edge-21.9.2
This edge release gets us closer to 2.11 by further polishing the policy
feature. Also the proxy received a noticeable resource consumption improvement.
- Stopped creating the default authorizations for the kubelet
- Added missing ports to the destination controller's default list of ports, to
allow the sp-validator to start properly when using a default-deny policy - Set the destination and proxy-injector pods default policy to
all-unauthenticatedto allow the webhooks to be called from the kube-api
when using a default-deny policy - Extended inbound policies to cover the proxy's admin server
- Improved the proxy's error handling so that HTTP metrics include 5XX responses
for common errors - The proxy's outbound tap has been fixed to include route labels when service
profiles are configured - Enabled link-time optimizations in the Rust components (proxy and policy
controller), resulting in noticeable RSS and CPU consumption improvements - Made the admin servers in the control plane components properly shut down
(thanks @EpicStep!) - Updated linkerd-await, suppressing the error emitted when linkerd-await was
disabled