From 028a68265ed2e09a3c4524ef9a7e83bc31029fd1 Mon Sep 17 00:00:00 2001 
From: Matei David
Date: Fri, 13 Jan 2023 17:58:42 +0000
Subject: [PATCH] edge-23.1.1 (#10129)

This edge release introduces a number of different fixes and changes to the proxy. The proxy has been updated to initialize routes lazily, which means service profile routes will now only show up in the metrics when a route is used.

In the extensions, old (`ServerAuthorization`) resources have been converted to `AuthorizationPolicy` -- as part of this change, redundant policy resources have been cleaned up.

A bug in the destination controller that could potentially lead to stale pods being considered in the load balancer has been fixed; operations that could previously result in this behavior are now infallible.

Support has been added for `Pod Security Admission`, used instead of `Pod Security Policy`, as part of this change, some of the extension charts have been modified to include a `cniEnabled` flag that will impact the policy used.

Finally, this edge release contains a number of fixes and improvements from our contributors.

* Converted `ServerAuthorization` resources to `AuthorizationPolicy` resources in Linkerd extensions
* Removed policy resources bound to admin servers in extensions (previously these resources were used to authorize probes but now are authorized by default)
* Added a `resources` field in the linkerd-cni chart (thanks @jcogilvie!)
* Fixed an issue in the CLI where `--identity-external-ca` would set an incorrect field (thanks @anoxape!)
* Fixed an issue in the destination controller that could result in stale endpoints when using EndpointSlice objects. Logic that previously resulted in undefined behavior is now infallible and endpoints will no longer be skipped during removal
* Added namespace to namespace-metadata resources in Helm (thanks @joebowbeer!)
* Added support for Pod Security Admission (supersedes PSPs); through this change extensions now have a `cniEnabled` value in their charts that will directly influence which PSA policy to use
* Changed routes to be initialized lazily. Service Profile routes will no longer show up in metrics until the route is used (default routes are always available when no Service Profile is defined for a service)
* Changed the proxy's behavior when traffic splitting so that only services that are not in failfast are used. This will enable the proxy to manage failover without external coordination
* Updated tokio (async runtime) in the proxy which should reduce CPU usage, especially for proxy's pod local (i.e. in the same network namespace) communication

Signed-off-by: Matei David
Co-authored-by: Kevin Leimkuhler
---
 CHANGES.md | 48 +++++++++++++++++++
 charts/linkerd-control-plane/Chart.yaml | 2 +-
 charts/linkerd-control-plane/README.md | 2 +-
 charts/linkerd2-cni/Chart.yaml | 2 +-
 charts/linkerd2-cni/README.md | 2 +-
 jaeger/charts/linkerd-jaeger/Chart.yaml | 2 +-
 jaeger/charts/linkerd-jaeger/README.md | 2 +-
 .../charts/linkerd-multicluster/Chart.yaml | 2 +-
 .../charts/linkerd-multicluster/README.md | 2 +-
 viz/charts/linkerd-viz/Chart.yaml | 2 +-
 viz/charts/linkerd-viz/README.md | 2 +-
 11 files changed, 58 insertions(+), 10 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md index 86171cc39..d0826d5d4 100644 --- a/CHANGES.md +++ b/CHANGES.md
@@ -1,5 +1,53 @@ # Changes +## edge-23.1.1 + +This edge release fixes a caching issue in the destination controller, converts +deprecated policy resources, and introduces several changes to how the proxy +works. + +A bug in the destination controller that could potentially lead to stale pods +being considered in the load balancer has been fixed. + +Several Linkerd extensions were still using the now deprecated +ServerAuthorization resource. These instances have now been converted to using +AuthorizationPolicy. Additionally, removed several policy resources that +authenticated probes, since probes are now authenticated by default. + +As part of ongoing policy work, there are several changes with how the proxy +works. Routes are now lazily initialized so that service profile routes will +not show up in metrics until the route is used. Furthermore, the proxy’s +traffic splitting behavior has changed so that only available resources are +used, resulting in less failfast errors. + +Finally, this edge release contains a number of fixes and improvements from our +contributors. + +* Converted `ServerAuthorization` resources to `AuthorizationPolicy` resources + in Linkerd extensions +* Removed policy resources bound to admin servers in extensions (previously + these resources were used to authorize probes but now are authorized by + default) +* Added a `resources` field in the linkerd-cni chart (thanks @jcogilvie!) +* Fixed an issue in the CLI where `--identity-external-ca` would set an + incorrect field (thanks @anoxape!) +* Fixed an issue in the destination controller's cache that could result in + stale endpoints when using EndpointSlice objects +* Added namespace to namespace-metadata resources in Helm (thanks @joebowbeer!) +* Added support for Pod Security Admission (Pod Security Policy resources are + still supported but disabled by default) +* Changed routes to be initialized lazily. 
Service Profile routes will no + longer show up in metrics until the route is used (default routes are always + available when no Service Profile is defined for a service) +* Changed the proxy's behavior when traffic splitting so that only services + that are not in failfast are used. This will enable the proxy to manage + failover without external coordination +* Updated tokio (async runtime) in the proxy which should reduce CPU usage, + especially for proxy's pod local (i.e in the same network namespace) + communication +* Fixed an issue where `linkerd viz tap` would display wrong latency/duration + value (thanks @olegy2008!) + ## edge-22.12.1 This edge release introduces static and dynamic port overrides for CNI eBPF diff --git a/charts/linkerd-control-plane/Chart.yaml b/charts/linkerd-control-plane/Chart.yaml index b8d7fa8ac..9e34c48c0 100644 --- a/charts/linkerd-control-plane/Chart.yaml +++ b/charts/linkerd-control-plane/Chart.yaml @@ -16,7 +16,7 @@ dependencies: - name: partials version: 0.1.0 repository: file://../partials -version: 1.11.0-edge +version: 1.11.1-edge icon: https://linkerd.io/images/logo-only-200h.png maintainers: - name: Linkerd authors diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index a19538109..9c6a74674 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md @@ -3,7 +3,7 @@ Linkerd gives you observability, reliability, and security for your microservices — with no code change required. -![Version: 1.11.0-edge](https://img.shields.io/badge/Version-1.11.0--edge-informational?style=flat-square) +![Version: 1.11.1-edge](https://img.shields.io/badge/Version-1.11.1--edge-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) 
diff --git a/charts/linkerd2-cni/Chart.yaml b/charts/linkerd2-cni/Chart.yaml index 9f2344ecd..b2dee0dd8 100644 --- a/charts/linkerd2-cni/Chart.yaml +++ b/charts/linkerd2-cni/Chart.yaml @@ -9,4 +9,4 @@ description: | kubeVersion: ">=1.21.0-0" icon: https://linkerd.io/images/logo-only-200h.png name: "linkerd2-cni" -version: 30.5.1-edge +version: 30.6.0-edge diff --git a/charts/linkerd2-cni/README.md b/charts/linkerd2-cni/README.md index d26018cde..564cd1f51 100644 --- a/charts/linkerd2-cni/README.md +++ b/charts/linkerd2-cni/README.md @@ -6,7 +6,7 @@ Linkerd [CNI plugin](https://linkerd.io/2/features/cni/) takes care of setting up your pod's network so incoming and outgoing traffic is proxied through the data plane. -![Version: 30.5.1-edge](https://img.shields.io/badge/Version-30.5.1--edge-informational?style=flat-square) +![Version: 30.6.0-edge](https://img.shields.io/badge/Version-30.6.0--edge-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) diff --git a/jaeger/charts/linkerd-jaeger/Chart.yaml b/jaeger/charts/linkerd-jaeger/Chart.yaml index 777455dec..d82306821 100644 --- a/jaeger/charts/linkerd-jaeger/Chart.yaml +++ b/jaeger/charts/linkerd-jaeger/Chart.yaml @@ -11,7 +11,7 @@ kubeVersion: ">=1.21.0-0" name: linkerd-jaeger sources: - https://github.com/linkerd/linkerd2/ -version: 30.6.0-edge +version: 30.6.1-edge icon: https://linkerd.io/images/logo-only-200h.png maintainers: - name: Linkerd authors diff --git a/jaeger/charts/linkerd-jaeger/README.md b/jaeger/charts/linkerd-jaeger/README.md index 8db1963fa..d3bff6f6d 100644 --- a/jaeger/charts/linkerd-jaeger/README.md +++ b/jaeger/charts/linkerd-jaeger/README.md 
@@ -3,7 +3,7 @@ The Linkerd-Jaeger extension adds distributed tracing to Linkerd using OpenCensus and Jaeger. -![Version: 30.6.0-edge](https://img.shields.io/badge/Version-30.6.0--edge-informational?style=flat-square) +![Version: 30.6.1-edge](https://img.shields.io/badge/Version-30.6.1--edge-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) diff --git a/multicluster/charts/linkerd-multicluster/Chart.yaml b/multicluster/charts/linkerd-multicluster/Chart.yaml index f94fc3042..adbaa84f8 100644 --- a/multicluster/charts/linkerd-multicluster/Chart.yaml +++ b/multicluster/charts/linkerd-multicluster/Chart.yaml @@ -11,7 +11,7 @@ kubeVersion: ">=1.21.0-0" name: "linkerd-multicluster" sources: - https://github.com/linkerd/linkerd2/ -version: 30.3.6-edge +version: 30.3.7-edge icon: https://linkerd.io/images/logo-only-200h.png maintainers: - name: Linkerd authors diff --git a/multicluster/charts/linkerd-multicluster/README.md b/multicluster/charts/linkerd-multicluster/README.md index ae0310a71..206374a3d 100644 --- a/multicluster/charts/linkerd-multicluster/README.md +++ b/multicluster/charts/linkerd-multicluster/README.md @@ -3,7 +3,7 @@ The Linkerd-Multicluster extension contains resources to support multicluster linking to remote clusters -![Version: 30.3.6-edge](https://img.shields.io/badge/Version-30.3.6--edge-informational?style=flat-square) +![Version: 30.3.7-edge](https://img.shields.io/badge/Version-30.3.7--edge-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) diff --git a/viz/charts/linkerd-viz/Chart.yaml b/viz/charts/linkerd-viz/Chart.yaml index 8861c18f1..dcb557a08 100644 --- a/viz/charts/linkerd-viz/Chart.yaml +++ b/viz/charts/linkerd-viz/Chart.yaml 
@@ -11,7 +11,7 @@ kubeVersion: ">=1.21.0-0" name: "linkerd-viz" sources: - https://github.com/linkerd/linkerd2/ -version: 30.4.6-edge +version: 30.4.7-edge icon: https://linkerd.io/images/logo-only-200h.png maintainers: - name: Linkerd authors diff --git a/viz/charts/linkerd-viz/README.md b/viz/charts/linkerd-viz/README.md index 61105ecbc..5b2191ad0 100644 --- a/viz/charts/linkerd-viz/README.md +++ b/viz/charts/linkerd-viz/README.md @@ -3,7 +3,7 @@ The Linkerd-Viz extension contains observability and visualization components for Linkerd. -![Version: 30.4.6-edge](https://img.shields.io/badge/Version-30.4.6--edge-informational?style=flat-square) +![Version: 30.4.7-edge](https://img.shields.io/badge/Version-30.4.7--edge-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
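
Review bot: In the CHANGES.md hunk, the third paragraph of the new edge-23.1.1 entry says the removed policy resources "authenticated probes" and that probes are "now authenticated by default", while the bullet further down says the same resources "were used to authorize probes but now are authorized by default". The resources in question are authorization policy bound to admin servers, so the paragraph should use "authorized" as the bullet does; as written, a reader could conclude that probe traffic is now identity-checked. Two smaller points in the same entry: "resulting in less failfast errors" should read "fewer", and the Pod Security Admission bullet omits the `cniEnabled` chart value that the commit message describes, which is the setting an operator of the extensions has to get right to end up with the intended PSA policy.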
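
Review bot: The version lines in the jaeger/charts/linkerd-jaeger/Chart.yaml, multicluster/charts/linkerd-multicluster/Chart.yaml and viz/charts/linkerd-viz/Chart.yaml hunks each take only a patch bump (30.6.0-edge to 30.6.1-edge, 30.3.6-edge to 30.3.7-edge, 30.4.6-edge to 30.4.7-edge), while charts/linkerd2-cni/Chart.yaml takes a minor bump (30.5.1-edge to 30.6.0-edge) for its new `resources` field. The commit message says some extension charts gain a new `cniEnabled` value and have their `ServerAuthorization` resources converted to `AuthorizationPolicy`; a new value plus a change in the policy resources the chart installs is at least as significant as a new field. Please confirm which of the three charts carry those changes and give them a minor bump to match, or state in the commit message why a patch bump is enough.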