kumahq/kuma 2.11.0

on GitHub

We are excited to announce the latest release!

Notable Changes

Better control on namespaces joining the mesh

Kuma now supports accessing to resources in specific namespaces on Kubernetes. This enhances security and ensures that Kuma does not impact running applications that are not intended to be part of the Mesh.

Embedded DNS server

We historically used CoreDNS to support service naming - a mapping of hostname to Virtual IPs (VIPs) in Kuma. In this release, we introduced an embedded DNS server and it is enabled by default.

Added MeshHTTPRoute support for multiple policies

Support of specifying MeshHTTPRoutes in spec.to[].targetRef is added for MeshAccesslog, MeshTimeout and MeshRetry policies.

Continued improvement of OpenAPI

Added specs for Dataplane and DataplaneOverview resource types and added security schemas.

Improvements on transparent proxy config driven by ConfigMaps

The experimental feature of configuring the transparent proxy using Kubernetes ConfigMaps is improved.

Changelog

• chore(deps): bump coredns from v1.12.0 to v1.12.1 #13649 @Automaat
• chore(deps): bump debian from 12.9 to 12.11 #13126 #13605 @renovate
• chore(deps): bump dependencies in opentelemetry-go group #13492 #13607 @renovate
• chore(deps): bump docker.io/bitnami/kubectl from 1.32.3 to 1.33.1 #13472 #13560 @renovate
• chore(deps): bump envoy from 1.32.3 to v1.34.1 #13148 #13242 #13438 #13513 @lukidzi
• chore(deps): bump gcr.io/distroless/base-nossl-debian12:debug from 1368c7b to 84c4a85 #13594 @renovate
• chore(deps): bump gcr.io/distroless/base-nossl-debian12:debug-nonroot from 393a396 to 081a62d #13595 @renovate
• chore(deps): bump gcr.io/distroless/static-debian12:debug-nonroot from 14a28be to 633d5fa #13596 @renovate
• chore(deps): bump gcr.io/k8s-staging-build-image/distroless-iptables from v0.7.3 to v0.7.5 #13430 #13604 @renovate
• chore(deps): bump ghcr.io/kumahq/ubuntu-netools from 5417a86 to cdf2203 #13597 @renovate
• chore(deps): bump github.com/cilium/ebpf from v0.17.3 to v0.18.0 #13329 @renovate
• chore(deps): bump github.com/containernetworking/cni from v1.2.3 to v1.3.0 #13346 @renovate
• chore(deps): bump github.com/containernetworking/plugins from v1.6.2 to v1.7.1 #13473 @renovate
• chore(deps): bump github.com/exaring/otelpgx from v0.9.0 to v0.9.3 #13494 #13561 @renovate
• chore(deps): bump github.com/golang-jwt/jwt/v5 from v5.2.1 to v5.2.2 #13168 @renovate
• chore(deps): bump github.com/golang-migrate/migrate/v4 from v4.18.2 to v4.18.3 #13468 @renovate
• chore(deps): bump github.com/jackc/pgx/v5 from v5.7.2 to v5.7.5 #13172 #13184 #13562 @renovate
• chore(deps): bump github.com/josephburnett/jd/v2 from v2.0.0-20240818191833-6125a15c637a to v2.2.3 #13214 #13268 #13524 @renovate
• chore(deps): bump github.com/miekg/dns from v1.1.63 to v1.1.66 #13134 #13323 #13525 @renovate
• chore(deps): bump github.com/prometheus/client_golang from v1.21.1 to v1.22.0 #13365 @renovate
• chore(deps): bump github.com/prometheus/client_model from v0.6.1 to v0.6.2 #13390 @renovate
• chore(deps): bump github.com/prometheus/common from v0.63.0 to v0.64.0 #13566 @renovate
• chore(deps): bump github.com/vishvananda/netlink from v1.3.1-0.20250303224720-0e7078ed04c8 to v1.3.1 #13526 @renovate
• chore(deps): bump golang from 1.23.6 to 1.24.2 #13132 #13367 @kumahq,@lukidzi
• chore(deps): bump golang.org/x/crypto from v0.36.0 to v0.38.0 #13331 #13529 @renovate
• chore(deps): bump golang.org/x/net from v0.37.0 to v0.40.0 #13272 #13530 @renovate
• chore(deps): bump golang.org/x/sync from v0.12.0 to v0.13.0 #13332 @renovate
• chore(deps): bump golang.org/x/tools from v0.31.0 to v0.33.0 #13351 #13567 @renovate
• chore(deps): bump gonum.org/v1/gonum from v0.15.1 to v0.16.0 #13189 @renovate
• chore(deps): bump google.golang.org/grpc from v1.71.0 to v1.72.1 #13325 #13475 #13564 @renovate
• chore(deps): bump google.golang.org/protobuf from v1.36.5 to v1.36.6 #13186 @renovate
• chore(deps): bump grafana/grafana from 11.5.2 to 12.0.0 #13215 #13609 @renovate
• chore(deps): bump helm.sh/helm/v3 from v3.17.2 to v3.18.0 #13369 #13606 @renovate
• chore(deps): bump k8s-libs from v0.32.3 to v0.33.1 #13476 #13565 @renovate
• chore(deps): bump kumactl install demo / observability container images #13326 #13470 #13568 @renovate
• chore(deps): bump postgres from 81f32a8 to 6efd0df #13600 #13620 @renovate
• chore(deps): bump prom/prometheus from v3.2.1 to v3.3.1 #13419 #13497 @renovate
