Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
APACHE-2.0 License
Published by github-actions[bot] about 3 years ago
This release includes various improvements and additions to the policy feature,
including a new validating webhook for policy resources. It also includes proxy
changes: TCP connections are now terminated when an authorization is revoked, and
the proxy authorization metrics have been improved. In addition, the proxy injector
has been updated to set the right opaque-ports annotation on services with default
opaque ports.
srv_name label
proxy-identity binary which creates the
cluster-unauthenticated
vis stat ts and print a warning about the SMI extension
Published by github-actions[bot] about 3 years ago
This edge release continues to build on the policy feature by adding support for
cluster-scoped default policies and exposing policy labels on various Prometheus
metrics. The proxy has been updated to return HTTP-level authorization errors
at the time that the request is processed, instead of when the connection is
established.
In addition, the proxy-injector has been updated to set the opaque-ports
annotation on a workload to make sure that controllers can discover how the
workload was configured. Also, the sleep binary has been added to the proxy
image in order to restore the functionality required for waitBeforeExitSeconds
to work.
default-inbound-policy annotation to the proxy-injector
opaque-ports annotation
sleep binary to proxy image
Server resource definition does not match the ports defined for the workload
nonroot variant from the policy-controller's distroless base image
Published by github-actions[bot] about 3 years ago
This release adds support for dynamic inbound policies. The proxy now discovers
policies from the policy-controller API for all application ports documented in a
pod spec. Rejected connections are logged. Policies are not yet reflected in the
proxy's metrics.
These policies also allow the proxy to skip protocol detection when a server is
explicitly annotated as HTTP/2 or when the server is documented to be opaque or
application-terminated TLS.
enableHeadlessServices Helm flag to the linkerd multicluster link command for enabling headless service mirroring (thanks @knutgoetz!)
linkerd-policy service selector to properly select destination
Published by github-actions[bot] about 3 years ago
This edge release continues the policy work by adding a new controller, written
in Rust, to expose a discovery API for inbound server policies. Apart from
that, this release includes a number of changes from external contributors; the
linkerd-jaeger helm chart now supports passing arguments to the Jaeger
container through the chart's values file. A number of unused functions and
variables have also been removed to improve the quality of the codebase.
Finally, this release also comes with changes to the proxy's outbound behavior,
a new extensions page on the dashboard, and support for querying service
metrics using the authority label in linkerd viz stat.
linkerd-policy-controller; the new controller is written in
linkerd-destination pod
linkerd-jaeger helm chart to support passing arguments to the
authority label in linkerd viz stat
Published by github-actions[bot] about 3 years ago
This release includes the initial changes for adding authorization to Linkerd,
including the new policy.linkerd.io CRDs in the core install.
It also includes numerous dependency updates in both the web and dashboard.
servers.policy.linkerd.io and serverauthorizations.policy.linkerd.io
Published by github-actions[bot] about 3 years ago
This release updates Linkerd to store the identity trust root in a ConfigMap to
make it easier to manage and rotate the trust root. The release also lays the
groundwork for StatefulSet support in the multicluster extension and removes
deprecated PSP resources by default.
linkerd-identity-trust-roots ConfigMap which contains the configured
Published by github-actions[bot] over 3 years ago
This release continues to focus on dependency updates. It also adds the
l5d-proxy-error information header to distinguish proxy-generated errors
from application-generated errors.
l5d-proxy-error on responses that allows proxy-generated error
target_addr label to *_tcp_accept_errors metrics to improve
Published by github-actions[bot] over 3 years ago
This edge release introduces several changes around metrics. ReplicaSets are now
a supported resource and metrics can be associated with them. A new metric has
been added which counts proxy errors encountered before a protocol can be
detected. Finally, the request errors metric has been split into separate
inbound and outbound directions.
check --pre command usage if it fails after being unable to
LINKERD2_PROXY_INBOUND_PORTS environment variable during proxy
diagnostics controller-metrics
request_errors_total metric with two new metrics: inbound_http_errors_total and outbound_http_errors_total
inbound_tcp_accept_errors_total and outbound_tcp_accept_errors_total metrics which count proxy errors
Published by github-actions[bot] over 3 years ago
This edge release focuses on dependency updates and has a couple of functional
changes. First, the Dockerfile used to build the proxy has been updated to use
the default distroless image, rather than the non-root variant. This change
is safe because the proxy already runs as non-root within the container. Second,
the ignoreInboundPorts parameter has been added in the linkerd2-cni helm
charts in order to enable tap support.
ignoreInboundPorts parameter to the linkerd2-cni plugin helm chart
Published by github-actions[bot] over 3 years ago
This edge release adds support for emitting Kubernetes events in the identity
controller when issuing leaf certificates. The event includes the identity,
expiry date, and a hash of the certificate. Additionally, this release contains
many dependency updates for the control plane's components, and it includes a
fix for an issue with the clusterNetworks healthcheck.
linkerd check where the clusterNetworks healthcheck
podCIDR field is omitted from a node's spec.
bin/web script.
