github cloudnativelabs/kube-router v2.8.0


Security Notice

This release contains an important security fix. A GitHub Security Advisory (GHSA) & CVE with full details will be
published soon.
We are releasing the fix ahead of the advisory to give operators time to upgrade.

We strongly recommend that all users upgrade to v2.8.0 as soon as possible. This is especially critical for
multi-tenant clusters or clusters where untrusted users have the ability to create or modify Service resources.

If you have questions or concerns, please reach out via the #kube-router channel on
Kubernetes Slack or email admin@kube-router.io.

Breaking Changes

Service IP Range Validation on by Default

This release introduces a new command-line flag that is enabled by default:

  • --strict-external-ip-validation (default: true) -- When enabled, externalIPs and loadBalancerIPs on Service
    resources are validated against the configured --service-external-ip-range and --loadbalancer-ip-range flags.
    IPs that fall outside the allowed ranges or that conflict with the cluster IP range are rejected. When no ranges are
    configured and strict mode is enabled, all externalIPs and loadBalancerIPs are rejected (default-deny). We recommend
    enabling this flag on all clusters.

See the user guide for configuration details.

For this release the kube-router team STRONGLY recommends that you either:

  • Have all of your service ranges defined correctly via the --service-external-ip-range and --loadbalancer-ip-range flags
    and ensure that all of your current services have VIPs that are contained in the ranges defined before upgrading to v2.8.0
  • Set --strict-external-ip-validation=false as one of your options to kube-router before upgrading to v2.8.0. Note
    that doing this in a multi-tenant cluster is not recommended by the project.
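As an added illustration (not kube-router's own code), the following Go model implements the rule described above and can double as a pre-upgrade audit of existing Service VIPs against the ranges you intend to configure. Flag names come from the release notes; the ClusterIPRange field, the constructed sample addresses and the message wording are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
)

// IPRangePolicy models the v2.8.0 validation described above. This is an added
// illustration, not kube-router's own code; fields mirror the flags in the notes.
type IPRangePolicy struct {
	Strict         bool           // --strict-external-ip-validation
	ExternalRanges []netip.Prefix // --service-external-ip-range
	LBRanges       []netip.Prefix // --loadbalancer-ip-range
	ClusterIPRange netip.Prefix   // cluster IP CIDR that VIPs must not overlap (assumed input)
}

// Validate returns one reason per rejected VIP of a Service; empty means accepted. With no
// ranges configured, strict mode rejects every VIP (default-deny); Strict=false skips all checks.
func (p IPRangePolicy) Validate(svc string, externalIPs, lbIPs []string) []string {
	if !p.Strict {
		return nil
	}
	var rejected []string
	check := func(kind string, ips []string, allowed []netip.Prefix) {
		for _, s := range ips {
			ip, err := netip.ParseAddr(s)
			switch {
			case err != nil:
				rejected = append(rejected, fmt.Sprintf("%s: %s %q is not a valid IP", svc, kind, s))
			case p.ClusterIPRange.Contains(ip):
				rejected = append(rejected, fmt.Sprintf("%s: %s %s conflicts with the cluster IP range", svc, kind, s))
			case !slices.ContainsFunc(allowed, func(r netip.Prefix) bool { return r.Contains(ip) }):
				rejected = append(rejected, fmt.Sprintf("%s: %s %s is outside the configured ranges", svc, kind, s))
			}
		}
	}
	check("externalIP", externalIPs, p.ExternalRanges)
	check("loadBalancerIP", lbIPs, p.LBRanges)
	return rejected
}

func main() { // constructed sample: in-range externalIP, cluster-range collision, out-of-range LB IP
	p := IPRangePolicy{Strict: true, ClusterIPRange: netip.MustParsePrefix("10.96.0.0/12"),
		ExternalRanges: []netip.Prefix{netip.MustParsePrefix("198.51.100.0/24")},
		LBRanges:       []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}}
	for _, r := range p.Validate("web", []string{"198.51.100.10", "10.96.0.5"}, []string{"192.0.2.7"}) {
		fmt.Println("REJECT", r)
	}
}
```

Run it over every Service's externalIPs and status/spec load balancer IPs with the ranges you plan to pass to kube-router; any non-empty result is a VIP that strict mode will reject after the upgrade.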

Prometheus Metric Changes

kube_router_controller_bgp_peers has been replaced with the new metric kube_router_bgp_peer_info, which exposes
more information about each peer's state and also covers externally configured peers (the previous metric
only reported kube-router based peering).

Summary

v2.8.0 brings a security hardening release focused on service IP validation, along with SCTP support, a new BGP peer
info metric, and extensive documentation improvements.

Additionally, with this release the kube-router project officially welcomes @catherinetcai to our small maintainer
group! Big thanks for all of the support she's already provided and we look forward to seeing how she improves
kube-router in the months / years to come. :)

SCTP Support

kube-router now supports the SCTP protocol in Service resources, extending the existing TCP and UDP support. This includes
proper handling in IPVS service proxy, iptables rules, and node port specifications.

BGP Peer Info Metric

A new Prometheus metric kube_router_bgp_peer_info has been added, providing detailed information about BGP peer
state. The previous controller_bgp_peers metric name has been replaced.

Documentation Overhaul

This release includes a significant documentation refresh:

  • Updated and modernized the user guide, architecture docs, and troubleshooting guide
  • Added table of contents to long-form documentation
  • Corrected spelling and grammar throughout
  • Added a code of conduct and pull request template
  • Added AI agent guidelines for contributors
  • Added a supported versions statement
  • Updated the architecture diagram to include the Load Balancer Allocator controller

Contributions

Thanks to the community members who contributed to this release:

Changelog

  • 0e94d43 - doc(user-guide.md): add service IP validation to table of contents <Aaron U'Ren>
  • a1f0b2e - fix: validate external IPs and LB IPs against configured ranges <Aaron U'Ren>
  • 06cff2e - doc: remove slashes from headings to fix website generation <Aaron U'Ren>
  • 193bef9 - doc: update architecture diagram with lbc <Aaron U'Ren>
  • dec6b7d - chore(.gitignore): add a place for personal scripts <Aaron U'Ren>
  • 4ff7c86 - doc: add a statement about supported versions of kube-router <Aaron U'Ren>
  • 070d956 - feat(lint): add basic typos checker to ensure less spelling mistakes in the future <Aaron U'Ren>
  • 1df7ecd - doc: add table of contents to long markdown files <Aaron U'Ren>
  • 2f26e67 - doc(troubleshoot.md): add content to the guide <Aaron U'Ren>
  • 3e193a7 - doc: correct spelling and grammar mistakes <Aaron U'Ren>
  • 06b0b74 - doc: update and modernize documentation <Aaron U'Ren>
  • e4b356c - doc(CODE_OF_CONDUCT.md): add a basic code of conduct <Aaron U'Ren>
  • b5b1081 - doc(development): update / clarify development / contribution practices <Aaron U'Ren>
  • f566822 - chore: add Cat C (catherinetcai) to maintainer list <Aaron U'Ren>
  • 39efb92 - feat: add support for SCTP <Roman Kuzmitskii>
  • 62d1788 - chore(PULL_REQUEST_TEMPLATE.md): add a pull request template to help guide users towards adhering to the AI policy <Aaron U'Ren>
  • ac57ed5 - doc(ai): add AI documentation and usage guidelines with AGENTS file <Aaron U'Ren>
  • f05ae5a - doc(metrics.md): replace controller_bgp_peers -> bgp_peer_info <Aaron U'Ren>
  • b1a34ed - feat(gobgp): add kube_router_bgp_peer_info metric <Roman Kuzmitskii>
  • b40e947 - build(deps): bump golang.org/x/net from 0.49.0 to 0.51.0 <dependabot[bot]>
  • 5cee14c - build(deps): bump goreleaser/goreleaser-action from 6 to 7 <dependabot[bot]>
