Tags

Tags give the ability to mark specific points in history as being important
  • edge-22.1.5
    This edge release adds support for per-request Access Logging for HTTP inbound
    requests in Linkerd. A new annotation i.e. `config.linkerd.io/access-log` is added,
    which configures the proxies to emit access logs to stderr. `apache` and `json`
    are the supported configuration options, emitting access logs in Apache Common
    Log Format and JSON respectively.
    
    Special thanks to @tustvold for all the initial work around this!
    
    * Updated injector to support the new `config.linkerd.io/access-log` annotation
    * Added a new `LINKERD2_PROXY_ACCESS_LOG` proxy environment variable to configure
      the access log format (thanks @tustvold)
    * Updated service mirror controller to emit relevant events when
      mirroring is skipped for a service
    * Updated various dependencies across the project (thanks @dependabot)
    
  • edge-22.1.4
    b158c0b6 · edge-22.1.4 (#7653) ·
    This edge release features a new configuration annotation, support for
    externally hosted Grafana instances, and other improvements in the CLI,
    dashboard and Helm charts. To learn more about using an external Grafana
    instance with Linkerd, you can refer to our
    [docs](https://github.com/linkerd/website/blob/0c3c5cd5ae329cd7dbcca18534f3bc8ec7d57859/linkerd.io/content/2.12/tasks/grafana.md).
    
    * Added a new annotation to configure skipping subnets in the init container
      (`config.linkerd.io/skip-subnets`). This configuration option is ideal for
      Docker-in-Docker (dind) workloads (thanks @michaellzc!)
    * Added support in the dashboard for externally hosted Grafana instances
      (thanks @jackgill!)
    * Introduced resource block to `linkerd-jaeger` Helm chart (thanks
      @yuriydzobak!)
    * Introduced parametrized datasource (`DS_PROMETHEUS`) in all Grafana
      dashboards. This allows pointing to the right Prometheus datasource when
      importing a dashboard
    * Introduced a consistent `--ignore-cluster` flag in the CLI for the base
      installation and extensions; manifests will now be rendered even if there is
      an existing installation in the current Kubernetes context (thanks
      @krzysztofdrys!)
    * Updated the service mirror controller to skip mirroring services whose
      namespaces do not yet exist in the source cluster; previously, the service
      mirror would create the namespace itself.
    
  • edge-22.1.3
    This release removes the Grafana component in the linkerd-viz extension.
    Users can now import linkerd dashboards into Grafana from the [Linkerd org](https://grafana.com/orgs/linkerd)
    in Grafana. Users can also follow the instructions in the [docs](https://github.com/linkerd/website/blob/f687a04ee43c90bd804b04af287bc80c9366db98/linkerd.io/content/2.12/tasks/grafana.md)
    to install a separate Grafana that can be integrated with the Linkerd Dashboard.
    
    * Stopped shipping grafana-based image in the linkerd-viz extension
    * Removed `repair` sub-command in the CLI
    * Updated various dependencies across the project (thanks @dependabot)
    
  • edge-22.1.2
    dbb2fd2e · edge-22.1.2 (#7584) ·
    This release sets the version of the extension Helm charts to 30.0.0-edge to
    ensure that previous versions of these charts can be upgraded properly.
    
    * Reset extensions Helm chart versions at 30.0.0-edge
    * Pin multicluster extension pause container version to 3.2 so that it will work
      on Arm architectures
    * Create a unique PSP `RoleBinding` for each multicluster link to prevent
      conflicts when PSP is enabled
    
  • edge-22.1.1
    6a5f5802 · edge 22.1.1 (#7572) ·
    This release adds support for using the cert-manager CA Injector to configure
    Linkerd's webhooks.
    
    * Fixed a rare issue when a Service's opaque ports annotation does not match
      that of the pods in the service
    * Disallowed privilege escalation in control plane containers (thanks @kichristensen!)
    * Updated the multicluster extension's service mirror controller to make mirror
      services empty when the exported service is empty
    * Added support for injecting Webhook CA bundles with cert-manager CA Injector
      (thanks @bdun1013!)
    
