kumahq/kuma 1.8.0

on GitHub

Notable changes

🚀 CNI v2 with lots of improvements
🚀 Production settings for Builtin Gateway
🚀 URL rewrite in Builtin Gateway
🚀 Stats and Clusters in the GUI
🚀 Extra retryOn options for Retry
🚀 Better support for TCP logging
🚀 Filtering Envoy metrics
🚀 Projected service account token

Checkout the blog post about Kuma 1.8.0

Changelog

New features:

CNI v2 with lots of improvements:

• taint controller to prevent race condition #4650 @slonka
• all logs are easily accessible via kubectl logs command which greatly simplifies observability #4845 @slonka
• it uses new transparent engine implemented in kuma-net #4481 @slonka

URL rewrite in Builtin Gateway:

• support URL rewriting #4638 @michaelbeaumont

Stats and Clusters in the GUI:

• execute stats and clusters from the control plane #4557 #333 @jakubdyszkiewicz

Extra retryOn options for Retry:

• add extra http retryOn options #4744 @johnharris85

Better support for TCP logging:

• resilient tcp TCP access log streamer #4511 @parkanzky #4862 @jakubdyszkiewicz

Filtering Envoy metrics:

• added option to define filter for Envoy metrics #4503 @lukidzi

Projected service account token:

• support for projected service account token #4453 @lukidzi

Fixes:

Helm:

• remove duplicate keys in resources #4681 @michaelbeaumont
• add containersecuritycontext to CNI daemonset #4677 @jakubdyszkiewicz
• fix extraConfigMap and cp labels #4531 @lahabana
• use image.global.registry for imageExperimental #4641 @jakubdyszkiewicz

Gateway:

• ListenerReason for unresolved certificate refs, enable ReferenceGrant conformance tests #4806 @michaelbeaumont
• check hostname intersection between HTTPRoute and Gateway listener #4537 @michaelbeaumont
• create MeshGatewayInstance in same Mesh as Gateway #4794 @michaelbeaumont
• don't create invalid envoy config when routes and listeners don't match (backport #4837) #4841 @mergify
• hostname intersections, use new RouteReasons #4544 @michaelbeaumont
• improve HTTPRoute statuses with unresolved BackendRefs #4635 @michaelbeaumont
• npe without any timeout #4548 @michaelbeaumont
• rbac permissions for ReferenceGrant #4628 @michaelbeaumont
• workaround label value max length with hash #4545 @michaelbeaumont

Control Plane:

• check if kuma annotation or label is set but ignore value #4731 @lukidzi
• delete an empty TimeoutConfigurer #4554 @lobkovilya
• do not modify external service tags #4591 @jakubdyszkiewicz
• don't deploy Pod/Service webhooks in global #4673 @michaelbeaumont
• don't fail generation if other mesh CAs are misconfigured #4501 @michaelbeaumont
• external service datasource validation #4652 @jakubdyszkiewicz
• fix builtdns annotations for kubernetes #4660 @lahabana
• generate cluster name hash based on tags not config #4598 @lukidzi
• grant delete Pods in kuma-system namespace to control plane #4571 @michaelbeaumont
• localhost exposed application shouldn't be reachable #4750 @lukidzi
• make options for policies simpler #4722 @lahabana
• protect sort from empty locality #4820 @jakubdyszkiewicz
• registering dp on reconnect #4647 @jakubdyszkiewicz
• support GC service account #4483 @lobkovilya
• validate both old and new objects on Update #4589 @michaelbeaumont
• validation error with user tokens #4507 @jakubdyszkiewicz

Data Plane:

• access log path on windows when cp is on linux #4518 @jakubdyszkiewicz
• fix multi OS build of accesslogs #4767 @lahabana
• have envoy version check always work #4564 @lahabana
• propagate context for metrics aggregate #4640 @lukidzi
• set prometheus content-type when returning metrics #4706 @lukidzi

Other:

• add operations now create non-existent path elements #4595 @michaelbeaumont

Docs:

• new policy matching proposal #4474 @lobkovilya

Other changes:

Gateway:

• mention mesh name in gateway instance status #4678 @lahabana
• add listener connection limits #4755 @michaelbeaumont
• add loadBalancerIP to MeshGatewayInstance #4519 @michaelbeaumont
• allow MeshGateway Dataplane Pods to bind privileged ports #4535 @michaelbeaumont
• configure overload_manager based on max memory #4694 @michaelbeaumont
• multi-zone cross-mesh MeshGateway #4443 @michaelbeaumont
• propagate x-kuma-tags from MeshGateways #4476 @michaelbeaumont
• send default static payload for empty gateway #4617 @tharun208
• set path_with_escaped_slashes_action #4719 @michaelbeaumont
• set cluster HTTP2 stream and connection window size #4779 @michaelbeaumont
• set cluster per_connection_buffer_limit_bytes #4696 @michaelbeaumont
• set global_downstream_max_connections to 50000 #4724 @michaelbeaumont
• update to Gateway API v0.5.0, support v1beta1 resources #4599 @michaelbeaumont
• validate listeners for collapsibility #4765 @michaelbeaumont
• add MeshGateway dashboard #4555 @michaelbeaumont

Control Plane:

• config cleanup (backport #4855) #4857 @mergify
• don't set deprecated dns_resolver_config #4702 @michaelbeaumont
• don't set deprecated known_suffixes #4701 @michaelbeaumont
• remove deprecated Cluster.Http2ProtocolOptions #4528 @michaelbeaumont
• remove versions_ws #4512 @lahabana
• replace deprecated admin_access_log_path #4552 @lahabana
• add /policies endpoint to list all registered policies #4708 @lahabana
• authenticate DP every time #4685 @jakubdyszkiewicz
• enrich policies endpoint #4791 @jakubdyszkiewicz
• identify gateway service by deployment #4703 @parkanzky
• separate CA for Envoy Admin communication #4676 @jakubdyszkiewicz
• use remote address for Gateway #4530 @jakubdyszkiewicz
• add operations now create non-existent path elements #4595 @michaelbeaumont

Data Plane:

• remove envoy admin port flag #4574 @tharun208
• detect memory limit only on linux #4715 @jakubdyszkiewicz

kumactl:

• add a limit to the prom TSDB size #4651 @lahabana
• remove old flags in install tp #4760 @lahabana
• add MeshGateway to install demo #4679 @michaelbeaumont
• add install control-plane --registry flag #4533 @michaelbeaumont

Documentation:

• create MADR for MeshTrafficPermission #4666 @lobkovilya
• new policy matching proposal #4474 @lobkovilya
• policy matching, replace 'conf' with 'default' #4693 @lobkovilya

CNI:

• add cni ebpf plugin #4810 @bartsmykla
• implement the cni plugin #4481 @slonka #4618 @slonka #4613 @slonka #4850 @mergify #4642 @slonka #4788 @slonka #4858 @mergify #4826 @slonka #4695 @slonka #4846 @mergify
• taint controller #4852 @jakubdyszkiewicz
• use our cni with calico #4801 @slonka

Dependency updates:

• update demo to latest version #4572 @lahabana
• update Kuma GUI #4815 @kleinfreund #4723 @lahabana
• use github.com/emicklei/go-restful/v3 #4665 @mmorel-35
• bump alpine from 3.16.0 to 3.16.2 in /tools/releases/dockerfiles #4670 #4827 @dependabot
• bump github.com/containerd/cgroups from 1.0.3 to 1.0.4 #4717 @dependabot
• bump github.com/containernetworking/cni from 0.8.1 to 1.1.2 #4632 #4716 @dependabot
• bump github.com/golang-jwt/jwt/v4 from 4.4.1 to 4.4.2 #4499 @dependabot
• bump github.com/golang-migrate/migrate/v4 from 4.15.0 to 4.15.2 #4672 @dependabot
• bump github.com/gruntwork-io/terratest from 0.40.15 to 0.40.20 #4469 #4480 @dependabot
• bump github.com/miekg/dns from 1.1.49 to 1.1.50 #4492 @dependabot
• bump github.com/onsi/gomega from 1.19.0 to 1.20.0 #4671 @dependabot
• bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 #4783 @dependabot
• bump github.com/prometheus/common from 0.34.0 to 0.37.0 #4489 #4627 @dependabot
• bump github.com/spf13/cobra from 1.4.0 to 1.5.0 #4491 @dependabot
• bump go.uber.org/zap from 1.21.0 to 1.22.0 #4829 @dependabot
• bump google.golang.org/grpc from 1.47.0 to 1.48.0 #4631 @dependabot
• bump google.golang.org/protobuf from 1.28.0 to 1.28.1 #4718 @dependabot
• bump k8s.io/apiextensions-apiserver from 0.24.0 to 0.24.3 #4493 #4624 @dependabot
• bump sigs.k8s.io/controller-runtime from 0.12.1 to 0.12.3 #4498 #4581 @dependabot
• bump sigs.k8s.io/controller-tools from 0.9.0 to 0.9.2 #4549 @dependabot