stable-2.4.0

Announcing Linkerd 2.4 🎈

This release adds traffic splitting functionality, support for the Kubernetes
Service Mesh Interface (SMI), graduates high-availability support out of
experimental status, and adds a tremendous list of other improvements,
performance enhancements, and bug fixes.

Linkerd's new traffic splitting feature allows users to dynamically control the
percentage of traffic destined for a service. This powerful feature can be used
to implement rollout strategies like canary releases and blue-green deploys.
Support for the Service Mesh Interface (SMI) makes it
easier for ecosystem tools to work across all service mesh implementations.

Along with the introduction of optional install stages via the linkerd install config
and linkerd install control-plane commands, the default behavior of
the linkerd inject command only adds annotations and defers injection to the
always-installed proxy injector component.

Finally, there have been many performance and usability improvements to the
proxy and UI, as well as production-ready features including:

• A new linkerd edges command that provides fine-grained observability into
  the TLS-based identity system
• A --enable-debug-sidecar flag for the linkerd inject command that improves
  debugging efforts

Linkerd recently passed a CNCF-sponsored security audit! Check out the in-depth
report here.

To install this release, run: curl https://run.linkerd.io/install | sh

Upgrade notes: Use the linkerd upgrade command to upgrade the control
plane. This command ensures that all existing control plane's configuration and
mTLS secrets are retained. For more details, please see the upgrade
instructions for more details.

Special thanks to: @alenkacz, @codeman9, @dwj300, @jackprice, @liquidslr
@matej-g, @Pothulapati, @zaharidichev,

Full release notes:

• CLI
  • Breaking Change Removed the --proxy-auto-inject flag, as the proxy
    injector is now always installed
  • Breaking Change Replaced the --linkerd-version flag with the
    --proxy-version flag in the linkerd install and linkerd upgrade
    commands, which allows setting the version for the injected proxy sidecar
    image, without changing the image versions for the control plane
  • Introduced install stages: linkerd install config and linkerd install control-plane
  • Introduced upgrade stages: linkerd upgrade config and linkerd upgrade control-plane
  • Introduced a new --from-manifests flag to linkerd upgrade allowing
    manually feeding a previously saved output of linkerd install into the
    command, instead of requiring a connection to the cluster to fetch the
    config
  • Introduced a new --manual flag to linkerd inject to output the proxy
    sidecar container spec
  • Introduced a new --enable-debug-sidecar flag to linkerd inject, that
    injects a debug sidecar to inspect traffic to and from the meshed pod
  • Added a new check for unschedulable pods and PSP issues (thanks,
    @liquidslr!)
  • Disabled the spinner in linkerd check when running without a TTY
  • Ensured the ServiceAccount for the proxy injector is created before its
    Deployment to avoid warnings when installing the proxy injector (thanks,
    @dwj300!)
  • Added a linkerd check config command for verifying that linkerd install config was successful
  • Improved the help documentation of linkerd install to clarify flag usage
  • Added support for private Kubernetes clusters by changing the CLI to connect
    to the control plane using a port-forward (thanks, @jackprice!)
  • Fixed linkerd check and linkerd dashboard failing when any control plane
    pod is not ready, even when multiple replicas exist (as in HA mode)
  • New Added a linkerd edges command that shows the source and
    destination name and identity for proxied connections, to assist in
    debugging
  • Tap can now be disabled for specific pods during injection by using the
    --disable-tap flag, or by using the config.linkerd.io/disable-tap
    annotation
  • Introduced pre-install healthcheck for clock skew (thanks, @matej-g!)
  • Added a JSON option to the linkerd edges command so that output is
    scripting friendly and can be parsed easily (thanks @alenkacz!)
  • Fixed an issue when Linkerd is installed with --ha, running linkerd upgrade without --ha will disable the high availability control plane
  • Fixed an issue with linkerd upgrade where running without --ha would
    unintentionally disable high availability features if they were previously
    enabled
  • Added a --init-image-version flag to linkerd inject to override the
    injected proxy-init container version
  • Added the --linkerd-cni-enabled flag to the install subcommands so that
    NET_ADMIN capability is omitted from the CNI-enabled control plane's PSP
  • Updated linkerd check to validate the caller can create
    PodSecurityPolicy resources
  • Added a check to linkerd install to prevent installing multiple control
    planes into different namespaces avoid conflicts between global resources
  • Added support for passing a URL directly to linkerd inject (thanks
    @Pothulapati!)
  • Added more descriptive output to the linkerd check output for control
    plane ReplicaSet readiness
  • Refactored the linkerd endpoints to use the same interface as used by the
    proxy for service discovery information
  • Fixed a bug where linkerd inject would fail when given a path to a file
    outside the current directory
  • Graduated high-availability support out of experimental status
  • Modified the error message for linkerd install to provide instructions for
    proceeding when an existing installation is found
• Controller
  • Added Go pprof HTTP endpoints to all control plane components' admin servers
    to better assist debugging efforts
  • Fixed bug in the proxy injector, where sporadically the pod workload owner
    wasn't properly determined, which would result in erroneous stats
  • Added support for a new config.linkerd.io/disable-identity annotation to
    opt out of identity for a specific pod
  • Fixed pod creation failure when a ResourceQuota exists by adding a default
    resource spec for the proxy-init init container
  • Fixed control plane components failing on startup when the Kubernetes API
    returns an ErrGroupDiscoveryFailed
  • Added Controller Component Labels to the webhook config resources (thanks,
    @Pothulapati!)
  • Moved the tap service into its own pod
  • New Control plane installations now generate a self-signed certificate
    and private key pair for each webhook, to prepare for future work to make
    the proxy injector and service profile validator HA
  • Added the config.linkerd.io/enable-debug-sidecar annotation allowing the
    --enable-debug-sidecar flag to work when auto-injecting Linkerd proxies
  • Added multiple replicas for the proxy-injector and sp-validator
    controllers when run in high availability mode (thanks to @Pothulapati!)
  • Defined least privilege default security context values for the proxy
    container so that auto-injection does not fail (thanks @codeman9!)
  • Default the webhook failure policy to Fail in order to account for
    unexpected errors during auto-inject; this ensures uninjected applications
    are not deployed
  • Introduced control plane's PSP and RBAC resources into Helm templates; these
    policies are only in effect if the PSP admission controller is enabled
  • Removed UPDATE operation from proxy-injector webhook because pod mutations
    are disallowed during update operations
  • Default the mutating and validating webhook configurations sideEffects
    property to None to indicate that the webhooks have no side effects on
    other resources (thanks @Pothulapati!)
  • Added support for the SMI TrafficSplit API which allows users to define
    traffic splits in TrafficSplit custom resources
  • Added the linkerd.io/control-plane-ns label to all Linkerd resources
    allowing them to be identified using a label selector
  • Added Prometheus metrics for the Kubernetes watchers in the destination
    service for better visibility
• Proxy
  • Replaced the fixed reconnect backoff with an exponential one (thanks,
    @zaharidichev!)
  • Fixed an issue where load balancers can become stuck
  • Added a dispatch timeout that limits the amount of time a request can be
    buffered in the proxy
  • Removed the limit on the number of concurrently active service discovery
    queries to the destination service
  • Fix an epoll notification issue that could cause excessive CPU usage
  • Added the ability to disable tap by setting an env var (thanks,
    @zaharidichev!)
  • Changed the proxy's routing behavior so that, when the control plane does
    not resolve a destination, the proxy forwards the request with minimal
    additional routing logic
  • Fixed a bug in the proxy's HPACK codec that could cause requests with very
    large header values to hang indefinitely
  • Fixed a memory leak that can occur if an HTTP/2 request with a payload ends
    before the entire payload is sent to the destination
  • The l5d-override-dst header is now used for inbound service profile
    discovery
  • Added errors totals to response_total metrics
  • Changed the load balancer to require that Kubernetes services are resolved
    via the control plane
  • Added the NET_RAW capability to the proxy-init container to be compatible
    with PodSecurityPolicys that use drop: all
  • Fixed the proxy rejecting HTTP...

edge-19.7.3

edge-19.7.3

• CLI
  • Graduated high-availability support out of experimental status
  • Modified the error message for linkerd install to provide instructions for
    proceeding when an existing installation is found
• Controller
  • Added Prometheus metrics for the Kubernetes watchers in the destination
    service for better visibility

edge-19.7.2

• CLI
  • Refactored the linkerd endpoints to use the same interface as used by the
    proxy for service discovery information
  • Fixed a bug where linkerd inject would fail when given a path to a file
    outside the current directory
• Proxy
  • Fixed a bug where DNS queries could persist longer than necessary
  • Improved router eviction to remove idle services in a more timely manner
  • Fixed a bug where the proxy would fail to process requests with obscure
    characters in the URI

edge-19.7.1

edge-19.7.1

• CLI
  • Added more descriptive output to the linkerd check output for control
    plane ReplicaSet readiness
  • Breaking change Renamed config.linkerd.io/debug annotation to
    config.linkerd.io/enable-debug-sidecar, to match the
    --enable-debug-sidecar CLI flag that sets it
  • Fixed a bug in linkerd edges that caused incorrect identities to be
    displayed when requests were sent from two or more namespaces
• Controller
  • Added the linkerd.io/control-plane-ns label to the SMI Traffic Split CRD
• Proxy
  • Fixed proxied HTTP/2 connections returning 502 errors when the upstream
    connection is reset, rather than propagating the reset to the client
  • Changed the proxy to treat unexpected HTTP/2 frames as stream errors rather
    than connection errors

edge-19.6.4

edge-19.6.4

This release adds support for the SMI Traffic Split
API. Creating a TrafficSplit resource will cause Linkerd to split traffic
between the specified backend services. Please see the spec
for more details.

