Changelog History
-
v2.12.0 Changes
This release introduces route-based policy to Linkerd, allowing users to define and enforce authorization policies based on HTTP routes in a fully zero-trust way. These policies are built on Linkerd's strong workload identities, secured by mutual TLS, and configured using types from the Kubernetes Gateway API.
The 2.12 release also introduces optional request logging ("access logging" after its name in webservers), optional support for `iptables-nft`, and a host of other improvements and performance enhancements. Additionally, the `linkerd-smi` extension is now required to use TrafficSplit, and the installation process has been updated to separate management of the Linkerd CRDs from the main installation process. With the CLI, you'll need to run `linkerd install --crds` before running `linkerd install`; with Helm, you'll install the new `linkerd-crds` chart, then the `linkerd-control-plane` chart. These charts are now versioned using SemVer independently of Linkerd releases. For more information, see the [upgrade notes][upgrade-2120].
Upgrade notes: Please see the [upgrade instructions][upgrade-2120].
Proxy
- Added a `config.linkerd.io/shutdown-grace-period` annotation to limit the duration that the proxy may wait for graceful shutdown
- Added a `config.linkerd.io/access-log` annotation to enable logging of workload requests
- Added a new `iptables-nft` mode for the `proxy-init` initContainer
- Added support for non-HTTP traffic forwarding within the mesh in `ingress` mode
- Added the `/env.json` log diagnostic endpoint
- Added a new `process_uptime_seconds_total` metric to track proxy uptime in seconds
- Added support for dynamically discovering policies for ports that are not documented in a pod's `containerPorts`
- Added support for route-based inbound HTTP metrics (`route_group`/`route_kind`/`route_name`)
- Added a new annotation to configure skipping subnets in the init container (`config.linkerd.io/skip-subnets`), needed e.g. in Docker-in-Docker workloads (thanks @michaellzc!)
Control Plane
- Added support for per-route policy by supporting AuthorizationPolicy resources which can target HttpRoute or Server resources
- Added support for bound service account token volumes for the control plane and injected workloads
- Removed kube-system exclusions from watchers to fix service discovery for workloads in the kube-system namespace (thanks @JacobHenner!)
- Updated healthcheck to ignore `Terminated` state for pods (thanks @AgrimPrasad!)
- Updated the default policy controller log level to `info`; the controller will now emit INFO level logs for some of its dependencies
- Added probe authorization by default, allowing clusters that use a default `deny` policy to not explicitly need to authorize probes
- Fixed an issue where the proxy-injector would break when using `nodeAffinity` values for the control plane
- Fixed an issue where certain control plane components were not restarting as necessary after a trust root rotation
- Removed SMI functionality in the default Linkerd installation; this is now part of the `linkerd-smi` extension
CLI
- Fixed the `linkerd check` command crashing when unexpected pods are found in a Linkerd namespace
- Updated the `linkerd authz` command to support AuthorizationPolicy and HttpRoute resources
- Updated `linkerd check` to allow RSA signed trust anchors (thanks @danibaeyens!)
- `linkerd install --crds` must be run before `linkerd install`
- `linkerd upgrade --crds` must be run before `linkerd upgrade`
- Fixed invalid yaml syntax in the viz extension's tap-injector template (thanks @wc-s!)
- Fixed an issue where the `--default-inbound-policy` setting was not being respected
- Added support for AuthorizationPolicy and HttpRoute to `viz authz` command
- Added support for AuthorizationPolicy and HttpRoute to `viz stat` command
- Added support for policy metadata in `linkerd viz tap`
Helm
- Split the `linkerd2` chart into `linkerd-crds` and `linkerd-control-plane`
- Charts are now versioned using SemVer independently of Linkerd releases
- Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)
- Changed the `proxy.await` Helm value so that users can now disable `linkerd-await` on control plane components
- Added the `policyController.probeNetworks` Helm value for configuring the networks that probes are expected to be performed from
Extensions
- Added annotations to allow Linkerd extension deployments to be evicted by the autoscaler when necessary
- Added ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode
- Added a ServiceAccount token Secret to the multicluster extension to support Kubernetes versions >= v1.24
This release includes changes from a massive list of contributors, including engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and others. A special thank-you to everyone who helped make this release possible:
Agrim Prasad @AgrimPrasad, Ahmed Al-Hulaibi @ahmedalhulaibi, Aleksandr Tarasov @aatarasoff, Alexander Berger @alex-berger, Ao Chen @chenaoxd, Badis Merabet @badis, Bjørn @Crevil, Brian Dunnigan @bdun1013, Christian Schlotter @chrischdi, Dani Baeyens @danibaeyens, David Symons @multimac, Dmitrii Ermakov @ErmakovDmitriy, Elvin Efendi @ElvinEfendi, Evan Hines @evan-hines-firebolt, Eng Zer Jun @Juneezee, Gustavo Fernandes de Carvalho @gusfcarvalho, Harry Walter @haswalt, Israel Miller @imiller31, Jack Gill @jackgill, Jacob Henner @JacobHenner, Jacob Lorenzen @Jaxwood, Joakim Roubert @joakimr-axis, Josh Ault @jault-figure, João Soares @jasoares, jtcarnes @jtcarnes, Kim Christensen @kichristensen, Krzysztof Dryś @krzysztofdrys, Lior Yantovski @lioryantov, Martin Anker Have @mahlunar, Michael Lin @michaellzc, Michał Romanowski @michalrom089, Naveen Nalam @nnalam, Nick Calibey @ncalibey, Nikola Brdaroski @nikolabrdaroski, Or Shachar @or-shachar, Pål-Magnus Slåtto @dev-slatto, Raman Gupta @rocketraman, Ricardo Gândara Pinto @rmgpinto, Roberth Strand @roberthstrand, Sankalp Rangare @sankalp-r, Sascha Grunert @saschagrunert, Steve Gray @steve-gray, Steve Zhang @zhlsunshine, Takumi Sue @mikutas, Tanmay Bhat @tanmay-bhat, Táskai Dominik @dtaskai, Ujjwal Goyal @importhuman, Weichung Shaw @wc-s, Wim de Groot @wim-de-groot, Yannick Utard @utay, Yurii Dzobak @yuriydzobak, 罗泽轩 @spacewander
[upgrade-2120]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2120
-
v2.12.0-rc2 Changes
This release is the second release candidate for stable-2.12.0.
At this point the Helm charts can be retrieved from the stable repo:

```bash
helm repo add linkerd https://helm.linkerd.io/stable
helm repo up
helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
helm install linkerd-control-plane \
  -n linkerd \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  linkerd/linkerd-control-plane
```

The following lists all the changes since edge-22.8.2:
- Fixed inheritance of the `linkerd.io/inject` annotation from Namespace to Workloads when its value is `ingress`
- Added the `config.linkerd.io/default-inbound-policy: all-authenticated` annotation to linkerd-multicluster's Gateway deployment so that all clients are required to be authenticated
- Added a `ReadHeaderTimeout` of 10s to all the Go `http.Server` instances, to avoid being vulnerable to "slowloris" attacks
- Added a check in `linkerd viz check --proxy` to warn in case namespaces have the `config.linkerd.io/default-inbound-policy: deny` annotation, which would not authorize scrapes coming from the linkerd-viz Prometheus instance
- Added validation for accepted values for the `--default-inbound-policy` flag
- Fixed invalid URL in the `linkerd install --help` output
- Added `--destination-pod` flag to the `linkerd diagnostics endpoints` subcommand
- Added `proxyInit.runAsUser` in `values.yaml` defaulting to non-zero, to complement the new default `proxyInit.runAsRoot: false` that was recently changed
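The `ReadHeaderTimeout` change above is the standard Go defence against a client that opens a connection, trickles in part of a request head and never finishes it, tying up a server goroutine and a file descriptor per connection. The following is an added example, not Linkerd's code: it serves a Go `http.Server` on a loopback port with and without `ReadHeaderTimeout`, sends one incomplete request head, and checks whether the server is still holding the connection after the timeout window. The trivial handler, the loopback port and the 300ms demo timeout are assumptions; Linkerd's value is 10s.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// newServer builds a Go http.Server with a trivial handler (an assumption for
// the demo). readHeaderTimeout == 0 reproduces Go's default of waiting for the
// request head indefinitely; Linkerd 2.12.0-rc2 sets it to 10s.
func newServer(readHeaderTimeout time.Duration) *http.Server {
	return &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.WriteHeader(http.StatusOK)
		}),
		ReadHeaderTimeout: readHeaderTimeout,
	}
}

// slowHeaderConnStaysOpen serves srv on a loopback port, opens one connection,
// writes an incomplete request head (the blank line ending the headers is never
// sent), stays silent for idle, and reports whether the server is still holding
// the connection open (true) or has torn it down (false).
func slowHeaderConnStaysOpen(srv *http.Server, idle time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln) // returns http.ErrServerClosed once srv.Close runs below
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()

	// Partial request head: request line and one header, no terminating CRLF CRLF,
	// so the server cannot finish parsing and never dispatches to the handler.
	partial := "GET / HTTP/1.1\r\nHost: example.invalid\r\nX-Slow: 1\r\n"
	if _, err := io.WriteString(conn, partial); err != nil {
		return false, err
	}
	time.Sleep(idle)

	// Probe the socket under a short read deadline. Hitting the deadline means
	// the server is still waiting for the rest of the head (connection open);
	// EOF or a reset means the server's header timeout closed the connection.
	if err := conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond)); err != nil {
		return false, err
	}
	buf := make([]byte, 512)
	for {
		if _, err := conn.Read(buf); err != nil {
			if ne, ok := err.(net.Error); ok && ne.Timeout() {
				return true, nil
			}
			return false, nil
		}
	}
}

func main() {
	cases := []struct {
		name    string
		timeout time.Duration
	}{
		{"ReadHeaderTimeout unset (Go default)", 0},
		{"ReadHeaderTimeout=300ms (hardened)", 300 * time.Millisecond},
	}
	for _, tc := range cases {
		open, err := slowHeaderConnStaysOpen(newServer(tc.timeout), 700*time.Millisecond)
		if err != nil {
			fmt.Printf("%s: error: %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%s: slow client still holds a connection after 700ms: %v\n", tc.name, open)
	}
}
```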
-
v2.11.0 Changes
This release introduces access control policies. Default policies may be configured at the cluster- and workspace-levels; and fine grained policies may be instrumented via the new `policy.linkerd.io/v1beta1` CRDs: `Server` and `ServerAuthorization`. These resources may be created to define how individual ports accept connections; and the `Server` resource will be a building block for future features that configure inbound proxy behavior.
Furthermore, `ServiceProfile` retry configurations can now instrument retries for requests with bodies. This unlocks retry behavior for gRPC services.
Upgrade notes: Please see the [upgrade instructions][upgrade-2110].
Proxy
- Reduced CPU & Memory usage by up to 30% in some load tests
- Updated retries to support requests with bodies up to 64KB. ServiceProfiles may now configure retries for gRPC services
- The proxy's container image is now based on `gcr.io/distroless/cc` to contain a minimal OS footprint that should not trigger unnecessary alerts in security scanners
- Added the `inbound_http_errors_total` and `outbound_http_errors_total` metrics to reflect errors that caused the proxy to respond with errors
- Added an `l5d-proxy-error` header that is included on responses on trusted connections for debugging purposes
- Added a `l5d-client-id` header on mutually-authenticated inbound requests so that applications can discover the client's identity
- Added metrics to reflect TCP and HTTP authorization decisions
- Added `srv_name` and `saz_name` labels to inbound HTTP metrics
- Fixed an issue that could cause the proxy to continually reconnect to defunct service endpoints
- Dropped support for non-HTTP outbound services when `linkerd.io/inject: ingress` is used
- Instrumented fuzz testing to help guard against unexpected panics
Control Plane
- Added a new `policy-controller` container to the `linkerd-destination` pod, the first control plane component implemented in Rust
- Added a new admission controller to validate that multiple `Server` resources do not reference the same port
- Added a `linkerd-identity-trust-roots` ConfigMap which configures the trust root bundle for all pods in the core control plane namespace
- Eliminated the `linkerd-controller` deployment so that Linkerd's core control plane now consists of only 3 deployments
- Updated the proxy injector to configure the `proxy-init` container with `NET_RAW` and `NET_ADMIN` capabilities so that the container does not fail when the pod drops these capabilities
CLI
- Enhanced `linkerd completion` to expand Kubernetes resources from the current kubectl context
- Added an `authz` subcommand to display the authorization policies that impact a workload
- Added a short output mode for `linkerd check` that only prints failed checks
- Added support for `ReplicaSets` to `linkerd stat` so that pods created by `ArgoRollout` resources can be inspected
Helm: please see the [upgrade instructions][upgrade-2110].
Extensions:
- Introduced a new (optional) SMI extension responsible for reading `specs.smi-spec.io` resources and converting them to Linkerd resources
- In `stable-2.12`, this extension will be required to use `TrafficSplit` resources with Linkerd
- Added an extensions page to the Linkerd Web UI
- Viz
  - Added `Server` and `ServerAuthorization` resources for all ports
  - Added JSON log formatting
- Jaeger
  - Added OpenTelemetry collector instead of OpenCensus
- Multicluster
  - Added experimental support for `StatefulSet` workloads
This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible:
Gustavo Fernandes de Carvalho @gusfcarvalho, Oleg Vorobev @olegy2008, Bart Peeters @bartpeeters, Stepan Rabotkin @EpicStep, LiuDui @xichengliudui, Andrew Hemming @drewhemm, Ujjwal Goyal @importhuman, Knut Götz @knutgoetz, Sanni Michael @sannimichaelse, Brandon Sorgdrager @bsord, Gerald Pape @ubergesundheit, Alexey Kostin @rumanzo, rdileep13 @rdileep13, Takumi Sue @mikutas, Akshit Grover @akshitgrover, Sanskar Jaiswal @aryan9600, Aleksandr Tarasov @aatarasoff, Taylor @skinn, Miguel Ángel Pastor Olivar @migue, wangchenglong01 @wangchenglong01, Josh Soref @jsoref, Carol Chen @kipply, Peter Smit @psmit, Tarvi Pillessaar @tarvip, James Roper @jroper, Dominik Münch @muenchdo, Szymon Gibała @Szymongib, Mitch Hulscher @mhulscher
[upgrade-2110]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2110
-
v2.10.1 Changes
This stable release adds CLI support for Apple Silicon M1 chips and support for SMI's TrafficSplit `v1alpha2`.
There are several proxy fixes: handling `FailedPrecondition` errors gracefully, inbound TLS detection from non-meshed workloads, and using the correct cached client when the proxy is in ingress mode. The logging infrastructure has also been improved to reduce memory pressure in high-connection environments.
On the control-plane side, there have been several improvements to the destination service such as support for Host IP lookups and ignoring pods in "Terminating" state. It also updates the proxy-injector to add the opaque ports annotation to pods if their namespace has it set.
On the CLI side, `linkerd repair` has been updated to be aware of the control-plane version and suggest the relevant version to generate the right config. Various bugs have been fixed around `linkerd identity`, etc.
Upgrade notes: Please refer to the 2.10 upgrade instructions if you are upgrading from `2.9.x` or below versions.
Proxy:
- Fixed an issue where proxies could infinitely retry failed requests to the `destination` controller when it returned a `FailedPrecondition`
- The proxy's logging infrastructure has been updated to reduce memory pressure in high-connection environments.
- Fixed a caching issue in the outbound proxy that would cause it to forward traffic to the wrong pod when running in ingress mode.
- Fixed an issue where inbound TLS detection from non-meshed workloads could break
- Fixed an issue where the admin server's HTTP detection would fail and not recover; these are now handled gracefully and without logging warnings
- Control plane proxies no longer emit warnings about the resolution stream ending. This error was innocuous.
- Bumped the proxy-init image to v1.3.11 which updates the go version to be 1.16.2
Control Plane:
- Fixed an issue where the destination service would respond with too big of a header and result in http2 protocol errors
- Fixed an issue where the destination control plane component sometimes returned endpoint addresses with a 0 port number while pods were undergoing a rollout (thanks @riccardofreixo!)
- Fixed an issue where pod lookups by host IP and host port fail even though the cluster has a matching pod
- Updated the IP Watcher in destination to ignore pods in "Terminating" state (thanks @Wenliang-CHEN!)
- Modified the proxy-injector to add the opaque ports annotation to pods if their namespace has it set
- Added Support for TrafficSplit `v1alpha2`
- Updated all the control-plane components to use go `1.16.2`.
CLI:
- Fixed an issue where the linkerd identity command returned the root certificate of a pod instead of its leaf certificates
- Updated the release process to build Linkerd CLI binaries for Apple Silicon M1 chips
- Improved error messaging when trying to install Linkerd on a cluster that already had Linkerd installed
- Added a loading spinner to the linkerd check command when running extension checks
- Added installNamespace toggle in the jaeger extension's install. (thanks @jijeesh!)
- Updated healthcheck pkg to have hintBaseURL configurable, useful for external extensions using that pkg
- Fixed TCP read and write bytes/sec calculations to group by label based off inbound or outbound traffic
- Fixed an issue in linkerd inject where the wrong annotation would be added when using --ingress flag
- Updated `linkerd repair` to be aware of the client and server versions
- Updated `linkerd uninstall` to print error message when there are no resources to uninstall.
Helm:
- Aligned the Helm installation heartbeat schedule to match that of the CLI
Viz:
- Fixed an issue where the topology graph in the dashboard was no longer draggable.
- Updated dashboard build to use webpack v5
- Added CA certs to the Viz extension's metrics-api container so that it can validate the certificate of an external Prometheus
- Removed components from the control plane dashboard that now are part of the Viz extension
- Changed web's base image from debian to scratch
Multicluster:
- Fixed an issue with Multicluster's service mirror where its endpoint repair retries were not properly rate limited
Jaeger:
- Fixed components in the Jaeger extension to set the correct Prometheus scrape values
-
v2.10.0 Changes
This release introduces Linkerd extensions. The default control plane no longer includes Prometheus, Grafana, the dashboard, or several other components that previously shipped by default. This results in a much smaller and simpler set of core functionalities. Visibility and metrics functionality is now available in the Viz extension under the `linkerd viz` command. Cross-cluster communication functionality is now available in the Multicluster extension under the `linkerd multicluster` command. Distributed tracing functionality is now available in the Jaeger extension under the `linkerd jaeger` command.
This release also introduces the ability to mark certain ports as "opaque", indicating that the proxy should treat the traffic as opaque TCP instead of attempting protocol detection. This allows the proxy to provide TCP metrics and mTLS for server-speaks-first protocols. It also enables support for TCP traffic in the Multicluster extension.
Upgrade notes: Please see the upgrade instructions.
Proxy
- Updated the proxy to use TLS version 1.3; support for TLS 1.2 remains enabled for compatibility with prior proxy versions
- Improved support for server-speaks-first protocols by allowing ports to be marked as opaque, causing the proxy to skip protocol detection. Ports can be marked as opaque by setting the `config.linkerd.io/opaque-ports` annotation on the Pod and Service or by using the `--opaque-ports` flag with `linkerd inject`
- Ports `25,443,587,3306,5432,11211` have been removed from the default skip ports; all traffic through those ports is now proxied and handled opaquely by default
- Fixed an issue that could cause proxies in "ingress mode" (`linkerd.io/inject: ingress`) to use an excessive amount of memory
- Improved diagnostic logging around "fail fast" and "max-concurrency exhausted" error messages
- Added a new `/shutdown` admin endpoint that may only be accessed over the loopback network allowing batch jobs to gracefully terminate the proxy on completion
Control Plane
- Removed all components and functionality related to visibility, tracing, or multicluster. These have been moved into extensions
- Changed the identity controller to receive the trust anchor via environment variable instead of by flag; this allows the certificate to be loaded from a config map or secret (thanks @mgoltzsche!)
- Added PodDisruptionBudgets to the control plane components so that they cannot be all terminated at the same time during disruptions (thanks @tustvold!)
CLI
- Changed the `check` command to include each installed extension's `check` output; this allows users to check for proper configuration and installation of Linkerd without running a command for each extension
- Moved the `metrics`, `endpoints`, and `install-sp` commands into subcommands under the `diagnostics` command
- Added an `--opaque-ports` flag to `linkerd inject` to easily mark ports as opaque.
- Added the `repair` command which will repopulate resources needed for properly upgrading a Linkerd installation
- Added Helm-style `set`, `set-string`, `values`, `set-files` customization flags for the `linkerd install` and `linkerd upgrade` commands
- Introduced the `linkerd identity` command, used to fetch the TLS certificates for injected pods (thanks @jimil749)
- Removed the `get` and `logs` command from the CLI
Helm
- Changed many Helm values, please see the upgrade notes
Viz
- Introduced the `linkerd viz` subcommand which contains commands for installing the viz extension and all visibility commands
- Updated the Web UI to only display the "Gateway" sidebar link when the multicluster extension is active
- Added a `linkerd viz list` command to list pods with tap enabled
- Fixed an issue where the `tap` APIServer would not refresh its certs automatically when provided externally, like through cert-manager
Multicluster
- Introduced the `linkerd multicluster` subcommand which contains commands for installing the multicluster extension and all multicluster commands
- Added support for cross-cluster TCP traffic
- Updated the service mirror controller to copy the `config.linkerd.io/opaque-ports` annotation when mirroring services so that cross-cluster traffic can be correctly handled as opaque
- Added support for multicluster gateways of types other than LoadBalancer (thanks @DaspawnW!)
Jaeger
- Introduced the `linkerd jaeger` subcommand which contains commands for installing the jaeger extension and all tracing commands
- Added a `linkerd jaeger list` command to list pods with tracing enabled
This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible: Lutz Behnke, Björn Wenzel, Filip Petkovski, Simon Weald, GMarkfjard, hodbn, Hu Shuai, Jimil Desai, jiraguha, Joakim Roubert, Josh Soref, Kelly Campbell, Matei David, Mayank Shah, Max Goltzsche, Mitch Hulscher, Eugene Formanenko, Nathan J Mehl, Nicolas Lamirault, Oleh Ozimok, Piyush Singariya, Naga Venkata Pradeep Namburi, rish-onesignal, Shai Katz, Takumi Sue, Raphael Taylor-Davies, Yashvardhan Kukreja
-
v2.9.1 Changes
December 10, 2020 (stable-2.9.1)
This stable release contains a number of proxy enhancements: better support for high-traffic workloads, improved performance by eliminating unnecessary endpoint resolutions for TCP traffic and properly tearing down serverside connections when errors occur, and reduced memory consumption on proxies which maintain many idle connections (such as Prometheus' proxy).
On the CLI and control plane sides, it relaxes checks on root and intermediate certificates (following X509 best practices), and fixes two issues: one that prevented installation of the control plane into a custom namespace and one which failed to update endpoint information when a headless service was modified.
Proxy:
- Addressed some issues reported around clients seeing max-concurrency errors by increasing the default in-flight request limit to 100K pending requests
- Reduced the default idle connection timeout to 5s for outbound clients and for inbound clients to reduce the proxy's memory footprint, especially on Prometheus instances
- Fixed an issue where the proxy did not receive updated endpoint information when a headless service was modified
- Added HTTP/2 keepalive PING frames
- Removed logic to avoid redundant TCP endpoint resolution
- Fixed an issue where serverside connections were not torn down when an error occurred
CLI / Helm / Control Plane:
- Fixed a CLI issue where the `linkerd-namespace` flag was not honored when passed to the `install` and `upgrade` commands
- Fixed installing HA through the CLI (`linkerd install --ha`) that wasn't honoring some of the default settings found in `values-ha.yml`
- Force the webhook pods (proxy-injector, sp-validator and tap) to be restarted when upgrading through the CLI, if a secret they rely on changes
- Fixed multicluster installation using Helm (thanks @DaspawnW!)
- Updated `linkerd check` so that it doesn't attempt to validate the subject alternative name (SAN) on root and intermediate certificates. SANs for leaf certificates will continue to be validated
- Fixed an issue in the destination service where endpoints always included a protocol hint, regardless of the controller label being present or not
- Removed the `get` and `logs` command from the CLI
- No longer panic in rare cases when `linkerd-config` doesn't have an entry for `Global` configs (thanks @hodbn!)
-
v2.9.0 Changes
November 06, 2020 (stable-2.9.0)
This release extends Linkerd's zero-config mutual TLS (mTLS) support to all TCP connections, allowing Linkerd to transparently encrypt and authenticate all TCP connections in the cluster the moment it's installed. It also adds ARM support, introduces a new multi-core proxy runtime for higher throughput, adds support for Kubernetes service topologies, and lots, lots more, as described below:
(For upgrade instructions please check the docs)
Proxy
- Performed internal improvements for lower latencies under high concurrency
- Reduced performance impact of logging, especially when the `debug` or `trace` log levels are disabled
- Improved error handling for DNS errors encountered when discovering control plane addresses; this can be common during installation before all components have been started, allowing linkerd to continue to operate normally in HA during node outages
Control Plane
- Added support for topology-aware service routing to the Destination controller; when providing service discovery updates to proxies the Destination controller will now filter endpoints based on the service's topology preferences
- Added support for the new Kubernetes `EndpointSlice` resource to the Destination controller; Linkerd can be installed with the `--enable-endpoint-slices` flag to use this resource rather than the `Endpoints` API in clusters where this new API is supported
Dashboard
- Added new Spanish translations (please help us translate into your language!)
- Added new section for exposing multicluster gateway metrics
CLI
- Renamed the `--addon-config` flag to `--config` to clarify this flag can be used to set any Helm value
- Added fish shell completions to the `linkerd` command
Multicluster
- Replaced the single `service-mirror` controller with separate controllers that will be installed per target cluster through `linkerd multicluster link`
- Changed the mechanism for mirroring services: instead of relying on annotations on the target services, now the source cluster should specify which services from the target cluster should be exported by using a label selector
- Added support for creating multiple service accounts when installing multicluster with Helm to allow more granular revocation
- Added a multicluster `unlink` command for removing multicluster links
Prometheus
- Moved Linkerd's bundled Prometheus into an add-on (enabled by default); this makes the Linkerd Prometheus more configurable, gives it a separate upgrade lifecycle from the rest of the control plane, and allows users to disable the bundled Prometheus instance
- The long-awaited Bring-Your-Own-Prometheus case has been finally addressed: added `global.prometheusUrl` to the Helm config to have linkerd use an external Prometheus instance instead of the one provided by default
- Added an option to persist data to a volume instead of memory, so that historical metrics are available when Prometheus is restarted
- The helm chart can now configure persistent storage and limits
Other
- Added a new `linkerd.io/inject: ingress` annotation and accompanying `--ingress` flag to the `inject` command, to configure the proxy to support service profiles and enable per-route metrics and traffic splits for HTTP ingress controllers
- Changed the type of the injector and tap API secrets to `kubernetes.io/tls` so they can be provisioned by cert-manager
- Changed default docker image repository to `ghcr.io` from `gcr.io`; users who pull the images into private repositories should take note of this change
- Introduced support for authenticated docker registries
- Simplified the way that Linkerd stores its configuration; configuration is now stored as Helm values in the `linkerd-config` ConfigMap
- Added support for Helm configuration of per-component proxy resources requests
This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible:
Abereham G Wodajie, Alexander Berger, Ali Ariff, Arthur Silva Sens, Chris Campbell, Daniel Lang, David Tyler, Desmond Ho, Dominik Münch, George Garces, Herrmann Hinz, Hu Shuai, Jeffrey N. Davis, Joakim Roubert, Josh Soref, Lutz Behnke, MaT1g3R, Marcus Vaal, Markus, Matei David, Matt Miller, Mayank Shah, Naseem, Nil, OlivierB, Olukayode Bankole, Paul Balogh, Rajat Jindal, Raphael Taylor-Davies, Simon Weald, Steve Gray, Suraj Deshmukh, Tharun Rajendran, Wei Lun, Zhou Hao, ZouYu, aimbot31, iohenkies, memory and tbsoares
-
v2.8.1 Changes
This release fixes multicluster gateways support on EKS.
- The multicluster service-mirror has been extended to resolve DNS names for target clusters when an IP address is not known.
- Linkerd checks could fail when run from the dashboard. Thanks to @alex-berger for providing a fix!
- Have the service mirror controller check in `linkerd check` retry on failures.
- As of this version we're including a Chocolatey package (Windows) next to the other binaries in the release assets in GitHub.
- Base images have been updated:
  - debian:buster-20200514-slim
  - grafana/grafana:7.0.3
- The shell scripts under `bin` continued to be improved, thanks to @joakimr-axis!
-
v2.8.0 Changes
๐ This release introduces new a multi-cluster extension to Linkerd, allowing it to establish connections across Kubernetes clusters that are secure, transparent to the application, and work with any network topology.
- The CLI has a new set of
linkerd multicluster
sub-commands that provide tooling to create the resources needed to discover services across Kubernetes clusters. - The
linkerd multicluster gateways
command exposes gateway-specific telemetry to supplement the existingstat
andtap
commands. - 0๏ธโฃ The Linkerd-provided Grafana instance remains enabled by default, but it can now be disabled. When it is disabled, the Linkerd dashboard can be configured to link to an alternate, externally-managed Grafana instance.
- ๐ง Jaeger & OpenCensus are configurable as an [add-on][addon-2.8.0]; and the proxy has been improved to emit spans with labels that reflect its pod's metadata.
- The
linkerd-cni
component has been promoted from experimental to stable. linkerd profile --open-api
now honors thex-linkerd-retryable
andx-linkerd-timeout
OpenAPI annotations.- The Helm chart continues to become more flexible and modular, with new Prometheus configuration options. More information is available in the Helm chart README.
- gRPC stream error handling has been improved so that transport errors
are indicated to the client with a
grpc-status: UNAVAILABLE
trailer. - ๐จ The proxy's memory footprint could grow significantly when server-speaks-first-protocol connections hit the proxy. Now, a timeout is in place to prevent these connections from consuming resources.
- After benchmarking the proxy in high-concurrency situations, the inbound proxy has been improved to reduce contention, improving latency and reducing spurious timeouts.
- The proxy could fail requests to services that had only 1 request every 60 seconds. This race condition has been eliminated.
- Finally, users reported that ingress misconfigurations could cause the proxy to consume an entire CPU which could lead to timeouts. The proxy now attempts to prevent the most common traffic-loop scenarios to protect against this.
NOTE: Linkerd's `multicluster` extension does not yet work on Amazon EKS. We expect to follow this release with a stable-2.8.1 to address this issue. Follow #4582 for updates.

This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible: @aliariff, @amariampolskiy, @arminbuerkle, @arthursens, @christianhuening, @christyjacob4, @cypherfox, @daxmc99, @dr0pdb, @drholmie, @hydeenoble, @joakimr-axis, @jpresky, @kohsheen1234, @lewiscowper, @lundbird, @matei207, @mayankshah1607, @mmiller1, @naseemkullah, @sannimichaelse, & @supra08.

[addon-2.8.0]: https://github.com/linkerd/linkerd2/blob/4219955bdb5441c5fce192328d3760da13fb7ba1/charts/linkerd2/README.md#add-ons-configuration
-
v2.7.0 Changes
This release adds support for integrating Linkerd's PKI with an external certificate issuer such as `cert-manager`, as well as streamlining the certificate rotation process in general. For more details about cert-manager and certificate rotation, see the docs. This release also includes performance improvements to the dashboard, reduced memory usage of the proxy, various improvements to the Helm chart, and much much more.

To install this release, run:

`curl https://run.linkerd.io/install | sh`

Upgrade notes: This release includes breaking changes to our Helm charts. Please see the upgrade instructions.

Special thanks to: @alenkacz, @bmcstdio, @daxmc99, @droidnoob, @ereslibre, @javaducky, @joakimr-axis, @JohannesEH, @KIVagant, @mayankshah1607, @Pothulapati, and @StupidScience!

Full release notes:
- CLI
  - Updated the mTLS trust anchor checks to eliminate false positives caused by extra trailing spaces
  - Reduced the severity level of the Linkerd version checks, so that they don't fail when the external version endpoint is unreachable (thanks @mayankshah1607!)
  - Added a new `tap` APIService check to aid with uncovering Kubernetes API aggregation layer issues (thanks @droidnoob!)
  - Introduced CNI checks to confirm the CNI plugin is installed and ready; this is done through `linkerd check --pre --linkerd-cni-enabled` before installation and `linkerd check` after installation if the CNI plugin is present
  - Added support for the `--as-group` flag so that users can impersonate groups for Kubernetes operations (thanks @mayankshah1607!)
  - Added HA-specific checks to `linkerd check` to ensure that the `kube-system` namespace has the `config.linkerd.io/admission-webhooks:disabled` label set
  - Fixed a problem causing the presence of unnecessary empty fields in generated resource definitions (thanks @mayankshah1607)
  - Added the ability to pass both port numbers and port ranges to `--skip-inbound-ports` and `--skip-outbound-ports` (thanks to @javaducky!)
  - Increased the comprehensiveness of `linkerd check --pre`
  - Added TLS certificate validation to the `check` and `upgrade` commands
  - Added support for injecting CronJobs and ReplicaSets, as well as the ability to use them as targets in the CLI subcommands
  - Introduced the new flags `--identity-issuer-certificate-file`, `--identity-issuer-key-file` and `--identity-trust-anchors-file` to `linkerd upgrade` to support trust anchor and issuer certificate rotation
  - Added a check that ensures using `--namespace` and `--all-namespaces` together results in an error, as they are mutually exclusive
  - Added a `Dashboard.Replicas` parameter to the Linkerd Helm chart to allow configuring the number of dashboard replicas (thanks @KIVagant!)
  - Removed redundant service profile check (thanks @alenkacz!)
  - Updated the `uninject` command to work with namespace resources (thanks @mayankshah1607!)
  - Added a new `--identity-external-issuer` flag to `linkerd install` that configures Linkerd to use certificates issued by an external certificate issuer (such as `cert-manager`)
  - Added support for injecting a namespace to `linkerd inject` (thanks @mayankshah1607!)
  - Added checks to `linkerd check --preinstall` ensuring Kubernetes Secrets can be created and accessed
  - Fixed `linkerd tap` sometimes displaying incorrect pod names for unmeshed IPs that match multiple running pods
  - Made `linkerd install --ignore-cluster` and `--skip-checks` faster
  - Fixed a bug causing `linkerd upgrade` to fail when used with `--from-manifest`
  - Made `--cluster-domain` an install-only flag (thanks @bmcstdio!)
  - Updated `check` to ensure that proxy trust anchors match configuration (thanks @ereslibre!)
  - Added a condition to the `linkerd stat` command that requires a window size of at least 15 seconds to work properly with Prometheus
- Controller
  - Fixed an issue where an override of the Docker registry was not being applied to debug containers (thanks @javaducky!)
  - Added a check for the Subject Alternate Name attributes to the API server when access restrictions have been enabled (thanks @javaducky!)
  - Added support for arbitrary pod labels so that users can leverage the Linkerd-provided Prometheus instance to scrape for their own labels (thanks @daxmc99!)
  - Fixed an issue with CNI config parsing
  - Fixed a race condition in the `linkerd-web` service
  - Updated Prometheus to 2.15.2 (thanks @Pothulapati)
  - Increased minimum Kubernetes version to 1.13.0
  - Added support for pod IP and service cluster IP lookups in the destination service
  - Added recommended Kubernetes labels to the control plane
  - Added the `--wait-before-exit-seconds` flag to `linkerd inject` for the proxy sidecar to delay the start of its shutdown process (a huge commit from @KIVagant, thanks!)
  - Added a pre-sign check to the identity service
  - Fixed inject failures for pods with security context capabilities
  - Added `conntrack` to the `debug` container to help with connection tracking debugging
  - Fixed a bug in `tap` where a mismatch between cluster domain and trust domain caused `tap` to hang
  - Fixed an issue in the `identity` RBAC resource which caused start-up errors in k8s 1.6 (thanks @Pothulapati!)
  - Added support for using trust anchors from an external certificate issuer (such as `cert-manager`) to the `linkerd-identity` service
  - Added support for headless services (thanks @JohannesEH!)
- Helm
  - Breaking change: Renamed the `noInitContainer` parameter to `cniEnabled`
  - Breaking change: Updated Helm charts to follow best practices (thanks @Pothulapati and @javaducky!)
  - Fixed an issue with `helm install` where the lists of ignored inbound and outbound ports would not be reflected
  - Fixed the `linkerd-cni` Helm chart not setting proper namespace annotations and labels
  - Fixed certificate issuance lifetime not being set when installing through Helm
  - Updated the Helm build to retain previous releases
  - Moved the CNI template into its own Helm chart
- Proxy
  - Fixed an issue that could cause the OpenCensus exporter to stall
  - Improved error classification and error responses for gRPC services
  - Fixed a bug where the proxy could stop receiving service discovery updates, resulting in 503 errors
  - Improved debug/error logging to include detailed contextual information
  - Fixed a bug in the proxy's logging subsystem that could cause the proxy to consume memory until the process is OOM killed, especially when the proxy was configured to log diagnostic information
  - Updated proxy dependencies to address RUSTSEC-2019-0033, RUSTSEC-2019-0034, and RUSTSEC-2020-02
- Web UI
  - Fixed an error when refreshing an already open dashboard when the Linkerd version has changed
  - Increased the speed of the dashboard by pausing network activity when the dashboard is not visible to the user
  - Added support for CronJobs and ReplicaSets, including new Grafana dashboards for them
  - Added `linkerd check` to the dashboard in the `/controlplane` view
  - Added request and response headers to the `tap` expanded view in the dashboard
  - Added a filter to the namespace select button
  - Improved how empty tables are displayed
  - Added `Host:` header validation to the `linkerd-web` service, to protect against DNS rebinding attacks
  - Made the dashboard sidebar component responsive
  - Changed the navigation bar color to the one used on the Linkerd website
- Internal
  - Added validation to incoming sidecar injection requests that ensures the value of `linkerd.io/inject` is either `enabled` or `disabled` (thanks @mayankshah1607)
  - Upgraded the Prometheus Go client library to v1.2.1 (thanks @daxmc99!)
  - Fixed an issue causing `tap`, `injector` and `sp-validator` to use old certificates after `helm upgrade` due to not being restarted
  - Fixed an incomplete Swagger definition of the tap API, which caused benign error logging in the kube-apiserver
  - Removed the destination container from the linkerd-controller deployment, as it now runs in the linkerd-destination deployment
  - Allowed the control plane to be injected with the `debug` container
  - Updated the proxy image build script to support HTTP proxy options (thanks @joakimr-axis!)
  - Updated the CLI `doc` command to auto-generate documentation for the proxy configuration annotations (thanks @StupidScience!)
  - Added new `--trace-collector` and `--trace-collector-svc-account` flags to `linkerd inject` that configure the OpenCensus trace collector used by proxies in the injected workload (thanks @Pothulapati!)
  - Added a new `--control-plane-tracing` flag to `linkerd install` that enables distributed tracing in the control plane (thanks @Pothulapati!)
  - Added distributed tracing support to the control plane (thanks @Pothulapati!)