Announcing Linkerd stable-2.5.0

Andrew Seigner

Hello Linkerd community!¬†ūüĎč

We are thrilled to announce that¬†Linkerd stable-2.5.0¬†has been released!¬†ūüéą

This release adds Helm support, tap authentication and authorization via RBAC, traffic split stats, dynamic logging levels, a new cluster monitoring dashboard, and countless performance enhancements and bug fixes.

For more details, see the announcement blog post:

To install this release, run: curl | sh

Upgrade notes: Use the linkerd upgrade command to upgrade the control plane. This command ensures that all existing control plane's configuration and mTLS secrets are retained. For more details, please see the upgrade instructions.

Special thanks to: @alenkacz, @codeman9, @ethan-daocloud, @jonathanbeber, and @Pothulapati!

Full release notes:
  • CLI
    • New¬†Updated linkerd tap, linkerd top and linkerd profile --tap¬†to require¬†RBAC privileges. See for more info
    • New¬†Added traffic split metrics via linkerd stat trafficsplits¬†subcommand
    • Made the linkerd routes¬†command traffic split aware
    • Introduced the linkerd --as¬†flag which allows users to impersonate another user for Kubernetes operations
    • Introduced the --all-namespaces¬†(-A) option to the linkerd get, linkerd edges¬†and linkerd stat¬†commands to retrieve resources across all namespaces
    • Improved the installation report produced by the linkerd check command to include the control plane pods' live status
    • Fixed bug in the linkerd upgrade config¬†command that was causing it to crash
    • Introduced --use-wait-flag¬†to the linkerd install-cni¬†command, to configure the CNI plugin to use the -w¬†flag for iptables¬†commands
    • Introduced --restrict-dashboard-privileges¬†flag to linkerd install¬†command, to disallow tap in the dashboard
    • Fixed linkerd uninject¬†not removing enabled¬†annotations
    • Fixed linkerd stat -h¬†example commands (thanks @ethan-daocloud!)
    • Fixed incorrect "meshed" count in linkerd stat¬†when resources share the same label selector for pods (thanks @jonathanbeber!)
    • Added pod status to the output of the linkerd stat¬†command (thanks @jonathanbeber!)
    • Added namespace information to the linkerd edges¬†command output and a new -o wide¬†flag that shows the identity of the client and server if known
    • Added a check to the linkerd check¬†command to validate the user has privileges necessary to create CronJobs
    • Added a new check to the linkerd check --pre¬†command validating that if PSP is enabled, the NET_RAW capability is available
  • Controller
    • New¬†Disabled all unauthenticated tap endpoints. Tap requests now require RBAC authentication and authorization
    • The l5d-require-id¬†header is now set on tap requests so that a connection is established over TLS
    • Introduced a new RoleBinding in the kube-system¬†namespace to provide access to tap
    • Added HTTP security headers on all dashboard responses
    • Added support for namespace-level proxy override annotations (thanks @Pothulapati!)
    • Added resource limits when HA is enabled (thanks @Pothulapati!)
    • Added pod anti-affinity rules to the control plane pods when HA is enabled (thanks @Pothulapati!)
    • Fixed a crash in the destination service when an endpoint does not have a TargetRf
    • Updated the destination service to return InvalidArgument¬†for external name services so that the proxy does not immediately fail the request
    • Fixed an issue with discovering StatefulSet pods via their unique hostname
    • Fixed an issue with traffic split where outbound proxy stats are missing
    • Upgraded the service profile CRD to v1alpha2. No changes required for users currently using v1alpha1
    • Updated the control plane's pod security policy to restrict workloads from running as root¬†in the CNI mode (thanks @codeman9!)
    • Introduced optional cluster heartbeat cron job
    • Bumped Prometheus to 2.11.1
    • Bumped Grafana to 6.2.5
  • Proxy
    • New¬†Added a new /proxy-log-level¬†endpoint to update the log level at runtime
    • New¬†Updated the tap server to only admit requests from the control plane's tap controller
    • Added request_handle_us¬†histogram to measure proxy overhead
    • Fixed gRPC client cancellations getting recorded as failures rather than as successful
    • Fixed a bug where tap would stop streaming after a short amount of time
    • Fixed a bug that could cause the proxy to leak service discovery resolutions to the Destination controller
  • Web UI
    • New¬†Added "Kubernetes cluster monitoring" Grafana dashboard with cluster and containers metrics
    • Updated the web server to use the new tap APIService. If the linkerd-web¬†service account is not authorized to tap resources, users will see a link to documentation to remedy the error

Join to automatically receive all group messages.