Tags

Tags give the ability to mark specific points in history as being important
  • edge-23.1.1
    028a6826 · edge-23.1.1 (#10129) ·
    This edge release fixes a caching issue in the destination controller, converts
    deprecated policy resources, and introduces several changes to how the proxy
    works.
    
    A bug in the destination controller that could potentially lead to stale pods
    being considered in the load balancer has been fixed.
    
    Several Linkerd extensions were still using the now deprecated
    ServerAuthorization resource. These instances have now been converted to using
    AuthorizationPolicy. Additionally, removed several policy resources that
    authenticated probes, since probes are now authenticated by default.
    
    As part of ongoing policy work, there are several changes with how the proxy
    works. Routes are now lazily initialized so that service profile routes will
    not show up in metrics until the route is used. Furthermore, the proxy’s
    traffic splitting behavior has changed so that only available resources are
    used, resulting in fewer failfast errors.
    
    Finally, this edge release contains a number of fixes and improvements from our
    contributors.
    
    * Converted `ServerAuthorization` resources to `AuthorizationPolicy` resources
      in Linkerd extensions
    * Removed policy resources bound to admin servers in extensions (previously
      these resources were used to authorize probes but now are authorized by
      default)
    * Added a `resources` field in the linkerd-cni chart (thanks @jcogilvie!)
    * Fixed an issue in the CLI where `--identity-external-ca` would set an
      incorrect field (thanks @anoxape!)
    * Fixed an issue in the destination controller's cache that could result in
      stale endpoints when using EndpointSlice objects
    * Added namespace to namespace-metadata resources in Helm (thanks @joebowbeer!)
    * Added support for Pod Security Admission (Pod Security Policy resources are
      still supported but disabled by default)
    * Changed routes to be initialized lazily. Service Profile routes will no
      longer show up in metrics until the route is used (default routes are always
      available when no Service Profile is defined for a service)
    * Changed the proxy's behavior when traffic splitting so that only services
      that are not in failfast are used. This will enable the proxy to manage
      failover without external coordination
    * Updated tokio (async runtime) in the proxy which should reduce CPU usage,
      especially for proxy's pod local (i.e. in the same network namespace)
      communication
    * Fixed an issue where `linkerd viz tap` would display wrong latency/duration
      value (thanks @olegy2008!)
    
  • stable-2.12.3
    5dc8f520 · Fix go lint warnings ·
    ## stable-2.12.3
    
    This stable release is packed with various fixes in both the core linkerd
    controllers and extensions.
    
    * CLI
      * Fixed `linkerd check` failing when the cluster had services of type
        `ExternalName`
      * Fixed `linkerd multicluster install` not honoring the `gateway.UID` setting
      * Fixed flag `linkerd upgrade --from-manifests`
    
    * Destination Controller
      * Fixed race condition in destination controller
      * Fixed issue in the destination controller where `hostPort` mappings were
        being ignored
    
    * linkerd-proxy-init
      * Set the `noop` init container user to be the same as `proxy-init`'s to avoid
        errors when the security context disallows running as root
      * Introduced `proxyInit.privileged` setting to allow running
        `linkerd-proxy-init` without restrictions when required
      * Added port 6443 to default skipped ports to bypass proxy when ebpf CNIs
        override the API Server packet destination
    
    * Extensions
      * Removed unnecessary `proxyProtocol` restriction in the multicluster gateway
        Server (thanks @psmit!)
      * Added "Exists" toleration to the `linkerd-cni` DaemonSet to have it
        installed by default in tainted nodes
      * Make dashboard loading more robust when in the presence of browser plugins
        injecting script tags (thanks @junnplus!)
    
  • edge-22.12.1
    This edge release introduces static and dynamic port overrides for CNI eBPF
    socket-level load balancing. In certain installations when CNI plugins run in
    eBPF mode, socket-level load balancing rewrites packet destinations to port
    6443; as with 443 already, this port is now skipped as well on control plane
    components so that they can communicate with the Kubernetes API before their
    proxies are running.
    
    Additionally, a potential panic and false warning have been fixed in the
    destination controller.
    
