Release Notes
Changes since v2.3.0-beta.4
New Features
- Add Envoy network RBAC support to ListenerPolicy for IP-based access control at the network layer (#13528)
- Enable parsing and verification of OAuth2/OIDC access and ID tokens as JWT with dynamic metadata support (#13558)
- Expose Envoy's body_format for DirectResponse (#13678)
- Added upstreamProxyProtocol field to BackendConfigPolicy to support sending PROXY protocol headers to upstream backends (#13689)
- Deployments can be scaled to zero. (#13712)
- Add DNS refresh rate and jitter configuration to BackendConfigPolicy (#13722)
- Add fault injection support to TrafficPolicy for chaos engineering and resiliency testing. Supports delay injection, abort injection (HTTP/gRPC), response rate limiting, and per-route disable override. (#13730)
- rustformation: allow default buffering behavior to be bypassed; auto-detect websocket and other tunnel upgrade requests to bypass buffering (#13796)
- kubectl get DirectResponse shows ACCEPTED and ATTACHED columns. (#13834)
- Adds the ability to set request and response dynamic metadata via rustformations (#13835)
Bug Fixes
- Fixed BackendTLSPolicy not being attached when sectionName is specified in targetRefs. (#13780)
- Fix context leak in cliPortForwarder when StdoutPipe or StderrPipe fails (#13781)
- Fixed a TOCTOU race in OIDC provider config discovery that could cause redundant HTTP requests when the cache is refreshed under concurrent access. (#13797)
- Bump github.com/go-jose/go-jose/v4 to v4.1.4 to address GHSA-78h2-9frx-2jm8. (#13821)
Cleanup
- Replace usage of Envoy STRICT_DNS cluster type with DNSCluster (#13710)
- Helm: add controller-scoped overrides for controller deployment pod/scheduling/resource values, and deprecate the equivalent top-level chart values in favor of controller.*. (#13787)
Dependency Updates
- Bumps go to 1.26.2 (#13812)
Contributors
Thanks to all the contributors who made this release possible:













