linkerd2

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.

APACHE-2.0 License

Stars: 10.4K
Committers: 309

linkerd2 - edge-23.5.1

Published by github-actions[bot] over 1 year ago

edge-23.5.1

This edge release introduces the ability to configure the proxy's discovery cache
timeouts via annotations. While most users will not need to do this, it can be
useful to improve the mesh's resilience to control plane failures. This release
also includes a number of other important improvements and bug fixes.

  • Added -o json flag for the linkerd multicluster gateways command (thanks
    @hiteshwani29)
  • Added missing label linkerd.io/extension to certain resources to ensure they
    are pruned when appropriate (thanks @ClementRepo)
  • Fixed a memory leak in the service mirror controller
  • Improved validation of the --to and --from flags for the linkerd viz stat
    command (thanks @pranoyk)
  • Fixed an issue with W3C trace context propagation which caused proxy spans to
    be siblings rather than children of their original parent (thanks
    @whiskeysierra)
  • Updated the Linkerd CNI plugin base docker image from Debian to Alpine
  • Fixed an issue where specifying a remote_write config would cause the
    Prometheus config to be invalid (thanks @hiteshwani29)
  • Added the ability to configure the proxy's discovery cache timeouts with the
    config.linkerd.io/proxy-outbound-discovery-cache-unused-timeout and
    config.linkerd.io/proxy-inbound-discovery-cache-unused-timeout annotations
  • Fixed the linkerd viz check command so that it will wait until the viz
    extension becomes ready
  • Fixed an issue where meshed pods could not communicate with themselves through
    a ClusterIP Service
linkerd2 - stable-2.13.3

Published by github-actions[bot] over 1 year ago

stable-2.13.3

This stable release improves compatibility with ArgoCD by changing the Linkerd
control plane to create Lease resources at runtime rather than including them
in the Helm chart. It also addresses a CVE by upgrading an underlying
dependency.

  • Upgraded the policy controller's h2 dependency to address CVE-2023-26964
  • Fixed an issue where the server_port_subscribers metric exposed by the
    Destination controller was sometimes absent
  • Removed the policy-controller-write Lease from the control plane Helm chart
    in favor of creating it at runtime
  • Updated the proxy-injector to pass opaque port lists to the proxy as ranges
    rather than individually, greatly reducing the size of proxy manifests when
    large opaque port ranges are set
  • Fixed an issue where the proxy was performing protocol detection on ports
    marked as opaque
  • Improved backwards compatibility between 2.13 proxies and 2.12 control planes
linkerd2 - edge-23.4.3

Published by github-actions[bot] over 1 year ago

edge-23.4.3

This edge release improves compatibility with ArgoCD by changing the Linkerd
control plane to create Lease resources at runtime rather than including them
in the Helm chart. It also addresses a CVE by upgrading an underlying
dependency.

  • Upgraded h2 dependency to address CVE-2023-26964
  • Fixed an issue where server_port_subscribers metric in the Destination
    controller was sometimes absent
  • Removed the policy-controller-write Lease from the control plane Helm chart in
    favor of creating it at runtime
  • Updated the proxy-injector to pass opaque port lists to the proxy as ranges
    rather than individually, greatly reducing the size of proxy manifests when
    large opaque port ranges are set
  • Fixed an issue where the proxy was performing protocol detection on ports
    marked as opaque
  • Improved backwards compatibility between 2.13 proxies and 2.12 control planes
linkerd2 - stable-2.13.2

Published by github-actions[bot] over 1 year ago

stable-2.13.2

This stable release fixes an incompatibility issue with the AWS CNI addon in EKS
that was forbidding pods to acquire networking after scaling up nodes (thanks
@frimik!). It also includes security updates for dependencies.

