We are excited to announce the latest release!
Notable Changes
MeshService and MeshMultiZoneService
A new, more robust way of representing services and managing traffic in Kuma. Read more here and here.
Producer consumer policies
A new, more Kubernetes-native way of managing policies by service owners. Fully compatible with multi-zone deployments. Read more here.
Selective mTLS with a new MeshTLS policy
Roll out mTLS by leveraging permissive mTLS settings on individual services. Read more here.
More robust transparent proxying
Transparent proxying is now more consistent and easier to configure and observe.
Changelog
- chore(deps): bump Kong/public-shared-actions from 2.3.0 to 2.7.3 #11139 #11218 #11263 #11310 #11518 #11598 #11696 @dependabot
- chore(deps): bump coredns from v1.11.1 to v1.11.3 #11568 @michaelbeaumont
- chore(deps): bump debian from 12.5 to 27586f4 #10756 #11007 #11142 #11357 #11596 @dependabot
- chore(deps): bump distroless/base-nossl-debian11 from 1dcd82e to d66c60e #10823 @dependabot
- chore(deps): bump distroless/static-debian11 from 459f8ab to 55716e8 #10824 @dependabot
- chore(deps): bump envoy from 1.30.2 to 1.30.6 #10645 #10692 #11488 @lukidzi
- chore(deps): bump github.com/Masterminds/semver/v3 from 3.2.1 to 3.3.0 #11259 @dependabot
- chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.3 to 3.3.0 #11281 @dependabot
- chore(deps): bump github.com/cilium/ebpf from 0.15.0 to 0.16.0 #11006 @dependabot
- chore(deps): bump github.com/containernetworking/cni from 1.2.1 to 1.2.3 #10703 #10939 @dependabot
- chore(deps): bump github.com/docker/docker from 27.0.3+incompatible to 27.1.1+incompatible #11012 #11084 @dependabot
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.4 to 1.1.0 #11097 @dependabot
- chore(deps): bump github.com/exaring/otelpgx from 0.6.1 to 0.6.2 #10701 @dependabot
- chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.17.1 to 4.18.1 #11353 @dependabot
- chore(deps): bump github.com/gruntwork-io/terratest from 0.46.15 to 0.47.2 #10700 #10899 #11282 #11677 @dependabot
- chore(deps): bump github.com/jackc/pgx/v5 from 5.6.0 to 5.7.1 #11358 #11436 @dependabot
- chore(deps): bump github.com/miekg/dns from 1.1.61 to 1.1.62 #11117 @dependabot
- chore(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2 #10938 @dependabot
- chore(deps): bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.20.2 #11005 #11099 #11212 #11258 @dependabot
- chore(deps): bump github.com/onsi/gomega from 1.33.1 to 1.34.2 #11004 #11048 #11262 @dependabot
- chore(deps): bump github.com/prometheus/client_golang from 1.19.1 to 1.20.4 #11119 #11215 #11352 #11522 @dependabot
- chore(deps): bump github.com/prometheus/common from 0.54.0 to 0.60.0 #10702 #11260 #11313 #11356 #11681 @dependabot
- chore(deps): bump github.com/sethvargo/go-retry from 0.2.4 to 0.3.0 #11046 @dependabot
- chore(deps): bump github.com/slok/go-http-metrics from 0.11.0 to 0.13.0 #10037 #11354 @dependabot
- chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.3.0 to 2.4.0 #11680 @dependabot
- chore(deps): bump github.com/testcontainers/testcontainers-go from 0.31.0 to 0.33.0 #10827 #11214 @dependabot
- chore(deps): bump github.com/tonglil/opentelemetry-go-datadog-propagator from 0.1.2 to 0.1.3 #10699 @dependabot
- chore(deps): bump github.com/vishvananda/netlink from 1.2.1-beta.2 to 1.3.0 #11213 @dependabot
- chore(deps): bump go from 1.22.7 to 1.23.2 #11363 #11631 @michaelbeaumont,@slonka
- chore(deps): bump golang.org/x/net from 0.26.0 to 0.30.0 #10826 #11096 #11355 #11683 @dependabot
- chore(deps): bump golang.org/x/sys from 0.21.0 to 0.26.0 #10825 #11047 #11098 #11314 #11679 @dependabot
- chore(deps): bump golang.org/x/text from 0.16.0 to 0.19.0 #11100 #11315 #11678 @dependabot
- chore(deps): bump gonum.org/v1/gonum from 0.15.0 to 0.15.1 #11138 @dependabot
- chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.67.0 #10758 #11521 @dependabot
- chore(deps): bump google.golang.org/protobuf from 1.34.2 to 1.35.1 #11699 @dependabot
- chore(deps): bump helm.sh/helm/v3 from 3.14.4 to 3.16.1 #10531 #10898 #11118 #11435 @dependabot
- chore(deps): bump kumahq/ubuntu-netools from 8675216 to 4243009 #10704 @dependabot
- chore(deps): bump postgres from 46aa2ee to 4ec37d2 #10755 #11008 #11101 #11136 #11351 #11600 @dependabot
- chore(deps): bump sigs.k8s.io/controller-tools from 0.16.1 to 0.16.2 #11280 @dependabot
- chore(deps): bump sigs.k8s.io/gateway-api from 1.1.0 to 1.2.0 #11676 @dependabot
- chore(deps): bump the go-opentelemetry-io group across 1 directory with 9 updates #10767 @dependabot
- chore(deps): bump the go-opentelemetry-io group with 9 updates #11211 #11433 @dependabot
- chore(deps): bump the k8s-libs group across 1 directory with 10 updates #10759 @dependabot
- chore(deps): bump the k8s-libs group with 5 updates #10937 @dependabot
- chore(deps): bump the k8s-libs group with 6 updates #11432 @dependabot
- chore(deps): bump the k8s-libs group with 8 updates #11137 @dependabot
- chore(deps): bump ubuntu from jammy-20240530 to jammy-20240808 #11141 @dependabot
- chore(deps): security update #11331 @kumahq
- chore(deps): use latest kumahq/kuma-gui #10587 #10627 #10629 #10632 #10633 #10635 #10636 #10644 #10647 #10650 #10666 #10673 #10674 #10687 #10718 #10720 #10727 #10795 #10797 #10838 #10840 #10843 #10846 #10861 #10881 #10895 #10902 #10909 #10911 #10912 #10950 #10967 #10971 #10985 #10986 #11011 #11015 #11016 #11030 #11243 #11269 #11271 #11290 #11291 #11295 #11299 #11303 #11306 #11320 #11340 #11366 #11368 #11370 #11374 #11376 #11411 #11419 #11446 #11451 #11453 #11454 #11480 #11495 #11530 #11535 #11536 #11559 #11577 #11580 #11594 #11595 #11603 #11622 #11647 #11751 @kumahq
- feat(GatewayAPI): support port in parentRef #10828 @michaelbeaumont
- feat(HostnameGenerator): automatically create default generators #11017 @jakubdyszkiewicz
- feat(Mesh*Route): require port with MeshMultiZoneService backends #11479 @michaelbeaumont
- feat(Mesh*Service): add first hostname as kubectl column #11714 @michaelbeaumont
- feat(MeshExternalService): added option to disable allow-all RBAC #11073 @lukidzi
- feat(MeshMultiZoneService): add support to MeshCircuitBreaker, MeshAccessLog, MeshHealthCheck, MeshRetry #11322 @michaelbeaumont
- feat(MeshMultiZoneService): support as target #11205 @michaelbeaumont
- feat(MeshMultizoneService): support multizone deployments of mesh services. #10643 #10648 #10667 #10683 #10883 #10984 @jakubdyszkiewicz
- feat(MeshService): add Mesh.MeshServices.Enabled to control behavior #11279 @michaelbeaumont
- feat(MeshService): add event to the Service that an unsupported port is being ignored #11033 @michaelbeaumont
- feat(MeshService): add grace period before deleting generated MeshServices on universal #11018 @michaelbeaumont
- feat(MeshService): automatically add port name when generating #11210 @michaelbeaumont
- feat(MeshService): create different clusters for real MeshServices #11251 @michaelbeaumont
- feat(MeshService): disable available services on disabled vips #10612 @jakubdyszkiewicz
- feat(MeshService): generate MeshService from Dataplanes on universal #10917 @michaelbeaumont
- feat(MeshService): mitigate and handle resource conflicts #11385 @jakubdyszkiewicz
