Releases: linkerd/linkerd2
edge-25.1.1
Overall status: RECOMMENDED
Cautions
This release requires that the Kubernetes API server be able to use TLS v1.3. That's been supported since Kubernetes v1.19, and Linkerd currently requires at least Kubernetes v1.22, so this shouldn't be an issue for anyone. It also validates that proxy.runAsRoot be set if proxyInit.closeWaitTimeoutSecs is set -- this was a functional requirement anyway, but we now validate it at install time.
Changes
Welcome to 2025! This first release of the year bumps the minimum TLS version when talking to the API server to v1.3 (see the CAUTIONS above), adds proper iptables support for RHEL nodes, allows Linkerd to talk to running Pods which haven't passed readiness checks yet (thanks, Tuomo!), and allows specifying both podAnnotations per deployment (thanks, Takumi Sue!) and labels for the Viz dashboard (thanks, omer2500!). It also validates that proxy.runAsRoot is set if you try to set proxyInit.closeWaitTimeoutSecs, correctly handles proxy log levels with quotes, cleans up CLI output of port forwarding errors, adds the pod UID and proxy container name to the environment, fixes a bug with installing extensions with Helm in IPv6 clusters, and removes some unneeded CNI configuration values. Finally, thanks to Joakim Roubert for cleaning up some development shell scripting!
What's Changed
- proxy: v2.269.0 by @l5d-bot in #13401
- build(deps): bump libc from 0.2.165 to 0.2.166 by @dependabot in #13400
- build(deps): bump socket2 from 0.5.7 to 0.5.8 by @dependabot in #13404
- build(deps): bump bytes from 1.8.0 to 1.9.0 by @dependabot in #13403
- build(deps): bump tracing from 0.1.40 to 0.1.41 by @dependabot in #13402
- ci: pin cargo-nextest to v0.9.67 by @olix0r in #13411
- policy: Add e2e egress tests by @zaharidichev in #13390
- test(policy): update e2e_egress_network for reliability by @olix0r in #13412
- test(policy): fix assert_status_accepted to panic by @olix0r in #13413
- proxy: v2.270.0 by @l5d-bot in #13414
- chore(just): retry failures when loading pause container by @olix0r in #13415
- build(deps): bump mio from 1.0.2 to 1.0.3 by @dependabot in #13417
- build(deps): bump allocator-api2 from 0.2.20 to 0.2.21 by @dependabot in #13416
- build(deps): bump libc from 0.2.166 to 0.2.167 by @dependabot in #13418
- build(deps): bump k8s.io/endpointslice from 0.31.2 to 0.31.3 by @dependabot in #13386
- build(deps-dev): bump eslint-plugin-promise from 7.1.0 to 7.2.1 in /web/app by @dependabot in #13408
- build(deps): bump cc from 1.2.1 to 1.2.2 by @dependabot in #13423
- build(deps): bump errno from 0.3.9 to 0.3.10 by @dependabot in #13421
- build(deps): bump tracing-subscriber from 0.3.18 to 0.3.19 by @dependabot in #13422
- build(deps): bump clap from 4.5.21 to 4.5.22 by @dependabot in #13436
- build(deps): bump tokio-util from 0.7.12 to 0.7.13 by @dependabot in #13431
- refactor(policy): move policy-controller library to runtime by @olix0r in #13419
- chore: update Go code for new lints by @olix0r in #13437
- build(deps): bump tokio from 1.41.1 to 1.42.0 by @dependabot in #13438
- build(deps): bump anyhow from 1.0.93 to 1.0.94 by @dependabot in #13439
- build(deps): bump codecov/codecov-action from 5.0.7 to 5.1.1 by @dependabot in #13440
- build(deps): update linkerd/dev from v43 to v44 by @olix0r in #13428
- build(deps): bump EmbarkStudios/cargo-deny-action from 1.6.3 to 2.0.4 by @dependabot in #13424
- build(deps): bump thiserror from 1.0.68 to 2.0.4 by @dependabot in #13435
- build(deps): bump unicode-ident from 1.0.13 to 1.0.14 by @dependabot in #13359
- build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.1 by @dependabot in #13434
