Changelog History
Page 1
-
v22.11.2 Changes
๐ This edge release introduces the use of the Kubernetes metadata API in the proxy-injector and tap-injector components. This can reduce the IO and memory ๐ footprint for those components as they now only need to track the metadata for certain resources, rather than the entire resource itself. Similar changes will ๐ be made for the destination component in an upcoming release.
- โฌ๏ธ Bumped HTTP dependencies to fix a potential deadlock in HTTP/2 clients
- ๐ Changed the proxy-injector and tap-injector components to use the metadata API which should result in less memory consumption
-
v22.11.1 Changes
๐ This edge releases ships a few fixes in Linkerd's dashboard, and the ๐ multicluster extension. Additionally, a regression has been fixed in the CLI โฌ๏ธ that blocked upgrades from versions older than 2.12.0, due to missing CRDs ๐ (even if the CRDs were present in-cluster). Finally, the release includes ๐ changes to the helm charts to allow for arbitrary (user-provided) labels on ๐ Linkerd workloads.
- ๐ Fixed an issue in the CLI where upgrades from any version prior to
stable-2.12.0 would fail when using the
--from-manifest
flag - โ Removed un-injectable namespaces, such as kube-system from unmeshed resource notification in the dashboard (thanks @MoSattler!)
- ๐ Fixed an issue where the dashboard would respond to requests with 404 due to wrong root paths in the HTML script (thanks @junnplus!)
- โ Removed the proxyProtocol field in the multicluster gateway policy; this has the effect of changing the protocol from 'HTTP/1.1' to 'unknown' (thanks @psmit!)
- ๐ Fixed the multicluster gateway UID when installing through the CLI, prior to this change the 'runAsUser' field would be empty
- ๐ Changed the helm chart for the control plane and all extensions to support arbitrary labels on resources (thanks @bastienbosser!)
- ๐ Fixed an issue in the CLI where upgrades from any version prior to
stable-2.12.0 would fail when using the
-
v22.10.3 Changes
๐ This edge release adds
network-validator
, a new init container to be used when CNI is enabled.network-validator
ensures that local iptables rules are working as expected. It will validate this before linkerd-proxy starts.network-validator
replaces thenoop
container, runs asnobody
, and drops all capabilities before starting.- ๐ง Validate CNI
iptables
configuration during pod startup - ๐ Fix "cluster networks contains all services" fails with services with no ClusterIP
- โ Remove kubectl version check from
linkerd check
(thanks @ziollek!) - Set
readOnlyRootFilesystem: true
in viz chart (thanks @mikutas!) - ๐ Fix
linkerd multicluster install
by re-addingpause
container image in chart - ๐ linkerd-viz have hardcoded image value in namespace-metadata.yml template bug correction (thanks @bastienbosser!)
- ๐ง Validate CNI
-
v22.10.2 Changes
๐ This edge release fixes an issue with CNI chaining that was preventing the ๐ Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also ๐ includes several other fixes.
- โก๏ธ Updated Grafana dashboards to use variable duration parameter so that they can be used when Prometheus has a longer scrape interval (thanks @TarekAS)
- ๐ Fixed handling of .conf files in the CNI plugin so that the Linkerd CNI plugin can be used alongside other CNI plugins such as Cilium
- โ Added a
linkerd diagnostics policy
command to inspect Linkerd policy state - โ Added a check that ClusterIP services are in the cluster networks
- โ Added a noop init container to injected pods when the CNI plugin is enabled to prevent certain scenarios where a pod can get stuck without an IP address
- ๐ Fixed a bug where the
config.linkerd.io/proxy-version
annotation could be empty
-
v22.10.1 Changes
๐ This edge release fixes some sections of the Viz dashboard appearing blank, and โ adds an optional PodMonitor resource to the Helm chart to enable easier ๐ integration with the Prometheus Operator. It also includes many fixes submitted by our contributors.
- ๐ Fixed the dashboard sections Tap, Top, and Routes appearing blank (thanks @MoSattler!)
- โ Added an optional PodMonitor resource to the main Helm chart (thanks @jaygridley!)
- ๐ Fixed the CLI ignoring the
--api-addr
flag (thanks @mikutas!) - Expanded the
linkerd authz
command to display AuthorizationPolicy resources that target namespaces (thanks @aatarasoff!) - ๐ Fixed the
NotIn
label selector operator in the policy resources, being erroneously treated asIn
. - ๐ Fixed warning logic around the "linkerd-viz ClusterRoles exist" and
"linkerd-viz ClusterRoleBindings exist" checks in
linkerd viz check
- ๐ Fixed proxies emitting some duplicate inbound metrics
-
v22.9.2 Changes
๐ This release fixes an issue where the jaeger injector would put pods into an โฌ๏ธ error state when upgrading from stable-2.11.x.
- โก๏ธ Updated AdmissionRegistration API version usage to v1
- ๐ Fixed jaeger injector interfering with upgrades to 2.12.x
-
v22.9.1 Changes
๐ This release adds the
linkerd.io/trust-root-sha256
annotation to all injected workloads allowing predictable comparison of all workloads' trust anchors via the Kubernetes API.โ Additionally, this release lowers the inbound connection pool idle timeout to 3s. This should help avoid socket errors, especially for Kubernetes probes.
- โ Added
linkerd.io/trust-root-sha256
annotation on all injected workloads to indicate certifcate bundle - โฑ Lowered inbound connection pool idle timeout to 3s
- โช Restored
namespace
field in Linkerd helm charts - โก๏ธ Updated fields in
AuthorizationPolicy
andMeshTLSAuthentication
to conform to specification (thanks @aatarasoff!) - โก๏ธ Updated the identity controller to not require a
ClusterRoleBinding
to read all deployment resources.
- โ Added
-
v22.8.3 Changes
Increased control plane HTTP servers' read timeouts so that they no longer 0๏ธโฃ match the default probe intervals. This was leading to closed connections and decreased controller success rate.
-
v22.8.2 Changes
๐ This release is considered a release candidate for stable-2.12.0 and we โก๏ธ encourage you to try it out! It includes an update to the multicluster extension โก๏ธ which adds support for Kubernetes v1.24 and also updates many CLI commands to ๐ support the new policy resources: ServerAuthorization and HTTPRoute.
- โก๏ธ Updated linkerd check to allow RSA signed trust anchors (thanks @danibaeyens!)
- ๐ Fixed some invalid yaml in the viz extension's tap-injector template (thanks @wc-s!)
- โ Added support for AuthorizationPolicy and HttpRoute to viz authz command
- โ Added support for AuthorizationPolicy and HttpRoute to viz stat
- โ Added support for policy metadata in linkerd tap
- ๐ Fixed an issue where certain control plane components were not restarting as necessary after a trust root rotation
- โ Added a ServiceAccount token Secret to the multicluster extension to support Kubernetes versions >= v1.24
- ๐ Fixed an issue where the --default-inbound-policy setting was not being respected
-
v22.8.1 Changes
๐ This releases introduces default probe authorization. This means that on 0๏ธโฃ clusters that use a default
deny
policy, probes do not have to be explicitly authorized using policy resources. Additionally, thepolicyController.probeNetworks
Helm value has been added, which allows users ๐ง to configure the networks that probes are expected to be performed from.โ Additionally, the
linkerd authz
command has been updated to support the policy resources AuthorizationPolicy and HttpRoute.Finally, some smaller changes include allowing to disable
linkerd-await
on ๐ง control plane components (using the existingproxy.await
configuration) and 0๏ธโฃ changing the default iptables mode back tolegacy
to support more cluster 0๏ธโฃ environments by default.- โก๏ธ Updated the
linkerd authz
command to support AuthorizationPolicy and HttpRoute resources - ๐ Changed the
proxy.await
Helm value so that users can now disablelinkerd-await
on control plane components - โ Added probe authorization by default allowing clusters that use a default
deny
policy to not explicitly need to authorize probes - โ Added ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode
- โ Added the
policyController.probeNetworks
Helm value for configuring the networks that probes are expected to be performed from - ๐ Changed the default iptables mode to
legacy
- โก๏ธ Updated the