🐻 The Universal Service Mesh. CNCF Sandbox Project.

Overview


Kuma is a modern Envoy-based service mesh that can run on every cloud, in a single or multi-zone capacity, across both Kubernetes and VMs. Thanks to its broad universal workload support, combined with native support for Envoy as its data plane proxy technology (but with no Envoy expertise required), Kuma provides modern L4-L7 service connectivity, discovery, security, observability, routing and more across any service on any platform, databases included.

Easy to use, with built-in service mesh policies for security, traffic control, discovery, observability and more, Kuma ships with advanced multi-zone and multi-mesh support that automatically enables cross-zone communication across different clusters and clouds, and automatically propagates service mesh policies across the infrastructure. Kuma is currently being adopted by enterprise organizations around the world to support distributed service meshes across application teams, on both Kubernetes and VMs.

Originally created and donated by Kong, Kuma is today a CNCF (Cloud Native Computing Foundation) Sandbox project and therefore available with the same openness and neutrality as every other CNCF project. Kuma has been engineered to be both powerful and simple to use, reducing the complexity of running a service mesh across every organization with unique capabilities like multi-zone support, multi-mesh support, and a gradual and intuitive learning curve.

Users that require enterprise-level support for Kuma can explore the enterprise offerings available.

Built by Envoy contributors at Kong 🦍.

Need help? In your journey with Kuma you can get in touch with the broader community via the official Slack chat.


Summary

Why Kuma?

Built with enterprise use-cases in mind, Kuma is a universal service mesh that supports both Kubernetes and VM deployments across single and multi-zone setups, with turnkey service mesh policies to get up and running easily while supporting multi-tenancy and multi-mesh on the same control plane. Kuma is a CNCF Sandbox project.

Unlike other service mesh solutions, Kuma innovates the service mesh ecosystem by providing ease of use, native support for both Kubernetes and VMs on both the control plane and the data plane, multi-mesh support that can cross every boundary including Kubernetes namespaces, out of the box multi-zone and multi-cluster support with automatic policy synchronization and connectivity, zero-trust, observability and compliance in one-click, support for custom workload attributes that can be leveraged to accelerate PCI and GDPR compliance, and much more.

Below is an example of using Kuma's attributes to ensure that all traffic generated by any PCI-compliant service in Switzerland is routed only within the Swiss region:

apiVersion: kuma.io/v1alpha1
kind: TrafficRoute
mesh: default
metadata:
  name: ch-pci-compliance
spec:
  sources:
    - match:
        kuma.io/service: '*'
        kuma.io/zone: 'CH'
        PCI: true
  destinations:
    - match:
        kuma.io/service: '*'
  conf:
    loadBalancer:
      roundRobin: {}
    split:
      - weight: 100
        destination:
          kuma.io/service: '*'
          kuma.io/zone: 'CH'

The above example can also be applied on virtual machines via the built-in kumactl CLI.

With Kuma, our application teams can stop building connectivity management code in every service and every application, and they can rely on modern service mesh infrastructure instead to improve their efficiency and the overall agility of the organization.

Features

  • Universal Control Plane: Easy to use, distributed, runs anywhere on both Kubernetes and VM/Bare Metal.
  • Lightweight Data Plane: Powered by Envoy to process any L4/L7 traffic, with automatic Envoy bootstrapping.
  • Automatic DP Injection: No code changes required in K8s. Easy YAML specification for VM and Bare Metal deployments.
  • Multi-Mesh: To set up multiple isolated Meshes in one cluster and one Control Plane, lowering Ops cost.
  • Single and Multi Zone: To deploy a service mesh that is cross-platform, cross-cloud and cross-cluster.
  • Automatic Discovery & Ingress: With built-in service discovery and connectivity across single and multi-zones.
  • Global & Remote CPs: For scalability across deployments with multiple zones, including hybrid VMs + K8s meshes.
  • mTLS: Automatic mTLS issuing, identity and encryption with optional support for third-party CA.
  • TLS Rotation: Automatic certificate rotation for all the data planes, with configurable settings.
  • Internal & External Services: Aggregation of internal services and support for services outside the mesh.
  • Traffic Permissions: To firewall traffic between the services of a Mesh.
  • Traffic Routing: With dynamic load-balancing for blue/green, canary, versioning and rollback deployments.
  • Fault Injection: To harden our systems by injecting controlled artificial faults and observe the behavior.
  • Traffic Logs: To log all the activity to a third-party service, like Splunk or ELK.
  • Traffic Tracing: To observe the full trace of the service traffic and determine bottlenecks.
  • Traffic Metrics: For every Envoy dataplane managed by Kuma with native Prometheus/Grafana support.
  • Retries: To improve application reliability by automatically retrying requests.
  • Proxy Configuration Templating: The easiest way to run and configure Envoy with low-level configuration.
  • Gateway Support: To support any API Gateway or Ingress, like Kong Gateway.
  • Healthchecks: Both active and passive.
  • GUI: Out of the box browser GUI to explore all the Service Meshes configured in the system.
  • Tagging Selectors: To apply sophisticated regional, cloud-specific and team-oriented policies.
  • Platform-Agnostic: Support for Kubernetes, VMs, and bare metal. Including hybrid deployments.
  • Transparent Proxying: Out of the box transparent proxying on Kubernetes, VMs and any other platform.
  • Network Overlay: Create a configurable Mesh overlay across different Kubernetes clusters and namespaces.

Distributions

Kuma is a platform-agnostic product that ships in different distributions. You can explore the available installation options at the official website.

You can use Kuma for modern greenfield applications built on containers as well as existing applications running on more traditional infrastructure. Kuma can be fully configured via CRDs (Custom Resource Definitions) on Kubernetes and via a RESTful HTTP API in other environments that can be easily integrated with CI/CD workflows.

Kuma also provides an easy to use kumactl CLI client for every environment, and an official GUI that can be accessed by the browser.

Development

Kuma is under active development and production-ready.

See Developer Guide for further details.

Enterprise Support

If you are implementing Kuma in a mission-critical environment and require enterprise support and features, please visit Enterprise to explore the available offerings.

License

Copyright 2021 the Kuma Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Comments
  • upstream connect error or disconnect/reset before headers. reset reason: protocol error


    What happened?

    We have a Java Spring Boot app deployed on an AKS cluster that provides a JSON object in response. The app works fine without Kuma, but as soon as Kuma is enabled, the URLs throw an upstream error, the reason being protocol error. I can say Kuma in general is working, as we have other apps on the cluster that are working as expected. I have been trying to troubleshoot for a while but have gotten nowhere with it. Any insights on how to troubleshoot, or on whether there is anything that needs to be fixed in Kuma? I see a 502 Bad Gateway error when I do a curl on the endpoint; at least from what I understood (could be wrong as well), Kuma is not liking the JSON response from the backend and is throwing a 502.

    triage/rotten kind/bug 
    opened by sai-ns 27
  • DPP w/invalid or missing CA cert should fail instead of endless error loop


    Summary

    If a DPP starts with a missing or invalid CA cert, both the DPP and CP get in an endless error loop. The DPP should fail and exit as a retry isn't going to ever succeed:

    DPP:

    [2021-05-21 17:19:18.477][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:334] StreamHealthCheck gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
    [2021-05-21 17:19:18.477][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:71] HdsDelegate stream/connection failure, will retry in 535 ms.
    [2021-05-21 17:19:19.015][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:334] StreamHealthCheck gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
    [2021-05-21 17:19:19.015][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:71] HdsDelegate stream/connection failure, will retry in 226 ms.
    [2021-05-21 17:19:19.246][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:334] StreamHealthCheck gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
    [2021-05-21 17:19:19.246][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:71] HdsDelegate stream/connection failure, will retry in 427 ms.
    [2021-05-21 17:19:19.671][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:334] StreamHealthCheck gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
    [2021-05-21 17:19:19.671][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:71] HdsDelegate stream/connection failure, will retry in 918 ms.
    [2021-05-21 17:19:20.594][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:334] StreamHealthCheck gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
    [2021-05-21 17:19:20.594][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:71] HdsDelegate stream/connection failure, will retry in 628 ms.
    

    CP:

    2021/05/21 17:19:12 http: TLS handshake error from 172.31.4.238:40740: remote error: tls: unknown certificate authority
    2021/05/21 17:19:13 http: TLS handshake error from 172.31.4.238:40742: remote error: tls: unknown certificate authority
    2021/05/21 17:19:13 http: TLS handshake error from 172.31.4.238:40744: remote error: tls: unknown certificate authority
    2021/05/21 17:19:13 http: TLS handshake error from 172.31.4.238:40746: remote error: tls: unknown certificate authority
    2021/05/21 17:19:14 http: TLS handshake error from 172.31.4.238:40748: remote error: tls: unknown certificate authority
    2021/05/21 17:19:14 http: TLS handshake error from 172.31.4.238:40750: remote error: tls: unknown certificate authority
    2021/05/21 17:19:15 http: TLS handshake error from 172.31.4.238:40752: remote error: tls: unknown certificate authority
    2021/05/21 17:19:15 http: TLS handshake error from 172.31.4.238:40754: remote error: tls: unknown certificate authority
    2021/05/21 17:19:15 http: TLS handshake error from 172.31.4.238:40756: remote error: tls: unknown certificate authority
    2021/05/21 17:19:16 http: TLS handshake error from 172.31.4.238:40758: remote error: tls: unknown certificate authority
    2021/05/21 17:19:16 http: TLS handshake error from 172.31.4.238:40760: remote error: tls: unknown certificate authority
    2021/05/21 17:19:17 http: TLS handshake error from 172.31.4.238:40762: remote error: tls: unknown certificate authority
    2021/05/21 17:19:18 http: TLS handshake error from 172.31.4.238:40764: remote error: tls: unknown certificate authority
    2021/05/21 17:19:18 http: TLS handshake error from 172.31.4.238:40766: remote error: tls: unknown certificate authority
    2021/05/21 17:19:18 http: TLS handshake error from 172.31.4.238:40768: remote error: tls: unknown certificate authority
    2021/05/21 17:19:19 http: TLS handshake error from 172.31.4.238:40770: remote error: tls: unknown certificate authority
    2021/05/21 17:19:19 http: TLS handshake error from 172.31.4.238:40772: remote error: tls: unknown certificate authority
    2021/05/21 17:19:19 http: TLS handshake error from 172.31.4.238:40774: remote error: tls: unknown certificate authority
    2021/05/21 17:19:20 http: TLS handshake error from 172.31.4.238:40776: remote error: tls: unknown certificate authority
    

    Steps To Reproduce

    1.
    [[email protected] ~]# env | grep KUMA
    KUMA_GENERAL_TLS_KEY_FILE=/home/ec2-user/ip-172-31-2-167.us-east-2.compute.internal.key
    KUMA_DP_SERVER_TLS_KEY_FILE=/home/ec2-user/ip-172-31-2-167.us-east-2.compute.internal.key
    KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR=/home/ec2-user
    KUMA_GENERAL_TLS_CERT_FILE=/home/ec2-user/ip-172-31-2-167.us-east-2.compute.internal.crt
    KUMA_DP_SERVER_TLS_CERT_FILE=/home/ec2-user/ip-172-31-2-167.us-east-2.compute.internal.crt
    [[email protected] ~]# KUMA_MODE=remote KUMA_MULTIZONE_REMOTE_ZONE=universal-2 KUMA_MULTIZONE_REMOTE_GLOBAL_ADDRESS=grpcs://ip-172-31-7-0.us-east-2.compute.internal:5685 KUMA_DNS_SERVER_PORT=53 kuma-cp run --license-path=/home/ec2-user/license.json

    2.
    [[email protected] ~]$ env | grep KUMA
    KUMA_GENERAL_TLS_KEY_FILE=/home/ec2-user/ip-172-31-4-238.us-east-2.compute.internal.key
    KUMA_DNS_SERVER_PORT=53
    KUMA_DNS_SERVER_CIDR=240.0.0.0/4
    KUMA_DP_SERVER_TLS_KEY_FILE=/home/ec2-user/ip-172-31-4-238.us-east-2.compute.internal.key
    KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR=/home/ec2-user
    KUMA_DNS_SERVER_DOMAIN=mesh
    KUMA_GENERAL_TLS_CERT_FILE=/home/ec2-user/ip-172-31-4-238.us-east-2.compute.internal.crt
    KUMA_DP_SERVER_TLS_CERT_FILE=/home/ec2-user/ip-172-31-4-238.us-east-2.compute.internal.crt
    [[email protected] ~]$ kuma-dp run --cp-address=https://ip-172-31-2-167.us-east-2.compute.internal:5678/ --dataplane-token-file=/home/ec2-user/universal-token --dataplane-file=/home/ec2-user/dataplane-universal.yaml  --dns-enabled
    
    triage/rotten kind/bug 
    opened by bdecoste 27
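
The fail-fast behaviour requested in the issue above, sketched as an added example (not Kuma's code and not part of the issue): a bad CA bundle is rejected at load time, and a retry loop stops on the first certificate-verification error while still retrying a connection failure. The function names, the local `httptest` server standing in for the control plane, and the retry limits are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// loadCAPool parses a PEM trust bundle and rejects one with no usable
// certificate, so a missing or corrupt CA file is caught before any dial.
func loadCAPool(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("CA bundle contains no valid PEM certificate")
	}
	return pool, nil
}

// isPermanentTLSError reports whether err is a certificate verification
// failure that the same trust bundle will hit again on every retry.
func isPermanentTLSError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var invalid x509.CertificateInvalidError
	return errors.As(err, &unknownCA) || errors.As(err, &badHost) || errors.As(err, &invalid)
}

// connectWithRetry dials addr over TLS, verifying the peer against pool, and
// returns the attempts made. Only non-permanent failures are retried.
func connectWithRetry(addr string, pool *x509.CertPool, maxAttempts int, backoff time.Duration) (int, error) {
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	var lastErr error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		conn, err := tls.Dial("tcp", addr, cfg)
		if err == nil {
			conn.Close()
			return attempt, nil
		}
		if isPermanentTLSError(err) {
			return attempt, fmt.Errorf("permanent TLS failure, not retrying: %w", err)
		}
		lastErr = err
		if attempt < maxAttempts {
			time.Sleep(backoff)
		}
	}
	return maxAttempts, fmt.Errorf("gave up after %d attempts: %w", maxAttempts, lastErr)
}

type result struct {
	name     string
	attempts int
	err      error
}

// runDemo runs three constructed scenarios against a local TLS server that
// stands in for the control plane: trusted CA, wrong CA, server unreachable.
func runDemo() []result {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	trusted, err := loadCAPool(caPEM)
	if err != nil {
		panic(err)
	}
	wrongCA := x509.NewCertPool() // trust bundle that lacks the server's CA
	// An address nothing listens on: a transient, retryable failure.
	l, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	dead := l.Addr().String()
	l.Close()
	run := func(name, addr string, pool *x509.CertPool) result {
		n, err := connectWithRetry(addr, pool, 3, 10*time.Millisecond)
		return result{name, n, err}
	}
	addr := srv.Listener.Addr().String()
	return []result{
		run("trusted-ca", addr, trusted),
		run("wrong-ca", addr, wrongCA),
		run("cp-down", dead, trusted),
	}
}

func main() {
	for _, r := range runDemo() {
		fmt.Printf("%-10s attempts=%d permanent=%v err=%v\n",
			r.name, r.attempts, isPermanentTLSError(r.err), r.err)
	}
}
```

A process using this pattern would exit non-zero on the permanent case, which surfaces the misconfiguration to the supervisor instead of filling both sides' logs with handshake errors.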
  • feat(kuma-cp) - set host network var as true by default


    Summary

    For alternate overlay networking (other than the basic CNI provided by EKS for example, like Cilium), this is a mandatory value that has to be set, otherwise it will have communication errors with the control plane. If you are using the default CNI component, it's running on the default network.

    Full changelog

    • Implement hostNetwork: true in cp-deployment.yaml file.

    Documentation

    Testing

    • [ ] Unit tests
    • [ ] E2E tests
    • [ ] Manual testing on Universal
    • [ X ] Manual testing on Kubernetes

    Backwards compatibility

    • [ ] Update UPGRADE.md with any steps users will need to take when upgrading.
    • [ ] Add backport-to-stable label if the code follows our backporting policy
    opened by SallyBlichWalkMe 22
  • Difficult Day 0


    What happened?

    1. Follow installation instructions (https://kuma.io/docs/1.2.x/installation/eks/)
    	./kumactl install control-plane | kubectl apply -f - 
    
    	kumactl install control-plane | kubectl apply -f -
    	Error: Failed to render helm template files: Failed to render templates: template: kuma/templates/cp-webhooks-and-secrets.yaml:20:16: executing "kuma/templates/cp-webhooks-and-secrets.yaml" at <lookup "v1" "Secret" .Release.Namespace $secretName>: error calling lookup: unable to get apiresource from unstructured: /v1, Kind=Secret: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"
    	error: error parsing STDIN: error converting YAML to JSON: yaml: line 2: mapping values are not allowed in this context
    
    1. Install Kuma with helm
    	helm install --create-namespace --namespace kuma-system kuma kuma/kuma
    
    1. Launch UI to verify installation all looks well
    	kubectl port-forward svc/kuma-control-plane -n kuma-system 5681:5681
    
    1. Install demo app
    	kubectl apply -f demo.yaml
    
    1. Note that no demo pods are coming up, look at demo app replicaset and see the following error
    	Warning  FailedCreate  8m30s (x20 over 49m)  replicaset-controller  Error creating: Internal error occurred: failed calling webhook "namespace-kuma-injector.kuma.io": failed to call webhook: Post "https://kuma-control-plane.kuma-system.svc:443/inject-sidecar?timeout=10s": context deadline exceeded
    
    1. Take a look at the control plane logs; no errors only this interesting message repeated over and over
    	2022-06-25T11:38:10.363Z    INFO    defaults    trying to create default Mesh
    
    1. Look in helm chart docs for debug flag and redeploy helm
    	helm upgrade --install --set controlPlane.logLevel=debug --namespace kuma-system kuma kuma/kuma
    
    1. Take a look at the control plane logs
    	2022-06-25T11:40:55.488Z    INFO    defaults    trying to create default Mesh                                                                          │
    	│ 2022-06-25T11:41:05.496Z    DEBUG    defaults    could not create default mesh    {"err": "failed to create k8s resource: Internal error occurred: fai │
    	│ led calling webhook \"mesh.defaulter.kuma-admission.kuma.io\": failed to call webhook: Post \"https://kuma-control-plane.kuma-system.svc:443/default-k │
    	│ uma-io-v1alpha1-mesh?timeout=10s\": context deadline exceeded", "errVerbose": "Internal error occurred: failed calling webhook \"mesh.defaulter.kuma-a │
    	│ dmission.kuma.io\": failed to call webhook: Post \"https://kuma-control-plane.kuma-system.svc:443/default-kuma-io-v1alpha1-mesh?timeout=10s\": context │
    	│  deadline exceeded\nfailed to create k8s resource\ngithub.com/kumahq/kuma/pkg/plugins/resources/k8s.(*KubernetesStore).Create\n\t/home/circleci/projec │
    	│ t/pkg/plugins/resources/k8s/store.go:75\ngithub.com/kumahq/kuma/pkg/core/resources/store.(*paginationStore).Create\n\t/home/circleci/project/pkg/core/ │
    	│ resources/store/pagination_store.go:30\ngithub.com/kumahq/kuma/pkg/metrics/store.(*MeteredStore).Create\n\t/home/circleci/project/pkg/metrics/store/st │
    	│ ore.go:38\ngithub.com/kumahq/kuma/pkg/core/resources/store.(*customizableResourceStore).Create\n\t/home/circleci/project/pkg/core/resources/store/cust │
    	│ omizable_store.go:30\ngithub.com/kumahq/kuma/pkg/core/managers/apis/mesh.(*meshManager).Create\n\t/home/circleci/project/pkg/core/managers/apis/mesh/m │
    	│ esh_manager.go:82\ngithub.com/kumahq/kuma/pkg/core/resources/manager.(*customizableResourceManager).Create\n\t/home/circleci/project/pkg/core/resource │
    	│ s/manager/customizable_manager.go:48\ngithub.com/kumahq/kuma/pkg/defaults.(*defaultsComponent).createMeshIfNotExist\n\t/home/circleci/project/pkg/defa │
    	│ ults/mesh.go:26\ngithub.com/kumahq/kuma/pkg/defaults.(*defaultsComponent).Start.func1.1\n\t/home/circleci/project/pkg/defaults/components.go:90\ngithu │
    	│ b.com/sethvargo/go-retry.Do\n\t/home/circleci/.go-kuma-go/pkg/mod/github.com/sethvargo/[email protected]/retry.go:60\ngithub.com/kumahq/kuma/pkg/default │
    	│ s.(*defaultsComponent).Start.func1\n\t/home/circleci/project/pkg/defaults/components.go:89\nruntime.goexit\n\t/home/circleci/go/src/runtime/asm_amd64. │
    	│ s:1571"}
    
    1. Scratch head 😕
    triage/rotten kind/bug 
    opened by bkk-bcd 21
  • zsh: too many levels of symbolic links: kumactl


    Summary

    Facing error on terminal while hitting command zsh: too many levels of symbolic links: kumactl

    Steps To Reproduce

    1. echo "type: Mesh name: my-first-mesh" | kumactl apply -f - .

    Additional Details & Logs

    Following this

    • Version
    • Error logs -- zsh: too many levels of symbolic links: kumactl
    • Configuration
    • Platform and Operating System -- MAC OS
    • Installation Method (Helm, kumactl, AWS CloudFormation, etc.) -- kumactl
    triage/not-reproducible 
    opened by jaikratsinghtariyal 21
  • feat (kumactl) kumactl can communicate to kuma-cp over https


    Summary

    kumactl and kuma-dp communicate to kuma-cp over http. In case kuma-cp is behind an https reverse proxy, kumactl cannot connect to it. Added support to upgrade connection to https and disable client security check for ssl.

    This PR will enable https://github.com/Kong/kuma/issues/597

    opened by sudeeptoroy 21
  • feat(helm): add resource limits option for control plane deployment


    Summary

    Currently, there is no place to specify the resource limits for control plane deployment. This PR provides the option to specify limits for control plane deployment

    Full changelog

    Helm - Provided resource limits option for kuma-cp deployment

    Testing

    • [ ] Unit tests
    • [ ] E2E tests
    • [ ] Manual testing on Universal
    • [X] Manual testing on Kubernetes

    Backwards compatibility

    Does not affect backwards compatibility.

    Signed-off-by: Gaurav Dasson [email protected]

    opened by gdasson 18
  • feat(kuma-cp) Support for udp


    opened by tharun208 17
  • chore(k8s): always inject Kuma as the first container


    Checklist prior to review

    • [x] Link to docs PR or issue -- https://github.com/kumahq/kuma/issues/3121
    • [x] Link to UI issue or PR -- n/a
    • [x] Is the issue worked on linked? --
    • [x] The PR does not hardcode values that might break projects that depend on kuma (e.g. "kumahq" as a image registry) --
    • [x] The PR will work for both Linux and Windows, system specific functions like syscall.Mkfifo have equivalent implementation on the other OS --
    • [x] Unit Tests --
    • [x] E2E Tests --
    • [ ] Manual Universal Tests --
    • [ ] Manual Kubernetes Tests --
    • [x] Do you need to update UPGRADE.md? -- no
    • [x] Does it need to be backported according to the backporting policy? -- no
    • [ ] Do you need to explicitly set a > Changelog: entry here or add a ci/ label to run fewer/more tests?
    opened by curtiscook 16
  • Ability to offload to Kuma sidecar the getting of JWT from an IdP


    Description

    As discussed here: https://kuma-mesh.slack.com/archives/CN2GN4HE1/p1649873274317209 I would like to understand if the following use case - and related feature - would be interesting for the Kuma community.

    The use case is based on security enforcement: let's say that microservice A wants to send a request to an authenticated API of microservice B. If microservice A needs a JWT token from an IdP, the first solution would be to implement the interaction with the IdP via application code.

    Since Kuma provides mTLS and traffic policy, it would be great to offload this phase of getting the JWT token from an IdP to the Kuma sidecar instead of implementing it in the application.

    I would like to get some feedback from the community!

    triage/rotten kind/feature 
    opened by braghettos 15
  • feat(kuma-cp): Add validation for pods with kuma.io scoped labels and annotations


    Summary

    This PR adds a validating webhook to validate the kuma.io scoped labels and annotations. A lot of the boilerplate was inspired from #611.

    Full changelog

    • Add a map in metadata.annotations to check for valid annotations/labels.
    • Add webhook configuration in the relevant yaml manifests.
    • Add pod_validator.go and pod_validator_test.go which contain the code for the webhook's Handle and validate methods.

    Issues resolved

    Fix #2331

    Testing

    • [x] Unit tests
    opened by PrayagS 15
  • Kuma is not sending traces to external Jaeger


    What happened?


    Cannot see traffic traces on Jaeger


    Mesh and Traffic Trace configurations

    apiVersion: kuma.io/v1alpha1
    kind: Mesh
    metadata:
      name: kuma-counter
    spec:
      tracing:
        defaultBackend: jaeger-collector
        backends:
        - name: jaeger-collector
          type: zipkin
          sampling: 100.0
          conf:
            url: http://jaeger-collector.telemetry.svc:9411/api/v2/spans
    
    apiVersion: kuma.io/v1alpha1
    kind: TrafficTrace
    mesh: kuma-counter
    metadata:
      name: trace-all-traffic
    spec:
      selectors:
      - match:
          kuma.io/service: '*'
      conf:
        backend: jaeger-collector
    

    Kuma Envoy sidecar and Kuma Controlplane logs

    k logs demo-app-68bc95bf6-6r8j2 -n demo-app -c kuma-sidecar |tee -a envoy.log
    k logs kuma-control-plane-6b5f78f944-pn78r -n kuma |tee -a kuma-cp.log

    envoy.log kuma-cp.log

    Jaeger metrics

    curl -s http://jaeger-collector.telemetry.svc:14269/metrics |grep "jaeger_collector_spans_received"
    # HELP jaeger_collector_spans_received_total received
    # TYPE jaeger_collector_spans_received_total counter
    jaeger_collector_spans_received_total{debug="false",format="jaeger",svc="other-services",transport="grpc"} 0
    jaeger_collector_spans_received_total{debug="false",format="jaeger",svc="other-services",transport="http"} 0
    jaeger_collector_spans_received_total{debug="false",format="jaeger",svc="other-services",transport="unknown"} 0
    jaeger_collector_spans_received_total{debug="false",format="proto",svc="other-services",transport="grpc"} 0
    jaeger_collector_spans_received_total{debug="false",format="proto",svc="other-services",transport="http"} 0
    jaeger_collector_spans_received_total{debug="false",format="proto",svc="other-services",transport="unknown"} 0
    jaeger_collector_spans_received_total{debug="false",format="unknown",svc="other-services",transport="grpc"} 0
    jaeger_collector_spans_received_total{debug="false",format="unknown",svc="other-services",transport="http"} 0
    jaeger_collector_spans_received_total{debug="false",format="unknown",svc="other-services",transport="unknown"} 0
    jaeger_collector_spans_received_total{debug="false",format="zipkin",svc="other-services",transport="grpc"} 0
    jaeger_collector_spans_received_total{debug="false",format="zipkin",svc="other-services",transport="http"} 0
    jaeger_collector_spans_received_total{debug="false",format="zipkin",svc="other-services",transport="unknown"} 0
    jaeger_collector_spans_received_total{debug="true",format="jaeger",svc="other-services",transport="grpc"} 0
    jaeger_collector_spans_received_total{debug="true",format="jaeger",svc="other-services",transport="http"} 0
    jaeger_collector_spans_received_total{debug="true",format="jaeger",svc="other-services",transport="unknown"} 0
    jaeger_collector_spans_received_total{debug="true",format="proto",svc="other-services",transport="grpc"} 0
    jaeger_collector_spans_received_total{debug="true",format="proto",svc="other-services",transport="http"} 0
    jaeger_collector_spans_received_total{debug="true",format="proto",svc="other-services",transport="unknown"} 0
    jaeger_collector_spans_received_total{debug="true",format="unknown",svc="other-services",transport="grpc"} 0
    jaeger_collector_spans_received_total{debug="true",format="unknown",svc="other-services",transport="http"} 0
    jaeger_collector_spans_received_total{debug="true",format="unknown",svc="other-services",transport="unknown"} 0
    jaeger_collector_spans_received_total{debug="true",format="zipkin",svc="other-services",transport="grpc"} 0
    jaeger_collector_spans_received_total{debug="true",format="zipkin",svc="other-services",transport="http"} 0
    jaeger_collector_spans_received_total{debug="true",format="zipkin",svc="other-services",transport="unknown"} 0
    [email protected]:/# curl -s http://jaeger-collector.telemetry.svc:14269/metrics |grep "jaeger_collector_traces_received"
    # HELP jaeger_collector_traces_received_total received
    # TYPE jaeger_collector_traces_received_total counter
    

    How do I set up the environment

    helm install kuma kuma/kuma -n kuma
    
    helm list -n kuma
    NAME	NAMESPACE	REVISION	UPDATED                             	STATUS  	CHART     	APP VERSION
    kuma	kuma     	1       	2022-12-29 10:47:04.340357 -0300 -03	deployed	kuma-2.0.1	2.0.1
    

    jaeger-collector-service.txt jaeger-collector.txt jaeger-query-service.txt jaeger-query.txt

    triage/pending kind/bug 
    opened by danilo-lopes 0
  • chore(deps): bump github.com/testcontainers/testcontainers-go from 0.15.0 to 0.17.0

    Bumps github.com/testcontainers/testcontainers-go from 0.15.0 to 0.17.0.

    Release notes

    Sourced from github.com/testcontainers/testcontainers-go's releases.

    v0.17.0

    What's Changed

    ⚠️ Breaking Changes

    Given the amount of issues after #476, causing consumers of this library to update their dependencies with multiple replace directives in their go.mod files, we have moved compose code to a separate module. Therefore the majority of the users of the library will only need to replace Docker dependency with the one used in this library, which is simpler in terms of usage. Please see Install instructions for further information.

    replace (
    	github.com/docker/docker => github.com/docker/docker v20.10.3-0.20221013203545-33ab36d6b304+incompatible // 22.06 branch
    )
    

    On the other hand, users of native Docker Compose code will still need all the replace directives, as described in the Compose docs.

    🚀 Features

    🐛 Bug Fixes

    • fix: avoid panics when checking container state and container.raw is nil (#635) @mdelapenya

    📖 Documentation

    🧹 Housekeeping

    ... (truncated)

    Commits
    • 10c899c chore: move compose code to a separate module (#650)
    • 18a119b docs: refine onboarding process with quickstart guide (#706)
    • 593da80 chore: move redis-specific tests to the example module (#701)
    • 574e1ae chore: bump transitive dependencies (#527)
    • e9fa657 chore: reduce concurrent builds (#702)
    • bb03057 chore: add mysql example (#700)
    • 2de9fb8 chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 (#699)
    • 71461a9 chore(deps): bump google.golang.org/api in /examples/firestore (#683)
    • f6b4131 chore(deps): bump cloud.google.com/go/spanner in /examples/spanner (#688)
    • 099b181 chore(deps): bump google.golang.org/api in /examples/pubsub (#685)
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
  • MeshTimeout configures wrong timeout for the MeshGateway

    What happened?

    The policy:

    kind: MeshTimeout
    apiVersion: kuma.io/v1alpha1
    metadata:
      namespace: kuma-system
      name: eg
    spec:
      targetRef:
        kind: MeshService
        name: edge-gateway
      to:
        - targetRef:
            kind: MeshService
            name: frontend_kuma-demo_svc_8080
          default:
            http:
              streamIdleTimeout: 32s
    

    sets streamIdleTimeout for the edge gateway listener. This listener is shared across all destination services so it's not correct to set it this way.

    triage/pending kind/bug 
    opened by lobkovilya 0
  • Status code dashboard doesn't show internal_upstream_rq_xx

    What happened?

    When setting up a timeout the stat that's changed is: envoy_cluster_internal_upstream_rq_xx

    The status code dashboards use: envoy_cluster_external_upstream_rq_xx

    So we have a weird view like:

    image

    We should do something better here (either sum them together or just show them differently)

    area/observability triage/pending triage/accepted kind/bug 
    opened by lahabana 0
  • panic in rules api

    What happened?

    Seems to be an error in the merge algorithm

    panic: expected struct or pointer to a struct got ptr                                                                                                                                                   
                                                                                                                                                                                                           
    goroutine 1663 [running]:                                                                                                                                                                               
    github.com/kumahq/kuma/pkg/core/xds.mustUnwrapStruct({0x27adb20?, 0xc000bde468?, 0x8?})                                                                                                                 
        /home/circleci/project/pkg/core/xds/merge.go:115 +0xb4                                                                                                                                              
    github.com/kumahq/kuma/pkg/core/xds.appendSlices({0x27adb20?, 0xc000bdedb0?, 0x0?}, {0x27adb20?, 0xc000bde468?, 0x27adb20?})                                                                            
        /home/circleci/project/pkg/core/xds/merge.go:87 +0x9b                                                                                                                                               
    github.com/kumahq/kuma/pkg/core/xds.appendSlices({0x23bbc00?, 0xc000bdedb0?, 0xb0?}, {0x2311a60?, 0xc000e4d250?, 0x30?})                                                                                
        /home/circleci/project/pkg/core/xds/merge.go:103 +0x31f                                                                                                                                             
    github.com/kumahq/kuma/pkg/core/xds.MergeConfs({0xc002038160, 0x2, 0x0?})                                                                                                                               
        /home/circleci/project/pkg/core/xds/merge.go:49 +0x4af                                                                                                                                              
    github.com/kumahq/kuma/pkg/core/xds.BuildRules({0xc00206d940, 0x2, 0xc000ed4e70?})                                                                                                                      
        /home/circleci/project/pkg/core/xds/rules.go:162 +0x570                                                                                                                                             
    github.com/kumahq/kuma/pkg/plugins/policies/matchers.fromRules(0xc00155b328?)                                                                                                                           
        /home/circleci/project/pkg/plugins/policies/matchers/match.go:98 +0xff                                                                                                                              
    github.com/kumahq/kuma/pkg/plugins/policies/matchers.MatchedPolicies({0x282755a, 0xb}, 0xc001563710, {0xc001941fb0?, 0xc000f66180?})
        /home/circleci/project/pkg/plugins/policies/matchers/match.go:55 +0x2fd                                                                                                                             
    github.com/kumahq/kuma/pkg/plugins/policies/meshtimeout/plugin/v1alpha1.plugin.MatchedPolicies(...)                                                                                                     
        /home/circleci/project/pkg/plugins/policies/meshtimeout/plugin/v1alpha1/plugin.go:34                                                                                                                
    github.com/kumahq/kuma/pkg/xds/sync.(*DataplaneProxyBuilder).matchPolicies(0xc0003b3020?, {{0xc001662e40, 0x2c}, 0xc0016ed338, {0xc001941fb0, 0xc000f66180}, 0xc001738db0, 0xc001739410, 0xc001739560,
        /home/circleci/project/pkg/xds/sync/dataplane_proxy_builder.go:165 +0x791                                                                                                                           
    github.com/kumahq/kuma/pkg/xds/sync.(*DataplaneProxyBuilder).Build(0xc0003b3020, {0x32096e0, 0xc000a730c0}, {{0xc0007abd70?, 0xc0007d9fc0?}, {0xc0007abd78?, 0xc0007abd70?}}, {{0xc001662e40, 0x2c}, 0x
        /home/circleci/project/pkg/xds/sync/dataplane_proxy_builder.go:45 +0x14b                                                                                                                            
    github.com/kumahq/kuma/pkg/xds/sync.(*DataplaneWatchdog).syncDataplane(0xc001aecd20, {0x32096e0, 0xc000a730c0}, 0xc00252c320)                                                                           
        /home/circleci/project/pkg/xds/sync/dataplane_watchdog.go:117 +0x42e                                                                                                                                
    github.com/kumahq/kuma/pkg/xds/sync.(*DataplaneWatchdog).Sync(0xc001aecd20, {0x32096e0, 0xc000a730c0})                                                                                                  
        /home/circleci/project/pkg/xds/sync/dataplane_watchdog.go:66 +0x171                                                                                                                                 
    github.com/kumahq/kuma/pkg/xds/sync.(*dataplaneWatchdogFactory).New.func2()                                                                                                                             
        /home/circleci/project/pkg/xds/sync/dataplane_watchdog_factory.go:46 +0xc7                                                                                                                          
    github.com/kumahq/kuma/pkg/util/watchdog.(*SimpleWatchdog).Start(0xc000766820, 0xc001434660)                                                                                                            
        /home/circleci/project/pkg/util/watchdog/watchdog.go:25 +0xe2                                                                                                                                       
    created by github.com/kumahq/kuma/pkg/xds/server/callbacks.(*dataplaneSyncTracker).OnProxyConnected                                                                                                     
        /home/circleci/project/pkg/xds/server/callbacks/dataplane_sync_tracker.go:55 +0x40a
    
    echo 'kind: MeshTimeout
    apiVersion: kuma.io/v1alpha1
    metadata:
      namespace: kuma-system
      name: from-all
    spec:
      targetRef:
        kind: Mesh
      from:
        - targetRef:
            kind: Mesh
          default:
            connectionTimeout: 15s
            idleTimeout: 1h
            http:
              requestTimeout: 15s
              streamIdleTimeout: 1s
              maxStreamDuration: 0s
              maxConnectionDuration: 0s' | kc apply -f-
    
    echo 'kind: MeshTimeout
    apiVersion: kuma.io/v1alpha1
    metadata:
      namespace: kuma-system
      name: fronted-to-backend
    spec:
      targetRef:
        kind: MeshService
        name: frontend_kuma-demo_svc_8080
      from:
        - targetRef:
            kind: Mesh
          default:
            http:
              streamIdleTimeout: 2s
      to:
        - targetRef:
            kind: MeshService
            name: backend_kuma-demo_svc_3001
          default:
            connectionTimeout: 15s
            idleTimeout: 1h
            http:
              requestTimeout: 15s
              streamIdleTimeout: 3s
              maxStreamDuration: 0s
              maxConnectionDuration: 0s' | kc apply -f-
    
    triage/accepted kind/bug area/policies 
    opened by lahabana 0
Releases(2.0.1)
  • 2.0.1(Dec 5, 2022)

    Changelog

    • chore: back-ports api base path fix #5341 @kleinfreund
    • feat(kuma-cp): remove value of secret when logging Secret Resources (backport #5384) #5392 @mergify
    • fix(kuma-cp): add option to disable sslsni in universal (backport #5318) #5322 @mergify
    • fix(kuma-cp): change way of setting if resource is read only (backport #5345) #5348 @mergify
    • fix(kuma-cp): kds deadlock (backport #5373) #5397 @mergify
    • fix(kuma-cp): use sni to verify upstream certificate san when specified along with address (backport #5347) #5378 @mergify
    • fix(xds): don't read metadata in ProxyBuilders (backport #5414) #5416 @mergify
    • fix: sort resources when building MeshContext (backport #5391) #5409 @mergify
  • 1.8.2(Dec 6, 2022)

    Changelog

    • feat(kuma-cp): remove value of secret when logging Secret Resources (backport #5384) #5393 @mergify
    • fix(kuma-cp): kds deadlock (backport #5373) #5398 @mergify
    • fix: sort resources when building MeshContext (backport #5391) #5410 @mergify
  • 2.0.0(Nov 4, 2022)

    We are excited to announce the release of Kuma 2.0! This new major release is super exciting as we announce the first availability of our next generation policies, in addition to new eBPF capabilities!

    Notable changes

    • 🚀 We have added support for eBPF into both our CNI and init container configurations. Using eBPF can improve the performance of traffic flow latency by up to 12%.
    • 🚀 Added the first 3 next generation policy updates:
      • MeshTrafficPermission
      • MeshTrafficLog
      • MeshTrafficTrace
    • 🚀 We have made multiple improvements to the UI as part of an ongoing effort to simplify and enrich the functionality of our admin dashboard. Specifically in 2.0 we’re releasing:
      • New YAML / JSON search and syntax highlighting for policies and Envoy configuration dumps
      • Filtering and column customization capabilities for Data Plane Proxies
      • Simplified, more intuitive navigation structure
    • 🚀 Improved our Datadog integration to record ingress and egress requests as separate services, allowing for easier debugging.
    • 🚀 It is now possible to configure the specific TLS versions and ciphers that are supported by the control-plane / API server.
    • 🚀 Users are now able to configure multiple UIDs to be ignored by traffic redirection (useful to work around some issues with systemd-resolver).
    • 🚀 Increased logging capabilities when using iptables for traffic redirection.

    Check out the blog post about Kuma 2.0.0

    Changelog

    • chore(.github): remove old release workflow #4836 @lobkovilya
    • chore(api): remove DENY_WITH_SHADOW_ALLOW #5220 @lobkovilya
    • chore(api): remove unused method and types #5148 @lobkovilya
    • chore(api): remove unused timestamp.proto import #4906 @michaelbeaumont
    • chore(api): skip Compute when building inbound access logs #5181 @jakubdyszkiewicz
    • chore(bootstrap): improve validator policy bootstrap #5014 @lahabana
    • chore(deps): bump actions/setup-go from 2 to 3 #5024 @dependabot
    • chore(deps): bump cirello.io/pglock from 1.9.0 to 1.10.0 #5239 @dependabot
    • chore(deps): bump github.com/Masterminds/sprig to 3.2.2 #5190 @mmorel-35
    • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.7 to 0.6.13 #5023 #5067 #5131 @dependabot
    • chore(deps): bump github.com/google/go-cmp from 0.5.8 to 0.5.9 #4996 @dependabot
    • chore(deps): bump github.com/gruntwork-io/terratest from 0.40.20 to 0.40.24 #4969 #4993 #5162 @dependabot
    • chore(deps): bump github.com/kumahq/kuma-net from 0.8.1 to 0.8.2 #5188 @dependabot
    • chore(deps): bump github.com/lib/pq from 1.10.6 to 1.10.7 #4995 @dependabot
    • chore(deps): bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.4.0 #4939 #4949 #5021 #5145 #5204 @dependabot
    • chore(deps): bump github.com/onsi/gomega from 1.20.0 to 1.23.0 #4933 #4970 #5133 #5146 #5240 @dependabot
    • chore(deps): bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 #5203 @dependabot
    • chore(deps): bump github.com/prometheus/prometheus from 0.37.0 to 0.39.1 #4887 #5134 @dependabot
    • chore(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.1 #5155 #5241 @dependabot
    • chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 #4994 @dependabot
    • chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 #5020 #5205 @dependabot
    • chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 #4930 @dependabot
    • chore(deps): bump golang.org/x/text from 0.3.7 to 0.4.0 #5147 #5163 @dependabot
    • chore(deps): bump google.golang.org/grpc from 1.48.0 to 1.50.1 #4927 #5132 #5156 @dependabot
    • chore(deps): bump k8s.io dependencies from 0.24.3 to 0.25.3 #4934 #5026 #5153 @michaelbeaumont
    • chore(deps): bump k8s.io/client-go from 0.25.1 to 0.25.2 #5062 @dependabot
    • chore(deps): bump kumahq/kuma-gui to f3dba73d4c264b094b6b351a8b44f2d5a0dc4ecb #4842 #4925 #5092 #5106 #5109 #5139 #5141 #5167 #5179 #5197 #5214 #5232 #5234 #5248 #5251 @kleinfreund,@kumahq
    • chore(deps): bump sigs.k8s.io/controller-runtime from 0.12.3 to 0.13.0 #4968 @dependabot
    • chore(deps): bump sigs.k8s.io/controller-tools from 0.9.2 to 0.10.0 #5059 @dependabot
    • chore(deps): update kuma-grafana-datasource #4856 @bartsmykla
    • chore(gateway): remove invalid options for MeshGatewayRoute #4890 @michaelbeaumont
    • chore(gui): removes update/gui command #4954 @kleinfreund
    • chore(helm): remove unused critical-pod annotation #4952 @michaelbeaumont
    • chore(helm): switch merbridge image registry to upstream #4838 @bartsmykla
    • chore(kuma-cp): adjust timeout in cp probes #4983 @jakubdyszkiewicz
    • chore(kuma-cp): config cleanup #4855 @jakubdyszkiewicz
    • chore(kuma-cp): improve logging in K8S controllers #4982 @jakubdyszkiewicz
    • chore(kuma-cp): improve test xds client #4976 @jakubdyszkiewicz
    • chore(kuma-cp): remove disabling metrics from kuma-cp.defaults #4894 @lahabana
    • chore(kuma-cp): resource manager wrapper #5057 @jakubdyszkiewicz
    • chore(kuma-init): use iptables-legacy in kuma-init #5040 @bartsmykla
    • chore(pkg/gc): don't rely on core.Now var for time #4918 @lahabana
    • chore(plugins): remove some unnecessary interfaces and methods #4997 @lahabana
    • chore(proto): remove protos for new policies #5218 @lobkovilya
    • chore(test): added resource builder #5123 #5195 @jakubdyszkiewicz
    • chore(test): added support for GRPC to test-server #4904 @lobkovilya
    • chore(test): make unit test compatible with IPV6 host #5198 @jakubdyszkiewicz
    • chore(xds): drop deprecated envoy.config.route.v3.HeaderMatcher.exact_match #4953 @michaelbeaumont
    • docs(MADR): new tracing policy proposal #4938 @michaelbeaumont
    • docs(MADR): update MADR 007 #5129 @lobkovilya
    • docs(gateway): explain the semantics of a PREFIX match #5013 @michaelbeaumont
    • docs(gateway): explain the semantics of a prefix rewrite to / #5016 @michaelbeaumont
    • docs(proto): fixed default serviceAddress and upgrade docs #5236 @lukidzi
    • docs(proto): rewrite dataplane proto docs #5219 @jakubdyszkiewicz
    • feat(ebpf): CNI uses libbpf CO:RE #5233 @lukidzi
    • feat(ebpf): refactor merbridge using libbpf with CO:RE #5034 @bartsmykla
    • feat(ebpf): transparent proxy with eBPF in init containers #4919 #5046 #5066 #5095 @bartsmykla
    • feat(gateway): add MeshGateway support to MeshAccessLog #5101 @michaelbeaumont
    • feat(gateway): add crossMesh to MeshGatewayConfig #5183 @michaelbeaumont
    • feat(gateway): add service-upstream annotation for delegated nginx #4913 @michaelbeaumont
    • feat(gateway): install kuma GatewayClass if gateway API CRDs present #5001 @michaelbeaumont
    • feat(gateway): match new policies to MeshGateways #5110 @michaelbeaumont
    • feat(inspect): implement rule-based view for new policies #5000 #5184 #5189 #5202 @jakubdyszkiewicz,@lobkovilya
    • feat(kuma-cp): add flag to disable taint controller #4852 @jakubdyszkiewicz
    • feat(kuma-cp): add possibility to restrict TLS version and ciphers #5186 @lahabana
    • feat(kuma-cp): add possibility to run MADS on TLS #5210 @lahabana
    • feat(kuma-cp): add possibility to split datadog services based on traffic direction and destination #5063 @Automaat
    • feat(kuma-cp): added validation for backend name #5081 @Automaat
    • feat(kuma-cp): created default control plane user #5064 @jakubdyszkiewicz
    • feat(kuma-cp): extensible token issuers #5083 @jakubdyszkiewicz
    • feat(kuma-cp): move Mesh Cache to runtime #5140 @Automaat
    • feat(kuma-cp): universal resources schema validation #5107 @slonka
    • feat(kuma-cp): use zone token to auth zone ingress #5103 @jakubdyszkiewicz
    • feat(kuma-dp): publish metrics with text_readouts from envoy #5159 @Automaat
    • feat(kumactl): add option to install with experimental transparent proxy #4958 @michaelbeaumont
    • feat(kumactl): use exclude ports for uids from kuma-net #4975 @slonka
    • feat(policy): Add MeshAccessLog policy #4908 #4998 #5035 #5168 #5177 @michaelbeaumont,@slonka
    • feat(policy): Add MeshTrace policy #5069 #5085 #5243 @michaelbeaumont,@slonka
    • feat(policy): Add MeshTrafficPermission policy #4835 #5009 #5075 @lobkovilya
    • feat(policy): add interfaces for policy plugins #4909 @lahabana
    • feat(policy): reimplemented matching for new policies #4780 #4950 #4957 #4977 #5068 #5084 #5166 #5172 #5174 @lahabana,@lobkovilya
    • feat(service-insights): add external service in api #5119 @lahabana
    • fix(.github): links in PR template #4905 @michaelbeaumont
    • fix(.github): use github app in pr-comment action #5164 @lahabana
    • fix(api): nil dereference in MeshAccessLog configurer #5258 @lobkovilya
    • fix(cni): add empty registry to experimental cni #4847 @slonka
    • fix(cni): hook up log level to cni #4849 @slonka
    • fix(cni): make cni logs available via kubectl logs #4845 @slonka
    • fix(cni): retry loading images #4860 @slonka
    • fix(docs): fixed location of developer tools in DEVELOPER.md docs #4988 @Automaat
    • fix(gateway): add support for retryOn #5091 @lahabana
    • fix(gateway): cross-mesh gateways with same service #5247 @michaelbeaumont
    • fix(gateway): don't create invalid envoy config when routes and listeners don't match #4837 @michaelbeaumont
    • fix(gateway): route URL prefix rewriting #5006 @michaelbeaumont
    • fix(gateway): skip ExternalService if none match #5207 @michaelbeaumont
    • fix(gateway): sort routes #5007 @michaelbeaumont
    • fix(gatewayapi): don't NPE if the GatewayClass ref doesn't exist #5187 @michaelbeaumont
    • fix(gatewayapi): reconcile Gateways and HTTPRoutes on ReferenceGrant changes #4944 @michaelbeaumont
    • fix(gatewayapi): update gateway-api and fix failing RouteKind tests #5175 @michaelbeaumont
    • fix(helm): customize location of kuma-init repository for ebpf cleanup #5230 @lukidzi
    • fix(helm): use podAnnotations everywhere possible #4991 @lahabana
    • fix(kuma-cp): collapsed grafana dashboards #4839 @jakubdyszkiewicz
    • fix(kuma-cp): deep copy tags when gen. outbounds #5070 @bartsmykla
    • fix(kuma-cp): disable statsForAllMethods in grpc stats #5226 @jakubdyszkiewicz
    • fix(kuma-cp): do not override source address when TP is not enabled #4951 @lukidzi
    • fix(kuma-cp): multiple external services pointing to same address #5185 @slonka
    • fix(kuma-cp): override grafana plugin files by default #5208 @slonka
    • fix(kuma-cp): reissue admin tls cert on dp address change #5222 @jakubdyszkiewicz
    • fix(kuma-cp): remove Dataplane for Pod without IP #4964 @jakubdyszkiewicz
    • fix(kuma-cp): return content type of inspect endpoints #4965 @jakubdyszkiewicz
    • fix(kuma-dp): resilient TCP access log streamer #4862 @jakubdyszkiewicz
    • fix(kumactl): get APIVersions from k8s server #5182 @michaelbeaumont
    • fix(tools): add 'v' prefix to preview version format #5004 @michaelbeaumont
    • fix(tools): support both GitHub app tokens and PATs #4869 @michaelbeaumont
    • perf(kuma-cp): avoid rebuilding endpoint map #4974 @jakubdyszkiewicz
    • refactor(kuma-dp): add xds authentication customization #4990 @michaelbeaumont
  • 1.8.1(Oct 10, 2022)

    Changelog

    • fix(tools): support both GitHub app tokens and PATs (backport #4869) by @mergify in https://github.com/kumahq/kuma/pull/4872
    • fix(kuma-cp): remove Dataplane for Pod without IP (backport #4964) by @mergify in https://github.com/kumahq/kuma/pull/4980
    • fix(*): do not override source address when TP is not enabled (backport #4951) by @mergify in https://github.com/kumahq/kuma/pull/4961
    • fix(kuma-cp): deep copy tags when gen. outbounds (backport #5070) by @mergify in https://github.com/kumahq/kuma/pull/5071
    • fix(gateway): add support for retryOn (backport #5091) by @mergify in https://github.com/kumahq/kuma/pull/5098
  • 1.7.2(Oct 6, 2022)

    Changelog

    • fix(helm): always run Helm version update by @michaelbeaumont in https://github.com/kumahq/kuma/pull/4604
    • chore(helm): update to 1.7.1 by @michaelbeaumont in https://github.com/kumahq/kuma/pull/4603
    • Revert "fix(helm): always run Helm version update (#4604)" by @michaelbeaumont in https://github.com/kumahq/kuma/pull/4609
    • fix(kuma-cp): deep copy tags when gen. outbounds (backport #5070) by @mergify in https://github.com/kumahq/kuma/pull/5072
    • fix(kuma-cp): remove Dataplane for Pod without IP (backport #4964) by @mergify in https://github.com/kumahq/kuma/pull/5096
  • 1.6.2(Oct 6, 2022)

    Changelog

    • fix(core): validate both old and new objects on Update (backport #4589) by @michaelbeaumont in https://github.com/kumahq/kuma/pull/4593
    • fix(kuma-cp): deep copy tags when gen. outbounds (backport #5070) by @mergify in https://github.com/kumahq/kuma/pull/5090
    • fix(kuma-cp): remove Dataplane for Pod without IP (backport #4964) by @mergify in https://github.com/kumahq/kuma/pull/5097
  • 1.8.0(Aug 24, 2022)

    Notable changes

    • 🚀 CNI v2 with lots of improvements
    • 🚀 Production settings for Builtin Gateway
    • 🚀 URL rewrite in Builtin Gateway
    • 🚀 Stats and Clusters in the GUI
    • 🚀 Extra retryOn options for Retry
    • 🚀 Better support for TCP logging
    • 🚀 Filtering Envoy metrics
    • 🚀 Projected service account token

    Check out the blog post about Kuma 1.8.0

    Changelog

    New features:

    CNI v2 with lots of improvements:

    • taint controller to prevent race condition #4650 @slonka
    • all logs are easily accessible via kubectl logs command which greatly simplifies observability #4845 @slonka
    • it uses new transparent engine implemented in kuma-net #4481 @slonka

    URL rewrite in Builtin Gateway:

    • support URL rewriting #4638 @michaelbeaumont

    Stats and Clusters in the GUI:

    • execute stats and clusters from the control plane #4557 #333 @jakubdyszkiewicz

    Extra retryOn options for Retry:

    • add extra http retryOn options #4744 @johnharris85

    Better support for TCP logging:

    • resilient TCP access log streamer #4511 @parkanzky #4862 @jakubdyszkiewicz

    Filtering Envoy metrics:

    • added option to define filter for Envoy metrics #4503 @lukidzi

    Projected service account token:

    • support for projected service account token #4453 @lukidzi

    Fixes:

    Helm:

    • remove duplicate keys in resources #4681 @michaelbeaumont
    • add containersecuritycontext to CNI daemonset #4677 @jakubdyszkiewicz
    • fix extraConfigMap and cp labels #4531 @lahabana
    • use image.global.registry for imageExperimental #4641 @jakubdyszkiewicz

    Gateway:

    • ListenerReason for unresolved certificate refs, enable ReferenceGrant conformance tests #4806 @michaelbeaumont
    • check hostname intersection between HTTPRoute and Gateway listener #4537 @michaelbeaumont
    • create MeshGatewayInstance in same Mesh as Gateway #4794 @michaelbeaumont
    • don't create invalid envoy config when routes and listeners don't match (backport #4837) #4841 @mergify
    • hostname intersections, use new RouteReasons #4544 @michaelbeaumont
    • improve HTTPRoute statuses with unresolved BackendRefs #4635 @michaelbeaumont
    • npe without any timeout #4548 @michaelbeaumont
    • rbac permissions for ReferenceGrant #4628 @michaelbeaumont
    • workaround label value max length with hash #4545 @michaelbeaumont

    Control Plane:

    • check if kuma annotation or label is set but ignore value #4731 @lukidzi
    • delete an empty TimeoutConfigurer #4554 @lobkovilya
    • do not modify external service tags #4591 @jakubdyszkiewicz
    • don't deploy Pod/Service webhooks in global #4673 @michaelbeaumont
    • don't fail generation if other mesh CAs are misconfigured #4501 @michaelbeaumont
    • external service datasource validation #4652 @jakubdyszkiewicz
    • fix builtdns annotations for kubernetes #4660 @lahabana
    • generate cluster name hash based on tags not config #4598 @lukidzi
    • grant delete Pods in kuma-system namespace to control plane #4571 @michaelbeaumont
    • localhost exposed application shouldn't be reachable #4750 @lukidzi
    • make options for policies simpler #4722 @lahabana
    • protect sort from empty locality #4820 @jakubdyszkiewicz
    • registering dp on reconnect #4647 @jakubdyszkiewicz
    • support GC service account #4483 @lobkovilya
    • validate both old and new objects on Update #4589 @michaelbeaumont
    • validation error with user tokens #4507 @jakubdyszkiewicz

    Data Plane:

    • access log path on windows when cp is on linux #4518 @jakubdyszkiewicz
    • fix multi OS build of accesslogs #4767 @lahabana
    • have envoy version check always work #4564 @lahabana
    • propagate context for metrics aggregate #4640 @lukidzi
    • set prometheus content-type when returning metrics #4706 @lukidzi

    Other:

    • add operations now create non-existent path elements #4595 @michaelbeaumont

    Docs:

    • new policy matching proposal #4474 @lobkovilya

    Other changes:

    Gateway:
    • mention mesh name in gateway instance status #4678 @lahabana
    • add listener connection limits #4755 @michaelbeaumont
    • add loadBalancerIP to MeshGatewayInstance #4519 @michaelbeaumont
    • allow MeshGateway Dataplane Pods to bind privileged ports #4535 @michaelbeaumont
    • configure overload_manager based on max memory #4694 @michaelbeaumont
    • multi-zone cross-mesh MeshGateway #4443 @michaelbeaumont
    • propagate x-kuma-tags from MeshGateways #4476 @michaelbeaumont
    • send default static payload for empty gateway #4617 @tharun208
    • set path_with_escaped_slashes_action #4719 @michaelbeaumont
    • set cluster HTTP2 stream and connection window size #4779 @michaelbeaumont
    • set cluster per_connection_buffer_limit_bytes #4696 @michaelbeaumont
    • set global_downstream_max_connections to 50000 #4724 @michaelbeaumont
    • update to Gateway API v0.5.0, support v1beta1 resources #4599 @michaelbeaumont
    • validate listeners for collapsibility #4765 @michaelbeaumont
    • add MeshGateway dashboard #4555 @michaelbeaumont
    Control Plane:
    • config cleanup (backport #4855) #4857 @mergify
    • don't set deprecated dns_resolver_config #4702 @michaelbeaumont
    • don't set deprecated known_suffixes #4701 @michaelbeaumont
    • remove deprecated Cluster.Http2ProtocolOptions #4528 @michaelbeaumont
    • remove versions_ws #4512 @lahabana
    • replace deprecated admin_access_log_path #4552 @lahabana
    • add /policies endpoint to list all registered policies #4708 @lahabana
    • authenticate DP every time #4685 @jakubdyszkiewicz
    • enrich policies endpoint #4791 @jakubdyszkiewicz
    • identify gateway service by deployment #4703 @parkanzky
    • separate CA for Envoy Admin communication #4676 @jakubdyszkiewicz
    • use remote address for Gateway #4530 @jakubdyszkiewicz
    • add operations now create non-existent path elements #4595 @michaelbeaumont
    Data Plane:
    • remove envoy admin port flag #4574 @tharun208
    • detect memory limit only on linux #4715 @jakubdyszkiewicz
    kumactl:
    • add a limit to the prom TSDB size #4651 @lahabana
    • remove old flags in install tp #4760 @lahabana
    • add MeshGateway to install demo #4679 @michaelbeaumont
    • add install control-plane --registry flag #4533 @michaelbeaumont
    Documentation:
    • create MADR for MeshTrafficPermission #4666 @lobkovilya
    • new policy matching proposal #4474 @lobkovilya
    • policy matching, replace 'conf' with 'default' #4693 @lobkovilya
    CNI:

    Dependency updates:

    • update demo to latest version #4572 @lahabana
    • update Kuma GUI #4815 @kleinfreund #4723 @lahabana
    • use github.com/emicklei/go-restful/v3 #4665 @mmorel-35
    • bump alpine from 3.16.0 to 3.16.2 in /tools/releases/dockerfiles #4670 #4827 @dependabot
    • bump github.com/containerd/cgroups from 1.0.3 to 1.0.4 #4717 @dependabot
    • bump github.com/containernetworking/cni from 0.8.1 to 1.1.2 #4632 #4716 @dependabot
    • bump github.com/golang-jwt/jwt/v4 from 4.4.1 to 4.4.2 #4499 @dependabot
    • bump github.com/golang-migrate/migrate/v4 from 4.15.0 to 4.15.2 #4672 @dependabot
    • bump github.com/gruntwork-io/terratest from 0.40.15 to 0.40.20 #4469 #4480 @dependabot
    • bump github.com/miekg/dns from 1.1.49 to 1.1.50 #4492 @dependabot
    • bump github.com/onsi/gomega from 1.19.0 to 1.20.0 #4671 @dependabot
    • bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 #4783 @dependabot
    • bump github.com/prometheus/common from 0.34.0 to 0.37.0 #4489 #4627 @dependabot
    • bump github.com/spf13/cobra from 1.4.0 to 1.5.0 #4491 @dependabot
    • bump go.uber.org/zap from 1.21.0 to 1.22.0 #4829 @dependabot
    • bump google.golang.org/grpc from 1.47.0 to 1.48.0 #4631 @dependabot
    • bump google.golang.org/protobuf from 1.28.0 to 1.28.1 #4718 @dependabot
    • bump k8s.io/apiextensions-apiserver from 0.24.0 to 0.24.3 #4493 #4624 @dependabot
    • bump sigs.k8s.io/controller-runtime from 0.12.1 to 0.12.3 #4498 #4581 @dependabot
    • bump sigs.k8s.io/controller-tools from 0.9.0 to 0.9.2 #4549 @dependabot
  • 1.7.1(Jul 19, 2022)

    Changelog

    Fixes

    Gateway

    • Nil pointer exception without any timeout (#4550)
    • Use remote address for Gateway (#4538)

    kumactl

    • Update demo to latest version (#4587)

    Control plane

    • Grant delete Pods in kuma-system namespace to control plane (#4575)
    • Don't fail generation if other mesh CAs are misconfigured (#4517)
    • Don't override timeout values for ExternalServices (#4568)

    Data plane proxy

    • Access log path on windows when cp is on linux (#4518)

    Helm

    • Fix extraConfigMap and cp labels (#4541)

    General

    • Avoid -<arch> in version of the binaries (#4527)
  • 1.7.0(Jun 16, 2022)

    Notable changes

    • 🚀 Streamlined cross-mesh communication through Kuma’s builtin gateway. There’s a bit to unpack here – details are in the following section.
    • 🚀 Support for ARM-based Linux and MacOS environments. You can continue to connect services across your environment with Kuma as you modernize onto microservices with ARM architectures.
    • 🚀 Observability implementation in one command. You can instrument metrics, traces, and logs with a single [observability] command line tool.
    • 🚀 Simplified application metrics collection. You can now enable metrics collection from your services without deploying Prometheus inside the mesh.
    • 🚀 Graceful Data Plane Proxy shutdowns. You won’t see occasional data plane proxy error metrics from your services and DPPs as they spin down.
    • 🚀 Multiple Helm refinements. You can now use Helm charts to customize image tags, expose the control plane’s metrics for self-deployed Prometheus scraping, and more.

    Check out the blog post about Kuma 1.7.0

    Changelog

    New features:

    Cross Mesh Communication:

    • add cross-mesh MeshGateway listeners #4274 #4405 @michaelbeaumont

    ContainerPatch:

    • allow custom configuration of Kubernetes' kuma-init and kuma-sidecar containers by introducing ContainerPatch CRD #4280 #4362 / #4366 #4369 / #4370 @parkanzky, @bartsmykla

    Observability:

    • hijack application metrics to enable scraping metrics from mTLSed applications without prometheus in the mesh #4286 #4388/#4406 @lukidzi
    • unified installation of metrics/logging/tracing into one command observability #4308 #4411/#4418 @lukidzi, @lahabana

    ARM64 support:

    • added arm build and release pipeline #4231 @lukidzi
    • release for arm64 now publish correct arch image #4276 @lukidzi
    • upgrade kubectl to version with ARM support #4180 @lukidzi
    • support ARM Linux/Darwin for dev/tools #4199 @lukidzi
    • introduced map of arch for a specific build #4321 @lukidzi
    • do not exclude arm64 files from docker #4265 @lukidzi

    Gateway:

    • add GatewayClass.Spec.ParametersRef support #4157 @michaelbeaumont
    • cp annotations from gateway to svc #4327 @johnharris85
    • only reconcile Gateway when GatewayClass is Ready #4162 @michaelbeaumont
    • auto generate hostname for crossMesh listeners #4421/#4424 @michaelbeaumont

    Helm:

    • set host network var in helm/cp-deployment.yaml #4209 @SallyBlichWalkMe
    • add resource management for jobs #4254 @gdasson
    • option for automountSAT=false on cp #4309 @gdasson
    • helm chart improvements #4337 @bartsmykla

    CP:

    • experimental transparent proxy annotation #4240 @parkanzky
    • graceful shutdown on Universal using HDS #4246 @jakubdyszkiewicz
    • intercept signal for different platforms #4283 @jakubdyszkiewicz
    • XDS config dump on Global CP #4301 @jakubdyszkiewicz
    • validate DP compat on kuma backend #4236 @parkanzky

    DP:

    • graceful shutdown of kuma-dp #4229 @jakubdyszkiewicz

    Fixes:

    Gateway:

    • use MeshGatewayInstance mesh annotation when matching #4361/#4371 @michaelbeaumont

    Helm:

    • remove replica from cp-deployment.yaml when autoscaling enabled #4447/#4454 @gustoliv

    CP:

    • fix '/config_dump' request if Global CP is on Kubernetes #4363/#4372 @lobkovilya
    • add the latest version to compatibility matrix #4232 @parkanzky

    DP:

    • clarify error log message when kuma-dp is wrongly connecting to global-cp #4269 @slonka

    Kumactl:

    • fix transparent proxy --skip-conntrack-zone-split flag value #4334 @bartsmykla

    Other notable changes:

    Gateway:

    • add /finalizers permission for OwnerReferencesPermissionEnforcement plugin #4239 @michaelbeaumont
    • don't match on ALPN in gateway (#4198) #4272 @wjrbetts

    Helm:

    • delete 'kubernetes.io/arch' node selector #4335 @lobkovilya

    CP:

    • don't always recompute mesh contexts #4267 @michaelbeaumont
    • don't run dataplane gc in global #4184 @lahabana
    • graceful components #4277 @jakubdyszkiewicz
    • memory store cannot delete a parent #4194 @jakubdyszkiewicz
    • protocol check should be case-insensitive #4248 @lukidzi
    • remove dns server from control plane #4192 @lahabana
    • automatically detect dns lookup family for cp cluster #4275 @slonka

    ZoneIngress:

    • graceful start of many ZoneIngresses #4305 @jakubdyszkiewicz

    ZoneEgress:

    • resolve zone-ingress advertized address #4219 @lahabana
    • do not change ip to ZoneEgress address #4193 @lukidzi

    Kumactl:

    • remove flag '--experimental-meshgateway' #4315 @lobkovilya

    Timeout Policy:

    • deprecate 'timeout.grpc' section #4365/#4449 @lobkovilya

    Other:

    • delete dns-server 5653 port from configuration and helm files #4339/#4345 @lobkovilya
    • support kube-linter tools to analyze Kubernetes YAML files #4294 @mangoGoForward

    Dependency upgrades:

    • upgrade envoy to 1.22.1 #4288 #4464/#4465 @lobkovilya
    • upgrade kuma-cni to 0.0.10 #4313 @lobkovilya
    • upgrade tproxy iptables to v0.2.2 #4328 @bartsmykla
    • upgrade GUI to the latest version #4316 #4338 #4389/#4390 @jakubdyszkiewicz, @lahabana, @bartsmykla
    • upgrade protoc and regenerate files #4169 @lukidzi
    • bump github.com/golang-migrate/migrate/v4 from 4.15.1 to 4.15.2 #4234 @dependabot
    • bump github.com/gruntwork-io/terratest from 0.40.6 to 0.40.10 #4178 #4260 #4322 @dependabot
    • bump github.com/lib/pq from 1.10.5 to 1.10.6 #4299 @dependabot
    • bump github.com/miekg/dns from 1.1.48 to 1.1.49 #4291 @dependabot
    • bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4 #4233 @dependabot
    • bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 #4290 @dependabot
    • bump github.com/prometheus/common from 0.33.0 to 0.34.0 #4235 @dependabot
    • bump github.com/spf13/viper from 1.10.0 to 1.11.0 #4177 @dependabot
    • bump google.golang.org/grpc from 1.45.0 to 1.46.2 #4213 #4289 @dependabot
    • bump k8s.io/apiextensions-apiserver from 0.23.5 to 0.24.0 #4216 @dependabot #4302/#4378
    • bump sigs.k8s.io/controller-runtime from 0.11.2 to 0.12.1 #4302/#4378 @dependabot

    Other:

    • automate policy generation #4197 @lobkovilya
  • 1.6.1(Jun 16, 2022)

  • 1.5.2(Jun 16, 2022)

    This is a patch release that everyone should update to. It includes an important security patch on Envoy.

    Changelog

    Dependency upgrades:

    • upgrade envoy to 1.21.3 #4456 @lobkovilya
  • 1.6.0(Apr 12, 2022)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce Kuma's latest release, which is packed with features and improvements. We strongly suggest upgrading, in order to take advantage of the latest and greatest when it comes to service mesh.

    Notable Features

    • 🚀 We provide a preview of Kubernetes Gateway API support for our builtin gateway. This makes it easier to provide a gateway to lead traffic through your mesh.
    • 🚀 Full support for the "inspect API" on builtin gateway resources. This enables users to see which policies impact which gateway routes.
    • 🚀 ZoneEgress received many improvements like: support for Standalone, locality aware routing on external services and support for FaultInjection and RateLimit policies on external services.
    • 🚀 A preview of the completely rewritten transparent proxy, this aims to make transparent proxy more stable and provide us with pathways for further innovation.
    • Many improvements to the Helm charts like: exposing the CP with an ingress, providing resource limits to components, and customizing image tags and security context.
    • A new metric to see how long configuration changes take to propagate to data plane proxies.

    And a lot more!

    Also check the upgrade path.

    Changelog

    New features:

    Gateway:

    • release K8s GatewayAPI as preview 4072 4022 4045 4014 3956 @jakubdyszkiewicz,@michaelbeaumont
    • use MeshGatewayInstance name for generated objects 4097 @michaelbeaumont

    Inspect api:

    ZoneEgress:

    • Make zoneegress available in standalone mode 4100 @lahabana
    • added locality aware lb for external service 4048 @lukidzi
    • make zoneegress routing opt-in 4109 4013 @lukidzi
    • support RateLimit and FaultInjections 4000 @lobkovilya

    Helm:

    • Allow customization of image tags in Helm chart 4068 @gdasson
    • Expose kuma-cp's metric port so it can be scraped by self-deployed prometheus. 4047 @jbehrends
    • add resource limits option for control plane deployment 4049 @gdasson
    • fail if global.image.tag and appVersion incompatible 4085 @michaelbeaumont
    • set version to track appVersion 4083 @michaelbeaumont
    • expose kuma-cp gui through ingress 4101 @lukidzi
    • allow specifying security context 4153 @gdasson @bartsmykla

    Other:

    • feat(k8s): ability to set custom service account token volume 4036 @johnharris85
    • feat(k8s): shutdown kuma-dp container for any owner kind 4079 @lukidzi
    • feat(k8s): support startupProbes 4090 @lahabana
    • feat(kuma-cp): add uptime, policies, gateway dps to reports 3933 @parkanzky
    • feat(kuma-cp): add metrics and timeouts to CA interface 4089 @parkanzky
    • feat(kumactl): add --values and --set to kumactl install control-plane 4086 @lahabana
    • feat(transparent-proxy): add experimental tproxy iptables generation 4114 @bartsmykla

    Dependency upgrades:

    • bump alpine from 3.15.0 to 3.15.2 in /tools/releases/dockerfiles 4060 4023 @dependabot
    • bump github.com/envoyproxy/protoc-gen-validate from 0.6.3 to 0.6.7 3978 3976 @dependabot
    • bump github.com/go-logr/logr from 1.2.2 to 1.2.3 4040 @dependabot
    • bump github.com/golang-jwt/jwt/v4 from 4.3.0 to 4.4.1 4061 4025 @dependabot
    • bump github.com/k8s/* from 0.23.4 to 0.23.5 4043 @lahabana
    • bump github.com/miekg/dns from 1.1.46 to 1.1.47 3998 @dependabot
    • bump github.com/onsi/gomega from 1.18.1 to 1.19.0 4062 @dependabot
    • bump github.com/spf13/cobra from 1.3.0 to 1.4.0 3995 @dependabot
    • bump go.uber.org/multierr from 1.7.0 to 1.8.0 3974 @dependabot
    • bump google.golang.org/grpc from 1.44.0 to 1.45.0 3993 @dependabot
    • bump google.golang.org/protobuf from 1.27.1 to 1.28.0 4046 @dependabot
    • bump helm.sh/helm/v3 from 3.8.0 to 3.8.1 3994 @dependabot
    • bump sigs.k8s.io/gateway-api from 0.4.1 to 0.4.2 3997 @dependabot
    • remove dependency on spire 4044 @lahabana

    Other notable changes:

    • chore(k8s): replace cni registry 4070 @lobkovilya
    • chore(k8s): use appProtocol from service by default 4015 @jakubdyszkiewicz
    • chore(kuma-dp): cleanup bootstrap version field 3670 @tharun208
    • fix(gateway): fix status updating in MeshGatewayInstance reconciliation 4051 @michaelbeaumont
    • fix(gateway): gateway instance service reconciliation loops forever 4035 @jakubdyszkiewicz
    • fix(gateway): gateway reconciliation loops forever 4034 @jakubdyszkiewicz
    • fix(gateway): gateway tls listeners without hostnames 4093 @jakubdyszkiewicz
    • fix(gateway): ignore non TCP protocol for provided gateway 4067 @lahabana
    • fix(gateway): mesh gateway instance service target port 4071 @jakubdyszkiewicz
    • fix(gateway): skip creating MeshGateways without proper attachment 4011 @jakubdyszkiewicz
    • fix(helm): add prefix to app label in ingress/egress deployment 4123 @lahabana
    • fix(helm): fix other template prefix in ingress/egress 4124 @lahabana
    • fix(helm): remove wildcard rbac version 4148 @johnharris85
    • fix(k8s): reconcile serviceMaps when using mesh namespace annotation 3815 @lahabana
    • fix(kuma-cp): avoid generating excessive envoy clusters 3984 @lobkovilya
    • fix(kuma-cp): default policy creation 4073 @lobkovilya
    • fix(kuma-cp): guard the nil version in metadata 3969 @jakubdyszkiewicz
    • fix(kuma-cp): provide better message when running with an in-memory database 3982 @lukidzi
    • fix(kuma-dp): better error message when the token is invalid 3961 @lahabana
    • fix(kumactl): add mesh flag to only commands that uses it 3788 @tharun208
    • fix(kumactl): split yaml correctly in kumactl apply 4107 @lahabana
    • fix(proxytemplate): avoid validation error 3937 @marcoferrer
    • fix(proxytemplate): execute hooks before proxy template modifications 4055 @jakubdyszkiewicz
    • perf(k8s): move outbounds from Dataplane to Config 3986 @jakubdyszkiewicz
  • 1.5.1(Apr 11, 2022)

    This is a patch release that everyone should update to. It includes fixes to important issues in Kuma 1.5.0.

    Changelog

    • chore(k8s): replace cni registry (backport #4070) 4076
    • fix(kuma-cp): default policy creation (backport #4073) 4080
    • fix(kuma-cp): guard the nil version in metadata (backport #3969) 3970
  • 1.5.0(Feb 24, 2022)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce Kuma's first release in 2022, which is packed with features and improvements, including substantial performance improvements when running at scale. We strongly suggest upgrading to take advantage of the latest and greatest when it comes to service mesh.

    Notable Features

    • 🚀 A new Zone Egress resource to create a single egress point from a Zone, which goes hand in hand with the pre-existing Kuma Ingress. This new feature has been added in addition to the pre-existing egress behavior, which means that Kuma now supports two egress modes: centralized via Zone Egress, or decentralized from the sidecars.
    • 🚀 A new builtin gateway mode in addition to delegated mode. Kuma now ships with an Envoy-based gateway implementation to expose services from within the service mesh to the outside world - or to other meshes - using an Envoy based ingress. This is currently a preview and can be enabled by starting the control-plane with --experimental-meshgateway.
    • 🚀 This new version ships with a 90% decrease in memory consumption when running Kuma at scale, as part of our ongoing effort to make Kuma the fastest service mesh in the world.
    • New troubleshooting tooling in the CLI and GUI to help identify issues faster.
    • A new Mesh membership capability that determines, top-down, what DPPs should be part of a Mesh (in addition to the bottom-up membership mode that is already supported, where a DPP can choose what Mesh it belongs to).
    • Helm chart improvements to provide custom imagePullSecrets.
    • Updated Envoy proxy to v1.21.1.

    Also check the upgrade path.

    Changelog

    • feat(*): zone egress #3809 #3757

    • feat(kuma-cp) data plane proxy membership #3619

    • feat(kuma-cp): reachable services in transparent proxying #3791

    • feat(inspect-api): retrieve full XDS config #3768

    • feat(*): inspect api support #3805 #3568 #3462

    • feat(kuma-cp): add proxytemplate to matched policies for inspect poli… #3786 👍contributed by @tharun208

    • feat(kuma-cp): enable traffic route for inspect endpoints #3735 👍contributed by @tharun208

    • feat(*): move adminPort to DPP resource #3739

    • feat(helm): add imagePullSecrets support #3755 👍contributed by @johnharris85

    • feat(*): enable Gateway with runtime flag #3736

    • feat(kumactl): add --api-timeout flag #3723

    • feat: allow for ca/identity secrets for every mesh #3696

    • feat(kuma-cp): allow extra cm in kuma cp chart #3671 👍contributed by @wjrbetts

    • feat(kuma-cp): add gui link in index api response #3675 👍contributed by @tharun208

    • feat(*): allow ca.crt to be in separate k8s secret #3638

    • feat(kumactl): add type of logging and tracing backends with name in table output #3636 👍contributed by @tharun208

    • feat(kuma-cp): enable client side gRPC keepalive #3574

    • feat(gui): new onboarding view kumahq/kuma-gui#194

    • feat(gui): link to documentation from policy view kumahq/kuma-gui#289

    • fix(kuma-cp): do not update unchanged insights #3819

    • fix(*): do not annotate gateway services with ingress upstream #3816

    • fix(*): properly escape DB password when creating postgres connection string #3804

    • fix(kuma-cp): fix missing label sidecar injection #3740

    • fix(kuma-dp): fix conntrack collisions #3459 👍contributed by @johnharris85

    • fix(conf): remove invalid health check fields from example #3697 👍contributed by @tharun208

    • fix(kuma-dp): binary lookup function skips not available directories #3667

    • fix(k8s): make sure controllers start after leader election #3666

    • fix(build): fix gomega matchers for inspect resources command test #3660 #3651 👍contributed by @tharun208

    • fix(kumactl): ignore any unregistered CRDs, not only from the root chart #3643

    • fix(kumactl): print meta before spec for Kuma resources #3637

    • fix(kuma-cp): add cp selector to global sync service #3579

    • fix(kuma-cp) do not override other dataplane with dp lifecycle #3507

    • fix(helm) Add support to customize nodeport #1944 👍contributed by @bhiravabhatla

    • perf(kuma-cp): use mesh snapshot in proxy builder #3700

    • perf(kuma-cp): use mesh snapshot in gateway #3710

    • perf(kuma-cp): share mesh context #3659

    • improvement(metadata): include name of annotation to parse error message #3677 👍contributed by @ChinYing-Li

    • refactor(insights): delete method GetLatestSubscription for insights #3656 👍contributed by @tharun208

    • refactor(kuma-cp): unify mesh determination for k8s objects #3708

    • refactor(*): replace ensureDefaultXXX functions with a single generic function #3662 👍contributed by @tharun208

    • chore(zone-ingress): delete deprecated env KUMA_DATAPLANE_ADMIN_PORT #3766

    • chore(k8s): remove GetBool method and use GetEnabled #3698 👍contributed by @tharun208

    • chore(*): generate CRD types #3453

    • chore(dataplane)!: disallow using 0.0.0.0 in networking.address for dp #3691

    • chore(kuma-cp): consolidate mesh defaults creation #3678

    • chore(config): remove ability to disable insights #3501

    • chore(*): remove old Ingress #3435

    • chore(*): upgrade Envoy to v1.21.1 #3909

    • chore(grafana): update to latest grafana plugin version #3812

    • ci(*): release on every commit in master and release branches #3712

  • 1.4.1(Jan 20, 2022)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma! Kuma 1.4.1 is a new release that ships with 25+ new features and significant performance improvements at scale. We strongly suggest upgrading to take advantage of the latest and greatest when it comes to service mesh.

    Notable Features:

    • 🚀 Performance continues to be significantly improved. We’ve streamlined some JSON marshalling, which cuts memory consumption in half.
    • 🚀 Authentication tokens are now simpler to manage.
    • 🚀 Kubernetes Pods are automatically tagged to identify the Pod’s namespace, so you can easily build policies around the Pod.

    And much more!

    Also check the upgrade path.

    Changelog

    • feat: add kubernetes tags automatically #3439
    • perf: update Mesh and ServiceInsights only when really needed #3463
    • perf: eliminate unnecessary JSON marshalling #3483
    • feat: sidecar injection webhook based on labels #3417
    • chore: upgrade gui to new version #3454
    • test: fix postgres tests permissions #3443
    • feat: add affinity to CP and Ingress pods #3036 👍contributed by @andrey-dubnik
    • chore: bump github.com/golang-jwt/jwt/v4 from 4.1.0 to 4.2.0 #3432
    • feat: consolidate tokens logic to support expiration, rotation, revocation and RSA256 #3376
    • fix: simplify cluster creation with endpoints #3403
    • fix: enable metrics hijacker for current version of Kuma #3405
    • fix: switch to mTLS when CP communicates with Envoy Admin #3353
    • chore: bump github.com/spiffe/spire from 0.12.3 to 1.1.1 #3388
    • chore: bump github.com/spf13/viper from 1.8.1 to 1.9.0 #3389
    • fix: validate cp url in dp conf #3357
    • chore: send reports to tls endpoint #3361
    • chore: check explicit service account name #3228
    • feat: inspect other dependencies versions #3352
    • chore: add area/gateway label #3263
    • chore: remove dp token from xds metadata #3282
    • refactor: move from io/ioutil to io and os packages #3265 👍contributed by @Juneezee
    • fix: validate newly generated xDS snapshots #3195
    • chore: bump k8s.io/apiextensions-apiserver from 0.22.3 to 0.22.4 #3218
    • chore: bump helm chart version to 0.8 #3202
  • 1.4.0(Nov 22, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma! Kuma 1.4.1 ships with new features, more performance improvements, and bug fixes. We strongly suggest upgrading to take advantage of the latest and greatest when it comes to service mesh.

    Notable Features:

    • 🚀 Performance is significantly improved, with ability to load 2x more data plane proxies, and less CPU consumption.
    • 🚀 The number of Postgres connections is now limited to 50 by default. The default value was previously unlimited; you can still configure the limit if needed.
    • 🚀 You can now disable zones as needed.
    • 🚀 You can now select a specific zone in the "Kuma Service" dashboard and in the "Service to Service" dashboard.
    • Internal DNS now properly resolves AAAA records.
    • Improvements to the GUI and its sidebar menu.

    And much more!

    Also check the upgrade path.

    Changelog

    • chore(*) scripts for build, publish and fetch Envoy binaries #3110 #3182
    • chore(kuma-cp) upgrade gui to new version #3178 #3179
    • chore(kuma-cp) Use go structs instead of gotemplate for bootstrap #3156 #3173
    • chore(deps): bump github.com/slok/go-http-metrics from 0.9.0 to 0.10.0 #3170
    • Disable reporting by default #3070 #3159
    • chore(kumactl) remove install CRDs filter function #3139
    • feat(kuma-dp) Add conf to disable service vip #3143
    • chore(kuma-cp) update some TODO comments #3141
    • feat(kuma-cp) Add kuma.io/ignore annotation #3142
    • fix(kuma-dp) match gateway cluster names in the hijacker #3106
    • feat: add ECDSA certificate generator support #3093
    • feat: add more global resources to GlobalInsights #3094
    • feat: allow creating secrets for the not yet existing mesh #3076 👍contributed by cloudwiz
    • feat: don't add v6 in DNS when v6 is disabled #3089
    • fix: explicitly disable dns in env when disabled in injector #3077
    • feat: added support for https tracing endpoint #3057 👍contributed by sudeeptoroy
    • fix: normalize generating TLS certificates #3027
    • fix: zero downtime when enabling permissive mTLS #3019
    • feat: add deprecation notice for kuma-prometheus-sd #2994
    • feat: add GlobalInsights api endpoint #3018
    • fix: duplicate TLS certificate usage #3008
    • chore: add command argument count parameters #3010
    • feat: aggregate dp stats by type in MeshInsight #2999
    • chore: delete CLI flag '--bootstrap-version' #2965
    • feat: show the effective Dataplane address #2977
    • feat: aggregate services in MeshInsight #2974
    • fix: allow only one healthcheck #2972
    • feat: give CA managers all backends at once #2956
    • chore: normalize timeout configurer API #2934
    • fix: locality-aware lb for external-services #2903
    • feat: add install control-plane --version flag for all components #2904
    • feat: add zone selector to Kuma Mesh dashboard #2860
    • fix: possible to delete resources on Zone CP #2665
    • fix: make cluster names contextually unique #3098
    • feat: automatically enable gzip content on gateways #3104
    • feat: add Gateway TLS termination support #3044
    • feat: add gateway support for external services #2990
    • fix: enable secrets support for Gateway resources #2953
    • feat: initial connection policy support for Gateway #2933
    • feat: add access to generate zone ingress token #3075
    • feat: user token with RSA256 #2992
    • feat: prefix system users and groups with mesh-system #3013
    • feat: localhost is not an admin on kubernetes #3003
    • feat: user token enabled by default #2941
    • feat: Admin User Token bootstrap #2923
    • chore: refactor access control for individual access #2983
    • feat: support plugin based authentication including user tokens #2895
    • feat: User Token for API Server authentication #2892
    • chore: refactor authz and authn to plugins #2837
    • chore(kuma-cp) upgrade gui to new version #3148
    • chore(*) upgrade to Go 1.17.3 #3147
    • chore(deps): bump github.com/operator-framework/operator-lib #3158
    • chore(deps): bump github.com/gruntwork-io/terratest #3130
    • chore: update helm and controller-runtime #2764
    • chore: bump github.com/lib/pq from 1.10.3 to 1.10.4 #3131
    • chore: bump google.golang.org/grpc from 1.41.0 to 1.42.0 #3101
    • chore: bump github.com/prometheus/common from 0.31.1 to 0.32.1 #3006
    • chore: bump github.com/envoyproxy/protoc-gen-validate #3007
    • chore: bump github.com/google/uuid from 1.2.0 to 1.3.0 #2839
    • chore: bump sigs.k8s.io/controller-runtime from 0.10.2 to 0.10.3 #3132
    • chore: bump k8s.io/client-go from 0.22.2 to 0.22.3 #3061
    • chore: bump k8s.io/apiextensions-apiserver from 0.22.2 to 0.22.3 #3059
    • chore: bump k8s.io/api from 0.22.2 to 0.22.3 #3058
    • chore: bump github.com/golang-migrate/migrate/v4 #2970
    • chore: bump helm.sh/helm/v3 from 3.6.1 to 3.7.1 #2968
    • chore: bump github.com/miekg/dns from 1.0.14 to 1.1.43 in /pkg/transparentproxy/istio #2752
  • 1.3.1(Oct 6, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma! Kuma 1.3.1 ships with new features, performance improvements, and bug fixes. We strongly suggest upgrading to take advantage of the latest and greatest when it comes to service mesh.

    Improvements in 1.3.1:

    • 🚀 You can now disable zones as needed.
    • 🚀 You can now select a specific zone in the Kuma Service dashboard and in the Service to Service dashboard.
    • 🚀 The number of Postgres connections is now limited to 50 by default. The default value was previously unlimited; you can still configure the limit if needed.
    • Performance is significantly improved.
    • Internal DNS now properly resolves AAAA records.

    And much more!

    Also check the upgrade path.

    Changelog

    • fix: disable zone #2884
    • fix: limit number of postgres connection by default #2866
    • feat: add zone selector to Kuma Service to Service dashboard #2876
    • feat: add zone selector to Kuma Service dashboard #2865
    • feat: add zone selector to Kuma Dataplane dashboard #2864
    • fix: fix duplicates in dataplane list in Kuma Services dashboard #2845
    • chore: migrate install resources from rbac API v1beta1 to v1 #2875
    • fix: fault injection matching #2757
    • fix: delete kuma.io/region and kuma.io/sub-zone #2824
    • feat: print control plane version with version cmd #2834
    • fix: Only warn about version compatibility where it makes sense #2828
    • perf: remove insight update rate limit burst #2825
    • perf: apply ratelimit to service insights #2815
    • feat: adds support for specifying specific IP for cloud provider load balancers for ingress service #2779 👍contributed by @jamesdbloom
    • fix: send tool output to stdout #2787
    • fix: switch to a Kuma fork of go-control-plane #2771
    • chore: parametrize label on the deployment #2765
    • perf: set Node only on first DiscoveryRequest #2741
    • feat: verify ServiceAccountToken bound to a Pod #2745
    • feat: internal dns should resolve AAAA records #2760
    • fix: Add FORMERR and NOTIMP in alternate default coredns conf #2756
    • fix: virtual probes with query #2706
    • fix: Avoid calling Send() from different goroutines #2573
    • feat: automatically set proxy concurrency #2691
    • feat: Improve builtin grafana setup to have traces and logs linked #2716
    • fix: Show gateway services in service-insights #2711
    • fix: Correct bad merging of duration #2700
    • fix: Ensure outbounds are set when migrating from old to new #2698
    • fix: get rid of regex for parsing IPs #2681
    • feat: add CP config to ZoneInsights #2661
    • feat: generate GatewayRoute clusters #2819
    • feat: add GatewayRoute route generation #2782
    • feat: match gateway routes #2758
    • feat: initial gateway TrafficRoute support #2547
    • feat: add a GatewayRoute resource #2591
    • chore: update base image for kuma-dp #2881
    • chore: change Go JWT version to fix security vulnerability #2844
    • chore: bump go.uber.org/zap from 1.17.0 to 1.19.1 #2768
    • chore: bump google.golang.org/grpc from 1.38.0 to 1.40.0 #2737
    • chore: bump github.com/miekg/dns from 1.1.42 to 1.1.43 #2769
    • chore: upgrade github.com/spf13/cobra #2732
    • chore: bump alpine in /tools/releases/dockerfiles #2705
    • chore: bump github.com/onsi/gomega from 1.13.0 to 1.16.0 #2657
    • chore: update envoy to 1.18.4 #2667
  • 1.3.0(Aug 26, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new major release of Kuma! Kuma 1.3 ships with 10+ new features and countless improvements. We strongly suggest upgrading to take advantage of the latest and greatest when it comes to service mesh.

    Improvements in 1.3.0:

    • 🚀 We are finally shipping a service map topology view that visualizes all of our service traffic dependencies, with information such as number of requests and error rates. This new feature ships as a new official Grafana dashboard and can be automatically installed by running kumactl install metrics.
    • 🚀 Kuma finally supports mTLS in "permissive" mode, in addition to the traditional "strict" mode. This new mode allows for an easier migration of existing applications into the service mesh, by allowing more flexibility in how the data plane proxy certificates are validated on incoming requests.
    • 🚀 A new "Virtual Outbound" policy to customize hostnames and ports when communicating with data plane proxies.
    • We have improved support for intermediate CAs when using mTLS.
    • Improved SNI support for ExternalServices.

    And much more! Also check the upgrade path.

    Changelog

    • feat: remove provided ca cert validation #2663 👍contributed by Nikita Pande (@nikita15p)
    • feat: Use kuma-sd in kumactl install metrics #2654
    • feat: Add new datasource to kumactl install metrics #2640
    • fix: remove extra endline in traffic log default template #2514
    • fix: TLSInspector is causing tcp healthcheck failures #2639
    • feat: Add rate-limit to outbound interfaces #2435
    • fix: print a newline with transparent proxy setup message #2634
    • chore: bump alpine in /tools/releases/dockerfiles #2531
    • chore: annotate required fields in proto files #2556
    • chore: remove MADS v1alpha1 #2632
    • chore: parametrize kuma tracing in ZipkinCollectorURL #2635
    • chore: Add the number of services to usage stats #2628
    • feat: Add the permissive mTLS mode #2579
    • chore: open CAProvider and MeshValidator for extensions #2618
    • feat: Add entity for virtual-outbound #2576
    • fix: Don't set zap.Development() in debug log #2608
    • chore(kuma-cp) upgrade gui to new version #2611, #2452, #2554, #2528, #2497, #2490, #2481
    • feat: Build kuma on Windows #2597, #2606, #2559
    • feat: Add CA backend stats in Dataplane and Mesh Insights #2562
    • fix: missing key for kv in reports logging #2598
    • chore: split listener configurers across source files #2592
    • feat: add simple HTTP connection configurers #2593
    • feat: add virtual host domain name configurer #2590
    • feat: return instance and cluster IDs in kuma-cp API statuses #2589
    • tests: allow kuma-specific const to be overridden #2582
    • feat: Intermediate CA support #2575
    • fix: Avoid nil dereferencing in dp validator #2578
    • chore: consistently use utils package for protobuf wrappers #2570
    • fix: subscription finalizer, rev 2 #2526
    • tests: fix flaky test for locality aware loadbalancing #2564
    • fix: DP tracking lock consistency fix #2567
    • chore: Certificates over ADS #2558
    • chore: migrate DiscoveryRequest/Response in KDS to V3 #2541
    • feat: Rewrite dns persistence to allow virtual-outbound to be added #2484
    • fix: deleted default policy is created on Kuma CP restart #2507
    • chore: Move kumactl logging arguments to where they can be parameterized #2544
    • chore: add route and virtual host configuration helpers #2517
    • chore: fix kumactl generate dataplane proxy-type flag deprecation message #2522 👍contributed by Tharun Rajendran
    • chore: Simplify resource-gen.go by generating ResourceDescriptor #2511
    • chore: Replace netcat with test server #2510
    • feat: configure SNI on ExternalService #2467
    • chore: add importas to golangci-lint #2516 👍contributed by Tharun Rajendran
    • chore: add to resource-gen.go generation of kds options #2487
    • chore: add to resource-gen.go generation of kumactl options #2469
    • fix: add owner when create ZoneIngressInsight #2456
    • fix: hijacker merge labels #2476
    • chore: improve resource-gen by auto generating ws code #2466
    • fix: clarify invalid resource type message #2473
    • fix: implement TextMarshaler for JSON keys #2475
    • chore: simplify resourceWsDefinition and server init #2477
    • fix: Stop adding outbounds to dp for vips #2421
    • chore(*) make port validation consistent #2448
  • 1.2.3(Aug 26, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma! Kuma 1.2.3 ships with fast-follow fixes and improvements to the previous version. We strongly suggest upgrading to take advantage of the latest and greatest when it comes to service mesh.

    Improvements in 1.2.3:

    • 🚀 kumactl now always warns when the client and server versions cannot be confirmed to match.
    • The data plane proxy type is now checked for a valid value (one of ingress or dataplane).
    • Improvements to the control plane.

    And much more!

    Also check the upgrade path.

    Changelog

    • fix(kumactl) warn about fail to check the CP version #2438
    • fix(kuma-cp) handle missing connection info #2439
    • chore(xds) rename logger to have consistent naming style #2375 👍contributed by burntcarrot
    • fix(kuma-cp) set better keep-alive for bootstrap #2432
    • fix(kuma-dp) validate the DP proxy type #2186
    • fix(kuma-cp) use the typed config for TLS Inspector #2373
  • 1.2.2(Jul 16, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma! Kuma 1.2.2 ships with fast-follow fixes and improvements to the previous version. We strongly suggest upgrading to take advantage of the latest and greatest when it comes to service mesh.

    Improvements in 1.2.2:

    • 🚀 Datadog is now available as a traffic tracing option.
    • 🚀 The message limit for gRPC streams is increased to better support the Kuma discovery service (KDS).
    • Improved leader election during unexpected failures.
    • Improved SDS and XDS on rapid DP restarts.
    • Fixed HDS on the dpserver when bootstrapping an ingress.

    And much more!

    Also check the upgrade path.

    Changelog

    • feat: add datadog traffic tracing #2269
    • refactor: add kumactl install tracing context #2343
    • chore: improve kumactl install transparent-proxy flags description, add extra validation #2352
    • fix: broken SDS auth and XDS generation on rapid DP restarts #2342
    • fix: allow verbose log levels #2351
    • chore: use resource types for DataplaneInsight tracking #2324
    • chore: improve resource manager initialization readability #2316
    • chore: upgrade gui to new version #2340, #2325, #2315
    • fix: allocate a new VIP for ExternalService host #2302
    • fix: stop components on leader election lost #2318
    • chore: generate system resource wrappers #2282, #2311
    • chore: remove access log V2 #2301
    • chore: generate DeepCopy interfaces #2222
    • chore: disable log sampling #2273
    • chore: upgrade Protocol Buffers #2244
    • chore: change default number of insights subscriptions #2266
    • chore: make the authentication interface type oblivious #2271
    • fix: fix hds disabled on dpserver #2268 👍contributed by Bastien Chatelard
    • chore: refactor xDS metadata to store a generic resource #2264
    • feat: change KDS max message limit #2265
  • 1.2.1(Jun 30, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new major release of Kuma! Kuma 1.2.1 ships with fast-follow fixes and improvements to the previous version. We strongly suggest upgrading to take advantage of the latest and greatest when it comes to service mesh.

    Improvements in 1.2.1:

    • 🚀 The data plane proxy now provides an advertised address to the control plane for communication in cases where the address is not directly reachable.
    • 🚀 The SNI header is now added when TLS is enabled, to permit communication with external services that require it.

    Plus important bug fixes and memory footprint improvements.

    Also check the upgrade path.

    Changelog

    • fix: Dataplane/ZoneIngress/Zone status problem when control plane forcefully exits #2246
    • chore: reduce memory usage by reducing cache key size #2214 #2230 👍contributed by nhamlh
    • fix: ZoneIngress always shows up as 'offline' #2209
    • feat: dataplane use advertise address to add a routable ip if address is not public ip #2116 👍contributed by sudeeptoroy
    • fix: builtin DNS resolve alias with dots #2208
    • feat: add SNI to TLSed ExternalServices #2211
    • fix: fix race condition in cache #2202 👍contributed by nhamlh
    • fix: supported versions of Kuma DP in the GUI #2193
  • 1.2.0(Jun 17, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new major release of Kuma! Kuma 1.2 ships with 20 new features and countless improvements. We strongly suggest upgrading to take advantage of the latest and greatest when it comes to service mesh.

    Improvements in 1.2.0:

    • 🚀 New L7 Traffic Routing policy to route - and modify - HTTP traffic per path, method, header or any other combination, with support for regex. Traffic can be modified before reaching the final destination too.
    • 🚀 New Rate-Limit policy to protect our services from aggressive traffic, therefore protecting them from downtimes and improving the overall reliability of the applications.
    • 🚀 The "Remote" control planes have been renamed to "Zone" control planes, and by doing so we have renamed the "Ingress" resource into "ZoneIngress". This change was made after hearing the feedback of many users in the community that wanted more clarity in the naming of this resource.
    • 🚀 Traffic Permissions now work with External Services.
    • 🚀 Improved performance of our DNS resolution.
    • Countless improvements, including a fix for GCP/GKE's erratic IPv6 support.
    • Updated to Envoy 1.18.3.

    Also check the upgrade path.

    Changelog

    • feat: Introduce ZoneIngress #2147 #2169

    • feat: enable dataplane dns by default #2152

    • feat: add --verbose flag to kuma-init #2156

    • feat: log rotation #2100 👍contributed by @nikita15p

    • feat: mads, allow specifying fetch-timeout via query param #2148 👍contributed by @austince

    • feat: mads, add support for HTTP long polling #2121 👍contributed by @austince

    • feat(mads) implement v1 API #1753 👍contributed by @austince

    • feat: add RateLimit policy #2083

    • feat: TrafficRoute L7 #2013 #2042 #2062 #2072 #2168

    • feat: allow renegotiation for TLS in ExternalServices #2135

    • feat: pass header when communicating with CP #2049 👍contributed by sudeeptoroy

    • feat: change default traffic route policy #2075

    • feat: command to install kong enterprise ingress #1999

    • feat: add postgres max idle connections configuration #2020 👍contributed by @nikita15p

    • feat: add kumactl --no-config flag #2048

    • feat: nodeselector across all pods with HELM #2012

    • feat: enable forwarding XFCC header #1941 👍contributed by @jewertow

    • feat: TrafficPermission for ExternalServices #1957

    • feat: metrics hijacker #1899

    • feat: extend CircuitBreaker #1655

    • chore: remove API V2 #2119

    • chore: bump webhooks version #2126

    • chore: drop deprecated Envoy options #2143

    • chore: dockerfiles, add a user for kuma-cp #2129

    • chore: bump cni version to 0.0.9 #2137

    • chore: rename remote cp to zone cp #2125

    • chore: bump versions of logging, metrics, tracing #2178

    • chore: parametrize bitnami/kubectl #2151

    • chore: backwards compatible metrics #2173

    • chore: upgrade Envoy version to 1.18.3 #2145

    • chore updated go-control-plane #2082 👍contributed by @sudeeptoroy

    • chore: fix misspelled words #1984 👍contributed by @tharun208

    • chore: upgrade GUI #2157

    • chore namespace source names for v1 API #1896 👍contributed by @austince

    • chore: use cmux for MADS server #1887

    • chore: Add internal support for outbound UDP listeners #1618 👍contributed by @lahabana

    • chore: Avoid generating duplicate subsets in ingress 👍contributed by @lahabana

    • chore: upgrade to apiextensions.k8s.io/v1 #1108 👍contributed by @austince

    • fix: Clear snapshots from cache on disconnect #2172 👍contributed by @lahabana

    • fix: use service account name to identify sync #2127

    • fix: raise the regex program size limit #2139

    • fix: pass query parameters through the metrics hijacker #2124

    • fix: matching endpoints by tags #2096

    • fix: manage and warn on control plane file limits #2057 #2106

    • fix: fix transparent-proxy for GCP/GKE #2051

    • fix: set death signal on child processes #2045

    • fix: TrafficRoute in multizone issue #1979

  • 1.1.6(May 13, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma, v1.1.6, that ships with new features and bug fixes. We highly suggest upgrading to this new version.

    Improvements in 1.1.6:

    • 🚀 You can now specify any and all tags in a TrafficPermission policy.
    • 🚀 You can now specify TCP and HTTP health checks at the same time in the same policy. The health check policy also now includes a reuse_connection option.
    • 🚀 The --gateway flag is now available in the CLI.
    • 🚀 We have added support for ingress controller installation from kumactl. The first ingress controller supported is Kong Gateway.
    • You can now install the Kuma demo application with the CLI.

    For a complete list of features and updates, take a look at the full changelog. Also check the upgrade path.

    Changelog

    • feat: expose reuse_connection in healthchecks #1952
    • feat: allow tcp/http healthchecks together #1951
    • feat: kumactl option to install gateway types #1950
    • feat: kumactl option to install kuma demo app #1932
    • feat: kumactl option to install Kong ingress #1929
    • feat: support all tags in traffic permission #1902
    • fix: gateway status was always reporting offline #1946
    • fix: don't cache failed calls #1894 👍contributed by @lahabana
    • chore: add hostname when sending traces to the collector #1962
    • docs: prepare api docs generation #1741
    • test: azure aks and e2e improvements for the CI #1880 #1871 #1933 #1953 #1972
  • 1.1.5(May 5, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma, v1.1.5, that ships with a new location for installation scripts, improvements to transparent proxying and the GUI, and bug fixes. We highly suggest upgrading to this new version.

    Also check the upgrade path.

    Changelog

    • feat: generate outbounds for itself #1900
    • chore: migrate from bintray #1901
    • chore: GUI updates and fixes #1897
    • chore: kumactl check version after loading config #1879
    • chore: transparent proxy improvements #1852
    • chore: upgrade Go to 16.3 and use go embed #1864 #1865
    • fix: always set locality in multizone #1863
    • fix: Envoy config is created based on old Dataplane #1848
  • 1.1.4(Apr 19, 2021)

  • 1.1.3(Apr 16, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma - v1.1.3 - that ships with a major new feature and bug fixes. We highly suggest upgrading to this new version.

    Improvements in 1.1.3

    • 🚀 Built-in DNS provides support for specifying external services by original hostname and port
    • 🚀 Ingress annotations are now supported for Helm charts
    • V3-specific configuration in ProxyTemplate now passes validation

    Also check the upgrade path.

    Changelog

    • feat: support External Services with original hostname and port (built-in DNS) #1807 #1811 #1817 #1812 #1821 #1824 #1828 #1822
    • fix: pass validation of V3 specific configs in ProxyTemplate #1819
    • chore: support ingress annotations (kuma.io/ingress-public-address and kuma.io/ingress-public-port) in HELM #1796
  • 1.1.2(Apr 13, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma - v1.1.2 - that ships with new features and some important bug fixes. We highly suggest upgrading to this new version.

    Improvements in 1.1.2

    • 🚀 Added 19 new observability charts and "golden metrics".
    • 🚀 IPv6 support across the service mesh.
    • 🚀 New threshold configuration in the Circuit Breaker policy.
    • Performance improvements, especially when using External Services.
    • Stability improvements to kuma-cp and DNS resolving.
    • And much more.

    Also check the upgrade path.

    Changelog

    • feat: extend CircuitBreaker policy with Thresholds #1688
    • feat: enable IPv6 support and tests #1726 #1734
    • feat: universal mode transparent-proxy firewalld support #1702
    • feat: new Grafana charts for golden signals and L7 metrics #1739 #1786
    • chore: verify e2e tests run in EKS #1684 #1685 #1744
    • chore: upgrade CRDS to apiextensions.k8s.io/v1 #1108
    • fix: helm cp service annotations #1767 👍contributed by nbrink91
    • fix: gui fixes #1773
    • fix: KDS may delete ConfigMaps on Control Plane restarts #1769
    • fix: Kuma CP restart may cause stale Envoy configs on Universal #1749
    • fix: use EnvoyGRPC to fix DNS resolving #1740
    • fix: fix ingress-enabled #1725
    • fix: pick HTTP health checker version depending on outbound's protocol #1714
    • fix: improve the DNS server bind message #1701
    • fix: validate --name and --mesh when dataplane is provided #1771
    • fix: better error messages when there is a problem with pod dataplane conversion #1743
    • fix: crashes under load #1694 #1695
  • 1.1.1(Mar 11, 2021)

    This patch release adds features and fixes issues in the previous release, 1.1.0:

    Features

    • zipkin config now includes a shared span context option #1660 👍 contributed by @ericmustin
    • changed check was removed #1663

    Fixes

    • All types are now enumerated in kumactl #1673
    • Annotations are appropriately applied to all services with ingress (fixes an issue with ingress services without annotations) #1671
    • Error message improved for the case where $HOME is not defined #1664

    Also check the upgrade path.

    Changelog

    • fix: make sure we enumerate all types in kumactl #1673
    • fix: annotate service with ingress that has no annotations #1671
    • fix: improve err message if $HOME is not defined #1664
    • feat: zipkin config add shared span context option #1660 👍contributed by @ericmustin
    • feat: get rid of 'changed' check #1663
  • 1.1.0(Mar 10, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma - v1.1.0 - that ships with more than 10 new features, a new timeout policy, and new health-checking and load-balancing modes!! We highly suggest upgrading to this new version.

    Improvements in 1.1.0

    • 🚀 New timeout policy configurable per service and traffic path
    • 🚀 More features in both the health check and load balancing policies
    • 🚀 New default retry policy that's created when the mesh is provisioned
    • auto_host_rewrite is enabled by default in external services
    • Requirement removed for ingress.kubernetes.io/service-upstream for Kong Gateway
    • Improvements to transparent proxying on VMs
    • Support for UDP listeners
    • Built on the new version of Envoy, v1.17.1
    • And more!

    For a complete list of features and updates, take a look at the full changelog. Also check the upgrade path.

  • 1.0.8(Feb 19, 2021)

    👉 Read the full announcement on the Kuma blog

    We are happy to announce a new release of Kuma - v1.0.8 - that ships with new health checking features and several improvements! We highly suggest upgrading to this new version.

    Notable Features:

    • 🚀 Support for jitter and custom strings in health checks.
    • Fixed charts in the GUI in multi-zone.
    • CNI and VM improvements.
    • And much more!

    For a complete list of features and updates, take a look at the full changelog. Also check the upgrade path.

    Download and Run:
