Releases: linkerd/linkerd2

stable-2.14.2

26 Oct 21:40
2f25cde

This stable release fixes issues in the proxy and Destination controller which
can result in Linkerd proxies sending traffic to stale endpoints. In addition,
it contains a bug fix for profile resolutions for pods bound on host ports and
includes patches for security advisory CVE-2023-44487/GHSA-qppj-fm5r-hxr3.

  • Control Plane

    • Fixed an issue where the Destination controller could stop processing
      changes in the endpoints of a destination, if a proxy subscribed to that
      destination stops reading service discovery updates. This issue results in
      proxies attempting to send traffic for that destination to stale endpoints
      (#11491, fixes #11480, #11279, #10590)
    • Fixed an issue where the Destination controller would not update pod
      metadata for profile resolutions for a pod accessed via the host network
      (e.g. HostPort endpoints) (#11334)
    • Addressed CVE-2023-44487/GHSA-qppj-fm5r-hxr3 by upgrading several
      dependencies (including Go's gRPC and net libraries)
  • Proxy

    • Fixed a regression where the proxy rendered grpc_status metric labels as
      a string rather than as the numeric status code (linkerd2-proxy#2480;
      fixes #11449)
    • Fixed a regression introduced in stable-2.13.0 where proxies would not
      terminate unused service discovery watches, exerting backpressure on the
      Destination controller, potentially causing it to become
      stuck (linkerd2-proxy#2484)

edge-23.10.3

19 Oct 23:03
166c94f

This edge release fixes issues in the proxy and Destination controller which can
result in Linkerd proxies sending traffic to stale endpoints. In addition, it
contains other bugfixes and updates dependencies to include patches for the
security advisories CVE-2023-44487/GHSA-qppj-fm5r-hxr3 and GHSA-c827-hfw6-qwvm.

  • Fixed an issue where the Destination controller could stop processing
    changes in the endpoints of a destination, if a proxy subscribed to that
    destination stops reading service discovery updates. This issue results in
    proxies attempting to send traffic for that destination to stale endpoints
    (#11483, fixes #11480, #11279, and #10590)
  • Fixed a regression introduced in stable-2.13.0 where proxies would not
    terminate unused service discovery watches, exerting backpressure on the
    Destination controller which could cause it to become stuck
    (linkerd2-proxy#2484 and linkerd2-proxy#2486)
  • Added INFO-level logging to the proxy when endpoints are added or removed
    from a load balancer. These logs are enabled by default, and can be disabled
    by setting the proxy log level to
    warn,linkerd=info,linkerd_proxy_balance=warn or similar
    (linkerd2-proxy#2486)
  • Fixed a regression where the proxy rendered grpc_status metric labels as a
    string rather than as the numeric status code (linkerd2-proxy#2480; fixes
    #11449)
  • Extended linkerd-jaeger's imagePullSecrets Helm value to also apply to
    the namespace-metadata ServiceAccount (#11504)
  • Updated the control plane's dependency on the google.golang.org/grpc Go
    package to include patches for CVE-2023-44487/GHSA-qppj-fm5r-hxr3 (#11496)
  • Updated dependencies on rustix to include patches for GHSA-c827-hfw6-qwvm
    (linkerd2-proxy#2488 and #11512).

edge-23.10.2

12 Oct 22:55
cd2c88e

This edge release includes a fix addressing an issue during upgrades for
instances not relying on automated webhook certificate management (like
cert-manager provides).

  • Added a checksum/config annotation to the destination and proxy injector
    deployment manifests, to force restarting those workloads whenever their
    webhook secrets change during upgrade (thanks @iAnomaly!) (#11440)
  • Fixed policy controller error when deleting a Gateway API HTTPRoute resource
    (#11471)

edge-23.10.1

04 Oct 23:28
094890c

This edge release adds additional configurability to Linkerd's viz and
multicluster extensions.

  • Added a podAnnotations Helm value to allow adding additional annotations to
    the Linkerd-Viz Prometheus Deployment (#11365) (thanks @cemenson)
  • Added imagePullSecrets Helm values to the multicluster chart so that it can
    be installed in an air-gapped environment. (#11285) (thanks @lhaussknecht)

edge-23.9.4

29 Sep 15:43
bc97b02

This edge release makes Linkerd even better.

  • Added a controlPlaneVersion override to the linkerd-control-plane Helm chart
    to support including SHA256 image digests in Linkerd manifests (thanks
    @cromulentbanana!) (#11406)
  • Improved linkerd viz check to attempt to validate that the Prometheus scrape
    interval will work well with the CLI and Web query parameters (#11376)
  • Improved CLI error handling to print differentiated error information when
    versioncheck.linkerd.io cannot be resolved (thanks @dtaskai) (#11377)
  • Fixed an issue where the destination controller would not update pod metadata
    for profile resolutions for a pod accessed via the host network (e.g.
    HostPort endpoints) (#11334).
  • Added a validating webhook config for httproutes.gateway.networking.k8s.io
    resources (thanks @mikutas!) (#11150)
  • Introduced a new multicluster check --timeout flag to limit the time
    allowed for Kubernetes API calls (thanks @moki1202) (#11420)

stable-2.13.7

26 Sep 15:29
526633f

This stable release backports two fixes that address security
vulnerabilities. The proxy's dependency on the webpki library has been updated
to patch RUSTSEC-2023-0052, a potential CPU usage denial-of-service attack
when accepting a TLS handshake from an untrusted peer. In addition, the CNI and
proxy-init images have been updated to patch CVE-2023-2603 surfaced in the
runtime image's libcap library. Finally, the release contains a backported fix
for service discovery on endpoints that use hostPorts which could potentially
disrupt connections on pod restarts.

