conduit v22.3.5 Release Notes
-
🚀 This edge release introduces new policy CRDs that allow for more generalized authorization policies.
The
AuthorizationPolicy
CRD authorizes clients that satisfy all the required authentications to communicate with the LinkerdServer
that it targets. Required authentications are specified through the newMeshTLSAuthentication
andNetworkAuthentication
CRDs.A
MeshTLSAuthentication
defines a list of authenticated client IDs—specified directly by proxy identity strings or referencing resources such asServiceAccount
s.A
NetworkAuthentication
defines a list of client networks that will be authenticated.➕ Additionally, to support the new CRDs, policy-related labels have been changed 👍 to better categorize policy metrics. A
srv_kind
label has been introduced which splits the currentsrv_name
value—formatted askind:name
—into separate 🚚 labels. Thesaz_name
label has been removed and is replaced by the newauthz_kind
andauthz_name
labels.- Introduced the
srv_kind
label which allowed splitting the value of the currentsrv_name
label - Removed the
saz_name
label and replaced it with the newauthz_kind
andauthz_name
labels - 🛠 Fixed an issue in the destination controller where an update would not be sent after an endpoint was discovered for a currently empty service
- 👍 Introduced the following custom resource types to support generalized
authorization policies:
AuthorizationPolicy
,MeshTLSAuthentication
,NetworkAuthentication
- 🗄 Deprecated the
--proxy-version
flag (thanks @importhuman!) - ⚡️ Updated linkerd-viz to use new policy CRDs
- Introduced the