1.8.3

Changelog

• chore(deps): bump helm.sh/helm/v3 from 3.8.1 to 3.10.3 #5598 @mergify
• chore(deps): update coreDNS to 1.10.0 (backport #5626) #5656 @mergify
• chore: remove Apache license header from generated files (backport #5565) #5617 @mergify
• chore: upgrade golang to 1.18.9 (backport #5607) #5610 @mergify
• fix(kuma-cp): don't cache filtered data (backport #5574) #5633 @mergify

1.7.4

Changelog

• chore(deps): bump helm.sh/helm/v3 from 3.8.1 to 3.10.3 #5599 @mergify
• chore(deps): update coreDNS to 1.10.0 (backport #5626) #5657 @mergify
• chore(helm): remove duplicate keys in resources (backport #4681) #5640 @mergify
• chore: remove Apache license header from generated files (backport #5565) #5618 @mergify
• chore: upgrade golang to 1.18.9 (backport #5607) #5611 @mergify
• fix(kuma-cp): don't cache filtered data (backport #5574) #5634 @mergify

1.6.4

Changelog

• chore(deps): bump helm.sh/helm/v3 from 3.8.1 to 3.10.3 #5601 @mergify
• chore(deps): update coreDNS to 1.10.0 (backport #5626) #5658 @mergify
• chore(helm): remove duplicate keys in resources (backport #4681) #5641 @mergify
• chore: remove Apache license header from generated files (backport #5565) #5620 @mergify
• chore: upgrade golang to 1.18.9 (backport #5607) #5612 @mergify
• fix(kuma-cp): don't cache filtered data (backport #5574) #5635 @mergify

2.0.1

Changelog

• chore: back-ports api base path fix #5341 @kleinfreund
• feat(kuma-cp): remove value of secret when logging Secret Resources (backport #5384) #5392 @mergify
• fix(kuma-cp): add option to disable sslsni in universal (backport #5318) #5322 @mergify
• fix(kuma-cp): change way of setting if resource is read only (backport #5345) #5348 @mergify
• fix(kuma-cp): kds deadlock (backport #5373) #5397 @mergify
• fix(kuma-cp): use sni to verify upstream certificate san when specified along with address (backport #5347) #5378 @mergify
• fix(xds): don't read metadata in ProxyBuilders (backport #5414) #5416 @mergify
• fix: sort resources when building MeshContext (backport #5391) #5409 @mergify

1.8.2

Changelog

• feat(kuma-cp): remove value of secret when logging Secret Resources (backport #5384) #5393 @mergify
• fix(kuma-cp): kds deadlock (backport #5373) #5398 @mergify
• fix: sort resources when building MeshContext (backport #5391) #5410 @mergify

2.0.0

We are excited to announce the release of Kuma 2.0! This new major release is super exciting as we announce the first availability of our next generation policies, in addition to new eBPF capabilities!

Notable changes

• 🚀 We have added support for eBPF into both our CNI and init container configurations. Using eBPF can improve the performance of traffic flow latency by up to 12%.
• 🚀 Added the first 3 next generation policy updates:
  • MeshTrafficPermission
  • MeshTrafficLog
  • MeshTrafficTrace
• 🚀 We have made multiple improvements to the UI as part of an ongoing effort to simplify and enrich the functionality of our admin dashboard. Specifically in 2.0 we’re releasing:
  • New YAML / JSON search and syntax highlighting for policies and Envoy configuration dumps
  • Filtering and column customization capabilities for Data Plane Proxies
  • Simplified, more intuitive navigation structure
• 🚀 Improved our Datadog integration to record ingress and egress requests as separate services, allowing for easier debugging.
• 🚀 It is now possible to configure the specific TLS versions and ciphers that are supported by the control-plane / API server.
• 🚀 Users are now able to configure multiple UIDs to be ignored by traffic redirection (useful to workaround some issues with systemd-resolver).
• 🚀 Increased logging capabilities when using iptables for traffic redirection.

