Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
APACHE-2.0 License
Published by github-actions[bot] almost 2 years ago
This edge release introduces static and dynamic port overrides for CNI eBPF
socket-level load balancing. In certain installations when CNI plugins run in
eBPF mode, socket-level load balancing rewrites packet destinations to port
6443; as with 443 already, this port is now skipped as well on control plane
components so that they can communicate with the Kubernetes API before their
proxies are running.
Additionally, a potential panic and false warning have been fixed in the
destination controller.
proxyInit.privileged setting to control whether the proxy-init
Published by github-actions[bot] almost 2 years ago
This edge release fixes connection errors to pods that use hostPort
configurations. The CNI network-validator init container features improved
error logging, and the default linkerd-cni DaemonSet configuration is updated
to tolerate all node taints so that the CNI runs on all nodes in a cluster.
destination service to properly discover targets using a hostPort containerPort, which was causing 502 errors
network-validator with better logging allowing users to
Exists toleration to the linkerd-cni DaemonSet, allowing it
Published by github-actions[bot] almost 2 years ago
This edge release introduces the use of the Kubernetes metadata API in the
proxy-injector and tap-injector components. This can reduce the IO and memory
footprint for those components as they now only need to track the metadata for
certain resources, rather than the entire resource itself. Similar changes will
be made for the destination component in an upcoming release.
Published by github-actions[bot] almost 2 years ago
This edge release ships a few fixes in Linkerd's dashboard and the
multicluster extension. Additionally, a regression has been fixed in the CLI
that blocked upgrades from versions older than 2.12.0, due to missing CRDs
(even if the CRDs were present in-cluster). Finally, the release includes
changes to the helm charts to allow for arbitrary (user-provided) labels on
Linkerd workloads.
--from-manifest flag
Published by github-actions[bot] almost 2 years ago
This edge release adds network-validator, a new init container to be used when
CNI is enabled. network-validator ensures that local iptables rules are working
as expected. It will validate this before linkerd-proxy starts. network-validator
replaces the noop container, runs as nobody, and drops all capabilities before
starting.
iptables configuration during pod startup
linkerd check (thanks @ziollek!)
readOnlyRootFilesystem: true in viz chart (thanks @mikutas!)
linkerd multicluster install by re-adding pause container image
Published by github-actions[bot] about 2 years ago
This stable release fixes an issue with CNI chaining that was preventing the
Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also
fixes some sections of the Viz dashboard appearing blank, and adds an optional
PodMonitor resource to the Helm chart to enable easier integration with the
Prometheus Operator. Several other fixes are included.
Proxy
Control Plane
.conf files in the CNI plugin so that the Linkerd CNI
NotIn label selector operator in the policy resources being In.
config.linkerd.io/proxy-version annotation could be
CLI
linkerd diagnostics policy command to inspect Linkerd policy state
linkerd authz command to display AuthorizationPolicy
linkerd viz check --api-addr flag (thanks @mikutas!)
Helm
Dashboard
Published by github-actions[bot] about 2 years ago
This edge release fixes an issue with CNI chaining that was preventing the
Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also
includes several other fixes.
linkerd diagnostics policy command to inspect Linkerd policy state
config.linkerd.io/proxy-version annotation could be empty
Published by github-actions[bot] about 2 years ago
This edge release fixes some sections of the Viz dashboard appearing blank, and
adds an optional PodMonitor resource to the Helm chart to enable easier
integration with the Prometheus Operator. It also includes many fixes submitted
by our contributors.
--api-addr flag (thanks @mikutas!)
linkerd authz command to display AuthorizationPolicy resources
NotIn label selector operator in the policy resources, being In.
linkerd viz check
Published by github-actions[bot] about 2 years ago
This release includes several control plane and proxy fixes for stable-2.12.0.
In particular, it fixes issues related to control plane HTTP servers' header
read timeouts resulting in decreased controller success rates, lowers the
inbound connection pool idle timeout in the proxy, and fixes an issue where the
jaeger injector would put pods into an error state when upgrading from
stable-2.11.x.
Additionally, this release adds the linkerd.io/trust-root-sha256 annotation to
all injected workloads allowing predictable comparison of all workloads' trust
anchors via the Kubernetes API.
For Windows users, note that the Linkerd CLI's nupkg file for Chocolatey is
once again included in the release assets (it was previously removed in
stable-2.10.0).
Proxy
Control Plane
linkerd.io/trust-root-sha256 annotation on all injected workloads
AuthorizationPolicy and MeshTLSAuthentication to
ClusterRoleBinding
Helm
namespace field in Linkerd helm charts
PodDisruptionBudget apiVersion from policy/v1beta1 to policy/v1 (thanks @Vrx555!)
Extensions
Published by github-actions[bot] about 2 years ago
This release lowers the inbound connection pool idle timeout to 3s. This should
help avoid socket errors, especially for Kubernetes probes. Additionally, it
upgrades the version of Go used by the control plane and CLI from 1.17 to 1.18.
Published by github-actions[bot] about 2 years ago
This release fixes an issue where the jaeger injector would put pods into an
error state when upgrading from stable-2.11.x.
Published by github-actions[bot] about 2 years ago
This release adds the linkerd.io/trust-root-sha256 annotation to all injected
workloads allowing predictable comparison of all workloads' trust anchors via
the Kubernetes API.
Additionally, this release lowers the inbound connection pool idle timeout to
3s. This should help avoid socket errors, especially for Kubernetes probes.
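The linkerd.io/trust-root-sha256 annotation described in this and the stable-2.12.1 notes makes trust-anchor drift visible through the Kubernetes API. The following is an added example, not Linkerd tooling: it walks a `kubectl get pods -A -o json` document and reports injected pods whose annotation is missing or does not match the hash of the bundle you expect. The hash scheme (plain SHA-256 of the PEM bundle as passed in identityTrustAnchorsPEM) and the pod data are assumptions, and the pods are constructed sample objects.

```python
import hashlib

# Annotation name from the release notes; the hash scheme below is an assumption.
TRUST_ROOT_ANNOTATION = "linkerd.io/trust-root-sha256"


def trust_root_sha256(trust_anchors_pem: str) -> str:
    """Hex SHA-256 of the trust-anchor bundle as handed to Linkerd. Assumed to
    match the annotation value; confirm against one live pod before relying on it."""
    return hashlib.sha256(trust_anchors_pem.encode()).hexdigest()


def find_trust_root_drift(pod_list: dict, expected_pem: str) -> list:
    """Return (namespace, name, reason) for every injected pod in a pod-list
    document whose annotation is missing or differs from hash(expected_pem)."""
    expected = trust_root_sha256(expected_pem)
    drift = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        containers = pod.get("spec", {}).get("containers", [])
        # Un-injected pods carry no proxy and therefore no annotation; skip them.
        if not any(c.get("name") == "linkerd-proxy" for c in containers):
            continue
        actual = (meta.get("annotations") or {}).get(TRUST_ROOT_ANNOTATION)
        if actual is None:
            drift.append((meta["namespace"], meta["name"], "annotation missing"))
        elif actual != expected:
            drift.append((meta["namespace"], meta["name"], "trust root differs"))
    return drift


# Constructed sample data: stand-in bundles, not real certificates.
CURRENT_CA = "-----BEGIN CERTIFICATE-----\nCURRENT-ROOT\n-----END CERTIFICATE-----\n"
STALE_CA = "-----BEGIN CERTIFICATE-----\nOLD-ROOT\n-----END CERTIFICATE-----\n"


def _pod(ns, name, injected=True, pem=None):
    annotations = {TRUST_ROOT_ANNOTATION: trust_root_sha256(pem)} if pem else {}
    containers = [{"name": "app"}] + ([{"name": "linkerd-proxy"}] if injected else [])
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations},
            "spec": {"containers": containers}}


SAMPLE_PODS = {"items": [
    _pod("emojivoto", "web-1", pem=CURRENT_CA),
    _pod("emojivoto", "vote-bot-1", pem=STALE_CA),   # still trusts the rotated-out root
    _pod("emojivoto", "voting-1"),                   # injected before the annotation existed
    _pod("kube-system", "coredns-1", injected=False),
]}

if __name__ == "__main__":
    for ns, name, why in find_trust_root_drift(SAMPLE_PODS, CURRENT_CA):
        print(f"{ns}/{name}: {why}")
```

Pods that show up as drifted after a trust-anchor rotation are the ones that still need a restart before the old root can be retired.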
linkerd.io/trust-root-sha256 annotation on all injected workloads
namespace field in Linkerd helm charts
AuthorizationPolicy and MeshTLSAuthentication to
ClusterRoleBinding
Published by github-actions[bot] about 2 years ago
Increased control plane HTTP servers' read timeouts so that they no longer
match the default probe intervals. This was leading to closed connections
and decreased controller success rate.
Published by github-actions[bot] about 2 years ago
This release introduces route-based policy to Linkerd, allowing users to define
and enforce authorization policies based on HTTP routes in a fully zero-trust
way. These policies are built on Linkerd's strong workload identities, secured
by mutual TLS, and configured using types from the Kubernetes Gateway
API.
The 2.12 release also introduces optional request logging ("access logging"
after its name in webservers), optional support for iptables-nft, and a host
of other improvements and performance enhancements.
Additionally, the linkerd-smi extension is now required to use TrafficSplit,
and the installation process has been updated to separate management of the
Linkerd CRDs from the main installation process. With the CLI, you'll need to
run linkerd install --crds before running linkerd install; with Helm, you'll
install the new linkerd-crds chart, then the linkerd-control-plane chart.
These charts are now versioned using SemVer independently of Linkerd releases.
For more information, see the upgrade notes.
Upgrade notes: Please see the upgrade instructions.
Proxy
config.linkerd.io/shutdown-grace-period annotation to limit the
config.linkerd.io/access-log annotation to enable logging of
iptables-nft mode for the proxy-init initContainer
ingress
/env.json log diagnostic endpoint
process_uptime_seconds_total metric to track proxy uptime in
containerPorts
route_group/route_kind/route_name)
config.linkerd.io/skip-subnets), needed e.g. in Docker-in-Docker
Control Plane
Terminated state for pods (thanks
info; the controller
deny policy to not explicitly need to authorize probes
nodeAffinity values for the control plane
linkerd-smi extension
CLI
linkerd check command crashing when unexpected pods are found in
linkerd authz command to support AuthorizationPolicy and
linkerd check to allow RSA signed trust anchors (thanks
linkerd install --crds must be run before linkerd install
linkerd upgrade --crds must be run before linkerd upgrade
--default-inbound-policy setting was not being
viz authz command
viz stat command
linkerd viz tap
Helm
linkerd2 chart into linkerd-crds and linkerd-control-plane
proxy.await Helm value so that users can now disable linkerd-await on control plane components
policyController.probeNetworks Helm value for configuring the
Extensions
This release includes changes from a massive list of contributors, including
engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and
others. A special thank-you to everyone who helped make this release possible:
Agrim Prasad @AgrimPrasad
Ahmed Al-Hulaibi @ahmedalhulaibi
Aleksandr Tarasov @aatarasoff
Alexander Berger @alex-berger
Ao Chen @chenaoxd
Badis Merabet @badis
Bjørn @Crevil
Brian Dunnigan @bdun1013
Christian Schlotter @chrischdi
Dani Baeyens @danibaeyens
David Symons @multimac
Dmitrii Ermakov @ErmakovDmitriy
Elvin Efendi @ElvinEfendi
Evan Hines @evan-hines-firebolt
Eng Zer Jun @Juneezee
Gustavo Fernandes de Carvalho @gusfcarvalho
Harry Walter @haswalt
Israel Miller @imiller31
Jack Gill @jackgill
Jacob Henner @JacobHenner
Jacob Lorenzen @Jaxwood
Joakim Roubert @joakimr-axis
Josh Ault @jault-figure
João Soares @jasoares
jtcarnes @jtcarnes
Kim Christensen @kichristensen
Krzysztof Dryś @krzysztofdrys
Lior Yantovski @lioryantov
Martin Anker Have @mahlunar
Michael Lin @michaellzc
Michał Romanowski @michalrom089
Naveen Nalam @nnalam
Nick Calibey @ncalibey
Nikola Brdaroski @nikolabrdaroski
Or Shachar @or-shachar
Pål-Magnus Slåtto @dev-slatto
Raman Gupta @rocketraman
Ricardo Gândara Pinto @rmgpinto
Roberth Strand @roberthstrand
Sankalp Rangare @sankalp-r
Sascha Grunert @saschagrunert
Steve Gray @steve-gray
Steve Zhang @zhlsunshine
Takumi Sue @mikutas
Tanmay Bhat @tanmay-bhat
Táskai Dominik @dtaskai
Ujjwal Goyal @importhuman
Weichung Shaw @wc-s
Wim de Groot @wim-de-groot
Yannick Utard @utay
Yurii Dzobak @yuriydzobak
罗泽轩 @spacewander
Published by github-actions[bot] about 2 years ago
This release is the second release candidate for stable-2.12.0.
At this point the Helm charts can be retrieved from the stable repo:
helm repo add linkerd https://helm.linkerd.io/stable
helm repo up
helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
helm install linkerd-control-plane \
-n linkerd \
--set-file identityTrustAnchorsPEM=ca.crt \
--set-file identity.issuer.tls.crtPEM=issuer.crt \
--set-file identity.issuer.tls.keyPEM=issuer.key \
linkerd/linkerd-control-plane
The following lists all the changes since edge-22.8.2:
linkerd.io/inject annotation from Namespace to
ingress
config.linkerd.io/default-inbound-policy: all-authenticated
ReadHeaderTimeout of 10s to all the go http.Server instances, to
linkerd viz check --proxy to warn in case namespaces have the
config.linkerd.io/default-inbound-policy: deny annotation, which would not
--default-inbound-policy flag
linkerd install --help output
--destination-pod flag to linkerd diagnostics endpoints subcommand
proxyInit.runAsUser in values.yaml defaulting to non-zero, to
proxyInit.runAsRoot: false that was recently
Published by github-actions[bot] about 2 years ago
This release is considered a release candidate for stable-2.12.0 and we
encourage you to try it out! It includes an update to the multicluster extension
which adds support for Kubernetes v1.24 and also updates many CLI commands to
support the new policy resources: ServerAuthorization and HTTPRoute.
Published by github-actions[bot] about 2 years ago
This release introduces default probe authorization. This means that on
clusters that use a default deny policy, probes do not have to be explicitly
authorized using policy resources. Additionally, the policyController.probeNetworks
Helm value has been added, which allows users to configure the networks that
probes are expected to be performed from.
Additionally, the linkerd authz command has been updated to support the policy
resources AuthorizationPolicy and HttpRoute.
Finally, some smaller changes include allowing users to disable linkerd-await on
control plane components (using the existing proxy.await configuration) and
changing the default iptables mode back to legacy to support more cluster
environments by default.
linkerd authz command to support AuthorizationPolicy and
proxy.await Helm value so that users can now disable linkerd-await on control plane components
deny policy to not explicitly need to authorize probes
policyController.probeNetworks Helm value for configuring the
legacy
Published by github-actions[bot] about 2 years ago
This release adds a new nft iptables mode, used by default in proxy-init.
When used, firewall configuration will be set up through the iptables-nft
binary; this should allow hosts that do not support iptables-legacy (such as
RHEL based environments) to make use of the init container. The older
iptables-legacy mode is still supported, but it must be explicitly turned on.
Moreover, this release also replaces the HTTPRoute CRD with Linkerd's own
version, and includes a number of fixes and improvements.
iptables-nft mode for proxy-init. When running in this mode,
nft kernel API; this should allow
nodeAffinity
Terminated state for pods (thanks
HTTPRoute CRD version from gateway.networking.k8s.io with a
policy.linkerd.io API group. While the CRD is
Gateway type, does not contain the
backendRefs fields, and does not support RequestMirror and ExtensionRef
info; the controller
HTTPRoute paths are absolute; relative paths are
/
Published by github-actions[bot] over 2 years ago
This release adds support for per-route authorization policy using the
AuthorizationPolicy and HttpRoute resources. It also adds a configurable
shutdown grace period to the proxy which can be used to ensure that proxy
graceful shutdown completes within a certain time, even if there are outstanding
open connections.
linkerd check command crashing when unexpected pods are found in
config.linkerd.io/shutdown-grace-period annotation to configure the
Published by github-actions[bot] over 2 years ago
This release includes a security improvement. When a user manually specified the
policyValidator.keyPEM setting, the value was incorrectly included in the
linkerd-config ConfigMap. This means that this private key was erroneously
exposed to ServiceAccounts with read access to this ConfigMap. Practically, this
means that the Linkerd proxy-injector, identity, and heartbeat Pods could
read this value. This should not have exposed this private key to other
unauthorized users unless additional RoleBindings were added outside of Linkerd.
Nevertheless, we recommend that users who manually set control plane
certificates update the credentials for the policy validator after upgrading
Linkerd.
Additionally, a PodSecurityPolicy fix is included which fixes installations
where PSP is enabled and proxyInit.runAsRoot: true.
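A defender-side check for the exposure described above, added here as an example rather than Linkerd's own tooling: scan the ConfigMaps returned by `kubectl get configmaps -A -o json` for PEM private-key material, which has no business in a ConfigMap (a Secret is the right home). The ConfigMap layout and names in the sample are constructed stand-ins, and the key bodies are placeholders.

```python
import re

# Any PEM private-key block (RSA, EC, PKCS#8, OpenSSH, encrypted) inside a value.
PRIVATE_KEY_BLOCK = re.compile(
    r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----",
    re.DOTALL,
)


def find_private_keys_in_configmaps(configmap_list: dict) -> list:
    """Return (namespace, name, data key) for every ConfigMap entry that embeds
    a private key. Values are searched as raw text, so a key buried inside a
    YAML/JSON blob (such as Helm values stored in a ConfigMap) is still caught."""
    hits = []
    for cm in configmap_list.get("items", []):
        meta = cm.get("metadata", {})
        for key, value in (cm.get("data") or {}).items():
            if isinstance(value, str) and PRIVATE_KEY_BLOCK.search(value):
                hits.append((meta.get("namespace"), meta.get("name"), key))
    return hits


# Constructed sample objects: certificate and key bodies are placeholders.
SAMPLE_CONFIGMAPS = {"items": [
    {"metadata": {"namespace": "linkerd", "name": "linkerd-config"},
     "data": {"values": (
         "policyValidator:\n"
         "  crtPEM: |\n    -----BEGIN CERTIFICATE-----\n    PLACEHOLDER\n"
         "    -----END CERTIFICATE-----\n"
         "  keyPEM: |\n    -----BEGIN EC PRIVATE KEY-----\n    PLACEHOLDER\n"
         "    -----END EC PRIVATE KEY-----\n")}},
    {"metadata": {"namespace": "linkerd", "name": "trust-roots"},
     "data": {"ca-bundle.crt":
              "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"}},
    {"metadata": {"namespace": "default", "name": "empty"}, "data": None},
]}

if __name__ == "__main__":
    for ns, name, key in find_private_keys_in_configmaps(SAMPLE_CONFIGMAPS):
        print(f"private key material in ConfigMap {ns}/{name}, key {key!r}")
```

Any hit is a signal to rotate that key, not just to delete the ConfigMap entry, since every ServiceAccount with read access may already have seen it.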