Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
APACHE-2.0 License
Published by github-actions[bot] over 1 year ago
This edge release introduces the ability to configure the proxy's discovery cache
timeouts via annotations. While most users will not need to do this, it can be
useful to improve the mesh's resilience to control plane failures. This release
also includes a number of other important improvements and bug fixes.
linkerd multicluster gateways command (thanks
linkerd.io/extension to certain resources to ensure they
--to and --from flags for the linkerd viz stat
remote_write config would cause the
config.linkerd.io/proxy-outbound-discovery-cache-unused-timeout and config.linkerd.io/proxy-inbound-discovery-cache-unused-timeout annotations
linkerd viz check command so that it will wait until the viz
Published by github-actions[bot] over 1 year ago
This stable release improves compatibility with ArgoCD by changing the Linkerd
control plane to create Lease resources at runtime rather than including them
in the Helm chart. It also addresses a CVE by upgrading an underlying
dependency.
h2 dependency to address CVE-2023-26964
server_port_subscribers metric exposed by the
policy-controller-write Lease from the control plane Helm chart
Published by github-actions[bot] over 1 year ago
This edge release improves compatibility with ArgoCD by changing the Linkerd
control plane to create Lease resources at runtime rather than including them
in the Helm chart. It also addresses a CVE by upgrading an underlying
dependency.
h2 dependency to address CVE-2023-26964
server_port_subscribers metric in the Destination
Published by github-actions[bot] over 1 year ago
This stable release fixes an incompatibility issue with the AWS CNI addon in EKS
that was preventing pods from acquiring networking after scaling up nodes (thanks
@frimik!). It also includes security updates for dependencies.
CNI
CLI
linkerd uninstall command
Proxy
trust_dns_proto that are generally spurious
Extensions
Published by github-actions[bot] over 1 year ago
This stable release fixes an incompatibility issue with the AWS CNI addon in EKS
that was preventing pods from acquiring networking after scaling up nodes (thanks
@frimik!). It also includes security updates for dependencies.
h2 dependency in the policy controller to include a patch for a
openssl dependency in the policy controller, addressing
Published by github-actions[bot] over 1 year ago
This edge release contains a number of bug fixes.
CLI
linkerd uninstall issue for HttpRoute
linkerd diagnostics policy command now displays outbound policy when
CNI
Control Plane
cluster.local domain
Helm
unexpected argument found errors
Multicluster
Proxy
h2 dependency to include a patch for a theoretical
trust_dns_proto that are generally spurious.
outbound_http_balancer_endpoints metric
Viz
kubelet NetworkAuthentication back since it is used by the linkerd viz allow-scrapes subcommand.
Published by github-actions[bot] over 1 year ago
This stable release fixes an issue in the policy controller where a non-default
cluster domain would return incorrect authorities in the outbound policy API.
Additionally, this release updates a proxy dependency to fix CVE-2023-2694.
Proxy
h2 dependency to include a patch for a theoretical
Control Plane
cluster.local domain
Helm
unexpected argument found errors
Published by github-actions[bot] over 1 year ago
This release introduces client-side policy to Linkerd, including dynamic routing
and circuit breaking. Gateway API HTTPRoutes can now be used to configure policy
for outbound (client) proxies as well as inbound (server) proxies, by creating
HTTPRoutes with Service resources as their parentRef. See the Linkerd
documentation for tutorials on dynamic request routing and circuit breaking. New
functionality for debugging HTTPRoute-based policy is also included in this
release, including new proxy metrics and the ability to display outbound
policies in the linkerd diagnostics policy CLI command.
In addition, this release adds network-validator, a new init container to be
used when CNI is enabled. network-validator ensures that local iptables rules
are working as expected. It will validate this before linkerd-proxy starts.
network-validator replaces the noop container, runs as nobody, and drops all
capabilities before starting.
Finally, this release includes a number of bugfixes, performance improvements,
and other smaller additions.
Upgrade notes: Please see the upgrade instructions.
CRDs
v1alpha1 to v1beta2
CLI
linkerd prune command to the CLI (including most extensions) to
linkerd diagnostics policy command now displays outbound policy when
Control Plane
linkerd-proxy to route
/metrics endpoint to the admin server, with process
status field to
ignoreOutboundPorts of proxy-injector
waitBeforeExitSeconds to control plane, viz and jaeger
internalTrafficPolicy of a service (thanks @yc185050!)
NoEndpoints event would be sent to the
Proxy
outbound_route_backend_http_requests_total, outbound_route_backend_grpc_requests_total, and outbound_http_balancer_endpoints metrics
linkerd-proxy-init
proxy-init iptables rules to be idempotent upon init pod
proxy-init and linkerd-cni
proxyInit.privileged setting to control whether the proxy-init
CNI
network-validator init container to ensure that iptables rules are
resources field in the linkerd-cni chart (thanks @jcogilvie!)
Viz
tap.ignoredHeaders Helm value to the linkerd-viz chart. This value
--viz-namespace which avoids requiring permissions for
linkerd viz subcommands (thanks @danibaeyens!)
viz chart to allow for arbitrary annotations
Service objects (thanks @sgrzemski!)
Multicluster
nodeSelector and tolerations helm parameters
gateway.deploymentAnnotations
gateway.terminationGracePeriodSeconds (thanks @bunnybilou!)
gateway.loadBalancerSourceRanges (thanks @Tyrion85!)
Extensions
curlimages/curl 3rd-party image used to initialize
linkerd check),
extension-init image
ServerAuthorization resources to AuthorizationPolicy resources
Among other dependency updates, the no-longer maintained ghodss/yaml library
was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)
This release includes changes from a massive list of contributors! A special
thank-you to everyone who helped make this release possible:
Published by github-actions[bot] over 1 year ago
This is a release candidate for stable-2.13.0 — we encourage you to help
try it out!
This edge release introduces request-level HTTP circuit-breaking
using a consecutive failures failure accrual policy. Circuit breaking can be
configured by adding failure accrual annotations to a Service. In addition, this
release adds new outbound_route_backend_http_requests_total and
outbound_route_backend_grpc_requests_total proxy metrics, which can be
used to track how routing rules and backend distributions apply to
requests. These metrics contain labels describing the route's parent
(i.e. a Service), the route resource being used, and the backend
resource being used by each request.
Proxy
outbound_route_backend_http_requests_total and outbound_route_backend_grpc_requests_total metrics
Policy Controller
/metrics endpoint to the admin server, with process
Viz
tap.ignoredHeaders Helm value to the linkerd-viz chart. This value
Multicluster
Published by github-actions[bot] over 1 year ago
This edge release further enhances the OutboundPolicies API used by the proxy to
route outbound traffic, and continues extending the HTTPRoute resource's Status
field. It also starts integrating circuit-breaking functionality into the proxy,
which will be configurable in a subsequent iteration.
true are considered when routing outbound requests
--viz-namespace which avoids requiring permissions for
linkerd viz subcommands (thanks @danibaeyens!)
Published by github-actions[bot] over 1 year ago
This edge release removes TrafficSplits from the Linkerd dashboard as well as
fixing a number of issues in the policy controller.
Published by github-actions[bot] over 1 year ago
This edge release continues to improve dynamic Policy statuses and
introduces support for header-based routing.
Destination Controller
linkerd-proxy to route
Proxy
Policy Controller
policy-controller-write Lease when patching HTTPRoutes
status field and filter out HTTPRoutes which have not
Added KubeAPI server ports to ignoreOutboundPorts of proxy-injector
Updated HTTPRoute version from v1alpha1 to v1beta2
Updated network-validator helm charts to use proxy-init resources
Fixed Grafana regular expression, enabling monitoring of filesystem
usage (thanks @h-dav!)
Published by github-actions[bot] over 1 year ago
This edge release continues to build support under the hood for the upcoming
features in 2.13. Also included are several dependency updates and less verbose
logging.
curlimages/curl 3rd-party image used to initialize
linkerd check),
extension-init image
Published by github-actions[bot] over 1 year ago
This edge release includes a number of fixes and introduces a new CLI command,
linkerd prune. The new prune command should be used to remove resources
which are no longer part of the Linkerd manifest when doing an upgrade.
