We’re excited to announce the release of Kuma 2.2. This new minor release adds some long-awaited features, more incremental improvements to our UI and policies, and many more minor features and bug fixes.
To take advantage of the latest and greatest in service mesh, we strongly suggest upgrading to Kuma 2.2. Upgrading is easy through `kumactl` or Helm.
Notable features
Flexibility
- OpenTelemetry support for tracing and access logging
- Added the ability to define MeshProxyPatch policies using JSONPatch, allowing greater power and flexibility to customize underlying Envoy configuration
- Multiple improvements and functionality added to the MeshHTTPRoute policy, including:
  - Cross-zone support
  - Request mirroring
  - Host header rewrites for the MeshGateway
  - Header matching
- Support for retry predicates and priorities
- Additional options for customizing the pods backing a MeshGatewayInstance deployment
- Upgraded underlying Envoy version to 1.25
- Various other bug fixes and quality-of-life improvements across the product
Scalability
- New MeshLoadBalancing policy, enabling more granular control of load balancing configuration between services
- Official support for deploying a Universal mode global control plane (Postgres-backed) to a Kubernetes cluster for better availability and resilience characteristics
Security
- Ability to provide a public key for offline token signing and validation
Changelog
- Modify helm.sh script to make sure no duplicate manifests will be present in packaged chart #6512 @bartsmykla
- chore(deps): bump Envoy from 1.22.2 to 1.22.7 #5982 @lahabana
- chore(deps): bump actions/setup-go from 3 to 4 #6311 @dependabot
- chore(deps): bump cirello.io/pglock from 1.10.0 to 1.11.0 #6149 @dependabot
- chore(deps): bump coredns from 1.10.0 to 1.10.1 #6227 @michaelbeaumont
- chore(deps): bump github.com/cilium/ebpf from 0.9.1 to 0.10.0 #6152 @dependabot
- chore(deps): bump github.com/containerd/cgroups from 1.0.4 to 1.1.0 #5878 @dependabot
- chore(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 #6051 @dependabot
- chore(deps): bump github.com/emicklei/go-restful/v3 from 3.10.1 to 3.10.2 #6261 @dependabot
- chore(deps): bump github.com/envoyproxy/go-control-plane from 0.10.3 to 0.11.0 #5947 @dependabot
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.1 to 0.10.1 #6307 #6316 @dependabot
- chore(deps): bump github.com/go-logr/logr from 1.2.3 to 1.2.4 #6454 @dependabot
- chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.4.3 to 4.5.0 #6071 @dependabot
- chore(deps): bump github.com/golang/protobuf from 1.5.2 to 1.5.3 #6263 @dependabot
- chore(deps): bump github.com/gruntwork-io/terratest from 0.41.9 to 0.41.15 #5924 #6076 #6258 @dependabot
- chore(deps): bump github.com/miekg/dns from 1.1.50 to 1.1.53 #6150 #6262 #6453 @dependabot
- chore(deps): bump github.com/onsi/ginkgo/v2 from 2.7.0 to 2.9.2 #5928 #6043 #6074 #6172 #6208 #6260 #6355 @dependabot
- chore(deps): bump github.com/onsi/gomega from 1.25.0 to 1.27.6 #5874 #6072 #6167 #6259 #6271 #6353 #6450 @dependabot
- chore(deps): bump github.com/prometheus/common from 0.39.0 to 0.42.0 #6073 #6273 @dependabot
- chore(deps): bump github.com/prometheus/prometheus from 0.41.0 to 0.42.0 #5927 @dependabot
- chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0 #6475 @dependabot
- chore(deps): bump github.com/spiffe/go-spiffe from 0.0.0-20190820222348-6adcf1eecbcc to github.com/spiffe/go-spiffe/v2 #6151 @dependabot
- chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.2 to 2.1.4 #6313 #6451 @dependabot
- chore(deps): bump github.com/testcontainers/testcontainers-go from 0.15.0 to 0.18.0 #6075 @dependabot
- chore(deps): bump github.com/vishvananda/netns to 0.0.4 #6103 @mmorel-35
- chore(deps): bump go from 1.18 to 1.20.2 #6179 #6279 @jakubdyszkiewicz,@lahabana
- chore(deps): bump go.uber.org/multierr from 1.9.0 to 1.11.0 #6264 #6452 @dependabot
- chore(deps): bump golang.org/x/net from 0.5.0 to 0.8.0 #6003 #6042 #6209 @dependabot
- chore(deps): bump golang.org/x/sys from 0.4.0 to 0.7.0 #5948 #6476 @dependabot
- chore(deps): bump golang.org/x/text from 0.6.0 to 0.8.0 #6004 #6211 @dependabot
- chore(deps): bump google.golang.org/grpc from 1.52.0 to 1.54.0 #5877 #5946 #6354 @dependabot
- chore(deps): bump google.golang.org/protobuf from 1.28.1 to 1.30.0 #6274 #6309 @dependabot
- chore(deps): bump gopkg.in/natefinch/lumberjack.v2 from 2.0.0 to 2.2.1 #5949 @dependabot
- chore(deps): bump helm.sh/helm/v3 from 3.11.0 to 3.11.2 #5962 #6265 @dependabot
- chore(deps): bump k8s.io/apiextensions-apiserver from 0.26.1 to 0.26.3 #6168 #6318 @dependabot
- chore(deps): bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 #6207 @dependabot
- chore(deps): bump k8s.io/kubectl from 0.26.1 to 0.26.3 #6171 #6308 @dependabot
- chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.1 to 0.14.6 #5875 #5926 #6210 #6455 @dependabot
- chore(deps): bump sigs.k8s.io/controller-tools from 0.11.1 to 0.11.3 #5876 #5925 @dependabot
- chore(deps): bump sigs.k8s.io/gateway-api from v0.5.1 to v0.6.0 #5559 @michaelbeaumont
- chore(deps): bump tibdex/github-app-token from 1.7.0 to 1.8.0 #5879 @dependabot
- chore(deps): remove dependency on github.com/prometheus/prometheus #6204 @lahabana
- chore(deps): security update #6397 #6473 @kumahq
- chore(deps): use latest kumahq/kuma-gui #5866 #5883 #5911 #5931 #5937 #5940 #5952 #5958 #6002 #6067 #6078 #6155 #6158 #6161 #6176 #6197 #6216 #6243 #6302 #6317 #6345 #6360 #6373 #6400 #6402 #6425 @kumahq
- feat(GatewayAPI): support HTTPRoutePathRedirect #6437 @michaelbeaumont
- feat(GatewayAPI): support ResponseHeaderModifier in HTTPRoute #6000 @michaelbeaumont
- feat(GatewayAPI): update to v0.6.2 #6293 @michaelbeaumont
- feat(MeshAccessLog): support OpenTelemetry #5999 @michaelbeaumont
- feat(MeshGateway): auto host rewrite for gateway route #6328 @bartsmykla
- feat(MeshGateway): support deployment customization for MeshGatewayInstance #6348 #6388 @johnharris85
- feat(MeshHTTPRoute): add RequestMirror filter #6064 @lobkovilya
- feat(MeshHTTPRoute): add header matching #5943 @michaelbeaumont
- feat(MeshHTTPRoute): add path modifier to redirect #5918 @lobkovilya
- feat(MeshHTTPRoute): cross-zone support #5984 @michaelbeaumont
- feat(MeshProxyPatch): add json patch support #6281 @bartsmykla
- feat(MeshRetry): add host selection predicates #6465 @johnharris85
- feat(MeshTrace): add support for opentelemetry trace backend #5992 @frzifus
- feat(api-server): manual mTLS #5979 @jakubdyszkiewicz
- feat(api-server): whoami endpoint #6120 @jakubdyszkiewicz
- feat(auth): separate authenticators for dp and zone proxy #5991 @jakubdyszkiewicz
- feat(helm): add default CNI resources #6287 @michaelbeaumont
- feat(helm): dynamic admission server port #6344 @d4kine
- feat(helm): make egress resources configurable #6286 @dascole
- feat(helm): make it possible to install universal cp on k8s #5913 @slonka
- feat(k8s): add a configuration option to list allowed service accounts #6505 @slonka
- feat(k8s): add annotation `prometheus.metrics.kuma.io/aggregate-application-address` to scrape custom address on k8s #6289 @slonka
- feat(k8s): set `kubectl.kubernetes.io/default-container` pod annotation #6055 @michaelbeaumont
- feat(kds): allow running non-tls KDS server #6145 @slonka
- feat(kds): delta KDS #6278 #6358 @lukidzi