- feat(MeshService): permissive mtls #10929 @jakubdyszkiewicz
- feat(MeshService): proxies stats and state #10970 @jakubdyszkiewicz
- feat(MeshTimeout): support MeshMultiZoneService #11206 @michaelbeaumont
- feat(api-server): extend Inspect API with new ResourceRules #11040 @Automaat
- feat(autoreachableservices): support kuma.io/service in mesh subset #11244 @jakubdyszkiewicz
- feat(helm): add possibility to configure env vars with value from referenced field #10716 @Automaat
- feat(insights): add resources to global insights #11216 @jakubdyszkiewicz
- feat(insights): count new services as resources #11083 @jakubdyszkiewicz
- feat(kds): remove kds v1 #10946 @Icarus9913
- feat(kuma-cp): add backendRef indexes to rules #11175 @lobkovilya
- feat(kuma-cp): add possibility to omit top level targetRef in policies #11321 @Automaat
- feat(kuma-cp): add resource owner to resources in ResourceSet #11043 @Automaat
- feat(kuma-cp): don't trace intercp pings #10936 @michaelbeaumont
- feat(kuma-cp): exit with 0 when kubernetes leader election is lost #11106 @michaelbeaumont
- feat(kuma-cp): introduce ResourceRules #10886 @lobkovilya
- feat(kuma-cp): make loggers naming from xds package consistent #10965 @Automaat
- feat(kuma-cp): resolve labels for backendref #11360 @jakubdyszkiewicz
- feat(kuma-cp): set kuma.io/env label #11053 @michaelbeaumont
- feat(kuma-cp): set kuma.io/mesh label using ComputeLabels func #11104 @lobkovilya
- feat(kuma-cp): set kuma.io/mesh on universal resource labels #11037 @michaelbeaumont
- feat(kuma-cp): standardize cluster name for Mesh*Service #11398 @lukidzi
- feat(kuma-cp): support producer policy flow #11308 @lobkovilya
- feat(kuma-cp): use ResourceIdentifier in MeshContext structs #11203 @lobkovilya
- feat(kuma-dp): respond probes of kuma-sidecar from kuma-dp process instead of Envoy #11107 @jijiechen
- feat(kuma-dp): support TCP and gRPC probes for data planes running on Kubernetes #10624 @jijiechen
- feat(kumactl): add no-dataplanes profile and skip secrets when exporting #10964 @lahabana
- feat(kumactl): add server info when doing export #10914 @lahabana
- feat(meshexternalservice): make egress optional on the mesh to pass the traffic of mesh external service through egress. #11445 @jakubdyszkiewicz
- feat(meshexternalservice): remove MeshTrafficPermission support for MeshExternalService and allow traffic when using egress #11075 @lukidzi
- feat(meshexternalservice): remove unix support #11350 @slonka
- feat(meshexternalservice): route traffic through egress only #11080 @lukidzi
- feat(meshexternalservice): support MeshExternalService in MeshGateway and MeshHTTPRoute #11383 @slonka
- feat(meshexternalservice): use common protocol field #11378 @slonka
- feat(meshloadbalancingstrategy): support for multizoneservice #11276 @jakubdyszkiewicz
- feat(meshpassthrough): add support for delegated gateway #10675 @lukidzi
- feat(meshtls): implement policy for granular mtls configuration #11229 #11233 #11254 #11437 #11447 #11468 #11469 @lukidzi,@slonka
- feat(observability): default installation with exclusive mesh services #11452 @jakubdyszkiewicz
- feat(policy): implicitly reference MeshService objects with kuma.io/service #11230 @michaelbeaumont
- feat(policy): support targeting real MeshExternalService in MeshAccessLog, MeshCircuitBreaker, MeshHTTPRoute, MeshHealthCheck, MeshLoadBalancingStrategy, MeshRetry, MeshTCPRoute, MeshTimeout #11162 #11163 #11220 #11231 #11232 #11236 #11272 #11273 @lukidzi
