonitors field in the
    control plane Helm chart (thanks @jseiser!) (#11222; fixes #11175)
  • Added support for config merge and Deployment environment to
    opentelemetry-collector in the jaeger extension (thanks @iAnomaly!)
    (#11283)

linkerd2 - edge-23.9.2

Published by github-actions[bot] about 1 year ago

edge-23.9.2

This edge release updates the proxy's dependency on the webpki library to
patch security vulnerability RUSTSEC-2023-0052 (GHSA-8qv2-5vq6-g2g7), a
potential CPU usage denial-of-service attack when accepting a TLS handshake from
an untrusted peer with a maliciously-crafted certificate.

  • Addressed security vulnerability RUSTSEC-2023-0052 in the proxy (#11361)
  • Fixed linkerd check --proxy incorrectly checking the proxy version of pods
    in the completed state (thanks @mikutas!) (#11295; fixes #11280)
  • Removed unnecessary linkerd.io/helm-release-version annotation from the
    linkerd-control-plane Helm chart (thanks @mikutas!) (#11329; fixes
    #10778)

linkerd2 - edge-23.9.1

Published by github-actions[bot] about 1 year ago

edge-23.9.1

This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

  • Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
    (#11296)
  • Introduced resource requests/limits for the policy controller resource in the
    control plane helm chart (#11301)
  • Fixed an issue where an empty remoteDiscoverySelector field in a
    multicluster link would cause all services to be mirrored (#11309)
  • Removed time out from linkerd multicluster gateways command; when no
    metrics exist the command will return instantly (#11265)
  • Improved help messaging for linkerd multicluster link (#11265)
  • Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a hostPort,
    the destination service would return the corresponding pod IP. On pod
    restart, this could lead to loss of connectivity on the client's side. The
    destination service now always returns host IPs for service discovery on an
    endpoint that uses hostPorts (#11328)
  • Updated HTTPRoute webhook rule to validate all apiVersions of the resource
    (thanks @mikutas!) (#11149)
  • Fixed erroneous skipped messages when injecting namespaces with linkerd inject (thanks @mikutas!) (#10231)

linkerd2 - stable-2.12.6

Published by github-actions[bot] about 1 year ago

stable-2.12.6

This stable release backports a service mirror memory leak fix. The service
mirror previously had an issue where certain resources weren't cleaned up
properly resulting in a memory leak.

  • Fixed a memory leak in the multicluster service mirror component (#10746)

linkerd2 - stable-2.14.0

Published by github-actions[bot] about 1 year ago

stable-2.14.0

This release introduces direct pod-to-pod multicluster service mirroring. When
clusters are deployed on a flat network, Linkerd can export multicluster
services in a way where cross-cluster traffic does not need to go through the
gateway. This enhances multicluster authentication and can reduce the need for
provisioning public load balancers.

In addition, this release adds support for the
Gateway API HTTPRoute resource (in the
gateway.networking.k8s.io api group). This improves compatibility with other
tools that use these resources such as Flagger and
Argo Rollouts. The release also includes
a large number of features and improvements to HTTPRoute including the ability
to set timeouts and the ability to define consumer-namespace HTTPRoutes.

Finally, this release includes a number of bugfixes, performance improvements,
and other smaller additions.

Upgrade notes: Please see the
upgrade instructions.