- build(deps): bump github.com/prometheus/common from 0.60.1 to 0.61.0 by @dependabot in #13429
- build(deps): bump github.com/emicklei/proto from 1.13.2 to 1.13.3 by @dependabot in #13430
- build(deps): bump golang.org/x/tools from 0.27.0 to 0.28.0 by @dependabot in #13433
- build(deps): bump clap from 4.5.22 to 4.5.23 by @dependabot in #13448
- build(deps): bump pest_derive from 2.7.14 to 2.7.15 by @dependabot in #13447
- build(deps): bump thiserror from 2.0.4 to 2.0.6 by @dependabot in #13446
- build(deps): bump tj-actions/changed-files from 45.0.4 to 45.0.5 by @dependabot in #13449
- build(deps-dev): bump webpack from 5.96.1 to 5.97.1 in /web/app by @dependabot in #13443
- build(deps-dev): bump @babel/preset-react from 7.25.9 to 7.26.3 in /web/app by @dependabot in #13444
- chore: group cargo dependabot updates by @olix0r in #13450
- build(deps): bump libc from 0.2.167 to 0.2.168 by @dependabot in #13453
- build(deps): bump cc from 1.2.2 to 1.2.3 by @dependabot in #13452
- build(deps): bump tokio-stream from 0.1.16 to 0.1.17 by @dependabot in #13454
- build(deps): bump url from 2.5.2 to 2.5.4 by @dependabot in #13385
- refactor(multicluster): Replace use of unstructured API with typed bindings for Link CR by @adleong in #13420
- feat(helm): Allow specifying podAnnotations per deployment by @mikutas in #13388
- Simplify cni config by @alpeb in #13407
- build(deps): bump chrono from 0.4.38 to 0.4.39 by @dependabot in #13456
- build(deps): bump nanoid from 3.3.7 to 3.3.8 in /web/app by @dependabot in #13455
- build(deps): bump serde from 1.0.215 to 1.0.216 by @dependabot in #13465
- proxy: v2.271.0 by @l5d-bot in #13468
- build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by @dependabot in #13466
- build(deps): bump k8s.io/client-go from 0.31.3 to 0.31.4 by @dependabot in #13460
- build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 by @dependabot in #13467
- chore(ci): simplify protoc scripts by @olix0r in #13459
- build(deps): bump k8s.io/endpointslice from 0.31.3 to 0.31.4 by @dependabot in #13463
- build(deps): bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 by @dependabot in #13470
- bin: shellscript housekeeping by @joakimr-axis in #13469
- build(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 by @dependabot in #13471
- build(deps): bump k8s.io/endpointslice from 0.31.4 to 0.32.0 by @dependabot in #13472
- build(deps): bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 by @dependabot in #13473
- build(deps): bump cni-plugin from v1.5.2 to v1.6.0 by @alpeb in #13474
- feat(linkerd-cni): add support for plain iptables commands by @alpeb in #13457
- chore: group k8s.io dependabot updates by @olix0r in #13476
- build(deps): bump google.golang.org/grpc from 1.68.1 to 1.69.0 by @dependabot in #13477
- build(deps-dev): bump webpack-dev-server from 5.1.0 to 5.2.0 in /web/app by @dependabot in #13478
- feat(viz): add option to add labels to web service by @omer2500 in #13305
- chore(proxy-injector): reduce test boilerplate by @olix0r in #13479
- fix(helm): add validation for proxyInit.closeWaitTimeoutSecs by @alpeb in #13481
- chore: remove bin/helm-doc by @alpeb in https://github.com...
Contributors
Assets 14
- 75 MB
2025-01-16T22:18:39Z - 74.4 MB
2025-01-16T22:18:39Z - 65 Bytes
2025-01-16T22:18:39Z - 65 Bytes
2025-01-16T22:18:39Z - 73.4 MB
2025-01-16T22:18:39Z - 65 Bytes
2025-01-16T22:18:39Z - 67.7 MB
2025-01-16T22:18:39Z - 65 Bytes
2025-01-16T22:18:39Z - 72.4 MB
2025-01-16T22:18:39Z - 65 Bytes
2025-01-16T22:18:39Z -
2025-01-16T21:55:31Z -
2025-01-16T21:55:31Z - Loading
edge-24.11.8
Overall status: RECOMMENDED
Cautions
N/A
Changes
This release bumps dependencies to change Linkerd's logic around Kubernetes leases to make sure that patches don't get stuck indefinitely.
What's Changed
- build(deps): bump libc from 0.2.164 to 0.2.165 by @dependabot in #13397
- build(deps): bump itoa from 1.0.13 to 1.0.14 by @dependabot in #13398
- build(deps): bump kubert from 0.21.2 to 0.22.0 by @olix0r in #13399
Full Changelog: edge-24.11.7...edge-24.11.8
Contributors
Assets 14
edge-24.11.7
Overall status: RECOMMENDED
Cautions
N/A
Changes
This release removes the initial delay for the policy controller, allowing for faster control-plane startups, quietens the policy controller's reconciliation logs, and adds logging to make it clear which policy-controller pod is responsible for updating statuses.
What's Changed
Full Changelog: edge-24.11.6...edge-24.11.7
Contributors
Assets 14
edge-24.11.6
Overall status: NOT RECOMMENDED, use edge-24.11.7 instead
Cautions
edge-24.11.6 has been superseded by edge-24.11.7.
Changes
edge-24.11.6 has been superseded by edge-24.11.7.
What's Changed
- Add federated service e2e test by @adleong in #13352
- build(deps): bump @fortawesome/free-regular-svg-icons from 6.6.0 to 6.7.1 in /web/app by @dependabot in #13381
- build(deps): bump k8s.io/apiextensions-apiserver from 0.31.2 to 0.31.3 by @dependabot in #13366
- build(deps): bump @fortawesome/fontawesome-svg-core from 6.6.0 to 6.7.1 in /web/app by @dependabot in #13383
- build(deps): bump @fortawesome/free-solid-svg-icons from 6.6.0 to 6.7.1 in /web/app by @dependabot in #13382
- fix(policy): remove readiness probe delay by @olix0r in #13380
- chore(policy): polish logging by @olix0r in #13379
- ci(multicluster): increase federated test timeout by @olix0r in #13393
- chore(policy): run status reconcilation at fixed interval by @olix0r in #13384
- fix(policy): ensure status controller honors leader expiry by @olix0r in #13392
- chore(policy): set an informative field manager on patches by @olix0r in #13394
- chore(policy): simplify status controller type matching by @olix0r in #13395
Full Changelog: edge-24.11.5...edge-24.11.6
Contributors
Assets 14
edge-24.11.5
Overall status: RECOMMENDED
Cautions
N/A
Changes
In this release, the proxy emits new request_frame_size and response_frame_size metrics with information about TCP frame distributions, correctly accounts for closed connections in route metrics, and fixes a (rare) panic for resources in which managedFields has no timestamp. Additionally, linkerd check checks to be sure that your Link resources match your CLI version, keywords in docker build now use correct cases (thanks, Derek Brown!), and we now test Linkerd on Kubernetes 1.31.