- feat(policy): support targeting real MeshService in MeshAccessLog, MeshCircuitBreaker, MeshHTTPRoute, MeshHealthCheck, MeshRetry, MeshTCPRoute, MeshTimeout #11060 #11063 #11068 #11070 #11154 #11161 #11222 @Automaat
- feat(reachableservices): support defining reachable services for MeshService and MeshExternalService #10869 @lukidzi
- feat(transparent-proxy): add comments to tproxy iptables rules #10809 #10811 @bartsmykla
- feat(transparent-proxy): add iptables logging with new flag and annotation #10743 @bartsmykla
- feat(transparent-proxy): add option to exclude inbound ip addresses from transparent proxy #10884 @bartsmykla
- feat(transparent-proxy): add option to exclude ip addresses from outbound redirection #10867 @bartsmykla
- feat(transparent-proxy): add option to uninstall transparent proxy #10890 @bartsmykla
- feat(transparent-proxy): allow --kuma-dp-user to accept UIDs and deprecate --kuma-dp-uid flag #10920 @bartsmykla
- feat(transparent-proxy): allow configuring transparent proxy from config file #11089 #11403 @bartsmykla
- feat(transparent-proxy): allow insert instead of append redirect rules #11267 @bartsmykla
- feat(transparent-proxy): enforce root privileges for (un)install commands #11166 @bartsmykla
- feat(transparent-proxy): handle option to drop invalid packets #10676 @bartsmykla
- feat(transparent-proxy): improve the way of identifying/locating iptables binaries #11207 #11277 @bartsmykla
- feat(transparent-proxy): improve the way of picking iptables executables/binaries #11165 #11302 @bartsmykla
- feat(transparent-proxy): remove deprecated flags and annotations for outbound port exclusions for UIDs #10983 @bartsmykla
- feat(transparent-proxy): remove deprecated redirect inbound port IPv6 #10906 @bartsmykla
- fix(HostnameGenerator): fix issues syncing HostnameGenerator policies from global CP to zone CPs #11062 @jakubdyszkiewicz
- fix(HostnameGenerator): selectors validation and matching #10688 @jakubdyszkiewicz
- fix(HostnameGenerator): sort resources before generating hostnames #11010 @michaelbeaumont
- fix(MeshAccessLog): strengthen validation for MeshAccessLog and MeshGateway #11560 @michaelbeaumont
- fix(MeshGateway): apply policies to clusters from real backendRefs #11531 @michaelbeaumont
- fix(MeshGateway): handle unresolved real backendRefs #11461 @michaelbeaumont
- fix(MeshGateway): prevent duplicate virtual hosts #10866 @michaelbeaumont
- fix(MeshLoadBalancingStrategy): apply to real resource targeted policies with MeshGateway #11582 @michaelbeaumont
- fix(MeshLoadBalancingStrategy): only allow loadBalancer with MeshGateway and to.targetRef.kind: Mesh #11563 @michaelbeaumont
- fix(MeshPassthrough): Route / as a prefix instead of the whole path #11204 @michaelbeaumont
- fix(MeshService): add port name when converting from Service #10638 @michaelbeaumont
- fix(MeshService): don't duplicate headless service VIPs #10682 @michaelbeaumont
- fix(MeshService): don't exclude kuma.io/service if using reachableBackends #11301 @michaelbeaumont
- fix(MeshService): don't skip endpoints for headless #10684 @michaelbeaumont
- fix(MeshService): don't skip endpoints for headless with ZoneIngress #10735 @michaelbeaumont
- fix(MeshService): don't sync deletion grace period label #11064 @michaelbeaumont
- fix(MeshService): limit display name to 63 characters #10719 @michaelbeaumont
- fix(api): when resource has origin zone assume it is local #11766 @lukidzi
- fix(api-server): make clearer error messages for "method not allowed" errors on the global CP #11069 @michaelbeaumont
- fix(autoreachableservices): do not filter out MeshMultiZoneService #11747 @lukidzi