Previously, the recommendation was to use linkerd upgrade in conjunction with
kubectl apply --prune; however, that will not remove resources which are not
part of the input manifest, and it will not detect cluster-scoped resources.
linkerd prune (included in all core extensions) should be preferred over it.
Additionally, this change contains a few fixes from our external contributors,
and a change to the viz Helm chart which allows for arbitrary annotations on
Service objects. Last but not least, the release contains a few proxy
internal changes to prepare for the new client policy API.
linkerd prune command to the CLI (including extensions) to
viz chart to allow for arbitrary annotations
Service objects (thanks @sgrzemski!)
NoEndpoints event would be sent to the
Published by github-actions[bot] over 1 year ago
This edge release adds the policy status controller which writes the status
field to HTTPRoutes when a parent reference Server accepts or rejects the
HTTPRoute. This field is currently not consumed by the policy controller, but
acts as the first step for considering HTTPRoute status when serving policy.
Additionally, the destination controller now uses the Kubernetes metadata API
for resources which it only needs to track the metadata for — Nodes and
ReplicaSets. For all other resources it tracks, it uses additional information
so continues to use the API as before.
status field to
Published by github-actions[bot] over 1 year ago
This edge release sees the linkerd-cni plugin moved to linkerd2-proxy-init and
released from that repository. An iptables improvement to linkerd-cni and
proxy-init is the main focus. Other minor fixes are also included.
proxy-init iptables rules to be idempotent upon init pod
proxy-init and linkerd-cni
waitBeforeExitSeconds to control plane, viz and jaeger
internalTrafficPolicy of a service (thanks @yc185050!)
limits and requests to network-validator for ResourceQuota interop
nodeSelector and tolerations helm parameters
Published by github-actions[bot] over 1 year ago
This stable release fixes a memory leak in the Destination controller, and also
includes other bug fixes for the Linkerd control plane, CLI, and extensions.
CLI
--identity-external-ca would set an
Control Plane
linkerd-proxy-init
noop init container, to support environments
Helm
Extensions
linkerd viz tap would display wrong latency/duration
Published by github-actions[bot] over 1 year ago
This edge release fixes a memory leak in the Linkerd control plane that could
occur when many, many pods were created. It also adds a number of new
configuration options for the Multicluster extension's gateway.
gateway.deploymentAnnotations
gateway.terminationGracePeriodSeconds (thanks @bunnybilou!)
gateway.loadBalancerSourceRanges (thanks @Tyrion85!)
seccompProfile
Published by github-actions[bot] almost 2 years ago
This edge release fixes a caching issue in the destination controller, converts
deprecated policy resources, and introduces several changes to how the proxy
works.
A bug in the destination controller that could potentially lead to stale pods
being considered in the load balancer has been fixed.
Several Linkerd extensions were still using the now deprecated
ServerAuthorization resource. These instances have now been converted to using
AuthorizationPolicy. Additionally, several policy resources that authenticated
probes were removed, since probes are now authenticated by default.
As part of ongoing policy work, there are several changes with how the proxy
works. Routes are now lazily initialized so that service profile routes will
not show up in metrics until the route is used. Furthermore, the proxy’s
traffic splitting behavior has changed so that only available resources are
used, resulting in fewer failfast errors.
Finally, this edge release contains a number of fixes and improvements from our
contributors.
ServerAuthorization resources to AuthorizationPolicy resources
resources field in the linkerd-cni chart (thanks @jcogilvie!)
--identity-external-ca would set an
linkerd viz tap would display wrong latency/duration
Published by github-actions[bot] almost 2 years ago
This stable release is packed with various fixes in both the core linkerd
controllers and extensions.
CLI
linkerd check failing when the cluster had services of type ExternalName
linkerd multicluster install not honoring the gateway.UID setting
linkerd upgrade --from-manifests
Destination Controller
hostPort mappings were
linkerd-proxy-init
noop init container user to be the same as proxy-init's to avoid
proxyInit.privileged setting to allow running linkerd-proxy-init without restrictions when required
Extensions
proxyProtocol restriction in the multicluster gateway
linkerd-cni DaemonSet to have it