  • Multicluster
    • Remove namespace field from cluster scoped resources to fix pruning
    • Added -o json flag for the linkerd multicluster gateways command (thanks
      @hiteshwani29)
    • Introduced logFormat value to the multicluster Link Helm Chart (thanks
      @bunnybilou!)
    • Added leader-election capabilities to the service-mirror controller
    • Added high-availability (HA) mode for the multicluster service-mirror
    • Added a new remoteDiscoverySelector field to the multicluster Link CRD,
      which enables a service mirroring mode where the control plane
      performs discovery for the mirrored service from the remote cluster, rather
      than creating Endpoints for the mirrored service in the source cluster
  • HTTPRoute
    • Fixed linkerd uninstall issue for HTTPRoute
    • Added support for gateway.networking.k8s.io HTTPRoutes in the policy
      controller
    • Added support for RequestHeaderModifier and RequestRedirect HTTP filters in
      outbound policy; filters may be added at the route or backend level
    • Added support for the ResponseHeaderModifier HTTPRoute filter
    • Added support for HTTPRoutes defined in the consumer namespace
    • Added support for HTTPRoute parent_refs that do not specify a port
  • CRDs
    • Patched the MeshTLSAuthentication CRD to force providing at least one
      identity/identityRef
  • Control Plane
    • Send Opaque protocol hint for opaque ports in destination controller
    • Replaced deprecated failure-domain.beta.kubernetes.io/zone labels in Helm
      charts with topology.kubernetes.io/zone labels (thanks @piyushsingariya!)
    • Replaced server_port_subscribers Destination controller gauge metric with
      server_port_subscribes and server_port_unsubscribes counter metrics
  • Proxy
    • Handle Opaque protocol hints on endpoints
    • Added outbound_http_balancer_endpoints metric
    • Fixed missing route_ metrics for requests with ServiceProfiles
    • Fixed proxy startup failure when using the config.linkerd.io/admin-port
      annotation (thanks @jclegras!)
    • Added distinguishable version information to proxy logs and metrics
  • CLI
    • The linkerd diagnostics policy command now displays outbound policy when
      the target resource is a Service
    • A fix for HA validation checks when Linkerd is installed with Helm. Thanks
      @mikutas!!
  • Viz
    • Add the kubelet NetworkAuthentication back since it is used by the
      linkerd viz allow-scrapes subcommand.
    • Fixed the linkerd viz check command so that it will wait until the viz
      extension becomes ready
    • Fixed an issue where specifying a remote_write config would cause the
      Prometheus config to be invalid (thanks @hiteshwani29)
    • Improved validation of the --to and --from flags for the linkerd viz stat
      command (thanks @pranoyk)
    • Added -o jsonpath flag to linkerd viz tap to allow filtering output fields
      (thanks @hiteshwani29!)
    • Fixed a Grafana error caused by an incorrect datasource (thanks @albundy83!)
    • Fixed missing "Services" menu item in the Spanish localization for the
      linkerd-viz web dashboard (thanks @mclavel!)
  • Extensions
    • Added missing label linkerd.io/extension to certain resources to ensure they
      are pruned when appropriate (thanks @ClementRepo)
    • Added tolerations and nodeSelector support in extensions namespace-metadata
      Jobs (thanks @pssalman!)
  • Init Containers
    • Added an option for disabling the network validator's security context for
      environments that provide their own
  • CNI
    • Added --set flag to install-cni plugin (thanks @amit-62!)
    • Fixed missing resource-cni labels on linkerd-cni; this blocked the
      linkerd-cni pods from coming up when the injector was broken (thanks
      @migueleliasweb!)
  • Build
    • Build improvements for multi-arch build artifacts. Thanks @MarkSRobinson!!

This release includes changes from a massive list of contributors! A special
thank-you to everyone who helped make this release possible:

  • Amir Karimi @AMK9978
  • Amit Kumar @amit-62
  • Andre Marcelo-Tanner @kzap
  • Andrew @andrew-gropyus
  • Arnaud Beun @bunnybilou
  • Clement @proxfly
  • Dima @krabradosty
  • Grégoire Bellon-Gervais @albundy83
  • Harsh Soni @harsh020
  • Jean-Charles Legras @jclegras
  • Loong Dai @daixiang0
  • Mark Robinson @MarkSRobinson
  • Miguel Elias dos Santos @migueleliasweb
  • Pranoy Kumar Kundu @pranoyk
  • Ryan Hristovski @ryanhristovski
  • Takumi Sue @mikutas
  • Zakhar Bessarab @zekker6
  • hiteshwani29 @hiteshwani29
  • pheianox
  • pssalman @pssalman

linkerd2 - edge-23.8.3

Published by github-actions[bot] about 1 year ago

edge-23.8.3

This is a release candidate for stable-2.14.0; we encourage you to help try
it out!

This edge release contains a number of improvements over the multi-cluster
features introduced in the last edge release supporting flat networks. It also
hardens the containers' security stance by removing write access to the root
filesystem.

  • Enhanced linkerd multicluster link to allow clusters to be linked without a
    gateway (#11226)
  • Added cluster store size gauge metric (#11256)
  • Disabled local traffic policy for remote discovery (#11257)
  • Fixed various innocuous multi-cluster warnings (#11251, #11246, #11253)
  • Set readOnlyRootFilesystem: true in all the containers, as they don't
    require write permissions (#11221; fixes #11142) (thanks @mikutas!)

linkerd2 - edge-23.8.2

Published by github-actions[bot] about 1 year ago

edge-23.8.2

This edge release adds improvements to Linkerd's multi-cluster features as part
of the flat network support planned for Linkerd stable-2.14.0. In addition, it
fixes an issue (#10764) where warnings about an invalid metric were logged
frequently by the Destination controller.

