Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
APACHE-2.0 License
Published by github-actions[bot] almost 3 years ago
This release removes the Grafana component in the linkerd-viz extension.
Users can now import linkerd dashboards into Grafana from the Linkerd org
in Grafana. Users can also follow the instructions in the docs
to install a separate Grafana that can be integrated with the Linkerd Dashboard.
repair sub-command in the CLI
Published by github-actions[bot] almost 3 years ago
This release sets the version of the extension Helm charts to 30.0.0-edge to
ensure that previous versions of these charts can be upgraded properly.
RoleBinding for each multicluster link to prevent
Published by github-actions[bot] almost 3 years ago
This release adds support for using the cert-manager CA Injector to configure
Linkerd's webhooks.
Published by github-actions[bot] almost 3 years ago
This release adds support for custom HTTP methods in the viz stats
(i.e. CLI and Dashboard). It also includes various
smaller improvements.
linkerd-viz stats
linkerd-identity-trust-roots
installNamespace bool flag from the linkerd-control-plane chart (thanks @mikutas)
install command to error if container runtime check fails
Published by github-actions[bot] almost 3 years ago
This edge release contains a few improvements to the CLI commands and a major
change around Helm charts.
The linkerd2 chart has been deprecated in favor of the linkerd-crds and
linkerd-control-plane charts. The former takes care of installing all the
required CRDs and the latter everything else. Importantly, as per Helm best
practice, we're no longer creating the linkerd namespace. Users must do that
manually, or have the Helm tool do it explicitly. So the install procedure
would look something like this:
helm install linkerd-crds -n linkerd --create-namespace --devel linkerd-edge/linkerd-crds
helm install linkerd-control-plane -n linkerd \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  --devel \
  linkerd-edge/linkerd-control-plane
(Given the chart versions are flagged as a pre-release, you need the --devel
flag).
In order to upgrade, please delete your previously installed linkerd2 chart
and install the new charts as explained above.
Although the charts for the main extensions (viz, multicluster, jaeger,
linkerd2-cni) were not deprecated, they also stopped creating their namespace
and users are required to uninstall and reinstall them anew, e.g.:
helm install linkerd-viz -n linkerd-viz --create-namespace linkerd-edge/linkerd-viz
--obfuscate flag to linkerd diagnostics proxy-metrics to
--set clusterNetworks in the linkerd check output when that parameter doesn't contain all the node
linkerd viz check and linkerd jaeger check, to
Published by github-actions[bot] almost 3 years ago
This edge removes the default SMI functionality that is included in
installations now that the linkerd-smi extension provides these resources. It
also relaxes the proxy-init's privileged value to only be set to true when
needed by certain installation configurations.
Along with some bug fixes, the repository's issue and feature request templates
have been updated to forms; check them when opening a new issue! (thanks
@mikutas).
--context flag (thanks @mikutas!)
proxy-init's privileged: true only
linkerd check would compare proxy versions of
--default-inbound-policy flag to linkerd inject for setting a
Published by github-actions[bot] almost 3 years ago
This edge release enables EndpointSlices by default in the destination
controller, which unblocks any functionality that is specific to
EndpointSlices such as topology-aware hints. It also contains a couple of
internal cleanups and upgrades by our external contributors!
linkerd check verifying the nodes aren't running the old
EndpointSlices in the destination controller by default
linkerd check -o short
Published by github-actions[bot] almost 3 years ago
This edge release introduces a change in the destination service to honor
opaque ports set in the proxyProtocol field of Server resources. This
change makes it possible to set opaque ports directly in Server resources
without needing the opaque ports annotation on pods. The release also features
a number of fixes and improvements, a big thank you to our external
contributors for their continued support and involvement.
Server resources; ports can now be marked as opaque directly in Server proxyProtocol field.
proxyInit as root
Link CRD to code generation script; consumers of the
v1alpha1 version of the policy APIs
linkerd check header text (thanks @mikutas!)
beta.kubernetes.io/os label with kubernetes.io/os
Published by github-actions[bot] almost 3 years ago
This edge release fixes a compatibility issue that prevented the policy
controller from starting in some Kubernetes distributions. This release also
includes a new High Availability mode for the gateway component in multicluster
extension. Various dependencies across the CNI plugin, Policy Controller and
dashboard have also been upgraded. In the proxy, error logging when the proxy
fails to accept a connection due to a system error has been improved.
openssl instead of rustls to fix
linkerd-cni to support latest CNI
Published by github-actions[bot] almost 3 years ago
This edge release introduces a new Services page in the web dashboard that shows
live calls and route metrics for meshed services. Additionally, the proxy-init
container is no longer enforced to run as root. Lastly, the proxy can now retry
requests with a content-length header, permitting requests emitted by grpc-go
to be retried.
proxy-init container to run as root
content-length header
TRACE to DEBUG
linkerd was the name of
logFormat and logLevel configuration values for the proxy-init
viz subcommand when
linkerd-sp-validator service account in the linkerd-psp role binding (thanks @multimac!)
Published by github-actions[bot] almost 3 years ago
In this edge, we're very excited to introduce Service Account Token Volume
Projections, used to set up the pods' identities. These tokens are bound
specifically to this use case and are rotated daily, replacing the usage of the
default tokens injected by Kubernetes, which are overly permissive.
Note that this edge release updates the minimum supported Kubernetes version to 1.20.
automountServiceAccountToken set to false
linkerd check -o json
Published by github-actions[bot] almost 3 years ago
BEFORE YOU DOWNLOAD THIS RELEASE: Please take 60 seconds to tell the CNCF that you are using Linkerd. This is hugely important for the project, will only take a minute, and we need your voice! https://www.surveymonkey.com/r/LZJ9DD7
This release relaxes the policy on the identity controller, allowing it to work
in more environments. It updates the CLI and Helm charts to indicate that the
minimum supported Kubernetes version is 1.17.0. It also fixes a number of bugs
in the CLI, multicluster extension, and proxy.
linkerd check to avoid multiline errors with retryable checks
-o short command-line flag for extension check commands
authz CLI commands would fail when policy resources had an
Published by github-actions[bot] about 3 years ago
This edge release fixes a bug in the proxy that could cause it to be killed in
certain situations. It also uses a more relaxed policy for the identity
controller that allows it to work in environments where health checks come from
outside of the pod network.
admin server so that it no longer
authz CLI commands would fail when policy resources had
Published by github-actions[bot] about 3 years ago
This edge release fixes linkerd check and the helm charts to explicitly
indicate that the minimum Kubernetes version is 1.17.0. Prior to this change,
there was no validation or enforcement from linkerd check or helm to meet this
minimum requirement.
This edge also improves check functionality for extensions by adding the
-oshort flag, and prevents duplicate policy resources from being created for
linked multicluster services.
-oshort flag for extension check commands
crtExpiry template parameter from helm charts
priorityClassName to the helm charts to configure control plane
Published by github-actions[bot] about 3 years ago
This release includes some fixes in linkerd check, along with a
bunch of dependency updates across the dashboard, Go components, and
others. On the proxy side, support for TLSv1.2 has been dropped
(only TLSv1.3 cipher suite will be used), and the h2 crate has been updated
to support HTTP/2 messages with larger header values.
linkerd check to avoid multiline errors with retryable checks
linkerd check --proxy with
1.4.1 which adds support for --log-level --log-format flags (thanks @gusfcarvalho)
TLSv1.2 in the proxy
h2 crate in the proxy to support HTTP/2 messages with
Published by github-actions[bot] about 3 years ago
This release introduces access control policies. Default policies may be
configured at the cluster- and workspace-levels; and fine grained policies may
be instrumented via the new policy.linkerd.io/v1beta1 CRDs: Server and
ServerAuthorization. These resources may be created to define how individual
ports accept connections; and the Server resource will be a building block for
future features that configure inbound proxy behavior.
Furthermore, ServiceProfile retry configurations can now instrument retries
for requests with bodies. This unlocks retry behavior for gRPC services.
Upgrade notes: Please see the upgrade instructions.
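A minimal set of the policy resources introduced here, as an added example that is not taken from the Linkerd release notes or repository; the namespace, resource names, pod labels, port values and service account are constructed for illustration. The third resource shows a port marked opaque through proxyProtocol, as described in the edge release note further up this page.

```yaml
# Constructed example: namespace, names, labels and service account are placeholders.
# Server: selects the port named "http" on pods labelled app=web and declares its protocol.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: demo
  name: web-http
spec:
  podSelector:
    matchLabels:
      app: web
  port: http
  proxyProtocol: HTTP/1
---
# ServerAuthorization: only mutually-authenticated (mesh TLS) clients running
# as the "frontend" service account may connect to the Server above.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: demo
  name: web-from-frontend
spec:
  server:
    name: web-http
  client:
    meshTLS:
      serviceAccounts:
        - name: frontend
---
# Server for a non-HTTP port, marked opaque directly in proxyProtocol
# instead of through the opaque ports annotation on the pod.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: demo
  name: db-tcp
spec:
  podSelector:
    matchLabels:
      app: db
  port: 5432
  proxyProtocol: opaque
```

Once a Server selects a port, connections that match no ServerAuthorization for that Server are refused, so db-tcp as written accepts nothing until an authorization referencing it is added.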
Proxy
gcr.io/distroless/cc to
inbound_http_errors_total and outbound_http_errors_total
l5d-proxy-error header that is included on responses on trusted
l5d-client-id header on mutually-authenticated inbound requests so
srv_name and saz_name labels to inbound HTTP metrics
linkerd.io/inject: ingress is used
Control Plane
policy-controller container to the linkerd-destination
Server
linkerd-identity-trust-roots ConfigMap which configures the trust
linkerd-controller deployment so that Linkerd's core
proxy-init container with NET_RAW and NET_ADMIN capabilities so that the container does not fail
CLI
linkerd completion to expand Kubernetes resources from the current
authz subcommand to display the authorization policies that
linkerd check that only prints failed
ReplicaSets to linkerd stat so that pods created by Rollout resources can be inspected
Helm: please see the upgrade instructions.
Extensions:
Introduced a new (optional) SMI extension responsible for reading
specs.smi-spec.io resources and converting them to Linkerd resources
In stable-2.12, this extension will be required to use TrafficSplit
resources with Linkerd
Added an extensions page to the Linkerd Web UI
Viz
Server and ServerAuthorization resources for all ports
Jaeger
Multicluster
StatefulSet workloads
This release includes changes from a massive list of contributors. A special
thank-you to everyone who helped make this release possible:
Gustavo Fernandes de Carvalho @gusfcarvalho
Oleg Vorobev @olegy2008
Bart Peeters @bartpeeters
Stepan Rabotkin @EpicStep
LiuDui @xichengliudui
Andrew Hemming @drewhemm
Ujjwal Goyal @importhuman
Knut Götz @knutgoetz
Sanni Michael @sannimichaelse
Brandon Sorgdrager @bsord
Gerald Pape @ubergesundheit
Alexey Kostin @rumanzo
rdileep13 @rdileep13
Takumi Sue @mikutas
Akshit Grover @akshitgrover
Sanskar Jaiswal @aryan9600
Aleksandr Tarasov @aatarasoff
Taylor @skinn
Miguel Ángel Pastor Olivar @migue
wangchenglong01 @wangchenglong01
Josh Soref @jsoref
Carol Chen @kipply
Peter Smit @psmit
Tarvi Pillessaar @tarvip
James Roper @jroper
Dominik Münch @muenchdo
Szymon Gibała @Szymongib
Mitch Hulscher @mhulscher
Published by github-actions[bot] about 3 years ago
This edge is a release candidate for stable-2.11.0, containing a couple of
improvements to linkerd check, some final tweaks before the stable release,
and a couple of contributions from the community.
linkerd check --proxy stop failing on pods that are in Shutdown status
Published by github-actions[bot] about 3 years ago
This edge is a release candidate for stable-2.11.0! It introduces a new
linkerd viz auth command which shows metrics for server authorizations broken
down by server for a given resource. It also shows the rate of unauthorized
requests to each server. This is helpful for seeing a breakdown of which
authorizations are being used and what proportion of traffic is being rejected.
It also fixes an issue in the proxy where HTTP load balancers could continue
trying to establish connections to endpoints that were removed from service
discovery. In addition it improves the proxy's error handling so that it can
signal to an inbound proxy when its peer's outbound connections should be torn
down.
info to debug to reduce the amount
linkerd viz auth command which shows metrics for server
omitWebhookSideEffects setting now that we no longer support
profileValidator.namespaceSelector
v1beta1
stat's -o json option to Server resources
linkerd viz authz command
Published by github-actions[bot] about 3 years ago
This edge is a release candidate for stable-2.11.0! It features a new
linkerd authz CLI command to list servers and authorizations for a workload,
as well as policy resources support for linkerd viz stat. Furthermore, this
edge release adds support for JSON log formatting, enables TLS detection on
port 443 (previously marked as opaque), and further improves policy features.
viz stat command
linkerd-identity
linkerd authz command to the CLI to list all server and
proxyProtocol field of Server resources
WARN
Server structs
Published by github-actions[bot] about 3 years ago
This edge release gets us closer to 2.11 by further polishing the policy
feature. Also the proxy received a noticeable resource consumption improvement.
all-unauthenticated to allow the webhooks to be called from the kube-api