• CLI
  • Added a check to install to prevent installing multiple control planes
    into different namespaces
  • Added support for passing a URL directly to linkerd inject (thanks
    @Pothulapati!)
  • Added the --all-namespaces flag to linkerd edges
• Controller
  • Added support for the SMI TrafficSplit API which allows users to define
    traffic splits in TrafficSplit custom resources
• Web UI
  • Improved UI for Edges table in dashboard by changing column names, adding a
    "Secured" icon and showing an empty Edges table in the case of no returned
    edges

edge-19.6.3

This is an edge release of Linkerd! The latest stable release is stable-2.3.2.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

• CLI
  • Updated linkerd check to validate the caller can create
    PodSecurityPolicy resources
• Controller
  • Default the mutating and validating webhook configurations sideEffects
    property to None to indicate that the webhooks have no side effects on
    other resources (thanks @Pothulapati!)
• Proxy
  • Added the NET_RAW capability to the proxy-init container to be compatible
    with PodSecurityPolicys that use drop: all
  • Fixed the proxy rejecting HTTP2 requests that don't have an :authority
  • Improved idle service eviction to reduce resource consumption for clients
    that send requests to many services
• Web UI
  • Removed the "Debug" page from the Linkerd dashboard while the functionality
    of that page is being redesigned
  • Added an Edges table to the resource detail view that shows the source,
    destination name, and identity for proxied connections

edge-19.6.2

This is an edge release of Linkerd! The latest stable release is stable-2.3.2.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

• CLI
  • Added the --linkerd-cni-enabled flag to the install subcommands so that
    NET_ADMIN capability is omitted from the CNI-enabled control plane's PSP
• Controller
  • Default to least-privilege security context values for the proxy container
    so that auto-inject does not fail on restricted PSPs (thanks @codeman9!)
  • Default the webhook failure policy to Fail in order to account for
    unexpected errors during auto-inject; this ensures uninjected applications
    are not deployed
  • Introduced control plane's PSP and RBAC resources into Helm templates;
    these policies are only in effect if the PSP admission controller is
    enabled
  • Removed UPDATE operation from proxy-injector webhook because pod
    mutations are disallowed during update operations
• Proxy
  • The l5d-override-dst header is now used for inbound service profile
    discovery
  • Include errors in response_total metrics
  • Changed the load balancer to require that Kubernetes services are resolved
    via the control plane
• Web UI
  • Fixed dashboard behavior that caused incorrect table sorting

stable-2.3.2

This stable release fixes a memory leak in the proxy.

To install this release, run: curl https://run.linkerd.io/install | sh

Full release notes:

• Proxy
  • Fixed a memory leak that can occur if an HTTP/2 request with a payload
    ends before the entire payload is sent to the destination

edge-19.6.1

edge-19.6.1

• CLI
  • Fixed an issue where, when Linkerd is installed with --ha, running
    linkerd upgrade without --ha will disable the high availability
    control plane
  • Added a --init-image-version flag to linkerd inject to override the
    injected proxy-init container version
• Controller
  • Added multiple replicas for the proxy-injector and sp-validator
    controllers when run in high availability mode (thanks to @Pothulapati!)
• Proxy
  • Fixed a memory leak that can occur if an HTTP/2 request with a payload
    ends before the entire payload is sent to the destination
• Internal
  • Moved the proxy-init container to a separate linkerd/proxy-init Git
    repository

stable-2.3.1

This stable release adds a number of proxy stability improvements.

To install this release, run: curl https://run.linkerd.io/install | sh

Special thanks to: @zaharidichev and @11Takanori!

Full release notes:

• Proxy
  • Changed the proxy's routing behavior so that, when the control plane
    does not resolve a destination, the proxy forwards the request with minimal
    additional routing logic
  • Fixed a bug in the proxy's HPACK codec that could cause requests with
    very large header values to hang indefinitely
  • Replaced the fixed reconnect backoff with an exponential one (thanks,
    @zaharidichev!)
  • Fixed an issue where requests could be held indefinitely by the load balancer
  • Added a dispatch timeout that limits the amount of time a request can be
    buffered in the proxy
  • Removed the limit on the number of concurrently active service discovery
    queries to the destination service
  • Fixed an epoll notification issue that could cause excessive CPU usage
  • Added the ability to disable tap by setting an env var (thanks,
    @zaharidichev!)