- feat(kds): enable nack backoff #5894 @jakubdyszkiewicz
- feat(kuma-cp): allow Mesh default resources regeneration without deletion and restart #6223 @michaelbeaumont
- feat(kuma-cp): init container first by default #5857 @zekth
- feat(kumactl): generate public key command #5917 @jakubdyszkiewicz
- feat(kumactl): remove ca-cert or skip-verify requirement #6140 @jakubdyszkiewicz
- feat(persistence): change lib/pq to pgx #6257 @slonka
- feat(persistence): create pgx store #6359 #6457 @slonka
- feat(policies): extend policy matching API to work with egress and external services #6379 @lobkovilya
- feat(policies): implement MeshLoadBalancingStrategy #6117 #6163 #6202 #6390 @lobkovilya
- feat(tokens): allow kid to be a string #5944 @jakubdyszkiewicz
- feat(tokens): issue tokens offline #5919 @jakubdyszkiewicz
- feat(tokens): offline validation #6085 @jakubdyszkiewicz
- feat(tproxy): make tproxy v2 and CNI v2 default #6083 @bartsmykla
- fix(GatewayAPI): always set an explicit HTTPRoute Parents in status #6367 @michaelbeaumont
- fix(GatewayAPI): correctly handle invalid backendRefs #6428 @michaelbeaumont
- fix(MeshHTTPRoute): filter URLRewrite should be configured with ClusterSpecifier #5920 @lobkovilya
- fix(MeshRetry): guard against multiple previous priorities #6496 @johnharris85
- fix(MeshTimeout): apply MeshTimeout defaults when one of `from` or `to` section is missing #5902 @Automaat
- fix(ca/builtin): be less verbose when creating CA secrets #6217 @michaelbeaumont
- fix(docker): set `SHELL` to an existing binary #6192 @michaelbeaumont
- fix(docker): use no ssl image #5560 @slonka
- fix(helm): add appProtocol to services we create #6157 @lahabana
- fix(helm): don't include taint controller env when cni disabled #6148 @lukidzi
- fix(helm): don't specify a default type for extraSecrets #5932 @wheelerlaw
- fix(helm): make it possible to use custom CA in egress and ingress #5980 @lahabana
- fix(helm): postgres client cert setup #6335 @slonka
- fix(helm): remove universal on kubernetes env vars that are supposed to be provided via secrets #5938 @slonka
- fix(helm): security contexts for ebpf cleanup hook #6235 @bartsmykla
- fix(helm): set CP memory limits, by default equal to memory request, set CP CPU requests #6127 @michaelbeaumont
- fix(helm): set migration container resources and securityContext #6255 @michaelbeaumont
- fix(helm): set readOnlyRootFilesystem/runAsNonRoot, create a ServiceAccount in correct release namespace #6121 @michaelbeaumont
- fix(helm): set readOnlyRootFilesystem/runAsUser/runAsGroup on ingress/egress deployments #6164 @michaelbeaumont
- fix(helm): upgrade CRDs instead of installing missing CRDs #6403 @jakubdyszkiewicz
- fix(helm): use emptyDir at /tmp with CP #6162 @michaelbeaumont
- fix(kuma-cni): ipv6 iptables with provided gateway and CNI V2 #6374 @jakubdyszkiewicz
- fix(kuma-cp): allow names of the resource to be longer and validate the length #6123 @lukidzi
- fix(kuma-cp): change default value for KubeOutboundsAsVIPs #6057 @Automaat
- fix(kuma-cp): change validation of resources synced to global #6178 @jakubdyszkiewicz
- fix(kuma-cp): don't let CA requests for other meshes block generation #6282 @michaelbeaumont
- fix(kuma-cp): traffic split with internal and external service #5904 @lobkovilya
- fix(kuma-cp): zone ingress mixes services with the same name in different meshes #6364 @lobkovilya
- fix(kumactl): don't check compatibility when talking to a preview version #6143 @lahabana
- fix(policy): merging of policies results in not applying policy on some outbounds #6460 @jakubdyszkiewicz
- fix(tproxy): allow disabling ipv6 for tproxy #5923 @bartsmykla