  • CNI

    • Fixed incompatibility issue with AWS CNI addon in EKS, that was forbidding
      pods to acquire networking after scaling up nodes. (thanks @frimik!)
  • CLI

    • Added a missing label to the HttpRoute CRD to ensure it can be
      removed by the linkerd uninstall command
  • Proxy

    • Updated the dependency on h2 to fix a potential crash in the HTTP/2
      implementation.
    • Changed the proxy's default log level to silence warnings from
      trust_dns_proto that are generally spurious
  • Extensions

    • Bumped Prometheus image to v2.43.0
    • Fixed Jaeger Helm chart installation failure (CLI was unaffected).
linkerd2 - stable-2.12.5

Published by github-actions[bot] over 1 year ago

stable-2.12.5

This stable release fixes an incompatibility issue with the AWS CNI addon in EKS
that was forbidding pods to acquire networking after scaling up nodes (thanks
@frimik!). It also includes security updates for dependencies.

  • Detached the linkerd-cni plugin's version from linkerd's and bumped to v1.1.1
    to fix incompatibility with EKS' AWS CNI addon
  • Bumped the memory limit for the no-op init container to 25Mi to address issues
    on OKE environments
  • Updated h2 dependency in the policy controller to include a patch for a
    theoretical denial-of-service vulnerability discovered in CVE-2023-26964
  • Updated openssl dependency in the policy controller, addressing
    RUSTSEC-2023-0022, RUSTSEC-2023-0023 and RUSTSEC-2023-0024
linkerd2 - edge-23.4.2

Published by github-actions[bot] over 1 year ago

edge-23.4.2

This edge release contains a number of bug fixes.

  • CLI

    • Fixed linkerd uninstall issue for HttpRoute
    • The linkerd diagnostics policy command now displays outbound policy when
      the target resource is a Service
  • CNI

    • Fixed incompatibility issue with AWS CNI addon in EKS, that was
      forbidding pods to acquire networking after scaling up nodes.
      (thanks @frimik!)
    • Added --set flag to install-cni plugin (thanks @amit-62!)
  • Control Plane

    • Fixed an issue where the policy controller always used the default
      cluster.local domain
    • Send Opaque protocol hint for opaque ports in destination controller
  • Helm

    • Fixed an issue in the viz Helm chart where the namespace metadata template
      would throw unexpected argument found errors
    • Fixed Jaeger chart installation failure
  • Multicluster

    • Remove namespace field from cluster scoped resources to fix pruning
  • Proxy

    • Updated h2 dependency to include a patch for a theoretical
      denial-of-service vulnerability discovered in CVE-2023-26964
    • Handle Opaque protocol hints on endpoints
    • Changed the proxy's default log level to silence warnings from
      trust_dns_proto that are generally spurious.
    • Added outbound_http_balancer_endpoints metric
    • Fixed missing route_ metrics for requests with ServiceProfiles
  • Viz

    • Bump prometheus image to v2.43.0
    • Add the kubelet NetworkAuthentication back since it is used by the
      linkerd viz allow-scrapes subcommand.
linkerd2 - stable-2.13.1

Published by github-actions[bot] over 1 year ago

stable-2.13.1

This stable release fixes an issue in the policy controller where a non-default
cluster domain would return incorrect authorities in the outbound policy API.
Additionally, this release updates a proxy dependency to fix CVE-2023-26964.

  • Proxy

    • Updated h2 dependency to include a patch for a theoretical
      denial-of-service vulnerability discovered in CVE-2023-26964
  • Control Plane

    • Fixed an issue where the policy controller always used the default
      cluster.local domain
  • Helm

    • Fixed an issue in the viz Helm chart where the namespace metadata template
      would throw unexpected argument found errors
linkerd2 - stable-2.13.0

Published by github-actions[bot] over 1 year ago

stable-2.13.0

This release introduces client-side policy to Linkerd, including dynamic routing
and circuit breaking. Gateway API HTTPRoutes can now be used to configure policy
for outbound (client) proxies as well as inbound (server) proxies, by creating
HTTPRoutes with Service resources as their parentRef. See the Linkerd
documentation for tutorials on dynamic request routing and circuit breaking.
New functionality for debugging HTTPRoute-based policy is also included in this
release, including new proxy metrics and the ability to display outbound
policies in the linkerd diagnostics policy CLI command.

