CHANGES.md
Please visit Linkerd's Release page for the latest release notes moving forward!
MutatingWebhookConfig timeout value to be configured (#12028)
(thanks @mikebell90)
linkerd check error when using container images with
digests (#12059)
This release addresses some issues in the destination service that could cause it to behave unexpectedly when processing updates.
Server selector are handled in the destination
service. When a Server that marks a port as opaque no longer selects a
resource, the resource's opaqueness will be reverted to default settings
(#12031; fixes #11995)
This edge release contains performance and stability improvements to the Destination controller, and continues stabilizing support for ExternalWorkloads.
This release continues support for ExternalWorkload resources throughout the control and data planes.
INVALID_ARGUMENT status codes
properly when a ServiceProfile is requested for a service that does not
exist. (#11980)
createNamespaceMetadataJob Helm value to control whether the
namespace-metadata job is run during install (#11782)
This edge release incrementally improves support for ExternalWorkload resources throughout the control plane.
This edge release introduces a number of different fixes and improvements. More
notably, it introduces a new cni-repair-controller binary to the CNI plugin
image. The controller will automatically restart pods that have not received
their iptables configuration.
MeshTLSAuthentication resource validation to allow SPIFFE URI
identities (#11882)
cni-repair-controller to the linkerd-cni DaemonSet to
automatically restart misconfigured pods that are missing iptables rules
(#11699; fixes #11073)
"duplicate metrics" warning in the multicluster service-mirror
component (#11875; fixes #11839)
linkerd diagnostics endpoints json
output (#11889)
Server updates are handled in the destination service. The
change will ensure that during a cluster resync, consumers won't be
overloaded by redundant updates (#11907)
linkerd install error output to add a newline when a Kubernetes
client cannot be successfully initialised (#11917)
This edge release includes fixes and improvements to the destination controller's endpoint resolution API.
This edge release contains improvements to the logging and diagnostics of the destination controller.
This edge release includes a restructuring of the proxy's balancer along with accompanying new metrics. The new minimum supported Kubernetes version is 1.22.
This edge release introduces new configuration values in the identity
controller for client-go's QPS and Burst settings. Default values for these
settings have also been raised from 5 (QPS) and 10 (Burst) to 100 and
200 respectively.
namespaceSelector fields for the tap-injector and jaeger-injector
webhooks. The webhooks are now configured to skip kube-system by default
(#11649; fixes #11647) (thanks @mikutas!)
QPS and Burst settings in the
identity controller (#11644)
PodDisruptionBudgets in the linkerd-viz Helm chart for tap and
tap-injector (#11628; fixes #11248) (thanks @mcharriere!)
This edge release introduces support for the native sidecar containers entering
beta support in Kubernetes 1.29. This improves the startup and shutdown ordering
for the proxy relative to other containers, fixing the long-standing
shutdown issue with injected Jobs. Furthermore, traffic from other
initContainers can now be proxied by Linkerd.
In addition, this edge release includes Helm chart improvements, and improvements to the multicluster extension.
config.alpha.linkerd.io/proxy-enable-native-sidecar annotation
and Proxy.NativeSidecar Helm option that causes the proxy container to run
as an init-container (thanks @teejaded!) (#11465; fixes #11461)
service-mirror when running
in HA mode (#11609; fixes #11603)
linkerd check that ensures all extension namespaces are
configured properly (#11629; fixes #11509)
linkerd-viz extension to
v2.48.0, resolving a number of CVEs in older Prometheus versions (#11633)
nodeAffinity to deployment templates in the linkerd-viz and
linkerd-jaeger Helm charts (thanks @naing2victor!) (#11464; fixes
#10680)
This edge release fixes a bug where Linkerd could cause EOF errors during bursts of TCP connections.
linkerd multicluster link command's
--gateway-addresses flag was not respected when a remote gateway exists
(#11564)
This edge release contains observability improvements and bug fixes to the Destination controller, and a refinement to the multicluster gateway resolution logic.
This edge release fixes two bugs in the Destination controller that could cause outbound connections to hang indefinitely.
This edge release includes a fix for the ServiceProfile CRD resource schema.
The schema incorrectly required not response matches to be arrays, while the
in-cluster validator parsed not response matches as objects. In addition, an
issue has been fixed in linkerd profile. When used with the --open-api
flag, it would not strip trailing slashes when generating a resource from
swagger specifications.
ServiceProfile resources through linkerd profile --open-api (#11519)
ServiceProfile CRD schema. The schema incorrectly
required that a not response match should be an array, which the service
profile validator rejected since it expected an object. The schema has been
updated to properly indicate that not values should be an object (#11510;
fixes #11483)
Job informer. The destination controller uses the metadata API
to retrieve Job metadata, and relies mostly on informers. Without an
initialized informer, an error message would be logged, and the controller
relied on direct API calls (#11541; fixes #11531)
This edge release fixes issues in the proxy and Destination controller which can result in Linkerd proxies sending traffic to stale endpoints. In addition, it contains other bugfixes and updates dependencies to include patches for the security advisories CVE-2023-44487/GHSA-qppj-fm5r-hxr3 and GHSA-c827-hfw6-qwvm.
INFO-level logging to the proxy when endpoints are added or removed
from a load balancer. These logs are enabled by default, and can be disabled
by setting the proxy log level to
warn,linkerd=info,linkerd_proxy_balance=warn or similar
(linkerd2-proxy#2486)
grpc_status metric labels as a
string rather than as the numeric status code (linkerd2-proxy#2480; fixes
#11449)
linkerd-jaeger's imagePullSecrets Helm value to also apply to
the namespace-metadata ServiceAccount (#11504)
google.golang.org/grpc Go
package to include patches for CVE-2023-44487/GHSA-qppj-fm5r-hxr3 (#11496)
rustix to include patches for GHSA-c827-hfw6-qwvm
(linkerd2-proxy#2488 and #11512).
This edge release includes a fix addressing an issue during upgrades for instances not relying on automated webhook certificate management (like cert-manager provides).
checksum/config annotation to the destination and proxy injector
deployment manifests, to force restarting those workloads whenever their
webhook secrets change during upgrade (thanks @iAnomaly!) (#11440)
This edge release adds additional configurability to Linkerd's viz and multicluster extensions.
podAnnotations Helm value to allow adding additional annotations to
the Linkerd-Viz Prometheus Deployment (#11365) (thanks @cemenson)
imagePullSecrets Helm values to the multicluster chart so that it can
be installed in an air-gapped environment. (#11285) (thanks @lhaussknecht)
This edge release makes Linkerd even better.
linkerd-control-plane Helm chart
to support including SHA256 image digests in Linkerd manifests (thanks
@cromulentbanana!) (#11406)
linkerd viz check to attempt to validate that the Prometheus scrape
interval will work well with the CLI and Web query parameters (#11376)
multicluster check --timeout flag to limit the time
allowed for Kubernetes API calls (thanks @moki1202) (#11420)
This edge release updates the proxy's dependency on the rustls library to
patch security vulnerability RUSTSEC-2023-0052
(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when
accepting a TLS handshake from an untrusted peer with a maliciously-crafted
certificate. Furthermore, this edge release contains a few improvements to the
control plane and jaeger extension Helm charts.
rustls library
prometheusUrl field for the heartbeat job in the control plane Helm
chart (thanks @david972!) (#11343; fixes #11342)
podMonitors field in the
control plane Helm chart (thanks @jseiser!) (#11222; fixes #11175)
opentelemetry-collector in the jaeger extension (thanks @iAnomaly!)
(#11283)
This edge release updates the proxy's dependency on the webpki library to
patch security vulnerability RUSTSEC-2023-0052 (GHSA-8qv2-5vq6-g2g7), a
potential CPU usage denial-of-service attack when accepting a TLS handshake from
an untrusted peer with a maliciously-crafted certificate.
linkerd check --proxy incorrectly checking the proxy version of pods
in the completed state (thanks @mikutas!) (#11295; fixes #11280)
linkerd.io/helm-release-version annotation from the
linkerd-control-plane Helm chart (thanks @mikutas!) (#11329; fixes
#10778)
This edge release introduces a fix for service discovery on endpoints that use hostPorts. Previously, the destination service would return the pod IP for the discovery request which could break connectivity on pod restart. To fix this, direct pod communication for a pod bound on a hostPort will always return the hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603) detected in the CNI plugin and proxy-init images, and includes a number of other fixes and small improvements.
remoteDiscoverySelector field in a
multicluster link would cause all services to be mirrored (#11309)
linkerd multicluster gateways command; when no
metrics exist the command will return instantly (#11265)
linkerd multicluster link (#11265)
skipped messages when injecting namespaces with linkerd inject (thanks @mikutas!) (#10231)
This release introduces direct pod-to-pod multicluster service mirroring. When clusters are deployed on a flat network, Linkerd can export multicluster services in a way where cross-cluster traffic does not need to go through the gateway. This enhances multicluster authentication and can reduce the need for provisioning public load balancers.
In addition, this release adds support for the
Gateway API HTTPRoute resource (in the
gateway.networking.k8s.io api group). This improves compatibility with other
tools that use these resources such as Flagger and
Argo Rollouts. The release also includes
a large number of features and improvements to HTTPRoute including the ability
to set timeouts and the ability to define consumer-namespace HTTPRoutes.
Finally, this release includes a number of bugfixes, performance improvements, and other smaller additions.
Upgrade notes: Please see the upgrade instructions.
linkerd multicluster gateways command (thanks
@hiteshwani29)
logFormat value to the multicluster Link Helm Chart (thanks
@bunnybilou!)
remoteDiscoverySelector field to the multicluster Link CRD,
which enables a service mirroring mode where the control plane
performs discovery for the mirrored service from the remote cluster, rather
than creating Endpoints for the mirrored service in the source cluster
linkerd uninstall issue for HTTPRoute
gateway.networking.k8s.io HTTPRoutes in the policy
controller
ResponseHeaderModifier HTTPRoute filter
parent_refs that do not specify a port
failure-domain.beta.kubernetes.io/zone labels in Helm
charts with topology.kubernetes.io/zone labels (thanks @piyushsingariya!)
server_port_subscribers Destination controller gauge metric with
server_port_subscribes and server_port_unsubscribes counter metrics
outbound_http_balancer_endpoints metric
config.linkerd.io/admin-port
annotation (thanks @jclegras!)
linkerd diagnostics policy command now displays outbound policy when
the target resource is a Service
kubelet NetworkAuthentication back since it is used by the
linkerd viz allow-scrapes subcommand.
linkerd viz check command so that it will wait until the viz
extension becomes ready
remote_write config would cause the
Prometheus config to be invalid (thanks @hiteshwani29)
--to and --from flags for the linkerd viz stat
command (thanks @pranoyk)
-o jsonpath flag to linkerd viz tap to allow filtering output fields
(thanks @hiteshwani29!)
linkerd-viz web dashboard (thanks @mclavel!)
linkerd.io/extension to certain resources to ensure they are
pruned when appropriate (thanks @ClementRepo)
namespace-metadata
Jobs (thanks @pssalman!)
This release includes changes from a massive list of contributors! A special thank-you to everyone who helped make this release possible:
This is a release candidate for stable-2.14.0; we encourage you to help try it out!
This edge release contains a number of improvements over the multi-cluster features introduced in the last edge release supporting flat networks. It also hardens the containers' security stance by removing write access to the root filesystem.
linkerd multicluster link to allow clusters to be linked without a
gateway (#11226)
readOnlyRootFilesystem: true in all the containers, as they don't
require write permissions (#11221; fixes #11142) (thanks @mikutas!)
This edge release adds improvements to Linkerd's multi-cluster features as part of the flat network support planned for Linkerd stable-2.14.0. In addition, it fixes an issue (#10764) where warnings about an invalid metric were logged frequently by the Destination controller.
remoteDiscoverySelector field to the multicluster Link CRD,
which enables a service mirroring mode where the control plane
performs discovery for the mirrored service from the remote cluster, rather
than creating Endpoints for the mirrored service in the source cluster
(#11190, #11201, #11220, and #11224)
linkerd-viz web dashboard (#11229) (thanks @mclavel!)
server_port_subscribers Destination controller gauge metric with
server_port_subscribes and server_port_unsubscribes counter metrics
(#11206; fixes #10764)
failure-domain.beta.kubernetes.io/zone labels in Helm
charts with topology.kubernetes.io/zone labels (#11148; fixes #11114)
(thanks @piyushsingariya!)
This edge release restores a proxy setting for it to shed load less aggressively while under high load, which should result in lower error rates (see #11055). It also removes the usage of host networking in the linkerd-cni extension.
This edge release improves Linkerd's support for HttpRoute by allowing
parent_ref ports to be optional, allowing HttpRoutes to be defined in a
consumer's namespace, and adding support for the ResponseHeaderModifier filter.
It also fixes a panic in the destination controller.
parent_refs that do not specify a port
ResponseHeaderModifier HttpRoute filter
--register flag over the
LINKERD_DOCKER_REGISTRY environment variable, making the precedence more
consistent (thanks @harsh020!)
This edge release introduces support for HTTP filters configured through both
policy.linkerd.io and gateway.networking.k8s.io HTTPRoute resources.
Currently, RequestHeaderModifier and RequestRedirect HTTP filters are
supported. Additionally, this release fixes an issue with the linkerd-cni
chart.
This edge release adds support for the upstream gateway.networking.k8s.io
HTTPRoute resource (in addition to the policy.linkerd.io CRD installed by
Linkerd). Furthermore, it fixes a bug where the ingress-mode proxy would fail to
fall back to ServiceProfiles for destinations without HTTPRoutes.
gateway.networking.k8s.io HTTPRoutes in the policy
controller
NotFound client policies in ingress-mode proxies
This edge release adds leader-election capabilities to the service-mirror
controller under the hood, as a precursor to HA mode in an upcoming release. It
also includes a linkerd viz tap improvement and a proxy startup bugfix, both
contributed by the community!
-o jsonpath flag to linkerd viz tap to allow filtering output fields
(thanks @hiteshwani29!)
config.linkerd.io/admin-port
annotation (thanks @jclegras!)
This edge release introduces timeout capabilities for HTTPRoutes in a manner compatible with the proposed changes to HTTPRoute in kubernetes-sigs/gateway-api#1997.
This release also includes several small improvements and fixes:
This edge release changes the behavior of the CNI plugin to run exclusively in
"chained mode". Instead of creating its own configuration file, the CNI plugin
will now wait until a conf file exists before appending its configuration.
Additionally, this change includes a bug fix for topology aware service
routing.
logFormat value to the multicluster Link Helm Chart (thanks
@bunnybilou!)
This edge release includes fixes for several bugs related to HTTPRoute handling.
namespace field on HTTPRoute backendRefs was
ignored, and the backend Service would always be assumed to be in the
namespace as the parent Service
This edge release adds some minor improvements in the MeshTLSAuthentication CRD
and the extensions charts, and fixes an issue with linkerd multicluster check.
namespace-metadata
Jobs (thanks @pssalman!)
linkerd multicluster check command failing in the presence of lots
of mirrored services
This edge release introduces the ability to configure the proxy's discovery cache timeouts via annotations. While most users will not need to do this, it can be useful to improve the mesh's resilience to control plane failures. This release also includes a number of other important improvements and bug fixes.
linkerd multicluster gateways command (thanks
@hiteshwani29)
linkerd.io/extension to certain resources to ensure they are
pruned when appropriate (thanks @ClementRepo)
--to and --from flags for the linkerd viz stat
command (thanks @pranoyk)
remote_write config would cause the
Prometheus config to be invalid (thanks @hiteshwani29)
config.linkerd.io/proxy-outbound-discovery-cache-unused-timeout and
config.linkerd.io/proxy-inbound-discovery-cache-unused-timeout annotations
linkerd viz check command so that it will wait until the viz
extension becomes ready
This edge release improves compatibility with ArgoCD by changing the Linkerd control plane to create Lease resources at runtime rather than including them in the Helm chart. It also addresses a CVE by upgrading an underlying dependency.
h2 dependency to address CVE-2023-26964
server_port_subscribers metric in the Destination
controller was sometimes absent
This edge release contains a number of bug fixes.
CLI
linkerd uninstall issue for HttpRoute
linkerd diagnostics policy command now displays outbound policy when
the target resource is a Service
CNI
Control Plane
cluster.local domain
Helm
unexpected argument found errors
Multicluster
Proxy
h2 dependency to include a patch for a theoretical
denial-of-service vulnerability discovered in CVE-2023-26964
trust_dns_proto that are generally spurious.
outbound_http_balancer_endpoints metric
Viz
kubelet NetworkAuthentication back since it is used by the
linkerd viz allow-scrapes subcommand.
This stable release fixes an issue in the policy controller where a non-default cluster domain would return incorrect authorities in the outbound policy API. Additionally, this release updates a proxy dependency to fix CVE-2023-26964.
Proxy
h2 dependency to include a patch for a theoretical
denial-of-service vulnerability discovered in CVE-2023-26964
Control Plane
cluster.local domain
Helm
unexpected argument found errors
This release introduces client-side policy to Linkerd, including dynamic routing
and circuit breaking. Gateway API HTTPRoutes
can now be used to configure policy for outbound (client) proxies as well as
inbound (server) proxies, by creating HTTPRoutes with Service resources as their
parentRef. See the Linkerd documentation for tutorials on dynamic request
routing and circuit breaking. New functionality for debugging HTTPRoute-based
policy is also included in this release, including new proxy metrics and the
ability to display outbound policies in the linkerd diagnostics policy CLI
command.
In addition, this release adds network-validator, a new init container to be
used when CNI is enabled. network-validator ensures that local iptables rules
are working as expected. It will validate this before linkerd-proxy starts.
network-validator replaces the noop container, runs as nobody, and drops
all capabilities before starting.
Finally, this release includes a number of bugfixes, performance improvements, and other smaller additions.
Upgrade notes: Please see the upgrade instructions.
CRDs
v1alpha1 to v1beta2
CLI
linkerd prune command to the CLI (including most extensions) to
remove resources which are no longer part of Linkerd's manifests
linkerd diagnostics policy command now displays outbound policy when
the target resource is a Service
Control Plane
linkerd-proxy to route
outbound traffic
/metrics endpoint to the admin server, with process
metrics
status field to
HTTPRoutes when a parent reference Server accepts or rejects it
ignoreOutboundPorts of proxy-injector
waitBeforeExitSeconds to control plane, viz and jaeger
extension pods
internalTrafficPolicy of a service (thanks @yc185050!)
NoEndpoints event would be sent to the
proxy regardless of the amount of endpoints that were still available
(thanks @utay!)
Proxy
outbound_route_backend_http_requests_total,
outbound_route_backend_grpc_requests_total, and
outbound_http_balancer_endpoints metrics
linkerd-proxy-init
proxy-init iptables rules to be idempotent upon init pod
restart (thanks @jim-minter!)
proxy-init and linkerd-cni
proxyInit.privileged setting to control whether the proxy-init
initContainer runs as a privileged process
CNI
network-validator init container to ensure that iptables rules are
working as expected
resources field in the linkerd-cni chart (thanks @jcogilvie!)
Viz
tap.ignoredHeaders Helm value to the linkerd-viz chart. This value
allows users to specify a comma-separated list of header names which will be
ignored by Linkerd Tap (thanks @ryanhristovski!)
--viz-namespace which avoids requiring permissions for
listing all namespaces in linkerd viz subcommands (thanks @danibaeyens!)
viz chart to allow for arbitrary annotations
on the Service objects (thanks @sgrzemski!)
Multicluster
nodeSelector and tolerations helm parameters
gateway.deploymentAnnotations
gateway.terminationGracePeriodSeconds (thanks @bunnybilou!)
gateway.loadBalancerSourceRanges (thanks @Tyrion85!)
Extensions
curlimages/curl 3rd-party image used to initialize
extensions namespaces metadata (so they are visible by linkerd check),
replaced by the new extension-init image
ServerAuthorization resources to AuthorizationPolicy resources
in Linkerd extensions
Among other dependency updates, the no-longer maintained ghodss/yaml library was replaced with sigs.k8s.io/yaml (thanks @Juneezee!)
This release includes changes from a massive list of contributors! A special thank-you to everyone who helped make this release possible:
This is a release candidate for stable-2.13.0 — we encourage you to help try it out!
This edge release introduces request-level HTTP circuit-breaking
using a consecutive failures failure accrual policy. Circuit breaking can be
configured by adding failure accrual annotations to a Service. In addition, this
release adds new outbound_route_backend_http_requests_total and
outbound_route_backend_grpc_requests_total proxy metrics, which can be
used to track how routing rules and backend distributions apply to
requests. These metrics contain labels describing the route's parent
(i.e. a Service), the route resource being used, and the backend
resource being used by each request.
Proxy
outbound_route_backend_http_requests_total and
outbound_route_backend_grpc_requests_total metrics
Policy Controller
/metrics endpoint to the admin server, with process
metrics
Viz
tap.ignoredHeaders Helm value to the linkerd-viz chart. This value
allows users to specify a comma-separated list of header names which will be
ignored by Linkerd Tap (thanks @ryanhristovski!)
Multicluster
This edge release further enhances the OutboundPolicies API used by the proxy to route outbound traffic, and continues extending the HTTPRoute resource's Status field. It also starts integrating circuit-breaking functionality into the proxy, which will be configurable in a subsequent iteration.
true are considered when routing outbound requests
--viz-namespace which avoids requiring permissions for
listing all namespaces in linkerd viz subcommands (thanks @danibaeyens!)
This edge release removes TrafficSplits from the Linkerd dashboard as well as fixing a number of issues in the policy controller.
This edge release continues to improve dynamic Policy statuses and introduces support for header-based routing.
Destination Controller
linkerd-proxy to route
outbound traffic
Proxy
Policy Controller
policy-controller-write Lease when patching HTTPRoutes
status field and filter out HTTPRoutes which have not
been accepted
Added KubeAPI server ports to ignoreOutboundPorts of proxy-injector
Updated HTTPRoute version from v1alpha1 to v1beta2
Updated network-validator helm charts to use proxy-init resources
Fixed Grafana regular expression, enabling monitoring of filesystem usage (thanks @h-dav!)
This edge release continues to build support under the hood for the upcoming features in 2.13. Also included are several dependency updates and less verbose logging.
curlimages/curl 3rd-party image used to initialize
extensions namespaces metadata (so they are visible by linkerd check),
replaced by the new extension-init image
This edge release includes a number of fixes and introduces a new CLI command,
linkerd prune. The new prune command should be used to remove resources
which are no longer part of the Linkerd manifest when doing an upgrade.
Previously, the recommendation was to use linkerd upgrade in conjunction with
kubectl apply --prune; however, that will not remove resources which are not
part of the input manifest, and it will not detect cluster scoped resources.
linkerd prune (included in all core extensions) should be preferred over it.
Additionally, this change contains a few fixes from our external contributors,
and a change to the viz Helm chart which allows for arbitrary annotations on
Service objects. Last but not least, the release contains a few proxy
internal changes to prepare for the new client policy API.
linkerd prune command to the CLI (including extensions) to
remove resources which are no longer part of Linkerd's manifests
viz chart to allow for arbitrary annotations
on the Service objects (thanks @sgrzemski!)
NoEndpoints event would be sent to the
proxy regardless of the amount of endpoints that were still available (thanks
@utay!)
This edge release adds the policy status controller which writes the status
field to HTTPRoutes when a parent reference Server accepts or rejects the
HTTPRoute. This field is currently not consumed by the policy controller, but
acts as the first step for considering HTTPRoute status when serving policy.
Additionally, the destination controller now uses the Kubernetes metadata API for resources which it only needs to track the metadata for — Nodes and ReplicaSets. For all other resources it tracks, it uses additional information so continues to use the API as before.
status field to
HTTPRoutes when a parent reference Server accepts or rejects it
This edge release sees the linkerd-cni plugin moved to
linkerd2-proxy-init and released from that repository. An iptables
improvement to linkerd-cni and proxy-init is the main focus. Other
minor fixes are also included.
proxy-init iptables rules to be idempotent upon init pod
restart (thanks @jim-minter!)
proxy-init and linkerd-cni
waitBeforeExitSeconds to control plane, viz and jaeger
extension pods
internalTrafficPolicy of a service (thanks @yc185050!)
limits and requests to network-validator for ResourceQuota interop
nodeSelector and tolerations helm parameters
This edge release fixes a memory leak in the Linkerd control plane that could occur when many pods were created. It also adds a number of new configuration options for the Multicluster extension's gateway.
gateway.deploymentAnnotations
gateway.terminationGracePeriodSeconds (thanks @bunnybilou!)
gateway.loadBalancerSourceRanges (thanks @Tyrion85!)
seccompProfile
This edge release fixes a caching issue in the destination controller, converts deprecated policy resources, and introduces several changes to how the proxy works.
A bug in the destination controller that could potentially lead to stale pods being considered in the load balancer has been fixed.
Several Linkerd extensions were still using the now deprecated ServerAuthorization resource. These instances have now been converted to using AuthorizationPolicy. Additionally, removed several policy resources that authenticated probes, since probes are now authenticated by default.
As part of ongoing policy work, there are several changes with how the proxy works. Routes are now lazily initialized so that service profile routes will not show up in metrics until the route is used. Furthermore, the proxy’s traffic splitting behavior has changed so that only available resources are used, resulting in fewer failfast errors.
Finally, this edge release contains a number of fixes and improvements from our contributors.
ServerAuthorization resources to AuthorizationPolicy resources
in Linkerd extensions
resources field in the linkerd-cni chart (thanks @jcogilvie!)
--identity-external-ca would set an
incorrect field (thanks @anoxape!)
linkerd viz tap would display wrong latency/duration
value (thanks @olegy2008!)
This edge release introduces static and dynamic port overrides for CNI eBPF socket-level load balancing. In certain installations when CNI plugins run in eBPF mode, socket-level load balancing rewrites packet destinations to port 6443; as with 443 already, this port is now skipped as well on control plane components so that they can communicate with the Kubernetes API before their proxies are running.
Additionally, a potential panic and false warning have been fixed in the destination controller.
proxyInit.privileged setting to control whether the proxy-init
initContainer runs as a privileged process
This edge release fixes connection errors to pods that use hostPort
configurations. The CNI network-validator init container features
improved error logging, and the default linkerd-cni DaemonSet
configuration is updated to tolerate all node taints so that the CNI
runs on all nodes in a cluster.
destination service to properly discover targets using a hostPort
different than their containerPort, which was causing 502 errors
network-validator with better logging allowing users to
determine whether failures occur as a result of their environment or the tool
itself
Exists toleration to the linkerd-cni DaemonSet, allowing it
to be deployed in all nodes by default, regardless of taints
This edge release introduces the use of the Kubernetes metadata API in the proxy-injector and tap-injector components. This can reduce the IO and memory footprint for those components as they now only need to track the metadata for certain resources, rather than the entire resource itself. Similar changes will be made for the destination component in an upcoming release.
This edge release ships a few fixes in Linkerd's dashboard, and the multicluster extension. Additionally, a regression has been fixed in the CLI that blocked upgrades from versions older than 2.12.0, due to missing CRDs (even if the CRDs were present in-cluster). Finally, the release includes changes to the helm charts to allow for arbitrary (user-provided) labels on Linkerd workloads.
--from-manifest flag
This edge release adds network-validator, a new init container to be used when
CNI is enabled. network-validator ensures that local iptables rules are
working as expected. It will validate this before linkerd-proxy starts.
network-validator replaces the noop container, runs as nobody, and drops
all capabilities before starting.
iptables configuration during pod startup
linkerd check (thanks @ziollek!)
readOnlyRootFilesystem: true in viz chart (thanks @mikutas!)
linkerd multicluster install by re-adding pause container image
in chart
This edge release fixes an issue with CNI chaining that was preventing the Linkerd CNI plugin from working with other CNI plugins such as Cilium. It also includes several other fixes.
linkerd diagnostics policy command to inspect Linkerd policy state
config.linkerd.io/proxy-version annotation could be empty
This edge release fixes some sections of the Viz dashboard appearing blank, and adds an optional PodMonitor resource to the Helm chart to enable easier integration with the Prometheus Operator. It also includes many fixes submitted by our contributors.
--api-addr flag (thanks @mikutas!)
linkerd authz command to display AuthorizationPolicy resources
that target namespaces (thanks @aatarasoff!)
NotIn label selector operator in the policy resources, being
erroneously treated as In.
linkerd viz check
This release includes several control plane and proxy fixes for stable-2.12.0.
In particular, it fixes issues related to control plane HTTP servers' header
read timeouts resulting in decreased controller success rates, lowers the
inbound connection pool idle timeout in the proxy, and fixes an issue where the
jaeger injector would put pods into an error state when upgrading from
stable-2.11.x.
Additionally, this release adds the linkerd.io/trust-root-sha256 annotation to
all injected workloads allowing predictable comparison of all workloads' trust
anchors via the Kubernetes API.
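One way to use the annotation for the comparison described above, as an added example that is not part of the Linkerd project: it groups injected pods by their `linkerd.io/trust-root-sha256` value and reports pods that differ from the expected digest or lack the annotation. The pod list is constructed sample data shaped like `kubectl get pods -A -o json`; identifying injected pods by a container named `linkerd-proxy` and reading the annotation from pod metadata are assumptions.

```python
import json

ANNOTATION = "linkerd.io/trust-root-sha256"
PROXY_CONTAINER = "linkerd-proxy"  # assumption: name of the injected proxy container

# Constructed digests (not real trust anchors).
DIGEST_A = "a1" * 32
DIGEST_B = "b2" * 32


def _pod(namespace, name, containers, annotations=None):
    """Build a minimal pod object for the constructed sample."""
    return {
        "metadata": {"namespace": namespace, "name": name,
                     "annotations": annotations or {}},
        "spec": {"containers": [{"name": c} for c in containers]},
    }


# Constructed sample shaped like the output of `kubectl get pods -A -o json`.
SAMPLE_POD_LIST = json.dumps({"items": [
    _pod("shop", "web-6c9d", ["web", PROXY_CONTAINER], {ANNOTATION: DIGEST_A}),
    _pod("shop", "cart-58bf", ["cart", PROXY_CONTAINER], {ANNOTATION: DIGEST_A}),
    _pod("billing", "api-7d4c", ["api", PROXY_CONTAINER], {ANNOTATION: DIGEST_B}),
    _pod("legacy", "batch-0", ["batch", PROXY_CONTAINER]),  # injected, no annotation
    _pod("kube-system", "coredns-1", ["coredns"]),           # not meshed, ignored
]})


def is_injected(pod):
    """True if the pod carries the proxy in either container list."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any(c.get("name") == PROXY_CONTAINER for c in containers)


def audit_trust_roots(pod_list_json, expected=None):
    """Group injected pods by trust-root digest and flag the odd ones out.

    If `expected` is not given, the most common digest is used as the
    reference (ties are broken by digest order so the result is stable).
    """
    by_digest, missing = {}, []
    for pod in json.loads(pod_list_json).get("items", []):
        if not is_injected(pod):
            continue
        meta = pod.get("metadata", {})
        ref = f'{meta.get("namespace", "")}/{meta.get("name", "")}'
        digest = (meta.get("annotations") or {}).get(ANNOTATION, "").strip().lower()
        if digest:
            by_digest.setdefault(digest, []).append(ref)
        else:
            missing.append(ref)

    if expected is not None:
        expected = expected.strip().lower()
    elif by_digest:
        expected = min(by_digest, key=lambda d: (-len(by_digest[d]), d))

    mismatched = sorted(ref for digest, refs in by_digest.items()
                        if digest != expected for ref in refs)
    return {
        "expected": expected,
        "groups": {digest: sorted(refs) for digest, refs in by_digest.items()},
        "mismatched": mismatched,   # injected pods on a different trust bundle
        "missing": sorted(missing),  # injected pods without the annotation
    }


if __name__ == "__main__":
    print(json.dumps(audit_trust_roots(SAMPLE_POD_LIST), indent=2))
```

Pods listed under `missing` were injected without the annotation, so their trust anchors cannot be compared this way.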
For Windows users, note that the Linkerd CLI's nupkg file for Chocolatey is
once again included in the release assets (it was previously removed in
stable-2.10.0).
Proxy
Control Plane
linkerd.io/trust-root-sha256 annotation on all injected workloads to indicate certificate bundle
AuthorizationPolicy and MeshTLSAuthentication to conform to specification (thanks @aatarasoff!)
ClusterRoleBinding to read all deployment resources
Helm
namespace field in Linkerd helm charts
PodDisruptionBudget apiVersion from policy/v1beta1 to policy/v1 (thanks @Vrx555!)
Extensions
This release fixes an issue where the jaeger injector would put pods into an error state when upgrading from stable-2.11.x.
This release adds the linkerd.io/trust-root-sha256 annotation to all injected
workloads allowing predictable comparison of all workloads' trust anchors via
the Kubernetes API.
Additionally, this release lowers the inbound connection pool idle timeout to 3s. This should help avoid socket errors, especially for Kubernetes probes.
linkerd.io/trust-root-sha256 annotation on all injected workloads to indicate certificate bundle
namespace field in Linkerd helm charts
AuthorizationPolicy and MeshTLSAuthentication to conform to specification (thanks @aatarasoff!)
ClusterRoleBinding to read all deployment resources.
Increased control plane HTTP servers' read timeouts so that they no longer match the default probe intervals. This was leading to closed connections and decreased controller success rate.
This release introduces route-based policy to Linkerd, allowing users to define and enforce authorization policies based on HTTP routes in a fully zero-trust way. These policies are built on Linkerd's strong workload identities, secured by mutual TLS, and configured using types from the Kubernetes Gateway API.
The 2.12 release also introduces optional request logging ("access logging"
after its name in webservers), optional support for iptables-nft, and a host
of other improvements and performance enhancements.
Additionally, the linkerd-smi extension is now required to use TrafficSplit,
and the installation process has been updated to separate management of the
Linkerd CRDs from the main installation process. With the CLI, you'll need to
linkerd install --crds before running linkerd install; with Helm, you'll
install the new linkerd-crds chart, then the linkerd-control-plane chart.
These charts are now versioned using SemVer independently
of Linkerd releases. For more information, see the upgrade
notes.
Upgrade notes: Please see the upgrade instructions.
Proxy
config.linkerd.io/shutdown-grace-period annotation to limit the duration that the proxy may wait for graceful shutdown
config.linkerd.io/access-log annotation to enable logging of workload requests
iptables-nft mode for the proxy-init initContainer
ingress mode
/env.json log diagnostic endpoint
process_uptime_seconds_total metric to track proxy uptime in seconds
containerPorts
route_group/route_kind/route_name)
config.linkerd.io/skip-subnets), needed e.g. in Docker-in-Docker workloads (thanks @michaellzc!)
Control Plane
Terminated state for pods (thanks @AgrimPrasad!)
info; the controller will now emit INFO level logs for some of its dependencies
deny policy to not explicitly need to authorize probes
nodeAffinity values for the control plane
linkerd-smi extension
CLI
linkerd check command crashing when unexpected pods are found in a Linkerd namespace
linkerd authz command to support AuthorizationPolicy and HttpRoute resources
linkerd check to allow RSA signed trust anchors (thanks @danibaeyens!)
linkerd install --crds must be run before linkerd install
linkerd upgrade --crds must be run before linkerd upgrade
--default-inbound-policy setting was not being respected
viz authz command
viz stat command
linkerd viz tap
Helm
linkerd2 chart into linkerd-crds and linkerd-control-plane
proxy.await Helm value so that users can now disable linkerd-await on control plane components
policyController.probeNetworks Helm value for configuring the networks that probes are expected to be performed from
Extensions
This release includes changes from a massive list of contributors, including engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and others. A special thank-you to everyone who helped make this release possible:
Agrim Prasad @AgrimPrasad Ahmed Al-Hulaibi @ahmedalhulaibi Aleksandr Tarasov @aatarasoff Alexander Berger @alex-berger Ao Chen @chenaoxd Badis Merabet @badis Bjørn @Crevil Brian Dunnigan @bdun1013 Christian Schlotter @chrischdi Dani Baeyens @danibaeyens David Symons @multimac Dmitrii Ermakov @ErmakovDmitriy Elvin Efendi @ElvinEfendi Evan Hines @evan-hines-firebolt Eng Zer Jun @Juneezee Gustavo Fernandes de Carvalho @gusfcarvalho Harry Walter @haswalt Israel Miller @imiller31 Jack Gill @jackgill Jacob Henner @JacobHenner Jacob Lorenzen @Jaxwood Joakim Roubert @joakimr-axis Josh Ault @jault-figure João Soares @jasoares jtcarnes @jtcarnes Kim Christensen @kichristensen Krzysztof Dryś @krzysztofdrys Lior Yantovski @lioryantov Martin Anker Have @mahlunar Michael Lin @michaellzc Michał Romanowski @michalrom089 Naveen Nalam @nnalam Nick Calibey @ncalibey Nikola Brdaroski @nikolabrdaroski Or Shachar @or-shachar Pål-Magnus Slåtto @dev-slatto Raman Gupta @rocketraman Ricardo Gândara Pinto @rmgpinto Roberth Strand @roberthstrand Sankalp Rangare @sankalp-r Sascha Grunert @saschagrunert Steve Gray @steve-gray Steve Zhang @zhlsunshine Takumi Sue @mikutas Tanmay Bhat @tanmay-bhat Táskai Dominik @dtaskai Ujjwal Goyal @importhuman Weichung Shaw @wc-s Wim de Groot @wim-de-groot Yannick Utard @utay Yurii Dzobak @yuriydzobak 罗泽轩 @spacewander
This release is the second release candidate for stable-2.12.0.
At this point the Helm charts can be retrieved from the stable repo:
```bash
helm repo add linkerd https://helm.linkerd.io/stable
helm repo up
helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
helm install linkerd-control-plane \
  -n linkerd \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  linkerd/linkerd-control-plane
```
The following lists all the changes since edge-22.8.2:
linkerd.io/inject annotation from Namespace to Workloads when its value is ingress
config.linkerd.io/default-inbound-policy: all-authenticated annotation to linkerd-multicluster’s Gateway deployment so that all clients are required to be authenticated
ReadHeaderTimeout of 10s to all the go http.Server instances, to avoid being vulnerable to "slowloris" attacks
linkerd viz check --proxy to warn in case namespaces have the config.linkerd.io/default-inbound-policy: deny annotation, which would not authorize scrapes coming from the linkerd-viz Prometheus instance
--default-inbound-policy flag
linkerd install --help output
--destination-pod flag to linkerd diagnostics endpoints subcommand
proxyInit.runAsUser in values.yaml defaulting to non-zero, to complement the new default proxyInit.runAsRoot: false that was recently changed
This release is considered a release candidate for stable-2.12.0 and we encourage you to try it out! It includes an update to the multicluster extension which adds support for Kubernetes v1.24 and also updates many CLI commands to support the new policy resources: ServerAuthorization and HTTPRoute.
This release introduces default probe authorization. This means that on
clusters that use a default deny policy, probes do not have to be explicitly
authorized using policy resources. Additionally, the
policyController.probeNetworks Helm value has been added, which allows users
to configure the networks that probes are expected to be performed from.
Additionally, the linkerd authz command has been updated to support the policy
resources AuthorizationPolicy and HttpRoute.
Finally, some smaller changes include the ability to disable linkerd-await on
control plane components (using the existing proxy.await configuration) and
changing the default iptables mode back to legacy to support more cluster
environments by default.
linkerd authz command to support AuthorizationPolicy and HttpRoute resources
proxy.await Helm value so that users can now disable linkerd-await on control plane components
deny policy to not explicitly need to authorize probes
policyController.probeNetworks Helm value for configuring the networks that probes are expected to be performed from
legacy
This release adds a new nft iptables mode, used by default in proxy-init.
When used, firewall configuration will be set-up through the iptables-nft
binary; this should allow hosts that do not support iptables-legacy (such as
RHEL based environments) to make use of the init container. The older
iptables-legacy mode is still supported, but it must be explicitly turned on.
Moreover, this release also replaces the HTTPRoute CRD with Linkerd's own
version, and includes a number of fixes and improvements.
iptables-nft mode for proxy-init. When running in this mode, the firewall will be configured with nft kernel API; this should allow users to run the init container on RHEL-family hosts
nodeAffinity values for the control plane
Terminated state for pods (thanks @AgrimPrasad!)
HTTPRoute CRD version from gateway.networking.k8s.io with a similar version from the policy.linkerd.io API group. While the CRD is similar, it does not support the Gateway type, does not contain the backendRefs fields, and does not support RequestMirror and ExtensionRef filter types.
info; the controller will now emit INFO level logs for some of its dependencies
HTTPRoute paths are absolute; relative paths are not supported by the proxy and the policy controller admission server will reject any routes that use paths which do not start with /
This release adds support for per-route authorization policy using the AuthorizationPolicy and HttpRoute resources. It also adds a configurable shutdown grace period to the proxy which can be used to ensure that proxy graceful shutdown completes within a certain time, even if there are outstanding open connections.
linkerd check command crashing when unexpected pods are found in a Linkerd namespace
config.linkerd.io/shutdown-grace-period annotation to configure the proxy's maximum grace period for graceful shutdown
This release includes a security improvement. When a user manually specified the
policyValidator.keyPEM setting, the value was incorrectly included in the
linkerd-config configmap. This means that this private key was erroneously
exposed to service accounts with read access to this configmap. Practically,
this means that the Linkerd proxy-injector, identity, and heartbeat pods
could read this value. This should not have exposed this private key to
other unauthorized users unless additional role bindings were added outside of
Linkerd. Nevertheless, we recommend that users who manually set control plane
certificates update the credentials for the policy validator after upgrading
Linkerd.
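A check an operator could run before rotating the policy validator credentials, as an added example that is not part of the Linkerd project: it scans a ConfigMap (JSON as returned by `kubectl get configmap linkerd-config -n linkerd -o json`) for PEM private key headers and reports where they sit without printing key material. The ConfigMap below is constructed sample data; the `values` data key holding YAML text and the `linkerd` namespace are assumptions.

```python
import json
import re

# PEM headers for private keys (PKCS#8, encrypted PKCS#8, RSA, EC, OpenSSH, ...).
# Certificates ("BEGIN CERTIFICATE") deliberately do not match.
PEM_KEY_HEADER = re.compile(r"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----")
# A YAML mapping key at the start of a line, with its indentation.
YAML_KEY = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):")

# Constructed sample values; the key body is a placeholder, not a real key.
SAMPLE_VALUES = """\
identityTrustAnchorsPEM: |
  -----BEGIN CERTIFICATE-----
  Q09OU1RSVUNURUQ=
  -----END CERTIFICATE-----
policyValidator:
  crtPEM: |
    -----BEGIN CERTIFICATE-----
    Q09OU1RSVUNURUQ=
    -----END CERTIFICATE-----
  keyPEM: |
    -----BEGIN EC PRIVATE KEY-----
    Tk9ULUEtUkVBTC1LRVk=
    -----END EC PRIVATE KEY-----
proxy:
  logLevel: warn,linkerd=info
"""

# Constructed ConfigMap object; "values" as the data key is an assumption.
SAMPLE_CONFIGMAP = json.dumps({
    "kind": "ConfigMap",
    "metadata": {"name": "linkerd-config", "namespace": "linkerd"},
    "data": {"values": SAMPLE_VALUES},
})


def yaml_path_at(text, offset):
    """Dotted path of the mapping keys enclosing `offset`.

    Uses indentation only (no YAML parser), which is enough to name the
    setting a PEM block belongs to in a plain values document.
    """
    stack = []  # (indent, key) pairs from outermost to innermost
    for line in text[:offset].splitlines():
        match = YAML_KEY.match(line)
        if not match:
            continue
        indent = len(match.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, match.group(2)))
    return ".".join(key for _, key in stack)


def find_private_keys(configmap_json):
    """Return the location of every private key header in the ConfigMap data."""
    data = json.loads(configmap_json).get("data") or {}
    findings = []
    for entry, text in sorted(data.items()):
        for match in PEM_KEY_HEADER.finditer(text):
            findings.append({
                "entry": entry,                              # ConfigMap data key
                "path": yaml_path_at(text, match.start()),   # setting name
                "type": match.group(1),                      # PEM label
                "line": text.count("\n", 0, match.start()) + 1,
            })
    return findings


if __name__ == "__main__":
    for finding in find_private_keys(SAMPLE_CONFIGMAP):
        print("private key material in ConfigMap:", finding)
```

An empty result after upgrading means the ConfigMap no longer carries the key; credentials that were exposed before the upgrade still need to be replaced, as the release note recommends.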
Additionally, the linkerd-multicluster extension has several fixes related to fail fast errors during link watch restarts, improper label matching for mirrored services, and properly cleaning up mirrored endpoints in certain situations.
Lastly, the proxy can now retry gRPC requests that have responses with a TRAILERS frame. A fix to reduce redundant load balancer updates should also result in less connection churn.
prommatch package for asserting expected metrics (thanks @krzysztofdrys!)
linkerd install rather than linkerd check --pre
matchLabels and matchExpressions to linkerd-multicluster's Link CRD
linkerd check due to missing RBAC for listing pods in the cluster
linkerd authz to match the labels of pre-fetched Pods rather than the multiple API calls it was doing—resulting in significant speed-up (thanks @aatarasoff!)
policyValidator.keyPEM in linkerd-config ConfigMap
This edge release bumps the minimum supported Kubernetes version from v1.20
to v1.21, introduces some new changes, and includes a few bug fixes. Most
notably, a bug has been fixed in the proxy's outbound load balancer that could
cause panics, especially when the balancer would process many service discovery
updates in a short period of time. This release also fixes a panic in the
proxy-injector, and introduces a change that will include HTTP probe ports in
the proxy's inbound ports configuration, to be used for policy discovery.
runtimeClassName options to Linkerd's Helm chart (thanks @jtcarnes!)
v1.21 from v1.20
PublicIPToString to handle both IPv4 and IPv6 addresses in a similar behavior (thanks @zhlsunshine!)
cosign-installer action to v1 (thanks @saschagrunert!)
This edge release fixes an issue where Linkerd injected pods could not be
evicted by Cluster Autoscaler. It also adds the --crds flag to linkerd check
which validates that the Linkerd CRDs have been installed with the proper
versions.
The previously noisy "cluster networks can be verified" check has been replaced
with one that now verifies each running Pod IP is contained within the current
clusterNetworks configuration value.
Additionally, linkerd-viz is no longer required for linkerd-multicluster's
gateways command — allowing the Gateways API to be marked as deprecated for
2.12.
Finally, several security issues have been patched in the Docker images now that the builds are pinned only to minor — rather than patch — versions.
gateway command dependency on the linkerd-viz extension
dst_target_cluster metric to linkerd-multicluster's service-mirror controller probe traffic
--crds flag to linkerd check which validates that the Linkerd CRDs have been installed
clusterNetworks configuration
Gateways API which is no longer used by linkerd-multicluster
promm package for making programmatic Prometheus assertions in tests (thanks @krzysztofdrys!)
runAsUser configuration to extensions to fix a PodSecurityPolicy violation when CNI is enabled
This edge release fixes a few proxy issues, improves the upgrade process, and introduces proto retries to Service Profiles. Also included are updates to the bash scripts to ensure that they follow best practices.
linkerd upgrade command
This edge release ships a few changes to the chart values, a fix for multicluster headless services, and notable proxy features. HA functionality, such as PDBs, deployment strategies, and pod anti-affinity, have been split from the HA values and are now configurable for the control plane. On the proxy side, non-HTTP traffic will now be forwarded on the outbound side within the cluster when the proxy runs in ingress mode.
ingress-mode proxies to forward non-HTTP traffic within the cluster (protocol detection will always be attempted for outbound connections)
process_uptime_seconds_total to keep track of the number of seconds since the proxy started
This edge release adds more flexibility to the MeshTLSAuthentication and AuthorizationPolicy policy resources by allowing them to target entire namespaces. It also fixes a race condition when multiple CNI plugins are installed together as well as a number of other bug fixes.
linkerd install when the --ignore-cluster flag is passed
enablePSP and proxyInit.runAsRoot are set
In order to support having custom resources in the default Linkerd installation,
the CLI install flow is now always a 2-step process where linkerd install --crds must be run first to install CRDs only and then linkerd install is run
to install everything else. This more closely aligns the CLI install flow with
the Helm install flow where the CRDs are a separate chart. This also applies to
linkerd upgrade. Also, the config and control-plane sub-commands have been
removed from both linkerd install and linkerd upgrade.
On the proxy side, this release fixes an issue where proxies would not honor the cluster's opaqueness settings for non-pod/service addresses. This could cause protocol detection to be performed, for instance, when using off-cluster databases.
This release also disables the use of regexes in Linkerd log filters (i.e., as
set by LINKERD2_PROXY_LOG). Malformed log directives could, in theory, cause a
proxy to stop responding.
The helm.sh/chart label in some of the CRDs had its formatting fixed, which
avoids issues when installing/upgrading through external tools that make use of
it, such as recent versions of Flux.
--crds flag to install/upgrade and remove config/control-plane stages
AuthorizationPolicy CRD to have an empty requiredAuthenticationRefs entry that allows all traffic
nodeAffinity config in all the charts for enhanced control on the pods scheduling (thanks @michalrom089!)
resources, nodeSelector and tolerations configs in the linkerd-multicluster-link chart for enhanced control on the service mirror deployment (thanks @utay!)
helm.sh/chart label in CRDs
config.linkerd.io/opaque-ports annotation
This edge release introduces new policy CRDs that allow for more generalized authorization policies.
The AuthorizationPolicy CRD authorizes clients that satisfy all the required
authentications to communicate with the Linkerd Server that it targets.
Required authentications are specified through the new MeshTLSAuthentication
and NetworkAuthentication CRDs.
A MeshTLSAuthentication defines a list of authenticated client IDs—specified
directly by proxy identity strings or referencing resources such as
ServiceAccounts.
A NetworkAuthentication defines a list of client networks that will be
authenticated.
Additionally, to support the new CRDs, policy-related labels have been changed
to better categorize policy metrics. A srv_kind label has been introduced
which splits the current srv_name value—formatted as kind:name—into separate
labels. The saz_name label has been removed and is replaced by the new
authz_kind and authz_name labels.
srv_kind label which allowed splitting the value of the current srv_name label
saz_name label and replaced it with the new authz_kind and authz_name labels
AuthorizationPolicy, MeshTLSAuthentication, NetworkAuthentication
--proxy-version flag (thanks @importhuman!)
This edge release ensures that in multicluster installations, mirror service endpoints have their readiness tied to gateway liveness. When the gateway for a target cluster is not alive, the endpoints that point to it on a source cluster will properly indicate that they are not ready.
namespace entry in linkerd-control-plane chart
This edge release includes a few fixes and quality of life improvements. An issue has been fixed in the proxy allowing HTTP Upgrade requests to work through multi-cluster gateways, and the init container's resource limits and requests have been revised. Additionally, more Go linters have been enabled and improvements have been made to the devcontainer.
linkerd-init resource (CPU/memory) limits and requests to ensure by default the init container does not break a pod's Guaranteed QOS class
NodeShutdown during validation as they will not have a proxy container
This edge release includes updates to dependencies, CI, and rust 1.59.0. It also
includes changes to the linkerd-jaeger chart to ensure that namespace labels
are preserved and adds support for imagePullSecrets, along with improvements
to the multicluster and policy functionality.
multicluster link command to clarify that the link is one-direction
imagePullSecrets to Jaeger Helm chart
linkerd-jaeger chart
repairEndpoints runs
Server CRD to handle an empty PodSelector
This edge release continues to address several security related lints and ensures they are checked by CI.
linkerd check warning for clusters that cannot verify their clusterNetworks due to Nodes missing the podCIDR field
Server CRD to allow having an empty PodSelector
linkerd inject to only support https URLs to mitigate security risks
failurePolicy was set to Fail
This edge release fixes some Instant-related proxy panics that occur on Amazon
Linux. It also includes many behind the scenes improvements to the project's
CI and linting.
--controller-image-version install flag to simplify the way that image versions are handled. The controller image version can be set using the --set linkerdVersion flag or Helm value
Instant-related proxy panics that occur on Amazon Linux
This edge release updates the jaeger extension to be available in ARM architectures and applies some security-oriented amendments.
linkerd multicluster check which was reporting false warnings
This edge release removed the disableIdentity configuration now that the proxy
no longer supports running without identity.
privileged configuration to linkerd-cni which is required by some environments
disableIdentity configurations now that the proxy no longer supports running without identity
linkerd jaeger check would needlessly fail for BYO Jaeger or collector installations
This edge release adds support for per-request Access Logging for HTTP inbound
requests in Linkerd. A new annotation, config.linkerd.io/access-log, is added,
which configures the proxies to emit access logs to stderr. apache and json
are the supported configuration options, emitting access logs in Apache Common
Log Format and JSON respectively.
Special thanks to @tustvold for all the initial work around this!
config.linkerd.io/access-log annotation
LINKERD2_PROXY_ACCESS_LOG proxy environment variable to configure the access log format (thanks @tustvold)
This edge release features a new configuration annotation, support for externally hosted Grafana instances, and other improvements in the CLI, dashboard and Helm charts. To learn more about using an external Grafana instance with Linkerd, you can refer to our docs.
config.linkerd.io/skip-subnets). This configuration option is ideal for Docker-in-Docker (dind) workloads (thanks @michaellzc!)
linkerd-jaeger Helm chart (thanks @yuriydzobak!)
DS_PROMETHEUS) in all Grafana dashboards. This allows pointing to the right Prometheus datasource when importing a dashboard
--ignore-cluster flag in the CLI for the base installation and extensions; manifests will now be rendered even if there is an existing installation in the current Kubernetes context (thanks @krzysztofdrys!)
This release removes the Grafana component in the linkerd-viz extension. Users can now import linkerd dashboards into Grafana from the Linkerd org in Grafana. Users can also follow the instructions in the docs to install a separate Grafana that can be integrated with the Linkerd Dashboard.
repair sub-command in the CLI
This release sets the version of the extension Helm charts to 30.0.0-edge to ensure that previous versions of these charts can be upgraded properly.
RoleBinding for each multicluster link to prevent conflicts when PSP is enabled
This release adds support for using the cert-manager CA Injector to configure Linkerd's webhooks.
This release adds support for custom HTTP methods in the viz stats (i.e. CLI and Dashboard). Additionally, it also includes various smaller improvements.
linkerd-viz stats
linkerd-identity-trust-roots configmap to support cases where they are generated externally (thanks @wim-de-groot)
installNamespace bool flag from the linkerd-control-plane chart (thanks @mikutas)
install command to error if container runtime check fails
This edge release contains a few improvements to the CLI commands and a major change around Helm charts.
The linkerd2 chart has been deprecated in favor of the linkerd-crds and
linkerd-control-plane charts. The former takes care of installing all the
required CRDs and the latter everything else. Of important note is that, as per
Helm best practice, we're no longer creating the linkerd namespace. Users
are required to do that manually, or have the Helm tool do it explicitly. So the
install procedure would look something like this:
```bash
helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
helm install linkerd-control-plane -n linkerd \
  --set-file identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  linkerd/linkerd-control-plane
```
In order to upgrade, please delete your previously installed linkerd2 chart
and install the new charts as explained above.
Although the charts for the main extensions (viz, multicluster, jaeger, linkerd2-cni) were not deprecated, they also stopped creating their namespace and users are required to uninstall and reinstall them anew, e.g:
```bash
helm install linkerd-viz -n linkerd-viz --create-namespace linkerd/linkerd-viz
```
--obfuscate flag to linkerd diagnostics proxy-metrics to obfuscate potentially private information in the output (thanks @ahmedalhulaibi!)
--set clusterNetworks in the linkerd check output when that parameter doesn't contain all the node podCIDRs (thanks @ElvinEfendi!)
linkerd viz check and linkerd jaeger check, to avoid the checks failing unnecessarily
This edge removes the default SMI functionality that is included in
installations now that the linkerd-smi extension provides these resources. It
also relaxes the proxy-init's privileged value to only be set to true when
needed by certain installation configurations.
Along with some bug fixes, the repository's issue and feature request templates have been updated to forms; check them when opening a new issue! (thanks @mikutas).
--context flag (thanks @mikutas!)
proxy-init's privileged: true only when needed (thanks @alex-berger!)
linkerd check would compare proxy versions of uninjected pods leading to incorrect errors
--default-inbound-policy flag to linkerd inject for setting a non-default inbound policy on injected workloads (thanks @ahmedalhulaibi!)
This edge release enables by default EndpointSlices in the destination
controller, which unblocks any functionality that is specific to
EndpointSlices such as topology-aware hints. It also contains a couple of
internal cleanups and upgrades, by our external contributors!
linkerd check verifying the nodes aren't running the old Docker container runtime and attempting to run proxy-init as root at the same time, which doesn't work (thanks @alex-berger!)
EndpointSlices in the destination controller by default
linkerd check -o short
This edge release introduces a change in the destination service to honor
opaque ports set in the proxyProtocol field of Server resources. This
change makes it possible to set opaque ports directly in Server resources
without needing the opaque ports annotation on pods. The release also features
a number of fixes and improvements, a big thank you to our external
contributors for their continued support and involvement.
Server resources; ports can now be marked as opaque directly in Server resources through the proxyProtocol field.
proxyInit as root (thanks @alex-berger!)
Link CRD to code generation script; consumers of the multicluster API can now use a typed API to interact with multicluster links (thanks @zaharidichev!)
v1alpha1 version of the policy APIs
linkerd check header text (thanks @mikutas!)
beta.kubernetes.io/os label with kubernetes.io/os
This edge release fixes a compatibility issue that prevented the policy controller from starting in some Kubernetes distributions. This release also includes a new High Availability mode for the gateway component in multicluster extension. Various dependencies across the CNI plugin, Policy Controller and dashboard have also been upgraded. In the proxy, error logging when the proxy fails to accept a connection due to a system error has been improved.
openssl instead of rustls to fix compatibility issues with some Kubernetes distributions
linkerd-cni to support latest CNI versions
This edge release introduces a new Services page in the web dashboard that shows
live calls and route metrics for meshed services. Additionally, the proxy-init
container is no longer enforced to run as root. Lastly, the proxy can now retry
requests with a content-length header—permitting requests emitted by grpc-go
to be retried.
proxy-init container to run as root
content-length header
TRACE to DEBUG
linkerd was the name of the control plane namespace, leading to issues with installations that use a non-default namespace name
logFormat and logLevel configuration values for the proxy-init container (thanks @gusfcarvalho!)
viz subcommand when necessary (thanks @mikutas!)
linkerd-sp-validator service account in the linkerd-psp role binding (thanks @multimac!)
In this edge, we're very excited to introduce Service Account Token Volume Projections, used to set up the pods' identities. These tokens are bounded specifically for this use case and are rotated daily, replacing the usage of the default tokens injected by Kubernetes which are overly permissive.
Note that this edge release updates the minimum supported Kubernetes version to 1.20.
automountServiceAccountToken set to false
linkerd check -o json
This edge release fixes a bug in the proxy that could cause it to be killed in certain situations. It also uses a more relaxed policy for the identity controller that allows it to work in environments where health checks come from outside of the pod network.
admin server so that it no longer incorrectly appears as "DOWN" in the Prometheus UI
authz CLI commands would fail when policy resources had an empty selector
This edge release fixes linkerd check and the helm charts to explicitly indicate that the minimum Kubernetes version is 1.17.0. Prior to this change, there was no validation or enforcement from linkerd check or helm to meet this minimum requirement.
This edge also improves check functionality for extensions by adding the
-oshort flag, and prevents duplicate policy resources from being created for
linked multicluster services.
-oshort flag for extension check commands
crtExpiry template parameter from helm charts
priorityClassName to the helm charts to configure control plane components
This release includes some fixes in the linkerd check, along with a bunch of dependency updates across the dashboard, Go components, and others. On the proxy side, support for TLSv1.2 has been dropped (only TLSv1.3 cipher suite will be used), and the h2 crate has been updated to support HTTP/2 messages with larger header values.
linkerd check to avoid multiline errors with retryable checks
linkerd check --proxy with un-named ports
1.4.1 which adds support for --log-level and --log-format flags (thanks @gusfcarvalho)
TLSv1.2 in the proxy
h2 crate in the proxy to support HTTP/2 messages with larger header values.
This release introduces access control policies. Default policies may be
configured at the cluster- and workspace-levels; and fine grained policies may
be instrumented via the new policy.linkerd.io/v1beta1 CRDs: Server and
ServerAuthorization. These resources may be created to define how individual
ports accept connections; and the Server resource will be a building block for
future features that configure inbound proxy behavior.
Furthermore, ServiceProfile retry configurations can now instrument retries
for requests with bodies. This unlocks retry behavior for gRPC services.
Upgrade notes: Please see the upgrade instructions.
Proxy
gcr.io/distroless/cc to contain a minimal OS footprint that should not trigger unnecessary alerts in security scanners
inbound_http_errors_total and outbound_http_errors_total metrics to reflect errors that caused the proxy to respond with errors
l5d-proxy-error header that is included on responses on trusted connections for debugging purposes
l5d-client-id header on mutually-authenticated inbound requests so that applications can discover the client's identity
srv_name and saz_name labels to inbound HTTP metrics
linkerd.io/inject: ingress is used

Control Plane
policy-controller container to the linkerd-destination pod--the first control plane component implemented in Rust
Server resources do not reference the same port
linkerd-identity-trust-roots ConfigMap which configures the trust root bundle for all pods in the core control plane namespace
linkerd-controller deployment so that Linkerd's core control plane now consists of only 3 deployments
proxy-init container with NET_RAW and NET_ADMIN capabilities so that the container does not fail when the pod drops these capabilities

CLI
linkerd completion to expand Kubernetes resources from the current kubectl context
authz subcommand to display the authorization policies that impact a workload
linkerd check that only prints failed checks
ReplicaSets to linkerd stat so that pods created by Argo Rollout resources can be inspected

Helm: please see the upgrade instructions.
Extensions:
Introduced a new (optional) SMI extension responsible for reading
specs.smi-spec.io resources and converting them to Linkerd resources
In stable-2.12, this extension will be required to use TrafficSplit
resources with Linkerd
Added an extensions page to the Linkerd Web UI
Viz
Server and ServerAuthorization resources for all ports
Jaeger
Multicluster
StatefulSet workloads

This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible:
Gustavo Fernandes de Carvalho @gusfcarvalho Oleg Vorobev @olegy2008 Bart Peeters @bartpeeters Stepan Rabotkin @EpicStep LiuDui @xichengliudui Andrew Hemming @drewhemm Ujjwal Goyal @importhuman Knut Götz @knutgoetz Sanni Michael @sannimichaelse Brandon Sorgdrager @bsord Gerald Pape @ubergesundheit Alexey Kostin @rumanzo rdileep13 @rdileep13 Takumi Sue @mikutas Akshit Grover @akshitgrover Sanskar Jaiswal @aryan9600 Aleksandr Tarasov @aatarasoff Taylor @skinn Miguel Ángel Pastor Olivar @migue wangchenglong01 @wangchenglong01 Josh Soref @jsoref Carol Chen @kipply Peter Smit @psmit Tarvi Pillessaar @tarvip James Roper @jroper Dominik Münch @muenchdo Szymon Gibała @Szymongib Mitch Hulscher @mhulscher
This edge is a release candidate for stable-2.11.0, containing a couple of
improvements to linkerd check, some final tweaks before the stable release,
and a couple of contributions from the community.
linkerd check --proxy stop failing on pods that are in Shutdown status (thanks @olegy2008!)

This edge is a release candidate for stable-2.11.0! It introduces a new
linkerd viz auth command which shows metrics for server authorizations broken
down by server for a given resource. It also shows the rate of unauthorized
requests to each server. This is helpful for seeing a breakdown of which
authorizations are being used and what proportion of traffic is being rejected.
It also fixes an issue in the proxy where HTTP load balancers could continue trying to establish connections to endpoints that were removed from service discovery. In addition, it improves the proxy's error handling so that it can signal to an inbound proxy when its peers' outbound connections should be torn down.
info to debug to reduce the amount of logs (thanks @bartpeeters!)
linkerd viz auth command which shows metrics for server authorizations broken down by server for a given resource
omitWebhookSideEffects setting now that we no longer support Kubernetes 1.12
profileValidator.namespaceSelector
v1beta1
stat's -o json option to Server resources
linkerd viz authz command

This edge is a release candidate for stable-2.11.0! It features a new linkerd authz CLI command to list servers and authorizations for a workload, as well as
policy resources support for linkerd viz stat. Furthermore, this edge release
adds support for JSON log formatting, enables TLS detection on port 443
(previously marked as opaque), and further improves policy features.
viz stat command
linkerd-identity
linkerd authz command to the CLI to list all server and authorization resources that apply to a specific resource
proxyProtocol field of Server resources
WARN message when deserializing Server structs

This edge release gets us closer to 2.11 by further polishing the policy feature. Also, the proxy received a noticeable resource consumption improvement.
all-unauthenticated to allow the webhooks to be called from the kube-api when using a default-deny policy

This release includes various improvements and feature additions across the policy
feature, i.e., a new validating webhook for policy resources. It also includes changes
in the proxy, i.e., terminating TCP connections when an authorization is revoked and improvements
in the proxy authorization metrics. In addition, the proxy injector has been updated
to set the right opaque-ports annotation on services with default opaque ports.
srv_name label
proxy-identity binary which creates the read-only private key required by the proxy (thanks @yorkijr!)
cluster-unauthenticated
vis stat ts and print a warning about the SMI extension

This edge release continues to build on the policy feature by adding support for cluster-scoped default policies and exposing policy labels on various Prometheus metrics. The proxy has been updated to return HTTP-level authorization errors at the time that the request is processed, instead of when the connection is established.
In addition, the proxy-injector has been updated to set the opaque-ports
annotation on a workload to make sure that controllers can discover how the
workload was configured. Also, the sleep binary has been added to the proxy
image in order to restore the functionality required for waitBeforeExitSeconds
to work.
default-inbound-policy annotation to the proxy-injector
opaque-ports annotation
sleep binary to proxy image
Server resource definition does not match the ports defined for the workload
nonroot variant from the policy-controller's distroless base image to avoid erroring in some environments.

This release adds support for dynamic inbound policies. The proxy now discovers policies from the policy-controller API for all application ports documented in a pod spec. Rejected connections are logged. Policies are not yet reflected in the proxy's metrics.
These policies also allow the proxy to skip protocol detection when a server is explicitly annotated as HTTP/2 or when the server is documented to be opaque or application-terminated TLS.
enableHeadlessServices Helm flag to the linkerd multicluster link command for enabling headless service mirroring (thanks @knutgoetz!)
linkerd-policy service selector to properly select destination control plane components

This edge release continues the policy work by adding a new controller, written
in Rust, to expose a discovery API for inbound server policies. Apart from
that, this release includes a number of changes from external contributors; the
linkerd-jaeger helm chart now supports passing arguments to the Jaeger
container through the chart's values file. A number of unused functions and
variables have also been removed to improve the quality of the codebase.
Finally, this release also comes with changes to the proxy's outbound behavior,
a new extensions page on the dashboard, and support for querying service
metrics using the authority label in linkerd viz stat.
linkerd-policy-controller; the new controller is written in Rust and implements discovery APIs for inbound server policies, the container has been added to the linkerd-destination pod
linkerd-jaeger helm chart to support passing arguments to the Jaeger container (thanks @bsord!)
authority label in linkerd viz stat

This release includes initial changes for the addition of authorization to
Linkerd. It includes adding the new policy.linkerd.io CRDs to the core install.
This also includes numerous dependency updates both in the web and dashboard.
servers.policy.linkerd.io and serverauthorizations.policy.linkerd.io CRDs into the default Linkerd installation to support configuration and discovery of inbound policies

This release updates Linkerd to store the identity trust root in a ConfigMap to make it easier to manage and rotate the trust root. The release also lays the groundwork for StatefulSet support in the multicluster extension and removes deprecated PSP resources by default.
linkerd-identity-trust-roots ConfigMap which contains the configured trust root bundle

This release continues to focus on dependency updates. It also adds the
l5d-proxy-error information header to distinguish
proxy generated errors from application generated errors.
l5d-proxy-error on responses that allows proxy-generated error responses to be distinguished from application-generated error responses.
target_addr label to *_tcp_accept_errors metrics to improve diagnostics, especially for TLS detection timeouts

This edge release introduces several changes around metrics. ReplicaSets are now a supported resource and metrics can be associated with them. A new metric has been added which counts proxy errors encountered before a protocol can be detected. Finally, the request errors metric has been split into separate inbound and outbound directions.
check --pre command usage if it fails after being unable to connect to Kubernetes (thanks @rdileep13!)
LINKERD2_PROXY_INBOUND_PORTS environment variable during proxy injection which will be used by ongoing policy changes
diagnostics controller-metrics command
request_errors_total metric with two new metrics: inbound_http_errors_total and outbound_http_errors_total
inbound_tcp_accept_errors_total and outbound_tcp_accept_errors_total metrics which count proxy errors encountered before a protocol can be detected

This edge release focuses on dependency updates and has a couple of functional
changes. First, the Dockerfile used to build the proxy has been updated to use
the default distroless image, rather than the non-root variant. This change
is safe because the proxy already runs as non-root within the container. Second,
the ignoreInboundPorts parameter has been added in the linkerd2-cni helm
charts in order to enable tap support.
ignoreInboundPorts parameter to the linkerd2-cni plugin helm chart

This edge release adds support for emitting Kubernetes events in the identity controller when issuing leaf certificates. The event includes the identity, expiry date, and a hash of the certificate. Additionally, this release contains many dependency updates for the control plane's components, and it includes a fix for an issue with the clusterNetworks healthcheck.
linkerd check where the clusterNetworks healthcheck would fail if the podCIDR field is omitted from a node's spec.
bin/web script.

This release contains a few improvements, from many contributors! Also under the hood, the destination service has received updates in preparation for the upcoming support for StatefulSets across multicluster.
linkerd check --proxy command to avoid hitting a timeout when dealing with large clusters

This release moves the Linkerd proxy to a more minimal Docker base image, adds a check for detecting certain network misconfigurations, and replaces the deprecated OpenCensus collector with the OpenTelemetry collector in the jaeger extension.
This release fixes a problem with the HTTP body buffering that was added to support gRPC retries. Now, only requests with a retry configuration are buffered (and only when their bodies are less than 64KB).
Additionally, this release fixes an issue with the outbound ingress-mode proxy where forwarded HTTP clients could fail to detect when the target pod was deleted, causing connections to retry forever. This only impacted traffic forwarded directly to pod IPs and not load balanced services.
Finally, this release also includes some fixes in the CLI and dashboard.
namespace resource was erroneously being shown in the dashboard's topology graph

This release adds support for retrying HTTP/2 requests with small (<64KB) message bodies, allowing the proxy to properly buffer message bodies when responses are classified as a failure. Documentation on how to configure retries can be found here.
This release also modifies the proxy's identity subsystem to instantiate a client on-demand so client connections are not retained continually. Also included in this release are various bug fixes and improvements as well as expanding support for resource-aware tab completion in the jaeger and multicluster CLI extensions.
gateway-port flag for the multicluster link command (thanks @psmit!)
jaeger and multicluster commands
viz, jaeger and multicluster extensions could not be installed on PodSecurityPolicy-enabled clusters
linkerd check --proxy could incorrectly report out-of-date proxy versions caused by incorrect regex (thanks @aryan9600!)
uninstall command to remove viz installations that used the legacy linkerd.io/extension: linkerd-viz label (thanks @jsoref!)

This edge release contains various improvements to the Viz and Jaeger install
charts, along with bug fixes in the CLI and destination. This release also
adds Kubernetes-aware autocompletion to all viz commands, and makes
ServiceProfiles part of the default viz install.
Finally, the proxy has been updated to continue supporting requests without
l5d-dst-override in ingress-mode proxies, to no longer include query parameters
in the OpenCensus trace spans, and to prevent timeouts with controller clients
of components with more than one replica.
hint.OpaqueTransport field from not being set when H2 upgrades are disabled
l5d-dst-override in ingress-mode proxies
linkerd check --proxy failure with pods that are part of Jobs
viz install to also include ServiceProfiles of its components. As a side-effect, linkerd diagnostics install-sp cmd has been removed
ServiceProfile.dstOverrides over TrafficSplit when both are present for a service
collector and jaeger components in the jaeger extension (thanks @tarvip!)
nodeselector, toleration fields for components in the Viz extension (thanks @aatarasoff!)
podAnnotations field work with prometheus
--addon-overwrite flag in linkerd upgrade

This edge release updates the proxy-init container to check whether the iptables
rules have already been added, which prevents errors if the proxy-init container
is restarted. Also, the viz stat command now has tab completion for Kubernetes
resources, saving you precious keystrokes! Finally, the proxy has been updated
with several fixes and improvements.
build.md for using a locally built proxy (thanks @jroper!)
viz stat command
proxy-init to skip configuring firewall if rules exist
viz uninstall to delete all RBAC objects (thanks @aryan9600!)
l5d-client-id header on mutually-authenticated inbound requests so that applications can discover the client's identity.
l5d-dst-override header on outbound requests when the proxy is in ingress-mode

This edge release adds support for versioned hint URLs in linkerd check and
support for traffic splitting through ServiceProfiles, among other fixes and
improvements. Additionally, more options have been added to the
linkerd-multicluster and linkerd-jaeger helm charts.
dstOverrides field.
nodePorts option to the multicluster helm chart (thanks @psmit!).
nodeSelector and toleration options to the linkerd-jaeger helm chart (thanks @aatarasoff!).
check command when encountering an error; each major CLI version will now point to that version's relevant section in the Linkerd troubleshooting page.
check command where error messages for healthchecks that were being retried would be outputted repeatedly instead of just once.
l5d-dst-override header and by failing non-HTTP communication. Proxies running in ingress-mode will not unexpectedly revert to insecure communication as a result.

This edge release adds a new output format short for linkerd check to show a
summary of the check output. This release also includes various proxy bug fixes
and improvements.
short format for the --output flag of the check command to show a summary of check results

This edge release further consolidates the control plane by removing the linkerd-controller deployment and moving the sp-validator container into the destination deployment.
Annotation inheritance has been added so that all Linkerd annotations
on a namespace resource will be inherited by pods within that namespace.
In addition, the config.linkerd.io/proxy-await annotation has been added which
enables the linkerd-await
functionality by default, simplifying the implementation of the await behavior.
Setting the annotation value to disabled will prevent this behavior.
Some of the linkerd check functionality has been updated. The command
ensures that annotations and labels are properly located in the YAML and adds
proxy checks for the control plane and extension pods.
Finally, the nginx container has been removed from the Multicluster gateway pod, which will impact upgrades. Please see the note below.
Upgrade note: When the Multicluster extension is updated in both of the
source and target clusters there won't be any downtime because this change only
affects the readiness probe. The multicluster links must be re-generated with
the linkerd mc link command and the linkerd mc gateways will show
the target cluster as not alive until the linkerd mc link command is re-run,
however that shouldn't affect existing endpoints pointing to the target cluster.
This stable release adds CLI support for Apple Silicon M1 chips and support for
SMI's TrafficSplit v1alpha2.
There are several proxy fixes: handling FailedPrecondition errors gracefully,
inbound TLS detection from non-meshed workloads, and using the correct cached
client when the proxy is in ingress mode. The logging infrastructure has also
been improved to reduce memory pressure in high-connection environments.
On the control-plane side, there have been several improvements to the destination service such as support for Host IP lookups and ignoring pods in "Terminating" state. It also updates the proxy-injector to add opaque ports annotation to pods if their namespace has it set.
On the CLI side, linkerd repair has been updated to be aware of the control-plane
version and suggest the relevant version to generate the right config. Various
bugs have been fixed around linkerd identity, etc.
Upgrade notes: Please refer to the 2.10 upgrade instructions
if you are upgrading from 2.9.x or below versions.
Proxy:
destination controller when it returned a FailedPrecondition
Control Plane:
v1alpha2
1.16.2.
CLI:
linkerd repair to be aware of the client and server versions
linkerd uninstall to print error message when there are no resources to uninstall.
Helm:
Viz:
Multicluster:
Jaeger:
This edge supersedes edge-21.4.2 as a release candidate for stable-2.10.1!
This release adds support for TrafficSplit v1alpha2. Additionally, it includes
improvements to the web and proxy-init images.
v1alpha2
proxy-init image to v1.3.11 which updates the go version to be 1.16.2

This edge release is another candidate for stable-2.10.1!
It includes some CLI fixes and addresses an issue where the outbound proxy would forward traffic to the wrong pod when running in ingress mode.
Thank you to all of our users that have helped test and identify issues in 2.10!
linkerd inject where the wrong annotation would be added when using --ingress flag
linkerd repair caused by a mismatch between CLI and server versions
matches field from TrafficSplit CRD

This is a release candidate for stable-2.10.1!
This includes several fixes for the core installation as well as the Multicluster, Jaeger, and Viz extensions. There are two significant proxy fixes that address TLS detection and admin server failures.
Thanks to all our 2.10 users who helped discover these issues!
metrics-api container so that it can validate the certificate of an external Prometheus

This release fixes some issues around publishing of CLI binary for Apple Silicon M1 Chips. This release also includes some fixes and improvements to the dashboard, destination, and the CLI.
installNamespace toggle in the jaeger extension's install. (thanks @jijeesh!)
healthcheck pkg to have hintBaseURL configurable, useful for external extensions using that pkg

This release includes various bug fixes and improvements to the CLI, the identity and destination control plane components as well as the proxy. This release also ships with a new CLI binary for Apple Silicon M1 chips.
linkerd identity command returned the root certificate of a pod instead of its leaf certificate
destination control plane component sometimes returned endpoint addresses with a 0 port number while pods were undergoing a rollout (thanks @riccardofreixo!)
linkerd check command when running extension checks
destination controller when it returned a FailedPrecondition

This release introduces Linkerd extensions. The default control plane no longer
includes Prometheus, Grafana, the dashboard, or several other components that
previously shipped by default. This results in a much smaller and simpler set
of core functionalities. Visibility and metrics functionality is now available
in the Viz extension under the linkerd viz command. Cross-cluster
communication functionality is now available in the Multicluster extension
under the linkerd multicluster command. Distributed tracing functionality is
now available in the Jaeger extension under the linkerd jaeger command.
This release also introduces the ability to mark certain ports as "opaque", indicating that the proxy should treat the traffic as opaque TCP instead of attempting protocol detection. This allows the proxy to provide TCP metrics and mTLS for server-speaks-first protocols. It also enables support for TCP traffic in the Multicluster extension.
Upgrade notes: Please see the upgrade instructions.
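The difference between skipping a port and marking it opaque, shown as manifests. This is an added example, not from the Linkerd release notes or repository: the workloads, images and port 3307 are constructed, and `config.linkerd.io/skip-outbound-ports` is the existing Linkerd annotation that makes traffic bypass the proxy.

```yaml
# BEFORE: the client bypasses the proxy for a server-speaks-first port.
# Connections to 3307 leave the pod outside the mesh, so they get neither
# mTLS nor TCP metrics.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders                          # constructed client workload
  namespace: shop
spec:
  selector:
    matchLabels: {app: orders}
  template:
    metadata:
      labels: {app: orders}
      annotations:
        linkerd.io/inject: enabled
        config.linkerd.io/skip-outbound-ports: "3307"   # remove after the change below
    spec:
      containers:
        - name: orders
          image: example.invalid/orders:1.0             # placeholder image
---
# AFTER: the port is marked opaque on the server's Pod template and on its
# Service. The proxy skips protocol detection and carries the connection as
# opaque TCP, so it stays inside the mesh.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-db                       # constructed server workload
  namespace: shop
spec:
  selector:
    matchLabels: {app: orders-db}
  template:
    metadata:
      labels: {app: orders-db}
      annotations:
        linkerd.io/inject: enabled
        config.linkerd.io/opaque-ports: "3307"
    spec:
      containers:
        - name: db
          image: example.invalid/db:1.0                 # placeholder image
          ports:
            - containerPort: 3307
---
apiVersion: v1
kind: Service
metadata:
  name: orders-db
  namespace: shop
  annotations:
    config.linkerd.io/opaque-ports: "3307"
spec:
  selector: {app: orders-db}
  ports:
    - port: 3307
      targetPort: 3307
```

Ports in the list 25,443,587,3306,5432,11211 need no annotation in this release because they are handled opaquely by default; a leftover skip-ports annotation for them still takes that traffic out of the mesh.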
Proxy
config.linkerd.io/opaque-ports annotation on the Pod and Service or by using the --opaque-ports flag with linkerd inject
25,443,587,3306,5432,11211 have been removed from the default skip ports; all traffic through those ports is now proxied and handled opaquely by default
linkerd.io/inject: ingress) to use an excessive amount of memory
/shutdown admin endpoint that may only be accessed over the loopback network allowing batch jobs to gracefully terminate the proxy on completion

Control Plane

CLI
check command to include each installed extension's check output; this allows users to check for proper configuration and installation of Linkerd without running a command for each extension
metrics, endpoints, and install-sp commands into subcommands under the diagnostics command
--opaque-ports flag to linkerd inject to easily mark ports as opaque.
repair command which will repopulate resources needed for properly upgrading a Linkerd installation
set, set-string, values, set-files customization flags for the linkerd install and linkerd upgrade commands
linkerd identity command, used to fetch the TLS certificates for injected pods (thanks @jimil749)
get and logs command from the CLI

Helm

Viz
linkerd viz subcommand which contains commands for installing the viz extension and all visibility commands
linkerd viz list command to list pods with tap enabled
tap APIServer would not refresh its certs automatically when provided externally—like through cert-manager

Multicluster
linkerd multicluster subcommand which contains commands for installing the multicluster extension and all multicluster commands
config.linkerd.io/opaque-ports annotation when mirroring services so that cross-cluster traffic can be correctly handled as opaque

Jaeger
linkerd jaeger subcommand which contains commands for installing the jaeger extension and all tracing commands
linkerd jaeger list command to list pods with tracing enabled

This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible: Lutz Behnke Björn Wenzel Filip Petkovski Simon Weald GMarkfjard hodbn Hu Shuai Jimil Desai jiraguha Joakim Roubert Josh Soref Kelly Campbell Matei David Mayank Shah Max Goltzsche Mitch Hulscher Eugene Formanenko Nathan J Mehl Nicolas Lamirault Oleh Ozimok Piyush Singariya Naga Venkata Pradeep Namburi rish-onesignal Shai Katz Takumi Sue Raphael Taylor-Davies Yashvardhan Kukreja
This edge release is another release candidate for stable 2.10 and fixes some final bugs found in testing. A big thank you to users who have helped us identify these issues!
check command output hint anchors to match Linkerd component names
--set flag

This edge release is another release candidate, bringing us closer to
stable-2.10.0! It fixes the Helm install/upgrade procedure and ships some new
CLI commands, among other improvements.
proxy.image.version
linkerd viz list to list meshed pods and indicate which can be tapped, which need to be restarted before they can be tapped, and which have tap disabled
linkerd jaeger list to list meshed pods and indicate which will participate in tracing
--opaque-ports flag to linkerd inject to specify the list of opaque ports when injecting pods (and services)
linkerd jaeger check, combining the checks for the status of each component into a single check

This edge is a release candidate for stable-2.10.0! It wraps up the functional
changes planned for the upcoming stable release. We hope you can help us test
this in your staging clusters so that we can address anything unexpected before
an official stable.
This release introduces support for CLI extensions. The Linkerd check command
will now invoke each extension's check command so that users can check the
health of their Linkerd installation and extensions with one command. Additional
documentation will follow for developers interested in creating extensions.
Additionally, there is no longer a default list of ports skipped by the proxy. These ports have been moved to opaque ports, meaning protocols like MySQL will be encrypted by default and without user input.
values.yaml by removing do not edit entries; they are now hardcoded in the templates
install command so that it errors after detecting there is an existing Linkerd installation in the cluster
mirror.linkerd.io label
25,443,587,3306,5432,11211 have been removed from the default skip ports; all traffic through those ports is now proxied and handled opaquely by default
check --proxy command when tap is not configured for pods; this is now handled by the viz tap command
check commands are invoked by Linkerd's check command
metrics, endpoints, and install-sp commands into subcommands under the diagnostics command.
linkerd- prefix from non-cluster scoped resources in the Viz and Jaeger extensions
tcp_connection_duration_ms histogram from the metrics export to fix high cardinality issues that surfaced through high memory usage

This release wraps up most of the functional changes planned for the upcoming
stable-2.10.0 release. Try this edge release in your staging cluster and
let us know if you see anything unexpected!
Service-export annotation from mirror.linkerd.io/exported to multicluster.linkerd.io/export
config.linkerd.io/opaque-ports annotation on newly-created Service objects when the annotation is set on its parent Namespace
automountServiceAccountToken (thanks @jimil749)
install and uninstall behavior for extensions to prevent control-plane components from being left in a broken state
cr.l5d.io registry

This edge release introduces support for multicluster TCP!
The repair command was added which will repopulate resources needed for
upgrading from a 2.9.x installation. There will be an error message during the
upgrade process indicating that this command should be run so that users do not
need to guess.
Lastly, it contains a breaking change for Helm users. The global field has
been removed from the Helm chart now that it is no longer needed. Users will
need to pass in the identity certificates again—along with any other
customizations, no longer rooted at global.
Global field from the Linkerd Helm chart now that it is unused because of the extension model
repair command which will repopulate resources needed for properly upgrading a Linkerd installation
sidecarContainers key in the Viz extension Helm chart to match that of the template (thanks @n-oden!)
tapInjector.logLevel key to the Viz extension helm chart so that the log level of the component can be configured
--disable-tap flag from the inject command now that tap is no longer part of the core installation (thanks @mayankshah1607!)
check command to include each installed extension's check output; this allows users to check for proper configuration and installation of Linkerd without running a command for each extension

This edge release continues improving the proxy's diagnostics and also avoids timing out when the HTTP protocol detection fails. Additionally, old resource versions were upgraded to avoid warnings in k8s v1.19. Finally, it comes with lots of CLI improvements detailed below.
viz.linkerd.io/tap-enabled annotation when injecting a pod, which allowed providing clearer feedback for the linkerd tap command
jaeger.linkerd.io/tracing-enabled annotation when injecting a pod, which also allowed providing better feedback for the linkerd jaeger check command
linkerd uninstall command so it fails gracefully when there still are injected resources in the cluster (a --force flag was provided too)
linkerd profile --tap functionality into a new command linkerd viz profile --tap, given tap now belongs to the viz extension
linkerd viz check command to include data-plane checks

This edge release continues to polish the Linkerd extension model and improves the robustness of the opaque transport.
check commands between Linkerd extensions
tls="passthru" when forwarding non-mesh TLS connections

This edge release improves proxy diagnostics and recovery in situations where
the proxy is temporarily unable to route requests. Additionally, the viz and
multicluster CLI sub-commands have been updated for consistency.
Full release notes:
set, set-string, values, set-files customization flags for the linkerd install and linkerd multicluster install commands
linkerd metrics could return metrics for the incorrect set of pods when there are overlapping label selectors
client and server prefixes in the proxy logs for socket-level errors to indicate which side of the proxy encountered the error
linkerd viz check sub-command to verify the states of the linkerd-viz components
log-format flag to optionally output the control plane component log output as JSON (thanks @mo4islona!)
metrics and profile subcommands to use the namespace specified by the current-context of the KUBECONFIG so that it is no longer necessary to use the --namespace flag to query resources in the current namespace. Queries for resources in namespaces other than the current namespace still require the --namespace flag
linkerd viz install that manages all functionality dependent on Prometheus, thus removing most of the dependencies on Prometheus from the linkerd core installation
linkerd multicluster check command to properly work.

This edge release continues the work on decoupling non-core Linkerd components.
Commands that use the viz extension, i.e., dashboard, edges, routes,
stat, tap and top are moved to the viz sub-command. These commands are still
available under root but are marked as deprecated and will be removed in a
later stable release.
This release also upgrades the proxy's dependencies to the Tokio v1 ecosystem.
viz
Succeeded status when watching IP addresses in destination. This allows the re-use of IPs of terminated pods
collector.jaegerAddr in the Jaeger extension.
podAntiAffinity use-case
values.yaml in Helm and flags in CLI.
linkerd-viz namespace resource in the viz extension (thanks @nlamirault)
--ignore-cluster flag (thanks @piyushsingariya)

This edge release introduces a new "opaque transport" feature that allows the
proxy to securely transport server-speaks-first and otherwise opaque TCP
traffic. Using the config.linkerd.io/opaque-ports annotation on pods and
namespaces, users can configure ports that should skip the proxy's protocol
detection.
Additionally, a new linkerd-viz extension has been introduced that separates
the installation of the Grafana, Prometheus, web, and tap components. This
extension closely follows the Jaeger and multicluster extensions; users can
install and uninstall with the linkerd viz .. command as well as configure
for HA with the --ha flag.
The linkerd viz install command does not have any CLI flags to customize the
install directly, but instead follows the Helm way of customization by using
flags such as set, set-string, values, set-files.
Finally, a new /shutdown admin endpoint that may only be accessed over the
loopback network has been added. This allows batch jobs to gracefully terminate
the proxy on completion. The linkerd-await utility can be used to automate
this.
linkerd multicluster check command to validate that the
linkerd-multicluster extension is working correctly
linkerd edges command (thanks @jsoref!)
ca.crt field in the identity issuer secret
and the trust anchors in the Linkerd config; these values being different is
not a failure case for the linkerd check command (thanks @cypherfox!)
linkerd check command since it now
depends on a component that is installed with the Viz extension
linkerd check (thanks
@pradeepnnv!)
linkerd.io/proxy-version when it is
overridden by annotations (thanks @mateiidavid!)
linkerd-viz helm chart (thanks
@jimil749!)
proxy-mutator to jaeger-injector in the linkerd-jaeger extension
/shutdown admin endpoint that may only be accessed over the
loopback network allowing batch jobs to gracefully terminate the proxy on
completion
linkerd identity command, used to fetch the TLS certificates
for injected pods (thanks @jimil749)
linkerd-multicluster extension
This edge release adds support for the config.linkerd.io/opaque-ports
annotation on pods and namespaces, to configure ports that should skip the
proxy's protocol detection. In addition, it adds new CLI commands related to the
linkerd-jaeger extension, fixes bugs in the CLI install and upgrade
commands and Helm charts, and fixes a potential false positive in the proxy's
HTTP protocol detection. Finally, it includes improvements in proxy performance
and memory usage, including an upgrade for the proxy's dependency on the Tokio
async runtime.
config.linkerd.io/opaque-ports annotation on pods and
namespaces, to indicate to the proxy that some ports should skip protocol
detection
linkerd install --ha failed to honor flags
linkerd upgrade --ha can override existing configs
linkerd-config-overrides secret to avoid breaking
upgrades performed with the help of kubectl apply --prune
linkerd jaeger check CLI command to validate that the
linkerd-jaeger extension is working correctly
linkerd jaeger uninstall CLI command to print the linkerd-jaeger
extension's resources so that they can be piped into kubectl delete
linkerd-cni daemonset may not be installed on all
intended nodes, due to missing tolerations to the linkerd-cni Helm chart
(thanks @rish-onesignal!)
tap APIServer would not refresh its certs
automatically when provided externally—like through cert-manager
This edge release is functionally the same as edge-20.12.2. It fixes an issue
that prevented the release build from occurring.
proxy-injector and sp-validator did not refresh
their certs automatically when provided externally—like through cert-manager
jaeger install command to allow
setting Helm values when installing the Linkerd-jaeger extension
linkerd-jaeger extension
install --ha was only partially applying the high
availability config
multicluster link command and not being installed through Helm
This edge release continues the work of decoupling non-core Linkerd components by moving more tracing related functionality into the Linkerd-jaeger extension.
linkerd-jaeger extension
This edge release improves the proxy's support for high-traffic workloads. It also
contains the first steps towards decoupling non-core Linkerd components, the
first iteration being a new linkerd jaeger sub-command for installing tracing.
Please note this is still a work in progress.
content-type when synthesizing gRPC error
responses
proxy-init image to v1.3.8 which is based off of
buster-20201117-slim to reduce potential security vulnerabilities
linkerd-config doesn't have an entry for
Global configs (thanks @hodbn!)
/jaeger directory now contains the charts and commands
for installing the tracing component.
This edge release improves support for CNI by properly handling parameters
passed to the nsenter command, relaxes checks on root and intermediate
certificates (following X509 best practices), and fixes two issues: one that
prevented installation of the control plane into a custom namespace and one
which failed to update endpoint information when a headless service is modified.
This release also improves linkerd proxy performance by eliminating unnecessary
endpoint resolutions for TCP traffic and properly tearing down serverside
connections when errors occur.
linkerd check so that it doesn't attempt to validate the subject
alternative name (SAN) on root and intermediate certificates. SANs for leaf
certificates will continue to be validated
linkerd-namespace flag is not honored when
passed to the install and upgrade commands
buster-20201117-slim to
reduce potential security vulnerabilities
v1.3.7 which fixes CNI issues in certain
environments by properly parsing nsenter args
This edge release reduces memory consumption of Linkerd proxies which maintain many idle connections (such as Prometheus). It also removes some obsolete commands from the CLI and allows setting custom annotations on multicluster gateways.
get and logs command from the CLI
This release extends Linkerd's zero-config mutual TLS (mTLS) support to all TCP connections, allowing Linkerd to transparently encrypt and authenticate all TCP connections in the cluster the moment it's installed. It also adds ARM support, introduces a new multi-core proxy runtime for higher throughput, adds support for Kubernetes service topologies, and lots, lots more, as described below:
Proxy
debug or
trace log levels are disabled
Control Plane
--enable-endpoint-slices flag to use this resource rather than the
Endpoints API in clusters where this new API is supported
Dashboard
CLI
--addon-config flag to --config to clarify this flag can be
used to set any Helm value
linkerd command
Multicluster
service-mirror controller with separate controllers
that will be installed per target cluster through linkerd multicluster link
unlink command for removing multicluster links
Prometheus
global.prometheusUrl to the Helm config to have linkerd use an
external Prometheus instance instead of the one provided by default
Other
linkerd.io/inject: ingress annotation and accompanying
--ingress flag to the inject command, to configure the proxy to support
service profiles and enable per-route metrics and traffic splits for HTTP
ingress controllers
kubernetes.io/tls
so they can be provisioned by cert-manager
ghcr.io from gcr.io; Users
who pull the images into private repositories should take note of this
change
linkerd-config ConfigMap
This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible: Abereham G Wodajie, Alexander Berger, Ali Ariff, Arthur Silva Sens, Chris Campbell, Daniel Lang, David Tyler, Desmond Ho, Dominik Münch, George Garces, Herrmann Hinz, Hu Shuai, Jeffrey N. Davis, Joakim Roubert, Josh Soref, Lutz Behnke, MaT1g3R, Marcus Vaal, Markus, Matei David, Matt Miller, Mayank Shah, Naseem, Nil, OlivierB, Olukayode Bankole, Paul Balogh, Rajat Jindal, Raphael Taylor-Davies, Simon Weald, Steve Gray, Suraj Deshmukh, Tharun Rajendran, Wei Lun, Zhou Hao, ZouYu, aimbot31, iohenkies, memory, and tbsoares
This edge supersedes edge-20.10.6 as a release candidate for stable-2.9.0.
check command would error when there is no Prometheus
configured
check command to warn instead of error when webhook certificates
are near expiry
--ingress flag to the inject command which adds the recently
introduced linkerd.io/inject: ingress annotation
--registry flag from the multicluster install command
This edge supersedes edge-20.10.5 as a release candidate for stable-2.9.0. It
adds a new linkerd.io/inject: ingress annotation to support service profiles
and enable per-route metrics and traffic splits for HTTP ingress controllers
linkerd.io/inject: ingress annotation to configure the
proxy to support service profiles and enable per-route metrics and traffic
splits for HTTP ingress controllers
debug or trace log levels are disabled
linkerd profile CLI command
This edge supersedes edge-20.10.4 as a release candidate for stable-2.9.0. It adds a fix for updating the destination service when there are no endpoints
NoEndpoints message. This ensures that the clients get the correct set of
endpoints during an update.
This edge release is a release candidate for stable-2.9.0. For the proxy, there have been changes to improve performance, remove unused code, and configure ports that can be ignored by default. Also, this edge release adds enhancements to the multicluster configuration and observability, adds more translations to the dashboard, and addresses a bug in the CLI.
global.proxy.destinationGetNetworks to global.clusterNetworks.
This is a cluster-wide setting and can no longer be overridden per-pod
100.64.0.0/10 to the set of discoverable
networks--all-namespaces flag is handled by the
linkerd edges command
This edge release is a release candidate for stable-2.9.0. It overhauls the discovery and routing logic implemented by the proxy, simplifies the way that Linkerd stores configuration, and adds new Helm values to configure additional labels, annotations, and namespace selectors for webhooks.
l5d-dst-override header is no longer honored
TrafficSplits are only applied when a client targets a service's IP
This edge release adds more improvements for mTLS for all TCP traffic. It also includes significant internal improvements to the way Linkerd configuration is stored within the cluster.
client_id and server_id labels.
linkerd-config
proxy-injector uses to derive the configuration
used when injecting workloads
This edge release includes a couple of external contributions towards improved cert-manager support and Grafana charts fixes, among other enhancements.
kubernetes.io/tls,
so they can be provisioned by cert-manager (thanks @cypherfox!)
service-mirror multicluster component so that it retries
connections to the target cluster's Kubernetes API when it's not reachable,
instead of blocking
This edge release introduces support for authenticated docker registries and fixes a recent multicluster regression.
This edge release includes fixes and updates for the control plane and CLI.
--dest-cni-bin-dir flag to the linkerd install-cni command, to
configure the directory on the host where the CNI binary will be placed
collector.name and jaeger.name config fields from the tracing
addon
This edge release continues the work of adding support for mTLS for all TCP
traffic and changes the default container registry to ghcr.io from gcr.io.
If you are upgrading from stable-2.8.x with the Linkerd CLI using the
linkerd upgrade command, you must add the --addon-overwrite flag to ensure
that the grafana image is properly set.
proxy.destinationGetNetworks variable to set the
LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS variable in the proxy chart
template
linkerd check command
This edge release contains an important proxy update that allows linkerd to continue to operate normally in HA during node outages. We're also adding full Kubernetes 1.19 support!
linkerd check for multicluster that was spuriously claiming the
absence of some resources
enable-endpoint-slices flag to not be persisted
when set via linkerd upgrade (thanks @Matei207!)
--frozen-lockfile to avoid accidental update of dashboard JS
dependencies in CI (thanks @tharun208!)
This edge release adds support for topology-aware service routing to
the Destination controller. When providing service discovery updates to proxies,
the Destination controller will now filter endpoints based on the service's
topology preferences. Additionally, this release includes bug fixes for the
linkerd check CLI command and web dashboard.
linkerd check will no longer warn about a looser webhook failure policy in
HA mode
Authority dropdown not being populated (thanks to @tharun208!)
This edge release adds an internationalization framework to the dashboard,
Spanish translations to the dashboard UI, and a linkerd multicluster uninstall
command for graceful removal of the multicluster components.
linkerd check --multicluster if the multicluster
support is not installed
This edge adds multi-arch support to Linkerd! Our docker images and CLI now support the amd64, arm64, and arm architectures.
This edge brings a new approach to multicluster service mirror controllers and the way services in target clusters are selected for mirroring.
The long-awaited Bring-Your-Own-Prometheus case has been finally addressed.
Many other improvements from our great contributors are described below. Also note progress is still being made under the covers for future support for Service Topologies (by @Matei207) and delivering image builds in multiple platforms (by @aliariff).
service-mirror controller, with separate controllers
that will be installed per target cluster through linkerd multicluster link. More info here.
global.prometheusUrl to the Helm config to have linkerd use an
external Prometheus instance instead of the one provided by default.
linkerd check that was failing to wait for Prometheus to be
available right after having installed linkerd.
priorityClassName for CNI DaemonSet pods, and to
install CNI in an existing namespace (both options provided through the CLI
and as Helm configs) (thanks @alex-berger!)
linkerd.io/helm-release-version annotation with checksum/config for
forcing restarting the component during upgrades (thanks @naseemkullah!)
This edge release adds support for the new Kubernetes
EndpointSlice
resource to the Destination controller. Using the EndpointSlice API is more
efficient for the Kubernetes control plane than using the Endpoints API. If
the cluster supports EndpointSlices (a beta feature in Kubernetes 1.17),
Linkerd can be installed with --enable-endpoint-slices flag to use this
resource rather than the Endpoints API.
linkerd command (thanks @WLun001!)
This edge release moves Linkerd's bundled Prometheus into an add-on. This makes the Linkerd Prometheus more configurable, gives it a separate upgrade lifecycle from the rest of the control plane, and will allow users to disable the bundled Prometheus instance. In addition, this release includes fixes for several issues, including a regression where the proxy would fail to report OpenCensus spans.
linkerd check --proxy, fixing an issue where the check would be retried indefinitely
as long as evicted pods are present
This edge release features the option to persist prometheus data to a volume instead of memory, so that historical metrics are available when prometheus is restarted. Additional changes are outlined in the bullet points below.
linkerd stat would fail if any control plane components
were unhealthy, even when other replicas are healthy. The check conditions
for these commands have been improved
plain or json using
the config.linkerd.io/proxy-log-format annotation or the
global.proxy.logFormat value in the helm chart
(thanks again @naseemkullah!)
linkerd install --addon-config= now supports URLs in addition to local
files
createdBy
version tag. This is now controlled by cniPluginVersion in the helm chart
This edge release moves the proxy onto a new version of the Tokio runtime. This allows us to more easily integrate with the ecosystem and may yield performance benefits as well.
linkerd inject command to throw an error while injecting
non-compliant pods (thanks @mayankshah1607)
This release fixes multicluster gateways support on EKS.
linkerd check retry on failures.
bin continued to be improved, thanks to @joakimr-axis!
This edge release is a release candidate for stable-2.8.1. It includes a fix to support multicluster gateways on EKS.
config.linkerd.io/proxy-destination-get-networks annotation configures
the networks for which a proxy can discover metadata. This is an advanced
configuration option that has security implications.
This release introduces a new multi-cluster extension to Linkerd, allowing it to establish connections across Kubernetes clusters that are secure, transparent to the application, and work with any network topology.
linkerd multicluster sub-commands that provide
tooling to create the resources needed to discover services across
Kubernetes clusters.
linkerd multicluster gateways command exposes gateway-specific
telemetry to supplement the existing stat and tap commands.
linkerd-cni component has been promoted from experimental to
stable.
linkerd profile --open-api now honors the x-linkerd-retryable and
x-linkerd-timeout OpenAPI annotations.
grpc-status: UNAVAILABLE trailer.
NOTE: Linkerd's multicluster extension does not yet work on Amazon
EKS. We expect to follow this release with a stable-2.8.1 to address this
issue. Follow #4582 for updates.
This release includes changes from a massive list of contributors. A special thank-you to everyone who helped make this release possible: @aliariff, @amariampolskiy, @arminbuerkle, @arthursens, @christianhuening, @christyjacob4, @cypherfox, @daxmc99, @dr0pdb, @drholmie, @hydeenoble, @joakimr-axis, @jpresky, @kohsheen1234, @lewiscowper, @lundbird, @matei207, @mayankshah1607, @mmiller1, @naseemkullah, @sannimichaelse, & @supra08.
This edge release is our second release candidate for stable-2.8, including
various fixes and improvements around multicluster support.
linkerd multicluster gateways command
This edge release is a release candidate for stable-2.8! It introduces several
improvements and fixes for multicluster support.
linkerd check
linkerd check
nginx-configuration ConfigMap to linkerd-gateway-config (please
manually remove the former if upgrading from an earlier multicluster
install, thanks @mayankshah1607!)
mc-gateway and mc-probe
linkerd-prometheus
bin/ scripts (thanks @joakimr-axis!)
linkerd mc allow
linkerd-gateway component to use the inbound proxy, rather
than nginx, for gateway; this allows Linkerd to detect loops and propagate
identity
This edge release adds refinements to the Linkerd multicluster implementation, adds new health checks for the tracing add-on, and addresses an issue in which outbound requests from the proxy result in looping behavior.
multicluster command along with subcommands to configure and
deploy Linkerd workloads which enable services to be mirrored across
clusters
linkerd stat output
addon-overwrite upgrade flag which allows users to overwrite the
existing addon config rather than merging into it
--close-wait-timeout inject flag which sets the
nf_conntrack_tcp_timeout_close_wait property which can be used to mitigate
connection issues with application that hold half-closed sockets
linkerd-multicluster namespace
by default
global.grafanaUrl variable to allow using an existing Grafana
installation
Controller
Proxy
errno label is included to describe the underlying errors in the proxy's
metrics
Internal
This edge release contains everything required to get up and running with multicluster. For a tutorial on how to do that, check out the documentation.
linkerd check that validates that all clusters
part of a multicluster setup have compatible trust anchors
linkerd cluster export-service command to work by
transforming yaml instead of modifying cluster state
linkerd cluster export-service
command to operate on lists of services
linkerd check command
linkerd install command for release builds
This edge release includes several new CLI commands for use with multi-cluster gateways, and adds liveness checks and metrics for gateways. Additionally, it makes the proxy's gRPC error-handling behavior more consistent with other implementations, and includes a fix for a bug in the web UI.
linkerd cluster setup-remote command for setting up a
multi-cluster gateway
linkerd cluster gateways command to display stats for
multi-cluster gateways
linkerd cluster export-service to modify a provided YAML file
and output it, rather than mutating the cluster
grpc-status: UNAVAILABLE trailer when a gRPC
response stream is interrupted by a transport error
This edge release fixes a packaging issue in edge-20.4.3.
From edge.20.4.3 release notes:
This edge release adds functionality to the CLI to output more detail and includes changes which support the multi-cluster functionality. Also, the helm support has been expanded to make installation more configurable. Finally, the HA reliability is improved by ensuring that control plane pods are restarted with a rolling strategy
linkerd check --proxy command to list all data plane
pods which are not up-to-date rather than just printing the first one it
encounters
--proxy flag to the linkerd version command which lists all
proxy versions running in the cluster and the number of pods running each
version
linkerd.io/workload-ns which indicates the namespace of the workload/pod
/live
admin endpoint instead of the /metrics endpoint, because the /live
endpoint returns a smaller payload
This release is superseded by edge-20.4.4
This edge release adds functionality to the CLI to output more detail and includes changes which support the multi-cluster functionality. Also, the helm support has been expanded to make installation more configurable. Finally, the HA reliability is improved by ensuring that control plane pods are restarted with a rolling strategy
linkerd check --proxy command to list all data plane
pods which are not up-to-date rather than just printing the first one it
encounters
--proxy flag to the linkerd version command which lists all
proxy versions running in the cluster and the number of pods running each
version
linkerd.io/workload-ns which indicates the namespace of the workload/pod
/live
admin endpoint instead of the /metrics endpoint, because the /live
endpoint returns a smaller payload
This release brings a number of CLI fixes and Controller improvements.
--skip-outbound-ports or --skip-inbound-ports were used
unmeshed flag to the stat command, such that unmeshed resources
are only displayed if the user opts-in
--smi-metrics flag to install, to allow installation of the
experimental linkerd-smi-metrics component
linkerd stat, causing incorrect output formatting when
using the --o wide flag
linkerd uninstall to fail when attempting to delete
PSPs
linkerd-smi-metrics deployment to avoid
pod scheduling problems during upgrade
linkerd-destination service,
enabling mirrored remote services to change cluster gateways
operationID field to tap OpenAPI response to prevent issues during
upgrade from 2.6 to 2.7
This release introduces some cool new functionalities, all provided by our awesome community of contributors! Also two bugs were fixed that were introduced since edge-20.3.2.
linkerd uninstall command to uninstall the control plane (thanks
@Matei207!)
linkerd routes -o wide to not show the proper actual
success rate
automountServiceAccountToken
disabled (thanks @mayankshah1607!)
This release introduces several fixes and improvements to the CLI.
This release introduces new experimental CLI commands for querying metrics using the Service Mesh Interface (SMI) and for multi-cluster support via service mirroring.
If you would like to learn more about service mirroring or SMI, or are interested in experimenting with these features, please join us in Linkerd Slack for help and feedback.
linkerd cluster commands for managing multi-cluster
service mirroring
linkerd alpha clients command, which uses the
smi-metrics API to display client-side metrics from each of a resource's
clients
linkerd check checks to prevent spurious failures
when run immediately after cluster creation or Linkerd installation
This release introduces substantial proxy improvements as well as new observability and security functionality.
linkerd alpha stat command, which uses the smi-metrics API;
the latter enables access to metrics to be controlled with RBAC
(x-linkerd-timeout) via OpenAPI spec (thanks @lewiscowper!)
linkerd2 chart README (thanks @lundbird!)
This release introduces new functionality mainly focused around observability
and multi-cluster support via service mirroring.
If you would like to learn more about service mirroring or are interested in
experimenting with this feature, please join us in Linkerd
Slack for help and feedback.
linkerd check command to check for extension server
certificate (thanks @christyjacob4!)
This release introduces the first optional add-on tracing, added through the
new add-on model!
The existing optional tracing components Jaeger and OpenCensus can now be
installed as add-on components.
There will be more information to come about the new add-on model, but please refer to the details of #3955 for how to get started.
linkerd diagnostics command to get metrics only from the
control plane, excluding metrics from the data plane proxies (thanks
@srv-twry!)
linkerd install --prometheus-image option for installing a
custom Prometheus image (thanks @christyjacob4!)
linkerd upgrade where changes to the Namespace
object were ignored (thanks @supra08!)
tracing add-on which installs Jaeger and OpenCensus as add-on
components (thanks @Pothulapati!!)
This release includes the results from continued profiling & performance analysis on the Linkerd proxy. In addition to modifying internals to prevent unwarranted memory growth, new metrics were introduced to aid in debugging and diagnostics.
Also, Linkerd's CNI plugin is out of experimental, check out the docs at https://linkerd.io/2/features/cni/ !
CLI
linkerd stat command (thanks
@mayankshah1607!)
linkerd top output (thanks
@kohsheen1234!)
linkerd metrics that was causing a panic when
port-forwarding failed (thanks @mayankshah1607!)
linkerd check verifying the number of replicas for
Linkerd components in HA (thanks @mayankshah1607!)
linkerd upgrade's output that are no longer
relevant (thanks @supra08!)
Controller
(x-linkerd-retryable) via OpenAPI spec (thanks @kohsheen1234!)
Proxy
request_errors_total metric exposing the number of requests that
receive synthesized responses due to proxy errors
Helm
enforcedHostRegexp variable to allow configuring the
linkerd-web component enforced host (that was previously introduced to
protect against DNS rebinding attacks) (thanks @sannimichaelse!)
Internal
This release adds support for integrating Linkerd's PKI with an external
certificate issuer such as cert-manager as well as streamlining the
certificate rotation process in general. For more details about cert-manager
and certificate rotation, see the
docs. This release also
includes performance improvements to the dashboard, reduced memory usage of
the proxy, various improvements to the Helm chart, and much much more.
To install this release, run: curl https://run.linkerd.io/install | sh
Upgrade notes: This release includes breaking changes to our Helm charts. Please see the upgrade instructions.
Special thanks to: @alenkacz, @bmcstdio, @daxmc99, @droidnoob, @ereslibre, @javaducky, @joakimr-axis, @JohannesEH, @KIVagant, @mayankshah1607, @Pothulapati, and @StupidScience!
Full release notes:
tap APIService check to aid with uncovering Kubernetes API
aggregation layer issues (thanks @droidnoob!)
linkerd check --pre --linkerd-cni-enabled before
installation and linkerd check after installation if the CNI plugin is
present
--as-group flag so that users can impersonate
groups for Kubernetes operations (thanks @mayankshah1607!)
linkerd check to ensure that the
kube-system namespace has the
config.linkerd.io/admission-webhooks:disabled label set
--skip-inbound-ports and --skip-outbound-ports (thanks to @javaducky!)
linkerd check --precheck and upgrade commands
--identity-issuer-certificate-file,
--identity-issuer-key-file and identity-trust-anchors-file to linkerd upgrade to support trust anchor and issuer certificate rotation
--namespace and --all-namespaces
results in an error as they are mutually exclusive
Dashboard.Replicas parameter to the Linkerd Helm chart to allow
configuring the number of dashboard replicas (thanks @KIVagant!)
uninject command to work with namespace resources (thanks
@mayankshah1607!)
--identity-external-issuer flag to linkerd install that
configures Linkerd to use certificates issued by an external certificate
issuer (such as cert-manager)
linkerd inject (thanks
@mayankshah1607!)
linkerd check --preinstall ensuring Kubernetes Secrets
can be created and accessed
linkerd tap sometimes displaying incorrect pod names for unmeshed
IPs that match multiple running pods
linkerd install --ignore-cluster and --skip-checks faster
linkerd upgrade to fail when used with
--from-manifest
--cluster-domain an install-only flag (thanks @bmcstdio!)
check to ensure that proxy trust anchors match configuration
(thanks @ereslibre!)
linkerd stat command that requires a window size
of at least 15 seconds to work properly with Prometheus
linkerd-web service
--wait-before-exit-seconds flag to linkerd inject for the
proxy sidecar to delay the start of its shutdown process (a huge commit
from @KIVagant, thanks!)
conntrack to the debug container to help with connection
tracking debugging
tap where mismatch cluster domain and trust domain caused
tap to hang
identity RBAC resource which caused start up
errors in k8s 1.6 (thanks @Pothulapati!)
cert-manager) to the linkerd-identity service
noInitContainer parameter to cniEnabled
helm install where the lists of ignored inbound and
outbound ports would not be reflected
linkerd-cni Helm chart not setting proper namespace
annotations and labels
linkerd check to the dashboard in the /controlplane view
tap expanded view in the
dashboard
Host: header validation to the linkerd-web service, to protect
against DNS rebinding attacks
linkerd.io/inject is either enabled or disabled (thanks
@mayankshah1607)
tap, injector and sp-validator to use old
certificates after helm upgrade due to not being restarted
debug container
doc command to auto-generate documentation for the proxy
configuration annotations (thanks @StupidScience!)
--trace-collector and --trace-collector-svc-account flags to
linkerd inject that configures the OpenCensus trace collector used by
proxies in the injected workload (thanks @Pothulapati!)
--control-plane-tracing flag to linkerd install that
enables distributed tracing in the control plane (thanks @Pothulapati!)
This edge release is a release candidate for stable-2.7 and fixes an issue
where the proxy could consume inappropriate amounts of memory.
grpc-status headers when signaling proxy errors
to gRPC clients
This edge release is a release candidate for stable-2.7.
The linkerd check command has been updated to improve the control plane
debugging experience.
tap APIService check to aid with uncovering Kubernetes API
aggregation layer issues (thanks @droidnoob!)
This edge release is a release candidate for stable-2.7.
An update to the Helm charts has caused a breaking change for users who
have installed Linkerd using Helm. In order to make the purpose of the
noInitContainer parameter more explicit, it has been renamed to
cniEnabled.
linkerd check --pre --linkerd-cni-enabled before
installation and linkerd check after installation if the CNI plugin is
present
--as-group flag so that users can impersonate
groups for Kubernetes operations (thanks @mayankshah160!)
noInitContainer parameter to cniEnabled
helm install where the lists of ignored inbound and
outbound ports would not be reflected
linkerd check to ensure that the
kube-system namespace has the
config.linkerd.io/admission-webhooks:disabled label set
linkerd.io/inject is either enabled or disabled (thanks
@mayankshah1607)
This edge release includes experimental improvements to the Linkerd proxy's request buffering and backpressure infrastructure.
Additionally, we've fixed several bugs when installing Linkerd with Helm,
updated the CLI to allow using both port numbers and port ranges with the
--skip-inbound-ports and --skip-outbound-ports flags, and fixed a
dashboard error that can occur if the dashboard is open in a browser while
updating Linkerd.
Note: The linkerd-proxy version included with this release is more
experimental than usual. We'd love your help testing, but be aware that there
might be stability issues.
--skip-inbound-ports and --skip-outbound-ports (thanks to @javaducky!)
linkerd-web service
linkerd-cni Helm chart not setting proper namespace annotations and labels
This edge release adds support for pod IP and service cluster IP lookups,
improves performance of the dashboard, and makes linkerd check --pre perform
more comprehensive checks.
The --wait-before-exit-seconds flag has been added to allow Linkerd users to
opt in to preStop hooks. The details of this change are in
#3798.
Also, the proxy has been updated to v2.82.0 which improves gRPC error
classification and ensures that
resolutions are released when
the associated balancer becomes idle.
Finally, an update to follow best practices in the Helm charts has caused a breaking change. Users who have installed Linkerd using Helm must be certain to read the details of #3822
linkerd check --precheck and upgrade commands
--wait-before-exit-seconds flag to linkerd inject for the proxy sidecar to delay the start of its shutdown process (a huge commit from @KIVagant, thanks!)
--identity-issuer-certificate-file, --identity-issuer-key-file and identity-trust-anchors-file to linkerd upgrade to support trust anchor and issuer certificate rotation
linkerd stat command that requires a window size of at least 15 seconds to work properly with Prometheus
--namespace and --all-namespaces results in an error as they are mutually exclusive
tap, injector and sp-validator to use old certificates after helm upgrade due to not being restarted
Dashboard.Replicas parameter to the Linkerd Helm chart to allow configuring the number of dashboard replicas (thanks @KIVagant!)
linkerd check to the dashboard in the /controlplane view
tap expanded view in the dashboard
uninject command to work with namespace resources (thanks @mayankshah1607!)
conntrack to the debug container to help with connection tracking debugging
tap where mismatch cluster domain and trust domain caused tap to hang
identity RBAC resource which caused start up errors in k8s 1.6 (thanks @Pothulapati!)
debug container
doc command to auto-generate documentation for the proxy configuration annotations (thanks @StupidScience!)
This edge release adds support for integrating Linkerd's PKI with an external
certificate issuer such as cert-manager, adds distributed tracing support
to the Linkerd control plane, and adds protection against DNS rebinding
attacks to the web dashboard. In addition, it includes several improvements to
the Linkerd CLI.
--identity-external-issuer flag to linkerd install that configures Linkerd to use certificates issued by an external certificate issuer (such as cert-manager)
linkerd inject (thanks @mayankshah1607!)
linkerd check --preinstall ensuring Kubernetes Secrets can be created and accessed
linkerd tap sometimes displaying incorrect pod names for unmeshed IPs that match multiple running pods
cert-manager) to the linkerd-identity service
Host: header validation to the linkerd-web service, to protect against DNS rebinding attacks
--trace-collector and --trace-collector-svc-account flags to linkerd inject that configures the OpenCensus trace collector used by proxies in the injected workload (thanks @Pothulapati!)
--control-plane-tracing flag to linkerd install that enables distributed tracing in the control plane (thanks @Pothulapati!)
Also, thanks to @joakimr-axis for several fixes and improvements to internal build scripts!
This edge release adds dashboard UX enhancements, and improves the speed of the CLI.
linkerd install --ignore-cluster and --skip-checks faster
linkerd upgrade to fail when used with --from-manifest
This edge release adds support for headless services, improves the upgrade
process after installing Linkerd with a custom cluster domain, and enhances
the check functionality to report invalid trust anchors.
--cluster-domain an install-only flag (thanks @bmcstdio!)
check to ensure that proxy trust anchors match configuration (thanks @ereslibre!)
This release introduces distributed tracing support, adds request and response
headers to linkerd tap, dramatically improves the performance of the
dashboard on large clusters, adds traffic split visualizations to the
dashboard, adds a public Helm repo, and many more improvements!
For more details, see the announcement blog post: https://linkerd.io/2019/10/10/announcing-linkerd-2.6/
To install this release, run: curl https://run.linkerd.io/install | sh
Upgrade notes: Please see the upgrade instructions.
Special thanks to: @alenkacz, @arminbuerkle, @bmcstdio, @bourquep, @brianstorti, @kevtaylor, @KIVagant, @pierDipi, and @Pothulapati!
Full release notes:
json output option to the linkerd tap command, which exposes request and response headers
--address flag to linkerd dashboard, allowing users to specify a port-forwarding address (thanks @bmcstdio!)
--cluster-domain flag to the linkerd install command that allows setting a custom cluster domain (thanks @arminbuerkle!)
--disable-heartbeat flag for linkerd install | upgrade commands
cadvisor metrics, substantially reducing the number of time-series stored in most clusters
config.linkerd.io/trace-collector and config.alpha.linkerd.io/trace-collector-service-account pod spec annotations to support per-pod tracing
config.linkerd.io/admission-webhooks: disabled label (thanks @hasheddan!)
Linkerd Namespace Grafana dashboard, allowing users to view historical data for a given namespace, similar to CLI output for linkerd stat deploy -n myNs (thanks @bourquep!)
1.12.9 for controller builds to include security fixes
1.16
v12.0.0
This edge release is a release candidate for stable-2.6.
stable-2.6.
This edge release is a release candidate for stable-2.6.
linkerd edges and linkerd endpoints
This edge release is a release candidate for stable-2.6.
linkerd tap
This edge release introduces experimental support for distributed tracing as well as a redesigned sidebar in the Web UI!
Experimental support for distributed tracing means that Linkerd data plane
proxies can now emit trace spans, allowing you to see the exact amount of time
spent in the Linkerd proxy for traced requests. The new
config.linkerd.io/trace-collector and
config.alpha.linkerd.io/trace-collector-service-account tracing annotations
allow specifying which pods should emit trace spans.
The goal of the dashboard's sidebar redesign was to reduce load on Prometheus and simplify navigation by providing top-level views centered around namespaces and workloads.
--cluster-domain flag to the linkerd install command that allows setting a custom cluster domain (thanks @arminbuerkle!)
linkerd endpoints command to use the correct Destination API address (thanks @Pothulapati!)
--disable-heartbeat flag for linkerd install|upgrade commands
config.linkerd.io/admission-webhooks: disabled label on namespaces so that the pods creation events in these namespaces are ignored by the proxy injector; this fixes situations in HA deployments where the proxy-injector is installed in kube-system (thanks @hasheddan!)
config.linkerd.io/trace-collector and config.alpha.linkerd.io/trace-collector-service-account pod spec annotations to support per-pod tracing
json output option to the linkerd tap command
cadvisor metrics, substantially reducing the number of time-series stored in most clusters
Much of our effort has been focused on improving our build and test infrastructure, but this edge release lays the groundwork for some big new features to land in the coming releases!
helm repo add linkerd-edge https://helm.linkerd.io/edge && helm install linkerd-edge/linkerd2
This edge release adds traffic splits into the Linkerd dashboard as well as a variety of other improvements.
--address flag to linkerd dashboard (thanks @bmcstdio!)
LINKERD2_PROXY_DESTINATION_SVC_ADDR environment variable when starting up
A new Grafana dashboard has been added which shows historical data for a
selected namespace. The build process for controller components now requires
Go 1.12.9. Additional contributions were made towards support for custom
cluster domains.
Linkerd Namespace Grafana dashboard, allowing users to view historical data for a given namespace, similar to CLI output for linkerd stat deploy -n myNs (thanks @bourquep!)
1.12.9 for controller builds to include security fixes
LINKERD2_PROXY_DESTINATION_GET_SUFFIXES proxy environment variable, in preparation for custom cluster domain support (thanks @arminbuerkle!)
This release adds Helm support, tap authentication and authorization via RBAC, traffic split stats, dynamic logging levels, a new cluster monitoring dashboard, and countless performance enhancements and bug fixes.
For more details, see the announcement blog post: https://linkerd.io/2019/08/20/announcing-linkerd-2.5/
To install this release, run: curl https://run.linkerd.io/install | sh
Upgrade notes: Use the linkerd upgrade command to upgrade the control
plane. This command ensures that all existing control plane's configuration
and mTLS secrets are retained. For more details, please see the upgrade
instructions.
Special thanks to: @alenkacz, @codeman9, @ethan-daocloud, @jonathanbeber, and @Pothulapati!
Full release notes:
linkerd tap, linkerd top and linkerd profile --tap to require tap.linkerd.io RBAC privileges. See https://linkerd.io/tap-rbac for more info
linkerd stat trafficsplits subcommand
linkerd routes command traffic split aware
linkerd --as flag which allows users to impersonate another user for Kubernetes operations
--all-namespaces (-A) option to the linkerd get, linkerd edges and linkerd stat commands to retrieve resources across all namespaces
linkerd check command to include the control plane pods' live status
linkerd upgrade config command that was causing it to crash
--use-wait-flag to the linkerd install-cni command, to configure the CNI plugin to use the -w flag for iptables commands
--restrict-dashboard-privileges flag to linkerd install command, to disallow tap in the dashboard
linkerd uninject not removing linkerd.io/inject: enabled annotations
linkerd stat -h example commands (thanks @ethan-daocloud!)
linkerd stat when resources share the same label selector for pods (thanks @jonathanbeber!)
linkerd stat command (thanks @jonathanbeber!)
linkerd edges command output and a new -o wide flag that shows the identity of the client and server if known
linkerd check command to validate the user has privileges necessary to create CronJobs
linkerd check --pre command validating that if PSP is enabled, the NET_RAW capability is available
l5d-require-id header is now set on tap requests so that a connection is established over TLS
kube-system namespace to provide access to tap
TargetRef
InvalidArgument for external name services so that the proxy does not immediately fail the request
root in the CNI mode (thanks @codeman9!)
/proxy-log-level endpoint to update the log level at runtime
request_handle_us histogram to measure proxy overhead
linkerd-web service account is not authorized to tap resources, users will see a link to documentation to remedy the error
This edge release is a release candidate for stable-2.5.
This edge release is a release candidate for stable-2.5.
--use-wait-flag to the linkerd install-cni command, to configure the CNI plugin to use the -w flag for iptables commands
This edge release introduces a new linkerd stat trafficsplits subcommand, to
show traffic split metrics. It also introduces a "Kubernetes cluster
monitoring" Grafana dashboard.
linkerd stat trafficsplits subcommand
linkerd uninject not removing linkerd.io/inject: enabled annotations
linkerd stat -h example commands (thanks @ethan-daocloud!)
request_handle_us histogram to measure proxy overhead
linkerd install and linkerd upgrade to use Helm charts for templating
v2.14.3
linkerd-heartbeat requests
This edge release introduces the new Linkerd control plane Helm chart, named
linkerd2. Helm users can now install and remove the Linkerd control plane by
using the helm install and helm delete commands. Proxy injection also now
uses Helm charts.
No changes were made to the existing linkerd install behavior.
For detailed installation steps using Helm, see the notes for #3146.
linkerd top and linkerd profile --tap to require tap.linkerd.io RBAC privileges, see https://linkerd.io/tap-rbac for more info
tap.linkerd.io APIService to enable usage in kubectl auth can-i commands
--restrict-dashboard-privileges flag to linkerd install command, to restrict the dashboard's default privileges to disallow tap
linkerd-linkerd-tap-admin, which gives cluster-wide tap privileges. Also introduced a new ClusterRoleBinding, linkerd-linkerd-web-admin, which binds the linkerd-web service account to the new tap ClusterRole
linkerd-heartbeat jobs from pod listing in the linkerd control plane to streamline get po output (thanks @Pothulapati!)
linkerd-web service account is not authorized to tap resources, users will see a link to documentation to remedy the error
This edge release introduces a new tap APIService. The Kubernetes apiserver
authenticates the requesting tap user and then forwards tap requests to the
new tap APIServer. The linkerd tap command now makes requests against the
APIService.
With this release, users must be authorized via RBAC to use the linkerd tap
command. Specifically linkerd tap requires the watch verb on all resources
in the tap.linkerd.io/v1alpha1 APIGroup. More granular access is also
available via sub-resources such as deployments/tap and pods/tap.
linkerd check command to validate the user has privileges necessary to create CronJobs
linkerd --as flag which allows users to impersonate another user for Kubernetes operations
linkerd tap command now makes requests against the tap APIService
TargetRef
InvalidArgument for external name services so that the proxy does not immediately fail the request
l5d-require-id header is now set on tap requests so that a connection is established over TLS
APIService/v1alpha1.tap.linkerd.io global resource
ClusterRoleBinding/linkerd-linkerd-tap-auth-delegator global resource
Secret/linkerd-tap-tls resource into the linkerd namespace
RoleBinding/linkerd-linkerd-tap-auth-reader resource into the kube-system namespace
LINKERD2_PROXY_TAP_SVC_NAME environment variable so that the tap server attempts to authorize client identities
dep with Go modules for dependency management
linkerd check command to include the control plane pods' live status
--all-namespaces (-A) option to the linkerd get, linkerd edges and linkerd stat commands to retrieve resources across all namespaces
root in the CNI mode (thanks @codeman9!)
l5d-require-id header to enforce TLS outbound communication from the Tap server
linkerd routes command traffic-split aware
linkerd upgrade config command that was causing it to crash
linkerd stat command (thanks @jonathanbeber!)
linkerd stat when resources share the same label selector for pods (thanks @jonathanbeber!)
linkerd edges command output and a new -o wide flag that shows the identity of the client and server if known
linkerd check --pre command validating that if PSP is enabled, the NET_RAW capability is available
/proxy-log-level endpoint to update the log level at runtime
This release adds traffic splitting functionality, support for the Kubernetes Service Mesh Interface (SMI), graduates high-availability support out of experimental status, and adds a tremendous list of other improvements, performance enhancements, and bug fixes.
Linkerd's new traffic splitting feature allows users to dynamically control the percentage of traffic destined for a service. This powerful feature can be used to implement rollout strategies like canary releases and blue-green deploys. Support for the Service Mesh Interface (SMI) makes it easier for ecosystem tools to work across all service mesh implementations.
Along with the introduction of optional install stages via the linkerd install config and linkerd install control-plane commands, the default
behavior of the linkerd inject command only adds annotations and defers
injection to the always-installed proxy injector component.
Finally, there have been many performance and usability improvements to the proxy and UI, as well as production-ready features including:
linkerd edges command that provides fine-grained observability into the TLS-based identity system
--enable-debug-sidecar flag for the linkerd inject command that improves debugging efforts
Linkerd recently passed a CNCF-sponsored security audit! Check out the in-depth report here.
To install this release, run: curl https://run.linkerd.io/install | sh
Upgrade notes: Use the linkerd upgrade command to upgrade the control
plane. This command ensures that all existing control plane's configuration
and mTLS secrets are retained. For more details, please see the upgrade
instructions.
Special thanks to: @alenkacz, @codeman9, @dwj300, @jackprice, @liquidslr, @matej-g, @Pothulapati, @zaharidichev
Full release notes:
--proxy-auto-inject flag, as the proxy injector is now always installed
--linkerd-version flag with the --proxy-version flag in the linkerd install and linkerd upgrade commands, which allows setting the version for the injected proxy sidecar image, without changing the image versions for the control plane
linkerd install config and linkerd install control-plane
linkerd upgrade config and linkerd upgrade control-plane
--from-manifests flag to linkerd upgrade allowing manually feeding a previously saved output of linkerd install into the command, instead of requiring a connection to the cluster to fetch the config
--manual flag to linkerd inject to output the proxy sidecar container spec
--enable-debug-sidecar flag to linkerd inject, that injects a debug sidecar to inspect traffic to and from the meshed pod
linkerd check when running without a TTY
linkerd check config command for verifying that linkerd install config was successful
linkerd install to clarify flag usage
linkerd check and linkerd dashboard failing when any control plane pod is not ready, even when multiple replicas exist (as in HA mode)
linkerd edges command that shows the source and destination name and identity for proxied connections, to assist in debugging
--disable-tap flag, or by using the config.linkerd.io/disable-tap annotation
linkerd edges command so that output is scripting friendly and can be parsed easily (thanks @alenkacz!)
--ha, running linkerd upgrade without --ha will disable the high availability control plane
linkerd upgrade where running without --ha would unintentionally disable high availability features if they were previously enabled
--init-image-version flag to linkerd inject to override the injected proxy-init container version
--linkerd-cni-enabled flag to the install subcommands so that NET_ADMIN capability is omitted from the CNI-enabled control plane's PSP
linkerd check to validate the caller can create PodSecurityPolicy resources
linkerd install to prevent installing multiple control planes into different namespaces avoid conflicts between global resources
linkerd inject (thanks @Pothulapati!)
linkerd check output for control plane ReplicaSet readiness
linkerd endpoints to use the same interface as used by the proxy for service discovery information
linkerd inject would fail when given a path to a file outside the current directory
linkerd install to provide instructions for proceeding when an existing installation is found
config.linkerd.io/disable-identity annotation to
opt out of identity for a specific pod
ResourceQuota exists by adding a default resource spec for the proxy-init init container
ErrGroupDiscoveryFailed
config.linkerd.io/enable-debug-sidecar annotation allowing the --enable-debug-sidecar flag to work when auto-injecting Linkerd proxies
proxy-injector and sp-validator controllers when run in high availability mode (thanks to @Pothulapati!)
Fail in order to account for unexpected errors during auto-inject; this ensures uninjected applications are not deployed
UPDATE operation from proxy-injector webhook because pod mutations are disallowed during update operations
sideEffects property to None to indicate that the webhooks have no side effects on other resources (thanks @Pothulapati!)
linkerd.io/control-plane-ns label to all Linkerd resources allowing them to be identified using a label selector
l5d-override-dst header is now used for inbound service profile discovery
response_total metrics
NET_RAW capability to the proxy-init container to be compatible with PodSecurityPolicys that use drop: all
:authority
linkerd upgrade in order to test upgrading from the latest stable release instead of the latest edge and reflect the typical use case
linkerd/proxy-init Git repository
linkerd install to provide instructions for proceeding when an existing installation is found
linkerd endpoints to use the same interface as used by the proxy for service discovery information
linkerd inject would fail when given a path to a file outside the current directory
linkerd check output for control plane ReplicaSet readiness
config.linkerd.io/debug annotation to config.linkerd.io/enable-debug-sidecar, to match the --enable-debug-sidecar CLI flag that sets it
linkerd edges that caused incorrect identities to be displayed when requests were sent from two or more namespaces
linkerd.io/control-plane-ns label to the SMI Traffic Split CRD
This release adds support for the SMI Traffic Split API. Creating a TrafficSplit resource will cause Linkerd to split traffic between the specified backend services. Please see the spec for more details.
install to prevent installing multiple control planes into different namespaces
linkerd inject (thanks @Pothulapati!)
--all-namespaces flag to linkerd edges
linkerd check to validate the caller can create PodSecurityPolicy resources
sideEffects property to None to indicate that the webhooks have no side effects on other resources (thanks @Pothulapati!)
NET_RAW capability to the proxy-init container to be compatible with PodSecurityPolicys that use drop: all
:authority
--linkerd-cni-enabled flag to the install subcommands so that NET_ADMIN capability is omitted from the CNI-enabled control plane's PSP
Fail in order to account for unexpected errors during auto-inject; this ensures uninjected applications are not deployed
UPDATE operation from proxy-injector webhook because pod mutations are disallowed during update operations
l5d-override-dst header is now used for inbound service profile discovery
response_total metrics
--ha, running linkerd upgrade without --ha will disable the high availability control plane
--init-image-version flag to linkerd inject to override the injected proxy-init container version
proxy-injector and sp-validator controllers when run in high availability mode (thanks to @Pothulapati!)
linkerd/proxy-init Git repository
This stable release fixes a memory leak in the proxy.
To install this release, run: curl https://run.linkerd.io/install | sh
Full release notes:
linkerd edges command so that output is scripting friendly and can be parsed easily (thanks @alenkacz!)
--enable-debug-sidecar flag to work when auto-injecting Linkerd proxies
linkerd upgrade to test upgrading from the latest stable release instead of the latest edge, to reflect the typical use case
This stable release adds a number of proxy stability improvements.
To install this release, run: curl https://run.linkerd.io/install | sh
Special thanks to: @zaharidichev and @11Takanori!
Full release notes:
linkerd edges command that shows the source and destination name and identity for proxied connections, to assist in debugging
--disable-tap flag, or by using the config.linkerd.io/disable-tap annotation
linkerd check and linkerd dashboard failing when any control plane pod is not ready, even when multiple replicas exist (as in HA mode)
ErrGroupDiscoveryFailed
Special thanks to @zaharidichev for adding end to end tests for proxies with TLS!
linkerd check config command for verifying that linkerd install config was successful
linkerd install to clarify flag usage
ResourceQuota exists by adding a default resource spec for the proxy-init init container
As of this edge release the proxy injector component is always installed. To
have the proxy injector inject a pod you still can manually add the
linkerd.io/inject: enable annotation into the pod spec, or at the namespace
level to have all your pods be injected by default. With this release the
behaviour of the linkerd inject command changes, where the proxy sidecar
container YAML is no longer included in its output by default, but instead it
will just add the annotations to defer the injection to the proxy injector.
For use cases that require the full injected YAML to be output, a new
--manual flag has been added.
Another important update is the introduction of install stages. You still have
the old linkerd install command, but now it can be broken into linkerd install config which installs the resources that require cluster-level
privileges, and linkerd install control-plane that continues with the
resources that only require namespace-level privileges. This also applies to
the linkerd upgrade command.
CLI
--proxy-auto-inject flag, as the proxy injector is now always installed
--linkerd-version flag with the --proxy-version flag in the linkerd install and linkerd upgrade commands, which allows setting the version for the injected proxy sidecar image, without changing the image versions for the control plane
linkerd install config and linkerd install control-plane
linkerd upgrade config and linkerd upgrade control-plane
--from-manifests flag to linkerd upgrade allowing manually feeding a previously saved output of linkerd install into the command, instead of requiring a connection to the cluster to fetch the config
--manual flag to linkerd inject to output the proxy sidecar container spec
--enable-debug-sidecar option to linkerd inject, that injects a debug sidecar to inspect traffic to and from the meshed pod
linkerd check when running without a TTY
Controller
config.linkerd.io/disable-identity annotation to opt out of identity for a specific pod
Web UI
Internal
This stable release introduces a new TLS-based service identity system into
the default Linkerd installation, replacing --tls=optional and the
linkerd-ca controller. Now, proxies generate ephemeral private keys into a
tmpfs directory and dynamically refresh certificates, authenticated by
Kubernetes ServiceAccount tokens, and tied to ServiceAccounts as the identity
primitive.
In this release, all meshed HTTP communication is private and authenticated by default.
Among the many improvements to the web dashboard, we've added a Community page to surface news and updates from linkerd.io.
For more details, see the announcement blog post: https://linkerd.io/2019/04/16/announcing-linkerd-2.3/
To install this release, run: curl https://run.linkerd.io/install | sh
Upgrade notes: The linkerd-ca controller has been removed in favor of
the linkerd-identity controller. If you had previously installed Linkerd
with --tls=optional, manually delete the linkerd-ca deployment after
upgrading. Also, --single-namespace mode is no longer supported. For full
details on upgrading to this release, please see the upgrade
instructions.
Special thanks to: @codeman9, @harsh-98, @huynq0911, @KatherineMelnyk, @liquidslr, @paranoidaditya, @Pothulapati, @TwinProduction, and @yb172!
Full release notes:
upgrade command! This allows an existing Linkerd control plane to be reinstalled or reconfigured; it is particularly useful for automatically reusing flags set in the previous install or upgrade
linkerd metrics command for fetching proxy metrics
--linkerd-cni-enabled flag has been removed from the inject command; CNI is configured at the cluster level with the install command and no longer applies to the inject command
--disable-external-profiles flag from the install command; external profiles are now disabled by default and can be enabled with the new --enable-external-profiles flag
--api-port flag from the inject and install commands, since there's no benefit to running the control plane's destination API on a non-default port (thanks, @paranoidaditya)
--tls=optional flag from the linkerd install command, since TLS is now enabled by default
install to accept or generate an issuer Secret for the Identity controller
install to fail in the case of a conflict with an existing installation; this can be disabled with the --ignore-cluster flag
--controller-log-level
--proxy-cpu-limit and --proxy-memory-limit for setting the proxy resources limits (--proxy-cpu and --proxy-memory were deprecated in favor of proxy-cpu-request and proxy-memory-request) (thanks @TwinProduction!)
--proxy-log-level flag
inject and uninject subcommands to issue warnings when resources lack a Kind property (thanks @Pothulapati!)
inject command proxy options are now converted into config annotations; the annotations ensure that these configs are persisted in subsequent resource updates
inject to require fetching a configuration from the control plane; this can be disabled with the --ignore-cluster and --disable-identity flags, though this will prevent the injected pods from participating in mesh identity
linkerd check (thanks @yb172!)
linkerd check to ensure hint URLs are displayed for RPC checks
linkerd check
linkerd check
linkerd dashboard command to serve the dashboard on a fixed
port, allowing it to leverage browser local storage for user settings
linkerd routes command to display rows for routes that are not receiving any traffic
-o wide and -o json flags
stat command now always shows the number of open TCP connections
stat command; this is in preparation for surfacing identity metrics in a clearer way
install-cni command and its flags, and tweaked their descriptions
config.linkerd.io/proxy-version annotation on pod specs; this will override the injected proxy version
10m to 100m for HA deployments; this will help some intermittent liveness/readiness probes from failing due to tight resource constraints
tcp_open_connections, tcp_read_bytes_total, tcp_write_bytes_total
linkerd-controller pod to use an excessive amount of memory
:4191/ready so that Kubernetes doesn't consider pods ready until they have acquired a certificate from the Identity controller
l5d-* informational headers have been temporarily removed from requests and responses because they could leak information to external clients
l5d-remote-ip header is now set on inbound requests and outbound responses
bin/go-run script for the build process so that on failure, all associated background processes are terminated
unparam, unconvert, goimports, goconst, scopelint, unused, gosimple
-update and -pretty-diff to tests to allow overwriting fixtures and to print the full text of the fixtures upon mismatches
.golangci.yml to centralize the config
-cover parameter to track code coverage in go tests (more info in TEST.md)
inject to allow the --disable-identity flag to be used without having to specify the --ignore-cluster flag
linkerd upgrade command not upgrading proxy containers (thanks @jon-walton for the issue report!)
linkerd upgrade command not installing the identity service when it was not already installed
Special thanks to @KatherineMelnyk for updating the web component to read the
UUID from the linkerd-config ConfigMap!
stat command; this is in preparation for surfacing identity metrics in a clearer way
upgrade command now outputs a URL that explains next steps for upgrading
--linkerd-cni-enabled flag has been removed from the inject command; CNI is configured at the cluster level with the install command and no longer applies to the inject command
config.linkerd.io/proxy-version annotation on pod specs; this will override the injected proxy version
10m to 100m for HA deployments; this will help some intermittent liveness/readiness probes from failing due to tight resource constraints
CommonName field on CSRs is now set to the proxy's identity name
upgrade command! This allows an existing Linkerd control plane to be reinstalled or reconfigured; it is particularly useful for automatically reusing flags set in the previous install or upgrade
inject command proxy options are now converted into config annotations; the annotations ensure that these configs are persisted in subsequent resource updates
stat command now always shows the number of open TCP connections
--disable-external-profiles flag from the install command; external profiles are now disabled by default and can be enabled with the new --enable-external-profiles flag
l5d-* informational headers have been temporarily removed from requests and responses because they could leak information to external clients
This edge release introduces a new TLS Identity system into the default
Linkerd installation, replacing --tls=optional and the linkerd-ca
controller. Now, proxies generate ephemeral private keys into a tmpfs
directory and dynamically refresh certificates, authenticated by Kubernetes
ServiceAccount tokens, via the newly-introduced Identity controller.
Now, all meshed HTTP communication is private and authenticated by default.
install to accept or generate an issuer Secret for the Identity controller
install to fail in the case of a conflict with an existing installation; this can be disabled with the --ignore-cluster flag
inject to require fetching a configuration from the control plane; this can be disabled with the --ignore-cluster and --disable-identity flags, though this will prevent the injected pods from participating in mesh identity
--tls=optional flag from the linkerd install command, since TLS is now enabled by default
linkerd-controller pod to use an excessive amount of memory
:4191/ready so that Kubernetes doesn't consider pods ready until they have acquired a certificate from the Identity controller
bin/go-run script for the build process so that on failure, all associated background processes are terminated
Special thanks to @liquidslr for many useful UI and log changes, and to @mmalone and @sourishkrout at @smallstep for collaboration and advice on the Identity system!
--api-port flag from the inject and install commands, since there's no benefit to running the control plane's destination API on a non-default port (thanks, @paranoidaditya)
linkerd metrics command for fetching proxy metrics
linkerd routes command to display rows for routes that are not receiving any traffic
linkerd dashboard command to serve the dashboard on a fixed port, allowing it to leverage browser local storage for user settings
linkerd check
linkerd check (thanks @yb172!)
-o wide and -o json flags
mutatingwebhookconfiguration so that it is recreated when the proxy injector is restarted, so that the MWC always picks up the latest config template during version upgrade
l5d-remote-ip header is now set on inbound requests and outbound responses
linkerd check to ensure hint URLs are displayed for RPC checks
tcp_open_connections, tcp_read_bytes_total, tcp_write_bytes_total
unparam, unconvert, goimports, goconst, scopelint, unused, gosimple
This stable release polishes some of the CLI help text and fixes two issues that came up since the stable-2.2.0 release.
To install this release, run: curl https://run.linkerd.io/install | sh
Full release notes:
--proxy-auto-inject flag to indicate that it is no longer experimental
profile help text to match the other commands
endpoints command
--proxy-cpu-limit and --proxy-memory-limit for setting the proxy resources limits (--proxy-cpu and --proxy-memory were deprecated in favor of proxy-cpu-request and proxy-memory-request) (thanks @TwinProduction!)
inject and uninject subcommands to issue warnings when resources lack a Kind property (thanks @Pothulapati!)
install-cni command and its flags, and tweaked their descriptions
--proxy-auto-inject flag to indicate that it is no longer experimental
profile help text to match the other commands
endpoints command (also @Pothulapati!)
--proxy-log-level flag
linkerd check
-update and -pretty-diff to tests to allow overwriting fixtures and to print the full text of the fixtures upon mismatches
.golangci.yml to centralize the config
-cover parameter to track code coverage in go tests (more info in TEST.md)
--single-namespace
This stable release introduces automatic request retries and timeouts, and graduates auto-inject to be a fully-supported (non-experimental) feature. It adds several new CLI commands, including logs and endpoints, that provide diagnostic visibility into Linkerd's control plane. Finally, it introduces two exciting experimental features: a cryptographically-secured client identity header, and a CNI plugin that avoids the need for NET_ADMIN kernel capabilities at deploy time.
For more details, see the announcement blog post: https://blog.linkerd.io/2019/02/12/announcing-linkerd-2-2/
To install this release, run: curl https://run.linkerd.io/install | sh
Upgrade notes: The default behavior for proxy auto injection and service profile ownership has changed as part of this release. Please see the upgrade instructions for more details.
Special thanks to: @alenkacz, @codeman9, @jonrichards, @radu-matei, @yeya24, and @zknill
Full release notes:
linkerd check in order to validate service profiles in all namespaces
linkerd endpoints command to introspect Linkerd's service discovery state
--tap flag to linkerd profile to generate service profiles using the route results seen during the tap
linkerd.io/inject: disabled annotation on pod specs to disable injection for specific pods when running linkerd inject
basePath in OpenAPI 2.0 files when running linkerd profile --open-api
linkerd check client timeout from 5 seconds to 30 seconds to fix issues for clusters with slow API servers
linkerd routes to no longer return rows for ExternalName services in the namespace
--proto flag to linkerd profile to output a service profile based on a Protobuf spec file
linkerd install so that setting up proxy auto-injection (flag --proxy-auto-inject) no longer requires enabling TLS (flag --tls)
linkerd check failure, pointing to a relevant section in our new FAQ page with resolution steps for each case
linkerd install-sp command to generate service profiles for the control plane, providing per-route metrics for control plane components
--proxy-bind-timeout flag from linkerd install and linkerd inject, as the proxy no longer accepts this environment variable
linkerd check output, fixed bug with --single-namespace
linkerd routes is called in single-namespace mode
linkerd logs command to surface logs from any container in the Linkerd control plane
linkerd uninject command to remove the Linkerd proxy from a Kubernetes config
linkerd inject to re-inject a resource that already has a Linkerd proxy
linkerd routes to list all routes, including those without traffic
linkerd check and linkerd inject outputs
linkerd inject command is run on List type resources with multiple items
linkerd dashboard command to use port-forwarding instead of proxying when connecting to the web UI and Grafana
ServiceProfile CRD
linkerd check command to disallow setting both the --pre and --proxy flags simultaneously
--routes flag to the linkerd top command, for grouping table rows by route instead of by path
*_rules.yml files
linkerd routes command output
linkerd install output to use non-default service accounts, emptyDir volume mounts, and non-root users
--ha installs
linkerd.io/inject annotation on the pod or namespace
linkerd.io/created-by annotation to the linkerd-cni DaemonSet
debug
ListPods
GetProfiles API call not returning immediately when no profile exists (resulting in proxies logging warnings)
linkerd dashboard to maintain proxy connection when browser open fails
Get and GetProfiles APIs to accept a proxy_id parameter in order to return more tailored results
l5d-override-dst header
LINKERD2_PROXY_DNS_CANONICALIZE_TIMEOUT environment variable to
customize the timeout for DNS queries to canonicalize a name
linkerd check in order to validate service profiles in all namespaces
linkerd.io/inject annotation on the pod or namespace. More info: https://linkerd.io/2/proxy-injection/
ServiceProfiles are now defined in client and server namespaces, rather than the control plane namespace. ServiceProfiles defined in the client namespace take priority over ones defined in the server namespace
linkerd.io/created-by annotation to the linkerd-cni DaemonSet (thanks @codeman9!)
Debug
linkerd endpoints command to introspect Linkerd's service discovery state
--tap flag to linkerd profile to generate a ServiceProfile by using the route results seen during the tap
linkerd.io/inject: disabled annotation on pod specs to disable injection for specific pods when running linkerd inject
basePath in OpenAPI 2.0 files when running linkerd profile --open-api
linkerd check client timeout from 5 seconds to 30 seconds to fix issues for clusters with a slower API server
linkerd routes will no longer return rows for ExternalName services in the namespace
ServiceProfile field validation in linkerd check
Get and GetProfiles API now accept a proxy_id parameter in order to return more tailored results
ListPods (thanks @alenkacz!)
--proto flag to linkerd profile to output a service profile based on a Protobuf spec file
linkerd install so that setting up proxy auto-injection (flag --proxy-auto-inject) no longer requires enabling TLS (flag --tls)
linkerd check failure, pointing to a relevant section in our new FAQ page with resolution steps for each case
ListPods (thanks @alenkacz!)
GetProfiles API call not returning immediately when no profile exists (resulting in proxies logging warnings)
linkerd install-sp command to generate service profiles for the control plane, providing per-route metrics for control plane components
--proxy-bind-timeout flag from linkerd install and linkerd inject commands, as the proxy no longer accepts this environment variable
linkerd check output, fixed check bug when using --single-namespace (thanks to @djeeg for the bug report!)
linkerd stat now supports DaemonSets (thanks @zknill!)
linkerd routes is called in single-namespace mode
l5d-override-dst header
LINKERD2_PROXY_DNS_CANONICALIZE_TIMEOUT environment variable to customize the timeout for DNS queries to canonicalize a name
isRetryable property to service profiles to enable configuring retries on a per-route basis
linkerd dashboard to maintain proxy connection when browser open fails
linkerd logs command to surface logs from any container in the Linkerd control plane (shout out to Stern!)
linkerd uninject command to remove the Linkerd proxy from a Kubernetes config
linkerd inject to re-inject a resource that already has a Linkerd proxy
linkerd routes to list all routes, including those without traffic
linkerd check and linkerd inject outputs
linkerd inject command is run on List type resources with multiple items
linkerd dashboard command to use port-forwarding instead of proxying when connecting to the web UI and Grafana
ServiceProfile CRD (thanks, @alenkacz!)
linkerd check command to disallow setting both the --pre and --proxy flags simultaneously (thanks again, @alenkacz!)
Upgrade notes: The control plane components have been renamed as of the edge-18.12.1 release to reduce possible naming collisions. To upgrade an older installation, see the Upgrade Guide.
--routes flag to the linkerd top command, for grouping table rows by route instead of by path
*_rules.yml files
linkerd routes command output
Special thanks to @radu-matei for cleaning up a whole slew of Go lint warnings, and to @jonrichards for improving the Rust build setup!
Upgrade notes: The control plane components have been renamed as of the edge-18.12.1 release to reduce possible naming collisions. To upgrade an older installation, see the Upgrade Guide.
linkerd install config (thanks @codeman9!)
emptyDir volume mount for prometheus and grafana pods
--ha installs
This stable release introduces several major improvements, including per-route metrics, service profiles, and a vastly improved dashboard UI. It also adds several significant experimental features, including proxy auto-injection, single namespace installs, and a high-availability mode for the control plane.
For more details, see the announcement blog post: https://blog.linkerd.io/2018/12/06/announcing-linkerd-2-1/
To install this release, run: curl https://run.linkerd.io/install | sh
Upgrade notes: The control plane components have been renamed in this release to reduce possible naming collisions. Please make sure to read the upgrade instructions if you are upgrading from the stable-2.0.0 release.
Special thanks to: @alenkacz, @alpeb, @benjdlambert, @fahrradflucht, @ffd2subroutine, @hypnoglow, @ihcsim, @lucab, and @rochacon
Full release notes:
linkerd routes command displays per-route stats for any resource
linkerd routes --open-api flag generates a service profile based on an OpenAPI specification (swagger) file
linkerd routes command displays per-route stats for services with service profiles
--ha flag to linkerd install command, for HA deployment of the control plane
--from flag is present
--registry install flag not accepting hosts with ports
--output stat flag, for printing stats as JSON
top table to set column widths dynamically
--single-namespace install flag for installing the control plane with Role permissions instead of ClusterRole permissions
--proxy-auto-inject flag to the install command, allowing for auto-injection of sidecar containers
--proxy-cpu and --proxy-memory flags to the install and inject commands, giving the ability to configure CPU + Memory requests
--context flag to specify the context to use to talk to the Kubernetes apiserver
LINKERD_NAMESPACE env var, in addition to the --linkerd-namespace flag
check and dashboard commands is configurable via the --wait flag
top command now aggregates by HTTP method as well
linkerd- to prevent name collisions with existing resources
linkerd install --disable-h2-upgrade flag has been added to control automatic HTTP/2 upgrading
v1.9.11 that would merge, rather than append, the proxy container into the application
tap subsystem has been reimplemented to be more efficient and reliable
control_
classification label on response_total metric
/routes
/routes
Upgrade notes: The control plane components have been renamed as of the edge-18.12.1 release to reduce possible naming collisions. To upgrade an older installation, see the Upgrade Guide.
Upgrade notes: The control plane components have been renamed in this release to reduce possible naming collisions. To upgrade an existing installation:
curl https://run.linkerd.io/install-edge | sh
linkerd install | kubectl apply -f -
kubectl -n linkerd get deploy,cm -oname | grep -v linkerd | xargs kubectl -n linkerd delete
linkerd inject my-app.yml | kubectl apply -f -
kubectl -n linkerd get svc -oname | grep -v linkerd | xargs kubectl -n linkerd delete
For more information, see the Upgrade Guide.
linkerd routes command displays per-route stats for any resource!
linkerd routes --open-api flag generates a service profile based on an OpenAPI specification (swagger) file
/routes
linkerd- to prevent name collisions with existing resources
linkerd install --disable-h2-upgrade flag has been added to control automatic HTTP/2 upgrading
tap subsystem has been reimplemented to be more efficient and reliable
linkerd routes command displays per-route stats for services with service profiles
--ha flag to linkerd install command, for HA deployment of the control plane (thanks @benjdlambert!)
/routes
v1.9.11 that would merge, rather than append, the proxy container into the application
control_
--from flag is present
classification label on response_total metric
This release includes a major redesign of the web frontend to make use of the Material design system. Additional features that leverage the new design are coming soon! This release also includes the following changes:
--registry install flag not accepting hosts with ports (thanks, @alenkacz!)
--output stat flag, for printing stats as JSON
top table to set column widths dynamically
--single-namespace install flag for installing the control plane with Role permissions instead of ClusterRole permissions
This release brings major improvements to the CLI as described below, including support for auto-injecting deployments via a Kubernetes Admission Controller. Proxy auto-injection is experimental, and the implementation may change going forward.
--proxy-auto-inject flag to the install command, allowing for auto-injection of sidecar containers (Thanks @ihcsim!)
--proxy-cpu and --proxy-memory flags to the install and inject commands, giving the ability to configure CPU + Memory requests (Thanks @benjdlambert!)
--context flag to specify the context to use to talk to the Kubernetes apiserver (Thanks @ffd2subroutine!)
Special thanks to @alenkacz for contributing to this release!
LINKERD_NAMESPACE env var, in addition to the --linkerd-namespace flag
check and dashboard commands is configurable via the --wait flag
top command now aggregates by HTTP method as well
Special thanks to @rochacon, @fahrradflucht and @alenkacz for contributing to this release!
check --pre command verifies the caller has sufficient permissions to install Linkerd
check command verifies that Prometheus has data for proxied pods
hyper crate dependency corrects HTTP/1.0 Keep-Alive behavior
linkerd check now validates Linkerd proxy versions and readiness
linkerd inject now provides an injection status report, and warns when resources are not injectable
linkerd top now has a --hide-sources flag, to hide the source column and collapse top results accordingly
tap and top have been improved to sample up to 100 RPS
Special thanks to @sourishkrout for contributing a web readability fix!
linkerd top command has been added, displays live traffic stats
linkerd check has been updated with additional checks, now supports a --pre flag for running pre-install checks
linkerd check and linkerd dashboard now support a --wait flag that tells the CLI to wait for the control plane to become ready
linkerd tap now supports a --output flag to display output in a wide format that includes src and dst resources and namespaces
linkerd stat includes additional validation for command line inputs
/top, aggregates tap data in real time to display live traffic stats
/tap page has multiple improvements, including displaying additional src/dst metadata, improved form controls, and better latency formatting
h2 crate fixed a HTTP/2 window management bug
rustls crate fixed a bug that could improperly fail TLS streams
linkerd inject now supports injecting all resources in a folder
linkerd tap no longer crashes when there are many pods
Special thanks to @ihcsim for contributing the inject improvement!
Linkerd2 v18.7.3 completes the rebranding from Conduit to Linkerd2, and improves overall performance and stability.
/tap page now supports additional filters
Linkerd2 v18.7.2 introduces new stability features as we work toward production readiness.
process_cpu_seconds_total was calculated incorrectly
/tap
Linkerd2 v18.7.1 is the first release of the Linkerd2 project, which was formerly hosted at github.com/runconduit/conduit.
vYY.M.n
gcr.io/linkerd-io repo
linkerd
Conduit v0.5.0 introduces a new, experimental feature that automatically enables Transport Layer Security between Conduit proxies to secure application traffic. It also adds support for HTTP protocol upgrades, so applications that use WebSockets can now benefit from Conduit.
conduit install --tls=optional enables automatic, opportunistic TLS. See the docs for more info.
CONNECT streams.
conduit stat now supports a virtual authority resource that aggregates traffic by the :authority (or Host) header of an HTTP request.
dashboard, stat, and tap have been updated to describe TLS state for traffic.
conduit tap now has more detailed information, including the direction of each message (outbound or inbound).
conduit stat now more-accurately records histograms for low-latency services.
conduit dashboard now includes error messages when a Conduit-enabled pod fails.
conduit tap could crash due to a null-pointer access. This has been fixed.
Conduit v0.4.4 continues to improve production suitability and sets up internals for the upcoming v0.5.0 release.
Special thanks to @alenkacz for improving docker build times!
Conduit v0.4.3 continues progress towards production readiness. It features a new latency-aware load balancer.
conduit stat is now slightly more predictable in the way it outputs things, especially for commands like watch conduit stat all --all-namespaces.
Special thanks to @ihcsim for contributing his first PR to the project and to @roanta for discussing the Peak-EWMA load balancing algorithm with us.
Conduit v0.4.2 is a major step towards production readiness. It features a wide array of fixes and improvements for long-running proxies, and several new telemetry features. It also lays the groundwork for upcoming releases that introduce mutual TLS everywhere.
conduit inject now works with statefulset resources.
conduit stat now supports the all Kubernetes resource, which shows traffic stats for all Kubernetes resources in a namespace.
10s) from environment configuration.
Special thanks to @carllhw, @kichristensen, & @sfroment for contributing to this release!
When upgrading from v0.4.1, we suggest that the control plane be upgraded to v0.4.2 before injecting application pods to use v0.4.2 proxies.
Conduit 0.4.1 builds on the telemetry work from 0.4.0, providing rich, Kubernetes-aware observability and debugging.
conduit dashboard Pod and ReplicationController views.
conduit tap now operates on most Kubernetes resources.
conduit stat and conduit tap now both support kubectl-style resource strings (deploy, deploy/web, and deploy web), specifically:
namespaces
deployments
replicationcontrollers
services
pods
Conduit 0.4.0 overhauls Conduit's telemetry system and improves service discovery reliability.
conduit stat has been completely rewritten to accept arguments like kubectl get. The --to and --from filters can be used to filter traffic by destination and source, respectively. conduit stat currently can operate on Namespace and Deployment Kubernetes resources. More resource types will be added in the next release!
:4191/metrics, including rich destination labeling for outbound HTTP requests. The proxy no longer pushes metrics to the control plane.
SIGINT or SIGTERM, gracefully draining requests until all are complete or SIGQUIT is received.
--skip-outbound-ports to communicate with such services.
Special thanks to @ahume, @alenkacz, & @xiaods for contributing to this release!
When upgrading from v0.3.1, it's important to upgrade proxies before upgrading
the controller. As you upgrade proxies, the controller will lose visibility
into some data plane stats. Once all proxies are updated, conduit install | kubectl apply -f - can be run to upgrade the controller without causing any
data plane disruptions. Once the controller has been restarted, traffic stats
should become available.
Conduit 0.3.1 improves Conduit's resilience and transparency.
Host header fields are no longer sent on the same HTTP/1 connection even when those hostnames resolve to the same IP address.
$KUBECONFIG with multiple paths is now supported. (PR #482 by @hypnoglow).
conduit check now checks for the availability of a Conduit update. (PR #460 by @ahume).
ExternalName are now supported.
Conduit 0.3 focused heavily on production hardening of Conduit's telemetry system. Conduit 0.3 should "just work" for most apps on Kubernetes 1.8 or 1.9 without configuration, and should support Kubernetes clusters with hundreds of services, thousands of instances, and hundreds of RPS per instance.
With this release, Conduit also moves from experimental to alpha, meaning that we're ready for some serious testing and vetting from you. As part of this, we've published the Conduit roadmap, and we've also launched some new mailing lists: conduit-users, conduit-dev, and conduit-announce.
kubectl
conduit dashboard now runs on an ephemeral port, removing port 8001 conflicts
conduit inject now skips pods with hostNetwork=true
--verbose flag for debugging
Known Issues:
This is a big milestone! With this release, Conduit adds support for HTTP/1.x and raw TCP traffic, meaning it should "just work" for most applications that are running on Kubernetes without additional configuration.
tap command
tap also now works with HTTP/1.x traffic
Caveats:
Conduit 0.1.2 continues down the path of increasing usability and improving debugging and introspection of the service mesh itself.
conduit check command reports on the health of your Conduit installation.
conduit completion command provides shell completion.
tap failure when pods do not belong to a deployment. (Thanks @FaKod!)
Conduit 0.1.1 is focused on making it easier to get started with Conduit.
conduit inject command now supports a --skip-outbound-ports flag that directs Conduit to bypass proxying for specific outbound ports, making Conduit easier to use with non-gRPC or HTTP/2 protocols.
conduit tap command output has been reformatted to be line-oriented, making it easier to parse with common UNIX command line utilities.
Conduit 0.1.0 is the first public release of Conduit.
conduit dashboard will not work with
earlier versions of kubectl.