kumahq/kuma v2.14.0

2.14.0

on GitHub

We are excited to announce the latest release !

Mesh-scoped zone proxies - per-mesh Zone Ingress/Egress deployments, individually targetable by policy, replacing the single zone-wide proxy model.

Observability improvements

Sidecar Containers by default - sidecar containers are now enable by the default 🎉

Multiple bug fixes and improvements

Notable Changes

Observability

This release significantly expands observability across Kuma. The control plane now ships with new Grafana dashboards, histograms, and operational metrics for deeper insight into CP health, alongside component-based logging for finer-grained log control. Telemetry across the mesh is richer too: a new shared MeshOpenTelemetryBackend for policy-based OTel pipelines, expanded MeshTrace and MeshAccessLog OTEL support with zone and workload context, enhanced MeshMetric profiles and labels, DNS proxy metrics, and a number of Grafana panel fixes.

Mesh-scoped zone proxies

This release introduces mesh-scoped Zone Ingress and Egress, letting you deploy dedicated zone proxies per mesh instead of a single shared instance per zone. Because each proxy is now tied to a mesh, policies apply directly to it, including per-client MeshTrafficPermissions for fine-grained cross-zone access control. Egress also integrates with MeshIdentity, so cross-zone traffic leaving through the Egress carries proper workload identity.

Changelog

• chore(deps): bump ci-tools/release-tool from 1.3.1 to 1.4.2 #15314 #15315 #15332 @lukidzi,@renovate
• chore(deps): bump coredns to v1.14.2 #15975 @bartsmykla
• chore(deps): bump debian from 13.2 to 13.5 #15393 #15951 #16747 @renovate
• chore(deps): bump debian:13.2 from 0d01188 to c71b05e #15340 @renovate
• chore(deps): bump debian:13.3 from 5cf544f to 3615a74 #15550 #15725 @renovate
• chore(deps): bump debian:13.4 from 55a15a1 to e2d08da #16235 #16393 #16513 @renovate
• chore(deps): bump envoy from 1.36.4 to 1.38.2 #15446 #16262 #16446 #16900 #16927 @lukidzi,@renovate,@slonka
• chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 #15643 @renovate
• chore(deps): bump gcr.io/distroless/base-nossl-debian12:debug from 1321f45 to 35a3865 #15354 #15588 #16648 @renovate
• chore(deps): bump gcr.io/distroless/base-nossl-debian12:debug-nonroot from ef70836 to 6cec643 #15355 #15589 #16649 @renovate
• chore(deps): bump gcr.io/distroless/static-debian12:debug-nonroot from 53ced32 to f414196 #15356 #15590 #16650 @renovate
• chore(deps): bump gcr.io/k8s-staging-build-image/distroless-iptables from 0.8.6 to 0.9.2 #15421 #15598 #15633 #16241 #16654 @renovate
• chore(deps): bump gcr.io/k8s-staging-build-image/distroless-iptables:v0.8.6 from 4e0a77d to 8366c73 #15357 @renovate
• chore(deps): bump ghcr.io/kumahq/ubuntu-netools:main from 9c4e99b to 5a7b674 #15316 #15485 #15551 #15592 #15726 #15763 #15936 #16035 #16111 #16236 #16811 @renovate
• chore(deps): bump ghcr.io/spiffe/spire-agent from 1.13.3 to 1.15.1 #15286 #15387 #15766 #15943 #16242 #16468 #16748 #16814 @renovate
• chore(deps): bump ghcr.io/spiffe/spire-server from 1.14.0 to 1.15.1 #15388 #15767 #15944 #16243 #16469 #16749 #16815 @renovate
• chore(deps): bump ginkgo from 2.27.3 to 2.29.0 #15360 #15494 #16445 #16470 #16665 @renovate
• chore(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 #16474 @renovate
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs from 1.58.0 to 1.65.0 #16145 @renovate
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/lambda from 1.77.4 to 1.88.5 #16147 @renovate
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.88.1 to 1.97.3 #16148 @renovate
• chore(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 #15904 @renovate
• chore(deps): bump github.com/cilium/ebpf from 0.20.0 to 0.21.0 #15777 @renovate
• chore(deps): bump github.com/cncf/xds/go from ee656c7 to dba9d58 #15419 #15552 @renovate
• chore(deps): bump github.com/containernetworking/plugins from 1.9.0 to 1.9.1 #15945 @renovate
• chore(deps): bump github.com/envoyproxy/go-control-plane* #15930 @renovate
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.3.0 to 1.3.3 #15664 @renovate
• chore(deps): bump github.com/exaring/otelpgx from 0.9.4 to 0.11.1 #15394 #16750 @renovate
• chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 #15490 @renovate
• chore(deps): bump github.com/gruntwork-io/terratest from 0.54.0 to 1.0.0 #15395 #15610 #16670 @renovate
• chore(deps): bump github.com/invopop/jsonschema from 0.13.0 to 0.14.0 #16666 @renovate
• chore(deps): bump github.com/jackc/pgx/v5 from 5.7.6 to 5.9.2 #15338 #15952 #15965 #16305 @renovate
• chore(deps): bump github.com/josephburnett/jd/v2 from 2.3.0 to 2.5.0 #15336 #15396 #15733 @renovate
• chore(deps): bump github.com/miekg/dns from 1.1.69 to 1.1.72 #15361 #15422 @renovate
• chore(deps): bump github.com/moby/spdystream from 0.5.0 to 0.5.1 #16291 @renovate
• chore(deps): bump github.com/onsi/gomega from 1.38.3 to 1.41.0 #15366 #15491 #16475 #16667 @renovate
• chore(deps): bump github.com/prometheus/common from 0.67.4 to 0.68.0 #15362 #16817 @renovate
• chore(deps): bump github.com/testcontainers/testcontainers-go from 0.40.0 to 0.42.0 #15826 #16250 @renovate
• chore(deps): bump go.opentelemetry.io/proto/otlp from 1.9.0 to 1.10.0 #15827 @renovate
• chore(deps): bump go.uber.org/zap from 1.27.1 to 1.28.0 #16476 @renovate
• chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.52.0 #15611 #16727 @renovate