    * Updated linkerd-jaeger's collector to expose port 4318 in order to support HTTP
      alongside gRPC (thanks @uralsemih!)
    * Added a `proxyInit.privileged` setting to control whether the `proxy-init`
      initContainer runs as a privileged process
    * Fixed a potential panic in the destination controller caused by concurrent
      writes when dealing with Endpoint updates
    * Fixed false warning when looking up HostPort mappings on Pods
    * Added static and dynamic port overrides for CNI eBPF to work with socket-level
      load balancing
  • edge-22.11.3
    ## edge-22.11.3
    
    This edge release fixes connection errors to pods that use `hostPort`
    configurations. The CNI `network-validator` init container features
    improved error logging, and the default `linkerd-cni` DaemonSet
    configuration is updated to tolerate all node taints so that the CNI
    runs on all nodes in a cluster.
    
    * Fixed `destination` service to properly discover targets using a `hostPort`
      different than their `containerPort`, which was causing 502 errors
    * Upgraded the `network-validator` with better logging allowing users to
      determine whether failures occur as a result of their environment or the tool
      itself
    * Added default `Exists` toleration to the `linkerd-cni` DaemonSet, allowing it
      to be deployed in all nodes by default, regardless of taints
    
  • edge-22.11.2
    ## edge-22.11.2
    
    This edge release introduces the use of the Kubernetes metadata API in the
    proxy-injector and tap-injector components. This can reduce the IO and memory
    footprint for those components as they now only need to track the metadata for
    certain resources, rather than the entire resource itself. Similar changes will
    be made for the destination component in an upcoming release.
    
    * Bumped HTTP dependencies to fix a potential deadlock in HTTP/2 clients
    * Changed the proxy-injector and tap-injector components to use the metadata API
      which should result in less memory consumption
    
  • edge-22.11.1
    77fbe4d4 · edge-22.11.1 (#9815) ·
    This edge release ships a few fixes in Linkerd's dashboard, and the
    multicluster extension. Additionally, a regression has been fixed in the CLI
    that blocked upgrades from versions older than 2.12.0, due to missing CRDs
    (even if the CRDs were present in-cluster). Finally, the release includes
    changes to the helm charts to allow for arbitrary (user-provided) labels on
    Linkerd workloads.
    
    * Fixed an issue in the CLI where upgrades from any version prior to
      stable-2.12.0 would fail when using the `--from-manifest` flag
    * Removed un-injectable namespaces, such as kube-system from unmeshed resource
      notification in the dashboard (thanks @MoSattler!)
    * Fixed an issue where the dashboard would respond to requests with 404 due to
      wrong root paths in the HTML script (thanks @junnplus!)
    * Removed the proxyProtocol field in the multicluster gateway policy; this has
      the effect of changing the protocol from 'HTTP/1.1' to 'unknown' (thanks
      @psmit!)
    * Fixed the multicluster gateway UID when installing through the CLI, prior to
      this change the 'runAsUser' field would be empty
    * Changed the helm chart for the control plane and all extensions to support
      arbitrary labels on resources (thanks @bastienbosser!)
    
  • edge-22.10.3
    This edge release adds `network-validator`, a new init container to be used when
    CNI is enabled. `network-validator` ensures that local iptables rules are
    working as expected. It will validate this before linkerd-proxy starts.
    `network-validator` replaces the `noop` container, runs as `nobody`, and drops
    all capabilities before starting.
    
    * Validate CNI `iptables` configuration during pod startup
    * Fix "cluster networks contains all services" fails with services with no
      ClusterIP
    * Remove kubectl version check from `linkerd check` (thanks @ziollek!)
    * Set `readOnlyRootFilesystem: true` in viz chart (thanks @mikutas!)
    * Fix `linkerd multicluster install` by re-adding `pause` container image
      in chart
    * linkerd-viz have hardcoded image value in namespace-metadata.yml template
      bug correction (thanks @bastienbosser!)
    
  • stable-2.12.2
    ## stable-2.12.2
    
    This stable release fixes an issue with CNI chaining that was preventing the
    Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also
    fixes some sections of the Viz dashboard appearing blank, and adds an optional
    PodMonitor resource to the Helm chart to enable easier integration with the
    Prometheus Operator. Several other fixes are included.
    
    * Proxy
      * Fixed proxies emitting some duplicate inbound metrics
    
    * Control Plane
      * Fixed handling of `.conf` files in the CNI plugin so that the Linkerd CNI
        plugin can be used alongside other CNI plugins such as Cilium
      * Added a noop init container to injected pods when the CNI plugin is enabled
        to prevent certain scenarios where a pod can get stuck without an IP address
      * Fixed the `NotIn` label selector operator in the policy resources being
        erroneously treated as `In`.
      * Fixed a bug where the `config.linkerd.io/proxy-version` annotation could be
        empty
    
    * CLI
      * Added a `linkerd diagnostics policy` command to inspect Linkerd policy state
      * Added a check that ClusterIP services are in the cluster networks
      * Expanded the `linkerd authz` command to display AuthorizationPolicy
        resources that target namespaces (thanks @aatarasoff!)
      * Fixed warning logic in the "linkerd-viz ClusterRoles exist" and "linkerd-viz
        ClusterRoleBindings exist" checks in `linkerd viz check`
      * Fixed the CLI ignoring the `--api-addr` flag (thanks @mikutas!)
    
    * Helm
      * Added an optional PodMonitor resource to the main Helm chart (thanks
        @jaygridley!)
    
    * Dashboard
      * Fixed the dashboard sections Tap, Top, and Routes appearing blank (thanks
        @MoSattler!)
      * Updated Grafana dashboards to use variable duration parameter so that they
        can be used when Prometheus has a longer scrape interval (thanks @TarekAS)
    
  • edge-22.10.2
    c8a79841 · edge-22.10.2 (#9597) ·
    This edge release fixes an issue with CNI chaining that was preventing the
    Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also
    includes several other fixes.
    
    * Updated Grafana dashboards to use variable duration parameter so that they can
      be used when Prometheus has a longer scrape interval (thanks @TarekAS)
    * Fixed handling of .conf files in the CNI plugin so that the Linkerd CNI plugin
      can be used alongside other CNI plugins such as Cilium
    * Added a `linkerd diagnostics policy` command to inspect Linkerd policy state
    * Added a check that ClusterIP services are in the cluster networks
    * Added a noop init container to injected pods when the CNI plugin is enabled
      to prevent certain scenarios where a pod can get stuck without an IP address
    * Fixed a bug where the `config.linkerd.io/proxy-version` annotation could be empty
    
  • edge-22.10.1
    ## edge-22.10.1
    
    This edge release fixes some sections of the Viz dashboard appearing blank, and
    adds an optional PodMonitor resource to the Helm chart to enable easier
    integration with the Prometheus Operator. It also includes many fixes submitted
    by our contributors.
    
    * Fixed the dashboard sections Tap, Top, and Routes appearing blank (thanks
      @MoSattler!)
    * Added an optional PodMonitor resource to the main Helm chart (thanks
      @jaygridley!)
    * Fixed the CLI ignoring the `--api-addr` flag (thanks @mikutas!)
    * Expanded the `linkerd authz` command to display AuthorizationPolicy resources
      that target namespaces (thanks @aatarasoff!)
    * Fixed the `NotIn` label selector operator in the policy resources, being
      erroneously treated as `In`.
    * Fixed warning logic around the "linkerd-viz ClusterRoles exist" and
      "linkerd-viz ClusterRoleBindings exist" checks in `linkerd viz check`
    * Fixed proxies emitting some duplicate inbound metrics
    
  • stable-2.12.1
    93dbb8b3 · stable-2.12.1 (#9453) ·
    ## stable-2.12.1
    
    This release includes several control plane and proxy fixes for `stable-2.12.0`.
    In particular, it fixes issues related to control plane HTTP servers' header
    read timeouts resulting in decreased controller success rates, lowers the
    inbound connection pool idle timeout in the proxy, and fixes an issue where the
    jaeger injector would put pods into an error state when upgrading from
    stable-2.11.x.
    
    Additionally, this release adds the `linkerd.io/trust-root-sha256` annotation to
    all injected workloads allowing predictable comparison of all workloads' trust
    anchors via the Kubernetes API.
    
    For Windows users, note that the Linkerd CLI's `nupkg` file for Chocolatey is
    once again included in the release assets (it was previously removed in
    stable-2.10.0).
    
