We are excited to announce the release of Kuma 2.0! This new major release is super exciting as we announce the first availability of our next generation policies, in addition to new eBPF capabilities!
Notable changes
- We have added support for eBPF into both our CNI and init container configurations. Using eBPF can reduce traffic-flow latency by up to 12%.
- Added the first 3 next generation policy updates:
- MeshTrafficPermission
- MeshTrafficLog
- MeshTrafficTrace
- We have made multiple improvements to the UI as part of an ongoing effort to simplify and enrich the functionality of our admin dashboard. Specifically in 2.0 we're releasing:
- New YAML / JSON search and syntax highlighting for policies and Envoy configuration dumps
- Filtering and column customization capabilities for Data Plane Proxies
- Simplified, more intuitive navigation structure
- Improved our Datadog integration to record ingress and egress requests as separate services, allowing for easier debugging.
- It is now possible to configure the specific TLS versions and ciphers that are supported by the control-plane / API server.
- Users are now able to configure multiple UIDs to be ignored by traffic redirection (useful to work around some issues with systemd-resolver).
- Increased logging capabilities when using iptables for traffic redirection.
Check out the blog post about Kuma 2.0.0
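As an added example (not part of these release notes and not the Kuma project's own documentation), here is the shape of one of the new `targetRef`-based policies in universal YAML format: a MeshTrafficPermission that denies every source in the mesh for the `backend` service and then allows only proxies tagged `kuma.io/service: frontend`. The policy, mesh and service names are constructed; the field names and the upper-case `ALLOW`/`DENY` action values reflect the 2.0 schema as I recall it (the page itself shows the matching `DENY_WITH_SHADOW_ALLOW` variant being removed), so verify them against the policy reference for the version you run.

```yaml
type: MeshTrafficPermission
name: backend-allow-frontend-only   # constructed policy name
mesh: default                       # constructed mesh name
spec:
  # Which data plane proxies this policy applies to: the backend service.
  targetRef:
    kind: MeshService
    name: backend                   # constructed service name
  from:
    # Broadest rule: deny every source in the mesh ...
    - targetRef:
        kind: Mesh
      default:
        action: DENY
    # ... then the more specific rule allows only traffic whose source
    # proxy carries the frontend service tag.
    - targetRef:
        kind: MeshSubset
        tags:
          kuma.io/service: frontend  # constructed service name
      default:
        action: ALLOW
```

The more specific `from` entry (`MeshSubset`) takes precedence over the mesh-wide `DENY`, so the net effect is default-deny with a single allow list; the policy can be applied with `kumactl apply -f <file>` and the resulting rules checked with the rule-based inspect view this release adds.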
Changelog
- chore(.github): remove old release workflow #4836 @lobkovilya
- chore(api): remove DENY_WITH_SHADOW_ALLOW #5220 @lobkovilya
- chore(api): remove unused method and types #5148 @lobkovilya
- chore(api): remove unused timestamp.proto import #4906 @michaelbeaumont
- chore(api): skip Compute when building inbound access logs #5181 @jakubdyszkiewicz
- chore(bootstrap): improve validator policy bootstrap #5014 @lahabana
- chore(deps): bump actions/setup-go from 2 to 3 #5024 @dependabot
- chore(deps): bump cirello.io/pglock from 1.9.0 to 1.10.0 #5239 @dependabot
- chore(deps): bump github.com/Masterminds/sprig to 3.2.2 #5190 @mmorel-35
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.7 to 0.6.13 #5023 #5067 #5131 @dependabot
- chore(deps): bump github.com/google/go-cmp from 0.5.8 to 0.5.9 #4996 @dependabot
- chore(deps): bump github.com/gruntwork-io/terratest from 0.40.20 to 0.40.24 #4969 #4993 #5162 @dependabot
- chore(deps): bump github.com/kumahq/kuma-net from 0.8.1 to 0.8.2 #5188 @dependabot
- chore(deps): bump github.com/lib/pq from 1.10.6 to 1.10.7 #4995 @dependabot
- chore(deps): bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.4.0 #4939 #4949 #5021 #5145 #5204 @dependabot
- chore(deps): bump github.com/onsi/gomega from 1.20.0 to 1.23.0 #4933 #4970 #5133 #5146 #5240 @dependabot
- chore(deps): bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 #5203 @dependabot
- chore(deps): bump github.com/prometheus/prometheus from 0.37.0 to 0.39.1 #4887 #5134 @dependabot
- chore(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.1 #5155 #5241 @dependabot
- chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 #4994 @dependabot
- chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 #5020 #5205 @dependabot
- chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 #4930 @dependabot
- chore(deps): bump golang.org/x/text from 0.3.7 to 0.4.0 #5147 #5163 @dependabot
- chore(deps): bump google.golang.org/grpc from 1.48.0 to 1.50.1 #4927 #5132 #5156 @dependabot
- chore(deps): bump k8s.io dependencies from 0.24.3 to 0.25.3 #4934 #5026 #5153 @michaelbeaumont
- chore(deps): bump k8s.io/client-go from 0.25.1 to 0.25.2 #5062 @dependabot
- chore(deps): bump kumahq/kuma-gui to f3dba73d4c264b094b6b351a8b44f2d5a0dc4ecb #4842 #4925 #5092 #5106 #5109 #5139 #5141 #5167 #5179 #5197 #5214 #5232 #5234 #5248 #5251 @kleinfreund,@kumahq
- chore(deps): bump sigs.k8s.io/controller-runtime from 0.12.3 to 0.13.0 #4968 @dependabot
- chore(deps): bump sigs.k8s.io/controller-tools from 0.9.2 to 0.10.0 #5059 @dependabot
- chore(deps): update kuma-grafana-datasource #4856 @bartsmykla
- chore(gateway): remove invalid options for MeshGatewayRoute #4890 @michaelbeaumont
- chore(gui): removes update/gui command #4954 @kleinfreund
- chore(helm): remove unused `critical-pod` annotation #4952 @michaelbeaumont
- chore(helm): switch merbridge image registry to upstream #4838 @bartsmykla
- chore(kuma-cp): adjust timeout in cp probes #4983 @jakubdyszkiewicz
- chore(kuma-cp): config cleanup #4855 @jakubdyszkiewicz
- chore(kuma-cp): improve logging in K8S controllers #4982 @jakubdyszkiewicz
- chore(kuma-cp): improve test xds client #4976 @jakubdyszkiewicz
- chore(kuma-cp): remove disabling metrics from kuma-cp.defaults #4894 @lahabana
- chore(kuma-cp): resource manager wrapper #5057 @jakubdyszkiewicz
- chore(kuma-init): use iptables-legacy in kuma-init #5040 @bartsmykla
- chore(pkg/gc): don't rely on core.Now var for time #4918 @lahabana
- chore(plugins): remove some unnecessary interfaces and methods #4997 @lahabana
- chore(proto): remove protos for new policies #5218 @lobkovilya
- chore(test): added resource builder #5123 #5195 @jakubdyszkiewicz
- chore(test): added support for GRPC to test-server #4904 @lobkovilya
- chore(test): make unit test compatible with IPV6 host #5198 @jakubdyszkiewicz
- chore(xds): drop deprecated envoy.config.route.v3.HeaderMatcher.exact_match #4953 @michaelbeaumont
- docs(MADR): new tracing policy proposal #4938 @michaelbeaumont
- docs(MADR): update MADR 007 #5129 @lobkovilya
- docs(gateway): explain the semantics of a PREFIX match #5013 @michaelbeaumont
- docs(gateway): explain the semantics of a prefix rewrite to / #5016 @michaelbeaumont
- docs(proto): fixed default serviceAddress and upgrade docs #5236 @lukidzi
- docs(proto): rewrite dataplane proto docs #5219 @jakubdyszkiewicz
- feat(ebpf): CNI uses libbpf CO:RE #5233 @lukidzi
- feat(ebpf): refactor merbridge using libbpf with CO:RE #5034 @bartsmykla
- feat(ebpf): transparent proxy with eBPF in init containers #4919 #5046 #5066 #5095 @bartsmykla
- feat(gateway): add MeshGateway support to MeshAccessLog #5101 @michaelbeaumont
- feat(gateway): add `crossMesh` to `MeshGatewayConfig` #5183 @michaelbeaumont
- feat(gateway): add service-upstream annotation for delegated nginx #4913 @michaelbeaumont
- feat(gateway): install `kuma` `GatewayClass` if gateway API CRDs present #5001 @michaelbeaumont
- feat(gateway): match new policies to MeshGateways #5110 @michaelbeaumont
- feat(inspect): implement rule-based view for new policies #5000 #5184 #5189 #5202 @jakubdyszkiewicz,@lobkovilya
- feat(kuma-cp): add flag to disable taint controller #4852 @jakubdyszkiewicz
- feat(kuma-cp): add possibility to restrict TLS version and ciphers #5186 @lahabana
- feat(kuma-cp): add possibility to run MADS on TLS #5210 @lahabana
- feat(kuma-cp): add possibility to split datadog services based on traffic direction and destination #5063 @Automaat
- feat(kuma-cp): added validation for backend name #5081 @Automaat
- feat(kuma-cp): created default control plane user #5064 @jakubdyszkiewicz
- feat(kuma-cp): extensible token issuers #5083 @jakubdyszkiewicz
- feat(kuma-cp): move Mesh Cache to runtime #5140 @Automaat
- feat(kuma-cp): universal resources schema validation #5107 @slonka
- feat(kuma-cp): use zone token to auth zone ingress #5103 @jakubdyszkiewicz
- feat(kuma-dp): publish metrics with text_readouts from envoy #5159 @Automaat
- feat(kumactl): add option to install with experimental transparent proxy #4958 @michaelbeaumont
- feat(kumactl): use exclude ports for uids from kuma-net #4975 @slonka
- feat(policy): Add MeshAccessLog policy #4908 #4998 #5035 #5168 #5177 @michaelbeaumont,@slonka
- feat(policy): Add MeshTrace policy #5069 #5085 #5243 @michaelbeaumont,@slonka
- feat(policy): Add MeshTrafficPermission policy #4835 #5009 #5075 @lobkovilya
- feat(policy): add interfaces for policy plugins #4909 @lahabana
- feat(policy): reimplemented matching for new policies #4780 #4950 #4957 #4977 #5068 #5084 #5166 #5172 #5174 @lahabana,@lobkovilya
- feat(service-insights): add external service in api #5119 @lahabana
- fix(.github): links in PR template #4905 @michaelbeaumont
- fix(.github): use github app in pr-comment action #5164 @lahabana
- fix(api): nil dereference in MeshAccessLog configurer #5258 @lobkovilya
- fix(cni): add empty registry to experimental cni #4847 @slonka
- fix(cni): hook up log level to cni #4849 @slonka
- fix(cni): make cni logs available via kubectl logs #4845 @slonka
- fix(cni): retry loading images #4860 @slonka
- fix(docs): fixed location of developer tools in DEVELOPER.md docs #4988 @Automaat
- fix(gateway): add support for retryOn #5091 @lahabana
- fix(gateway): cross-mesh gateways with same service #5247 @michaelbeaumont
- fix(gateway): don't create invalid envoy config when routes and listeners don't match #4837 @michaelbeaumont
- fix(gateway): route URL prefix rewriting #5006 @michaelbeaumont
- fix(gateway): skip ExternalService if none match #5207 @michaelbeaumont
- fix(gateway): sort routes #5007 @michaelbeaumont
- fix(gatewayapi): don't NPE if the `GatewayClass` ref doesn't exist #5187 @michaelbeaumont
- fix(gatewayapi): reconcile Gateways and HTTPRoutes on ReferenceGrant changes #4944 @michaelbeaumont
- fix(gatewayapi): update gateway-api and fix failing RouteKind tests #5175 @michaelbeaumont
- fix(helm): customize location of kuma-init repository for ebpf cleanup #5230 @lukidzi
- fix(helm): use `podAnnotations` everywhere possible #4991 @lahabana
- fix(kuma-cp): collapsed grafana dashboards #4839 @jakubdyszkiewicz
- fix(kuma-cp): deep copy tags when gen. outbounds #5070 @bartsmykla
- fix(kuma-cp): disable statsForAllMethods in grpc stats #5226 @jakubdyszkiewicz
- fix(kuma-cp): do not override source address when TP is not enabled #4951 @lukidzi
- fix(kuma-cp): multiple external services pointing to same address #5185 @slonka
- fix(kuma-cp): override grafana plugin files by default #5208 @slonka
- fix(kuma-cp): reissue admin tls cert on dp address change #5222 @jakubdyszkiewicz
- fix(kuma-cp): remove Dataplane for Pod without IP #4964 @jakubdyszkiewicz
- fix(kuma-cp): return content type of inspect endpoints #4965 @jakubdyszkiewicz
- fix(kuma-dp): resilient TCP access log streamer #4862 @jakubdyszkiewicz
- fix(kumactl): get APIVersions from k8s server #5182 @michaelbeaumont
- fix(tools): add 'v' prefix to preview version format #5004 @michaelbeaumont
- fix(tools): support both GitHub app tokens and PATs #4869 @michaelbeaumont
- perf(kuma-cp): avoid rebuilding endpoint map #4974 @jakubdyszkiewicz
- refactor(kuma-dp): add xds authentication customization #4990 @michaelbeaumont