## edge-23.1.1 (028a6826)

This edge release fixes a caching issue in the destination controller, converts deprecated policy resources, and introduces several changes to how the proxy works. A bug in the destination controller that could lead to stale pods being considered by the load balancer has been fixed. Several Linkerd extensions were still using the now deprecated `ServerAuthorization` resource; these instances have been converted to `AuthorizationPolicy`. Additionally, several policy resources that authorized probes have been removed, since probes are now authorized by default. As part of ongoing policy work, there are several changes to how the proxy works. Routes are now lazily initialized, so service profile routes will not show up in metrics until the route is used. Furthermore, the proxy's traffic splitting behavior has changed so that only backends that are not in failfast are used, resulting in fewer failfast errors. Finally, this edge release contains a number of fixes and improvements from our contributors.

* Converted `ServerAuthorization` resources to `AuthorizationPolicy` resources in Linkerd extensions
* Removed policy resources bound to admin servers in extensions (previously these resources were used to authorize probes, which are now authorized by default)
* Added a `resources` field in the linkerd-cni chart (thanks @jcogilvie!)
* Fixed an issue in the CLI where `--identity-external-ca` would set an incorrect field (thanks @anoxape!)
* Fixed an issue in the destination controller's cache that could result in stale endpoints when using EndpointSlice objects
* Added namespace to namespace-metadata resources in Helm (thanks @joebowbeer!)
* Added support for Pod Security Admission (Pod Security Policy resources are still supported but disabled by default)
* Changed routes to be initialized lazily. Service Profile routes will no longer show up in metrics until the route is used (default routes are always available when no Service Profile is defined for a service)
* Changed the proxy's behavior when traffic splitting so that only services that are not in failfast are used. This enables the proxy to manage failover without external coordination
* Updated tokio (the async runtime) in the proxy, which should reduce CPU usage, especially for pod-local (i.e. same network namespace) communication
* Fixed an issue where `linkerd viz tap` would display wrong latency/duration values (thanks @olegy2008!)
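The `ServerAuthorization` to `AuthorizationPolicy` conversion described above, as an added example that is not Linkerd's own migration code: a Go program that rewrites one deprecated resource into the equivalent `AuthorizationPolicy` plus `MeshTLSAuthentication` pair (the same clients, the same target Server). The field layout of the three CRDs is reproduced from the `policy.linkerd.io` schemas as the editor understands them and should be checked against the CRDs installed in your cluster; the input resource (an `admin` Server in `linkerd-viz` scraped by a `prometheus` service account and one hypothetical cross-namespace `tap` account) is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ObjectMeta is the subset of Kubernetes metadata the conversion needs.
type ObjectMeta struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

// ---- deprecated ServerAuthorization (input) ----

type ServerRef struct {
	Name string `json:"name"`
}

type ServiceAccountRef struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"` // empty = same namespace as the policy
}

type MeshTLSClient struct {
	ServiceAccounts []ServiceAccountRef `json:"serviceAccounts"`
}

type ClientSpec struct {
	MeshTLS MeshTLSClient `json:"meshTLS"`
}

type ServerAuthorizationSpec struct {
	Server ServerRef  `json:"server"`
	Client ClientSpec `json:"client"`
}

type ServerAuthorization struct {
	APIVersion string                  `json:"apiVersion"`
	Kind       string                  `json:"kind"`
	Metadata   ObjectMeta              `json:"metadata"`
	Spec       ServerAuthorizationSpec `json:"spec"`
}

// ---- replacement pair (output) ----

type TypedRef struct {
	Group string `json:"group,omitempty"`
	Kind  string `json:"kind"`
	Name  string `json:"name"`
}

type IdentityRef struct {
	Kind      string `json:"kind"`
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

type MeshTLSAuthenticationSpec struct {
	IdentityRefs []IdentityRef `json:"identityRefs"`
}

type MeshTLSAuthentication struct {
	APIVersion string                    `json:"apiVersion"`
	Kind       string                    `json:"kind"`
	Metadata   ObjectMeta                `json:"metadata"`
	Spec       MeshTLSAuthenticationSpec `json:"spec"`
}

type AuthorizationPolicySpec struct {
	TargetRef                  TypedRef   `json:"targetRef"`
	RequiredAuthenticationRefs []TypedRef `json:"requiredAuthenticationRefs"`
}

type AuthorizationPolicy struct {
	APIVersion string                  `json:"apiVersion"`
	Kind       string                  `json:"kind"`
	Metadata   ObjectMeta              `json:"metadata"`
	Spec       AuthorizationPolicySpec `json:"spec"`
}

const policyAPI = "policy.linkerd.io/v1alpha1" // assumed API version of the newer resources

// ConvertServerAuthorization rewrites one ServerAuthorization into the
// MeshTLSAuthentication (who the clients are) + AuthorizationPolicy (what they
// may reach) pair expressing the same rule. Unqualified service accounts keep
// the ServerAuthorization's own namespace, as that resource defaulted them.
func ConvertServerAuthorization(sa ServerAuthorization) (MeshTLSAuthentication, AuthorizationPolicy) {
	ns := sa.Metadata.Namespace
	authn := MeshTLSAuthentication{APIVersion: policyAPI, Kind: "MeshTLSAuthentication",
		Metadata: ObjectMeta{Name: sa.Metadata.Name + "-clients", Namespace: ns}}
	for _, acct := range sa.Spec.Client.MeshTLS.ServiceAccounts {
		acctNS := acct.Namespace
		if acctNS == "" {
			acctNS = ns
		}
		authn.Spec.IdentityRefs = append(authn.Spec.IdentityRefs,
			IdentityRef{Kind: "ServiceAccount", Name: acct.Name, Namespace: acctNS})
	}
	authz := AuthorizationPolicy{APIVersion: policyAPI, Kind: "AuthorizationPolicy",
		Metadata: ObjectMeta{Name: sa.Metadata.Name, Namespace: ns},
		Spec: AuthorizationPolicySpec{
			TargetRef: TypedRef{Group: "policy.linkerd.io", Kind: "Server", Name: sa.Spec.Server.Name},
			RequiredAuthenticationRefs: []TypedRef{
				{Group: "policy.linkerd.io", Kind: "MeshTLSAuthentication", Name: authn.Metadata.Name}}}}
	return authn, authz
}

// SampleServerAuthorization is a constructed input, not taken from Linkerd's charts.
func SampleServerAuthorization() ServerAuthorization {
	var sa ServerAuthorization
	sa.APIVersion, sa.Kind = "policy.linkerd.io/v1beta1", "ServerAuthorization"
	sa.Metadata = ObjectMeta{Name: "admin-scrape", Namespace: "linkerd-viz"}
	sa.Spec.Server.Name = "admin"
	sa.Spec.Client.MeshTLS.ServiceAccounts = []ServiceAccountRef{
		{Name: "prometheus"},                       // same namespace as the policy
		{Name: "tap", Namespace: "linkerd-viz-tap"}, // hypothetical cross-namespace client
	}
	return sa
}

func main() {
	authn, authz := ConvertServerAuthorization(SampleServerAuthorization())
	for _, obj := range []interface{}{authn, authz} {
		out, _ := json.MarshalIndent(obj, "", "  ")
		fmt.Println(string(out))
	}
}
```

The program prints the two replacement objects as JSON, which `kubectl apply -f -` accepts directly. Apply the new pair and confirm with `linkerd authz` that the Server still lists the expected clients before deleting the old `ServerAuthorization`, so the admin endpoint is never left without an authorization during the switch.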
## stable-2.12.3 (5dc8f520)

This stable release is packed with various fixes in both the core Linkerd controllers and extensions.

* CLI
  * Fixed `linkerd check` failing when the cluster had services of type `ExternalName`
  * Fixed `linkerd multicluster install` not honoring the `gateway.UID` setting
  * Fixed the `linkerd upgrade --from-manifests` flag
* Destination Controller
  * Fixed a race condition in the destination controller
  * Fixed an issue in the destination controller where `hostPort` mappings were being ignored
* linkerd-proxy-init
  * Set the `noop` init container user to be the same as `proxy-init`'s, to avoid errors when the security context disallows running as root
  * Introduced the `proxyInit.privileged` setting to allow running `linkerd-proxy-init` without restrictions when required
  * Added port 6443 to the default skipped ports, to bypass the proxy when eBPF CNIs override the API server packet destination
* Extensions
  * Removed an unnecessary `proxyProtocol` restriction in the multicluster gateway Server (thanks @psmit!)
  * Added an "Exists" toleration to the `linkerd-cni` DaemonSet so that it is installed by default on tainted nodes
  * Made dashboard loading more robust in the presence of browser plugins that inject script tags (thanks @junnplus!)
## edge-22.12.1 (cbb4d8f2)

This edge release introduces static and dynamic port overrides for CNI eBPF socket-level load balancing. In certain installations where CNI plugins run in eBPF mode, socket-level load balancing rewrites packet destinations to port 6443; as with port 443 already, this port is now skipped as well on control plane components so that they can communicate with the Kubernetes API before their proxies are running. Additionally, a potential panic and a false warning have been fixed in the destination controller.

* Updated linkerd-jaeger's collector to expose port 4318 in order to support HTTP alongside gRPC (thanks @uralsemih!)
* Added a `proxyInit.privileged` setting to control whether the `proxy-init` initContainer runs as a privileged process
* Fixed a potential panic in the destination controller caused by concurrent writes when dealing with Endpoint updates
* Fixed a false warning when looking up HostPort mappings on Pods
* Added static and dynamic port overrides for CNI eBPF to work with socket-level load balancing
## edge-22.11.3 (4ea8ab21)

This edge release fixes connection errors to pods that use `hostPort` configurations. The CNI `network-validator` init container features improved error logging, and the default `linkerd-cni` DaemonSet configuration is updated to tolerate all node taints so that the CNI runs on all nodes in a cluster.

* Fixed the `destination` service to properly discover targets using a `hostPort` different from their `containerPort`, which was causing 502 errors
* Upgraded the `network-validator` with better logging, allowing users to determine whether failures occur as a result of their environment or the tool itself
* Added a default `Exists` toleration to the `linkerd-cni` DaemonSet, allowing it to be deployed on all nodes by default, regardless of taints
## edge-22.11.2 (74ba03fe)

This edge release introduces the use of the Kubernetes metadata API in the proxy-injector and tap-injector components. This can reduce the IO and memory footprint of those components, as they now only need to track the metadata of certain resources rather than the entire resource. Similar changes will be made to the destination component in an upcoming release.

* Bumped HTTP dependencies to fix a potential deadlock in HTTP/2 clients
* Changed the proxy-injector and tap-injector components to use the metadata API, which should result in less memory consumption
## edge-22.11.1 (77fbe4d4)

This edge release ships a few fixes in Linkerd's dashboard and the multicluster extension. Additionally, a regression has been fixed in the CLI that blocked upgrades from versions older than 2.12.0 due to missing CRDs (even if the CRDs were present in-cluster). Finally, the release includes changes to the Helm charts to allow arbitrary (user-provided) labels on Linkerd workloads.

* Fixed an issue in the CLI where upgrades from any version prior to stable-2.12.0 would fail when using the `--from-manifest` flag
* Removed un-injectable namespaces, such as kube-system, from the unmeshed resource notification in the dashboard (thanks @MoSattler!)
* Fixed an issue where the dashboard would respond to requests with 404 due to wrong root paths in the HTML script (thanks @junnplus!)
* Removed the proxyProtocol field in the multicluster gateway policy; this has the effect of changing the protocol from 'HTTP/1.1' to 'unknown' (thanks @psmit!)
* Fixed the multicluster gateway UID when installing through the CLI; prior to this change the 'runAsUser' field would be empty
* Changed the Helm chart for the control plane and all extensions to support arbitrary labels on resources (thanks @bastienbosser!)
## edge-22.10.3 (c7223d07)

This edge release adds `network-validator`, a new init container to be used when CNI is enabled. `network-validator` ensures that local iptables rules are working as expected, and validates this before linkerd-proxy starts. `network-validator` replaces the `noop` container, runs as `nobody`, and drops all capabilities before starting.

* Validate CNI `iptables` configuration during pod startup
* Fixed the "cluster networks contains all services" check failing for services with no ClusterIP
* Removed the kubectl version check from `linkerd check` (thanks @ziollek!)
* Set `readOnlyRootFilesystem: true` in the viz chart (thanks @mikutas!)
* Fixed `linkerd multicluster install` by re-adding the `pause` container image in the chart
* Fixed a hardcoded image value in the linkerd-viz namespace-metadata.yml template (thanks @bastienbosser!)
## stable-2.12.2 (d1dff278)

This stable release fixes an issue with CNI chaining that was preventing the Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also fixes some sections of the Viz dashboard appearing blank, and adds an optional PodMonitor resource to the Helm chart to enable easier integration with the Prometheus Operator. Several other fixes are included.

* Proxy
  * Fixed proxies emitting some duplicate inbound metrics
* Control Plane
  * Fixed handling of `.conf` files in the CNI plugin so that the Linkerd CNI plugin can be used alongside other CNI plugins such as Cilium
  * Added a noop init container to injected pods when the CNI plugin is enabled, to prevent certain scenarios where a pod can get stuck without an IP address
  * Fixed the `NotIn` label selector operator in the policy resources being erroneously treated as `In`
  * Fixed a bug where the `config.linkerd.io/proxy-version` annotation could be empty
* CLI
  * Added a `linkerd diagnostics policy` command to inspect Linkerd policy state
  * Added a check that ClusterIP services are in the cluster networks
  * Expanded the `linkerd authz` command to display AuthorizationPolicy resources that target namespaces (thanks @aatarasoff!)
  * Fixed warning logic in the "linkerd-viz ClusterRoles exist" and "linkerd-viz ClusterRoleBindings exist" checks in `linkerd viz check`
  * Fixed the CLI ignoring the `--api-addr` flag (thanks @mikutas!)
* Helm
  * Added an optional PodMonitor resource to the main Helm chart (thanks @jaygridley!)
* Dashboard
  * Fixed the dashboard sections Tap, Top, and Routes appearing blank (thanks @MoSattler!)
  * Updated Grafana dashboards to use a variable duration parameter so that they can be used when Prometheus has a longer scrape interval (thanks @TarekAS)
## edge-22.10.2 (c8a79841)

This edge release fixes an issue with CNI chaining that was preventing the Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also includes several other fixes.

* Updated Grafana dashboards to use a variable duration parameter so that they can be used when Prometheus has a longer scrape interval (thanks @TarekAS)
* Fixed handling of `.conf` files in the CNI plugin so that the Linkerd CNI plugin can be used alongside other CNI plugins such as Cilium
* Added a `linkerd diagnostics policy` command to inspect Linkerd policy state
* Added a check that ClusterIP services are in the cluster networks
* Added a noop init container to injected pods when the CNI plugin is enabled, to prevent certain scenarios where a pod can get stuck without an IP address
* Fixed a bug where the `config.linkerd.io/proxy-version` annotation could be empty
## edge-22.10.1 (a5797f72)

This edge release fixes some sections of the Viz dashboard appearing blank, and adds an optional PodMonitor resource to the Helm chart to enable easier integration with the Prometheus Operator. It also includes many fixes submitted by our contributors.

* Fixed the dashboard sections Tap, Top, and Routes appearing blank (thanks @MoSattler!)
* Added an optional PodMonitor resource to the main Helm chart (thanks @jaygridley!)
* Fixed the CLI ignoring the `--api-addr` flag (thanks @mikutas!)
* Expanded the `linkerd authz` command to display AuthorizationPolicy resources that target namespaces (thanks @aatarasoff!)
* Fixed the `NotIn` label selector operator in the policy resources being erroneously treated as `In`
* Fixed warning logic around the "linkerd-viz ClusterRoles exist" and "linkerd-viz ClusterRoleBindings exist" checks in `linkerd viz check`
* Fixed proxies emitting some duplicate inbound metrics
## stable-2.12.1 (93dbb8b3)

This release includes several control plane and proxy fixes for `stable-2.12.0`. In particular, it fixes issues related to control plane HTTP servers' header read timeouts resulting in decreased controller success rates, lowers the inbound connection pool idle timeout in the proxy, and fixes an issue where the jaeger injector would put pods into an error state when upgrading from stable-2.11.x. Additionally, this release adds the `linkerd.io/trust-root-sha256` annotation to all injected workloads, allowing predictable comparison of all workloads' trust anchors via the Kubernetes API. For Windows users, note that the Linkerd CLI's `nupkg` file for Chocolatey is once again included in the release assets (it was previously removed in stable-2.10.0).

* Proxy
  * Lowered the inbound connection pool idle timeout to 3s
* Control Plane
  * Updated AdmissionRegistration API version usage to v1
  * Added the `linkerd.io/trust-root-sha256` annotation on all injected workloads to identify the certificate bundle
  * Updated fields in `AuthorizationPolicy` and `MeshTLSAuthentication` to conform to the specification (thanks @aatarasoff!)
  * Updated the identity controller to not require a `ClusterRoleBinding` to read all deployment resources
  * Increased servers' header read timeouts so they no longer match default probe and Prometheus scrape intervals
* Helm
  * Restored the `namespace` field in Linkerd Helm charts
  * Updated the `PodDisruptionBudget` `apiVersion` from `policy/v1beta1` to `policy/v1` (thanks @Vrx555!)
* Extensions
  * Fixed the jaeger injector interfering with upgrades to 2.12.x
## stable-2.11.5 (1062718e)

This release lowers the inbound connection pool idle timeout to 3s. This should help avoid socket errors, especially for Kubernetes probes. Additionally, it upgrades the version of Go used by the control plane and CLI from 1.17 to 1.18.
## edge-22.9.2 (566721c7)

This release fixes an issue where the jaeger injector would put pods into an error state when upgrading from stable-2.11.x.

* Updated AdmissionRegistration API version usage to v1
* Fixed the jaeger injector interfering with upgrades to 2.12.x
## edge-22.9.1 (ee75526b)

This release adds the `linkerd.io/trust-root-sha256` annotation to all injected workloads, allowing predictable comparison of all workloads' trust anchors via the Kubernetes API. Additionally, this release lowers the inbound connection pool idle timeout to 3s. This should help avoid socket errors, especially for Kubernetes probes.

* Added the `linkerd.io/trust-root-sha256` annotation on all injected workloads to identify the certificate bundle
* Lowered the inbound connection pool idle timeout to 3s
* Restored the `namespace` field in Linkerd Helm charts
* Updated fields in `AuthorizationPolicy` and `MeshTLSAuthentication` to conform to the specification (thanks @aatarasoff!)
* Updated the identity controller to not require a `ClusterRoleBinding` to read all deployment resources
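The `linkerd.io/trust-root-sha256` annotation introduced here (and shipped in stable-2.12.1 above) exists so that the trust anchors every injected pod was started with can be compared through the Kubernetes API alone. The following Go program is an added example of that comparison, not Linkerd's own code: it finds workloads whose annotation is missing or differs from the digest of the bundle you currently consider authoritative, which is exactly the question after a trust root rotation. It assumes the annotation value is the hex-encoded SHA-256 of the raw trust anchor PEM bundle; confirm that against one pod before relying on it (for example with `kubectl get pod <name> -o jsonpath='{.metadata.annotations.linkerd\.io/trust-root-sha256}'` next to `sha256sum ca.crt`). The PEM "bundles" and the three pods below are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// TrustRootAnnotation is the annotation name this release adds to injected pods.
const TrustRootAnnotation = "linkerd.io/trust-root-sha256"

// TrustRootSHA256 digests a trust anchor PEM bundle. ASSUMPTION (not verified
// against Linkerd's injector): hex SHA-256 over the raw PEM bytes exactly as
// passed in identityTrustAnchorsPEM, whitespace included.
func TrustRootSHA256(trustAnchorsPEM []byte) string {
	sum := sha256.Sum256(trustAnchorsPEM)
	return hex.EncodeToString(sum[:])
}

// Workload is the slice of a pod object that the check needs.
type Workload struct {
	Namespace   string
	Name        string
	Annotations map[string]string
}

// FindStaleTrustRoots returns "namespace/name" for every workload whose
// annotation is missing or does not match the digest of expectedPEM: pods that
// were injected before a rotation, or that are not injected at all. The result
// is sorted so reports are stable run to run.
func FindStaleTrustRoots(expectedPEM []byte, pods []Workload) []string {
	want := TrustRootSHA256(expectedPEM)
	var stale []string
	for _, p := range pods {
		if got, ok := p.Annotations[TrustRootAnnotation]; !ok || got != want {
			stale = append(stale, p.Namespace+"/"+p.Name)
		}
	}
	sort.Strings(stale)
	return stale
}

// Constructed sample data: placeholder "bundles" (a real one holds one or more
// CA certificates) and three pods, one still carrying the previous digest and
// one with no annotation at all.
var (
	CurrentTrustAnchorsPEM  = []byte("-----BEGIN CERTIFICATE-----\nCURRENT-ROOT-PLACEHOLDER\n-----END CERTIFICATE-----\n")
	PreviousTrustAnchorsPEM = []byte("-----BEGIN CERTIFICATE-----\nPREVIOUS-ROOT-PLACEHOLDER\n-----END CERTIFICATE-----\n")
)

func SampleWorkloads() []Workload {
	cur := TrustRootSHA256(CurrentTrustAnchorsPEM)
	old := TrustRootSHA256(PreviousTrustAnchorsPEM)
	return []Workload{
		{Namespace: "emojivoto", Name: "web-1", Annotations: map[string]string{TrustRootAnnotation: cur}},
		{Namespace: "emojivoto", Name: "web-2", Annotations: map[string]string{TrustRootAnnotation: old}},
		{Namespace: "emojivoto", Name: "vote-bot", Annotations: map[string]string{}}, // unmeshed
	}
}

func main() {
	for _, w := range FindStaleTrustRoots(CurrentTrustAnchorsPEM, SampleWorkloads()) {
		fmt.Println("stale or unannotated:", w)
	}
}
```

In a real cluster, populate the `Workload` list from the pods returned by the API (the annotation is on the pod, not the Deployment) and treat a non-empty result after a rotation as proxies still running on the old anchors: they must be restarted before the old root is removed from the bundle, otherwise their mTLS handshakes with freshly injected peers will fail.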
## edge-22.8.3 (9f365692)

Increased control plane HTTP servers' read timeouts so that they no longer match the default probe intervals. This was leading to closed connections and a decreased controller success rate.
## stable-2.12.0 (0bd3f732)

This release introduces route-based policy to Linkerd, allowing users to define and enforce authorization policies based on HTTP routes in a fully zero-trust way. These policies are built on Linkerd's strong workload identities, secured by mutual TLS, and configured using types from the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/). The 2.12 release also introduces optional request logging ("access logging", after its name in web servers), optional support for `iptables-nft`, and a host of other improvements and performance enhancements. Additionally, the `linkerd-smi` extension is now required to use TrafficSplit, and the installation process has been updated to separate management of the Linkerd CRDs from the main installation process. With the CLI, you'll need to run `linkerd install --crds` before `linkerd install`; with Helm, you'll install the new `linkerd-crds` chart, then the `linkerd-control-plane` chart. These charts are now versioned using [SemVer](https://semver.org) independently of Linkerd releases. For more information, see the [upgrade notes][upgrade-2120].

**Upgrade notes**: Please see the [upgrade instructions][upgrade-2120].

* Proxy
  * Added a `config.linkerd.io/shutdown-grace-period` annotation to limit the duration that the proxy may wait for graceful shutdown
  * Added a `config.linkerd.io/access-log` annotation to enable logging of workload requests
  * Added a new `iptables-nft` mode for the `proxy-init` initContainer
  * Added support for non-HTTP traffic forwarding within the mesh in `ingress` mode
  * Added the `/env.json` log diagnostic endpoint
  * Added a new `process_uptime_seconds_total` metric to track proxy uptime in seconds
  * Added support for dynamically discovering policies for ports that are not documented in a pod's `containerPorts`
  * Added support for route-based inbound HTTP metrics (`route_group`/`route_kind`/`route_name`)
  * Added a new annotation to configure skipping subnets in the init container (`config.linkerd.io/skip-subnets`), needed e.g. in Docker-in-Docker workloads (thanks @michaellzc!)
* Control Plane
  * Added support for per-route policy by supporting AuthorizationPolicy resources which can target HttpRoute or Server resources
  * Added support for bound service account token volumes for the control plane and injected workloads
  * Removed kube-system exclusions from watchers to fix service discovery for workloads in the kube-system namespace (thanks @JacobHenner!)
  * Updated healthcheck to ignore `Terminated` state for pods (thanks @AgrimPrasad!)
  * Updated the default policy controller log level to `info`; the controller will now emit INFO level logs for some of its dependencies
  * Added probe authorization by default, allowing clusters that use a default `deny` policy to not need to explicitly authorize probes
  * Fixed an issue where the proxy-injector would break when using `nodeAffinity` values for the control plane
  * Fixed an issue where certain control plane components were not restarting as necessary after a trust root rotation
  * Removed SMI functionality from the default Linkerd installation; this is now part of the `linkerd-smi` extension
* CLI
  * Fixed the `linkerd check` command crashing when unexpected pods are found in a Linkerd namespace
  * Updated the `linkerd authz` command to support AuthorizationPolicy and HttpRoute resources
  * Updated `linkerd check` to allow RSA signed trust anchors (thanks @danibaeyens!)
  * `linkerd install --crds` must be run before `linkerd install`
  * `linkerd upgrade --crds` must be run before `linkerd upgrade`
  * Fixed invalid yaml syntax in the viz extension's tap-injector template (thanks @wc-s!)
  * Fixed an issue where the `--default-inbound-policy` setting was not being respected
  * Added support for AuthorizationPolicy and HttpRoute to the `viz authz` command
  * Added support for AuthorizationPolicy and HttpRoute to the `viz stat` command
  * Added support for policy metadata in `linkerd viz tap`
* Helm
  * Split the `linkerd2` chart into `linkerd-crds` and `linkerd-control-plane`
  * Charts are now versioned using [SemVer](https://semver.org) independently of Linkerd releases
  * Added a missing port in the Linkerd viz chart documentation (thanks @haswalt!)
  * Changed the `proxy.await` Helm value so that users can now disable `linkerd-await` on control plane components
  * Added the `policyController.probeNetworks` Helm value for configuring the networks that probes are expected to be performed from
* Extensions
  * Added annotations to allow Linkerd extension deployments to be evicted by the autoscaler when necessary
  * Added the ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode
  * Added a ServiceAccount token Secret to the multicluster extension to support Kubernetes versions >= v1.24

This release includes changes from a massive list of contributors, including engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and others. A special thank-you to everyone who helped make this release possible:

* [@AgrimPrasad](https://github.com/AgrimPrasad)
* Ahmed Al-Hulaibi [@ahmedalhulaibi](https://github.com/ahmedalhulaibi)
* Aleksandr Tarasov [@aatarasoff](https://github.com/aatarasoff)
* Alexander Berger [@alex-berger](https://github.com/alex-berger)
* Ao Chen [@chenaoxd](https://github.com/chenaoxd)
* Badis Merabet [@badis](https://github.com/badis)
* Bjørn [@Crevil](https://github.com/Crevil)
* [@bdun1013](https://github.com/bdun1013)
* Christian Schlotter [@chrischdi](https://github.com/chrischdi)
* Dani Baeyens [@danibaeyens](https://github.com/danibaeyens)
* David Symons [@multimac](https://github.com/multimac)
* Dmitrii Ermakov [@ErmakovDmitriy](https://github.com/ErmakovDmitriy)
* Elvin Efendi [@ElvinEfendi](https://github.com/ElvinEfendi)
* Evan Hines [@evan-hines-firebolt](https://github.com/evan-hines-firebolt)
* Eng Zer Jun [@Juneezee](https://github.com/Juneezee)
* Gustavo Fernandes de Carvalho [@gusfcarvalho](https://github.com/gusfcarvalho)
* Harry Walter [@haswalt](https://github.com/haswalt)
* Israel Miller [@imiller31](https://github.com/imiller31)
* Jack Gill [@jackgill](https://github.com/jackgill)
* Jacob Henner [@JacobHenner](https://github.com/JacobHenner)
* Jacob Lorenzen [@Jaxwood](https://github.com/Jaxwood)
* Joakim Roubert [@joakimr-axis](https://github.com/joakimr-axis)
* Josh Ault [@jault-figure](https://github.com/jault-figure)
* João Soares [@jasoares](https://github.com/jasoares)
* jtcarnes [@jtcarnes](https://github.com/jtcarnes)
* Kim Christensen [@kichristensen](https://github.com/kichristensen)
* Krzysztof Dryś [@krzysztofdrys](https://github.com/krzysztofdrys)
* Lior Yantovski [@lioryantov](https://github.com/lioryantov)
* Martin Anker Have [@mahlunar](https://github.com/mahlunar)
* Michael Lin [@michaellzc](https://github.com/michaellzc)
* Michał Romanowski [@michalrom089](https://github.com/michalrom089)
* Naveen Nalam [@nnalam](https://github.com/nnalam)
* Nick Calibey [@ncalibey](https://github.com/ncalibey)
* Nikola Brdaroski [@nikolabrdaroski](https://github.com/nikolabrdaroski)
* Or Shachar [@or-shachar](https://github.com/or-shachar)
* Pål-Magnus Slåtto [@dev-slatto](https://github.com/dev-slatto)
* Raman Gupta [@rocketraman](https://github.com/rocketraman)
* Ricardo Gândara Pinto [@rmgpinto](https://github.com/rmgpinto)
* Roberth Strand [@roberthstrand](https://github.com/roberthstrand)
* Sankalp Rangare [@sankalp-r](https://github.com/sankalp-r)
* Sascha Grunert [@saschagrunert](https://github.com/saschagrunert)
* Steve Gray [@steve-gray](https://github.com/steve-gray)
* Steve Zhang [@zhlsunshine](https://github.com/zhlsunshine)
* Takumi Sue [@mikutas](https://github.com/mikutas)
* Tanmay Bhat [@tanmay-bhat](https://github.com/tanmay-bhat)
* Táskai Dominik [@dtaskai](https://github.com/dtaskai)
* Ujjwal Goyal [@importhuman](https://github.com/importhuman)
* Weichung Shaw [@wc-s](https://github.com/wc-s)
* Wim de Groot [@wim-de-groot](https://github.com/wim-de-groot)
* Yannick Utard [@utay](https://github.com/utay)
* Yurii Dzobak [@yuriydzobak](https://github.com/yuriydzobak)
* 罗泽轩 [@spacewander](https://github.com/spacewander)

[upgrade-2120]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2120
## stable-2.12.0-rc2 (cdeca1c4)

This release is the second release candidate for stable-2.12.0. At this point the Helm charts can be retrieved from the stable repo:

```sh
helm repo add linkerd https://helm.linkerd.io/stable
helm repo up
helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
helm install linkerd-control-plane \
  -n linkerd \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  linkerd/linkerd-control-plane
```

The following lists all the changes since edge-22.8.2:

* Fixed inheritance of the `linkerd.io/inject` annotation from Namespace to Workloads when its value is `ingress`
* Added the `config.linkerd.io/default-inbound-policy: all-authenticated` annotation to linkerd-multicluster's Gateway deployment so that all clients are required to be authenticated
* Added a `ReadHeaderTimeout` of 10s to all the Go `http.Server` instances, to avoid being vulnerable to "slowloris" attacks
* Added a check in `linkerd viz check --proxy` to warn in case a namespace has the `config.linkerd.io/default-inbound-policy: deny` annotation, which would not authorize scrapes coming from the linkerd-viz Prometheus instance
* Added validation for accepted values for the `--default-inbound-policy` flag
* Fixed an invalid URL in the `linkerd install --help` output
* Added a `--destination-pod` flag to the `linkerd diagnostics endpoints` subcommand
* Added `proxyInit.runAsUser` in `values.yaml` defaulting to non-zero, to complement the new default `proxyInit.runAsRoot: false` that was recently changed
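The `ReadHeaderTimeout` item above is the control plane's slowloris defence: a Go `http.Server` with no read deadline will wait forever for a client that sends a request line and then stops before the header block terminates, and a few thousand such sockets can exhaust the listener. The following Go program is an added example (not Linkerd's code) that reproduces the attack pattern against a loopback server twice, once with the pre-fix configuration and once with a header read deadline, and reports whether the server is still holding the connection open. The deadline is a parameter because, as edge-22.8.3 and stable-2.12.1 above note, the 10s value chosen here turned out to coincide with default probe and Prometheus scrape intervals and was later raised; the value needs to be long enough for legitimate slow clients and short enough that a held socket costs the attacker more than it costs you. Only the standard library is used; the handler and the `linkerd-controller` Host header are placeholders.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// NewServer builds an http.Server the way the fix does: ReadHeaderTimeout
// bounds how long a client may take to finish sending the request headers.
// Zero disables the bound, which is the pre-fix behaviour.
func NewServer(h http.Handler, readHeaderTimeout time.Duration) *http.Server {
	return &http.Server{
		Handler:           h,
		ReadHeaderTimeout: readHeaderTimeout,
	}
}

// HoldsOpenPartialRequest serves srv on a loopback port, opens one connection,
// sends a request whose header block never terminates (the slowloris pattern),
// and reports whether the server was still holding the socket open after
// `wait`. true means the server can be tied up this way.
func HoldsOpenPartialRequest(srv *http.Server, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln) // returns once srv.Close() closes the listener
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()

	// Request line plus one header, but no "\r\n\r\n": the server must keep
	// waiting for the rest of the headers. A real attacker trickles a byte
	// every few seconds across thousands of such connections.
	if _, err := io.WriteString(conn, "GET / HTTP/1.1\r\nHost: linkerd-controller\r\n"); err != nil {
		return false, err
	}

	_ = conn.SetReadDeadline(time.Now().Add(wait))
	_, err = io.ReadAll(conn)
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return true, nil // our own deadline hit first: the server never closed it
	}
	// A clean EOF (nil error) or a reset both mean the server gave up on it.
	return false, nil
}

func main() {
	h := http.NotFoundHandler()
	open, err := HoldsOpenPartialRequest(NewServer(h, 0), 500*time.Millisecond)
	fmt.Println("no ReadHeaderTimeout, still open after 500ms:", open, err)
	open, err = HoldsOpenPartialRequest(NewServer(h, 200*time.Millisecond), 3*time.Second)
	fmt.Println("ReadHeaderTimeout=200ms, still open after 3s:", open, err)
}
```

`ReadHeaderTimeout` only covers the header phase; a client that completes the headers and then trickles a body is bounded by `ReadTimeout`, and an idle keep-alive connection by `IdleTimeout`, so a hardened server normally sets all three.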
## edge-22.8.2 (5427446d)

This release is considered a release candidate for stable-2.12.0 and we encourage you to try it out! It includes an update to the multicluster extension which adds support for Kubernetes v1.24, and also updates many CLI commands to support the new policy resources, AuthorizationPolicy and HttpRoute.

* Updated `linkerd check` to allow RSA signed trust anchors (thanks @danibaeyens)
* Fixed some invalid yaml in the viz extension's tap-injector template (thanks @wc-s)
* Added support for AuthorizationPolicy and HttpRoute to the `viz authz` command
* Added support for AuthorizationPolicy and HttpRoute to `viz stat`
* Added support for policy metadata in `linkerd tap`
* Fixed an issue where certain control plane components were not restarting as necessary after a trust root rotation
* Added a ServiceAccount token Secret to the multicluster extension to support Kubernetes versions >= v1.24
* Fixed an issue where the `--default-inbound-policy` setting was not being respected
## edge-22.8.1 (ca08b81d)

This release introduces default probe authorization. This means that on clusters that use a default `deny` policy, probes do not have to be explicitly authorized using policy resources. Additionally, the `policyController.probeNetworks` Helm value has been added, which allows users to configure the networks that probes are expected to be performed from. The `linkerd authz` command has also been updated to support the policy resources AuthorizationPolicy and HttpRoute. Finally, some smaller changes include allowing users to disable `linkerd-await` on control plane components (using the existing `proxy.await` configuration) and changing the default iptables mode back to `legacy` to support more cluster environments by default.

* Updated the `linkerd authz` command to support AuthorizationPolicy and HttpRoute resources
* Changed the `proxy.await` Helm value so that users can now disable `linkerd-await` on control plane components
* Added probe authorization by default, allowing clusters that use a default `deny` policy to not need to explicitly authorize probes
* Added the ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode
* Added the `policyController.probeNetworks` Helm value for configuring the networks that probes are expected to be performed from
* Changed the default iptables mode to `legacy`
## edge-22.7.3 (26f696da)

This release adds a new `nft` iptables mode, used by default in proxy-init. When used, firewall configuration will be set up through the `iptables-nft` binary; this should allow hosts that do not support `iptables-legacy` (such as RHEL-based environments) to make use of the init container. The older `iptables-legacy` mode is still supported, but it must be explicitly turned on. Moreover, this release also replaces the `HTTPRoute` CRD with Linkerd's own version, and includes a number of fixes and improvements.

* Added a new `iptables-nft` mode for proxy-init. When running in this mode, the firewall will be configured with the `nft` kernel API; this should allow users to run the init container on RHEL-family hosts
* Fixed an issue where the proxy-injector would break when using `nodeAffinity` values for the control plane
* Updated healthcheck to ignore `Terminated` state for pods (thanks @AgrimPrasad!)
* Replaced the `HTTPRoute` CRD version from `gateway.networking.k8s.io` with a similar version from the `policy.linkerd.io` API group. While the CRD is similar, it does not support the `Gateway` type, does not contain the `backendRefs` fields, and does not support the `RequestMirror` and `ExtensionRef` filter types.
* Updated the default policy controller log level to `info`; the controller will now emit INFO level logs for some of its dependencies
* Added validation to ensure `HTTPRoute` paths are absolute; relative paths are not supported by the proxy, and the policy controller admission server will reject any routes that use paths which do not start with `/`