github hashicorp/consul-k8s v0.26.0-beta2

0.26.0-beta2 (May 06, 2021)

BREAKING CHANGES:

  • Connect: Add a security context to the init copy container and the envoy sidecar and ensure they
    do not run as root. If a pod container shares the same runAsUser (5995) as Envoy an error is returned
    on scheduling. [GH-493]

IMPROVEMENTS:

  • CRDs: Update ServiceDefaults with Mode, TransparentProxy and UpstreamConfigs fields. Note: Mode and TransparentProxy should not be set
    using this CRD but via annotations. [GH-502], [GH-485]

  • CRDs: Update ProxyDefaults with Mode and TransparentProxy fields. Note: Mode and TransparentProxy should not be set
    using the CRD but via annotations. [GH-505], [GH-485]

  • CRDs: Add CRD for MeshConfigEntry. Supported in Consul 1.10+ [GH-513]

  • Connect: No longer set multiple tagged addresses in Consul when k8s service has multiple ports and Transparent Proxy is enabled.
    [GH-511]

  • Connect: Allow exclusion of inbound ports, outbound ports and CIDRs, and additional user IDs when
    Transparent Proxy is enabled. [GH-506]

    The following annotations are supported:

    • consul.hashicorp.com/transparent-proxy-exclude-inbound-ports - Comma-separated list of inbound ports to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-outbound-ports - Comma-separated list of outbound ports to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs - Comma-separated list of IPs or CIDRs to exclude.
    • consul.hashicorp.com/transparent-proxy-exclude-uids - Comma-separated list of Linux user IDs to exclude.

  • Connect: Add the ability to set default tproxy mode at namespace level via label. [GH-501]

    • Setting the annotation consul.hashicorp.com/transparent-proxy to true/false will define whether tproxy is enabled/disabled for the pod.
    • Setting the label consul.hashicorp.com/transparent-proxy to true/false on a namespace will define the default behavior for pods in that namespace that do not also have the annotation set.
    • The default tproxy behavior will be defined by the value of the -enable-transparent-proxy flag to the consul-k8s inject-connect command. It can be overridden in a namespace by the label on the namespace or for a pod using the annotation on the pod.
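
The precedence described above (pod annotation, then namespace label, then the injector flag) can be expressed as a small resolver, useful when auditing which pods end up outside transparent proxying. This is an added example, not consul-k8s code; the function name `tproxyEnabled`, the error on unparsable values, and the sample pods are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// Key used for both the pod annotation and the namespace label.
const tproxyKey = "consul.hashicorp.com/transparent-proxy"

// tproxyEnabled returns the effective setting for a pod and which source decided it.
// Precedence: pod annotation, then namespace label, then the injector flag default.
// Returning an error on an unparsable value is an assumption of this example.
func tproxyEnabled(podAnnotations, nsLabels map[string]string, flagDefault bool) (bool, string, error) {
	sources := []struct {
		name   string
		values map[string]string
	}{
		{"pod annotation", podAnnotations},
		{"namespace label", nsLabels},
	}
	for _, s := range sources {
		raw, ok := s.values[tproxyKey]
		if !ok {
			continue // not set at this level, fall through to the next source
		}
		enabled, err := strconv.ParseBool(raw)
		if err != nil {
			return false, s.name, fmt.Errorf("%s %s=%q is not a boolean", s.name, tproxyKey, raw)
		}
		return enabled, s.name, nil
	}
	return flagDefault, "flag default", nil
}

func main() {
	// Constructed sample: the namespace opts in, one pod opts out via annotation.
	ns := map[string]string{tproxyKey: "true"}
	pods := map[string]map[string]string{
		"web":    {},
		"legacy": {tproxyKey: "false"},
	}
	for name, ann := range pods {
		enabled, src, err := tproxyEnabled(ann, ns, false)
		fmt.Printf("%s: enabled=%v source=%q err=%v\n", name, enabled, src, err)
	}
}
```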

BUG FIXES:

  • Connect: Use runAsNonRoot: false for connect-init's container when tproxy is enabled. [GH-493]
  • CRDs: Fix a bug where the config field in ProxyDefaults CR was not synced to Consul because
    apiextensions.k8s.io/v1 requires CRD spec to have structured schema. [GH-495]
  • Connect: Fix a bug where health status in Consul is updated incorrectly due to stale pod information in cache.
    [GH-503]
