Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

edge-23.9.1 #11350

Merged
merged 6 commits into from
Sep 11, 2023
Merged

edge-23.9.1 #11350

merged 6 commits into from
Sep 11, 2023

Conversation

mateiidavid
Copy link
Member

This edge release introduces a fix for service discovery on endpoints that use hostPorts. Previously, the destination service would return the pod IP for the discovery request which could break connectivity on pod restart. To fix this, direct pod communication for a pod bound on a hostPort will always return the hostIP. In addition, this change fixes a security vulnerability (CVE-2023-2603) detected in the CNI plugin and proxy-init images and includes a number of other fixes and small improvements.

  • Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin (11296)
  • Introduced resource requests/limits for the policy controller resource in the control plane helm chart (11301)
  • Fixed an issue where an empty remoteDiscoverySelector field in a multicluster link would cause all services to be mirrored (11309)
  • Removed time out from linkerd multicluster gateways command; when no metrics exist the command will return instantly (11265)
  • Improved help messaging for linkerd multicluster link (11265)
  • Changed hostPort lookup behaviour in the destination service; previously, endpoint lookups for pods bound on a hostPort would return the Pod IP which would result in loss of connectivity on pod restart, hostIPs are now always returned when a pod uses a hostPort (11328)
  • Updated HTTPRoute webhook rule to validate all apiVersions of the resource (thanks @mikutas!) (11149)
  • Fixed erroneous skipped messages when injecting namespaces with linkerd inject (thanks @mikutas!) (10231)

This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this change fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([11265])
* Improved help messaging for `linkerd multicluster link` ([11265])
* Changed hostPort lookup behaviour in the destination service; previously,
  endpoint lookups for pods bound on a hostPort would return the Pod IP which
  would result in loss of connectivity on pod restart, hostIPs are now always
  returned when a pod uses a hostPort ([11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([10231])

[11309]: #11309
[11296]: #11296
[11328]: #11328
[11301]: #11301
[11265]: #11265
[11149]: #11149
[10231]: #10231

Signed-off-by: Matei David <[email protected]>
@mateiidavid mateiidavid requested a review from a team as a code owner September 7, 2023 15:04
@mateiidavid
Copy link
Member Author

Depends on #11348 and #11344

Signed-off-by: Matei David <[email protected]>
@@ -11,7 +11,7 @@ kubeVersion: ">=1.21.0-0"
name: linkerd-jaeger
sources:
- https://github.com/linkerd/linkerd2/
version: 30.11.0
version: 30.11.0-edge
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You do need to bump the patch at least, because according to semver any version with a suffix comes before the same one without.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

crying in semver

Signed-off-by: Matei David <[email protected]>
Copy link
Member

@alpeb alpeb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚢 👍

CHANGES.md Outdated Show resolved Hide resolved
CHANGES.md Outdated Show resolved Hide resolved
CHANGES.md Outdated Show resolved Hide resolved
CHANGES.md Outdated Show resolved Hide resolved
@@ -9,4 +9,4 @@ description: |
kubeVersion: ">=1.21.0-0"
icon: https://linkerd.io/images/logo-only-200h.png
name: "linkerd2-cni"
version: 30.11.0
version: 30.11.1-edge
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We always bump the minor and reset the patch for the first edge after a stable (to make room for point releases)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto throughout

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's what I initially did (based on the release notes), however @alpeb pointed out that we should instead bump the patch and leave the minor as is. #11350 (comment)

mateiidavid and others added 2 commits September 11, 2023 13:15
Signed-off-by: Matei David <[email protected]>
Signed-off-by: Matei David <[email protected]>
Copy link
Contributor

@hawkw hawkw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me!

@mateiidavid mateiidavid merged commit a9f845c into main Sep 11, 2023
35 checks passed
@mateiidavid mateiidavid deleted the matei/edge-23.9.1 branch September 11, 2023 17:48
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([linkerd#11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([linkerd#11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([linkerd#11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([linkerd#11265])
* Improved help messaging for `linkerd multicluster link` ([linkerd#11265])
* Changed how hostPort lookups are handled in the destination service.
  Previously, when doing service discovery for an endpoint bound on a hostPort,
  the destination service would return the corresponding pod IP. On pod
  restart, this could lead to loss of connectivity on the client's side. The
  destination service now always returns host IPs for service discovery on an
  endpoint that uses hostPorts ([linkerd#11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([linkerd#11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([linkerd#10231])

[linkerd#11309]: linkerd#11309
[linkerd#11296]: linkerd#11296
[linkerd#11328]: linkerd#11328
[linkerd#11301]: linkerd#11301
[linkerd#11265]: linkerd#11265
[linkerd#11149]: linkerd#11149
[linkerd#10231]: linkerd#10231

---------

Signed-off-by: Matei David <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([linkerd#11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([linkerd#11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([linkerd#11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([linkerd#11265])
* Improved help messaging for `linkerd multicluster link` ([linkerd#11265])
* Changed how hostPort lookups are handled in the destination service.
  Previously, when doing service discovery for an endpoint bound on a hostPort,
  the destination service would return the corresponding pod IP. On pod
  restart, this could lead to loss of connectivity on the client's side. The
  destination service now always returns host IPs for service discovery on an
  endpoint that uses hostPorts ([linkerd#11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([linkerd#11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([linkerd#10231])

[linkerd#11309]: linkerd#11309
[linkerd#11296]: linkerd#11296
[linkerd#11328]: linkerd#11328
[linkerd#11301]: linkerd#11301
[linkerd#11265]: linkerd#11265
[linkerd#11149]: linkerd#11149
[linkerd#10231]: linkerd#10231

---------

Signed-off-by: Matei David <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants