edge-23.9.1
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.
- Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
(#11296) - Introduced resource requests/limits for the policy controller resource in the
control plane helm chart (#11301) - Fixed an issue where an empty
remoteDiscoverySelectorfield in a
multicluster link would cause all services to be mirrored (#11309) - Removed time out from
linkerd multicluster gatewayscommand; when no
metrics exist the command will return instantly (#11265) - Improved help messaging for
linkerd multicluster link(#11265) - Changed how hostPort lookups are handled in the destination service.
Previously, when doing service discovery for an endpoint bound on a hostPort,
the destination service would return the corresponding pod IP. On pod
restart, this could lead to loss of connectivity on the client's side. The
destination service now always returns host IPs for service discovery on an
endpoint that uses hostPorts (#11328) - Updated HTTPRoute webhook rule to validate all apiVersions of the resource
(thanks @mikutas!) (#11149) - Fixed erroneous
skippedmessages when injecting namespaces withlinkerd inject(thanks @mikutas!) (#10231)