In addition, this release adds network-validator, a new init container to be
used when CNI is enabled. network-validator ensures that local iptables rules
are working as expected. It will validate this before linkerd-proxy starts.
network-validator replaces the noop container, runs as nobody, and drops
all capabilities before starting.

Finally, this release includes a number of bugfixes, performance improvements,
and other smaller additions.

Upgrade notes: Please see the upgrade instructions.

  • CRDs

    • HTTPRoutes may now have Service parents, to configure outbound policy
    • Updated HTTPRoute version from v1alpha1 to v1beta2
  • CLI

    • Added a new linkerd prune command to the CLI (including most extensions) to
      remove resources which are no longer part of Linkerd's manifests
    • Added additional shortnames for Linkerd policy resources (thanks @javaducky!)
    • The linkerd diagnostics policy command now displays outbound policy when
      the target resource is a Service
  • Control Plane

    • The policy controller now discovers outbound policy configurations from
      HTTPRoutes that target Services.
    • Added OutboundPolicies API, for use by linkerd-proxy to route
      outbound traffic
    • Added Prometheus /metrics endpoint to the admin server, with process
      metrics
    • Fixed QueryParamMatch parsing for HTTPRoutes
    • Added the policy status controller which writes the status field to
      HTTPRoutes when a parent reference Server accepts or rejects it
    • Added KubeAPI server ports to ignoreOutboundPorts of proxy-injector
    • No longer apply waitBeforeExitSeconds to control plane, viz and jaeger
      extension pods
    • Added support for the internalTrafficPolicy of a service (thanks @yc185050!)
    • Added block chomping to strip trailing new lines in ConfigMap (thanks @avdicl!)
    • Added protection against nil dereference in resources helm template
    • Added support for Pod Security Admission (Pod Security Policy resources are
      still supported but disabled by default)
    • Lowered non-actionable error messages in the Destination log to debug-level
      entries to avoid triggering false alarms (thanks @siddharthshubhampal!)
    • Fixed an issue with EndpointSlice endpoint reconciliation on slice deletion;
      when using more than one slice, a NoEndpoints event would be sent to the
      proxy regardless of the amount of endpoints that were still available
      (thanks @utay!)
    • Improved diagnostic log messages
    • Fixed sending of spurious profile updates
    • Removed unnecessary Namespaces access from the destination controller RBAC
    • Added the server_port_subscribers metric to track the number of subscribers
      to Server changes associated with a pod's port
    • Added the service_subscribers metric to track the number of subscribers to
      Service changes
    • Fixed a small memory leak in the opaque ports watcher
  • Proxy

    • Use the new OutboundPolicies API, supporting Gateway API-style routes
      in the outbound proxy
    • Added support for dynamic request routing based on HTTPRoutes
    • Added HTTP circuit breaking
    • Added outbound_route_backend_http_requests_total,
      outbound_route_backend_grpc_requests_total, and
      outbound_http_balancer_endpoints metrics
    • Changed the proxy's behavior when traffic splitting so that only services
      that are not in failfast are used. This will enable the proxy to manage
      failover without external coordination
    • Updated tokio (async runtime) in the proxy which should reduce CPU usage,
      especially for the proxy's pod-local (i.e. in the same network namespace)
      communication
  • linkerd-proxy-init

    • Changed proxy-init iptables rules to be idempotent upon init pod
      restart (thanks @jim-minter!)
    • Improved logging in proxy-init and linkerd-cni
    • Added a proxyInit.privileged setting to control whether the proxy-init
      initContainer runs as a privileged process
  • CNI

    • Added static and dynamic port overrides for CNI eBPF to work with socket-level
      load balancing
    • Added network-validator init container to ensure that iptables rules are
      working as expected
    • Added a resources field in the linkerd-cni chart (thanks @jcogilvie!)
  • Viz

