linkerd2

edge-22.12.1

This edge release introduces static and dynamic port overrides for CNI eBPF
socket-level load balancing. In certain installations when CNI plugins run in
eBPF mode, socket-level load balancing rewrites packet destinations to port
6443; as with 443 already, this port is now skipped as well on control plane
components so that they can communicate with the Kubernetes API before their
proxies are running.

Additionally, a potential panic and false warning have been fixed in the
destination controller.

• Updated linkerd-jaeger's collector to expose port 4318 in order support HTTP
  alongside gRPC (thanks @uralsemih!)
• Added a proxyInit.privileged setting to control whether the proxy-init
  initContainer runs as a privileged process
• Fixed a potential panic in the destination controller caused by concurrent
  writes when dealing with Endpoint updates
• Fixed false warning when looking up HostPort mappings on Pods
• Added static and dynamic port overrides for CNI eBPF to work with socket-level
  load balancing

edge-22.11.3

This edge release fixes connection errors to pods that use hostPort
configurations. The CNI network-validator init container features
improved error logging, and the default linkerd-cni DaemonSet
configuration is updated to tolerate all node taints so that the CNI
runs on all nodes in a cluster.

• Fixed destination service to properly discover targets using a hostPort
  different than their containerPort, which was causing 502 errors
• Upgraded the network-validator with better logging allowing users to
  determine whether failures occur as a result of their environment or the tool
  itself
• Added default Exists toleration to the linkerd-cni DaemonSet, allowing it
  to be deployed in all nodes by default, regardless of taints

edge-22.11.2

This edge release introduces the use of the Kubernetes metadata API in the
proxy-injector and tap-injector components. This can reduce the IO and memory
footprint for those components as they now only need to track the metadata for
certain resources, rather than the entire resource itself. Similar changes will
be made for the destination component in an upcoming release.

• Bumped HTTP dependencies to fix a potential deadlock in HTTP/2 clients
• Changed the proxy-injector and tap-injector components to use the metadata API
  which should result in less memory consumption

edge-22.11.1

This edge releases ships a few fixes in Linkerd's dashboard, and the
multicluster extension. Additionally, a regression has been fixed in the CLI
that blocked upgrades from versions older than 2.12.0, due to missing CRDs
(even if the CRDs were present in-cluster). Finally, the release includes
changes to the helm charts to allow for arbitrary (user-provided) labels on
Linkerd workloads.

• Fixed an issue in the CLI where upgrades from any version prior to
  stable-2.12.0 would fail when using the --from-manifest flag
• Removed un-injectable namespaces, such as kube-system from unmeshed resource
  notification in the dashboard (thanks @MoSattler!)
• Fixed an issue where the dashboard would respond to requests with 404 due to
  wrong root paths in the HTML script (thanks @junnplus!)
• Removed the proxyProtocol field in the multicluster gateway policy; this has
  the effect of changing the protocol from 'HTTP/1.1' to 'unknown' (thanks
  @psmit!)
• Fixed the multicluster gateway UID when installing through the CLI, prior to
  this change the 'runAsUser' field would be empty
• Changed the helm chart for the control plane and all extensions to support
  arbitrary labels on resources (thanks @bastienbosser!)

edge-22.10.3

This edge release adds network-validator, a new init container to be used when
CNI is enabled. network-validator ensures that local iptables rules are
working as expected. It will validate this before linkerd-proxy starts.
network-validator replaces the noop container, runs as nobody, and drops
all capabilities before starting.

• Validate CNI iptables configuration during pod startup
• Fix "cluster networks contains all services" fails with services with no
  ClusterIP
• Remove kubectl version check from linkerd check (thanks @ziollek!)
• Set readOnlyRootFilesystem: true in viz chart (thanks @mikutas!)
• Fix linkerd multicluster install by re-adding pause container image
  in chart
• linkerd-viz have hardcoded image value in namespace-metadata.yml template
  bug correction (thanks @bastienbosser!)

stable-2.12.2

This stable release fixes an issue with CNI chaining that was preventing the
Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also
fixes some sections of the Viz dashboard appearing blank, and adds an optional
PodMonitor resource to the Helm chart to enable easier integration with the
Prometheus Operator. Several other fixes are included.