  • edge-21.12.4
    This release adds support for custom HTTP methods in the viz stats
    (i.e. CLI and Dashboard). Additionally, it also includes various
    smaller improvements.
    
    * Added support for custom HTTP methods in the `linkerd-viz` stats
    * Updated the health checker to pull trust root from the `linkerd-identity-trust-roots`
      configmap to support cases where they are generated externally (thanks @wim-de-groot)
    * Removed unnecessary `installNamespace` bool flag from the
      `linkerd-control-plane` chart (thanks @mikutas)
    * Updated the `install` command to error if container runtime check fails
    * Updated various dependencies across the project (thanks @dependabot)
    
  • edge-21.12.3
    ## edge-21.12.3
    
    This edge release contains a few improvements to the CLI commands and a major
    change around Helm charts.
    
    * **Breaking change**
    
    The `linkerd2` chart has been deprecated in favor of the `linkerd-crds` and
    `linkerd-control-plane` charts. The former takes care of installing all the
    required CRDs and the latter everything else. Of important note is that, as per
    Helm best practice, we're no longer creating the linkerd namespace. Users are
    required to do that manually, or have the Helm tool do it explicitly. So the
    install procedure would look something like this:
    
    ```bash
    helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
    
    helm install linkerd-control-plane -n linkerd \
      --set-file identityTrustAnchorsPEM=ca.crt \
      --set-file identity.issuer.tls.crtPEM=issuer.crt \
      --set-file identity.issuer.tls.keyPEM=issuer.key \
      linkerd/linkerd-control-plane
    ```
    
    In order to upgrade, please delete your previously installed `linkerd2` chart
    and install the new charts as explained above.
    
    Although the charts for the main extensions (viz, multicluster, jaeger,
    linkerd2-cni) were not deprecated, they also stopped creating their namespace
    and users are required to uninstall and reinstall them anew, e.g.:
    
    ```bash
    helm install linkerd-viz -n linkerd-viz --create-namespace linkerd/linkerd-viz
    ```
    
    * Added a new `--obfuscate` flag to `linkerd diagnostics proxy-metrics` to
      obfuscate potentially private information in the output (thanks
      @ahmedalhulaibi!)
    * Fixed formatting of the recommended value for `--set clusterNetworks` in the
      `linkerd check` output when that parameter doesn't contain all the node
      podCIDRs (thanks @ElvinEfendi!)
    * Skipped evicted pods in `linkerd viz check` and `linkerd jaeger check`, to
      avoid the checks failing unnecessarily
    * Removed some no longer used environment variables from the proxy's manifest
    
  • edge-21.12.2
    This edge removes the default SMI functionality that is included in
    installations now that the linkerd-smi extension provides these resources. It
    also relaxes the `proxy-init`'s `privileged` value to only be set to `true` when
    needed by certain installation configurations.
    
    Along with some bug fixes, the repository's issue and feature request templates
    have been updated to forms; check them when opening a [new
    issue](https://github.com/linkerd/linkerd2/issues/new/choose)! (thanks
    @mikutas).
    
    * Removed SMI functionality in the default Linkerd installation; this is now
      part of the linkerd-smi extension
    * Fixed autocompletion of the `--context` flag (thanks @mikutas!)
    * Added support for conditionally setting `proxy-init`'s `privileged: true` only
      when needed (thanks @alex-berger!)
    * Added support for controlling opaque ports through the Server resource
    * Fixed an issue where `linkerd check` would compare proxy versions of
      uninjected pods leading to incorrect errors
    * Relaxed extension checks so that the CLI still works when not all extension
      proxies are healthy
    * Added the `--default-inbound-policy` flag to `linkerd inject` for setting a
      non-default inbound policy on injected workloads (thanks @ahmedalhulaibi!)
    
  • edge-21.12.1
    ## edge-21.12.1
    
    This edge release enables by default `EndpointSlices` in the destination
    controller, which unblocks any functionality that is specific to
    `EndpointSlices` such as topology-aware hints. It also contains a couple of
    internal cleanups and upgrades, by our external contributors!
    
    * Added new check to `linkerd check` verifying the nodes aren't running the old
      Docker container runtime and attempting to run proxy-init as root at the same
      time, which doesn't work (thanks @alex-berger!)
    * Enabled `EndpointSlices` in the destination controller by default
    * Removed extraneous empty lines and fixed the formatting of warnings in the
      output of `linkerd check -o short`
    * Upgraded to go 1.17 (thanks @Juneezee!)
    * Removed old protobuf definitions from the codebase (thanks @krzysztofdrys!)
    
  • edge-21.11.4
    This edge release introduces a change in the destination service to honor
    opaque ports set in the `proxyProtocol` field of `Server` resources. This
    change makes it possible to set opaque ports directly in `Server` resources
    without needing the opaque ports annotation on pods. The release also features
    a number of fixes and improvements, a big thank you to our external
    contributors for their continued support and involvement.
    
    * Added support in the destination service for honoring opaque ports marked in
      `Server` resources; ports can now be marked as opaque directly in `Server`
      resources through the `proxyProtocol` field.
    * Added support to override default behavior and run `proxyInit` as root
      (thanks @alex-berger!)
    * Added multicluster `Link` CRD to code generation script; consumers of the
      multicluster API can now use a typed API to interact with multicluster links
      (thanks @zaharidichev!)
    * Added a multicluster integration test for exported headless services (thanks
      @importhuman!)
    * Deprecated `v1alpha1` version of the policy APIs
    * Removed newline from `linkerd check` header text (thanks @mikutas!)
    * Replaced deprecated `beta.kubernetes.io/os` label with `kubernetes.io/os`
    
  • edge-21.11.3
    This edge release fixes a compatibility issue that prevented the policy
    controller from starting in some Kubernetes distributions. This release also
    includes a new High Availability mode for the gateway component in multicluster
    extension. Various dependencies across the CNI plugin, Policy Controller and
    dashboard have also been upgraded. In the proxy, error logging when the proxy
    fails to accept a connection due to a system error has been improved.
    
    * Updated policy controller to use `openssl` instead of `rustls` to fix
      compatibility issues with some Kubernetes distributions
    * Added HA mode to multicluster gateway that adds a PodDisruptionBudget,
      additional replicas and anti-affinity to the deployment (thanks @Crevil)
    * Improved TCP server error messages in the proxy
    * Fixed broken Grafana links in the dashboard
    * Upgraded CNI pkg to v0.8.1 in `linkerd-cni` to support latest CNI
      versions
    * Updated various dependencies in the dashboard, policy controller
      (thanks @dependabot)
    
  • edge-21.11.2
    This edge release introduces a new Services page in the web dashboard that shows
    live calls and route metrics for meshed services. Additionally, the `proxy-init`
    container is no longer enforced to run as root. Lastly, the proxy can now retry
    requests with a `content-length` header—permitting requests emitted by grpc-go
    to be retried.
    
    * Removed hardcoding that enforced the `proxy-init` container to run as root
    * Added support for retrying requests without a `content-length` header
    * Changed service discovery logs from `TRACE` to `DEBUG`
    * Fixed issue with policy controller where it assumed `linkerd` was the name of
      the control plane namespace, leading to issues with installations that use a
      non-default namespace name
    * Added support for ephemeral storage requests and limits configured either
      through the CLI or annotations (thanks @michaellzc!)
    * Deprecated support for topology keys and added support for topology aware
      hints
    * Added `logFormat` and `logLevel` configuration values for the `proxy-init`
      container (thanks @gusfcarvalho!)
    * Added services to the web dashboard (thanks @krzysztofdrys!)
    * Updated example commands in the web dashboard to use the `viz` subcommand when
      necessary (thanks @mikutas!)
    * Removed references to `linkerd-sp-validator` service account in the
      `linkerd-psp` role binding (thanks @multimac!)
    
  • edge-21.11.1
    333fcf9d · edge-21.11.1 (#7226) ·
    ## edge-21.11.1
    
    In this edge, we're very excited to introduce Service Account Token Volume
    Projections, used to set up the pods' identities. These tokens are bounded
    specifically for this use case and are rotated daily, replacing the usage of the
    default tokens injected by Kubernetes which are overly permissive.
    
    Note that this edge release updates the minimum supported kubernetes version to 1.20.
    
    * Updated the minimum supported kubernetes version to 1.20
    * Use Service Account Token Volume Projections to set up the pods' identities;
      now injection also works on pods with `automountServiceAccountToken` set to
      `false`
    * Updated proxy-init's Alpine base image to fix some CVEs (not affecting
      Linkerd)
    * Updated the Prometheus image in linkerd-viz to 2.30.3
    * Changed the proxy and policy controller to use jemalloc on x86_64 gnu/linux to
      reduce memory usage
    * Fixed output for `linkerd check -o json`
    * Added ability to configure ephemeral-storage resources for each component
      (thanks @michaellzc!)
    
  • stable-2.11.1
    This release relaxes the policy on the identity controller, allowing it to work
    in more environments. It updates the CLI and Helm charts to indicate that the
    minimum supported Kubernetes version is 1.17.0.  It also fixes a number of bugs
    in the CLI, multicluster extension, and proxy.
    
    * Fixed incorrect opaque ports warning in linkerd check --proxy with un-named
      ports
    * Updated `linkerd check` to avoid multiline errors with retryable checks
    * Fixed multicluster gateway name for ServerAuthorization
    * Removed unused crtExpiry template parameter from helm charts
    * Updated minimum kubernetes version to 1.17.0
    * Moved service mirror policy into multicluster base chart
    * Added an `-o short` command-line flag for extension check commands
    * Skipped Prometheus scrapes on policy's admin server so that it no longer
      incorrectly appears as "DOWN" in the Prometheus UI
    * Updated the identity controller to use the 'all-unauthenticated' policy so
      that it can accept health checks from the node IPs
    * Fixed a bug where `authz` CLI commands would fail when policy resources had an
      empty selector
    * Fixed an infinite loop in the proxy that could cause it to be killed
    * Fixed a bug where extension checks were rendered in the wrong format
    * Changed the policy-controller to use jemalloc on x86_64 gnu/linux to reduce
      memory usage
    
  • edge-21.10.3
    0ed30271 · edge-21.10.3 (#7134) ·
    This edge release fixes a bug in the proxy that could cause it to be killed in
    certain situations. It also uses a more relaxed policy for the identity
    controller that allows it to work in environments where health checks come from
    outside of the pod network.
    
    * Skipped Prometheus scrapes on policy's `admin` server so that it no longer
      incorrectly appears as "DOWN" in the Prometheus UI
    * Updated the identity controller to use the 'all-unauthenticated' policy so
      that it can accept health checks from the node IPs
    * Fixed an infinite loop in the proxy that could cause it to be killed
    * Added tests for the multicluster install command (thanks @crevil!)
    * Fixed a bug where `authz` CLI commands would fail when policy resources had
      an empty selector
    
  • edge-21.10.2
    This edge release fixes linkerd check and the helm charts to explicitly
    indicate that the minimum Kubernetes version is 1.17.0. Prior to this change,
    there was no validation or enforcement from linkerd check or helm to meet this
    minimum requirement.
    
    This edge also improves `check` functionality for extensions by adding the
    `-oshort` flag, and prevents duplicate policy resources from being created for
    linked multicluster services.
    
    * Moved service mirror policy into multicluster base chart
    * Added `-oshort` flag for extension `check` commands
    * Updated minimum kubernetes version to 1.17.0
    * Removed unused `crtExpiry` template parameter from helm charts
    * Fixed multicluster gateway name for ServerAuthorization
    * Added `priorityClassName` to the helm charts to configure control plane
      components
    
  • edge-21.10.1
    This release includes some fixes in the `linkerd check`, along with a
    bunch of dependency updates across the dashboard, Go components, and
    others. On the proxy side, support for `TLSv1.2` has been dropped
    (only `TLSv1.3` cipher suite will be used), and the `h2` crate has been updated
    to support HTTP/2 messages with larger header values.
    
