Skip to content

stable-2.13.0
Compare
Choose a tag to compare
@github-actions github-actions released this 11 Apr 02:16
· 1727 commits to main since this release
stable-2.13.0
This tag was signed with the committer’s verified signature.
hawkw Eliza Weisman
GPG key ID: F9C1A595C3814436
Learn about vigilant mode.
775dc9f
This commit was created on github.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

stable-2.13.0

This release introduces client-side policy to Linkerd, including dynamic routing
and circuit breaking. Gateway API HTTPRoutes
can now be used to configure policy for outbound (client) proxies as well as
inbound (server) proxies, by creating HTTPRoutes with Service resources as their
parentRef. See the Linkerd documentation for tutorials on dynamic request
routing and circuit breaking. New functionality for debugging HTTPRoute-based
policy is also included in this release, including new proxy metrics and the
ability to display outbound policies in the linkerd diagnostics policy CLI
command.

In addition, this release adds network-validator, a new init container to be
used when CNI is enabled. network-validator ensures that local iptables rules
are working as expected. It will validate this before linkerd-proxy starts.
network-validator replaces the noop container, runs as nobody, and drops
all capabilities before starting.

Finally, this release includes a number of bugfixes, performance improvements,
and other smaller additions.

Upgrade notes: Please see the upgrade instructions.

  • CRDs

    • HTTPRoutes may now have Service parents, to configure outbound policy
    • Updated HTTPRoute version from v1alpha1 to v1beta2

  • CLI

    • Added a new linkerd prune command to the CLI (including most extensions) to
      remove resources which are no longer part of Linkerd's manifests
    • Added additional shortnames for Linkerd policy resources (thanks @javaducky!)
    • The linkerd diagnostics policy command now displays outbound policy when
      the target resource is a Service

  • Control Plane

    • The policy controller now discovers outbound policy configurations from
      HTTPRoutes that target Services.
    • Added OutboundPolicies API, for use by linkerd-proxy to route
      outbound traffic
    • Added Prometheus /metrics endpoint to the admin server, with process
      metrics
    • Fixed QueryParamMatch parsing for HTTPRoutes
    • Added the policy status controller which writes the status field to
      HTTPRoutes when a parent reference Server accepts or rejects it
    • Added KubeAPI server ports to ignoreOutboundPorts of proxy-injector
    • No longer apply waitBeforeExitSeconds to control plane, viz and jaeger
      extension pods
    • Added support for the internalTrafficPolicy of a service (thanks @yc185050!)
    • Added block chomping to strip trailing new lines in ConfigMap (thanks @avdicl!)
    • Added protection against nil dereference in resources helm template
    • Added support for Pod Security Admission (Pod Security Policy resources are
      still supported but disabled by default)
    • Lowered non-actionable error messages in the Destination log to debug-level
      entries to avoid triggering false alarms (thanks @siddharthshubhampal!)
    • Fixed an issue with EndpointSlice endpoint reconciliation on slice deletion;
      when using more than one slice, a NoEndpoints event would be sent to the
      proxy regardless of the amount of endpoints that were still available
      (thanks @utay!)
    • Improved diagnostic log messages
    • Fixed sending of spurious profile updates
    • Removed unnecessary Namespaces access from the destination controller RBAC
    • Added the server_port_subscribers metric to track the number of subscribers
      to Server changes associated with a pod's port
    • Added the service_subscribers metric to track the number of subscribers to
      Service changes
    • Fixed a small memory leak in the opaque ports watcher

  • Proxy

    • Use the new OutboundPolicies API, supporting Gateway API-style routes
      in the outbound proxy
    • Added support for dynamic request routing based on HTTPRoutes
    • Added HTTP circuit breaking
    • Added outbound_route_backend_http_requests_total,
      outbound_route_backend_grpc_requests_total, and
      outbound_http_balancer_endpoints metrics
    • Changed the proxy's behavior when traffic splitting so that only services
      that are not in failfast are used. This will enable the proxy to manage
      failover without external coordination
    • Updated tokio (async runtime) in the proxy which should reduce CPU usage,
      especially for proxy's pod local (i.e in the same network namespace)
      communication

  • linkerd-proxy-init

    • Changed proxy-init iptables rules to be idempotent upon init pod
      restart (thanks @jim-minter!)
    • Improved logging in proxy-init and linkerd-cni
    • Added a proxyInit.privileged setting to control whether the proxy-init
      initContainer runs as a privileged process

  • CNI

    • Added static and dynamic port overrides for CNI eBPF to work with socket-level
      load balancing
    • Added network-validator init container to ensure that iptables rules are
      working as expected
    • Added a resources field in the linkerd-cni chart (thanks @jcogilvie!)

  • Viz

    • Added tap.ignoredHeaders Helm value to the linkerd-viz chart. This value
      allows users to specify a comma-separated list of header names which will be
      ignored by Linkerd Tap (thanks @ryanhristovski!)
    • Removed duplicate SecurityContext in Prometheus manifest
    • Added new flag --viz-namespace which avoids requiring permissions for
      listing all namespaces in linkerd viz subcommands (thanks @danibaeyens!)
    • Removed the TrafficSplit page from the Linkerd viz dashboard (thanks
      @h-dav!)
    • Introduced new values in the viz chart to allow for arbitrary annotations
      on the Service objects (thanks @sgrzemski!)
    • Added an optional AuthorizationPolicy to authorize Grafana to Prometheus
      in the Viz extension

  • Multicluster

    • Removed duplicate AuthorizationPolicy for probes from the multicluster
      gateway Helm chart
    • Updated wording for linkerd-multicluster cluster when it fails to probe a
      remote gateway mirror
    • Added multicluster gateway nodeSelector and tolerations helm parameters
    • Added new configuration options for the multicluster gateway:
      • gateway.deploymentAnnotations
      • gateway.terminationGracePeriodSeconds (thanks @bunnybilou!)
      • gateway.loadBalancerSourceRanges (thanks @Tyrion85!)

  • Extensions

    • Removed dependency on the curlimages/curl 3rd-party image used to initialize
      extensions namespaces metadata (so they are visible by linkerd check),
      replaced by the new extension-init image
    • Converted ServerAuthorization resources to AuthorizationPolicy resources
      in Linkerd extensions
    • Removed policy resources bound to admin servers in extensions (previously
      these resources were used to authorize probes but now are authorized by
      default)
    • Fixed the link to the Jaeger dashboard the in viz dashboard (thanks
      @eugenegoncharuk!)
    • Updated linkerd-jaeger's collector to expose port 4318 in order support HTTP
      alongside gRPC (thanks @uralsemih!)

  • Among other dependency updates, the no-longer maintained ghodss/yaml library
    was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)

This release includes changes from a massive list of contributors! A special
thank-you to everyone who helped make this release possible:

Contributors

eugenegoncharuk, jcogilvie, and 14 other contributors
Assets 15
Loading