Announcing Linkerd2 edge-19.8.1

Kevin Leimkuhler
 

Hello Linkerd fans!

This is an edge release of Linkerd! The latest stable release is stable-2.4.0.

To install this edge release, run: curl https://run.linkerd.io/install-edge | sh

This edge release introduces a new tap APIService. The Kubernetes apiserver
authenticates the requesting tap user and then forwards tap requests to the new
tap APIServer. The linkerd tap command now makes requests against the
APIService.

With this release, users must be authorized via RBAC to use the linkerd tap
command. Specifically linkerd tap requires the watch verb on all resources
in the tap.linkerd.io/v1alpha1 APIGroup. More granular access is also
available via sub-resources such as deployments/tap and pods/tap.

  • CLI
    • Added a check to the linkerd check command to validate the user has privileges necessary to create CronJobs
    • Introduced the linkerd --as flag which allows users to impersonate another user for Kubernetes operations
    • The linkerd tap command now makes requests against the tap APIService
  • Controller
    • Added HTTP security headers on all dashboard responses
    • Fixed nil pointer dereference in the destination service when an endpoint does not have a TargetRef
    • Added resource limits when HA is enabled
    • Added RSA support to TLS libraries
    • Updated the destination service to return InvalidArgument for external name services so that the proxy does not immediately fail the request
    • The l5d-require-id header is now set on tap requests so that a connection is established over TLS
    • Introduced the APIService/v1alpha1.tap.linkerd.io global resource
    • Introduced the ClusterRoleBinding/linkerd-linkerd-tap-auth-delegator global resource
    • Introduced the Secret/linkerd-tap-tls resource into the linkerd namespace
    • Introduced the RoleBinding/linkerd-linkerd-tap-auth-reader resource into the kube-system namespace
  • Proxy
    • Added the LINKERD2_PROXY_TAP_SVC_NAME environment variable so that the tap server attempts to authorize client identities
  • Internal
    • Replaced dep with Go modules for dependency management

As always, we're excited to hear your feedback. Please try the new release and 
send questions/comments to this mailing list, and report bugs via GitHub.

Kevin

Join cncf-linkerd-announce@lists.cncf.io to automatically receive all group messages.