  • Added a new remoteDiscoverySelector field to the multicluster Link CRD,
    which enables a service mirroring mode where the control plane
    performs discovery for the mirrored service from the remote cluster, rather
    than creating Endpoints for the mirrored service in the source cluster
    (#11190, #11201, #11220, and #11224)
  • Fixed missing "Services" menu item in the Spanish localization for the
    linkerd-viz web dashboard (#11229) (thanks @mclavel!)
  • Replaced server_port_subscribers Destination controller gauge metric with
    server_port_subscribes and server_port_unsubscribes counter metrics
    (#11206; fixes #10764)
  • Replaced deprecated failure-domain.beta.kubernetes.io/zone labels in Helm
    charts with topology.kubernetes.io/zone labels (#11148; fixes #11114)
    (thanks @piyushsingariya!)

linkerd2 - stable-2.13.6

Published by github-actions[bot] about 1 year ago

stable-2.13.6

This stable release fixes a regression introduced in stable-2.13.0 which
resulted in proxies shedding load too aggressively while under moderate request
load to a single service (#11055). In addition, it updates the base image for
the linkerd-cni initcontainer to resolve a CVE in libdb (#11196), fixes a
race condition in the Destination controller that could cause it to crash
(#11163), as well as fixing a number of other issues.

  • Control Plane

    • Fixed a race condition in the destination controller that could cause it to
      panic (#11169; fixes #11163)
    • Improved the granularity of logging levels in the control plane (#11147)
  • Proxy

    • Changed the default HTTP request queue capacities for the inbound and
      outbound proxies back to 10,000 requests (#11198; fixes #11055)
  • CLI

    • Updated extension CLI commands to prefer the --registry flag over the
      LINKERD_DOCKER_REGISTRY environment variable, making the precedence more
      consistent (thanks @harsh020!) (see #11144)
  • CNI

    • Updated linkerd-cni base image to resolve CVE-2019-8457 in libdb
      (#11196)
    • Changed the CNI plugin installer to always run in 'chained' mode; the plugin
      will now wait until another CNI plugin is installed before appending its
      configuration (#10849)
    • Removed hostNetwork: true from linkerd-cni Helm chart templates
      (#11158; fixes #11141) (thanks @abhijeetgauravm!)
  • Multicluster

    • Fixed the linkerd multicluster check command failing in the presence of
      lots of mirrored services (#10764)

linkerd2 - edge-23.8.1

Published by github-actions[bot] about 1 year ago

edge-23.8.1

This edge release restores a proxy setting so that it sheds load less aggressively
while under high load, which should result in lower error rates (see #11055). It
also removes the usage of host networking in the linkerd-cni extension.

  • Changed the default HTTP request queue capacities for the inbound and outbound
    proxies back to 10,000 requests (see #11055 and #11198)
  • Removed the need for host networking in the linkerd-cni DaemonSet (#11141)
    (thanks @abhijeetgauravm!)

linkerd2 - edge-23.7.3

Published by github-actions[bot] about 1 year ago

edge-23.7.3

This edge release improves Linkerd's support for HttpRoute by allowing
parent_ref ports to be optional, allowing HttpRoutes to be defined in a
consumer's namespace, and adding support for the ResponseHeaderModifier filter.
It also fixes a panic in the destination controller.

  • Added an option for disabling the network validator's security context for
    environments that provide their own
  • Added high-availability (HA) mode for the multicluster service-mirror
  • Added support for HttpRoute parent_refs that do not specify a port
  • Fixed a Grafana error caused by an incorrect datasource (thanks @albundy83!)
  • Added support for HttpRoutes defined in the consumer namespace
  • Improved the granularity of logging levels in the control plane
  • Fixed a race condition in the destination controller that could cause it to
    panic
  • Added support for the ResponseHeaderModifier HttpRoute filter
  • Updated extension CLI commands to prefer the --registry flag over the
    LINKERD_DOCKER_REGISTRY environment variable, making the precedence more
    consistent (thanks @harsh020!)

linkerd2 - edge-23.7.2

Published by github-actions[bot] over 1 year ago

edge-23.7.2

This edge release introduces support for HTTP filters configured through both
policy.linkerd.io and gateway.networking.k8s.io HTTPRoute resources.
Currently, RequestHeaderModifier and RequestRedirect HTTP filters are
supported. Additionally, this release fixes an issue with the linkerd-cni
chart.

  • Added support for RequestHeaderModifier and RequestRedirect HTTP filters in
    outbound policy; filters may be added at the route or backend level
  • Fixed missing resource-cni labels on linkerd-cni; this blocked the
    linkerd-cni pods from coming up when the injector was broken (thanks
    @migueleliasweb!)

linkerd2 - edge-23.7.1

Published by github-actions[bot] over 1 year ago

edge-23.7.1

This edge release adds support for the upstream gateway.networking.k8s.io
HTTPRoute resource (in addition to the policy.linkerd.io CRD installed by
Linkerd). Furthermore, it fixes a bug where the ingress-mode proxy would fail to
fall back to ServiceProfiles for destinations without HTTPRoutes.