• chore(deps): bump golang.org/x/exp from 8475f28 to c761662 #15317 #15381 #15593 #15661 #15814 #16237 #16514 #16812 @renovate
• chore(deps): bump golang.org/x/net from 0.50.0 to 0.55.0 #15740 #16738 @renovate
• chore(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 #15778 @renovate
• chore(deps): bump golang.org/x/sys from 0.39.0 to 0.45.0 #15367 #15559 #15779 #16252 #16752 @renovate
• chore(deps): bump golang.org/x/text from 0.32.0 to 0.36.0 #15368 #16253 @renovate
• chore(deps): bump golang.org/x/tools from 0.40.0 to 0.45.0 #15398 #15613 #15830 #16254 #16527 @renovate
• chore(deps): bump golangci-lint from 2.7.2 to 2.12.2 #15369 #15614 #15670 #15780 #15820 #15966 #16477 #16522 @renovate
• chore(deps): bump gonum.org/v1/gonum from 0.16.0 to 0.17.0 #15370 @renovate
• chore(deps): bump google.golang.org/genproto/googleapis/* from 97cd9d5 to 0a33c5d #15335 #15382 #15486 #15553 #15594 #15662 #15727 #15815 #15937 #16112 #16238 #16301 #16394 #16444 #16515 #16651 #16741 @renovate
• chore(deps): bump google.golang.org/genproto/googleapis/api from 0a33c5d to 3dc84a4 #16813 @renovate
• chore(deps): bump google.golang.org/grpc from 1.77.0 to 1.81.1 #15339 #15615 #16120 #16528 #16656 @renovate
• chore(deps): bump helm from 4.0.4 to 4.2.0 #15390 #15600 #15822 #16668 @renovate
• chore(deps): bump helm.sh/helm/v4 from 4.1.3 to 4.1.4 #16216 @renovate
• chore(deps): bump k8s.io/klog/v2 from 2.130.1 to 2.140.0 #15781 @renovate
• chore(deps): bump k8s.io/kube-openapi from 4e65d59 to aa012df #15487 #15764 #15938 #16113 #16302 #16467 #16516 #16652 #16742 @renovate
• chore(deps): bump k8s.io/utils from bc988d5 to ff6756f #15318 #15358 #15595 #15939 #16517 @renovate
• chore(deps): bump kindest/node from 1.31.14 to 1.35.1 #15954 @renovate
• chore(deps): bump kubectl from 1.34.3 to 1.36.1 #15371 #15601 #15730 #15946 #16307 #16400 #16657 @renovate
• chore(deps): bump kubernetes monorepo from 0.35.2 to 0.35.3 #15947 @renovate
• chore(deps): bump kubernetes monorepo from 0.35.3 to 0.35.4 #16308 @renovate
• chore(deps): bump kubernetes monorepo from 0.35.4 to 0.36.0 #16401 @renovate
• chore(deps): bump kubernetes monorepo from 0.36.0 to 0.36.1 #16658 @renovate
• chore(deps): bump kubernetes packages from 0.34.3 to 0.35.0 #15327 @renovate
• chore(deps): bump kubernetes packages from 0.35.0 to 0.35.1 #15602 @renovate
• chore(deps): bump kubernetes packages from 0.35.1 to 0.35.2 #15731 @renovate
• chore(deps): bump kumahq/ci-tools from v1.4.3 to v1.4.6 #15686 #15754 #16928 @lukidzi
• chore(deps): bump metallb from 0.15.3 to 0.16.1 #16753 #16816 @renovate
• chore(deps): bump npm:@redocly/cli from 2.18.1 to 2.19.1 #15647 @lukidzi
• chore(deps): bump opentelemetry-go monorepo #15257 #15893 #16121 #16819 @renovate
• chore(deps): bump opentelemetry-go-contrib monorepo from 0.64.0 to 0.65.0 #15560 @renovate
• chore(deps): bump opentelemetry-go-contrib monorepo from 0.65.0 to 0.67.0 #15783 @renovate
• chore(deps): bump opentelemetry-go-contrib monorepo from 0.67.0 to 0.68.0 #16255 @renovate
• chore(deps): bump opentelemetry-go-contrib monorepo from 0.68.0 to 0.69.0 #16820 @renovate
• chore(deps): bump postgres:latest from 38d5c9d to 8ff36f3 #15341 #15384 #15554 #15596 #15728 #15940 #16239 #16395 #16518 #16653 #16744 @renovate
• chore(deps): bump projectcalico/tigera-operator from 3.31.2 to 3.32.0 #15322 #15667 #16309 #16478 @renovate
• chore(deps): bump registry.k8s.io/pause to ee6521f #16110 @renovate
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.22.4 to 0.24.1 #15427 #15492 #15771 #16660 @renovate
• chore(deps): bump sigs.k8s.io/controller-tools from 0.19.0 to 0.21.0 #15328 #15604 #16529 @renovate
• chore(deps): bump sigs.k8s.io/gateway-api from 1.4.1 to 1.5.1 #15734 #15948 @renovate
• chore(deps): security update #15480 #15546 #15638 #15788 #15874 #16506 #16865 @kumahq
• chore(deps): upgrade coredns version from v1.13.1 to 1.14.1 #15483 @lukidzi
• chore(deps): upgrade envoy from v1.37.0 to 1.37.1 #15905 @lukidzi
• chore(deps): upgrade kumahq/ci-tools from v1.4.2 to v1.4.3 #15539 @lukidzi
• chore(deps): use latest kumahq/kuma-gui #15313 #15346 #15349 #15351 #15373 #15374 #15375 #15444 #15459 #15509 #15514 #15521 #15531 #15533 #15536 #15618 #15622 #15624 #15626 #15630 #15636 #15645 #15658 #15702 #15705 #15707 #15721 #15739 #15742 #15746 #15747 #15749 #15792 #15804 #15810 #15842 #15869 #15871 #15886 #15925 #15971 #15992 #16026 #16045 #16079 #16103 #16125 #16181 #16211 #16259 #16292 #16295 #16316 #16317 #16344 #16352 #16370 #16372 #16453 #16491 #16495 #16500 #16504 #16561 #16585 #16598 #16674 #16678 #16691 #16704 #16708 #16712 #16761 #16767 #16780 #16825 #16845 #16851 #16853 #16854 #16855 #16862 #16863 #16872 #16905 #16918 #16922 #16931 #16938 #16942 @kumahq
• feat(MeshMetric): use KRI format for workload metric attribute #15508 @Automaat
• feat(MeshTrafficPermission): use cliques instead of connected components as an optimization when building rules #15412 @lobkovilya
• feat(api): add spiffeId to dataplane layout endpoint #16021 @Automaat
• feat(bootstrap): add UDS support for Envoy admin API #15795 @Automaat
• feat(charts): expose CP HPA behavior #16576 @bartsmykla
• feat(distribution): extra files in tarball #15996 @Automaat
• feat(dns): add workload labels to DNS proxy metrics #15918 @Automaat
• feat(helm): add custom issuer support for cert-manager integration #15377 @slonka
• feat(helm): allow to customize san #16282 @lukidzi
• feat(helm): expose divisor for GOMAXPROCS/GOMEMLIMIT env vars #15919 @Automaat
• feat(hostnamegenerator): validate rendered template at creation #16679 @lukidzi
• feat(k8s): enable sidecar containers by default #16502 @lukidzi
• feat(k8s): remove CPU limit from init/sidecar container #16207 @lukidzi
• feat(k8s): remove cpu limit on validation container #16263 @lukidzi
• feat(kuma-cp): add MeshOpenTelemetryBackend for shared policy-based OpenTelemetry backends #15863 #15865 #15868 #15872 #15898 #16022 #16673 #16909 @bartsmykla,@lukidzi
• feat(kuma-cp): add mesh-scoped zone proxies #15748 #15759 #15809 #15811 #15843 #15870 #16014 #16346 #16354 #16367 #16380 #16461 #16563 #16574 #16575 #16584 #16597 #16599 #16601 #16625 #16627 #16709 #16758 #16762 #16765 #16768 #16797 #16824 #16876 @Automaat,@lobkovilya,@lukidzi,@slonka
• feat(kuma-cp): component based logging #16097 #16499 #16586 #16616 #16617 @Automaat,@bartsmykla
• feat(kuma-cp): improve control-plane observability with dashboards, histograms, and operational metrics #15538 #15709 #15722 #15743 #15837 #15998 #16052 #16201 #16229 #16783 @Automaat,@bartsmykla
• feat(kuma-cp): set hasRulesTargetRef in /_resource endpoint #15524 @lobkovilya
• feat(kuma-cp): support running without inbound tags #15439 #15441 #15443 #15445 #15458 #15499 #15675 #15680 #15685 #15703 #16020 #16024 #16030 #16551 #16552 #16559 #16564 #16572 #16590 #16688 @Automaat,@lahabana,@mail2sudheerobbu-oss
• feat(kuma-dp): auto-detect DNS proxy bind address #15568 @slonka
• feat(kuma-dp): gate /ready on DNS proxy config with 15s timeout #16294 @lukidzi
• feat(kumactl): add deprecation warning to install observability #15706 @Automaat
• feat(kumactl): allow applying entire directories #15813 @lahabana
• feat(mads): add flag to disable MADS server #16042 @Automaat
• feat(matches): add matches to shared inbound.Rule struct #16647 @lobkovilya
• feat(meshaccesslog): add %KUMA_ZONE%, %KUMA_WORKLOAD% vars and OTel resource attrs #15692 @Automaat
• feat(meshexternalservice): allow to define priority for endpoints #15571 @lukidzi
• feat(meshidentity): introduce an extension to the MeshIdentity #15537 @lukidzi
• feat(meshmetric): extend Basic profile metrics #16044 @Automaat
• feat(meshmetric): use plain workload name in extra labels #15897 @Automaat
• feat(meshtrace): add HTTP/HTTPS OTEL support #15563 @bartsmykla
• feat(meshtrace): inject kuma.mesh/zone/workload span tags #15695 @Automaat
• feat(meshtrafficpermission): deprecate 'from' field in favor of 'rules' #16182 @Automaat
• feat(metrics): deprecate metrics pod annotations #15710 @Automaat
• feat(mmzs): deprecate names longer than 63 chars #16539 @slonka
