Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
APACHE-2.0 License
Published by github-actions[bot] about 1 year ago
This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
remoteDiscoverySelector field in the Link resource would cause all services
to be exported. Finally, this release includes numerous other fixes and
enhancements and addresses two security vulnerabilities,
CVE-2023-2603 detected in the proxy-init runtime
image's libcap library and RUSTSEC-2023-0052, a
potential CPU usage denial-of-service attack in the proxy's webpki library
dependency.
CLI
linkerd check --proxy incorrectly checking the proxy version of
completed state (thanks @mikutas!) ([#11295]; fixes [#11280])
skipped messages when injecting namespaces with linkerd inject (thanks @mikutas!) ([#10231])
CNI
Control Plane
Helm
linkerd.io/helm-release-version annotation from the
linkerd-control-plane Helm chart (thanks @mikutas!) ([#11329]; fixes
Multicluster
remoteDiscoverySelector field in a
linkerd multicluster gateways command; when no
linkerd multicluster link ([#11265])
Proxy
Published by github-actions[bot] about 1 year ago
This edge release updates the proxy's dependency on the rustls library to
patch security vulnerability RUSTSEC-2023-0052
(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when
accepting a TLS handshake from an untrusted peer with a maliciously-crafted
certificate. Furthermore, this edge release contains a few improvements to the
control plane and jaeger extension Helm charts.
rustls library
prometheusUrl field for the heartbeat job in the control plane Helm
podMonitors field in the
opentelemetry-collector in the jaeger extension (thanks @iAnomaly!)
Published by github-actions[bot] about 1 year ago
This edge release updates the proxy's dependency on the webpki library to
patch security vulnerability RUSTSEC-2023-0052 (GHSA-8qv2-5vq6-g2g7), a
potential CPU usage denial-of-service attack when accepting a TLS handshake from
an untrusted peer with a maliciously-crafted certificate.
linkerd check --proxy incorrectly checking the proxy version of pods
completed state (thanks @mikutas!) (#11295; fixes #11280)
linkerd.io/helm-release-version annotation from the
linkerd-control-plane Helm chart (thanks @mikutas!) (#11329; fixes
Published by github-actions[bot] about 1 year ago
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.
remoteDiscoverySelector field in a
linkerd multicluster gateways command; when no
linkerd multicluster link (#11265)
skipped messages when injecting namespaces with linkerd inject (thanks @mikutas!) (#10231)
Published by github-actions[bot] about 1 year ago
This stable release backports a service mirror memory leak fix. The service
mirror previously had an issue where certain resources weren't cleaned up
properly resulting in a memory leak.
Published by github-actions[bot] about 1 year ago
This release introduces direct pod-to-pod multicluster service mirroring. When
clusters are deployed on a flat network, Linkerd can export multicluster
services in a way where cross-cluster traffic does not need to go through the
gateway. This enhances multicluster authentication and can reduce the need for
provisioning public load balancers.
In addition, this release adds support for the Gateway API HTTPRoute resource
(in the gateway.networking.k8s.io api group). This improves compatibility with
other tools that use these resources such as Flagger and Argo Rollouts. The
release also includes a large number of features and improvements to HTTPRoute
including the ability to set timeouts and the ability to define
consumer-namespace HTTPRoutes.
Finally, this release includes a number of bugfixes, performance improvements,
and other smaller additions.
Upgrade notes: Please see the upgrade instructions.
linkerd multicluster gateways command (thanks
logFormat value to the multicluster Link Helm Chart (thanks
remoteDiscoverySelector field to the multicluster Link CRD,
linkerd uninstall issue for HTTPRoute
gateway.networking.k8s.io HTTPRoutes in the policy
ResponseHeaderModifier HTTPRoute filter
parent_refs that do not specify a port
failure-domain.beta.kubernetes.io/zone labels in Helm
topology.kubernetes.io/zone labels (thanks @piyushsingariya!)
server_port_subscribers Destination controller gauge metric with
server_port_subscribes and server_port_unsubscribes counter metrics
outbound_http_balancer_endpoints metric
config.linkerd.io/admin-port
linkerd diagnostics policy command now displays outbound policy when
kubelet NetworkAuthentication back since it is used by the
linkerd viz allow-scrapes subcommand.
linkerd viz check command so that it will wait until the viz
remote_write config would cause the
--to and --from flags for the linkerd viz stat
-o jsonpath flag to linkerd viz tap to allow filtering output fields
linkerd-viz web dashboard (thanks @mclavel!)
linkerd.io/extension to certain resources to ensure they
namespace-metadata
This release includes changes from a massive list of contributors! A special
thank-you to everyone who helped make this release possible:
Published by github-actions[bot] about 1 year ago
This is a release candidate for stable-2.14.0; we encourage you to help try
it out!
This edge release contains a number of improvements over the multi-cluster
features introduced in the last edge release supporting flat networks. It also
hardens the containers' security stance by removing write access to the root
filesystem.
linkerd multicluster link to allow clusters to be linked without a
readOnlyRootFilesystem: true in all the containers, as they don't
Published by github-actions[bot] about 1 year ago
This edge release adds improvements to Linkerd's multi-cluster features as part
of the flat network support planned for Linkerd stable-2.14.0. In addition, it
fixes an issue (#10764) where warnings about an invalid metric were logged
frequently by the Destination controller.
remoteDiscoverySelector field to the multicluster Link CRD,
linkerd-viz web dashboard (#11229) (thanks @mclavel!)
server_port_subscribers Destination controller gauge metric with
server_port_subscribes and server_port_unsubscribes counter metrics
failure-domain.beta.kubernetes.io/zone labels in Helm
topology.kubernetes.io/zone labels (#11148; fixes #11114)
Published by github-actions[bot] about 1 year ago
This stable release fixes a regression introduced in stable-2.13.0 which
resulted in proxies shedding load too aggressively while under moderate request
load to a single service (#11055). In addition, it updates the base image for
the linkerd-cni initcontainer to resolve a CVE in libdb (#11196), fixes a
race condition in the Destination controller that could cause it to crash
(#11163), as well as fixing a number of other issues.
Control Plane
Proxy
CLI
--registry flag over the
LINKERD_DOCKER_REGISTRY environment variable, making the precedence more
CNI
linkerd-cni base image to resolve CVE-2019-8457 in libdb
hostNetwork: true from linkerd-cni Helm chart templates
Multicluster
linkerd multicluster check command failing in the presence of
Published by github-actions[bot] about 1 year ago
This edge release restores a proxy setting for it to shed load less aggressively
while under high load, which should result in lower error rates (see #11055). It
also removes the usage of host networking in the linkerd-cni extension.
Published by github-actions[bot] about 1 year ago
This edge release improves Linkerd's support for HttpRoute by allowing
parent_ref ports to be optional, allowing HttpRoutes to be defined in a
consumer's namespace, and adding support for the ResponseHeaderModifier filter.
It also fixes a panic in the destination controller.
parent_refs that do not specify a port
ResponseHeaderModifier HttpRoute filter
--register flag over the
LINKERD_DOCKER_REGISTRY environment variable, making the precedence more
Published by github-actions[bot] over 1 year ago
This edge release introduces support for HTTP filters configured through both
policy.linkerd.io and gateway.networking.k8s.io HTTPRoute resources.
Currently, RequestHeaderModifier and RequestRedirect HTTP filters are
supported. Additionally, this release fixes an issue with the linkerd-cni chart.
Published by github-actions[bot] over 1 year ago
This edge release adds support for the upstream gateway.networking.k8s.io
HTTPRoute resource (in addition to the policy.linkerd.io CRD installed by
Linkerd). Furthermore, it fixes a bug where the ingress-mode proxy would fail to
fall back to ServiceProfiles for destinations without HTTPRoutes.
gateway.networking.k8s.io HTTPRoutes in the policy
NotFound client policies in ingress-mode proxies
Published by github-actions[bot] over 1 year ago
This edge release adds leader-election capabilities to the service-mirror
controller under the hood, as a precursor to HA mode in an upcoming release. It
also includes a linkerd viz tap improvement and a proxy startup bugfix, both
contributed by the community!
-o jsonpath flag to linkerd viz tap to allow filtering output fields
config.linkerd.io/admin-port
Published by github-actions[bot] over 1 year ago
This stable release fixes a memory leak in the multicluster extension and fixes
an issue where the proxy was failing certain requests when running in ingress
mode.
l5d-dst-override header when run in ingress mode
Published by github-actions[bot] over 1 year ago
This edge release introduces timeout capabilities for HTTPRoutes in a manner
compatible with the proposed changes to HTTPRoute in
kubernetes-sigs/gateway-api#1997.
This release also includes several small improvements and fixes:
Published by github-actions[bot] over 1 year ago
This edge release changes the behavior of the CNI plugin to run exclusively in
"chained mode". Instead of creating its own configuration file, the CNI plugin
will now wait until a conf file exists before appending its configuration.
Additionally, this change includes a bug fix for topology aware service
routing.
logFormat value to the multicluster Link Helm Chart (thanks
Published by github-actions[bot] over 1 year ago
This stable release fixes a few issues in the proxy and in the outbound policy
API. Two new configuration options are also introduced to configure the
outbound (and inbound) cache discovery idle period for proxies. The
configuration is supported through annotations and through Helm values.
namespace field on HTTPRoute backendRefs was
Published by github-actions[bot] over 1 year ago
This edge release includes fixes for several bugs related to HTTPRoute handling.
namespace field on HTTPRoute backendRefs was
Published by github-actions[bot] over 1 year ago
This edge release adds some minor improvements in the MeshTLSAuthentication CRD
and the extensions charts, and fixes an issue with linkerd multicluster check.
namespace-metadata
linkerd multicluster check command failing in the presence of lots