stable-2.12.0
This release introduces route-based policy to Linkerd, allowing users to define
and enforce authorization policies based on HTTP routes in a fully zero-trust
way. These policies are built on Linkerd's strong workload identities, secured
by mutual TLS, and configured using types from the Kubernetes Gateway
API.
The 2.12 release also introduces optional request logging ("access logging"
after its name in webservers), optional support for iptables-nft
, and a host
of other improvements and performance enhancements.
Additionally, the linkerd-smi
extension is now required to use TrafficSplit,
and the installation process has been updated to separate management of the
Linkerd CRDs from the main installation process. With the CLI, you'll need to
linkerd install --crds
before running linkerd install
; with Helm, you'll
install the new linkerd-crds
chart, then the linkerd-control-plane
chart.
These charts are now versioned using SemVer independently
of Linkerd releases. For more information, see the upgrade
notes.
Upgrade notes: Please see the upgrade instructions.
-
Proxy
- Added a
config.linkerd.io/shutdown-grace-period
annotation to limit the
duration that the proxy may wait for graceful shutdown - Added a
config.linkerd.io/access-log
annotation to enable logging of
workload requests - Added a new
iptables-nft
mode for theproxy-init
initContainer - Added support for non-HTTP traffic forwarding within the mesh in
ingress
mode - Added the
/env.json
log diagnostic endpoint - Added a new
process_uptime_seconds_total
metric to track proxy uptime in
seconds - Added support for dynamically discovering policies for ports that are not
documented in a pod'scontainerPorts
- Added support for route-based inbound HTTP metrics
(route_group
/route_kind
/route_name
) - Added a new annotation to configure skipping subnets in the init container
(config.linkerd.io/skip-subnets
), needed e.g. in Docker-in-Docker
workloads (thanks @michaellzc!)
- Added a
-
Control Plane
- Added support for per-route policy by supporting AuthorizationPolicy
resources which can target HttpRoute or Server resources - Added support for bound service account token volumes for the control plane
and injected workloads - Removed kube-system exclusions from watchers to fix service discovery for
workloads in the kube-system namespace (thanks @JacobHenner!) - Updated healthcheck to ignore
Terminated
state for pods (thanks
@AgrimPrasad!) - Updated the default policy controller log level to
info
; the controller
will now emit INFO level logs for some of its dependencies - Added probe authorization by default, allowing clusters that use a default
deny
policy to not explicitly need to authorize probes - Fixed an issue where the proxy-injector would break when using
nodeAffinity
values for the control plane - Fixed an issue where certain control plane components were not restarting as
necessary after a trust root rotation - Removed SMI functionality in the default Linkerd installation; this is now
part of thelinkerd-smi
extension
- Added support for per-route policy by supporting AuthorizationPolicy
-
CLI
- Fixed the
linkerd check
command crashing when unexpected pods are found in
a Linkerd namespace - Updated the
linkerd authz
command to support AuthorizationPolicy and
HttpRoute resources - Updated
linkerd check
to allow RSA signed trust anchors (thanks
@danibaeyens!) linkerd install --crds
must be run beforelinkerd install
linkerd upgrade --crds
must be run beforelinkerd upgrade
- Fixed invalid yaml syntax in the viz extension's tap-injector template
(thanks @wc-s!) - Fixed an issue where the
--default-inbound-policy
setting was not being
respected - Added support for AuthorizationPolicy and HttpRoute to
viz authz
command - Added support for AuthorizationPolicy and HttpRoute to
viz stat
command - Added support for policy metadata in
linkerd viz tap
- Fixed the
-
Helm
- Split the
linkerd2
chart intolinkerd-crds
andlinkerd-control-plane
- Charts are now versioned using SemVer independently of
Linkerd releases - Added missing port in the Linkerd viz chart documentation (thanks @haswalt!)
- Changed the
proxy.await
Helm value so that users can now disable
linkerd-await
on control plane components - Added the
policyController.probeNetworks
Helm value for configuring the
networks that probes are expected to be performed from
- Split the
-
Extensions
- Added annotations to allow Linkerd extension deployments to be evicted by
the autoscaler when necessary - Added ability to run the Linkerd CNI plugin in non-chained (stand-alone)
mode - Added a ServiceAccount token Secret to the multicluster extension to support
Kubernetes versions >= v1.24
- Added annotations to allow Linkerd extension deployments to be evicted by
This release includes changes from a massive list of contributors, including
engineers from Adidas, Intel, Red Hat, Shopify, Sourcegraph, Timescale, and
others. A special thank-you to everyone who helped make this release possible:
Agrim Prasad @AgrimPrasad
Ahmed Al-Hulaibi @ahmedalhulaibi
Aleksandr Tarasov @aatarasoff
Alexander Berger @alex-berger
Ao Chen @chenaoxd
Badis Merabet @badis
Bjørn @Crevil
Brian Dunnigan @bdun1013
Christian Schlotter @chrischdi
Dani Baeyens @danibaeyens
David Symons @multimac
Dmitrii Ermakov @ErmakovDmitriy
Elvin Efendi @ElvinEfendi
Evan Hines @evan-hines-firebolt
Eng Zer Jun @Juneezee
Gustavo Fernandes de Carvalho @gusfcarvalho
Harry Walter @haswalt
Israel Miller @imiller31
Jack Gill @jackgill
Jacob Henner @JacobHenner
Jacob Lorenzen @Jaxwood
Joakim Roubert @joakimr-axis
Josh Ault @jault-figure
João Soares @jasoares
jtcarnes @jtcarnes
Kim Christensen @kichristensen
Krzysztof Dryś @krzysztofdrys
Lior Yantovski @lioryantov
Martin Anker Have @mahlunar
Michael Lin @michaellzc
Michał Romanowski @michalrom089
Naveen Nalam @nnalam
Nick Calibey @ncalibey
Nikola Brdaroski @nikolabrdaroski
Or Shachar @or-shachar
Pål-Magnus Slåtto @dev-slatto
Raman Gupta @rocketraman
Ricardo Gândara Pinto @rmgpinto
Roberth Strand @roberthstrand
Sankalp Rangare @sankalp-r
Sascha Grunert @saschagrunert
Steve Gray @steve-gray
Steve Zhang @zhlsunshine
Takumi Sue @mikutas
Tanmay Bhat @tanmay-bhat
Táskai Dominik @dtaskai
Ujjwal Goyal @importhuman
Weichung Shaw @wc-s
Wim de Groot @wim-de-groot
Yannick Utard @utay
Yurii Dzobak @yuriydzobak
罗泽轩 @spacewander