Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
APACHE-2.0 License
Published by github-actions[bot] over 2 years ago
This release includes a security improvement. When a user manually specified the policyValidator.keyPEM setting, the value was incorrectly included in the linkerd-config configmap. This means that this private key was erroneously exposed to service accounts with read access to this configmap. Practically, this means that the Linkerd proxy-injector, identity, and heartbeat pods could read this value. This should not have exposed this private key to other unauthorized users unless additional role bindings were added outside of Linkerd. Nevertheless, we recommend that users who manually set control plane certificates update the credentials for the policy validator after upgrading Linkerd.
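An added check for the leak described above (not part of this release or of the Linkerd project): it scans a `kubectl get configmap linkerd-config -n linkerd -o json` dump for PEM private-key blocks and for a populated keyPEM value; both ConfigMap samples are constructed, and the key bytes in them are dummies.

```python
import json
import re

# Any PEM private-key block (RSA, EC, PKCS#8 "PRIVATE KEY", ...).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Helm value keys that hold private material and must stay out of the ConfigMap.
SECRET_VALUE_KEYS = ("keyPEM",)


def find_leaked_keys(configmap_json: str) -> list:
    """Scan a `kubectl get configmap linkerd-config -n linkerd -o json` dump.

    Returns a list of (data_key, reason) findings; an empty list means no
    private key material was found in any data entry.
    """
    cm = json.loads(configmap_json)
    findings = []
    for data_key, body in (cm.get("data") or {}).items():
        if PRIVATE_KEY_RE.search(body):
            findings.append((data_key, "PEM private key block present"))
        for secret_key in SECRET_VALUE_KEYS:
            # The `values` entry is a YAML string: a populated key appears as
            # `keyPEM: |` (block scalar) or inline; an unset one as `keyPEM: ""`.
            m = re.search(rf"^\s*{secret_key}:\s*(.*)$", body, re.MULTILINE)
            if m and m.group(1).strip() not in ('""', "''", "null", "~", ""):
                findings.append((data_key, f"{secret_key} is populated"))
    return findings


# Constructed samples: the first mimics the pre-fix ConfigMap (dummy key bytes),
# the second the fixed one where the value is left empty.
LEAKY_CM = json.dumps({
    "kind": "ConfigMap",
    "metadata": {"name": "linkerd-config", "namespace": "linkerd"},
    "data": {"values": "policyValidator:\n  keyPEM: |\n"
                       "    -----BEGIN EC PRIVATE KEY-----\n"
                       "    ZHVtbXk=\n"
                       "    -----END EC PRIVATE KEY-----\n"},
})
CLEAN_CM = json.dumps({
    "kind": "ConfigMap",
    "metadata": {"name": "linkerd-config", "namespace": "linkerd"},
    "data": {"values": "policyValidator:\n  keyPEM: \"\"\n"},
})

if __name__ == "__main__":
    for label, cm in (("pre-fix", LEAKY_CM), ("fixed", CLEAN_CM)):
        print(label, find_leaked_keys(cm) or "no private key material")
```

A non-empty result after upgrading is the signal to rotate the policy validator credentials, since anything that could read the ConfigMap could have read the key.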
Additionally, the linkerd-multicluster extension has several fixes related to fail-fast errors during link watch restarts, improper label matching for mirrored services, and properly cleaning up mirrored endpoints in certain situations.
Lastly, the proxy can now retry gRPC requests that have responses with a
TRAILERS frame. A fix to reduce redundant load balancer updates should also
result in less connection churn.
prommatch package for asserting
linkerd install rather
linkerd check --pre
matchLabels and matchExpressions to linkerd-multicluster's Link CRD
linkerd check due to missing RBAC for listing pods in
linkerd authz to match the labels of pre-fetched Pods rather than
policyValidator.keyPEM in linkerd-config ConfigMap
Published by github-actions[bot] over 2 years ago
This release pulls in several control plane and proxy fixes from the main development branch. The linkerd-multicluster extension has several fixes regarding incorrect label matching and resource cleanup. Additionally, a long-standing panic has been fixed in the proxy.
linkerd multicluster allow which resulted in broken YAML
CONNECT
linkerd check did not skip Pods with a NodeShutdown
linkerd install rather than linkerd check
mirror.linkerd.io/exported rather than just its presence
Published by github-actions[bot] over 2 years ago
This edge release bumps the minimum supported Kubernetes version from v1.20 to v1.21, introduces some new changes, and includes a few bug fixes. Most notably, a bug has been fixed in the proxy's outbound load balancer that could cause panics, especially when the balancer would process many service discovery updates in a short period of time. This release also fixes a panic in the proxy-injector, and introduces a change that will include HTTP probe ports in the proxy's inbound ports configuration, to be used for policy discovery.
runtimeClassName options to Linkerd's Helm chart (thanks @jtcarnes!)
v1.21 from v1.20
PublicIPToString to handle both IPv4 and IPv6 addresses in a
cosign-installer action v1 (thanks @saschagrunert!)
Published by github-actions[bot] over 2 years ago
This edge release fixes an issue where Linkerd injected pods could not be evicted by Cluster Autoscaler. It also adds the --crds flag to linkerd check which validates that the Linkerd CRDs have been installed with the proper versions.
The previously noisy "cluster networks can be verified" check has been replaced with one that now verifies each running Pod IP is contained within the current clusterNetworks configuration value.
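The containment check described above, written out as an added Python example (not the linkerd check implementation) over a constructed clusterNetworks value and pod IP list; it also shows the IPv4/IPv6 mismatch case, where a v4-only CIDR list can never cover an IPv6 pod.

```python
import ipaddress


def parse_cluster_networks(value: str) -> list:
    """Parse the comma-separated clusterNetworks Helm value into networks.
    strict=False tolerates host bits in a CIDR (e.g. 10.0.0.1/8)."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def pods_outside_cluster_networks(cluster_networks: str, pod_ips: dict) -> dict:
    """Return {pod: ip} for every pod whose IP is in no clusterNetworks CIDR.

    `pod_ips` maps "namespace/name" to the pod's status.podIP as reported by
    `kubectl get pods -A -o wide`. An address of one IP version never matches a
    network of the other, so IPv6 pods on a v4-only clusterNetworks are flagged.
    """
    networks = parse_cluster_networks(cluster_networks)
    outside = {}
    for pod, ip in pod_ips.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            outside[pod] = ip
    return outside


# Constructed sample: a v4-only clusterNetworks value and a few pod IPs.
V4_NETWORKS = "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
SAMPLE_PODS = {
    "emojivoto/web-0": "10.244.1.5",       # inside 10.0.0.0/8
    "emojivoto/emoji-1": "192.168.3.9",    # inside 192.168.0.0/16
    "default/vote-2": "203.0.113.7",       # outside every listed CIDR
    "default/v6-pod": "fd00::1",           # IPv6: a v4-only list cannot cover it
}

if __name__ == "__main__":
    print(pods_outside_cluster_networks(V4_NETWORKS, SAMPLE_PODS))
    # Adding the v6 pod CIDR to clusterNetworks clears the IPv6 finding.
    print(pods_outside_cluster_networks(V4_NETWORKS + ",fd00::/8", SAMPLE_PODS))
```

A pod reported here is one whose traffic the proxy will not treat as in-cluster, so the fix is to extend clusterNetworks rather than to ignore the warning.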
Additionally, linkerd-viz is no longer required for linkerd-multicluster's gateways command — allowing the Gateways API to be marked as deprecated for 2.12.
Finally, several security issues have been patched in the Docker images now that
the builds are pinned only to minor — rather than patch — versions.
gateway command dependency on the linkerd-viz
dst_target_cluster metric to linkerd-multicluster's service-mirror
--crds flag to linkerd check which validates that the Linkerd
clusterNetworks configuration
Gateways API which is no longer used by
promm package for making programmatic Prometheus assertions in
runAsUser configuration to extensions to fix a PodSecurityPolicy
Published by github-actions[bot] over 2 years ago
This edge release fixes a few proxy issues, improves the upgrade process, and
introduces proto retries to Service Profiles. Also included are updates to the
bash scripts to ensure that they follow best practices.
linkerd upgrade command
Published by github-actions[bot] over 2 years ago
This edge release ships a few changes to the chart values, a fix for
multicluster headless services, and notable proxy features. HA functionality,
such as PDBs, deployment strategies, and pod anti-affinity, have been split
from the HA values and are now configurable for the control plane. On the proxy
side, non-HTTP traffic will now be forwarded on the outbound side within the
cluster when the proxy runs in ingress mode.
ingress-mode proxies to forward non-HTTP traffic within the cluster
process_uptime_seconds_total to keep track of the
Published by github-actions[bot] over 2 years ago
This edge release adds more flexibility to the MeshTLSAuthentication and
AuthorizationPolicy policy resources by allowing them to target entire
namespaces. It also fixes a race condition when multiple CNI plugins are
installed together as well as a number of other bug fixes.
linkerd install when the --ignore-cluster flag is passed
enablePSP and proxyInit.runAsRoot are set
Published by github-actions[bot] over 2 years ago
In order to support having custom resources in the default Linkerd installation, the CLI install flow is now always a 2-step process where linkerd install --crds must be run first to install CRDs only and then linkerd install is run to install everything else. This more closely aligns the CLI install flow with the Helm install flow where the CRDs are a separate chart. This also applies to linkerd upgrade. Also, the config and control-plane sub-commands have been removed from both linkerd install and linkerd upgrade.
On the proxy side, this release fixes an issue where proxies would not honor the cluster's opaqueness settings for non-pod/service addresses. This could cause protocol detection to be performed, for instance, when using off-cluster databases.
This release also disables the use of regexes in Linkerd log filters (i.e., as set by LINKERD2_PROXY_LOG). Malformed log directives could, in theory, cause a proxy to stop responding.
The helm.sh/chart label in some of the CRDs had its formatting fixed, which avoids issues when installing/upgrading through external tools that make use of it, such as recent versions of Flux.
--crds flag to install/upgrade and remove config/control-plane stages
AuthorizationPolicy CRD to have an empty requiredAuthenticationRefs entry that allows all traffic
nodeAffinity config in all the charts for enhanced control on the
resources, nodeSelector and tolerations configs in the linkerd-multicluster-link chart for enhanced control on the service mirror
helm.sh/chart label in CRDs
config.linkerd.io/opaque-ports annotation
Published by github-actions[bot] over 2 years ago
This release pulls in many small fixes and improvements from the main development branch. It features changes to the multicluster extension to support the new linkerd-failover extension so that clients can failover across services hosted on remote clusters.
CLI
check to avoid checking the proxy version of uninjected pods
check to skip evicted pods
install commands to support the --ignore-cluster flag
Core
destination controller to honor Server resources when
config.linkerd.io/enable-external-profiles annotation is set to true
linkerd-await post-start hook to timeout after 2
config.linkerd.io/skip-subnets workload annotation that can be
openssl backend for its admission
Server CRD to relax OpenAPI schema validation requirements
Server and ServerAuthorization resources
proxyInit.runAsRoot helm variable that may be set to false to run
beta.kubernetes.io/node label
Jaeger
jaeger to v1.31 and opentelemetry-collector to v0.43 to support
Multicluster
linkerd-multicluster-link Helm chart so that a RoleBinding
enablePSP helm value is set to true
linkerd multicluster install --ha flag to run gateways with
Published by github-actions[bot] over 2 years ago
This edge release introduces new policy CRDs that allow for more generalized authorization policies.
The AuthorizationPolicy CRD authorizes clients that satisfy all the required authentications to communicate with the Linkerd Server that it targets. Required authentications are specified through the new MeshTLSAuthentication and NetworkAuthentication CRDs.
A MeshTLSAuthentication defines a list of authenticated client IDs—specified directly by proxy identity strings or referencing resources such as ServiceAccounts.
A NetworkAuthentication defines a list of client networks that will be authenticated.
Additionally, to support the new CRDs, policy-related labels have been changed to better categorize policy metrics. A srv_kind label has been introduced which splits the current srv_name value—formatted as kind:name—into separate labels. The saz_name label has been removed and is replaced by the new authz_kind and authz_name labels.
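An added illustration (not the project's code) of how the three CRDs compose: a small Python evaluator that accepts a client only when every requiredAuthenticationRefs entry of an AuthorizationPolicy holds, run over constructed spec fragments. The trust domain, the shell-style wildcard semantics for identities and the identities/networks/cidr/except field names are assumptions, not taken from this page.

```python
import fnmatch
import ipaddress

TRUST_DOMAIN = "linkerd.cluster.local"  # assumed trust domain for the samples

def mesh_tls_authenticates(authn: dict, client_identity) -> bool:
    """MeshTLSAuthentication: client must present a mesh identity that matches
    one of `identities` (wildcard matching assumed shell-style here); a
    plaintext client (no identity) never passes."""
    if client_identity is None:
        return False
    return any(fnmatch.fnmatchcase(client_identity, p) for p in authn.get("identities", []))

def network_authenticates(authn: dict, client_ip: str) -> bool:
    """NetworkAuthentication: client IP inside one `cidr`, outside its `except`."""
    addr = ipaddress.ip_address(client_ip)
    for net in authn.get("networks", []):
        inside = addr in ipaddress.ip_network(net["cidr"], strict=False)
        excluded = any(addr in ipaddress.ip_network(x, strict=False) for x in net.get("except", []))
        if inside and not excluded:
            return True
    return False

def authorized(policy: dict, authns: dict, client_identity, client_ip: str) -> bool:
    """AuthorizationPolicy: every requiredAuthenticationRefs entry must hold;
    an empty list therefore allows all traffic to the targeted Server."""
    for ref in policy.get("requiredAuthenticationRefs", []):
        authn = authns[(ref["kind"], ref["name"])]
        if ref["kind"] == "MeshTLSAuthentication":
            ok = mesh_tls_authenticates(authn, client_identity)
        elif ref["kind"] == "NetworkAuthentication":
            ok = network_authenticates(authn, client_ip)
        else:
            ok = False  # unknown authentication kind: fail closed
        if not ok:
            return False
    return True

# Constructed sample specs: meshed clients from the emojivoto namespace,
# arriving from the pod network minus one excluded subnet.
AUTHNS = {
    ("MeshTLSAuthentication", "emojivoto-clients"): {
        "identities": [f"*.emojivoto.serviceaccount.identity.{TRUST_DOMAIN}"]},
    ("NetworkAuthentication", "pod-network"): {
        "networks": [{"cidr": "10.0.0.0/8", "except": ["10.0.99.0/24"]}]},
}
POLICY = {"requiredAuthenticationRefs": [
    {"kind": "MeshTLSAuthentication", "name": "emojivoto-clients"},
    {"kind": "NetworkAuthentication", "name": "pod-network"}]}
ALLOW_ALL = {"requiredAuthenticationRefs": []}
```

Note that the two authentications are ANDed: a correctly identified client from the excepted subnet is still refused, and an empty requiredAuthenticationRefs list admits even plaintext clients.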
srv_kind label which allowed splitting the value of the srv_name label
saz_name label and replaced it with the new authz_kind and authz_name labels
AuthorizationPolicy, MeshTLSAuthentication, NetworkAuthentication
--proxy-version flag (thanks @importhuman!)
Published by github-actions[bot] over 2 years ago
Published by github-actions[bot] over 2 years ago
This edge release ensures that in multicluster installations, mirror service
endpoints have their readiness tied to gateway liveness. When the gateway for a
target cluster is not alive, the endpoints that point to it on a source cluster
will properly indicate that they are not ready.
namespace entry in linkerd-control-plane chart
Published by github-actions[bot] over 2 years ago
This edge release includes a few fixes and quality of life improvements. An
issue has been fixed in the proxy allowing HTTP Upgrade requests to work
through multi-cluster gateways, and the init container's resource limits and
requests have been revised. Additionally, more Go linters have been enabled and
improvements have been made to the devcontainer.
linkerd-init resource (CPU/memory) limits and requests to ensure by
Guaranteed QOS class
NodeShutdown
Published by github-actions[bot] over 2 years ago
This edge release includes updates to dependencies, CI, and rust 1.59.0. It also includes changes to the linkerd-jaeger chart to ensure that namespace labels are preserved and adds support for imagePullSecrets, along with improvements to the multicluster and policy functionality.
multicluster link command to clarify that the link is
imagePullSecrets to Jaeger Helm chart
linkerd-jaeger chart
repairEndpoints runs
Server CRD to handle an empty PodSelector
Published by github-actions[bot] over 2 years ago
This edge release continues to address several security related lints and
ensures they are checked by CI.
linkerd check warning for clusters that cannot verify their clusterNetworks due to Nodes missing the podCIDR field
Server CRD to allow having an empty PodSelector
linkerd inject to only support https URLs to mitigate security
failurePolicy was set to Fail
Published by github-actions[bot] over 2 years ago
This edge release fixes some Instant-related proxy panics that occur on Amazon Linux. It also includes many behind the scenes improvements to the project's CI and linting.
--controller-image-version install flag to simplify the way that
--set linkerdVersion flag or Helm value
Instant-related proxy panics
Published by github-actions[bot] over 2 years ago
This edge release updates the jaeger extension to be available in ARM
architectures and applies some security-oriented amendments.
linkerd multicluster check which was reporting false warnings
Published by github-actions[bot] over 2 years ago
This edge release removes the disableIdentity configuration now that the proxy no longer supports running without identity.
privileged configuration to linkerd-cni which is required by some
disableIdentity configurations now that the proxy no longer
linkerd jaeger check would needlessly fail for BYO
Published by github-actions[bot] over 2 years ago
This edge release adds support for per-request access logging for HTTP inbound requests in Linkerd. A new annotation, config.linkerd.io/access-log, is added, which configures the proxies to emit access logs to stderr. The supported values are apache and json, emitting access logs in Apache Common Log Format and JSON respectively.
Special thanks to @tustvold for all the initial work around this!
config.linkerd.io/access-log annotation
LINKERD2_PROXY_ACCESS_LOG proxy environment variable to configure
Published by github-actions[bot] almost 3 years ago
This edge release features a new configuration annotation, support for externally hosted Grafana instances, and other improvements in the CLI, dashboard and Helm charts. To learn more about using an external Grafana instance with Linkerd, you can refer to our docs.
config.linkerd.io/skip-subnets). This configuration option is ideal for
linkerd-jaeger Helm chart (thanks
DS_PROMETHEUS) in all Grafana
--ignore-cluster flag in the CLI for the base