Get ready to elevate your Kuma experience with the release of Kuma 2.6.0, a jam-packed update that brings a myriad of exciting features to the table. From introducing a new MeshMetric policy to expanding policy targeting capabilities for MeshGateways, this minor release is packed with enhancements that will transform your network connectivity.
Check out the blog post for more details!
Upgrading
We strongly suggest upgrading to Kuma 2.6.0. Upgrading is straightforward through kumactl or Helm.
Be sure to carefully read the Upgrade Guide before upgrading Kuma.
Notable Changes
- Expanded Policy Targeting
Kuma now allows a wider range of policies, including MeshCircuitBreaker, MeshFaultInjection, and MeshAccessLog, to target MeshGateways. This expands the granularity of policy enforcement and enables more fine-grained control over network traffic at the gateway level.
- MeshMetric Policy for Comprehensive Traffic Metrics
Kuma introduces the new MeshMetric policy, which provides a centralized and consistent approach to collecting traffic metrics across all data plane proxies in a mesh. This policy simplifies the management of metrics configurations and ensures that all traffic data is captured uniformly.
- Streamlined MeshGateway Routing
MeshHTTPRoute and MeshTCPRoute can now replace MeshGatewayRoute for configuring how a MeshGateway should process network traffic. This change provides greater flexibility and control over gateway routing rules.
- Modernized Default Policies
The default legacy policies automatically created during mesh creation have been replaced with new, targetRef style policies.
- Enhanced Traffic Flow without mTLS
When mTLS is not enabled for a mesh, traffic now flows by default, eliminating the need for a TrafficRoute policy.
- Improved GUI Experience
Kuma 2.6.0 introduces a number of enhancements to the graphical user interface (GUI), making it more user-friendly and intuitive.
- Effortless Single-Zone to Multi-Zone Migration
Kuma's zone federation allows you to effortlessly migrate from a single-zone deployment to a multi-zone configuration. This means you can start small with a single zone and gradually federate additional zones as your network grows, ensuring a smooth and controlled scaling process.
Changelog
- chore(deps): bump actions/cache from 3.3.2 to 4.0.0 #8865 #8985 @dependabot
- chore(deps): bump actions/checkout from 3.1.0 to 4.1.1 #8862 @dependabot
- chore(deps): bump actions/download-artifact and actions/upload-artifact from 3 to 4 #8701 @michaelbeaumont
- chore(deps): bump actions/github-script from 6 to 7 #8422 #8530 @dependabot
- chore(deps): bump actions/setup-go from 4 to 5 #8586 @dependabot
- chore(deps): bump actions/upload-artifact from 3.1.0 to 4.2.0 #8863 #8986 @dependabot
- chore(deps): bump debian from fab22df to b16cef8 #8465 #8685 #8853 @dependabot
- chore(deps): bump distroless/base-nossl-debian11 from 1ae8df5 to 61c9d7a #8659 @dependabot
- chore(deps): bump distroless/static-debian11 from cdb2034 to 1e5b9bb #8657 @dependabot
- chore(deps): bump github.com/bakito/go-log-logr-adapter from v0.0.2 to latest #8646 @michaelbeaumont
- chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 #8693 @dependabot
- chore(deps): bump github.com/containernetworking/plugins from 1.3.0 to 1.4.0 #8588 @dependabot
- chore(deps): bump github.com/emicklei/go-restful/v3 from 3.11.0 to 3.11.2 #8791 @dependabot
- chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.1 to 0.12.0 #8738 @dependabot
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.2 to 1.0.4 #8857 #8971 @dependabot
- chore(deps): bump github.com/evanphx/json-patch/v5 from 5.7.0 to 5.8.1 #8883 @dependabot
- chore(deps): bump github.com/exaring/otelpgx from 0.5.2 to 0.5.3 #8975 @dependabot
- chore(deps): bump github.com/go-logr/logr from 1.3.0 to 1.4.1 #8726 @dependabot
- chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.16.2 to 4.17.0 #8724 @dependabot
- chore(deps): bump github.com/google/uuid from 1.4.0 to 1.6.0 #8644 #9018 @dependabot
- chore(deps): bump github.com/gruntwork-io/terratest from 0.46.7 to 0.46.11 #8589 #8790 #8968 @dependabot
- chore(deps): bump github.com/jackc/pgx/v5 from 5.5.0 to 5.5.2 #8587 #8860 @dependabot
- chore(deps): bump github.com/miekg/dns from 1.1.56 to 1.1.58 #8421 #8970 @dependabot
- chore(deps): bump github.com/onsi/ginkgo/v2 from 2.13.1 to 2.15.0 #8520 #8859 #8973 @dependabot
- chore(deps): bump github.com/onsi/gomega from 1.30.0 to 1.31.1 #8976 @dependabot
- chore(deps): bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 #8728 @dependabot
- chore(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 #8858 @dependabot
- chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.6 to 2.1.7 #8974 @dependabot
- chore(deps): bump github.com/testcontainers/testcontainers-go from 0.26.0 to 0.27.0 #8725 @dependabot
- chore(deps): bump github/codeql-action from 2 to 3.23.1 #8662 #8864 #8984 @dependabot
- chore(deps): bump golang from 1.21.4 to 1.21.6 #8616 #8944 @jakubdyszkiewicz,@michaelbeaumont
- chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 #8665 @dependabot
- chore(deps): bump golang.org/x/net from 0.18.0 to 0.20.0 #8519 #8789 @dependabot
- chore(deps): bump golang.org/x/sys from 0.14.1-0.20231108175955-e4099bfacb8c to 0.16.0 #8521 #8774 @dependabot
- chore(deps): bump google.golang.org/grpc from 1.59.0 to 1.61.0 #8645 #8686 #9017 @dependabot
- chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 #8727 @dependabot
- chore(deps): bump helm.sh/helm/v3 from 3.13.2 to 3.14.0 #8643 #8969 @dependabot
- chore(deps): bump ossf/scorecard-action from 2.1.2 to 2.3.1 #8861 @dependabot
- chore(deps): bump postgres from e213539 to 49c276f #8785 #8842 #8866 @dependabot
- chore(deps): bump sigs.k8s.io/controller-runtime from 0.16.3 to 0.17.0 #8972 @dependabot
- chore(deps): bump sigs.k8s.io/controller-tools from 0.13.0 to 0.14.0 #8856 @dependabot
- chore(deps): bump the go-opentelemetry-io group with 3 updates #8420 @dependabot
- chore(deps): bump the go-opentelemetry-io group with 5 updates #8967 @dependabot
- chore(deps): bump the k8s-libs group from 0.28.3 to 0.28.4 #8419 @dependabot
- chore(deps): bump the k8s-libs group with 1 update #8854 @dependabot
- chore(deps): bump the k8s-libs group with 3 updates #8642 @dependabot
- chore(deps): bump the k8s-libs group with 4 updates #8966 @dependabot
- chore(deps): bump ubuntu from 2b7412e to 6042500 #8518 #8658 @dependabot
- chore(deps): fix update insecure dependencies by setting bigger swap #8677 @slonka
- chore(deps): more explicit image tag in envoy.Dockerfile #8482 @michaelbeaumont
- chore(deps): security update #8696 #9104 @kumahq
- chore(deps): tag ubuntu image more explicitly #8988 @michaelbeaumont
- chore(deps): use latest kumahq/kuma-gui #8400 #8401 #8405 #8418 #8425 #8434 #8440 #8441 #8446 #8452 #8453 #8454 #8470 #8480 #8481 #8488 #8496 #8501 #8504 #8507 #8531 #8534 #8538 #8546 #8550 #8554 #8561 #8564 #8577 #8579 #8583 #8585 #8590 #8592 #8594 #8600 #8601 #8619 #8620 #8637 #8638 #8684 #8709 #8712 #8714 #8735 #8751 #8758 #8779 #8784 #8794 #8797 #8802 #8803 #8810 #8835 #8841 #8848 #8850 #8869 #8870 #8871 #8886 #8895 #8899 #8903 #8910 #8914 #8917 #8941 #8948 #8987 #9003 #9004 #9008 #9040 #9052 #9055 @kumahq
- feat(ExternalService): make ExternalServices independent of TrafficPermission #8745 @lukidzi
- feat(ExternalService): validate same value for service and address #8641 @jakubdyszkiewicz
- feat(MeshAccessLog): select gateway listeners #8560 @michaelbeaumont
- feat(MeshCircuitBreaker): select MeshGateway listeners #8562 @michaelbeaumont
- feat(MeshFaultInjection): select MeshGateway listeners #8574 @michaelbeaumont
- feat(MeshFaultInjection): support ExternalServices with ZoneEgress #8742 @lukidzi
- feat(MeshHTTPRoute): add basic gRPC support #8752 @lukidzi
- feat(MeshHTTPRoute): add hostToBackendHostname rewrite with MeshGateway #8772 @michaelbeaumont
- feat(MeshHTTPRoute): basic MeshGateway support #8402 @michaelbeaumont
- feat(MeshHTTPRoute): support hostnames with MeshGateway #8663 @michaelbeaumont