    * Proxy
      * Lowered inbound connection pool idle timeout to 3s
    
    * Control Plane
      * Updated AdmissionRegistration API version usage to v1
      * Added `linkerd.io/trust-root-sha256` annotation on all injected workloads
        to indicate certificate bundle
      * Updated fields in `AuthorizationPolicy` and `MeshTLSAuthentication` to
        conform to specification (thanks @aatarasoff!)
      * Updated the identity controller to not require a `ClusterRoleBinding`
        to read all deployment resources
      * Increased servers' header read timeouts so they no longer match default
        probe and Prometheus scrape intervals
    
    * Helm
      * Restored `namespace` field in Linkerd helm charts
      * Updated `PodDisruptionBudget` `apiVersion` from `policy/v1beta1` to
        `policy/v1` (thanks @Vrx555!)
    
    * Extensions
      * Fixed jaeger injector interfering with upgrades to 2.12.x
    
  • stable-2.11.5
    This release lowers the inbound connection pool idle timeout to 3s. This should
    help avoid socket errors, especially for Kubernetes probes. Additionally, it
    upgrades the version of Go used by the control plane and CLI from 1.17 to 1.18.
    
  • edge-22.9.2
    566721c7 · edge-22.9.2 (#9432) ·
    This release fixes an issue where the jaeger injector would put pods into an
    error state when upgrading from stable-2.11.x.
    
    * Updated AdmissionRegistration API version usage to v1
    * Fixed jaeger injector interfering with upgrades to 2.12.x
    
  • edge-22.9.1
    This release adds the `linkerd.io/trust-root-sha256` annotation to all injected
    workloads allowing predictable comparison of all workloads' trust anchors via
    the Kubernetes API.
    
    Additionally, this release lowers the inbound connection pool idle timeout to
    3s. This should help avoid socket errors, especially for Kubernetes probes.
    
    * Added `linkerd.io/trust-root-sha256` annotation on all injected workloads
      to indicate certificate bundle
    * Lowered inbound connection pool idle timeout to 3s
    * Restored `namespace` field in Linkerd helm charts
    * Updated fields in `AuthorizationPolicy` and `MeshTLSAuthentication` to
      conform to specification (thanks @aatarasoff!)
    * Updated the identity controller to not require a `ClusterRoleBinding`
      to read all deployment resources.
    
  • edge-22.8.3
    Increased control plane HTTP servers' read timeouts so that they no longer
    match the default probe intervals. This was leading to closed connections
    and decreased controller success rate.
    
  • stable-2.12.0
    This release introduces route-based policy to Linkerd, allowing users to define
    and enforce authorization policies based on HTTP routes in a fully zero-trust
    way. These policies are built on Linkerd's strong workload identities, secured
    by mutual TLS, and configured using types from the Kubernetes [Gateway
    API](https://gateway-api.sigs.k8s.io/).
    
    The 2.12 release also introduces optional request logging ("access logging"
    after its name in webservers), optional support for `iptables-nft`, and a host
    of other improvements and performance enhancements.
    
    Additionally, the `linkerd-smi` extension is now required to use TrafficSplit,
    and the installation process has been updated to separate management of the
    Linkerd CRDs from the main installation process. With the CLI, you'll need to
    `linkerd install --crds` before running `linkerd install`; with Helm, you'll
    install the new `linkerd-crds` chart, then the `linkerd-control-plane` chart.
    These charts are now versioned using [SemVer](https://semver.org) independently
    of Linkerd releases. For more information, see the [upgrade
    notes][upgrade-2120].
    
    **Upgrade notes**: Please see the [upgrade instructions][upgrade-2120].
    
    * Proxy
      * Added a `config.linkerd.io/shutdown-grace-period` annotation to limit the
        duration that the proxy may wait for graceful shutdown
      * Added a `config.linkerd.io/access-log` annotation to enable logging of
        workload requests
      * Added a new `iptables-nft` mode for the `proxy-init` initContainer
      * Added support for non-HTTP traffic forwarding within the mesh in `ingress`
        mode
      * Added the `/env.json` log diagnostic endpoint
      * Added a new `process_uptime_seconds_total` metric to track proxy uptime in
        seconds
      * Added support for dynamically discovering policies for ports that are not
        documented in a pod's `containerPorts`
      * Added support for route-based inbound HTTP metrics
        (`route_group`/`route_kind`/`route_name`)
      * Added a new annotation to configure skipping subnets in the init container
        (`config.linkerd.io/skip-subnets`), needed e.g. in Docker-in-Docker
        workloads (thanks @michaellzc!)
    