• Proxy

  • Fixed proxies emitting some duplicate inbound metrics

• Control Plane

  • Fixed handling of .conf files in the CNI plugin so that the Linkerd CNI
    plugin can be used alongside other CNI plugins such as Cilium
  • Added a noop init container to injected pods when the CNI plugin is enabled
    to prevent certain scenarios where a pod can get stuck without an IP address
  • Fixed the NotIn label selector operator in the policy resources being
    erroneously treated as In.
  • Fixed a bug where theconfig.linkerd.io/proxy-version annotation could be
    empty

• CLI

  • Added a linkerd diagnostics policy command to inspect Linkerd policy state
  • Added a check that ClusterIP services are in the cluster networks
  • Expanded the linkerd authz command to display AuthorizationPolicy
    resources that target namespaces (thanks @aatarasoff!)
  • Fixed warning logic in the "linkerd-viz ClusterRoles exist" and "linkerd-viz
    ClusterRoleBindings exist" checks in linkerd viz check
  • Fixed the CLI ignoring the --api-addr flag (thanks @mikutas!)

• Helm

  • Added an optional PodMonitor resource to the main Helm chart (thanks
    @jaygridley!)

• Dashboard

  • Fixed the dashboard sections Tap, Top, and Routes appearing blank (thanks
    @MoSattler!)
  • Updated Grafana dashboards to use variable duration parameter so that they
    can be used when Prometheus has a longer scrape interval (thanks @TarekAS)

edge-22.10.2

This edge release fixes an issue with CNI chaining that was preventing the
Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also
includes several other fixes.

• Updated Grafana dashboards to use variable duration parameter so that they can
  be used when Prometheus has a longer scrape interval (thanks @TarekAS)
• Fixed handling of .conf files in the CNI plugin so that the Linkerd CNI plugin
  can be used alongside other CNI plugins such as Cilium
• Added a linkerd diagnostics policy command to inspect Linkerd policy state
• Added a check that ClusterIP services are in the cluster networks
• Added a noop init container to injected pods when the CNI plugin is enabled
  to prevent certain scenarios where a pod can get stuck without an IP address
• Fixed a bug where theconfig.linkerd.io/proxy-version annotation could be empty

edge-22.10.1

This edge release fixes some sections of the Viz dashboard appearing blank, and
adds an optional PodMonitor resource to the Helm chart to enable easier
integration with the Prometheus Operator. It also includes many fixes submitted
by our contributors.

• Fixed the dashboard sections Tap, Top, and Routes appearing blank (thanks
  @MoSattler!)
• Added an optional PodMonitor resource to the main Helm chart (thanks
  @jaygridley!)
• Fixed the CLI ignoring the --api-addr flag (thanks @mikutas!)
• Expanded the linkerd authz command to display AuthorizationPolicy resources
  that target namespaces (thanks @aatarasoff!)
• Fixed the NotIn label selector operator in the policy resources, being
  erroneously treated as In.
• Fixed warning logic around the "linkerd-viz ClusterRoles exist" and
  "linkerd-viz ClusterRoleBindings exist" checks in linkerd viz check
• Fixed proxies emitting some duplicate inbound metrics

stable-2.12.1

This release includes several control plane and proxy fixes for stable-2.12.0.
In particular, it fixes issues related to control plane HTTP servers' header
read timeouts resulting in decreased controller success rates, lowers the
inbound connection pool idle timeout in the proxy, and fixes an issue where the
jaeger injector would put pods into an error state when upgrading from
stable-2.11.x.

Additionally, this release adds the linkerd.io/trust-root-sha256 annotation to
all injected workloads allowing predictable comparison of all workloads' trust
anchors via the Kubernetes API.

For Windows users, note that the Linkerd CLI's nupkg file for Chocolatey is
once again included in the release assets (it was previously removed in
stable-2.10.0).

• Proxy

  • Lowered inbound connection pool idle timeout to 3s

• Control Plane

  • Updated AdmissionRegistration API version usage to v1
  • Added linkerd.io/trust-root-sha256 annotation on all injected workloads
    to indicate certifcate bundle
  • Updated fields in AuthorizationPolicy and MeshTLSAuthentication to
    conform to specification (thanks @aatarasoff!)
  • Updated the identity controller to not require a ClusterRoleBinding
    to read all deployment resources
  • Increased servers' header read timeouts so they no longer match default
    probe and Prometheus scrape intervals

• Helm

  • Restored namespace field in Linkerd helm charts
  • Updated PodDisruptionBudget apiVersion from policy/v1beta1 to
    policy/v1 (thanks @Vrx555!)

• Extensions

  • Fixed jaeger injector interfering with upgrades to 2.12.x

stable-2.11.5

This release lowers the inbound connection pool idle timeout to 3s. This should
help avoid socket errors, especially for Kubernetes probes. Additionally, it
upgrades the version of Go used by the control plane and CLI from 1.17 to 1.18.

edge-22.9.2

This release fixes an issue where the jaeger injector would put pods into an
error state when upgrading from stable-2.11.x.

• Updated AdmissionRegistration API version usage to v1
• Fixed jaeger injector interfering with upgrades to 2.12.x

edge-22.9.1

This release adds the linkerd.io/trust-root-sha256 annotation to all injected
workloads allowing predictable comparison of all workloads' trust anchors via
the Kubernetes API.

Additionally, this release lowers the inbound connection pool idle timeout to
3s. This should help avoid socket errors, especially for Kubernetes probes.

• Added linkerd.io/trust-root-sha256 annotation on all injected workloads
  to indicate certifcate bundle
• Lowered inbound connection pool idle timeout to 3s
• Restored namespace field in Linkerd helm charts
• Updated fields in AuthorizationPolicy and MeshTLSAuthentication to
  conform to specification (thanks @aatarasoff!)
• Updated the identity controller to not require a ClusterRoleBinding
  to read all deployment resources.

edge-22.8.3

Increased control plane HTTP servers' read timeouts so that they no longer
match the default probe intervals. This was leading to closed connections
and decreased controller success rate.

stable-2.12.0

This release introduces route-based policy to Linkerd, allowing users to define
and enforce authorization policies based on HTTP routes in a fully zero-trust
way. These policies are built on Linkerd's strong workload identities, secured
by mutual TLS, and configured using types from the Kubernetes Gateway
API.

The 2.12 release also introduces optional request logging ("access logging"
after its name in webservers), optional support for iptables-nft, and a host
of other improvements and performance enhancements.

Additionally, the linkerd-smi extension is now required to use TrafficSplit,
and the installation process has been updated to separate management of the
Linkerd CRDs from the main installation process. With the CLI, you'll need to
linkerd install --crds before running linkerd install; with Helm, you'll
install the new linkerd-crds chart, then the linkerd-control-plane chart.
These charts are now versioned using SemVer independently
of Linkerd releases. For more information, see the upgrade
notes.

Upgrade notes: Please see the upgrade instructions.

• Proxy

  • Added a config.linkerd.io/shutdown-grace-period annotation to limit the
    duration that the proxy may wait for graceful shutdown
  • Added a config.linkerd.io/access-log annotation to enable logging of
    workload requests
  • Added a new iptables-nft mode for the proxy-init initContainer
  • Added support for non-HTTP traffic forwarding within the mesh in ingress
    mode
  • Added the /env.json log diagnostic endpoint
  • Added a new process_uptime_seconds_total metric to track proxy uptime in
    seconds
  • Added support for dynamically discovering policies for ports that are not
    documented in a pod's containerPorts
  • Added support for route-based inbound HTTP metrics
    (route_group/route_kind/route_name)
  • Added a new annotation to configure skipping subnets in the init container
    (config.linkerd.io/skip-subnets), needed e.g. in Docker-in-Docker
    workloads (thanks @michaellzc!)

• Control Plane

  • Added support for per-route policy by supporting AuthorizationPolicy
    resources which can target HttpRoute or Server resources
  • Added support for bound service account token volumes for the control plane
    and injected workloads
  • Removed kube-system exclusions from watchers to fix service discovery for
    workloads in the kube-system namespace (thanks @JacobHenner!)
  • Updated healthcheck to ignore Terminated state for pods (thanks
    @AgrimPrasad!)
  • Updated the default policy controller log level to info; the controller
    will now emit INFO level logs for some of its dependencies
  • Added probe authorization by default, allowing clusters that use a default
    deny policy to not explicitly need to authorize probes
  • Fixed an issue where the proxy-injector would break when using
    nodeAffinity values for the control plane
  • Fixed an issue where certain control plane components were not restarting as
    necessary after a trust root rotation
  • Removed SMI functionality in the default Linkerd installation; this is now
    part of the linkerd-smi extension

• CLI

  • Fixed the linkerd check command crashing when unexpected pods are found in
    a Linkerd namespace
  • Updated the linkerd authz command to support AuthorizationPolicy and
    HttpRoute resources
  • Updated linkerd check to allow RSA signed trust anchors (thanks
    @danibaeyens!)
  • linkerd install --crds must be run before linkerd install
  • linkerd upgrade --crds must be run before linkerd upgrade
  • Fixed invalid yaml syntax in the viz extension's tap-injector template
    (thanks @wc-s!)
  • Fixed an issue where the --default-inbound-policy setting was not being
    respected
  • Added support for AuthorizationPolicy and HttpRoute to viz authz command
  • Added support for AuthorizationPolicy and HttpRoute to viz stat command
  • Added support for policy metadata in linkerd viz tap