    * Updated `linkerd check` to avoid multiline errors with retryable checks
    * Fixed incorrect opaque ports warning in `linkerd check --proxy` with
      un-named ports
    * Bumped proxy-init to `1.4.1` which adds support for `--log-level`
      and `--log-format` flags (thanks @gusfcarvalho)
    * Removed the use of `TLSv1.2` in the proxy
    * Updated the `h2` crate in the proxy to support HTTP/2 messages with
      larger header values.
    * Updated various dependencies across the dashboard, policy-controller, etc
      (thanks @dependabot!)
    
  • stable-2.11.0
    ## stable-2.11.0
    
    This release introduces access control policies. Default policies may be
    configured at the cluster- and workspace-levels; and fine grained policies may
    be instrumented via the new `policy.linkerd.io/v1beta1` CRDs: `Server` and
    `ServerAuthorization`. These resources may be created to define how individual
    ports accept connections; and the `Server` resource will be a building block for
    future features that configure inbound proxy behavior.
    
    Furthermore, `ServiceProfile` retry configurations can now instrument retries
    for requests with bodies. This unlocks retry behavior for gRPC services.
    
    **Upgrade notes**: Please see the [upgrade instructions][upgrade-2110].
    
    * Proxy
      * Reduced CPU & Memory usage by up to 30% in some load tests
      * Updated retries to support requests with bodies up to 64KB. ServiceProfiles
        may now configure retries for gRPC services
      * The proxy's container image is now based on `gcr.io/distroless/cc` to
        contain a minimal OS footprint that should not trigger unnecessary alerts in
        security scanners
      * Added the `inbound_http_errors_total` and `outbound_http_errors_total`
        metrics to reflect errors that caused the proxy to respond with errors
      * Added an `l5d-proxy-error` header that is included on responses on trusted
        connections for debugging purposes
      * Added a `l5d-client-id` header on mutually-authenticated inbound requests so
        that applications can discover the client's identity
      * Added metrics to reflect TCP and HTTP authorization decisions
      * Added `srv_name` and `saz_name` labels to inbound HTTP metrics
      * Fixed an issue that could cause the proxy to continually reconnect to
        defunct service endpoints
      * Dropped support for non-HTTP outbound services when `linkerd.io/inject:
        ingress` is used
      * Instrumented fuzz testing to help guard against unexpected panics
    
    * Control Plane
      * Added a new `policy-controller` container to the `linkerd-destination`
        pod--the first control plane component implemented in Rust
      * Added a new admission controller to validate that multiple `Server`
        resources do not reference the same port
      * Added a `linkerd-identity-trust-roots` ConfigMap which configures the trust
        root bundle for all pods in the core control plane namespace
      * Eliminated the `linkerd-controller` deployment so that Linkerd's core
        control plane now consists of only 3 deployments
      * Updated the proxy injector to configure the `proxy-init` container with
        `NET_RAW` and `NET_ADMIN` capabilities so that the container does not fail
        when the pod drops these capabilities
    
    * CLI
      * Enhanced `linkerd completion` to expand Kubernetes resources from the current
        kubectl context
      * Added an `authz` subcommand to display the authorization policies that
        impact a workload
      * Added a _short_ output mode for `linkerd check` that only prints failed
        checks
      * Added support for `ReplicaSets` to `linkerd stat` so that pods created by
        Argo `Rollout` resources can be inspected
    
    * Helm: please see the [upgrade instructions][upgrade-2110].
    