  • Control Plane

    • Changed how hostPort lookups are handled in the destination service.
      Previously, when doing service discovery for an endpoint bound on a
      hostPort, the destination service would return the corresponding pod IP. On
      pod restart, this could lead to loss of connectivity on the client's side.
      The destination service now always returns host IPs for service discovery
      on an endpoint that uses hostPorts (#11328)
  • Proxy

  • CNI

stable-2.14.1

25 Sep 18:45
f496587

This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
remoteDiscoverySelector field in the Link resource would cause all services
to be exported. Finally, this release includes numerous other fixes and
enhancements and addresses two security vulnerabilities,
CVE-2023-2603 detected in the proxy-init runtime
image's libcap library and RUSTSEC-2023-0052, a
potential CPU usage denial-of-service attack in the proxy's webpki library
dependency.

  • CLI

    • Fixed linkerd check --proxy incorrectly checking the proxy version of
      pods in the completed state (thanks @mikutas!) (#11295; fixes #11280)
    • Fixed erroneous skipped messages when injecting namespaces with linkerd
      inject (thanks @mikutas!) (#10231)
  • CNI

    • Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI
      plugin (#11296)
  • Control Plane

    • Changed how hostPort lookups are handled in the destination service.
      Previously, when doing service discovery for an endpoint bound on a
      hostPort, the destination service would return the corresponding pod IP. On
      pod restart, this could lead to loss of connectivity on the client's side.
      The destination service now always returns host IPs for service discovery
      on an endpoint that uses hostPorts (#11328)
    • Updated HTTPRoute webhook rule to validate all apiVersions of the resource
      (thanks @mikutas!) (#11149)
  • Helm

    • Removed unnecessary linkerd.io/helm-release-version annotation from the
      linkerd-control-plane Helm chart (thanks @mikutas!) (#11329; fixes
      #10778)
    • Introduced resource requests/limits for the policy controller resource in
      the control plane helm chart (#11301)
  • Multicluster

    • Fixed an issue where an empty remoteDiscoverySelector field in a
      multicluster link would cause all services to be mirrored (#11309)
    • Removed time out from linkerd multicluster gateways command; when no
      metrics exist the command will return instantly (#11265)
    • Improved help messaging for linkerd multicluster link (#11265)
  • Proxy

edge-23.9.3

22 Sep 19:17
4a336ba

This edge release updates the proxy's dependency on the rustls library to
patch security vulnerability RUSTSEC-2023-0052
(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when
accepting a TLS handshake from an untrusted peer with a maliciously-crafted
certificate. Furthermore, this edge release contains a few improvements to the
control plane and jaeger extension Helm charts.

  • Addressed security vulnerability RUSTSEC-2023-0052 in
    the proxy by updating its dependency on the rustls library
  • Added a prometheusUrl field for the heartbeat job in the control plane Helm
    chart (thanks @david972!) (#11343; fixes #11342)
  • Introduced support for arbitrary labels in the podMonitors field in the
    control plane Helm chart (thanks @jseiser!) (#11222; fixes #11175)
  • Added support for config merge and Deployment environment to
    opentelemetry-collector in the jaeger extension (thanks @iAnomaly!)
    (#11283)

edge-23.9.2

13 Sep 21:24
f5e490c

This edge release updates the proxy's dependency on the webpki library to
patch security vulnerability RUSTSEC-2023-0052 (GHSA-8qv2-5vq6-g2g7), a
potential CPU usage denial-of-service attack when accepting a TLS handshake from
an untrusted peer with a maliciously-crafted certificate.

  • Addressed security vulnerability RUSTSEC-2023-0052 in the proxy (#11361)
  • Fixed linkerd check --proxy incorrectly checking the proxy version of pods
    in the completed state (thanks @mikutas!) (#11295; fixes #11280)
  • Removed unnecessary linkerd.io/helm-release-version annotation from the
    linkerd-control-plane Helm chart (thanks @mikutas!) (#11329; fixes
    #10778)

edge-23.9.1

11 Sep 19:11
a9f845c

This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

  • Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
    (#11296)
  • Introduced resource requests/limits for the policy controller resource in the
    control plane helm chart (#11301)
  • Fixed an issue where an empty remoteDiscoverySelector field in a
    multicluster link would cause all services to be mirrored (#11309)
  • Removed time out from linkerd multicluster gateways command; when no
    metrics exist the command will return instantly (#11265)
  • Improved help messaging for linkerd multicluster link (#11265)
  • Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a hostPort,
    the destination service would return the corresponding pod IP. On pod
    restart, this could lead to loss of connectivity on the client's side. The
    destination service now always returns host IPs for service discovery on an
    endpoint that uses hostPorts (#11328)
  • Updated HTTPRoute webhook rule to validate all apiVersions of the resource
    (thanks @mikutas!) (#11149)
  • Fixed erroneous skipped messages when injecting namespaces with linkerd inject (thanks @mikutas!) (#10231)