Buoyant Enterprise for Linkerd

enterprise-2.17.0

December 5, 2024

Linkerd 2.17 is a new major release that adds rate limiting, federated services, and monitoring and control of egress traffic from the cluster. See our Linkerd 2.17 announcement blog post for more details.

Who should upgrade?

This is a feature release. We recommend upgrading to BEL 2.17.0 for customers who want to make use of the new features introduced.

Supported Kubernetes versions

For this release, the minimum supported Kubernetes version is 1.22, and the maximum supported Kubernetes version is 1.31.

Upgrade guidance

To upgrade with BEL’s lifecycle automation operator, you will need Buoyant Extension version v0.33.2 or later.

There are several important notes before upgrading.

Breaking changes to Helm upgrades

If you use Helm to manage BEL, we’ve changed the way that the BEL Helm charts work to better align with Linkerd OSS charts. As of Linkerd 2.17, BEL Helm charts no longer depend on the open source Linkerd charts as subcharts, but instead incorporate the keys and values directly.

Note: If you manage BEL upgrades via the CLI or the lifecycle automation operator, you are not affected by this change.

If you use Helm to manage BEL, any Helm values previously set on the Linkerd open source subchart keys must be moved up one level. For example, a Helm value prior to BEL 2.17.0 that was set like this:

license: xxx
linkerd-control-plane:
  foo: bar

must now become:

license: xxx
foo: bar

With this change, the BEL charts now align with the OSS charts, simplifying transition between the two.

For more details on how to upgrade BEL using Helm, including how to automate this change, please see our Upgrading BEL documentation.
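The key move described above, as an added example (not Buoyant's migration tooling): a Python function that hoists everything under linkerd-control-plane to the top level of a values mapping already loaded from YAML, and refuses to continue when a hoisted key would overwrite a different top-level value. The function and exception names and the baz/qux sample keys are assumptions made for illustration.

```python
import copy

SUBCHART_KEY = "linkerd-control-plane"  # subchart key shown in the release note


class HoistConflict(ValueError):
    """Raised when a hoisted value would overwrite a different top-level value."""


def _merge(dst, src, path):
    # Recursively copy src into dst; identical values are fine, differing ones are not.
    for key, value in src.items():
        here = path + [key]
        if key not in dst:
            dst[key] = copy.deepcopy(value)
        elif isinstance(dst[key], dict) and isinstance(value, dict):
            _merge(dst[key], value, here)
        elif dst[key] != value:
            raise HoistConflict("conflicting values at " + ".".join(here))


def hoist_subchart_values(values, subchart_key=SUBCHART_KEY):
    """Return a copy of `values` with everything under `subchart_key` moved up one level."""
    result = copy.deepcopy(values)
    nested = result.pop(subchart_key, None)
    if nested is None:  # key absent or empty: nothing to move
        return result
    if not isinstance(nested, dict):
        raise TypeError(f"{subchart_key} must be a mapping")
    _merge(result, nested, [])
    return result


# Constructed sample: the page's before/after plus one nested, made-up key.
OLD_VALUES = {
    "license": "xxx",
    "linkerd-control-plane": {"foo": "bar", "baz": {"qux": 1}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(hoist_subchart_values(OLD_VALUES), indent=2))
```

Failing on a conflict instead of picking a winner keeps a stale top-level value from silently replacing a setting that was in effect under the old subchart key.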

Changelog

New features

  • Introduce an EgressNetwork CRD, used to configure traffic that is destined outside the cluster and enable metrics (linkerd2#13181). See egress docs.
  • Introduce HTTP local rate limiting support (linkerd2#13231). See rate limiting docs.
  • Add support for federated services, which assemble multiple services with the same name and namespace across multiple different clusters into a single logical service. See federated services docs.

Other changes and bug fixes

Control plane

  • Add a flag to enable the service mirror controller to create namespaces which do not already exist when necessary to create a mirror service (linkerd2#13137)
  • Avoid panic on missing managed fields timestamp (linkerd2#13378)
  • Check Service port in admission controller (linkerd2#13325)
  • Ensure status controller honors leader expiry (linkerd2#13392)
  • Fix a bug where route changes could be ignored when the route’s parent_refs change (linkerd2#13315)
  • Fix policy readiness probe delay (linkerd2#13380)
  • Polish policy controller logging (linkerd2#13379)
  • Run status reconciliation at fixed interval (linkerd2#13384)
  • Set parent and profile references (linkerd2#13292)
  • Set the control plane to run with automountServiceAccountToken: false (linkerd2#13186)

Proxy

  • Add a wall clock gauge to the proxy’s Prometheus metrics, which allows for more accurate calculation of certificate timeouts, etc. (linkerd2-proxy#3176)
  • Add new request_frame_size and response_frame_size Prometheus metrics, instrumenting request and response bodies. These observe (a) the number of frames yielded by a body, (b) the total number of frames, and (c) a coarse distribution of frame sizes. These histograms are labeled by route and backend, for requests and responses, respectively.
  • Add support for outbound policy configuration based on TLSRoutes and SNI detection (linkerd2-proxy#3160)
  • Add support for outbound policy configuration for opaque connections (linkerd2-proxy#3306)
  • Add support for the OpenTelemetry protocol for traces exported from the proxy. When installing the Jaeger extension, set webhook.collectorTraceProtocol to opentelemetry to enable this. Example: linkerd jaeger install --set webhook.collectorTraceProtocol=opentelemetry | kubectl apply -f - (linkerd2#13099, linkerd2-proxy#3221)
  • Add transport level metrics for both TLS and Opaque connections (linkerd2-proxy#3355)
  • Allow configuration of the service name used by the proxy when exporting traces. Defaults to linkerd-proxy. (linkerd2#13130, linkerd2-proxy#3245)
  • Export the zone locality of cluster traffic as a dedicated outbound_tcp_zone_locality Prometheus metric (linkerd2#13129, linkerd2-proxy#3262)
  • Fix a panic in the proxy when the destination controller provides multiple identical endpoints (linkerd2-proxy#3319)
  • Handle timeouts with a DeadlineExceeded error (linkerd2-proxy#3302)
  • Improve linkerd-cni behavior when a node’s inotify limit is reached, by not failing silently (linkerd2-proxy-init#424)
  • Log the absolute timestamp when using the JSON log format (linkerd2-proxy#3186)

External workload automation

  • Add support for dual-stack networking to the ExternalWorkloads CRD (linkerd2#12965)

Multi-cluster extension

  • Improve configurability of the health probes for the multicluster gateway. After applying a Link CR, just tweak the new failureThreshold and timeout fields (Backported to enterprise-2.16.1)

Jaeger extension

  • Fix the Jaeger extension’s injector incorrectly propagating annotations in some cases (linkerd2#13165)

Viz extension

  • Add viz stat-inbound and viz stat-outbound commands, which are easier-to-use replacements for the viz stat command (linkerd2#12994)
  • Allow Linkerd-viz to connect to a Prometheus instance that is configured with basic auth, by letting the user provide a secret from which Linkerd-viz will read the basic auth credentials (linkerd2#13035)

CVE remediations and updates

  • Update libssl3 in extension-init and policy-controller for FIPS, and in proxy for both non-FIPS and FIPS, to remediate CVE-2024-5535 and CVE-2024-9143 (Backported to enterprise-2.16.2-1)
  • Update libcrypto3 and libssl3 in proxy-init for both non-FIPS and FIPS to remediate CVE-2024-9143 (Backported to enterprise-2.16.2-1)
  • Bump kubert from 0.21.2 to 0.22.0 (linkerd2#13399)
  • Update latest k8s version to 1.31 (linkerd2#13374)