
Tags

Tags give you the ability to mark specific points in history as being important
  • edge-21.9.3
    This edge is a release candidate for `stable-2.11.0`! It features a new `linkerd
    authz` CLI command to list servers and authorizations for a workload, as well as
    policy resources support for `linkerd viz stat`. Furthermore, this edge release
    adds support for JSON log formatting, enables TLS detection on port 443
    (previously marked as opaque), and further improves policy features.
    
    * Removed port 443 from the default list of opaque ports, this will allow the
      proxy to report metadata (such as the connection's SNI value) on TLS
      connections to port 443
    * Added default policies for core Linkerd extensions
    * Added support for JSON log formatting to the policy controller
    * Added support for new policy resources to `viz stat` command
    * Added default policy annotation to `linkerd-identity`
    * Added a new `linkerd authz` command to the CLI to list all server and
      authorization resources that apply to a specific resource
    * Added TLS labels (including client identity) to authorization metrics in the
      proxy
    * Changed the opaque ports CLI check to consider service and pod ports when
      checking annotation values; previously, the check would naively issue warnings
      when the service annotation values were different from the pod it selected
    * Changed how the proxy forwards inbound connections to a pod locally; the proxy
      now targets the original address instead of a port bound on localhost to
      protect services that are only bound on loopback from being exposed to other
      pods
    * Improved memory utilization in the proxy, especially for TCP forwarding, where
      the memory allocated was reduced from 128KB to 16KB
    * Updated the inbound policy system for the proxies to always allow connections
      from localhost
    * Fixed an issue where the policy controller would not detect changes to the
      `proxyProtocol` field of `Server` resources
    * Fixed an issue where the policy admission controller would log a `WARN`
      message when deserializing `Server` structs
    
  • edge-21.9.2
    ## edge-21.9.2
    
    This edge release gets us closer to 2.11 by further polishing the policy
    feature. Also the proxy received a noticeable resource consumption improvement.
    
    * Stopped creating the default authorizations for the kubelet
    * Added missing ports to the destination controller's default list of ports, to
      allow the sp-validator to start properly when using a default-deny policy
    * Set the destination and proxy-injector pods default policy to
      `all-unauthenticated` to allow the webhooks to be called from the kube-api
      when using a default-deny policy
    * Extended inbound policies to cover the proxy's admin server
    * Improved the proxy's error handling so that HTTP metrics include 5XX responses
      for common errors
    * The proxy's outbound tap has been fixed to include route labels when service
      profiles are configured
    * Enabled link-time optimizations in the Rust components (proxy and policy
      controller), resulting in noticeable RSS and CPU consumption improvements
    * Made the admin servers in the control plane components properly shut down
      (thanks @EpicStep!)
    * Updated linkerd-await, suppressing the error emitted when linkerd-await was
      disabled
    
  • edge-21.9.1
    This release includes various improvements and feature additions across the policy
    feature, i.e., a new validating webhook for policy resources. This also includes changes
    in the proxy, i.e., terminating TCP connections when an authorization is revoked, and improvements
    in the proxy authorization metrics. In addition, the proxy injector has also been updated
    to set the right `opaque-ports` annotation on services with default opaque ports.
    
    * Added a new validating admission controller to validate the policy resources
    * Updated the proxy-init to remove a rule which caused the packets from the proxy
      with destination != 127.0.0.1 on localhost to be sent to the inbound proxy
    * Updated inbound policy enforcement to interrupt TCP forwarding if a previously
      established authorization is revoked
    * Added new proxy metrics to expose authorization decisions
    * Updated inbound TCP metrics to only include a `srv_name` label
    * Updated the proxy to export route-oriented metrics only when a ServiceProfile
      is enabled
    * Updated the proxy's release build configuration to improve CPU and memory
      utilization
    * Added DNS name validation to the `proxy-identity` binary which creates the
      read-only private key required by the proxy (thanks @yorkijr!)
    * Updated the identity controller's default policy to be `cluster-unauthenticated`
    * Updated the proxy injector to include the correct default ports as opaque with
      services
    * Deprecated the usage of `viz stat ts` and print a warning about the SMI extension
    * Updated various dependencies across the dashboard, policy-controller
      (thanks @dependabot!)
    
  • edge-21.8.4
    This edge release continues to build on the policy feature by adding support for
    cluster-scoped default policies and exposing policy labels on various prometheus
    metrics. The proxy has been updated to return HTTP-level authorization errors
    at the time that the request is processed, instead of when the connection is
    established.
    
    In addition, the proxy-injector has been updated to set the `opaque-ports`
    annotation on a workload to make sure that controllers can discover how the
    workload was configured. Also, the `sleep` binary has been added to the proxy
    image in order to restore the functionality required for `waitBeforeExitSeconds`
    to work.
    
    * Added `default-inbound-policy` annotation to the proxy-injector
    * Updated the proxy-injector to always add the `opaque-ports` annotation
    * Added `sleep` binary to proxy image
    * Updated inbound traffic metrics to include server and authorization labels
    * Updated the policy-controller to honor pod level port annotations when a
      `Server` resource definition does not match the ports defined for the workload
    * Updated the point at which the proxy returns HTTP-level authorization errors
    * Exposed permit and policy labels on HTTP metrics
    * Added support for cluster-scoped default policies
    * Dropped `nonroot` variant from the policy-controller's distroless base image
      to avoid erroring in some environments.
    
  • edge-21.8.3
    9da7226f · Add change notes (#6709) ·
    This release adds support for dynamic inbound policies. The proxy now discovers
    policies from the policy-controller API for all application ports documented in a
    pod spec. Rejected connections are logged. Policies are not yet reflected in the
    proxy's metrics.
    
    These policies also allow the proxy to skip protocol detection when a server is
    explicitly annotated as HTTP/2 or when the server is documented to be opaque or
    application-terminated TLS.
    
    * Added a new section to linkerd-viz's dashboard that lists installed extensions
      (thanks @sannimichaelse!)
    * Added the `enableHeadlessServices` Helm flag to the `linkerd multicluster
      link` command for enabling headless service mirroring (thanks @knutgoetz!)
    * Removed some unused and duplicate constants in the codebase (thanks
      @xichengliudui!)
    * Added support for exposing service metadata from exported to mirrored services
      in multicluster installations (thanks @importhuman!)
    * Fixed an issue where the policy controller's liveness checks would fail after
      the controller was disconnected but had successfully resumed its watches
    * Fixed the `linkerd-policy` service selector to properly select `destination`
      control plane components
    * Added additional environment variables to the proxy container to allow support
      for dynamic policy configuration
    
  • edge-21.8.2
    This edge release continues the policy work by adding a new controller, written
    in Rust, to expose a discovery API for inbound server policies. Apart from
    that, this release includes a number of changes from external contributors; the
    `linkerd-jaeger` helm chart now supports passing arguments to the Jaeger
    container through the chart's values file. A number of unused functions and
    variables have been also removed to improve the quality of the codebase.
    Finally, this release also comes with changes to the proxy's outbound behavior,
    a new extensions page on the dashboard, and support for querying service
    metrics using the `authority` label in `linkerd viz stat`.
    
    * Introduced new `linkerd-policy-controller`; the new controller is written in
      Rust and implements discovery APIs for inbound server policies, the container
      has been added to the `linkerd-destination` pod
    * Updated `linkerd-jaeger` helm chart to support passing arguments to the
      Jaeger container (thanks @bsord!)
    * Added support for querying service metrics using the `authority` label in
      `linkerd viz stat`
    * Improved code hygiene by removing unused constants and functions throughout
      the codebase (thanks @xichengliudui!)
    * Added a new extensions page to the dashboard to list all known built-in and
      third party extensions that can be used with Linkerd
    * Changed outbound behavior in the proxy to tear down server-side connections
      when the remote proxy returns responses that indicate proxy errors; the
      connection in this case will be reset to allow clients to connect to a new
      endpoint
    
  • edge-21.8.1
    ## edge-21.8.1
    
    This release includes initial changes w.r.t. addition of Authorization into
    Linkerd. It includes adding the new `policy.linkerd.io` CRDs to the core install.
    This also includes numerous dependency updates both in the web and dashboard.
    
    * Added `servers.policy.linkerd.io` and `serverauthorizations.policy.linkerd.io`
      CRDs into the default Linkerd installation to support configuration and
      discovery of inbound policies
    * Modified the proxy to support upcoming policy features
    * Updated several dashboard dependencies to latest versions
    * Updated several proxy dependencies to latest versions
    
  • edge-21.7.5
    b83b4423 · edge-21.7.5 (#6578) ·
    This release updates Linkerd to store the identity trust root in a ConfigMap to
    make it easier to manage and rotate the trust root.  The release also lays the
    groundwork for StatefulSet support in the multicluster extension and removes
    deprecated PSP resources by default.
    
    * Added a `linkerd-identity-trust-roots` ConfigMap which contains the configured
      trust root bundle
    * Introduced support for StatefulSets across multicluster (disabled by default)
    * Stopped installing PSP resources by default since these are deprecated as
      of Kubernetes v1.21
    
  • edge-21.7.4
    This release continues to focus on dependency updates. It also adds the
    `l5d-proxy-error` information header to distinguish proxy generated errors
    from application generated errors.
    
    * Updated several project dependencies
    * Added a new `l5d-proxy-error` on responses that allows proxy-generated error
      responses to be distinguished from application-generated error responses.
    * Removed support for configuring HTTP/2 keepalives via the proxy.
      Configuring this setting would sometimes cause conflicts with Go gRPC servers
      and clients
    * Added a new `target_addr` label to `*_tcp_accept_errors` metrics to improve
      diagnostics, especially for TLS detection timeouts
    
  • edge-21.7.3
    This edge release introduces several changes around metrics. ReplicaSets are now
    a supported resource and metrics can be associated with them. A new metric has
    been added which counts proxy errors encountered before a protocol can be
    detected. Finally, the request errors metric has been split into separate
    inbound and outbound directions.
    
    * Fixed printing `check --pre` command usage if it fails after being unable to
      connect to Kubernetes (thanks @rdileep13!)
    * Updated the default skip and opaque ports to match that which is listed in the
      [documentation](https://linkerd.io/2.10/features/protocol-detection/#configuring-protocol-detection)
    * Added the `LINKERD2_PROXY_INBOUND_PORTS` environment variable during proxy
      injection which will be used by ongoing policy changes
    * Added client-go cache size metrics to the `diagnostics controller-metrics`
      command
    * Added validation that the certificate provided by an external issuer is a CA
      (thanks @rumanzo!)
    * Added metrics support for ReplicaSets
    * Replaced the `request_errors_total` metric with two new metrics:
      `inbound_http_errors_total` and `outbound_http_errors_total`
    * Introduced the `inbound_tcp_accept_errors_total` and
      `outbound_tcp_accept_errors_total` metrics which count proxy errors
      encountered before a protocol can be detected
    
  • edge-21.7.2
    This edge release focuses on dependency updates and has a couple of functional
    changes. First, the Dockerfile used to build the proxy has been updated to use
    the default `distroless` image, rather than the non-root variant. This change
    is safe because the proxy already runs as non-root within the container. Second,
    the `ignoreInboundPorts` parameter has been added in the linkerd2-cni helm
    charts in order to enable tap support.
    
    * Updated several project dependencies
    * Updated the Dockerfile-proxy to use the default distroless image, because
      the proxy already runs as non-root within the container
    * Added `ignoreInboundPorts` parameter to the linkerd2-cni plugin helm chart
    
  • edge-21.7.1
    d3cc21da · edge-21.7.1 (#6424) ·
    This edge release adds support for emitting Kubernetes events in the identity
    controller when issuing leaf certificates. The event includes the identity,
    expiry date, and a hash of the certificate. Additionally, this release contains
    many dependency updates for the control plane's components, and it includes a
    fix for an issue with the clusterNetworks healthcheck.
    
    * Updated the identity controller to emit Kubernetes events when successfully
      issuing leaf certificates to injected pods.
    * Fixed an issue in `linkerd check` where the clusterNetworks healthcheck
      would fail if the `podCIDR` field is omitted from a node's spec.
    * Removed unnecessary controller port-forward logic from the `bin/web` script.
    
  • edge-21.6.5
    Change notes for edge-21.6.4 (#6370)
    
    ## edge-21.6.4
    
    This release contains a few improvements, from many contributors!  Also under
    the hood, the destination service has received updates in preparation to the
    upcoming support for StatefulSets across multicluster.
    
    * Improved the `linkerd check --proxy` command to avoid hitting a timeout when
      dealing with large clusters
    * Fixed the web component permissions in order to properly run the podCIDR check
      (thanks @aryan9600!)
    * Avoid having the proxy-init container fail when the main container is
      configured to drop either the NET_RAW or NET_ADMIN capabilities (thanks
      @aryan9600!)
    * Upgraded the proxy-init image to improve the output in "simulate" mode (thanks
      @liuerfire!) and to log to stdout instead of stderr (thanks @mo4islona!)
    * Added test-coverage reports to PRs (thanks @akshitgrover!)
    
  • edge-21.6.4
    ## edge-21.6.4
    
    This release contains a few improvements, from many contributors!  Also under
    the hood, the destination service has received updates in preparation to the
    upcoming support for StatefulSets across multicluster.
    
    * Improved the `linkerd check --proxy` command to avoid hitting a timeout when
      dealing with large clusters
    * Fixed the web component permissions in order to properly run the podCIDR check
      (thanks @aryan9600!)
    * Avoid having the proxy-init container fail when the main container is
      configured to drop either the NET_RAW or NET_ADMIN capabilities (thanks
      @aryan9600!)
    * Upgraded the proxy-init image to improve the output in "simulate" mode (thanks
      @liuerfire!) and to log to stdout instead of stderr (thanks @mo4islona!)
    * Added test-coverage reports to PRs (thanks @akshitgrover!)
    
  • edge-21.6.3
    3705c259 · edge-21.6.3 (#6290) ·
    This release moves the Linkerd proxy to a more minimal Docker base image,
    adds a check for detecting certain network misconfigurations, and replaces
    the deprecated OpenCensus collector with the OpenTelemetry collector in the
    jaeger extension.
    
    * Switched the Linkerd proxy's base docker image from Debian to a minimal
      distroless base image (thanks @tskinn!)
    * Added a check to verify that Linkerd's clusterNetworks settings match the
      cluster's pod CIDR networks (thanks @aryan9600!)
    * Replaced the deprecated OpenCensus collector with the OpenTelemetry
      collector in the jaeger extension (thanks @aatarasoff!)
    
  • edge-21.6.2
    This release fixes a problem with the HTTP body buffering that was added
    to support gRPC retries. Now, only requests with a retry configuration
    are buffered (and only when their bodies are less than 64KB).
    
    Additionally, an issue with the outbound ingress-mode proxy where forwarded
    HTTP clients could fail to detect when the target pod was deleted, causing
    connections to retry forever has been fixed. This only impacted traffic
    forwarded directly to pod IPs and not load balanced services.
    
    Finally, this release also includes some fixes in the CLI and dashboard.
    
    * Added a new check that verifies if the opaque ports annotation is
      misconfigured on services or pods (thanks @migue!)
    * Added support for resource aware completion for core linkerd command
    * Fixed an issue where `namespace` resource was erroneously being shown
      in the dashboard's topology graph
    * Added uninstall command support for legacy extension installs
    * Updated the proxy to only buffer request bodies when a request can be retried
    * Updated the proxy to prevent buffering indefinitely on requests
      when endpoints are updated in ingress mode
    * Fixed spelling mistakes across various files in the project
      (thanks @jsoref!)
    
  • edge-21.6.1
    This release adds support for retrying HTTP/2 requests with small (<64KB)
    message bodies, allowing the proxy to properly buffer message bodies when
    responses are classified as a failure. Documentation on how to configure
    retries can be found [here](https://linkerd.io/2.10/tasks/configuring-retries/).
    
    This release also modifies the proxy's identity subsystem to instantiate a
    client on-demand so client connections are not retained continually. Also
    included in this release are various bug fixes and improvements as well as
    expanding support for resource-aware tab completion in the jaeger and
    multicluster CLI extensions.
    