Published by github-actions[bot] over 3 years ago
This release contains a few improvements, from many contributors! Also under
the hood, the destination service has received updates in preparation for the
upcoming support for StatefulSets across multicluster.
linkerd check --proxy command to avoid hitting a timeout when
Published by github-actions[bot] over 3 years ago
This release moves the Linkerd proxy to a more minimal Docker base image,
adds a check for detecting certain network misconfigurations, and replaces
the deprecated OpenCensus collector with the OpenTelemetry collector in the
jaeger extension.
Published by github-actions[bot] over 3 years ago
This release fixes a problem with the HTTP body buffering that was added
to support gRPC retries. Now, only requests with a retry configuration
are buffered (and only when their bodies are less than 64KB).
Additionally, this release fixes an issue with the outbound ingress-mode proxy
where forwarded HTTP clients could fail to detect when the target pod was
deleted, causing connections to retry forever. This only impacted traffic
forwarded directly to pod IPs and not load balanced services.
Finally, this release also includes some fixes in the CLI and dashboard.
namespace resource was erroneously being shown
Published by github-actions[bot] over 3 years ago
This release adds support for retrying HTTP/2 requests with small (<64KB)
message bodies, allowing the proxy to properly buffer message bodies when
responses are classified as a failure. Documentation on how to configure
retries can be found here.
This release also modifies the proxy's identity subsystem to instantiate a
client on-demand so client connections are not retained continually. Also
included in this release are various bug fixes and improvements as well as
expanding support for resource-aware tab completion in the jaeger and
multicluster CLI extensions.
gateway-port flag for the multicluster link
jaeger and multicluster commands
viz, jaeger and multicluster extensions could not
PodSecurityPolicy-enabled clusters
linkerd check --proxy could incorrectly report
uninstall command to remove viz installations that used the
linkerd.io/extension: linkerd-viz label (thanks @jsoref!)
Published by github-actions[bot] over 3 years ago
This edge release contains various improvements to the Viz and Jaeger install
charts, along with bug fixes in the CLI and destination. This release also
adds Kubernetes-aware autocompletion to all viz commands and makes
ServiceProfiles part of the default viz install.
Finally, the proxy has been updated to continue supporting requests without
l5d-dst-override in ingress-mode proxies, to no longer include query parameters
in the OpenCensus trace spans, and to prevent timeouts with controller clients
of components with more than one replica.
hint.OpaqueTransport field from not being set when
l5d-dst-override in ingress-mode proxies
linkerd check --proxy failure with pods that are part of Jobs
viz install to also include ServiceProfiles of its components.
linkerd diagnostics install-sp cmd has been removed
ServiceProfile.dstOverrides over TrafficSplit when both are present for a service
collector and jaeger components in the
nodeselector, toleration fields for components
podAnnotations field
--addon-overwrite flag in linkerd upgrade
Published by github-actions[bot] over 3 years ago
This edge release updates the proxy-init container to check whether the iptables
rules have already been added, which prevents errors if the proxy-init container
is restarted. Also, the viz stat command now has tab completion for Kubernetes
resources, saving you precious keystrokes! Finally, the proxy has been updated
with several fixes and improvements.
build.md for using a locally built proxy
viz stat
proxy-init to skip configuring firewall if rules exist
viz uninstall to delete all RBAC objects (thanks @aryan9600!)
l5d-client-id header on mutually-authenticated inbound requests so
l5d-dst-override header on outbound
Published by github-actions[bot] over 3 years ago
This stable release fixes a proxy task leak that could be triggered when clients
disconnect when a service is in failfast. It also includes fixes for the fuzz
testing that was performed on the proxy and its dependencies; check out the
"Introducing fuzz testing for Linkerd" blog post for a summary of that work!
check command so that
Published by github-actions[bot] over 3 years ago
This edge release adds support for versioned hint URLs in linkerd check and
support for traffic splitting through ServiceProfiles, among other fixes and
improvements. Additionally, more options have been added to the
linkerd-multicluster and linkerd-jaeger helm charts.
dstOverrides
nodePorts option to the multicluster helm chart (thanks @psmit!).
nodeSelector and toleration options to the linkerd-jaeger helm chart
check command when encountering an
check command where error messages for
l5d-dst-override header and by failing non-HTTP communication. Proxies
Published by github-actions[bot] over 3 years ago
This stable release fixes an issue where the destination service is throttled
after overwhelming the Kubernetes API server with node topology queries. This
results in the destination service failing requests and spiking in latency. By
moving to a shared informer for these queries, the information is now fetched
asynchronously.
Published by github-actions[bot] over 3 years ago
This edge release adds a new --short flag to linkerd check to show a
summary of the check output. This release also includes various proxy bug fixes
and improvements.
--short flag to the check command to output a summary