Netmaker v1.6.0 Release Notes 🚀
🚀 What’s New
🔁 Site-to-Site ACLs (Beta)
Using Netmaker's Egress function at local sites, paired with local routing rules, you can bridge entire networks (site-to-site). Now, Netmaker allows you to define ACL policies that control what traffic is allowed between these sites.
- Build site-to-site rules between egress resources on different networks.
- Combine egress resources, nodes, and specific IPs in a single policy.
🛡️ Egress ACLs with IP Restriction
Netmaker's Egress function forwards traffic to external networks such as offices and data centres. Netmaker's Access Controls can now target individual IPs inside an egress range using the ip ACL target type, so access can be limited to specific hosts within an external network rather than the whole range.
- Restrict access to specific endpoints within a larger egress CIDR.
- Combine egress resources, nodes, tags, and individual IPs in the same policy.
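The two ACL features above (site-to-site rules between egress resources, and ip targets restricted to a host inside an egress CIDR) can be illustrated with a small default-deny policy evaluator. This is an added example, not Netmaker's data model or API: the names EgressResource, Target, Policy, build_policy and is_allowed, and the sample networks and addresses, are all constructed for illustration.

```python
"""Illustrative egress ACL evaluation (hypothetical model, not Netmaker's code)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class EgressResource:
    name: str     # hypothetical egress resource name
    network: str  # Netmaker network the egress gateway lives in
    cidr: str     # external range the gateway forwards to (office LAN, DC LAN, ...)


@dataclass(frozen=True)
class Target:
    """Policy destination: a whole egress resource ('egress') or one host inside one ('ip')."""
    kind: str   # "egress" or "ip"
    value: str  # egress resource name, or an IP literal


@dataclass(frozen=True)
class Policy:
    name: str
    sources: frozenset[str]   # node names or egress resource names (site-to-site)
    targets: tuple[Target, ...]


def egress_containing(addr: str, egresses: dict[str, EgressResource]) -> EgressResource:
    """An 'ip' target must fall inside exactly one known egress range (CIDR validation)."""
    ip = ip_address(addr)
    matches = [e for e in egresses.values() if ip in ip_network(e.cidr, strict=False)]
    if not matches:
        raise ValueError(f"ip target {addr} is not inside any egress range")
    if len(matches) > 1:
        raise ValueError(f"ip target {addr} is ambiguous across {[e.name for e in matches]}")
    return matches[0]


def build_policy(name: str, sources: set[str], targets: list[Target],
                 egresses: dict[str, EgressResource]) -> Policy:
    """Validate every target before the policy is accepted; out-of-range ip targets are rejected."""
    for t in targets:
        if t.kind == "egress":
            if t.value not in egresses:
                raise ValueError(f"unknown egress resource {t.value}")
        elif t.kind == "ip":
            egress_containing(t.value, egresses)
        else:
            raise ValueError(f"unknown target kind {t.kind}")
    return Policy(name, frozenset(sources), tuple(targets))


def is_allowed(src: str, dst: str, policies: list[Policy],
               egresses: dict[str, EgressResource]) -> bool:
    """Default deny: src may reach dst only if some policy lists src and covers dst."""
    dst_ip = ip_address(dst)
    for p in policies:
        if src not in p.sources:
            continue
        for t in p.targets:
            if t.kind == "egress" and dst_ip in ip_network(egresses[t.value].cidr, strict=False):
                return True
            if t.kind == "ip" and dst_ip == ip_address(t.value):
                return True
    return False


# Constructed sample data: two sites behind egress gateways on different networks.
EGRESSES = {
    "office-lan": EgressResource("office-lan", "net-a", "10.20.0.0/16"),
    "dc-lan": EgressResource("dc-lan", "net-b", "10.30.0.0/16"),
}
POLICIES = [
    # Site-to-site: everything behind the DC egress may reach the whole office range.
    build_policy("dc-to-office", {"dc-lan"}, [Target("egress", "office-lan")], EGRESSES),
    # IP restriction: one laptop may reach a single host inside the office range only.
    build_policy("laptop-to-fileserver", {"laptop-1"}, [Target("ip", "10.20.5.10")], EGRESSES),
]

if __name__ == "__main__":
    for src, dst in [("laptop-1", "10.20.5.10"), ("laptop-1", "10.20.5.11"), ("dc-lan", "10.20.7.1")]:
        print(src, "->", dst, "allowed" if is_allowed(src, dst, POLICIES, EGRESSES) else "denied")
```

Validation happens when the policy is built, not when traffic is evaluated, so a typo that places an ip target outside every egress range is caught before it silently matches nothing.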
📦 Egress Applications Catalogue (Beta)
Simplified application-aware egress routing with a built-in catalogue of popular SaaS and cloud services.
- Select from a catalogue of applications, including AWS, Google Cloud, Microsoft 365, Salesforce, GitHub, etc.
- Create egress resources directly from predefined application templates without manually managing domain lists.
- Automatically resolve and maintain application domains, ensuring routing policies stay up to date as services evolve.
- Reduce administrative overhead and improve policy consistency across environments.
⏱️ JIT Group Memberships
Just-In-Time (JIT) access is a workflow within Netmaker where users request temporary access to the network, which is approved by administrators for a predefined time period. JIT access within Netmaker can now be scoped to user groups per network.
- Enable JIT for all non-admin users, or limit it to selected user groups.
- Users request access; admins approve or deny with email notifications.
- Expired grants are cleaned up automatically, and users are notified.
🔗 SIEM Integration
Netmaker provides audit logs of actions and events on the platform. Netmaker can now be integrated with certain providers to forward audit events to your security stack.
- Supported providers: Splunk, Datadog, Elastic, and Microsoft Sentinel.
- Events are exported through the SIEM exporter service.
🔑 Default Enrollment Keys
Enrollment keys are how devices join the network via Netclient. Administrators can now designate a default enrollment key for any network in order to simplify device onboarding.
- Set default enrollment keys per network.
- Regenerate key tokens without recreating the key.
🗄️ Database Schema Migration
This release introduces schema changes to the following core entities:
- Nodes
- Pending Users
- User Invites
- Posture Check Violations
Impact:
- The database structure will be updated automatically during the upgrade.
- Downgrades may not be supported after migration.
👉 Action Required:
- Ensure the application starts successfully and migrations are complete.
- Validate core functionality post-upgrade.
For detailed upgrade steps, refer to the official upgrade documentation:
🧰 Improvements & Fixes
- Netclient registration UX — Host registration over OAuth/basic auth now returns clear websocket close reasons on failure (auth errors, missing access, posture violations, and server errors).
- User group management — Streamlined user role permissions and group updates, role-downgrade handling.
- Orphan reference cleanup — Removes stale network references left behind after resource deletion.
- Scalability & reliability — Optimised node status calculation, offline-status hooks, zombie/orphan node cleanup, and ACL cache race fixes.
- API hardening — Auth rate limiting on REST endpoints and activity-log permission fixes.
- Egress improvements — CIDR validation for ACL egress IPs, multi-domain egress routing, and domain-answer handling for preset-based egress.
- Failover removed — Legacy per-node failover APIs and CLI commands have been removed in favour of gateway-based patterns.
🐞 Known Issues
- IPv6-only machines — Netclients cannot currently auto-upgrade on IPv6-only systems.
- Multi-network join performance — Multi-network netclient joins using an enrollment key still require optimisation.
- systemd-resolved DNS limitation — On systems using systemd-resolved in uplink mode, only the first 3 entries in resolv.conf are honoured; additional entries are ignored. This may cause DNS resolution issues. Stub mode is recommended.
- Windows Desktop App + mixed gateway modes — When the Windows Desktop App is connected to both a Full Tunnel Gateway and a Split Tunnel Gateway, the gateway monitoring component may disconnect from the Split Tunnel Gateway.
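A quick way to check a Linux host for the systemd-resolved limitation listed above: read resolv.conf, count the nameserver lines, and report the ones beyond the first three together with the resolv.conf mode (stub vs. uplink, judged from the symlink target systemd-resolved installs). This is an added check, not part of Netmaker or netclient; the function names and the sample resolv.conf content are constructed for illustration.

```python
"""Detect resolv.conf entries the resolver will ignore (added example, not netclient code)."""
import os

MAX_RESOLVER_NAMESERVERS = 3  # glibc's resolver only uses the first three nameserver lines


def parse_nameservers(text: str) -> list:
    """Return nameserver addresses in file order; lines starting with '#' or ';' are comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def ignored_nameservers(text: str) -> list:
    """Entries beyond the resolver limit; these are the ones that silently stop working."""
    return parse_nameservers(text)[MAX_RESOLVER_NAMESERVERS:]


def resolved_mode(resolv_conf_path: str) -> str:
    """Classify systemd-resolved's resolv.conf mode from the symlink target:
    stub   -> /run/systemd/resolve/stub-resolv.conf (local 127.0.0.53 stub listener)
    uplink -> /run/systemd/resolve/resolv.conf (upstream servers written directly)."""
    if not os.path.islink(resolv_conf_path):
        return "static-or-foreign"
    target = os.readlink(resolv_conf_path)
    base = os.path.basename(target)
    if base == "stub-resolv.conf":
        return "stub"
    if base == "resolv.conf" and "systemd/resolve" in target:
        return "uplink"
    return "unknown"


def advise(text: str, mode: str) -> str:
    """Human-readable verdict combining the entry count with the resolved mode."""
    dropped = ignored_nameservers(text)
    if not dropped:
        return "ok"
    listed = ", ".join(dropped)
    if mode == "uplink":
        return (f"uplink mode: {len(dropped)} nameserver(s) beyond the first "
                f"{MAX_RESOLVER_NAMESERVERS} are ignored ({listed}); switch systemd-resolved to stub mode")
    return f"{len(dropped)} nameserver(s) beyond the first {MAX_RESOLVER_NAMESERVERS} are ignored ({listed})"


# Constructed sample of an uplink-mode resolv.conf; not captured from a real host.
SAMPLE_UPLINK_RESOLV_CONF = """\
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
nameserver 10.0.0.1
nameserver 10.0.0.2
nameserver 10.0.0.3
; fourth entry (e.g. a DNS server added for the overlay) is beyond the resolver limit
nameserver 10.101.0.1
search example.internal
"""

if __name__ == "__main__":
    path = "/etc/resolv.conf"
    with open(path) as f:
        content = f.read()
    print(f"{path} mode={resolved_mode(path)}: {advise(content, resolved_mode(path))}")
```

In stub mode resolv.conf carries only the local stub address, so the entry limit no longer applies to the upstream servers systemd-resolved manages internally, which is why the release notes recommend it.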