What's Changed
- Add service mirror tests for federated services by @adleong in #13336
- Add tests for federated service watcher by @adleong in #13329
- lint: fix docker build warnings by @DerekTBrown in #13351
- build(deps): bump codecov/codecov-action from 5.0.2 to 5.0.4 by @dependabot in #13354
- policy: add EgressNetwork integration tests for Http Grpc routes by @zaharidichev in #13342
- proxy: v2.266.0 by @l5d-bot in #13353
- policy: Add TCP and TLS route API tests by @zaharidichev in #13348
- build(deps): bump itoa from 1.0.11 to 1.0.13 by @dependabot in #13357
- build(deps): bump proc-macro2 from 1.0.89 to 1.0.90 by @dependabot in #13358
- build(deps): bump codecov/codecov-action from 5.0.4 to 5.0.7 by @dependabot in #13360
- policy: use TLS/TCP filters in new version of proxy API by @zaharidichev in #13362
- proxy: v2.267.0 by @l5d-bot in #13363
- build(deps): bump cpufeatures from 0.2.15 to 0.2.16 by @dependabot in #13370
- build(deps): bump proc-macro2 from 1.0.90 to 1.0.92 by @dependabot in #13369
- build(deps): bump k8s.io/kube-aggregator from 0.31.2 to 0.31.3 by @dependabot in #13365
- ci: update latest k8s version to 1.31 by @olix0r in #13374
- proxy: v2.268.0 by @l5d-bot in #13375
- Add check for link version by @adleong in #13376
- fix(test): ensure that the controller sets rate limit status by @olix0r in #13377
- fix(destination): avoid panic on missing managed fields timestamp by @olix0r in #13378
Full Changelog: edge-24.11.4...edge-24.11.5
Contributors
Assets 14
edge-24.11.4
Overall status: RECOMMENDED
Cautions
N/A
Changes
This release fixes a bug (issue 13327) where Linkerd could constantly re-update the status clause of HTTPRoute if another Gateway API controller was present in the system (thanks Derek Brown!), ensures that all of the proxy-injector's logs are valid JSON when JSON logging is enabled (thanks, Micah See!), and cleans up HTTPRoute validation to make sure that if a backendRef is a Service, it must have a valid port.
What's Changed
- chore(policy): fix HttpLocalRateLimit type casing by @olix0r in #13324
- build(deps): bump cc from 1.2.0 to 1.2.1 by @dependabot in #13331
- build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 by @dependabot in #13330
- build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.0 by @dependabot in #13333
- build(deps): bump DavidAnson/markdownlint-cli2-action from 17.0.0 to 18.0.0 by @dependabot in #13332
- [fix 13327] ignore HTTPRoute .status.parents re-ordering by @DerekTBrown in #13328
- Integration test for rate-limiting by @alpeb in #13326
- feat(policy): check Service port in admission controller by @olix0r in #13325
- build(deps): bump serde_json from 1.0.132 to 1.0.133 by @dependabot in #13340
- Ensure consistent JSON logging for proxy-injector container by @MicahSee in #13335
- build(deps): bump cross-spawn from 7.0.3 to 7.0.6 in /web/app by @dependabot in #13344
- build(deps): bump codecov/codecov-action from 5.0.0 to 5.0.2 by @dependabot in #13341
- build(deps): bump libc from 0.2.162 to 0.2.164 by @dependabot in #13339
- build(deps): bump openssl-src from 300.4.0+3.4.0 to 300.4.1+3.4.0 by @dependabot in #13338
New Contributors
- @DerekTBrown made their first contribution in #13328
- @MicahSee made their first contribution in #13335
Full Changelog: edge-24.11.3...edge-24.11.4
Contributors
Assets 14
edge-24.11.3
Overall status: RECOMMENDED
Cautions
N/A
Changes
edge-24.11.3 brings local rate limiting to Linkerd! Using the new HTTPLocalRateLimitPolicy resource, you can attach rate limits to Servers to protect workloads from being overwhelmed by excessive traffic. Additionally, it improves metrics for TCPRoute and TLSRoute egress control, correctly handles the case where a Route type changes parents (fixing [issue #13280]), allows linkerd diagnostics endpoints to correctly handle workloads with multiple endpoints, and removes unneeded references to linkerd-base from the linkerd-control-plane chart README (thanks, Brandon Ros!).
What's Changed
- Remove empty
shortnames: []from HTTPLocalRateLimitPolicy by @alpeb in #13297 - build(deps): bump golang.org/x/net from 0.30.0 to 0.31.0 by @dependabot in #13302
- build(deps): bump tj-actions/changed-files from 45.0.3 to 45.0.4 by @dependabot in #13304
- build(deps): bump allocator-api2 from 0.2.18 to 0.2.19 by @dependabot in #13301
- build(deps): bump security-framework-sys from 2.12.0 to 2.12.1 by @dependabot in #13298
- build(deps-dev): bump @babel/core from 7.25.8 to 7.26.0 in /web/app by @dependabot in #13296
- build(deps): bump golang.org/x/tools from 0.26.0 to 0.27.0 by @dependabot in #13303
- build(deps): bump allocator-api2 from 0.2.19 to 0.2.20 by @dependabot in #13309
- HTTPLocalRateLimitPolicy validator by @alpeb in #13251
- build(deps): bump cc from 1.1.36 to 1.2.0 by @dependabot in #13312
- build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0 by @dependabot in #13311
- proxy: v2.264.0 by @l5d-bot in #13316
- proxy: v2.265.0 by @l5d-bot in #13319
- build(deps): bump serde from 1.0.214 to 1.0.215 by @dependabot in #13308
- build(deps): bump cpufeatures from 0.2.14 to 0.2.15 by @dependabot in #13307
- Implement status handling for HTTPLocalRateLimitPolicy CRD by @alpeb in #13314
- build(deps): bump clap from 4.5.20 to 4.5.21 by @dependabot in #13322
- build(deps): bump clap_lex from 0.7.2 to 0.7.3 by @dependabot in #13321
- build(deps): bump helm.sh/helm/v3 from 3.16.2 to 3.16.3 by @dependabot in #13320
- Allow diagnostics endpoints command to receive more than one message by @adleong in #13285
- remove linkerd-base references by @brandonros in #13323
- Update outbound policy watches when routes change parents by @adleong in #13315
New Contributors
- @brandonros made their first contribution in #13323
Full Changelog: edge-24.11.2...edge-24.11.3
Contributors
Assets 14
edge-24.11.2
Overall status: NOT RECOMMENDED, use edge-24.11.3 instead
Cautions
linkerd diagnostics endpoints may not correctly show all endpoints for federated Services. We recommend using edge-24.11.3 instead, which fixes this issue.
Changes
edge-24.11.2 brings federated Services to Linkerd multicluster setups! Every federated Service appears exactly the same from every cluster (rather than having names like svc-cluster) and Linkerd seamlessly handles everything to gather the relevant endpoints from all clusters, without requiring application changes or HTTPRoute configuration.
What's Changed
- build(deps): bump cc from 1.1.35 to 1.1.36 by @dependabot in #13275
- build(deps): bump anyhow from 1.0.92 to 1.0.93 by @dependabot in #13281
- build(deps-dev): bump webpack from 5.95.0 to 5.96.1 in /web/app by @dependabot in #13260
- proxy: v2.262.0 by @l5d-bot in #13283
- proxy: v2.263.1 by @l5d-bot in #13286
- build(deps): bump tokio from 1.41.0 to 1.41.1 by @dependabot in #13289
- build(deps): bump libc from 0.2.161 to 0.2.162 by @dependabot in #13288
- build(deps): temporarily pin linkerd2-proxy-api to main by @olix0r in #13290
- Add federated service watcher by @adleong in #13267
- Add support for federated services to the service mirror controller by @adleong in #13269
- Remove duplicate variable by @adleong in #13291
- chore(ci): increase multicluster test timeout by @olix0r in #13293
- chore(just): increase mc test timeout by @olix0r in #13294
- feat(destination): set parent and profile references by @olix0r in #13292
- Add HTTPLocalRateLimitPolicy support by @alpeb in #13231
Full Changelog: edge-24.11.1...edge-24.11.2
Contributors
Assets 14
edge-24.11.1
Overall status: RECOMMENDED
Cautions
N/A
Changes
edge-24.11.1 brings egress monitoring and control to Linkerd! Using the new EgressNetwork CRD as a parentRef for an HTTPRoute, GRPCRoute, TCPRoute, or TLSRoute, you can see which workloads are making egress calls and set policy on what's allowed and what isn't.