    * Extensions:
      * Introduced a new (optional) SMI extension responsible for reading
        `specs.smi-spec.io` resources and converting them to Linkerd resources
      * In `stable-2.12`, this extension will be required to use `TrafficSplit`
        resources with Linkerd
      * Added an extensions page to the Linkerd Web UI
    
      * Viz
        * Added `Server` and `ServerAuthorization` resources for all ports
        * Added JSON log formatting
    
      * Jaeger
        * Added OpenTelemetry collector instead of OpenCensus
    
      * Multicluster
        * Added experimental support for `StatefulSet` workloads
    
    This release includes changes from a massive list of contributors. A special
    thank-you to everyone who helped make this release possible:
    
    Gustavo Fernandes de Carvalho @gusfcarvalho
    Oleg Vorobev @olegy2008
    Bart Peeters @bartpeeters
    Stepan Rabotkin @EpicStep
    LiuDui @xichengliudui
    Andrew Hemming @drewhemm
    Ujjwal Goyal @importhuman
    Knut Götz @knutgoetz
    Sanni Michael @sannimichaelse
    Brandon Sorgdrager @bsord
    Gerald Pape @ubergesundheit
    Alexey Kostin @rumanzo
    rdileep13 @rdileep13
    Takumi Sue @mikutas
    Akshit Grover @akshitgrover
    Sanskar Jaiswal @aryan9600
    Aleksandr Tarasov @aatarasoff
    Taylor @skinn
    Miguel Ángel Pastor Olivar @migue
    wangchenglong01 @wangchenglong01
    Josh Soref @jsoref
    Carol Chen @kipply
    Peter Smit @psmit
    Tarvi Pillessaar @tarvip
    James Roper @jroper
    Dominik Münch @muenchdo
    Szymon Gibała @Szymongib
    Mitch Hulscher @mhulscher
    
    [upgrade-2110]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2110
    
  • edge-21.9.5
    ## edge-21.9.5
    
    This edge is a release candidate for `stable-2.11.0`, containing a couple of
    improvements to `linkerd check`, some final tweaks before the stable release,
    and a couple of contributions from the community.
    
    * Had `linkerd check --proxy` stop failing on pods that are in Shutdown status
      (thanks @olegy2008!)
    * Lowered from error to warning a failed check on misconfigured opaque ports
      annotations, given that doesn't imply the installation is broken
    * Added log level and format settings to all the viz components (thanks
      @gusfcarvalho!)
    * Removed label from the multicluster gateway and service-mirror pods to allow
      them to be properly rolled out when upgrading
    
  • edge-21.9.4
    This edge is a release candidate for `stable-2.11.0`! It introduces a new
    `linkerd viz auth` command which shows metrics for server authorizations broken
    down by server for a given resource. It also shows the rate of unauthorized
    requests to each server.  This is helpful for seeing a breakdown of which
    authorizations are being used and what proportion of traffic is being rejected.
    
    It also fixes an issue in the proxy where HTTP load balancers could continue
    trying to establish connections to endpoints that were removed from service
    discovery. In addition it improves the proxy's error handling so that it can
    signal to an inbound proxy when its peers' outbound connections should be torn
    down.
    
    * Changed destination watch updates from `info` to `debug` to reduce the amount
      of logs (thanks @bartpeeters!)
    * Added the `linkerd viz auth` command which shows metrics for server
      authorizations broken down by server for a given resource
    * Fixed an issue where the policy controller's validating admission webhook
      attempted to validate ServerAuthorizations when it should only be validating
      Servers
    * Removed `omitWebhookSideEffects` setting now that we no longer support
      Kubernetes 1.12
    * Improved proxy error handling so that it can signal to its peers that their
      outbound connections should be torn down
    * Fixed an issue where after upgrades there would be a mismatch in certs used by
      the policy controller validator; the destination pod is now restarted similar
      to the injector
    * Fixed a field reference in the Helm template to properly refer to
      `profileValidator.namespaceSelector`
    * Updated policy CRD versions to `v1beta1`
    * Added support for `stat`'s `-o json` option to Server resources
    * Fixed an issue in the proxy where HTTP load balancers could continue trying to
      establish connections to endpoints that were removed from service discovery
    * Added JSON output format to `linkerd viz authz` command