    * Control Plane
      * Added support for per-route policy by supporting AuthorizationPolicy
        resources which can target HttpRoute or Server resources
      * Added support for bound service account token volumes for the control plane
        and injected workloads
      * Removed kube-system exclusions from watchers to fix service discovery for
        workloads in the kube-system namespace (thanks @JacobHenner!)
      * Updated healthcheck to ignore `Terminated` state for pods (thanks
        @AgrimPrasad!)
      * Updated the default policy controller log level to `info`; the controller
        will now emit INFO level logs for some of its dependencies
      * Added probe authorization by default, allowing clusters that use a default
        `deny` policy to not explicitly need to authorize probes
      * Fixed an issue where the proxy-injector would break when using
        `nodeAffinity` values for the control plane
      * Fixed an issue where certain control plane components were not restarting as
        necessary after a trust root rotation
      * Removed SMI functionality in the default Linkerd installation; this is now
        part of the `linkerd-smi` extension
    
    * CLI
      * Fixed the `linkerd check` command crashing when unexpected pods are found in
        a Linkerd namespace
      * Updated the `linkerd authz` command to support AuthorizationPolicy and
        HttpRoute resources
      * Updated `linkerd check` to allow RSA signed trust anchors (thanks
        @danibaeyens!)
      * `linkerd install --crds` must be run before `linkerd install`
      * `linkerd upgrade --crds` must be run before `linkerd upgrade`
      * Fixed invalid yaml syntax in the viz extension's tap-injector template
        (thanks @wc-s!)
      * Fixed an issue where the `--default-inbound-policy` setting was not being
        respected
      * Added support for AuthorizationPolicy and HttpRoute to `viz authz` command
      * Added support for AuthorizationPolicy and HttpRoute to `viz stat` command
      * Added support for policy metadata in `linkerd viz tap`
    
    * Helm
      * Split the `linkerd2` chart into `linkerd-crds` and `linkerd-control-plane`
      * Charts are now versioned using [SemVer](https://semver.org) independently of
        Linkerd releases
      * Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)
      * Changed the `proxy.await` Helm value so that users can now disable
        `linkerd-await` on control plane components
      * Added the `policyController.probeNetworks` Helm value for configuring the
        networks that probes are expected to be performed from
    
    * Extensions
      * Added annotations to allow Linkerd extension deployments to be evicted by
        the autoscaler when necessary
      * Added ability to run the Linkerd CNI plugin in non-chained (stand-alone)
        mode
      * Added a ServiceAccount token Secret to the multicluster extension to support
        Kubernetes versions >= v1.24
    
    This release includes changes from a massive list of contributors, including
    engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and
    others. A special thank-you to everyone who helped make this release possible:
    