• feat(xds): enable reusePort for all platforms #16501 @lukidzi
• feat(xds): expose delta xDS via Helm and fix k8s injection #16392 @lukidzi
• fix(MADR): small inaccuracy in SNI format document #16458 @lobkovilya
• fix(MeshMetric): ensure all internal entities in Basic filter #15418 @lahabana
• fix(MeshTrafficPermission): don't fallback to legacy rules when using MeshIdentity #16910 @lobkovilya
• fix(ServiceInsight): don't compute when meshServices.mode is Exclusive #16921 @lobkovilya
• fix(ServiceInsights): resyncer produces ServiceInsights with empty name #16912 @lobkovilya
• fix(api): KRI 404 for cluster-scoped types #16180 @Automaat
• fix(api): add KRI support for Zone resource #16101 @Automaat
• fix(api): add better message for spiffe validator #16919 @lukidzi
• fix(api-server): add missing HTTP server timeouts to prevent slowloris DoS #16166 @Automaat
• fix(api-server): dedup origins in inbound MTP multi-rule response #16126 @Automaat
• fix(api-server): handle wrapped IssuerDisabled errors correctly #16904 @lukidzi
• fix(api-server): harden localhost admin auth #16416 @bartsmykla
• fix(api-server): include HostnameGenerator #16108 @aviralgarg05
• fix(api-server): include insights when filtering dataplanes by labels #15413 @Automaat
• fix(api-server): nil panic in updateResource on store error #16005 @Automaat
• fix(api-server): simplify and fix hostname inspection for multi-zone … #15227 @lukidzi
• fix(api-server): validate auth in KRI endpoints #15581 @lahabana
• fix(api-server): validate origin label on resource delete #16826 @lobkovilya
• fix(config): check if domain starts with dot #16278 @lukidzi
• fix(defaults): compute labels on default policies #16637 @Automaat
• fix(dns): bind proxy to loopback #16071 @bartsmykla
• fix(dp): make readiness reporter dual-stack #16174 @Automaat
• fix(dp-server): bound shutdown, propagate appCtx #16541 @bartsmykla
• fix(e2e): update envoyconfig golden files #16781 @lobkovilya
• fix(gatewayapi): ensure statuses are deterministic #15928 @lahabana
• fix(gatewayapi): per-listener AttachedRoutes #15960 @bartsmykla
• fix(gatewayapi): reconcile gateways from class spec #16624 @Automaat
• fix(grafana): fix DNS panel duplicate series error #16492 @Automaat
• fix(grafana): fix success rate showing as red #16540 @Automaat
• fix(grafana): success rate stat shows red when no errors #16493 @Automaat
• fix(grafana): use correct response code metric name #16498 @Automaat
• fix(hds): interval fallback checks wrong field #15839 @Automaat
• fix(helm): allow to define annotation and disable ttl for prehook #16084 @lukidzi
• fix(inspect): show MeshHTTPRoutes using MMZS when using _rules endpoint #15646 @lukidzi
• fix(intercp): raise gRPC message size limits to match KDS #16373 @lukidzi
• fix(k8s): preserve status on cache hit in cachingConverter #15437 @Automaat
• fix(k8s): replace depracted mgr.GetEventRecorderFor() #15506 @lukidzi
• fix(kds): default usedonly when fetching stats #16711 @Automaat
• fix(kds): reconnect mux client when GlobalToZone stream is closed by … #16326 @lukidzi
• fix(kds): resource not found on KDS init #15758 @lobkovilya
• fix(kri): add KRI to overviews and OpenAPI items #16925 @Automaat
• fix(kri): apply default zone and namespace in KRI strings #15921 @Automaat
• fix(kri): match HashSuffixMapper hash #16047 @Automaat
• fix(kri): revert defaults injection #16046 @Automaat
• fix(kuma-cp): add events.k8s.io API group to RBAC #15635 @lukidzi
• fix(kuma-cp): k8s EnableReloadableTokens defaulting #16017 @Automaat
• fix(kuma-cp): use system trust when CA cert is not provided #16777 @lobkovilya
• fix(kuma-dp): add logging for MeshMetric application scraping failures #15513 @Automaat
• fix(kuma-dp): ship kuma-dp self metrics to OpenTelemetry backends #16226 @Automaat
• fix(kuma-init): properly validate ip family condition #16810 @lukidzi
• fix(lint): remove unused nolint gosec directives #15862 @Automaat
• fix(matchers): match delegated gw dpps #15791 @bartsmykla
• fix(mesh): reject listeners on gateway dataplanes #16606 @Automaat