    * Added support for specifying a `gateway-port` flag for the `multicluster link`
      command (thanks @psmit!)
    * Added support for Kubernetes resource aware tab completion for `jaeger` and
      `multicluster` commands
    * Fixed an issue where `viz`, `jaeger` and `multicluster` extensions could not
      be installed on `PodSecurityPolicy`-enabled clusters
    * Fixed an issue where `linkerd check --proxy` could incorrectly report
      out-of-date proxy versions caused by incorrect regex (thanks @aryan9600!)
    * Added support for the proxy to retry HTTP/2 requests with message bodies
      <= 64KB
    * Modified the proxy's controller stack to create new client connections
      on-demand
    * Fixed Viz's `uninstall` command to remove viz installations that used the
      legacy `linkerd.io/extension: linkerd-viz` label (thanks @jsoref!)
    * Expanded the "linkerd-existence" health check to also check for the
      destination pod readiness
    
  • edge-21.5.3
    This edge release contains various improvements to the Viz and Jaeger install
    charts, along with bug fixes in the CLI, and destination. This release also
    adds kubernetes aware autocompletion to all viz commands, along with
    ServiceProfiles to be part of the default `viz install`.
    
    Finally, the proxy has been updated to continue supporting requests without
    `l5d-dst-override` in ingress-mode proxies, to no longer include query parameters
    in the OpenCensus trace spans, and to prevent timeouts with controller clients
    of components with more than one replica.
    
    * Separated protocol hint setting from H2 upgrades in destination profile
      response, thus preventing `hint.OpaqueTransport` field from not being set when
      H2 upgrades are disabled
    * Updated OpenCensus trace spans for HTTP requests to no longer include query
      parameters (thanks @aatarasoff!)
    * Reverted [linkerd/linkerd2-proxy#992](https://github.com/linkerd/linkerd2-proxy/pull/992)
      to support requests without `l5d-dst-override` in ingress-mode proxies
    * Fixed an issue in the proxy to prevent timeouts with controller clients
      of components with more than one replica
    * Fixed `linkerd check --proxy` failure with pods that are part of Jobs
    * Updated `viz install` to also include ServiceProfiles of its components.
      As a side-effect, `linkerd diagnostics install-sp` cmd has been removed
    * Added support for Kubernetes resource aware tab completion for all
      viz commands
    * Updated destination to prefer `ServiceProfile.dstOverrides` over
      `TrafficSplit` when both are present for a service
    * Added toggle flags for `collector` and `jaeger` components in the
      jaeger extension (thanks @tarvip!)
    * Added support for setting `nodeselector`, `toleration` fields for components
      in the Viz extension (thanks @aatarasoff!)
    * Fixed a templating issue in Viz, making `podAnnotations` field
      work with prometheus
    * Updated Golang version to 1.16.4
    * Removed unnecessary `--addon-overwrite` flag in `linkerd upgrade`
    
  • edge-21.5.2
    This edge release updates the proxy-init container to check whether the iptables
    rules have already been added, which prevents errors if the proxy-init container
    is restarted. Also, the `viz stat` command now has tab completion for Kubernetes
    resources, saving you precious keystrokes! Finally, the proxy has been updated
    with several fixes and improvements.
    
    * Added instructions to `build.md` for using a locally built proxy
      (thanks @jroper!)
    * Added support for Kubernetes resource aware tab completion to the `viz stat`
      command
    * Updated `proxy-init` to skip configuring firewall if rules exist
    * Fixed `viz uninstall` to delete all RBAC objects (thanks @aryan9600!)
    * Improved diagnostics for rejected profile discovery
    * Added the `l5d-client-id` header on mutually-authenticated inbound requests so
      that applications can discover the client's identity.
    * Reduced proxy resource usage when there are no profiles
    * Changed the admin server to assume all meshed connections are HTTP/2 and fail
      connections when that is not the case
    * Updated the proxy to require the `l5d-dst-override` header on outbound
      requests when the proxy is in ingress-mode
    * Removed support for TCP-forwarding in ingress-mode
    
  • stable-2.10.2
    This stable release fixes a proxy task leak that could be triggered when clients
    disconnect when a service is in failfast. It also includes fixes for the fuzz
    testing that was performed on the proxy and its dependencies; check out the
    [Introducing fuzz testing for
    Linkerd](https://linkerd.io/2021/05/07/fuzz-testing-for-linkerd/) blog post for
    a summary of that work!
    
    * Added versions to the hint URLs output by the `check` command so that
      users are directed to the correct stable version documentation
    * Fixed an issue where the opaque ports annotation on a namespace would
      overwrite the annotations on services in that namespace