    [@AgrimPrasad](https://github.com/AgrimPrasad) Ahmed Al-Hulaibi
    [@ahmedalhulaibi](https://github.com/ahmedalhulaibi) Aleksandr Tarasov
    [@aatarasoff](https://github.com/aatarasoff) Alexander Berger
    [@alex-berger](https://github.com/alex-berger) Ao Chen
    [@chenaoxd](https://github.com/chenaoxd) Badis Merabet
    [@badis](https://github.com/badis) Bjørn [@Crevil](https://github.com/Crevil)
    [@bdun1013](https://github.com/bdun1013) Christian Schlotter
    [@chrischdi](https://github.com/chrischdi) Dani Baeyens
    [@danibaeyens](https://github.com/danibaeyens) David Symons
    [@multimac](https://github.com/multimac) Dmitrii Ermakov
    [@ErmakovDmitriy](https://github.com/ErmakovDmitriy) Elvin Efendi
    [@ElvinEfendi](https://github.com/ElvinEfendi) Evan Hines
    [@evan-hines-firebolt](https://github.com/evan-hines-firebolt) Eng Zer Jun
    [@Juneezee](https://github.com/Juneezee) Gustavo Fernandes de Carvalho
    [@gusfcarvalho](https://github.com/gusfcarvalho) Harry Walter
    [@haswalt](https://github.com/haswalt) Israel Miller
    [@imiller31](https://github.com/imiller31) Jack Gill
    [@jackgill](https://github.com/jackgill) Jacob Henner
    [@JacobHenner](https://github.com/JacobHenner) Jacob Lorenzen
    [@Jaxwood](https://github.com/Jaxwood) Joakim Roubert
    [@joakimr-axis](https://github.com/joakimr-axis) Josh Ault
    [@jault-figure](https://github.com/jault-figure) João Soares
    [@jasoares](https://github.com/jasoares) jtcarnes
    [@jtcarnes](https://github.com/jtcarnes) Kim Christensen
    [@kichristensen](https://github.com/kichristensen) Krzysztof Dryś
    [@krzysztofdrys](https://github.com/krzysztofdrys) Lior Yantovski
    [@lioryantov](https://github.com/lioryantov) Martin Anker Have
    [@mahlunar](https://github.com/mahlunar) Michael Lin
    [@michaellzc](https://github.com/michaellzc) Michał Romanowski
    [@michalrom089](https://github.com/michalrom089) Naveen Nalam
    [@nnalam](https://github.com/nnalam) Nick Calibey
    [@ncalibey](https://github.com/ncalibey) Nikola Brdaroski
    [@nikolabrdaroski](https://github.com/nikolabrdaroski) Or Shachar
    [@or-shachar](https://github.com/or-shachar) Pål-Magnus Slåtto
    [@dev-slatto](https://github.com/dev-slatto) Raman Gupta
    [@rocketraman](https://github.com/rocketraman) Ricardo Gândara Pinto
    [@rmgpinto](https://github.com/rmgpinto) Roberth Strand
    [@roberthstrand](https://github.com/roberthstrand) Sankalp Rangare
    [@sankalp-r](https://github.com/sankalp-r) Sascha Grunert
    [@saschagrunert](https://github.com/saschagrunert) Steve Gray
    [@steve-gray](https://github.com/steve-gray) Steve Zhang
    [@zhlsunshine](https://github.com/zhlsunshine) Takumi Sue
    [@mikutas](https://github.com/mikutas) Tanmay Bhat
    [@tanmay-bhat](https://github.com/tanmay-bhat) Táskai Dominik
    [@dtaskai](https://github.com/dtaskai) Ujjwal Goyal
    [@importhuman](https://github.com/importhuman) Weichung Shaw
    [@wc-s](https://github.com/wc-s) Wim de Groot
    [@wim-de-groot](https://github.com/wim-de-groot) Yannick Utard
    [@utay](https://github.com/utay) Yurii Dzobak
    [@yuriydzobak](https://github.com/yuriydzobak) 罗泽轩
    [@spacewander](https://github.com/spacewander)
    
    [upgrade-2120]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2120
    
  • stable-2.12.0-rc2
    ## stable-2.12.0-rc2
    
    This release is the second release candidate for stable-2.12.0.
    
    At this point the Helm charts can be retrieved from the stable repo:
    
    ```sh
    helm repo add linkerd https://helm.linkerd.io/stable
    helm repo up
    helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
    helm install linkerd-control-plane \
      -n linkerd \
      --set-file identityTrustAnchorsPEM=ca.crt \
      --set-file identity.issuer.tls.crtPEM=issuer.crt \
      --set-file identity.issuer.tls.keyPEM=issuer.key \
      linkerd/linkerd-control-plane
    ```
    
    The following lists all the changes since edge-22.8.2:
    
    * Fixed inheritance of the `linkerd.io/inject` annotation from Namespace to
      Workloads when its value is `ingress`
    * Added the `config.linkerd.io/default-inbound-policy: all-authenticated`
      annotation to linkerd-multicluster’s Gateway deployment so that all clients
      are required to be authenticated
    * Added a `ReadHeaderTimeout` of 10s to all the go `http.Server` instances, to
      avoid being vulnerable to "slowloris" attacks
    * Added check in `linkerd viz check --proxy` to warn in case a namespace has the
      `config.linkerd.io/default-inbound-policy: deny` annotation, which would not
      authorize scrapes coming from the linkerd-viz Prometheus instance
    * Added validation for accepted values for the `--default-inbound-policy` flag
    * Fixed invalid URL in the `linkerd install --help` output
    * Added `--destination-pod` flag to `linkerd diagnostics endpoints` subcommand
    * Added `proxyInit.runAsUser` in `values.yaml` defaulting to non-zero, to
      complement the new default `proxyInit.runAsRoot: false` that was recently
      changed
    