    • Added tap.ignoredHeaders Helm value to the linkerd-viz chart. This value
      allows users to specify a comma-separated list of header names which will be
      ignored by Linkerd Tap (thanks @ryanhristovski!)
    • Removed duplicate SecurityContext in Prometheus manifest
    • Added new flag --viz-namespace which avoids requiring permissions for
      listing all namespaces in linkerd viz subcommands (thanks @danibaeyens!)
    • Removed the TrafficSplit page from the Linkerd viz dashboard (thanks
      @h-dav!)
    • Introduced new values in the viz chart to allow for arbitrary annotations
      on the Service objects (thanks @sgrzemski!)
    • Added an optional AuthorizationPolicy to authorize Grafana to Prometheus
      in the Viz extension
  • Multicluster

    • Removed duplicate AuthorizationPolicy for probes from the multicluster
      gateway Helm chart
    • Updated wording for linkerd-multicluster cluster when it fails to probe a
      remote gateway mirror
    • Added multicluster gateway nodeSelector and tolerations helm parameters
    • Added new configuration options for the multicluster gateway:
      • gateway.deploymentAnnotations
      • gateway.terminationGracePeriodSeconds (thanks @bunnybilou!)
      • gateway.loadBalancerSourceRanges (thanks @Tyrion85!)
  • Extensions

    • Removed dependency on the curlimages/curl 3rd-party image used to initialize
      extensions namespaces metadata (so they are visible by linkerd check),
      replaced by the new extension-init image
    • Converted ServerAuthorization resources to AuthorizationPolicy resources
      in Linkerd extensions
    • Removed policy resources bound to admin servers in extensions (previously
      these resources were used to authorize probes but now are authorized by
      default)
    • Fixed the link to the Jaeger dashboard in the viz dashboard (thanks
      @eugenegoncharuk!)
    • Updated linkerd-jaeger's collector to expose port 4318 in order to support
      HTTP alongside gRPC (thanks @uralsemih!)
  • Among other dependency updates, the no-longer maintained ghodss/yaml library
    was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)

This release includes changes from a massive list of contributors! A special
thank-you to everyone who helped make this release possible:

linkerd2 - edge-23.4.1

Published by github-actions[bot] over 1 year ago

edge-23.4.1

This is a release candidate for stable-2.13.0 — we encourage you to help
try it out!

This edge release introduces request-level HTTP circuit-breaking
using a consecutive failures failure accrual policy. Circuit breaking can be
configured by adding failure accrual annotations to a Service. In addition, this
release adds new outbound_route_backend_http_requests_total and
outbound_route_backend_grpc_requests_total proxy metrics, which can be
used to track how routing rules and backend distributions apply to
requests. These metrics contain labels describing the route's parent
(i.e. a Service), the route resource being used, and the backend
resource being used by each request.

  • Proxy

    • Added discovery of failure accrual policies from the OutboundPolicy API
    • Implemented consecutive failures failure accrual policy
    • Added INFO-level logging on failure accrual changes
    • Added outbound_route_backend_http_requests_total and
      outbound_route_backend_grpc_requests_total metrics
  • Policy Controller

    • Added failure accrual configuration to the OutboundPolicy API
    • Added Prometheus /metrics endpoint to the admin server, with process
      metrics
    • Changed the policy controller to only accept HTTPRoutes when the parentRef
      is a ClusterIP Service
    • Added ports to service references in the OutboundPolicy API
  • Viz

    • Added tap.ignoredHeaders Helm value to the linkerd-viz chart. This value
      allows users to specify a comma-separated list of header names which will be
      ignored by Linkerd Tap (thanks @ryanhristovski!)
    • Removed duplicate SecurityContext in Prometheus manifest
  • Multicluster

    • Removed duplicate AuthorizationPolicy for probes from the multicluster
      gateway Helm chart
linkerd2 - edge-23.3.4

Published by github-actions[bot] over 1 year ago

edge-23.3.4

This edge release further enhances the OutboundPolicies API used by the proxy to
route outbound traffic, and continues extending the HTTPRoute resource's Status
field. It also starts integrating circuit-breaking functionality into the proxy,
which will be configurable in a subsequent iteration.

  • Continued iterating on the HTTPRoute's Status field, by extending support for
    routes parented to Services, and adding a ResolvedRefs condition reflecting
    the status of BackendRefs
  • Updated the OutboundPolicies API such that only HTTPRoutes with an Accepted
    status of true are considered when routing outbound requests
  • Improved handling of invalid backends, allowing the configuration of error
    responses
  • Added new flag --viz-namespace which avoids requiring permissions for
    listing all namespaces in linkerd viz subcommands (thanks @danibaeyens!)
  • Among other dependency updates, the no-longer maintained ghodss/yaml library
    was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)
linkerd2 - edge-23.3.3

Published by github-actions[bot] over 1 year ago

edge-23.3.3

This edge release removes TrafficSplits from the Linkerd dashboard as well as
fixing a number of issues in the policy controller.

  • Removed the TrafficSplit page from the Linkerd viz dashboard
  • Fixed an issue where the policy controller was not returning the correct
    status for non-Service authorities
  • Fixed an issue where the policy controller could use large amounts of CPU
    when lease API calls failed
linkerd2 - edge-23.3.2

Published by github-actions[bot] over 1 year ago

edge-23.3.2

This edge release continues to improve dynamic Policy statuses and
introduces support for header-based routing.

  • Destination Controller

    • Added OutboundPolicies API, for use by linkerd-proxy to route
      outbound traffic
    • Improved diagnostic log messages
    • Fixed sending of spurious profile updates
  • Proxy

    • Use the new OutboundPolicies API, supporting Gateway API-style routes
      in the outbound proxy
  • Policy Controller

    • Support highly available Policy Controller by utilizing
      policy-controller-write Lease when patching HTTPRoutes
    • Consider the status field and filter out HTTPRoutes which have not
      been accepted
  • Added KubeAPI server ports to ignoreOutboundPorts of proxy-injector

  • Updated HTTPRoute version from v1alpha1 to v1beta2

  • Updated network-validator helm charts to use proxy-init resources

  • Fixed Grafana regular expression, enabling monitoring of filesystem
    usage (thanks @h-dav!)

linkerd2 - edge-23.3.1

Published by github-actions[bot] over 1 year ago

edge-23.3.1

This edge release continues to build support under the hood for the upcoming
features in 2.13. Also included are several dependency updates and less verbose
logging.

  • Removed dependency on the curlimages/curl 3rd-party image used to initialize
    extensions namespaces metadata (so they are visible by linkerd check),
    replaced by the new extension-init image
  • Lowered non-actionable error messages in the Destination log to debug-level
    entries to avoid triggering false alarms (thanks @siddharthshubhampal!)
linkerd2 - edge-23.2.3

Published by github-actions[bot] over 1 year ago

edge-23.2.3

This edge release includes a number of fixes and introduces a new CLI command,
linkerd prune. The new prune command should be used to remove resources
which are no longer part of the Linkerd manifest when doing an upgrade.
Previously, the recommendation was to use linkerd upgrade in conjunction with
kubectl apply --prune. However, that will not remove resources which are not
part of the input manifest, and it will not detect cluster-scoped resources.
linkerd prune (included in all core extensions) should be preferred over it.

Additionally, this change contains a few fixes from our external contributors,
and a change to the viz Helm chart which allows for arbitrary annotations on
Service objects. Last but not least, the release contains a few proxy
internal changes to prepare for the new client policy API.

