Announcing Linkerd 2.11.2 🎉

[olix0r]

Howdy Linkerd folks,

We're happy to announce the next stable release of Linkerd: stable-2.11.2!

This release pulls in many small fixes and improvements from the main
development branch. It features changes to the multicluster extension to
support the new linkerd-failover extension so that clients can
failover across services hosted on remote clusters.

To install this release, you can run:

curl --proto '=https' --tlsv1.2 -fSsL https://run.linkerd.io/install | sh

As always, we're excited to hear your feedback. Please try out the new release and let us know if you see anything unexpected!

Changes

• CLI

  • Updated check to avoid checking the proxy version of uninjected pods
  • Updated check to skip evicted pods
  • Updated extension install commands to support the --ignore-cluster flag

• Core

  • Fixed a bug in the destination controller that could prevent service
    endpoint updates from being sent to the proxy
  • Updated the destination controller to honor Server resources when
    determining an endpoint's opaqueness
  • Updated the proxy to correctly honor opaque protocol hints for
    non-Kubernetes targets, i.e., when a workload's
    config.linkerd.io/enable-external-profiles annotation is set to true
  • Updated controller webhook servers to ensure that TLS v1.2 or greater is
    used
  • Disabled pprof in control plane admin endpoints by default
  • Updated controllers to ensure that user input is quoted & escaped
    in log messages
  • Updated the proxy's linkerd-await post-start hook to timeout after 2
    minutes. This makes it easier to debug proxies that fail to become ready
  • Updated the proxy init container to support JSON log formatting
  • Added a config.linkerd.io/skip-subnets workload annotation that can be
    used to configure the proxy-init to skip rewriting all traffic to a given
    subnet. This is primarily intended to support docker-in-docker deployments
  • Updated the policy controller to use an openssl backend for its admission
    controller server on x86_64 to improve interopability with more exotic
    Kubernetes server configurations
  • Updated the policy controller to dynamically reload its webhook server
    credentials without restarting
  • Updated the Server CRD to relax OpenAPI schema validation requirements
  • Updated the policy controller webhook server to enforce validation of
    Server and ServerAuthorization resources
  • Added a proxyInit.runAsRoot helm variable that may be set to false to run
    the proxy-init container as a non-root user
  • Updated controller servers to limit the amount of data that may be buffered
    to guard against malicious clients
  • Removed use of the deprecated beta.kubernetes.io/node label

• Jaeger

  • Upgraded jaeger to v1.31 and opentelemetry-collector to v0.43 to support
    ARM

• Multicluster

  • Updated service mirrors so that local services reflect the
    readiness of the remote service. When the remote service has no ready
    endpoints or when its gateway is unavailable, the mirrored local service
    will also have no ready endpoints
  • Fixed a configuration issue that prevented multicluster gateways from
    running on ARM nodes
  • Updated multicluster service mirrors to only create mirrored services when
    the service's namespace already exists in the local cluster
  • Fixed a bug that prevented WebSocket requests from being routed by gateways
  • Updated the linkerd-multicluster-link Helm chart so that a RoleBinding
    is created for each target cluster. This role binding is now only created
    when the enablePSP helm value is set to true
  • Added a linkerd multicluster install --ha flag to run gateways with
    multiple replicas, pod disruption budgets, anti-affinity settings, etc