  • edge-22.8.2
    5427446d · edge-22.8.2 (#9138) ·
    This release is considered a release candidate for stable-2.12.0 and we
    encourage you to try it out! It includes an update to the multicluster extension
    which adds support for Kubernetes v1.24 and also updates many CLI commands to
    support the new policy resources: ServerAuthorization and HTTPRoute.
    
    * Updated linkerd check to allow RSA signed trust anchors (thanks @danibaeyens)
    * Fixed some invalid yaml in the viz extension's tap-injector template (thanks @wc-s)
    * Added support for AuthorizationPolicy and HttpRoute to viz authz command
    * Added support for AuthorizationPolicy and HttpRoute to viz stat
    * Added support for policy metadata in linkerd tap
    * Fixed an issue where certain control plane components were not restarting as
      necessary after a trust root rotation
    * Added a ServiceAccount token Secret to the multicluster extension to support
      Kubernetes versions >= v1.24
    * Fixed an issue where the --default-inbound-policy setting was not being
      respected
    
  • edge-22.8.1
    This release introduces default probe authorization. This means that on
    clusters that use a default `deny` policy, probes do not have to be explicitly
    authorized using policy resources. Additionally, the
    `policyController.probeNetworks` Helm value has been added, which allows users
    to configure the networks that probes are expected to be performed from.
    
    Additionally, the `linkerd authz` command has been updated to support the policy
    resources AuthorizationPolicy and HttpRoute.
    
    Finally, some smaller changes include allowing to disable `linkerd-await` on
    control plane components (using the existing `proxy.await` configuration) and
    changing the default iptables mode back to `legacy` to support more cluster
    environments by default.
    
    * Updated the `linkerd authz` command to support AuthorizationPolicy and
      HttpRoute resources
    * Changed the `proxy.await` Helm value so that users can now disable
      `linkerd-await` on control plane components
    * Added probe authorization by default allowing clusters that use a default
      `deny` policy to not explicitly need to authorize probes
    * Added ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode
    * Added the `policyController.probeNetworks` Helm value for configuring the
      networks that probes are expected to be performed from
    * Changed the default iptables mode to `legacy`
    
  • edge-22.7.3
    26f696da · edge-22.7.3 (#9030) ·
    This release adds a new `nft` iptables mode, used by default in proxy-init.
    When used, firewall configuration will be set-up through the `iptables-nft`
    binary; this should allow hosts that do not support `iptables-legacy` (such as
    RHEL based environments) to make use of the init container. The older
    `iptables-legacy` mode is still supported, but it must be explicitly turned on.
    Moreover, this release also replaces the `HTTPRoute` CRD with Linkerd's own
    version, and includes a number of fixes and improvements.
    
    * Added a new `iptables-nft` mode for proxy-init. When running in this mode,
      the firewall will be configured with `nft` kernel API; this should allow
      users to run the init container on RHEL-family hosts
    * Fixed an issue where the proxy-injector would break when using `nodeAffinity`
      values for the control plane
    * Updated healthcheck to ignore `Terminated` state for pods (thanks
      @AgrimPrasad!)
    * Replaced `HTTPRoute` CRD version from `gateway.networking.k8s.io` with a
      similar version from the `policy.linkerd.io` API group. While the CRD is
      similar, it does not support the `Gateway` type, does not contain the
      `backendRefs` fields, and does not support `RequestMirror` and `ExtensionRef`
      filter types.
    * Updated the default policy controller log level to `info`; the controller
      will now emit INFO level logs for some of its dependencies
    * Added validation to ensure `HTTPRoute` paths are absolute; relative paths are
      not supported by the proxy and the policy controller admission server will
      reject any routes that use paths which do not start with `/`