This edge release introduces a number of different fixes and changes to the proxy. The proxy has been updated to initialize routes lazily, which means service profile routes will now only show up in the metrics when a route is used. In the extensions, old (`ServerAuthorization`) resources have been converted to `AuthorizationPolicy` -- as part of this change, redundant policy resources have been cleaned up. A bug in the destination controller that could potentially lead to stale pods being considered in the load balancer has been fixed; operations that could previously result in this behavior are now infallible. Support has been added for `Pod Security Admission`, used instead of `Pod Security Policy`; as part of this change, some of the extension charts have been modified to include a `cniEnabled` flag that will impact the policy used. Finally, this edge release contains a number of fixes and improvements from our contributors.

* Converted `ServerAuthorization` resources to `AuthorizationPolicy` resources in Linkerd extensions
* Removed policy resources bound to admin servers in extensions (previously these resources were used to authorize probes but now are authorized by default)
* Added a `resources` field in the linkerd-cni chart (thanks @jcogilvie!)
* Fixed an issue in the CLI where `--identity-external-ca` would set an incorrect field (thanks @anoxape!)
* Fixed an issue in the destination controller that could result in stale endpoints when using EndpointSlice objects. Logic that previously resulted in undefined behavior is now infallible and endpoints will no longer be skipped during removal
* Added namespace to namespace-metadata resources in Helm (thanks @joebowbeer!)
* Added support for Pod Security Admission (supersedes PSPs); through this change extensions now have a `cniEnabled` value in their charts that will directly influence which PSA policy to use
* Changed routes to be initialized lazily. Service Profile routes will no longer show up in metrics until the route is used (default routes are always available when no Service Profile is defined for a service)
* Changed the proxy's behavior when traffic splitting so that only services that are not in failfast are used. This will enable the proxy to manage failover without external coordination
* Updated tokio (async runtime) in the proxy which should reduce CPU usage, especially for proxy's pod local (i.e. in the same network namespace) communication

Signed-off-by: Matei David <matei@buoyant.io>
Co-authored-by: Kevin Leimkuhler <kleimkuhler@icloud.com>

Linkerd
🎈 Welcome to Linkerd! 👋
Linkerd is an ultralight, security-first service mesh for Kubernetes. Linkerd adds critical security, observability, and reliability features to your Kubernetes stack with no code change required.
Linkerd is a Cloud Native Computing Foundation (CNCF) project.
Repo layout
This is the primary repo for the Linkerd 2.x line of development.
The complete list of Linkerd repos is:
- linkerd2: Main Linkerd 2.x repo, including control plane and CLI
- linkerd2-proxy: Linkerd 2.x data plane proxy
- linkerd2-proxy-api: Linkerd 2.x gRPC API bindings
- linkerd: Linkerd 1.x
- website: linkerd.io website (including docs for 1.x and 2.x)
Quickstart and documentation
You can run Linkerd on any modern Kubernetes cluster in a matter of seconds. See the Linkerd Getting Started Guide for how.
For more comprehensive documentation, start with the Linkerd docs. (The doc source code is available in the website repo.)
Working in this repo
BUILD.md includes general information on how to work in this repo.
We ❤️ pull requests! See CONTRIBUTING.md for info on contributing changes.
Get involved
- Join Linkerd's user mailing list, developer mailing list, and announcements mailing list.
- Follow @Linkerd on Twitter.
- Join the Linkerd Slack.
- Join us in the regular online community meetings!
Community meetings
We host regular online meetings for contributors, adopters, maintainers, and anyone else interested to connect in a synchronous fashion. These meetings usually take place the last Thursday of the month at 9am Pacific / 4pm UTC.
We're a friendly group, so please feel free to join us!
Steering Committee meetings
We host regular online meetings for the Linkerd Steering Committee. All are welcome to attend, but audio and video participation is limited to Steering Committee members and maintainers. These meetings are currently scheduled on an ad-hoc basis and announced on the linkerd-users mailing list.
Code of Conduct
This project is for everyone. We ask that our users and contributors take a few minutes to review our Code of Conduct.
Security
See SECURITY.md for our security policy, including how to report vulnerabilities.
A third-party security audit was performed by Cure53 in June 2019. You can see the full report here.
License
Copyright 2021 the Linkerd Authors. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use these files except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