  • Added a new linkerd prune command to the CLI (including extensions) to
    remove resources which are no longer part of Linkerd's manifests
  • Introduced new values in the viz chart to allow for arbitrary annotations
    on the Service objects (thanks @sgrzemski!)
  • Fixed up a comment in k8s API wrapper (thanks @ductnn!)
  • Fixed an issue with EndpointSlice endpoint reconciliation on slice deletion;
    when using more than one slice, a NoEndpoints event would be sent to the
    proxy regardless of the amount of endpoints that were still available (thanks
    @utay!)
linkerd2 - edge-23.2.2

Published by github-actions[bot] over 1 year ago

edge-23.2.2

This edge release adds the policy status controller which writes the status
field to HTTPRoutes when a parent reference Server accepts or rejects the
HTTPRoute. This field is currently not consumed by the policy controller, but
acts as the first step for considering HTTPRoute status when serving policy.

Additionally, the destination controller now uses the Kubernetes metadata API
for resources which it only needs to track the metadata for — Nodes and
ReplicaSets. For all other resources it tracks, it uses additional information
so continues to use the API as before.

  • Fixed error message to include the colliding Server in the policy controller's
    admission webhook validation
  • Updated wording for linkerd-multicluster cluster when it fails to probe a
    remote gateway mirror
  • Removed unnecessary Namespaces access from the destination controller RBAC
  • Added Kubernetes metadata API in the destination controller for watching Nodes
    and ReplicaSets
  • Fixed QueryParamMatch parsing for HTTPRoutes
  • Added the policy status controller which writes the status field to
    HTTPRoutes when a parent reference Server accepts or rejects it
linkerd2 - edge-23.2.1

Published by github-actions[bot] over 1 year ago

edge-23.2.1

This edge release sees the linkerd-cni plugin moved to
linkerd2-proxy-init and released from that repository. An iptables
improvement to linkerd-cni and proxy-init is the main focus. Other
minor fixes are also included.

  • Changed proxy-init iptables rules to be idempotent upon init pod
    restart (thanks @jim-minter!)
  • Improved logging in proxy-init and linkerd-cni
  • Added the server_port_subscribers metric to track the number of subscribers
    to Server changes associated with a pod's port
  • Added the service_subscribers metric to track the number of subscribers to
    Service changes
  • Fixed a small memory leak in the opaque ports watcher
  • No longer apply waitBeforeExitSeconds to control plane, viz and jaeger
    extension pods
  • Added support for the internalTrafficPolicy of a service (thanks @yc185050!)
  • Added limits and requests to network-validator for ResourceQuota interop
  • Added block chomping to strip trailing new lines in ConfigMap (thanks @avdicl!)
  • Added multicluster gateway nodeSelector and tolerations helm parameters
  • Added protection against nil dereference in resources helm template
linkerd2 - stable-2.12.4

Published by github-actions[bot] over 1 year ago

stable-2.12.4

This stable release fixes a memory leak in the Destination controller, and also
includes other bug fixes for the Linkerd control plane, CLI, and extensions.

  • CLI

    • Fixed an issue in the CLI where --identity-external-ca would set an
      incorrect field (thanks @anoxape!)
  • Control Plane

    • Fixed an issue in the destination controller's cache that could result in
      stale endpoints when using EndpointSlice objects
    • Fixed control plane components failing liveness probes while waiting for
      caches to sync, which could prevent the control plane from starting in large
      clusters
    • Fixed a memory leak in the Destination controller
  • linkerd-proxy-init

    • Added resource limits for noop init container, to support environments
      where resource quotas are required
  • Helm

    • Added namespace to namespace-metadata resources in Helm (thanks
      @joebowbeer!)
    • Fixed potential nil pointer dereference errors in template evaluation
  • Extensions

    • Fixed an issue where linkerd viz tap would display wrong latency/duration
      value (thanks @olegy2008!)
linkerd2 - edge-23.1.2

Published by github-actions[bot] over 1 year ago

edge-23.1.2

This edge release fixes a memory leak in the Linkerd control plane that could
occur when many pods were created. It also adds a number of new
configuration options for the Multicluster extension's gateway.

  • Added additional shortnames for Linkerd policy resources (thanks @javaducky!)
  • Added new configuration options for the multicluster gateway:
    • gateway.deploymentAnnotations
    • gateway.terminationGracePeriodSeconds (thanks @bunnybilou!)
    • gateway.loadBalancerSourceRanges (thanks @Tyrion85!)
  • Added an optional AuthorizationPolicy to authorize Grafana to Prometheus
    in the Viz extension
  • Fixed the link to the Jaeger dashboard in the viz dashboard (thanks @eugenegoncharuk!)
  • Fixed an issue where control plane components could fail to start on large
    clusters because of failing readiness probes while caches were being
    initialized
  • Fixed a memory leak in the Destination controller
  • Fixed an issue where PodSecurityPolicies could reject Linkerd control plane
    components due to the seccompProfile
linkerd2 - edge-23.1.1

Published by github-actions[bot] almost 2 years ago

edge-23.1.1

This edge release fixes a caching issue in the destination controller, converts
deprecated policy resources, and introduces several changes to how the proxy
works.

A bug in the destination controller that could potentially lead to stale pods
being considered in the load balancer has been fixed.

Several Linkerd extensions were still using the now deprecated
ServerAuthorization resource. These instances have now been converted to using
AuthorizationPolicy. Additionally, several policy resources that authenticated
probes have been removed, since probes are now authenticated by default.

As part of ongoing policy work, there are several changes with how the proxy
works. Routes are now lazily initialized so that service profile routes will
not show up in metrics until the route is used. Furthermore, the proxy’s
traffic splitting behavior has changed so that only available resources are
used, resulting in fewer failfast errors.

Finally, this edge release contains a number of fixes and improvements from our
contributors.

  • Converted ServerAuthorization resources to AuthorizationPolicy resources
    in Linkerd extensions
  • Removed policy resources bound to admin servers in extensions (previously
    these resources were used to authorize probes but now are authorized by
    default)
  • Added a resources field in the linkerd-cni chart (thanks @jcogilvie!)
  • Fixed an issue in the CLI where --identity-external-ca would set an
    incorrect field (thanks @anoxape!)
  • Fixed an issue in the destination controller's cache that could result in
    stale endpoints when using EndpointSlice objects
  • Added namespace to namespace-metadata resources in Helm (thanks @joebowbeer!)
  • Added support for Pod Security Admission (Pod Security Policy resources are
    still supported but disabled by default)
  • Changed routes to be initialized lazily. Service Profile routes will no
    longer show up in metrics until the route is used (default routes are always
    available when no Service Profile is defined for a service)
  • Changed the proxy's behavior when traffic splitting so that only services
    that are not in failfast are used. This will enable the proxy to manage
    failover without external coordination
  • Updated tokio (async runtime) in the proxy which should reduce CPU usage,
    especially for the proxy's pod-local (i.e. in the same network namespace)
    communication
  • Fixed an issue where linkerd viz tap would display wrong latency/duration
    value (thanks @olegy2008!)
linkerd2 - stable-2.12.3

Published by github-actions[bot] almost 2 years ago

stable-2.12.3

This stable release is packed with various fixes in both the core linkerd
controllers and extensions.

  • CLI

    • Fixed linkerd check failing when the cluster had services of type
      ExternalName
    • Fixed linkerd multicluster install not honoring the gateway.UID setting
    • Fixed flag linkerd upgrade --from-manifests
  • Destination Controller

    • Fixed race condition in destination controller
    • Fixed issue in the destination controller where hostPort mappings were
      being ignored
  • linkerd-proxy-init

    • Set the noop init container user to be the same as proxy-init's to avoid
      errors when the security context disallows running as root
    • Introduced proxyInit.privileged setting to allow running
      linkerd-proxy-init without restrictions when required
    • Added port 6443 to default skipped ports to bypass proxy when ebpf CNIs
      override the API Server packet destination
  • Extensions

    • Removed unnecessary proxyProtocol restriction in the multicluster gateway
      Server (thanks @psmit!)
    • Added "Exists" toleration to the linkerd-cni DaemonSet to have it
      installed by default in tainted nodes
    • Made dashboard loading more robust in the presence of browser plugins
      injecting script tags (thanks @junnplus!)