## stable-2.13.0
This release introduces client-side policy to Linkerd, including dynamic routing
and circuit breaking. [Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoutes
can now be used to configure policy for outbound (client) proxies as well as
inbound (server) proxies, by creating HTTPRoutes with Service resources as their
`parentRef`. See the Linkerd documentation for tutorials on [dynamic request
routing] and [circuit breaking]. New functionality for debugging HTTPRoute-based
policy is also included in this release, including [new proxy metrics] and the
ability to display outbound policies in the `linkerd diagnostics policy` CLI
command.
In addition, this release adds `network-validator`, a new init container to be
used when CNI is enabled. `network-validator` ensures that local iptables rules
are working as expected. It will validate this before linkerd-proxy starts.
`network-validator` replaces the `noop` container, runs as `nobody`, and drops
all capabilities before starting.
Finally, this release includes a number of bugfixes, performance improvements,
and other smaller additions.
**Upgrade notes**: Please see the [upgrade instructions][upgrade-2130].
* CRDs
* HTTPRoutes may now have Service parents, to configure outbound policy
* Updated HTTPRoute version from `v1alpha1` to `v1beta2`
* CLI
* Added a new `linkerd prune` command to the CLI (including most extensions) to
remove resources which are no longer part of Linkerd's manifests
* Added additional shortnames for Linkerd policy resources (thanks @javaducky!)
* The `linkerd diagnostics policy` command now displays outbound policy when
the target resource is a Service
* Control Plane
* The policy controller now discovers outbound policy configurations from
HTTPRoutes that target Services.
* Added OutboundPolicies API, for use by `linkerd-proxy` to route
outbound traffic
* Added Prometheus `/metrics` endpoint to the admin server, with process
metrics
* Fixed QueryParamMatch parsing for HTTPRoutes
* Added the policy status controller which writes the `status` field to
HTTPRoutes when a parent reference Server accepts or rejects it
* Added KubeAPI server ports to `ignoreOutboundPorts` of `proxy-injector`
* No longer apply `waitBeforeExitSeconds` to control plane, viz and jaeger
extension pods
* Added support for the `internalTrafficPolicy` of a service (thanks @yc185050!)
* Added block chomping to strip trailing new lines in ConfigMap (thanks @avdicl!)
* Added protection against nil dereference in resources helm template
* Added support for Pod Security Admission (Pod Security Policy resources are
still supported but disabled by default)
* Lowered non-actionable error messages in the Destination log to debug-level
entries to avoid triggering false alarms (thanks @siddharthshubhampal!)
* Fixed an issue with EndpointSlice endpoint reconciliation on slice deletion;
when using more than one slice, a `NoEndpoints` event would be sent to the
proxy regardless of the amount of endpoints that were still available
(thanks @utay!)
* Improved diagnostic log messages
* Fixed sending of spurious profile updates
* Removed unnecessary Namespaces access from the destination controller RBAC
* Added the server_port_subscribers metric to track the number of subscribers
to Server changes associated with a pod's port
* Added the service_subscribers metric to track the number of subscribers to
Service changes
* Fixed a small memory leak in the opaque ports watcher
* Proxy
* Use the new OutboundPolicies API, supporting Gateway API-style routes
in the outbound proxy
* Added support for dynamic request routing based on HTTPRoutes
* Added HTTP circuit breaking
* Added `outbound_route_backend_http_requests_total`,
`outbound_route_backend_grpc_requests_total`, and
`outbound_http_balancer_endpoints` metrics
* Changed the proxy's behavior when traffic splitting so that only services
that are not in failfast are used. This will enable the proxy to manage
failover without external coordination
* Updated tokio (async runtime) in the proxy which should reduce CPU usage,
especially for proxy's pod local (i.e in the same network namespace)
communication
* linkerd-proxy-init
* Changed `proxy-init` iptables rules to be idempotent upon init pod
restart (thanks @jim-minter!)
* Improved logging in `proxy-init` and `linkerd-cni`
* Added a `proxyInit.privileged` setting to control whether the `proxy-init`
initContainer runs as a privileged process
* CNI
* Added static and dynamic port overrides for CNI eBPF to work with socket-level
load balancing
* Added `network-validator` init container to ensure that iptables rules are
working as expected
* Added a `resources` field in the linkerd-cni chart (thanks @jcogilvie!)
* Viz
* Added `tap.ignoredHeaders` Helm value to the linkerd-viz chart. This value
allows users to specify a comma-separated list of header names which will be
ignored by Linkerd Tap (thanks @ryanhristovski!)
* Removed duplicate SecurityContext in Prometheus manifest
* Added new flag `--viz-namespace` which avoids requiring permissions for
listing all namespaces in `linkerd viz` subcommands (thanks @danibaeyens!)
* Removed the TrafficSplit page from the Linkerd viz dashboard (thanks
@h-dav!)
* Introduced new values in the `viz` chart to allow for arbitrary annotations
on the `Service` objects (thanks @sgrzemski!)
* Added an optional AuthorizationPolicy to authorize Grafana to Prometheus
in the Viz extension
* Multicluster
* Removed duplicate AuthorizationPolicy for probes from the multicluster
gateway Helm chart
* Updated wording for linkerd-multicluster cluster when it fails to probe a
remote gateway mirror
* Added multicluster gateway `nodeSelector` and `tolerations` helm parameters
* Added new configuration options for the multicluster gateway:
* `gateway.deploymentAnnotations`
* `gateway.terminationGracePeriodSeconds` (thanks @bunnybilou!)
* `gateway.loadBalancerSourceRanges` (thanks @Tyrion85!)
* Extensions
* Removed dependency on the `curlimages/curl` 3rd-party image used to initialize
extensions namespaces metadata (so they are visible by `linkerd check`),
replaced by the new `extension-init` image
* Converted `ServerAuthorization` resources to `AuthorizationPolicy` resources
in Linkerd extensions
* Removed policy resources bound to admin servers in extensions (previously
these resources were used to authorize probes but now are authorized by
default)
* Fixed the link to the Jaeger dashboard the in viz dashboard (thanks
@eugenegoncharuk!)
* Updated linkerd-jaeger's collector to expose port 4318 in order support HTTP
alongside gRPC (thanks @uralsemih!)
* Among other dependency updates, the no-longer maintained ghodss/yaml library
was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)
This release includes changes from a massive list of contributors! A special
thank-you to everyone who helped make this release possible:
* Andrew Pinkham [@jambonrose](https://github.com/jambonrose)
* Arnaud Beun [@bunnybilou](https://github.com/bunnybilou)
* Carlos Tadeu Panato Junior [@cpanato](https://github.com/cpanato)
* Christian Segundo [@someone-stole-my-name](https://github.com/someone-stole-my-name)
* Dani Baeyens [@danibaeyens](https://github.com/danibaeyens)
* Duc Tran [@ductnn](https://github.com/ductnn)
* Eng Zer Jun [@Juneezee](https://github.com/Juneezee)
* Ivan Ivic [@Tyrion85](https://github.com/Tyrion85)
* Joe Bowbeer [@joebowbeer](https://github.com/joebowbeer)
* Jonathan Ogilvie [@jcogilvie](https://github.com/jcogilvie)
* Jun [@junnplus](https://github.com/junnplus)
* Loong Dai [@daixiang0](https://github.com/daixiang0)
* María Teresa Rojas [@mtrojas](https://github.com/mtrojas)
* Mo Sattler [@MoSattler](https://github.com/MoSattler)
* Oleg Vorobev [@olegy2008](https://github.com/olegy2008)
* Paul Balogh [@javaducky](https://github.com/javaducky)
* Peter Smit [@psmit](https://github.com/psmit)
* Ryan Hristovski [@ryanhristovski](https://github.com/ryanhristovski)
* Semih Ural [@uralsemih](https://github.com/uralsemih)
* Shubhodeep Mukherjee [@shubhodeep9](https://github.com/shubhodeep9)
* Siddharth S Pal [@siddharthshubhampal](https://github.com/siddharthshubhampal)
* Subhash Choudhary [@subhashchy](https://github.com/subhashchy)
* Szymon Grzemski [@sgrzemski](https://github.com/sgrzemski)
* Takumi Sue [@mikutas](https://github.com/mikutas)
* Yannick Utard [@utay](https://github.com/utay)
* Yu Cao [@yc185050](https://github.com/yc185050)
* anoxape [@anoxape](https://github.com/anoxape)
* bastienbosser [@bastienbosser](https://github.com/bastienbosser)
* bitfactory-sem-denbroeder [@bitfactory-sem-denbroeder](https://github.com/bitfactory-sem-denbroeder)
* cui fliter [@cuishuang](https://github.com/cuishuang)
* eugenegoncharuk [@eugenegoncharuk](https://github.com/eugenegoncharuk)
* h-dav @[h-dav](https://github.com/h-dav)
* martinkubrak [@martinkubra](https://github.com/martinkubra)
* verbotenj [@verbotenj](https://github.com/verbotenj)
* ziollek [@ziollek](https://github.com/ziollek)
[dynamic request routing]: https://linkerd.io/2.13/tasks/configuring-dynamic-request-routing
[circuit breaking]: https://linkerd.io/2.13/tasks/circuit-breaking
[new proxy metrics]: https://linkerd.io/2.13/reference/proxy-metrics/#outbound-xroute-metrics
[upgrade-2130]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2130