enterprise-2.15.4
June 12, 2024
The 2.15.4 stable point release includes a variety of bug fixes and some minor diagnostic and configuration features.
Previous release: enterprise-2.15.3.
Who should upgrade?
- Users who are seeing OOMKills in the linkerd-destination service at scale should upgrade. This release improves memory of the destination controller at scale.
- Users who are using
HTTPRoutes
should upgrade. This release fixes several issues, including issues that may cause routing to fail sporadically. - Users who have to unset an existing
ENVIRONMENT
environment variable to use the Linkerd CLI may upgrade to avoid this issue.
All other users may upgrade at their convenience or skip this release.
How to upgrade
Please see the instructions in Upgrading BEL.
To upgrade with BEL’s lifecycle automation operator, you will need Buoyant Extension version v0.29.0 or later.
Full Changelog
CLI changes
- Fix an issue where
linkerd install-cni
was outputting an invalid image URL - Fix an issue where the CLI was reading configuration information from an
ENVIRONMENT
envvar, which was sometimes already set in customer environments. The CLI no longer uses this variable. - Add a new
--token
flag to thelinkerd diagnostics policy
command, to allow users to see the policy from the perspective of a a specific Kubernetes context (backported from linkerd2#12613)
Control plane changes
- Remove unnecessary stream concurrency limits (backported from linkerd2#12598)
- Allow control plane components to specify concurrency (backported from linkerd2#12643)
- Fix issue where initial outbound policy did not contain producer routes (backported from linkerd2#12619)
- Set
backend_not_found
route status when any backends are not found (backported from linkerd2#12565) - Reindex outbound policy backends when a service changes (backported from linkerd2#12635)
CVE remediations and updates
- Update busybox in proxy-init Docker image to remediate CVE-2023-42364
- Update busybox in proxy-init Docker image to remediate CVE-2023-42365
- Update the default Docker image user to be non-root, which was occasionally being flagged by overly pedantic vulnerability scanners
- Update Go from 1.22.3 to 1.22.4