• chore(deps): bump redis from 6aafb7f to b3ad798 #13601 @renovate
• chore(deps): bump sigs.k8s.io/controller-runtime from v0.20.3 to v0.21.0 #13188 #13622 @renovate
• chore(deps): bump sigs.k8s.io/controller-tools from v0.17.2 to v0.18.0 #13328 #13608 @renovate
• chore(deps): bump sigs.k8s.io/gateway-api from v1.2.1 to v1.3.0 #13477 @renovate
• chore(deps): upgrade debian11 to debian12 image #13265 @lukidzi
• chore(deps): upgrade min k8s version from 1.25.x to 1.27.x and max k8s version from 1.31.x to 1.32.x #13152 @lukidzi
• chore(deps): use latest kumahq/kuma-gui #13121 #13122 #13128 #13130 #13133 #13140 #13181 #13182 #13199 #13204 #13249 #13250 #13251 #13275 #13276 #13277 #13280 #13284 #13295 #13300 #13309 #13315 #13317 #13368 #13374 #13375 #13385 #13404 #13412 #13417 #13423 #13425 #13433 #13434 #13439 #13442 #13444 #13464 #13481 #13482 #13484 #13487 #13489 #13501 #13505 #13512 #13521 #13523 #13536 #13537 #13546 #13547 #13550 #13554 #13555 #13573 #13575 #13585 #13628 #13633 #13642 #13645 #13657 #13664 @kumahq
• feat(api): rename zone-ingress/global-secrets to k8s conventions name #13418 @lukidzi
• feat(dns): switch to use embedded DNS server by default instead of CoreDNS #13124 #13552 @lahabana,@lukidzi
• feat(hostnamegenerator): add possibility to define extension #13557 @lukidzi
• feat(inspect-api): use real dataplane metadata when computing config for proxy #13591 @Automaat
• feat(k8s): restrict set of permissions on Kubernetes #13104 #13320 #13377 #13378 #13387 #13388 #13465 #13466 @lukidzi
• feat(kri): format Identifier as KRI #13311 @lobkovilya
• feat(kuma-cp): add metadata field to DataplaneInsight for storing XDS metadata #13522 @bartsmykla
• feat(kuma-cp): deduplicate dataplane inbounds by address and port combination #12760 @Automaat
• feat(kuma-cp/tproxy): switch injector to config annotations and mounts for tproxy config #13491 @bartsmykla
• feat(kuma-dp): add support for dynamic transparent proxy config #13409 @bartsmykla
• feat(kumactl): skip non-system-namespace policies when exporting federation #13114 @lukidzi
• feat(meshaccesslog): add support for MeshHTTPRoute #13615 @lobkovilya
• feat(meshhttproute): rename routeConfiguration and routes to use KRI #13322 @lobkovilya
• feat(meshretry): add MeshHTTPRoute support #13534 @lobkovilya
• feat(meshtimeout): add MeshHTTPRoute support #13502 @lobkovilya
• feat(oapi): add dataplane openapi spec #13479 @slonka
• feat(oapi): add missing dataplane overview endpoints and fix casing #13483 @slonka
• feat(oapi): add security schemas #13656 @slonka
• feat(xds): add option to bind outbounds to real loopback IP:PORT #13503 @lukidzi
• feat(xds): introduce deltaXds for configuration exchange #13356 #13467 @lukidzi
• fix(accesslogstreamer): stop adding newline to the msg #13583 @lobkovilya
• fix(api): don't store status field from API requests #13636 @lukidzi
• fix(api-server): ensure base path start with slash to prevent ServeMux panic #13543 @led0nk
• fix(autoreachableservices): fix nil pointer by skipping policies with targetRef.kind Dataplane #13616 @Automaat
• fix(defaults): ensure that we use consistent store to retrive signing key #13644 @slonka
• fix(kds): detect properly hanging stream for the same zone #12983 @lukidzi
• fix(kds): don't override status field #13618 @lukidzi
• fix(kuma-cp): fix top level MeshService deprecation message and point users to Dataplane kind #13520 @Automaat
• fix(kuma-cp): forbid creation of resource with zone origin on global #13619 #13639 @lukidzi
• fix(kuma-dp): change log level of fetcher from info to debug #13399 @lukidzi
• fix(kumactl): avoid logger issues by importing controller-runtime directly #13337 @bartsmykla
• fix(kumactl): change mtls backend builtin to provided and skip validation #13318 @lukidzi
• fix(kumactl): don't export mesh object twice #13111 @lukidzi
• fix(meshexternalservice): allow 63 length k8s MeshExternalService resource creation #13655 @Icarus9913
• fix(openapi): rename RSAbits to rsaBits #13383 @slonka
• fix(rules): fix incorrect behaviour of MeshTimeout/MeshRetry policies when referencing routes #13559 @lobkovilya
• fix(secrets): correctly compare other meshes secrets when using crossMesh #13426 @lukidzi
• fix(vip): don't fail once previous address is out of range of new range #13678 @lukidzi
• fix(xds): use correct context to cleanup dataplane object when the proxy is disconnecting #13504 @jijiechen
• perf(rules): add withNegation flag to simplify to policy flow #13151 @lukidzi