• fix(meshaccesslog): deduplicate access logs for shared inbound port #16374 @lukidzi
• fix(meshaccesslog): skip dangling otel backendRef #16106 @bartsmykla
• fix(meshaccesslog): validate otel keys #16623 @bartsmykla
• fix(meshcircuitbreaker): set track remaining without policy match #16757 @slonka
• fix(meshfaultinjection): deprecate spec.from field #16102 @Automaat
• fix(meshhttproute): dedup duplicate routes on gateway virtual hosts #16786 @lukidzi
• fix(meshhttproute): skip routes with unresolvable backends #16324 @lukidzi
• fix(meshidentity): add a trailing slash to prefix matcher #15438 @lukidzi
• fix(meshidentity): env-aware UsesWorkloadLabel #16356 @bartsmykla
• fix(meshmetric): basic profile drops user metrics whose label values contain basicProfile substrings #16612 @Automaat
• fix(meshpassthrough): validate wildcard DNS domain names properly #16570 @mail2sudheerobbu-oss
• fix(meshroute): use kri sni for local meshservices #16739 @lobkovilya
• fix(meshservice): don't remove synced services #16940 @lukidzi
• fix(meshtrace): otel endpoint validation and IPv6 #15682 @bartsmykla
• fix(meshtrace): simplify OTel HTTP code #15625 @bartsmykla
• fix(plugins): dont panic on removed policy #16215 @lukidzi
• fix(policies): allow empty 'to' override #16212 @Automaat
• fix(policy): race condition when listener state is switched from Ignored to Ready #16323 @lobkovilya
• fix(policy-gen): don't set mesh label on Global-scoped k8s resources #16930 @lobkovilya
• fix(postgres): retry SafeToRetry errors on reads #16210 @Automaat
• fix(security): prevent file inclusion attacks #15500 @bartsmykla
• fix(sni): use old sni format and transport matches on mixed env #16944 @lukidzi
• fix(store): reject non-positive page size and negative offset #16358 @lukidzi
• fix(tokens): better error when valid_from is in the future #16018 @Automaat
• fix(tracing): prevent span.End() panic during OTel shutdown #15570 @Automaat
• fix(transparent-proxy): allow TCP DNS queries #15401 @bartsmykla
• fix(transparent-proxy): remove redundant TCP DNS port matchers #16138 @sardarmscs
• fix(upgrade): fix UPGRADE.md 2.9.x MeshTiemout format #16027 @gforns
• fix(validation): improve messages for targetRef validation #16104 @lobkovilya
• fix(xds): add a feature flag to enable reuse ports #16677 @lukidzi
• fix(xds): allow delta xDS auth to tolerate omitted node #16459 @lukidzi
• fix(xds): configure google_grpc xds max_receive_message_length #16775 @lukidzi
• fix(xds): deduplicate filter in inbound:passthrough filter chain #16080 @lukidzi
• fix(xds): don't create empty filter chain for a gateway #15532 @lukidzi
• fix(xds): enable reuse_port on inbound:passthrough listener #16605 @lahabana
• fix(xds): pass namespace in reachable backends ref lookup #16086 @Automaat
• fix(xds): prevent panic on send to closed channel during stream closure #15511 @Automaat
• fix(xds): reduce xds config size from 16mb to 4mb #16906 @lukidzi
• fix(xds): set listener stat_prefix #15623 @bartsmykla
• fix(xds): set unknown cluster name when no MS available #16760 @lukidzi
• fix(xds): skip SNI when BackendRef port not found #16213 @Automaat
• fix(xds): support wildcard cert for CP cert #16053 @lahabana
• fix(xds): use listener name as vhost fallback when kuma.io/service absent #15997 @Automaat
• fix(zoneingress): no public address causes DPP reconciliation failure #15926 @lobkovilya
• perf(gateway): drop redundant exact match for root path prefix #16782 @lahabana
• perf(k8s): cache labels + spec per resourceVersion #16200 @Automaat
• perf(meshmetric): precompile include/exclude selectors #16611 @Automaat
• perf(meshmetric): reduce per-scrape allocations on the merge and newline-dedup paths #16613 @Automaat
• perf(xds): skip redundant OTel status cache writes #16198 @bartsmykla
• refactor(kds): replace util.ZoneTag with core_model.ZoneOfResource #16169 @Automaat
• test(compatibility): compute versions from versions.yml #16171 @Automaat
• test(meshservice): universal e2e for label propagation #16573 @Automaat