- feat(MeshHealthCheck): select MeshGateway listeners #8570 @michaelbeaumont
- feat(MeshLoadBalancingStrategy): add option to configure ActiveRequestBias #8553 @lukidzi
- feat(MeshLoadBalancingStrategy): select MeshGateway listeners #8571 @michaelbeaumont
- feat(MeshLoadBalancingStrategy): support kind MeshGateway #8889 @michaelbeaumont
- feat(MeshMetric): add create conflicts to the metric #8894 @jakubdyszkiewicz
- feat(MeshMetric): implement OpenTelemetry API for MeshMetric #8874 @Automaat
- feat(MeshRateLimit): select MeshGateway listeners #8733 @michaelbeaumont
- feat(MeshRateLimit): support ExternalServices with ZoneEgress #8743 @lukidzi
- feat(MeshRetry): select MeshGateway listeners #8734 @michaelbeaumont
- feat(MeshTCPRoute): add kafka protocol support #8781 @lukidzi
- feat(MeshTCPRoute): support MeshGateway #8817 @michaelbeaumont
- feat(MeshTimeout): add RequestHeadersTimeout option and configure MeshGateway #8896 @lukidzi
- feat(MeshTimeout): select MeshGateway listeners #8573 @michaelbeaumont
- feat(MeshTrace): select MeshGateway listeners #8595 @michaelbeaumont
- feat(MeshTrace): support kind MeshGateway #8888 @michaelbeaumont
- feat(api-server): add /_resources endpoint #8529 @lahabana
- feat(api-server): add _rules api to MeshGateways #8540 @lahabana
- feat(api-server): add dataplanes/_rules new inspect api #8442 @lahabana
- feat(api-server): skip auth on specific endpoints #8458 @jakubdyszkiewicz
- feat(bootstrap): support customizing corefile template from kuma-cp #8634 @jijiechen
- feat(dataplane): ignored listeners with ignored labels in selector #8463 @jakubdyszkiewicz
- feat(grafana): change fixed interval to rate interval variable #8713 @jakubdyszkiewicz
- feat(gui): add disabled in the index.html and remove disabled page #8813 @lahabana
- feat(injector): add ephemeral-storage resource request/limit for sidecars #8882 @jijiechen
- feat(intercp): drop leader on cp shutdown #9046 @jakubdyszkiewicz
- feat(k8s): show ZoneEgress zone as column #8913 @michaelbeaumont
- feat(k8s): show ZoneIngress zone as column #8906 @michaelbeaumont
- feat(kds): add zoneCP info in zone-insights #8720 @lahabana
- feat(kds): log additional gRPC status codes at info level #8502 @michaelbeaumont
- feat(kuma-cp): added comment and more explicit structure #8753 @lukidzi
- feat(kuma-cp): create default target ref policies #8920 @lukidzi
- feat(kuma-cp): deprecate standalone mode #8478 @jakubdyszkiewicz
- feat(kuma-cp): disable the default creation of TrafficPermission and TrafficRoute #8964 @lukidzi
- feat(kuma-cp): enable zone-originated MeshGateway #8919 @lobkovilya
- feat(kuma-cp): enable zone-originated policies #8801 @lobkovilya
- feat(kuma-cp): hash-suffix remove feature flag #8461 @lobkovilya
- feat(kuma-cp): move protocol information to mesh context #8479 @lukidzi
- feat(kuma-cp): require kuma.io/origin: zone label when creating zone-origination policies #8873 @lobkovilya
- feat(kuma-cp): support cross-zone MeshTCPRoute #8509 @michaelbeaumont
- feat(kuma-cp): support labels in ResourceMeta #8516 @lobkovilya
- feat(kuma-cp): use labels for KDS sync #8762 @lobkovilya
- feat(kuma-dp): add coredns logging flag #8485 @timothy-spencer
- feat(kumactl): basic export command #8718 #9009 @jakubdyszkiewicz,@slonka
- feat(kumactl): export in kube format #8747 @jakubdyszkiewicz
- feat(kumactl): make k8s resources applicable on other clusters #8775 @jakubdyszkiewicz
- feat(kumactl): more profiles in export #8780 @jakubdyszkiewicz
- feat(mads): extend MADS service to use data from MeshMetric policy #8608 @slonka
- feat(policy): Add MeshMetric api #8576 @Automaat
- feat(policy): Implement dynamic DPP configuration based on MeshMetric policy #8793 @Automaat
- feat(policy): add OpenTelemetry support for MeshMetric #8893 @Automaat
- feat(policy): add MeshMetric policy e2e tests #8750 @Automaat
- feat(policy): add possibility to target only gateways/sidecars #8868 @lukidzi
- feat(policy): add tags to backends for support VirtualOutbounds #8744 @lukidzi
- feat(policy): allow policies with from and to configuring egress #8739 @lukidzi
- feat(policy): implement MeshMetric xds #8617 @Automaat
- feat(policy): support MeshGateway listener matching #8551 @michaelbeaumont
- feat(resources): add kuma.io/display-name label #8705 @jakubdyszkiewicz
- feat(routes): handle routing if there are no TrafficRoutes #8614 @michaelbeaumont
- feat(universal): add VIP_REFRESH_INTERVAL #9042 @nicoche
- feat(vip): record generation metrics #9047 @nicoche
- feat(xds): do not generate independent listener for vips, use additional_addresses instead #8796 @jijiechen
- feat(zone): create Zone resources on zone cp automatically and generate ZoneInsights #8584 @jakubdyszkiewicz
- fix(MeshCircuitBreaker): revert validator and check if config is empty #9028 @lukidzi
- fix(MeshFaultInjection): handle listener protocol correctly #8815 @michaelbeaumont
- fix(MeshHTTPRoute): generate better resources when using HTTPS #9038 @michaelbeaumont
- fix(MeshHTTPRoute): make ordering more consistent #8715 @michaelbeaumont
- fix(MeshHTTPRoute): use 302 as default status code on Universal to match Kubernetes #8409 @michaelbeaumont
- fix(MeshHealthCheck): handle gateway listener protocol correctly #8812 @michaelbeaumont
- fix(MeshRateLimit): remove validation of Mesh type and proxyTypes for… #9041 @lukidzi
- fix(MeshRetry): handle gateway listener protocol correctly #8811 @michaelbeaumont
- fix(ZoneEgress): rewrite host header on ExternalService requests #8403 @michaelbeaumont
- fix(ZoneIngress): subset routing when tag is present on all subsets #8443 @michaelbeaumont
- fix(ZoneWatch): stop watching Zone if ZoneInsight not found #8766 @michaelbeaumont
- fix(api): secret in k8s format #8741 @jakubdyszkiewicz
- fix(gateway): check if external service from context when no trafficpermission #8957 @lukidzi
- fix(gateway): isolate routes to SNI matches #9054 @michaelbeaumont
- fix(k8s): support injection with label kuma.io/sidecar-injection: 'true' #8464 @michaelbeaumont
- fix(kds): avoid rare cases where onStreamClosed is called with no state #8703 @lahabana
- fix(kds): fix deletion of previous zones in components #8867 @lahabana
- fix(kds): fix resource sync #9014 @lukidzi
- fix(kds): make status tracker work when there's no metadata #8711 @lahabana
- fix(kds): race condition on fill metadata #8872 @jakubdyszkiewicz
- fix(kuma-cp): assign extensions in ZoneInsightSink constructor #8940 @bartsmykla
- fix(kuma-cp): don't remove Service if MeshGateway is absent for a while (i.e. due to renaming) #8450 @lobkovilya
- fix(kuma-cp): don't run outbound proxy generator when there is no TrafficRoute #9082 @michaelbeaumont
- fix(kuma-cp): enable hash-suffix only if Zone has KDS feature #8460 @lobkovilya
- fix(kuma-cp): failure during the migration from non-federated to federated zone #8938 @lobkovilya
- fix(kuma-cp): fix address check to not be loopback ipv4 and ipv6 #8490 @lukidzi
- fix(kuma-cp): global upgrade #8890 @lobkovilya
- fix(kuma-cp): make metadata retrieve method public #8918 @lukidzi
- fix(kuma-cp): return sorted list of k8s secrets #9030 @lukidzi
- fix(kuma-cp): set creationTime on KDS sync #8945 @lobkovilya
- fix(kuma-cp): treat envoy admin errors as 4xx #8615 @lobkovilya
- fix(kuma-cp): upgrade from Zone CP without labels to new one #8839 @lobkovilya
- fix(kuma-cp): use column names in sql insert #8688 @lobkovilya
- fix(kuma-cp): use pagination store for secret store #9033 @lukidzi
- fix(metrics): fix kds metrics for simple watchdog #8428 @slonka
- fix(metrics): unify zone name in metrics for k8s and universal #8435 @slonka
- fix(policy): allow period in targetRef names #8754 @michaelbeaumont
- fix(policy): first lexicographically wins, kind MeshGateway with tags over kind MeshGateway #8691 @michaelbeaumont
- fix(policy): improve validator messages, allow string failoverthreshold #8929 @lahabana
- fix(policy): support delegated gateways #8740 @michaelbeaumont
- fix(vips): skip ignored listeners #8937 @jakubdyszkiewicz