- fix(cni): set proper namespace for the taint controller #10651 @slonka
- fix(cni): set proper namespace for the taint controller (backport of #10651) #10662 @kumahq
- fix(e2e): loosen up assertion on traffic route test #11764 @Automaat
- fix(egress): same external service tag in multiple meshes #11667 @jakubdyszkiewicz
- fix(federation): export mesh secrets before Mesh objects #11497 @michaelbeaumont
- fix(federation): set skipCreatingInitialPolicies on exported Meshes #11501 @michaelbeaumont
- fix(injector): set allowPrivilegeEscalation: false on kuma-validation container #11178 @voidlily
- fix(inspect-api): add missing resources to BaseMeshContext #11482 @lobkovilya
- fix(inspect-api): added check if dpp is affected by zone policy #11425 @lukidzi
- fix(inspect-api): amend openapi types for arbitrary objects #11515 @johncowen
- fix(inspect-api): correct resource types in the inspect API to types of the policy, not the type of targetRef #11438 @lobkovilya
- fix(inspect-api): don't panic when outbound doesn't have 'kuma.io/service' tag #11613 @lobkovilya
- fix(inspect-api): don't set 'toRules' when meshServices.mode: Exclusive #11623 @lobkovilya
- fix(inspect-api): make conf an array of unknown structs in OpenAPI spec #11528 @johncowen
- fix(k8s): always authenticate with latest service account token #11399 @michaelbeaumont
- fix(k8s): avoid nil TargetRef pointer dereference (backport of #10746) #10763 @kumahq
- fix(k8s): avoid nil TargetRef pointer dereference in pod controller #10746 @czeslavo
- fix(k8s): check if labels has changed when reconciling #11758 @lukidzi
- fix(k8s): reenable deep copies when interacting with k8s resources #10561 @michaelbeaumont
- fix(kds): do not log an error when context cancelled #10923 @lukidzi
- fix(kuma-cp): Global Inspect API returns incorrect list of affected gateways dataplanes #11790 @lobkovilya
- fix(kuma-cp): add labels to dataplane object on universal #11449 @lukidzi
- fix(kuma-cp): allow specifying namespace when targeting MeshExternalService in policies #11474 @Automaat
- fix(kuma-cp): check if zone is online before forwarding request #10919 @lukidzi
- fix(kuma-cp): consumer scoped policies should be applied only on dpps from the same namespace #11300 @Automaat
- fix(kuma-cp): couldn't use to[].targetRef: Mesh on non-federated zones #11428 @lobkovilya
- fix(kuma-cp): deprecate use of kuma.io/mesh annotation and use label instead #11690 @lukidzi
- fix(kuma-cp): do not sync policies with empty topLevel targetRef to zones that do not support it #11457 @Automaat
- fix(kuma-cp): don't add namespace labels when resource was synced from universal zone #10913 #11020 @Automaat
- fix(kuma-cp): don't allow namespace-scoped policies with 'to' and 'from' arrays at the same time #11750 @lobkovilya
- fix(kuma-cp): don't override owner and creation time Create opts #11009 @michaelbeaumont
- fix(kuma-cp): don't wait before ticking the first time in watchdog #11105 @michaelbeaumont
- fix(kuma-cp): fix conn closed error on transaction rollback #10665 @Automaat
- fix(kuma-cp): handle cases when requested BackendRefIdentifier contains ports #11278 @lobkovilya
- fix(kuma-cp): map port to section name for reachable backends #11736 @lukidzi
- fix(kuma-cp): paginate Secrets correctly in universal #10954 @michaelbeaumont
- fix(kuma-cp): panic when DPP uses outbounds with 'backendRef.Labels' and no meshservices were matched #11604 @lobkovilya
- fix(kuma-cp): pass future meta to Validate when creating a resource #10927 @michaelbeaumont
- fix(kuma-cp): properly match policies to gateway when calling _rules endpoint #11504 @Automaat
- fix(kuma-cp): remove automatically created MeshServices when mode is switched to Disabled #11675 @lobkovilya
- fix(kuma-cp): resources that were created on 2.7.x are missing namespace labels when synced on global #11794 @lobkovilya
- fix(kuma-cp): use contexts instead of channels in watchdog #11110 @lahabana
- fix(kuma-cp): validation for explicit DPP outbounds with BackendRef #11415 @lobkovilya
- fix(kuma-dp): don't fail if envoy version is not semver #11095 @lahabana
- fix(kumactl): fix flag in information banner for kumactl generate tls-certificate #11318 @f100024
- fix(kumactl): remove service in prometheus config #10969 @lahabana
- fix(kumactl): support empty docs in kumactl apply #10951 @lahabana
- fix(mads): add mutex when checking if reconcile is needed and reconciling #11578 @lobkovilya
- fix(meshexternalservice): allow defining only name or labels #11502 @lukidzi
- fix(meshexternalservice): generate correct sni for sidecar and egress #11382 @lukidzi
- fix(meshexternalservice): map from/to policy to resource rule for Egress #11384 @lukidzi
- fix(meshgateway): do not override annotations from deployment #10698 @Automaat
- fix(meshgatewayinstance): remove required since we generate serviceName #11151 @lukidzi
- fix(meshhttproute): deref pointer to weight or use default 1 #11051 @lukidzi
- fix(meshmetric): add missing timestamp in mapper #10966 @slonka
- fix(meshmultizoneservice): order of matched mesh services #11475 @jakubdyszkiewicz
- fix(meshpassthrough): do not require port #10941 @lukidzi
- fix(meshpassthrough): don't remove all filters chains #11540 @lukidzi
- fix(meshservice): do not wipe out identities of synced service #10655 @jakubdyszkiewicz
- fix(meshservice): permissive mTLS of synced services #11749 @jakubdyszkiewicz
- fix(meshservice): use only labels to index services #11450 @jakubdyszkiewicz
- fix(observability): use internal and external requests in outgoing status code panel #10974 @michaelbeaumont
- fix(policy): don't fail when it cannot map MeshExternalService to tags rules #11155 @lukidzi
- fix(policy): verify zone if dpp origin is zone and metadata exists #11462 @lukidzi
- fix(resourcerules): add own mesh to the MeshContext, so it could be successfully resolved #11525 @lobkovilya
- fix(transparent-proxy): avoid mounting xtables.lock for newer versions of legacy iptables #11113 @bartsmykla
- fix(transparent-proxy): check DNS related CLI flags earlier #11402 @bartsmykla
- fix(transparent-proxy): conntrack zone splitting in docker containers with custom network #11684 @bartsmykla
- fix(transparent-proxy): enable kuma.io/transparent-proxying-ip-family-mode annotation per pod #10905 @bartsmykla
- fix(transparent-proxy): fix IPv6 iptables rules when no IPv6 DNS servers #10800 @bartsmykla
- fix(transparent-proxy): fix pod delay when CNI on GKE with OS Login #11050 @bartsmykla
- fix(transparent-proxy): refactor and make validation to work on IPv6 #11395 @bartsmykla
- fix(utils): enhance the logic to check if a channel is closed #10894 @sjmshsh
- fix(xds): accelerate universal dp XDS generation #11180 @Icarus9913
- fix(xds): explicitly set initial fetch timeout to zero to keep Envoy waiting for xds resources #11024 @jijiechen
- fix(xds): make sure ADS are ordered #11579 @jakubdyszkiewicz
- fix(xds): resolve eds deadlock introduced by initial fetch timeout #11602 @jakubdyszkiewicz
- perf(k8s): do not update resource on control-plane restart #11327 @lukidzi
- perf(kuma-cp): faster service to dpp matching #10628 @jakubdyszkiewicz
- revert(kuma-cp): do not use additional addresses #11601 @lukidzi