Linkerd - stable-2.12.0
This release introduces route-based policy to Linkerd, allowing users to define
and enforce authorization policies based on HTTP routes in a fully zero-trust
way. These policies are built on Linkerd's strong workload identities, secured
by mutual TLS, and configured using types from the Kubernetes Gateway
API.
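A sketch of what such a route-based policy looks like, as an added example that is not part of the release notes: a Server selects a workload port, an HTTPRoute names one route on it, and an AuthorizationPolicy admits only a given mTLS identity on that route. The namespace, labels, port name, path and ServiceAccount identity are constructed placeholders.

```yaml
# Added example; every name, label, path and identity here is constructed.
# Server: the inbound workload port that policy attaches to.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata: {namespace: demo, name: api-http}
spec:
  podSelector: {matchLabels: {app: api}}
  port: http
---
# HTTPRoute (written "HttpRoute" in these notes): one route on that Server.
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPRoute
metadata: {namespace: demo, name: api-read-orders}
spec:
  parentRefs:
    - {group: policy.linkerd.io, kind: Server, name: api-http}
  rules:
    - matches:
        - path: {type: PathPrefix, value: /orders}
          method: GET
---
# MeshTLSAuthentication: workload identities (proven by mutual TLS) to admit.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata: {namespace: demo, name: frontend-only}
spec:
  identities:
    - frontend.demo.serviceaccount.identity.linkerd.cluster.local
---
# AuthorizationPolicy: requires that authentication for the route above.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata: {namespace: demo, name: api-read-orders-authz}
spec:
  targetRef: {group: policy.linkerd.io, kind: HTTPRoute, name: api-read-orders}
  requiredAuthenticationRefs:
    - {group: policy.linkerd.io, kind: MeshTLSAuthentication, name: frontend-only}
```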
The 2.12 release also introduces optional request logging ("access logging"
after its name in webservers), optional support for `iptables-nft`, and a host
of other improvements and performance enhancements.
Additionally, the `linkerd-smi` extension is now required to use TrafficSplit,
and the installation process has been updated to separate management of the
Linkerd CRDs from the main installation process. With the CLI, you'll need to
`linkerd install --crds` before running `linkerd install`; with Helm, you'll
install the new `linkerd-crds` chart, then the `linkerd-control-plane` chart.
These charts are now versioned using SemVer independently of Linkerd releases.
For more information, see the upgrade notes.
Upgrade notes: Please see the upgrade instructions.
- Proxy
  - Added a `config.linkerd.io/shutdown-grace-period` annotation to limit the
    duration that the proxy may wait for graceful shutdown
  - Added a `config.linkerd.io/access-log` annotation to enable logging of
    workload requests
  - Added a new `iptables-nft` mode for the `proxy-init` initContainer
  - Added support for non-HTTP traffic forwarding within the mesh in `ingress`
    mode
  - Added the `/env.json` log diagnostic endpoint
  - Added a new `process_uptime_seconds_total` metric to track proxy uptime in
    seconds
  - Added support for dynamically discovering policies for ports that are not
    documented in a pod's `containerPorts`
  - Added support for route-based inbound HTTP metrics
    (`route_group`/`route_kind`/`route_name`)
  - Added a new annotation to configure skipping subnets in the init container
    (`config.linkerd.io/skip-subnets`), needed e.g. in Docker-in-Docker
    workloads (thanks @michaellzc!)
- Control Plane
  - Added support for per-route policy by supporting AuthorizationPolicy
    resources which can target HttpRoute or Server resources
  - Added support for bound service account token volumes for the control plane
    and injected workloads
  - Removed kube-system exclusions from watchers to fix service discovery for
    workloads in the kube-system namespace (thanks @JacobHenner!)
  - Updated healthcheck to ignore `Terminated` state for pods (thanks
    @AgrimPrasad!)
  - Updated the default policy controller log level to `info`; the controller
    will now emit INFO level logs for some of its dependencies
  - Added probe authorization by default, allowing clusters that use a default
    `deny` policy to not explicitly need to authorize probes
  - Fixed an issue where the proxy-injector would break when using
    `nodeAffinity` values for the control plane
  - Fixed an issue where certain control plane components were not restarting as
    necessary after a trust root rotation
  - Removed SMI functionality in the default Linkerd installation; this is now
    part of the `linkerd-smi` extension
- CLI
  - Fixed the `linkerd check` command crashing when unexpected pods are found in
    a Linkerd namespace
  - Updated the `linkerd authz` command to support AuthorizationPolicy and
    HttpRoute resources
  - Updated `linkerd check` to allow RSA signed trust anchors (thanks
    @danibaeyens!)
  - `linkerd install --crds` must be run before `linkerd install`
  - `linkerd upgrade --crds` must be run before `linkerd upgrade`
  - Fixed invalid yaml syntax in the viz extension's tap-injector template
    (thanks @wc-s!)
  - Fixed an issue where the `--default-inbound-policy` setting was not being
    respected
  - Added support for AuthorizationPolicy and HttpRoute to `viz authz` command
  - Added support for AuthorizationPolicy and HttpRoute to `viz stat` command
  - Added support for policy metadata in `linkerd viz tap`
- Helm
  - Split the `linkerd2` chart into `linkerd-crds` and `linkerd-control-plane`
  - Charts are now versioned using SemVer independently of Linkerd releases
  - Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)
  - Changed the `proxy.await` Helm value so that users can now disable
    `linkerd-await` on control plane components
  - Added the `policyController.probeNetworks` Helm value for configuring the
    networks that probes are expected to be performed from
- Extensions
  - Added annotations to allow Linkerd extension deployments to be evicted by
    the autoscaler when necessary
  - Added ability to run the Linkerd CNI plugin in non-chained (stand-alone)
    mode
  - Added a ServiceAccount token Secret to the multicluster extension to support
    Kubernetes versions >= v1.24

This release includes changes from a massive list of contributors, including
engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and
others. A special thank-you to everyone who helped make this release possible:
@AgrimPrasad, Ahmed Al-Hulaibi @ahmedalhulaibi, Aleksandr Tarasov @aatarasoff,
Alexander Berger @alex-berger, Ao Chen @chenaoxd, Badis Merabet @badis,
Bjørn @Crevil, @bdun1013, Christian Schlotter @chrischdi,
Dani Baeyens @danibaeyens, David Symons @multimac,
Dmitrii Ermakov @ErmakovDmitriy, Elvin Efendi @ElvinEfendi,
Evan Hines @evan-hines-firebolt, Eng Zer Jun @Juneezee,
Gustavo Fernandes de Carvalho @gusfcarvalho, Harry Walter @haswalt,
Israel Miller @imiller31, Jack Gill @jackgill, Jacob Henner @JacobHenner,
Jacob Lorenzen @Jaxwood, Joakim Roubert @joakimr-axis, Josh Ault @jault-figure,
João Soares @jasoares, jtcarnes @jtcarnes, Kim Christensen @kichristensen,
Krzysztof Dryś @krzysztofdrys, Lior Yantovski @lioryantov,
Martin Anker Have @mahlunar, Michael Lin @michaellzc,
Michał Romanowski @michalrom089, Naveen Nalam @nnalam, Nick Calibey @ncalibey,
Nikola Brdaroski @nikolabrdaroski, Or Shachar @or-shachar,
Pål-Magnus Slåtto @dev-slatto, Raman Gupta @rocketraman,
Ricardo Gândara Pinto @rmgpinto, Roberth Strand @roberthstrand,
Sankalp Rangare @sankalp-r, Sascha Grunert @saschagrunert,
Steve Gray @steve-gray, Steve Zhang @zhlsunshine, Takumi Sue @mikutas,
Tanmay Bhat @tanmay-bhat, Táskai Dominik @dtaskai, Ujjwal Goyal @importhuman,
Weichung Shaw @wc-s, Wim de Groot @wim-de-groot, Yannick Utard @utay,
Yurii Dzobak @yuriydzobak, 罗泽轩 @spacewander