## stable-2.11.0 This release introduces access control policies. Default policies may be configured at the cluster- and workspace-levels; and fine grained policies may be instrumented via the new `policy.linkerd.io/v1beta1` CRDs: `Server` and `ServerAuthorization`. These resources may be created to define how individual ports accept connections; and the `Server` resource will be a building block for future features that configure inbound proxy behavior. Furthermore, `ServiceProfile` retry configurations can now instrument retries for requests with bodies. This unlocks retry behavior for gRPC services. **Upgrade notes**: Please see the [upgrade instructions][upgrade-2110]. * Proxy * Reduced CPU & Memory usage by up to 30% in some load tests * Updated retries to support requests with bodies up to 64KB. ServiceProfiles may now configure retries for gRPC services * The proxy's container image is now based on `gcr.io/distroless/cc` to contain a minimal OS footprint that should not trigger unnecessary alerts in security scanners * Added the `inbound_http_errors_total` and `outbound_http_errors_total` metrics to reflect errors that caused the proxy to respond with errors * Added an `l5d-proxy-error` header that is included on responses on trusted connections for debugging purposes * Added a `l5d-client-id` header on mutually-authenticated inbound requests so that applications can discover the client's identity * Added metrics to reflect TCP and HTTP authorization decisions * Added `srv_name` and `saz_name` labels to inbound HTTP metrics * Fixed an issue that could cause the proxy to continually reconnect to defunct service endpoints * Dropped support for non-HTTP outbound services when `linkerd.io/inject: ingress` is used * Instrumented fuzz testing to help guard against unexpected panics * Control Plane * Added a new `policy-controller` container to the `linkerd-destination` pod--the first control plane component implemented in Rust * Added a new admission controller to validate that multiple `Server` resources do not reference the same port * Added a `linkerd-identity-trust-roots` ConfigMap which configures the trust root bundle for all pods in the core control plane namespace * Eliminated the `linkerd-controller` deployment so that Linkerd's core control plane now consists of only 3 deployments * Updated the proxy injector to configure the `proxy-init` container with `NET_RAW` and `NET_ADMIN` capabilities so that the container does not fail when the pod drops these capabilities * CLI * Enhanced `linkerd completion` to expand Kubernetes resources from the current kubectl context * Added an `authz` subcommand to display the authorization policies that impact a workload * Added a _short_ output mode for `linkerd check` that only prints failed checks * Added support for `ReplicaSets` to `linkerd stat` so that pods created by Argo `Rollout` resources can be inspected * Helm: please see the [upgrade instructions][upgrade-2110]. * Extensions: * Introduced a new (optional) SMI extension responsible for reading `specs.smi-spec.io` resources and converting them to Linkerd resources * In `stable-2.12`, this extension will be required to use `TrafficSplit` resources with Linkerd * Added an extensions page to the Linkerd Web UI * Viz * Added `Server` and `ServerAuthorization` resources for all ports * Added JSON log formatting * Jaeger * Added OpenTelemetry collector instead of OpenCensus * Multicluster * Added experimental support for `StatefulSet` workloads This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible: Gustavo Fernandes de Carvalho @gusfcarvalho Oleg Vorobev @olegy2008 Bart Peeters @bartpeeters Stepan Rabotkin @EpicStep LiuDui @xichengliudui Andrew Hemming @drewhemm Ujjwal Goyal @importhuman Knut Götz @knutgoetz Sanni Michael @sannimichaelse Brandon Sorgdrager @bsord Gerald Pape @ubergesundheit Alexey Kostin @rumanzo rdileep13 @rdileep13 Takumi Sue @mikutas Akshit Grover @akshitgrover Sanskar Jaiswal @aryan9600 Aleksandr Tarasov @aatarasoff Taylor @skinn Miguel Ángel Pastor Olivar @migue wangchenglong01 @wangchenglong01 Josh Soref @jsoref Carol Chen @kipply Peter Smit @psmit Tarvi Pillessaar @tarvip James Roper @jroper Dominik Münch @muenchdo Szymon Gibała @Szymongib Mitch Hulscher @mhulscher [upgrade-2110]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2110