github cloudnativelabs/kube-router v2.10.0

4 hours ago

Summary

v2.10.0 is a feature-and-hardening release focused on tighter network policy defaults, broader IPv6 parity in the
Network Routes Controller, and a refresh of the Kubernetes/Go toolchain. New user-facing functionality:

  • Default-deny pod-to-pod traffic in NPC - new --netpol-default-deny mode that lets the Network Policy
    Controller enforce a default-deny posture for pod<->pod traffic when no policy matches. See the new
    docs section (https://github.com/cloudnativelabs/kube-router/blob/master/docs/user-guide.md) on how it works.
  • IPv6 support for customImportReject in NRC - the custom import-reject prefix list now works for IPv6, and
    the default V6 default-route is properly rejected from peers (companion fix to the V4 behavior).
  • Configurable healthcheck bind address - new flag to control which address the healthcheck server listens on,
    useful for multi-homed nodes and stricter network segmentation.
  • EndpointSlice service.kubernetes.io/headless label recognized - NSC now treats headless services correctly
    when sourced from EndpointSlices.
  • LoadBalancer + NPC hardening - additional safety in the load balancer and network policy controllers,
    including control-character stripping in comments and an explicit error when deny by default is configured
    without a range.

On the maintenance side, this release bumps Go to 1.26.3 and the Kubernetes client libraries to v0.36 (which drove
the Go bump), updates GoBGP to v4.5.0, refreshes vishvananda/netlink, replaces docker/docker with
moby/moby/client, and pulls in the usual round of dependabot bumps across golang.org/x/*, gRPC, AWS SDK v2,
CodeQL, and other CI actions. There are no intentional breaking changes for end users in this release -- existing
flags and behaviors are preserved, with default-deny gated behind its opt-in flag.

Contributions

Thanks @rkojedzinszky, @Aprazor, @dodgex, & @rifelpet for contributions on this release!

Changelog

  • 50354a1 - test(testify): simplify slice comparisons <Aaron U'Ren>
  • 83f7623 - chore(codeql): update version v4.35.5 -> v4.36.0 <Aaron U'Ren>
  • 00d28bd - chore(ci-container.yml): update docker login-action v4.1.0 -> v4.2.0 <Aaron U'Ren>
  • 7b98762 - chore(ci-container.yml): update setup-buildx-action v4.0.0 -> v4.1.0 <Aaron U'Ren>
  • 7e90a65 - chore(goreleaser): update v2.15.4 -> v2.16.0 <Aaron U'Ren>
  • 32db6d8 - chore(.gitignore): remove more common AI paths <Aaron U'Ren>
  • e5b3fbb - fix(Makefile): always build kube-router and gobgp <Aaron U'Ren>
  • 4907653 - fix(.grype.yaml): don't include upstream CNI plugin in grype results <Aaron U'Ren>
  • f929648 - feat(AI): symlink AGENTS.md to CLAUDE.md <Aaron U'Ren>
  • 3346f35 - fact(modernize): modernize older go calls and add modernize linter <Aaron U'Ren>
  • 689e996 - chore(typos): update version v1.45.2 -> v1.46.3 <Aaron U'Ren>
  • d737584 - chore(doctoc): update documentation table-of-contents <Aaron U'Ren>
  • 8cb2c3d - chore(lint): update golangci-lint v2.11.4 -> v2.12.2 <Aaron U'Ren>
  • 43d5add - feat(NRC): add IPv6 support to customImportReject <Aaron U'Ren>
  • cd44da7 - test(NRC): add dual-stack variants and Test_AddDefinedSetContents <Aaron U'Ren>
  • fe8f3bc - test(NRC): backfill expected V6 default-route cross-family statements <Aaron U'Ren>
  • 8f95d66 - fix(NRC): correct exact-match policy name in checkPolicies test runner <Aaron U'Ren>
  • a61d77d - fact(NRC): rename defaultset -> defaultSet <Aaron U'Ren>
  • 41cc1b7 - fix(bgp): also reject defaultRouteSetV6 from peers <Richard Kojedzinszky>
  • 686aa3c - fact: make more idiomatic by removing yoda conditionals <Aaron U'Ren>
  • d608404 - fix(NPC): return error when deny by default without range <Aaron U'Ren>
  • 0b61e6f - doc: how --netpol-default-deny works <Aaron U'Ren>
  • 5c4b283 - feat(npc): enable default deny for pod<->pod <Aaron U'Ren>
  • 805de1b - feat(npc): initial draft of default-deny <Aaron U'Ren>
  • d746c84 - build(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 <dependabot[bot]>
  • 7df8ab6 - build(deps): bump actions/stale from 10.2.0 to 10.3.0 <dependabot[bot]>
  • 6380377 - build(deps): bump golang.org/x/sys from 0.44.0 to 0.45.0 <dependabot[bot]>
  • d56b669 - build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 <dependabot[bot]>
  • 18b0dc2 - build(deps): bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 <dependabot[bot]>
  • 6f46473 - build(deps): bump docker/build-push-action from 7.1.0 to 7.2.0 <dependabot[bot]>
  • 7831dff - build(deps): replace docker/docker with moby/moby/client <Manuel Rüger>
  • cc47490 - build(deps): bump the k8s-dependencies group across 1 directory with 4 updates <dependabot[bot]>
  • e4585cb - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
  • 094ccc7 - build(deps): bump golang.org/x/net from 0.53.0 to 0.54.0 <dependabot[bot]>
  • d55d09e - build(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 <dependabot[bot]>
  • fe17c94 - chore(go): update 1.25.9 -> 1.26.3 as k8s >=0.36 requires it <Aaron U'Ren>
  • 81006c2 - fix(k8s): update k8s library calls for version 0.36 <Aaron U'Ren>
  • ea9eb7d - build(deps): bump the k8s-dependencies group across 1 directory with 6 updates <dependabot[bot]>
  • 271c822 - build(deps): bump Grype v0.111.1 -> v0.112.0 <Aaron U'Ren>
  • f3ed6b0 - build(deps): bump github.com/osrg/gobgp v4.2.0 -> v4.5.0 <Aaron U'Ren>
  • 1ee7a4f - feat(dep-up): handle Grype and GoBGP version pinning <Aaron U'Ren>
  • 3317875 - feat(netlink): bump vishvananda/netlink to latest <Aaron U'Ren>
  • 7eaa3cf - test(NRC): add tests for policy based routing <Aaron U'Ren>
  • 48e65ac - Merge pull request #2069 from rifelpet/headless <Cat C>
  • c7b344d - test(NPC): add tests for sanitizeForComment control character stripping <Aprazors>
  • 687b4ae - fix(NPC,LBC): harden network policy and load balancer controllers <Aprazors>
  • c4652fe - build(deps): bump golang.org/x/sys from 0.43.0 to 0.44.0 <dependabot[bot]>
  • 38dfc4e - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
  • b142134 - build(deps): bump google.golang.org/grpc from 1.80.0 to 1.81.0 <dependabot[bot]>
  • 1702f05 - build(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2 <dependabot[bot]>
  • 41e325e - build(deps): bump github/codeql-action from 4.35.2 to 4.35.4 <dependabot[bot]>
  • c283d8d - Recognize headless label on EndpointSlices <Peter Rifel>
  • 67f25dc - feat(healthcheck): make healthcheck bind address configurable <dodgex>
  • e5f2a35 - build(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 <dependabot[bot]>
  • ae29924 - build(deps): bump github.com/aws/aws-sdk-go-v2/config <dependabot[bot]>
  • 93ee89c - build(deps): bump golang.org/x/net from 0.52.0 to 0.53.0 <dependabot[bot]>