  • Added support for gateway.networking.k8s.io HTTPRoutes in the policy
    controller
  • Added distinguishable version information to proxy logs and metrics
  • Fixed incorrect handling of NotFound client policies in ingress-mode proxies

linkerd2 - edge-23.6.3

Published by github-actions[bot] over 1 year ago

edge-23.6.3

This edge release adds leader-election capabilities to the service-mirror
controller under the hood, as a precursor to HA mode in an upcoming release. It
also includes a linkerd viz tap improvement and a proxy startup bugfix, both
contributed by the community!

  • Added leader-election capabilities to the service-mirror controller
  • Added -o jsonpath flag to linkerd viz tap to allow filtering output fields
    (thanks @hiteshwani29!)
  • Fixed proxy startup failure when using the config.linkerd.io/admin-port
    annotation (thanks @jclegras!)

linkerd2 - stable-2.13.5

Published by github-actions[bot] over 1 year ago

stable-2.13.5

This stable release fixes a memory leak in the multicluster extension and fixes
an issue where the proxy was failing certain requests when running in ingress
mode.

  • Fixed a memory leak in the service mirror controller
  • Fixed an issue where the proxy would fail requests that were missing the
    l5d-dst-override header when run in ingress mode

linkerd2 - edge-23.6.2

Published by github-actions[bot] over 1 year ago

edge-23.6.2

This edge release introduces timeout capabilities for HTTPRoutes in a manner
compatible with the proposed changes to HTTPRoute in
kubernetes-sigs/gateway-api#1997.

This release also includes several small improvements and fixes:

  • A fix for HA validation checks when Linkerd is installed with Helm. Thanks
    @mikutas!!
  • Build improvements for multi-arch build artifacts. Thanks @MarkSRobinson!!

linkerd2 - edge-23.6.1

Published by github-actions[bot] over 1 year ago

edge-23.6.1

This edge release changes the behavior of the CNI plugin to run exclusively in
"chained mode". Instead of creating its own configuration file, the CNI plugin
will now wait until a conf file exists before appending its configuration.
Additionally, this change includes a bug fix for topology aware service
routing.

  • Changed the CNI plugin installer to always run in 'chained' mode; the plugin will
    now wait until another CNI plugin is installed before appending its
    configuration
  • Fixed bug where topology routing would not disable while service was under
    load (thanks @MarkSRobinson!)
  • Introduced logFormat value to the multicluster Link Helm Chart (thanks
    @bunnybilou!)

linkerd2 - stable-2.13.4

Published by github-actions[bot] over 1 year ago

stable-2.13.4

This stable release fixes a few issues in the proxy and in the outbound policy
API. Two new configuration options are also introduced to configure the
outbound (and inbound) discovery cache idle period for proxies. The
configuration is supported through annotations and through Helm values.

  • Control Plane
    • Fixed an issue where the namespace field on HTTPRoute backendRefs was
      ignored, and the backend Service would always be assumed to be in the
      same namespace as the parent Service
    • Fixed an issue where default authorizations generated for readiness and
      liveness probes would fail if the probe path included URI query parameters
    • Added the ability to configure the proxy's discovery cache timeouts with
      the config.linkerd.io/proxy-outbound-discovery-cache-unused-timeout and
      config.linkerd.io/proxy-inbound-discovery-cache-unused-timeout annotations
    • Fixed bug where topology routing would not disable while service was under
      load (thanks @MarkSRobinson!)
  • Proxy
    • Fixed an issue where meshed pods could not communicate with themselves
      through a ClusterIP Service
    • Fixed an issue with W3C trace context propagation which caused proxy spans
      to be siblings rather than children of their original parent (thanks
      @whiskeysierra)
    • Fixed the proxy not using gRPC response classification for gRPC requests to
      destinations without ServiceProfiles
  • Helm
    • Introduced outbound/inbound discovery cache idle timeout
      configuration values

linkerd2 - edge-23.5.3

Published by github-actions[bot] over 1 year ago

edge-23.5.3

This edge release includes fixes for several bugs related to HTTPRoute handling.

  • Fixed an issue where the namespace field on HTTPRoute backendRefs was
    ignored, and the backend Service would always be assumed to be in the
    same namespace as the parent Service
  • Fixed an issue where default authorizations generated for readiness and
    liveness probes would fail if the probe path included URI query parameters
  • Fixed the proxy not using gRPC response classification for gRPC requests to
    destinations without ServiceProfiles

linkerd2 - edge-23.5.2

Published by github-actions[bot] over 1 year ago

edge-23.5.2

This edge release adds some minor improvements in the MeshTLSAuthentication CRD
and the extensions charts, and fixes an issue with linkerd multicluster check.

  • Added tolerations and nodeSelector support in extensions namespace-metadata
    Jobs (thanks @pssalman!)
  • Patched the MeshTLSAuthentication CRD to force providing at least one
    identity/identityRef
  • Fixed the linkerd multicluster check command failing in the presence of lots
    of mirrored services