
@siggy siggy released this Aug 20, 2019 · 78 commits to master since this release

Announcing Linkerd 2.5 🎈

This release adds Helm support, tap authentication and authorization via RBAC,
traffic split stats, dynamic logging levels, a new cluster monitoring dashboard,
and countless performance enhancements and bug fixes.

For more details, see the announcement blog post:
https://linkerd.io/2019/08/20/announcing-linkerd-2.5/

To install this release, run: curl https://run.linkerd.io/install | sh

Upgrade notes: Use the linkerd upgrade command to upgrade the control
plane. This command ensures that all of the existing control plane's
configuration and mTLS secrets are retained. For more details, please see the
upgrade instructions.

Special thanks to: @alenkacz, @codeman9, @ethan-daocloud, @jonathanbeber,
and @Pothulapati!

Full release notes:

  • CLI
    • New: Updated linkerd tap, linkerd top and linkerd profile --tap to
      require tap.linkerd.io RBAC privileges. See https://linkerd.io/tap-rbac
      for more info
    • New: Added traffic split metrics via linkerd stat trafficsplits
      subcommand
    • Made the linkerd routes command traffic split aware
    • Introduced the linkerd --as flag which allows users to impersonate another
      user for Kubernetes operations
    • Introduced the --all-namespaces (-A) option to the linkerd get,
      linkerd edges and linkerd stat commands to retrieve resources across
      all namespaces
    • Improved the installation report produced by the linkerd check command
      to include the control plane pods' live status
    • Fixed bug in the linkerd upgrade config command that was causing it to
      crash
    • Introduced --use-wait-flag to the linkerd install-cni command, to
      configure the CNI plugin to use the -w flag for iptables commands
    • Introduced --restrict-dashboard-privileges flag to linkerd install
      command, to disallow tap in the dashboard
    • Fixed linkerd uninject not removing linkerd.io/inject: enabled
      annotations
    • Fixed linkerd stat -h example commands (thanks @ethan-daocloud!)
    • Fixed incorrect "meshed" count in linkerd stat when resources share the
      same label selector for pods (thanks @jonathanbeber!)
    • Added pod status to the output of the linkerd stat command (thanks
      @jonathanbeber!)
    • Added namespace information to the linkerd edges command output and a new
      -o wide flag that shows the identity of the client and server if known
    • Added a check to the linkerd check command to validate that the user has
      the privileges necessary to create CronJobs
    • Added a new check to the linkerd check --pre command validating that if
      PSP is enabled, the NET_RAW capability is available
  • Controller
    • New: Disabled all unauthenticated tap endpoints. Tap requests now require
      RBAC authentication and authorization
    • New: Introduced optional cluster heartbeat cron job
    • The l5d-require-id header is now set on tap requests so that a connection
      is established over TLS
    • Introduced a new RoleBinding in the kube-system namespace to provide
      access to tap
    • Added HTTP security headers on all dashboard responses
    • Added support for namespace-level proxy override annotations (thanks
      @Pothulapati!)
    • Added resource limits when HA is enabled (thanks @Pothulapati!)
    • Added pod anti-affinity rules to the control plane pods when HA is enabled
      (thanks @Pothulapati!)
    • Fixed a crash in the destination service when an endpoint does not have a
      TargetRef
    • Updated the destination service to return InvalidArgument for external
      name services so that the proxy does not immediately fail the request
    • Fixed an issue with discovering StatefulSet pods via their unique hostname
    • Fixed an issue with traffic split where outbound proxy stats were missing
    • Upgraded the service profile CRD to v1alpha2. No changes required for users
      currently using v1alpha1
    • Updated the control plane's pod security policy to restrict workloads from
      running as root in the CNI mode (thanks @codeman9!)
    • Bumped Prometheus to 2.11.1
    • Bumped Grafana to 6.2.5
  • Proxy
    • New: Added a new /proxy-log-level endpoint to update the log level at
      runtime
    • New: Updated the tap server to only admit requests from the control
      plane's tap controller
    • Added request_handle_us histogram to measure proxy overhead
    • Fixed gRPC client cancellations being recorded as failures rather than
      as successes
    • Fixed a bug where tap would stop streaming after a short amount of time
    • Fixed a bug that could cause the proxy to leak service discovery resolutions
      to the Destination controller
  • Web UI
    • New: Added "Kubernetes cluster monitoring" Grafana dashboard with cluster
      and container metrics
    • Updated the web server to use the new tap APIService. If the linkerd-web
      service account is not authorized to tap resources, users will see a link to
      documentation to remedy the error