What's Changed
- build(deps): bump softprops/action-gh-release from 2.0.8 to 2.0.9 by @dependabot in #13254
- build(deps): bump thiserror from 1.0.65 to 1.0.66 by @dependabot in #13253
- build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 by @dependabot in #13252
- policy: Make global egress network namespace configurable by @zaharidichev in #13250
- Unblock dualstack integration test by @alpeb in #13255
- build(deps): bump thiserror from 1.0.66 to 1.0.68 by @dependabot in #13271
- build(deps-dev): bump html-webpack-plugin from 5.6.2 to 5.6.3 in /web/app by @dependabot in #13258
- build(deps-dev): bump @babel/runtime from 7.25.7 to 7.26.0 in /web/app by @dependabot in #13257
- build(deps-dev): bump @babel/eslint-parser from 7.25.8 to 7.25.9 in /web/app by @dependabot in #13256
- build(deps): bump core-js from 3.38.1 to 3.39.0 in /web/app by @dependabot in #13259
- build(deps): bump anyhow from 1.0.91 to 1.0.92 by @dependabot in #13263
- build(deps): bump anstyle from 1.0.9 to 1.0.10 by @dependabot in #13262
- build(deps): bump cc from 1.1.31 to 1.1.35 by @dependabot in #13273
- policy: limit TCPRoute to one per policy response by @zaharidichev in #13272
- policy: Remove redundant GRPC rule match on default egress GRPCRoute by @zaharidichev in #13279
- Add v1alpha2 version to Link CRD by @adleong in #13268
- proxy: v2.261.0 by @l5d-bot in #13278
Full Changelog: edge-24.10.5...edge-24.11.1
Contributors
Assets 14
edge-24.10.5
Overall status: RECOMMENDED
Cautions
As of edge-24.10.5, if you configure a timeout on a GRPCRoute, a request that hits the timeout will correctly return a DEADLINE-EXCEEDED gRPC status rather than an UNAVAILABLE gRPC status.
Changes
edge-24.10.5 fixes a bug where requests that hit GRPCRoute timeouts would return gRPC status UNAVAILABLE instead of DEADLINE-EXCEEDED.
What's Changed
- policy: Serve EgressNetwork responses by @zaharidichev in #13206
- build(deps): bump crazy-max/ghaction-chocolatey from 3.0.0 to 3.2.0 by @dependabot in #13237
- build(deps-dev): bump @babel/preset-env from 7.25.8 to 7.26.0 in /web/app by @dependabot in #13236
- build(deps-dev): bump eslint-plugin-jsx-a11y from 6.10.0 to 6.10.2 in /web/app by @dependabot in #13235
- build(deps-dev): bump @babel/preset-react from 7.25.7 to 7.25.9 in /web/app by @dependabot in #13233
- build(deps): bump @babel/eslint-plugin from 7.25.7 to 7.25.9 in /web/app by @dependabot in #13232
- build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by @dependabot in #13229
- build(deps): bump pin-project from 1.1.6 to 1.1.7 by @dependabot in #13228
- build(deps): bump regex from 1.11.0 to 1.11.1 by @dependabot in #13227
- build(deps): bump anstyle from 1.0.8 to 1.0.9 by @dependabot in #13226
- build(deps): bump pin-project-lite from 0.2.14 to 0.2.15 by @dependabot in #13225
- build(deps-dev): bump eslint-plugin-react from 7.37.1 to 7.37.2 in /web/app by @dependabot in #13234
- build(deps): bump openssl-src from 300.3.2+3.3.2 to 300.4.0+3.4.0 by @dependabot in #13222
- build(deps): bump k8s.io/apimachinery from 0.31.1 to 0.31.2 by @dependabot in #13221
- proxy: v2.260.0 by @l5d-bot in #13244
- build(deps): bump github.com/prometheus/common from 0.60.0 to 0.60.1 by @dependabot in #13241
- build(deps): bump rustix from 0.38.36 to 0.38.38 by @dependabot in #13240
- build(deps): bump serde from 1.0.213 to 1.0.214 by @dependabot in #13239
- build(deps): bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #13223
- build(deps): bump k8s.io/endpointslice from 0.31.1 to 0.31.2 by @dependabot in #13220
- policy: limit globally affecting egress networks to a single namespace by @zaharidichev in #13246
- build(deps): bump k8s.io/kube-aggregator from 0.31.1 to 0.31.2 by @dependabot in #13217
- build(deps): bump k8s.io/apiextensions-apiserver from 0.31.1 to 0.31.2 by @dependabot in #13219
- build(deps): bump google-github-actions/auth from 2.1.6 to 2.1.7 by @dependabot in #13249
Full Changelog: edge-24.10.4...edge-24.10.5