
@siggy siggy released this Apr 16, 2019 · 59 commits to master since this release

Announcing Linkerd 2.3 🎈

This stable release introduces a new TLS-based service identity system into the
default Linkerd installation, replacing --tls=optional and the linkerd-ca
controller. Now, proxies generate ephemeral private keys into a tmpfs directory
and dynamically refresh certificates, authenticated by Kubernetes ServiceAccount
tokens, and tied to ServiceAccounts as the identity primitive.

In this release, all meshed HTTP communication is private and authenticated by

Among the many improvements to the web dashboard, we've added a Community page
to surface news and updates from

For more details, see the announcement blog post:

To install this release, run: curl | sh

Upgrade notes: The linkerd-ca controller has been removed in favor of the
linkerd-identity controller. If you had previously installed Linkerd with
--tls=optional, manually delete the linkerd-ca deployment after upgrading.
Also, --single-namespace mode is no longer supported. For full details on
upgrading to this release, please see the
upgrade instructions.
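The upgrade steps above, worked through as a script. This is an added example, not part of the release notes or the Linkerd project's own tooling: it assumes the control plane lives in the default `linkerd` namespace and that `linkerd` and `kubectl` on PATH point at the cluster being upgraded. The helper that decides whether the retired `linkerd-ca` deployment still needs removing is kept separate so it can be exercised without a cluster; the cluster-touching part only runs when `RUN_UPGRADE=1` is set.

```shell
#!/bin/sh
# Added example (not from the Linkerd project): upgrade an existing Linkerd
# install to 2.3 and clean up the retired linkerd-ca controller afterwards.
# Assumptions: control plane in the "linkerd" namespace (the default), and
# `linkerd` / `kubectl` on PATH pointing at the right cluster.
set -eu

LINKERD_NS="${LINKERD_NS:-linkerd}"

# Given the deployment names of the control-plane namespace (one per line),
# print the ones this release retires and `linkerd upgrade` will not remove.
# Only linkerd-ca is retired by 2.3 (it is replaced by linkerd-identity).
obsolete_deployments() {
  printf '%s\n' "$1" | grep -x 'linkerd-ca' || true
}

# Succeeds if the deployment list still contains linkerd-ca, i.e. the previous
# install used --tls=optional and needs the manual cleanup from the notes.
needs_ca_cleanup() {
  [ -n "$(obsolete_deployments "$1")" ]
}

upgrade_linkerd() {
  # 1. Re-render the control plane, reusing the flags from the previous
  #    install or upgrade. `linkerd upgrade` only prints YAML; kubectl applies it.
  linkerd upgrade | kubectl apply -f -

  # 2. Wait for the new identity controller before deleting anything old, so
  #    proxies can obtain certificates from it.
  kubectl -n "$LINKERD_NS" rollout status deploy/linkerd-identity

  # 3. linkerd-ca is not removed by the upgrade; delete it only if present.
  #    `-o name` prints e.g. deployment.apps/linkerd-ca; strip the prefix.
  deploys=$(kubectl -n "$LINKERD_NS" get deploy -o name | sed 's#^[^/]*/##')
  if needs_ca_cleanup "$deploys"; then
    kubectl -n "$LINKERD_NS" delete deployment linkerd-ca
  fi

  # 4. Confirm control plane and data plane are healthy after the change.
  linkerd check
}

# Only touch a real cluster when explicitly asked to.
if [ "${RUN_UPGRADE:-0}" = "1" ]; then
  upgrade_linkerd
fi
```

Run it with `RUN_UPGRADE=1 sh upgrade-2.3.sh` (any file name works); without the variable it only defines the functions, which is convenient for sourcing and dry checks.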

Special thanks to: @codeman9, @harsh-98, @huynq0911, @KatherineMelnyk,
@liquidslr, @paranoidaditya, @Pothulapati, @TwinProduction, and @yb172!

Full release notes:

  • CLI
    • Introduced an upgrade command! This allows an existing Linkerd control
      plane to be reinstalled or reconfigured; it is particularly useful for
      automatically reusing flags set in the previous install or upgrade
    • Introduced the linkerd metrics command for fetching proxy metrics
    • Breaking Change: The --linkerd-cni-enabled flag has been removed from
      the inject command; CNI is configured at the cluster level with the
      install command and no longer applies to the inject command
    • Breaking change: Removed the --disable-external-profiles flag from the
      install command; external profiles are now disabled by default and can be
      enabled with the new --enable-external-profiles flag
    • Breaking change: Removed the --api-port flag from the inject and
      install commands, since there's no benefit to running the control plane's
      destination API on a non-default port (thanks, @paranoidaditya)
    • Breaking change: Removed the --tls=optional flag from the
      linkerd install command, since TLS is now enabled by default
    • Changed install to accept or generate an issuer Secret for the Identity
    • Changed install to fail in the case of a conflict with an existing
      installation; this can be disabled with the --ignore-cluster flag
    • Added the ability to adjust the Prometheus log level via
    • Implemented --proxy-cpu-limit and --proxy-memory-limit for setting the
      proxy resource limits (--proxy-cpu and --proxy-memory were deprecated in
      favor of --proxy-cpu-request and --proxy-memory-request) (thanks @TwinProduction!)
    • Added a validator for the --proxy-log-level flag
    • Updated the inject and uninject subcommands to issue warnings when
      resources lack a Kind property (thanks @Pothulapati!)
    • The inject command proxy options are now converted into config
      annotations; the annotations ensure that these configs are persisted in
      subsequent resource updates
    • Changed inject to require fetching a configuration from the control plane;
      this can be disabled with the --ignore-cluster and --disable-identity
      flags, though this will prevent the injected pods from participating in mesh
    • Included kubectl version check as part of linkerd check (thanks @yb172!)
    • Updated linkerd check to ensure hint URLs are displayed for RPC checks
    • Fixed sporadic (and harmless) race condition error in linkerd check
    • Introduced a check for NET_ADMIN in linkerd check
    • Fixed permissions check for CRDs
    • Updated the linkerd dashboard command to serve the dashboard on a fixed
      port, allowing it to leverage browser local storage for user settings
    • Updated the linkerd routes command to display rows for routes that are not
      receiving any traffic
    • Added TCP stats to the stat command, under the -o wide and -o json flags
    • The stat command now always shows the number of open TCP connections
    • Removed TLS metrics from the stat command; this is in preparation for
      surfacing identity metrics in a clearer way
    • Exposed the install-cni command and its flags, and tweaked their descriptions
    • Eliminated false-positive vulnerability warnings related to go.uuid
  • Controller
    • Added a new public API endpoint for fetching control plane configuration
    • Breaking change: Removed support for running the control plane in
      single-namespace mode, which supported far fewer features because it had
      no access to cluster-wide resources; the longer-term goal is for Linkerd
      to degrade gracefully according to the privileges it is granted
    • Updated automatic proxy injection and CLI injection to support overriding
      inject defaults via pod spec annotations
    • Added support for the annotation on pod
      specs; this will override the injected proxy version
    • The auto-inject admission controller webhook was updated to watch pod
      creation and update events; with this change, proxy auto-injection now works
      for all kinds of workloads, including StatefulSets, DaemonSets, Jobs, etc.
    • Service profile validation is now performed via a webhook endpoint; this
      prevents Kubernetes from accepting invalid service profiles
    • Changed the default CPU request from 10m to 100m for HA deployments;
      this helps prevent intermittent liveness/readiness probe failures caused by
      tight resource constraints
    • Updated destination service to return TLS identities only when the
      destination pod is TLS-aware and is in the same controller namespace
    • Lowered the klog verbosity level to improve security
    • Updated control plane components to query Kubernetes at startup to determine
      authorized namespaces and if ServiceProfile support is available
    • Modified the stats payload to include the following TCP stats:
      tcp_open_connections, tcp_read_bytes_total, tcp_write_bytes_total
    • Instrumented clients in the control plane connecting to Kubernetes, thus
      providing better visibility for diagnosing potential problems with those
    • Renamed the "linkerd-proxy-api" service to "linkerd-destination"
    • Bumped Prometheus to version 2.7.1 and Grafana to version 5.4.3
  • Proxy
    • Introduced per-proxy private key generation and dynamic certificate renewal
    • Fixed a connection starvation issue where TLS discovery detection on
      slow or idle connections could block all other connections from being
      accepted on the inbound listener of the proxy
    • Fixed a stream leak between the proxy and the control plane that could
      cause the linkerd-controller pod to use an excessive amount of memory
    • Added a readiness check endpoint on :4191/ready so that Kubernetes doesn't
      consider pods ready until they have acquired a certificate from the Identity
    • Some l5d-* informational headers have been temporarily removed from
      requests and responses because they could leak information to external
    • The proxy's connect timeouts have been updated, especially to improve
      reconnect behavior between the proxy and the control plane
    • Increased the inbound/router cap on MAX_CONCURRENT_STREAMS
    • The l5d-remote-ip header is now set on inbound requests and outbound
    • Fixed issue with proxy falling back to filesystem polling due to improperly
      sized inotify buffer
  • Web UI
    • New: Added a Community page to surface news and updates from
    • Added a Debug page to the web dashboard, allowing you to introspect service
      discovery state
    • The Overview page in the Linkerd dashboard now renders appropriately when
      viewed on mobile devices
    • Added filter functionality to the metrics tables
    • Added stable sorting for table rows
    • Added TCP stats to the Linkerd Pod Grafana dashboard
    • Added TCP stat tables on the namespace landing page and resource detail page
    • The topology graph now shows TCP stats if no HTTP stats are available
    • Improved table display on the resource detail page for resources with
      TCP-only traffic
    • Updated the resource detail page to start displaying a table with TCP stats
    • Modified the Grafana variable queries to use a TCP-based metric, so that
      if there is only TCP traffic then the dropdowns don't end up empty
    • Fixed sidebar not updating when resources were added/deleted (thanks
    • Added validation to the "new service profile" form (thanks @liquidslr!)
    • Added a Grafana dashboard and web tables for displaying Job stats
      (thanks, @Pothulapati!)
    • Removed TLS columns from the dashboard tables; this is in preparation for
      surfacing identity metrics in a clearer way
    • Fixed the behavior of the Top query 'Start' button if a user's query returns
      no data
    • Fixed an issue with the order of tables returned from a Top Routes query
    • Added text wrap for paths in the modal for expanded Tap query data
    • Fixed a quoting issue with service profile downloads (thanks, @liquidslr!)
    • Updated sorting of route table to move default routes to the bottom
    • Removed 'Help' hierarchy and surfaced links on navigation sidebar
    • Ensured that all the tooltips in Grafana displaying the series are shared
      across all the graphs
  • Internals
    • Improved the bin/go-run script for the build process so that on failure,
      all associated background processes are terminated
    • Added more log errors to the integration tests
    • Removed the GOPATH dependence from the CLI dev environment
    • Consolidated injection code from CLI and admission controller code paths
    • Enabled the following linters: unparam, unconvert, goimports,
      goconst, scopelint, unused, gosimple
    • Bumped base Docker images
    • Added the flags -update and -pretty-diff to tests to allow overwriting
      fixtures and to print the full text of the fixtures upon mismatches
    • Introduced golangci-lint tooling, using .golangci.yml to centralize
      the config
    • Added a -cover parameter to track code coverage in go tests
      (more info in
    • Renamed a function in a test that was shadowing a go built-in function
      (thanks @huynq0911!)