stable 2.13.7 (#11398)

This stable releases addresses backports two fixes that address security
vulnerabilities. The proxy's dependency on the webpki library has been updated
to patch [RUSTSEC-2023-0052], a potential CPU usage denial-of-service attack
when accepting a TLS handshake from an untrusted peer. In addition, the CNI and
proxy-init images have been updated to patch [CVE-2023-2603] surfaced in the
runtime image's libcap library. Finally, the release contains a backported fix
for service discovery on endpoints that use hostPorts which could potentially
disrupt connections on pod restarts.

* Control Plane
  * Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts [#11328]

* Proxy
  * Addressed security vulnerability [RUSTSEC-2023-0052] [#11389]

* CNI
  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
    plugin [#11348]

[#11328]: #11328
[#11348]: #11348
[#11389]: #11389
[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[CVE-2023-2603]: GHSA-wp54-pwvg-rqq5


Signed-off-by: Matei David <[email protected]>
Signed-off-by: Eliza Weisman <[email protected]>
Co-authored-by: Alejandro Pedraza <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>

CHANGES.md

@@ -1,5 +1,37 @@
 # Changes
 
+## stable-2.13.7
+
+This stable release backports two fixes that address security
+vulnerabilities. The proxy's dependency on the webpki library has been updated
+to patch [RUSTSEC-2023-0052], a potential CPU usage denial-of-service attack
+when accepting a TLS handshake from an untrusted peer. In addition, the CNI and
+proxy-init images have been updated to patch [CVE-2023-2603] surfaced in the
+runtime image's `libcap` library. Finally, the release contains a backported fix
+for service discovery on endpoints that use hostPorts which could potentially
+disrupt connections on pod restarts.
+
+* Control Plane
+  * Changed how hostPort lookups are handled in the destination service.
+    Previously, when doing service discovery for an endpoint bound on a
+    hostPort, the destination service would return the corresponding pod IP. On
+    pod restart, this could lead to loss of connectivity on the client's side.
+    The destination service now always returns host IPs for service discovery
+    on an endpoint that uses hostPorts ([#11328])
+
+* Proxy
+  * Addressed security vulnerability [RUSTSEC-2023-0052] ([#11389])
+
+* CNI
+  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
+    plugin ([#11348])
+
+[#11328]: https://github.com/linkerd/linkerd2/pull/11328
+[#11348]: https://github.com/linkerd/linkerd2/pull/11348
+[#11389]: https://github.com/linkerd/linkerd2/pull/11389
+[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
+[CVE-2023-2603]: https://github.com/advisories/GHSA-wp54-pwvg-rqq5
+
 ## stable-2.13.6
 
 This stable release fixes a regression introduced in stable-2.13.0 which

charts/linkerd-control-plane/Chart.yaml

@@ -16,7 +16,7 @@ dependencies:
 - name: partials
   version: 0.1.0
   repository: file://../partials
-version: 1.12.6
+version: 1.12.7
 icon: https://linkerd.io/images/logo-only-200h.png
 maintainers:
   - name: Linkerd authors

charts/linkerd-control-plane/README.md

@@ -3,7 +3,7 @@
 Linkerd gives you observability, reliability, and security
 for your microservices — with no code change required.
 
-![Version: 1.12.6](https://img.shields.io/badge/Version-1.12.6-informational?style=flat-square)
+![Version: 1.12.7](https://img.shields.io/badge/Version-1.12.7-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
 
@@ -222,6 +222,7 @@ Kubernetes: `>=1.21.0-0`
 | profileValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. |
 | profileValidator.keyPEM | string | `""` | Certificate key for the service profile validator. If not provided and not using an external secret then Helm will generate one. |
 | profileValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook |
+| prometheusUrl | string | `""` | url of external prometheus instance (used for the heartbeat) |
 | proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready |
 | proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. |
 | proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod.  One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny" |
@@ -255,7 +256,7 @@ Kubernetes: `>=1.21.0-0`
 | proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) |
 | proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container |
 | proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container Docker image |
-| proxyInit.image.version | string | `"v2.2.1"` | Tag for the proxy-init container Docker image |
+| proxyInit.image.version | string | `"v2.2.3"` | Tag for the proxy-init container Docker image |
 | proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
 | proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server |
 | proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |

charts/linkerd-control-plane/values.yaml

@@ -217,7 +217,7 @@ proxyInit:
     # @default -- imagePullPolicy
     pullPolicy: ""
     # -- Tag for the proxy-init container Docker image
-    version: v2.2.1
+    version: v2.2.3
   resources:
     cpu:
       # -- Maximum amount of CPU units that the proxy-init container can use

charts/linkerd2-cni/Chart.yaml

@@ -9,4 +9,4 @@ description: |
 kubeVersion: ">=1.21.0-0"
 icon: https://linkerd.io/images/logo-only-200h.png
 name: "linkerd2-cni"
-version: 30.8.4
+version: 30.8.5

charts/linkerd2-cni/README.md

@@ -6,7 +6,7 @@ Linkerd [CNI plugin](https://linkerd.io/2/features/cni/) takes care of setting
 up your pod's network so  incoming and outgoing traffic is proxied through the
 data plane.
 
-![Version: 30.8.4](https://img.shields.io/badge/Version-30.8.4-informational?style=flat-square)
+![Version: 30.8.5](https://img.shields.io/badge/Version-30.8.5-informational?style=flat-square)
 
 ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
 
@@ -31,7 +31,7 @@ Kubernetes: `>=1.21.0-0`
 | ignoreOutboundPorts | string | `""` | Default set of outbound ports to skip via iptables |
 | image.name | string | `"cr.l5d.io/linkerd/cni-plugin"` | Docker image for the CNI plugin |
 | image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linkerd-cni container |
-| image.version | string | `"v1.2.0"` | Tag for the CNI container Docker image |
+| image.version | string | `"v1.2.2"` | Tag for the CNI container Docker image |
 | imagePullSecrets | list | `[]` |  |
 | inboundProxyPort | int | `4143` | Inbound port for the proxy container |
 | logLevel | string | `"info"` | Log level for the CNI plugin |

charts/linkerd2-cni/values.yaml

@@ -53,7 +53,7 @@ image:
   # -- Docker image for the CNI plugin
   name: "cr.l5d.io/linkerd/cni-plugin"
   # -- Tag for the CNI container Docker image
-  version: "v1.2.0"
+  version: "v1.2.2"
   # -- Pull policy for the linkerd-cni container
   pullPolicy: IfNotPresent
 

cli/cmd/install-cni-plugin_test.go

@@ -16,7 +16,7 @@ func TestRenderCNIPlugin(t *testing.T) {
 
 	image := cniPluginImage{
 		name:       "my-docker-registry.io/awesome/cni-plugin-test-image",
-		version:    "v1.2.0",
+		version:    "v1.2.2",
 		pullPolicy: nil,
 	}
 	fullyConfiguredOptions := &cniPluginOptions{

cli/cmd/install_cni_helm_test.go

@@ -35,7 +35,7 @@ func TestRenderCniHelm(t *testing.T) {
   			"logLevel": "debug",
 			"image": {
 				"name": "cr.l5d.io/linkerd/cni-plugin",
-				"version": "v1.2.0"
+				"version": "v1.2.2"
 			},
   			"proxyUID": 1111,
   			"destCNINetDir": "/etc/cni/net.d-test",

cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml

@@ -171,7 +171,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.2.1
+        image: cr.l5d.io/linkerd/proxy-init:v2.2.3
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources:

cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml

@@ -171,7 +171,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.2.1
+        image: cr.l5d.io/linkerd/proxy-init:v2.2.3
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources:
@@ -384,7 +384,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.2.1
+        image: cr.l5d.io/linkerd/proxy-init:v2.2.3
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources:

cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml

@@ -171,7 +171,7 @@ spec:
         - 4190,4191,4567,4568
         - --outbound-ports-to-ignore
         - 4567,4568
-        image: cr.l5d.io/linkerd/proxy-init:v2.2.1
+        image: cr.l5d.io/linkerd/proxy-init:v2.2.3
         imagePullPolicy: IfNotPresent
         name: linkerd-init
         resources: