github linkerd/linkerd2 stable-2.12.0

2 years ago

stable-2.12.0

This release introduces route-based policy to Linkerd, allowing users to define
and enforce authorization policies based on HTTP routes in a fully zero-trust
way. These policies are built on Linkerd's strong workload identities, secured
by mutual TLS, and configured using types from the Kubernetes Gateway API.
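
A sketch of the route-based policy described above, added here as an illustration and not taken from the release notes or the Linkerd project. It assumes a Server named authors-http already exists in a namespace called demo; all names, the path, the client identity, and the API versions shown (those assumed to be served by 2.12) are constructed.

```yaml
# Constructed example: namespace, resource names and identity are placeholders.
# Route: only GET /authors.json on the assumed Server "authors-http".
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPRoute
metadata:
  name: authors-read
  namespace: demo
spec:
  parentRefs:
    - group: policy.linkerd.io
      kind: Server
      name: authors-http
  rules:
    - matches:
        - path:
            type: Exact
            value: /authors.json
          method: GET
---
# Client identity, as proven by the mTLS certificate of the webapp ServiceAccount.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  name: webapp-identity
  namespace: demo
spec:
  identities:
    - webapp.demo.serviceaccount.identity.linkerd.cluster.local
---
# Policy: the route above is reachable only by the identity above.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: authors-read-from-webapp
  namespace: demo
spec:
  targetRef:
    group: policy.linkerd.io
    kind: HTTPRoute
    name: authors-read
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: webapp-identity
```

Once a Server has a route attached, requests that match none of its routes are rejected, so health-probe paths on that port need their own route and authorization.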

The 2.12 release also introduces optional request logging ("access logging"
after its name in webservers), optional support for iptables-nft, and a host
of other improvements and performance enhancements.

Additionally, the linkerd-smi extension is now required to use TrafficSplit,
and the installation process has been updated to separate management of the
Linkerd CRDs from the main installation process. With the CLI, you'll need to
run linkerd install --crds before running linkerd install; with Helm, you'll
install the new linkerd-crds chart, then the linkerd-control-plane chart.
These charts are now versioned using SemVer independently
of Linkerd releases. For more information, see the upgrade notes.

Upgrade notes: Please see the upgrade instructions.

  • Proxy

    • Added a config.linkerd.io/shutdown-grace-period annotation to limit the
      duration that the proxy may wait for graceful shutdown
    • Added a config.linkerd.io/access-log annotation to enable logging of
      workload requests
    • Added a new iptables-nft mode for the proxy-init initContainer
    • Added support for non-HTTP traffic forwarding within the mesh in ingress
      mode
    • Added the /env.json log diagnostic endpoint
    • Added a new process_uptime_seconds_total metric to track proxy uptime in
      seconds
    • Added support for dynamically discovering policies for ports that are not
      documented in a pod's containerPorts
    • Added support for route-based inbound HTTP metrics
      (route_group/route_kind/route_name)
    • Added a new annotation to configure skipping subnets in the init container
      (config.linkerd.io/skip-subnets), needed e.g. in Docker-in-Docker
      workloads (thanks @michaellzc!)
  • Control Plane

    • Added support for per-route policy by supporting AuthorizationPolicy
      resources which can target HttpRoute or Server resources
    • Added support for bound service account token volumes for the control plane
      and injected workloads
    • Removed kube-system exclusions from watchers to fix service discovery for
      workloads in the kube-system namespace (thanks @JacobHenner!)
    • Updated healthcheck to ignore Terminated state for pods (thanks
      @AgrimPrasad!)
    • Updated the default policy controller log level to info; the controller
      will now emit INFO level logs for some of its dependencies
    • Added probe authorization by default, allowing clusters that use a default
      deny policy to not explicitly need to authorize probes
    • Fixed an issue where the proxy-injector would break when using
      nodeAffinity values for the control plane
    • Fixed an issue where certain control plane components were not restarting as
      necessary after a trust root rotation
    • Removed SMI functionality in the default Linkerd installation; this is now
      part of the linkerd-smi extension
  • CLI

    • Fixed the linkerd check command crashing when unexpected pods are found in
      a Linkerd namespace
    • Updated the linkerd authz command to support AuthorizationPolicy and
      HttpRoute resources
    • Updated linkerd check to allow RSA signed trust anchors (thanks
      @danibaeyens!)
    • linkerd install --crds must be run before linkerd install
    • linkerd upgrade --crds must be run before linkerd upgrade
    • Fixed invalid yaml syntax in the viz extension's tap-injector template
      (thanks @wc-s!)
    • Fixed an issue where the --default-inbound-policy setting was not being
      respected
    • Added support for AuthorizationPolicy and HttpRoute to viz authz command
    • Added support for AuthorizationPolicy and HttpRoute to viz stat command
    • Added support for policy metadata in linkerd viz tap
  • Helm

    • Split the linkerd2 chart into linkerd-crds and linkerd-control-plane
    • Charts are now versioned using SemVer independently of
      Linkerd releases
    • Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)
    • Changed the proxy.await Helm value so that users can now disable
      linkerd-await on control plane components
    • Added the policyController.probeNetworks Helm value for configuring the
      networks that probes are expected to be performed from
  • Extensions

    • Added annotations to allow Linkerd extension deployments to be evicted by
      the autoscaler when necessary
    • Added ability to run the Linkerd CNI plugin in non-chained (stand-alone)
      mode
    • Added a ServiceAccount token Secret to the multicluster extension to support
      Kubernetes versions >= v1.24

This release includes changes from a massive list of contributors, including
engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and
others. A special thank-you to everyone who helped make this release possible:

Agrim Prasad @AgrimPrasad
Ahmed Al-Hulaibi @ahmedalhulaibi
Aleksandr Tarasov @aatarasoff
Alexander Berger @alex-berger
Ao Chen @chenaoxd
Badis Merabet @badis
Bjørn @Crevil
Brian Dunnigan @bdun1013
Christian Schlotter @chrischdi
Dani Baeyens @danibaeyens
David Symons @multimac
Dmitrii Ermakov @ErmakovDmitriy
Elvin Efendi @ElvinEfendi
Evan Hines @evan-hines-firebolt
Eng Zer Jun @Juneezee
Gustavo Fernandes de Carvalho @gusfcarvalho
Harry Walter @haswalt
Israel Miller @imiller31
Jack Gill @jackgill
Jacob Henner @JacobHenner
Jacob Lorenzen @Jaxwood
Joakim Roubert @joakimr-axis
Josh Ault @jault-figure
João Soares @jasoares
jtcarnes @jtcarnes
Kim Christensen @kichristensen
Krzysztof Dryś @krzysztofdrys
Lior Yantovski @lioryantov
Martin Anker Have @mahlunar
Michael Lin @michaellzc
Michał Romanowski @michalrom089
Naveen Nalam @nnalam
Nick Calibey @ncalibey
Nikola Brdaroski @nikolabrdaroski
Or Shachar @or-shachar
Pål-Magnus Slåtto @dev-slatto
Raman Gupta @rocketraman
Ricardo Gândara Pinto @rmgpinto
Roberth Strand @roberthstrand
Sankalp Rangare @sankalp-r
Sascha Grunert @saschagrunert
Steve Gray @steve-gray
Steve Zhang @zhlsunshine
Takumi Sue @mikutas
Tanmay Bhat @tanmay-bhat
Táskai Dominik @dtaskai
Ujjwal Goyal @importhuman
Weichung Shaw @wc-s
Wim de Groot @wim-de-groot
Yannick Utard @utay
Yurii Dzobak @yuriydzobak
罗泽轩 @spacewander