• Helm

  • Split the linkerd2 chart into linkerd-crds and linkerd-control-plane
  • Charts are now versioned using SemVer independently of
    Linkerd releases
  • Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)
  • Changed the proxy.await Helm value so that users can now disable
    linkerd-await on control plane components
  • Added the policyController.probeNetworks Helm value for configuring the
    networks that probes are expected to be performed from

• Extensions

  • Added annotations to allow Linkerd extension deployments to be evicted by
    the autoscaler when necessary
  • Added ability to run the Linkerd CNI plugin in non-chained (stand-alone)
    mode
  • Added a ServiceAccount token Secret to the multicluster extension to support
    Kubernetes versions >= v1.24

This release includes changes from a massive list of contributors, including
engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and
others. A special thank-you to everyone who helped make this release possible:

Agrim Prasad @AgrimPrasad
Ahmed Al-Hulaibi @ahmedalhulaibi
Aleksandr Tarasov @aatarasoff
Alexander Berger @alex-berger
Ao Chen @chenaoxd
Badis Merabet @badis
Bjørn @Crevil
Brian Dunnigan @bdun1013
Christian Schlotter @chrischdi
Dani Baeyens @danibaeyens
David Symons @multimac
Dmitrii Ermakov @ErmakovDmitriy
Elvin Efendi @ElvinEfendi
Evan Hines @evan-hines-firebolt
Eng Zer Jun @Juneezee
Gustavo Fernandes de Carvalho @gusfcarvalho
Harry Walter @haswalt
Israel Miller @imiller31
Jack Gill @jackgill
Jacob Henner @JacobHenner
Jacob Lorenzen @Jaxwood
Joakim Roubert @joakimr-axis
Josh Ault @jault-figure
João Soares @jasoares
jtcarnes @jtcarnes
Kim Christensen @kichristensen
Krzysztof Dryś @krzysztofdrys
Lior Yantovski @lioryantov
Martin Anker Have @mahlunar
Michael Lin @michaellzc
Michał Romanowski @michalrom089
Naveen Nalam @nnalam
Nick Calibey @ncalibey
Nikola Brdaroski @nikolabrdaroski
Or Shachar @or-shachar
Pål-Magnus Slåtto @dev-slatto
Raman Gupta @rocketraman
Ricardo Gândara Pinto @rmgpinto
Roberth Strand @roberthstrand
Sankalp Rangare @sankalp-r
Sascha Grunert @saschagrunert
Steve Gray @steve-gray
Steve Zhang @zhlsunshine
Takumi Sue @mikutas
Tanmay Bhat @tanmay-bhat
Táskai Dominik @dtaskai
Ujjwal Goyal @importhuman
Weichung Shaw @wc-s
Wim de Groot @wim-de-groot
Yannick Utard @utay
Yurii Dzobak @yuriydzobak
罗泽轩 @spacewander

stable-2.12.0-rc2

This release is the second release candidate for stable-2.12.0.

At this point the Helm charts can be retrieved from the stable repo:

helm repo add linkerd https://helm.linkerd.io/stable
helm repo up
helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
helm install linkerd-control-plane \
  -n linkerd \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  linkerd/linkerd-control-plane

The following lists all the changes since edge-22.8.2:

• Fixed inheritance of the linkerd.io/inject annotation from Namespace to
  Workloads when its value is ingress
• Added the config.linkerd.io/default-inbound-policy: all-authenticated
  annotation to linkerd-multicluster’s Gateway deployment so that all clients
  are required to be authenticated
• Added a ReadHeaderTimeout of 10s to all the go http.Server instances, to
  avoid being vulnerable to "slowrolis" attacks
• Added check in linkerd viz check --proxy to warn in case namespace have the
  config.linkerd.io/default-inbound-policy: deny annotation, which would not
  authorize scrapes coming from the linkerd-viz Prometheus instance
• Added validation for accepted values for the --default-inbound-policy flag
• Fixed invalid URL in the linkerd install --help output
• Added --destination-pod flag to linkerd diagnostics endpoints subcommand
• Added proxyInit.runAsUser in values.yaml defaulting to non-zero, to
  complement the new default proxyInit.runAsRoot: false that was rencently
  changed

edge-22.8.2

This release is considered a release candidate for stable-2.12.0 and we
encourage you to try it out! It includes an update to the multicluster extension
which adds support for Kubernetes v1.24 and also updates many CLI commands to
support the new policy resources: ServerAuthorization and HTTPRoute.

• Updated linkerd check to allow RSA signed trust anchors (thanks @danibaeyens)
• Fixed some invalid yaml in the viz extension's tap-injector template (thanks @wc-s)
• Added support for AuthorizationPolicy and HttpRoute to viz authz command
• Added support for AuthorizationPolicy and HttpRoute to viz stat
• Added support for policy metadata in linkerd tap
• Fixed an issue where certain control plane components were not restarting as
  necessary after a trust root rotation
• Added a ServiceAccount token Secret to the multicluster extension to support
  Kubernetes versions >= v1.24
• Fixed an issuer where the --default-inbound-policy setting was not being
  respected

edge-22.8.1

This releases introduces default probe authorization. This means that on
clusters that use a default deny policy, probes do not have to be explicitly
authorized using policy resources. Additionally, the
policyController.probeNetworks Helm value has been added, which allows users
to configure the networks that probes are expected to be performed from.

Additionally, the linkerd authz command has been updated to support the policy
resources AuthorizationPolicy and HttpRoute.

Finally, some smaller changes include allowing to disable linkerd-await on
control plane components (using the existing proxy.await configuration) and
changing the default iptables mode back to legacy to support more cluster
environments by default.

• Updated the linkerd authz command to support AuthorizationPolicy and
  HttpRoute resources
• Changed the proxy.await Helm value so that users can now disable
  linkerd-await on control plane components
• Added probe authorization by default allowing clusters that use a default
  deny policy to not explicitly need to authorize probes
• Added ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode
• Added the policyController.probeNetworks Helm value for configuring the
  networks that probes are expected to be performed from
• Changed the default iptables mode to legacy

edge-22.7.3

This release adds a new nft iptables mode, used by default in proxy-init.
When used, firewall configuration will be set-up through the iptables-nft
binary; this should allow hosts that do not support iptables-legacy (such as
RHEL based environments) to make use of the init container. The older
iptables-legacy mode is still supported, but it must be explictly turned on.
Moreover, this release also replaces the HTTPRoute CRD with Linkerd's own
version, and includes a number of fixes and improvements.

• Added a new iptables-nft mode for proxy-init. When running in this mode,
  the firewall will be configured with nft kernel API; this should allow
  users to run the init container on RHEL-family hosts
• Fixed an issue where the proxy-injector would break when using nodeAffinity
  values for the control plane
• Updated healthcheck to ignore Terminated state for pods (thanks
  @AgrimPrasad!)
• Replaced HTTRoute CRD version from gateway.networking.k8s.io with a
  similar version from the policy.linkerd.io API group. While the CRD is
  similar, it does not support the Gateway type, does not contain the
  backendRefs fields, and does not support RequestMirror and ExtensionRef
  filter types.
• Updated the default policy controller log level to info; the controller
  will now emit INFO level logs for some of its dependencies
• Added validation to ensure HTTPRoute paths are absolute; relative paths are
  not supported by the proxy and the policy controller admission server will
  reject any routes that use paths which do not start with /

edge-22.7.2

This release adds support for per-route authorization policy using the
AuthorizationPolicy and HttpRoute resources. It also adds a configurable
shutdown grace period to the proxy which can be used to ensure that proxy
graceful shutdown completes within a certain time, even if there are outstanding
open connections.

• Removed kube-system exclusions from watchers to fix service discovery for
  workloads in the kube-system namespace (thanks @JacobHenner)
• Added annotations to allow Linkerd extension deployments to be evicted by the
  autoscaler when necessary
• Added missing port in the Linkerd viz chart documentation (thanks @haswalt)
• Added support for per-route policy by supporting AuthorizationPolicy resources
  which target HttpRoute resources
• Fixed the linkerd check command crashing when unexpected pods are found in
  a Linkerd namespace
• Added a config.linkerd.io/shutdown-grace-period annotation to configure the
  proxy's maximum grace period for graceful shutdown

stable-2.11.4

This release includes a security improvement. When a user manually specified the
policyValidator.keyPEM setting, the value was incorrectly included in the
linkerd-config ConfigMap. This means that this private key was erroneously
exposed to ServiceAccounts with read access to this ConfigMap. Practically, this
means that the Linkerd proxy-injector, identity, and heartbeat Pods could
read this value. This should not have exposed this private key to other
unauthorized users unless additional RoleBindings were added outside of Linkerd.
Nevertheless, we recommend that users who manually set control plane
certificates update the credentials for the policy validator after upgrading
Linkerd.

Additionally, a PodSecurityPolicy fix is included which fixes installations
where PSP is enabled and proxyInit.runAsRoot: true.