Tags: jonxie5/linkerd2
This edge release adds more flexibility to the MeshTLSAuthentication and AuthorizationPolicy policy resources by allowing them to target entire namespaces. It also fixes a race condition when multiple CNI plugins are installed together, as well as a number of other bugs.

* Added support for MeshTLSAuthentication resources to target an entire namespace, authenticating all ServiceAccounts in that namespace
* Fixed a panic in `linkerd install` when the `--ignore-cluster` flag is passed
* Fixed an issue where pods would fail to start when `enablePSP` and `proxyInit.runAsRoot` are set
* Added support for AuthorizationPolicy resources to target namespaces, applying to all Servers in that namespace
* Fixed a race condition where the Linkerd CNI configuration could be overwritten when multiple CNI plugins are installed
* Added a test for opaque ports using Service and Pod IPs (thanks @krzysztofdrys!)
* Fixed an error in the linkerd-viz Helm chart in HA mode
## edge-22.4.1

In order to support having custom resources in the default Linkerd installation, the CLI install flow is now always a 2-step process where `linkerd install --crds` must be run first to install CRDs only and then `linkerd install` is run to install everything else. This more closely aligns the CLI install flow with the Helm install flow where the CRDs are a separate chart. This also applies to `linkerd upgrade`. Also, the `config` and `control-plane` sub-commands have been removed from both `linkerd install` and `linkerd upgrade`.

On the proxy side, this release fixes an issue where proxies would not honor the cluster's opaqueness settings for non-pod/service addresses. This could cause protocol detection to be performed, for instance, when using off-cluster databases. This release also disables the use of regexes in Linkerd log filters (i.e., as set by `LINKERD2_PROXY_LOG`). Malformed log directives could, in theory, cause a proxy to stop responding.

The `helm.sh/chart` label in some of the CRDs had its formatting fixed, which avoids issues when installing/upgrading through external tools that make use of it, such as recent versions of Flux.

* Added `--crds` flag to install/upgrade and removed the config/control-plane stages
* Allowed the `AuthorizationPolicy` CRD to have an empty `requiredAuthenticationRefs` entry that allows all traffic
* Introduced `nodeAffinity` config in all the charts for enhanced control over pod scheduling (thanks @michalrom089!)
* Introduced `resources`, `nodeSelector` and `tolerations` configs in the `linkerd-multicluster-link` chart for enhanced control over the service mirror deployment (thanks @utay!)
* Fixed formatting of the `helm.sh/chart` label in CRDs
* Updated container base images from buster to bullseye
* Added support for spaces in the `config.linkerd.io/opaque-ports` annotation
ci: Update list of integration tests in release workflow

Signed-off-by: Oliver Gould <[email protected]>
This edge release introduces new policy CRDs that allow for more generalized authorization policies. The `AuthorizationPolicy` CRD authorizes clients that satisfy all the required authentications to communicate with the Linkerd `Server` that it targets. Required authentications are specified through the new `MeshTLSAuthentication` and `NetworkAuthentication` CRDs. A `MeshTLSAuthentication` defines a list of authenticated client IDs—specified directly by proxy identity strings or referencing resources such as `ServiceAccount`s. A `NetworkAuthentication` defines a list of client networks that will be authenticated.

Additionally, to support the new CRDs, policy-related labels have been changed to better categorize policy metrics. A `srv_kind` label has been introduced which splits the current `srv_name` value—formatted as `kind:name`—into separate labels. The `saz_name` label has been removed and is replaced by the new `authz_kind` and `authz_name` labels.

* Introduced the `srv_kind` label which allowed splitting the value of the current `srv_name` label
* Removed the `saz_name` label and replaced it with the new `authz_kind` and `authz_name` labels
* Fixed an issue in the destination controller where an update would not be sent after an endpoint was discovered for a currently empty service
* Introduced the following custom resource types to support generalized authorization policies: `AuthorizationPolicy`, `MeshTLSAuthentication`, `NetworkAuthentication`
* Deprecated the `--proxy-version` flag (thanks @importhuman!)
* Updated linkerd-viz to use new policy CRDs
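As an added illustration, not part of the commit messages above or of the Linkerd project's own files, the following manifests show how the resources described in these two releases fit together: a `Server` that an `AuthorizationPolicy` targets, a `MeshTLSAuthentication` listing the client identities that are allowed (including a namespace-wide `identityRefs` entry of the kind introduced in the later release), and a `NetworkAuthentication` restricting the source networks. Field names follow the `policy.linkerd.io/v1alpha1` API as documented by Linkerd; the resource names, namespace (`shop`), labels, service account, port and CIDR are placeholders chosen for the example.

```yaml
# Added example (not from the linkerd2 repository). Names, namespace,
# labels, port and CIDR are placeholders; the field layout follows the
# policy.linkerd.io/v1alpha1 API.
---
# The workload and port being protected: all pods labelled app=orders in
# the "shop" namespace, on their "http" container port.
apiVersion: policy.linkerd.io/v1alpha1
kind: Server
metadata:
  namespace: shop
  name: orders-http
spec:
  podSelector:
    matchLabels:
      app: orders
  port: http
  proxyProtocol: HTTP/1
---
# Clients that present a mesh TLS identity matching any of these entries
# are authenticated. A ServiceAccount ref authenticates one workload
# identity; a Namespace ref authenticates every ServiceAccount in that
# namespace (the namespace-wide targeting added in the later release).
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: shop
  name: orders-callers
spec:
  identityRefs:
    - kind: ServiceAccount
      name: checkout
      namespace: shop
    - kind: Namespace
      name: monitoring
---
# Clients whose source address lies in these networks are authenticated.
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  namespace: shop
  name: cluster-pods-only
spec:
  networks:
    - cidr: 10.0.0.0/8
---
# Traffic to the Server is authorized only when the client satisfies ALL
# of the required authentications: a permitted mesh identity AND an
# in-cluster source address. An empty requiredAuthenticationRefs list
# would instead allow all traffic to the target (see the edge-22.4.1 notes).
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: shop
  name: orders-http-authz
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: orders-http
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: orders-callers
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: cluster-pods-only
```

When reviewing such a policy, the points to check are that every `requiredAuthenticationRefs` entry exists in the same namespace as the policy (a dangling reference means no client can satisfy it), that `identityRefs` of kind `Namespace` are intentional since they admit every ServiceAccount in that namespace, and that the `srv_kind`/`srv_name` and `authz_kind`/`authz_name` metric labels mentioned above are what you use to confirm which authorization actually matched a request.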
* Disabled pprof endpoints on Linkerd control plane components by default
* Fixed an issue where mirror service endpoints of headless services were always ready regardless of gateway liveness
* Added server side validation for ServerAuthorization resources
* Fixed an "origin not allowed" issue when using the latest Grafana with the Linkerd Viz extension
This edge release ensures that in multicluster installations, mirror service endpoints have their readiness tied to gateway liveness. When the gateway for a target cluster is not alive, the endpoints that point to it on a source cluster will properly indicate that they are not ready.

* Fixed tap controller logging errors that were susceptible to log forgery by ensuring special characters are escaped
* Fixed issue where mirror service endpoints were always ready regardless of gateway liveness
* Removed unused `namespace` entry in `linkerd-control-plane` chart
This edge release includes a few fixes and quality of life improvements. An issue has been fixed in the proxy allowing HTTP Upgrade requests to work through multi-cluster gateways, and the init container's resource limits and requests have been revised. Additionally, more Go linters have been enabled and improvements have been made to the devcontainer.

* Changed `linkerd-init` resource (CPU/memory) limits and requests to ensure by default the init container does not break a pod's `Guaranteed` QoS class
* Added a new check condition to skip pods whose status is `NodeShutdown` during validation as they will not have a proxy container
* Fixed an issue that would prevent proxies from sending HTTP Upgrade requests (used in websockets) through multi-cluster gateways
This edge release includes updates to dependencies, CI, and Rust 1.59.0. It also includes changes to the `linkerd-jaeger` chart to ensure that namespace labels are preserved and adds support for `imagePullSecrets`, along with improvements to the multicluster and policy functionality.

* Added note to `multicluster link` command to clarify that the link is one-directional
* Introduced `imagePullSecrets` to Jaeger Helm chart
* Updated Rust to v1.59.0
* Fixed a bug where labels can be overwritten in the `linkerd-jaeger` chart
* Fixed broken mirrored headless services after `repairEndpoints` runs
* Updated `Server` CRD to handle an empty `PodSelector`
This edge release continues to address several security related lints and ensures they are checked by CI.

* Added `linkerd check` warning for clusters that cannot verify their `clusterNetworks` due to Nodes missing the `podCIDR` field
* Changed `Server` CRD to allow having an empty `PodSelector`
* Modified `linkerd inject` to only support `https` URLs to mitigate security risks
* Fixed potential goroutine leak in the port forwarding used by several CLI commands and control plane components
* Fixed timeouts in the policy validator which could lead to failures if `failurePolicy` was set to `Fail`
This edge release fixes some `Instant`-related proxy panics that occur on Amazon Linux. It also includes many behind the scenes improvements to the project's CI and linting.

* Removed the `--controller-image-version` install flag to simplify the way that image versions are handled. The controller image version can be set using the `--set linkerdVersion` flag or Helm value
* Lowercased logs and removed redundant lines from the Linkerd2 proxy init container
* Prevented the proxy from logging spurious errors when its pod does not define any container ports
* Added workarounds to reduce the likelihood of `Instant`-related proxy panics that occur on Amazon Linux