Checkout the blog post about Kuma 2.0.0

Changelog

• chore(.github): remove old release workflow #4836 @lobkovilya
• chore(api): remove DENY_WITH_SHADOW_ALLOW #5220 @lobkovilya
• chore(api): remove unused method and types #5148 @lobkovilya
• chore(api): remove unused timestamp.proto import #4906 @michaelbeaumont
• chore(api): skip Compute when building inbound access logs #5181 @jakubdyszkiewicz
• chore(bootstrap): improve validator policy bootstrap #5014 @lahabana
• chore(deps): bump actions/setup-go from 2 to 3 #5024 @dependabot
• chore(deps): bump cirello.io/pglock from 1.9.0 to 1.10.0 #5239 @dependabot
• chore(deps): bump github.com/Masterminds/sprig to 3.2.2 #5190 @mmorel-35
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.7 to 0.6.13 #5023 #5067 #5131 @dependabot
• chore(deps): bump github.com/google/go-cmp from 0.5.8 to 0.5.9 #4996 @dependabot
• chore(deps): bump github.com/gruntwork-io/terratest from 0.40.20 to 0.40.24 #4969 #4993 #5162 @dependabot
• chore(deps): bump github.com/kumahq/kuma-net from 0.8.1 to 0.8.2 #5188 @dependabot
• chore(deps): bump github.com/lib/pq from 1.10.6 to 1.10.7 #4995 @dependabot
• chore(deps): bump github.com/onsi/ginkgo/v2 from 2.1.4 to 2.4.0 #4939 #4949 #5021 #5145 #5204 @dependabot
• chore(deps): bump github.com/onsi/gomega from 1.20.0 to 1.23.0 #4933 #4970 #5133 #5146 #5240 @dependabot
• chore(deps): bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 #5203 @dependabot
• chore(deps): bump github.com/prometheus/prometheus from 0.37.0 to 0.39.1 #4887 #5134 @dependabot
• chore(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.1 #5155 #5241 @dependabot
• chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 #4994 @dependabot
• chore(deps): bump github.com/testcontainers/testcontainers-go from 0.13.0 to 0.15.0 #5020 #5205 @dependabot
• chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 #4930 @dependabot
• chore(deps): bump golang.org/x/text from 0.3.7 to 0.4.0 #5147 #5163 @dependabot
• chore(deps): bump google.golang.org/grpc from 1.48.0 to 1.50.1 #4927 #5132 #5156 @dependabot
• chore(deps): bump k8s.io dependencies from 0.24.3 to 0.25.3 #4934 #5026 #5153 @michaelbeaumont
• chore(deps): bump k8s.io/client-go from 0.25.1 to 0.25.2 #5062 @dependabot
• chore(deps): bump kumahq/kuma-gui to f3dba73d4c264b094b6b351a8b44f2d5a0dc4ecb #4842 #4925 #5092 #5106 #5109 #5139 #5141 #5167 #5179 #5197 #5214 #5232 #5234 #5248 #5251 @kleinfreund,@kumahq
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.12.3 to 0.13.0 #4968 @dependabot
• chore(deps): bump sigs.k8s.io/controller-tools from 0.9.2 to 0.10.0 #5059 @dependabot
• chore(deps): update kuma-grafana-datasource #4856 @bartsmykla
• chore(gateway): remove invalid options for MeshGatewayRoute #4890 @michaelbeaumont
• chore(gui): removes update/gui command #4954 @kleinfreund
• chore(helm): remove unused critical-pod annotation #4952 @michaelbeaumont
• chore(helm): switch merbridge image registry to upstream #4838 @bartsmykla
• chore(kuma-cp): adjust timeout in cp probes #4983 @jakubdyszkiewicz
• chore(kuma-cp): config cleanup #4855 @jakubdyszkiewicz
• chore(kuma-cp): improve logging in K8S controllers #4982 @jakubdyszkiewicz
• chore(kuma-cp): improve test xds client #4976 @jakubdyszkiewicz
• chore(kuma-cp): remove disabling metrics from kuma-cp.defaults #4894 @lahabana
• chore(kuma-cp): resource manager wrapper #5057 @jakubdyszkiewicz
• chore(kuma-init): use iptables-legacy in kuma-init #5040 @bartsmykla
• chore(pkg/gc): don't rely on core.Now var for time #4918 @lahabana
• chore(plugins): remove some unecessary interfaces and methods #4997 @lahabana
• chore(proto): remove protos for new policies #5218 @lobkovilya
• chore(test): added resource builder #5123 #5195 @jakubdyszkiewicz
• chore(test): added support for GRPC to test-server #4904 @lobkovilya
• chore(test): make unit test compatible with IPV6 host #5198 @jakubdyszkiewicz
• chore(xds): drop deprecated envoy.config.route.v3.HeaderMatcher.exact_match #4953 @michaelbeaumont
• docs(MADR): new tracing policy proposal #4938 @michaelbeaumont
• docs(MADR): update MADR 007 #5129 @lobkovilya
• docs(gateway): explain the semantics of a PREFIX match #5013 @michaelbeaumont
• docs(gateway): explain the semantics of a prefix rewrite to / #5016 @michaelbeaumont
• docs(proto): fixed default serviceAddress and upgrade docs #5236 @lukidzi
• docs(proto): rewrite dataplane proto docs #5219 @jakubdyszkiewicz
• feat(ebpf): CNI uses libbpf CO:RE #5233 @lukidzi
• fea...

1.8.1

Changelog

• fix(tools): support both GitHub app tokens and PATs (backport #4869) by @mergify in #4872
• fix(kuma-cp): remove Dataplane for Pod without IP (backport #4964) by @mergify in #4980
• fix(*): do not override source address when TP is not enabled (backport #4951) by @mergify in #4961
• fix(kuma-cp): deep copy tags when gen. outbounds (backport #5070) by @mergify in #5071
• fix(gateway): add support for retryOn (backport #5091) by @mergify in #5098

1.7.2

Changelog

• fix(helm): always run Helm version update by @michaelbeaumont in #4604
• chore(helm): update to 1.7.1 by @michaelbeaumont in #4603
• Revert "fix(helm): always run Helm version update (#4604)" by @michaelbeaumont in #4609
• fix(kuma-cp): deep copy tags when gen. outbounds (backport #5070) by @mergify in #5072
• fix(kuma-cp): remove Dataplane for Pod without IP (backport #4964) by @mergify in #5096

1.6.2

Changelog

• fix(core): validate both old and new objects on Update (backport #4589) by @michaelbeaumont in #4593
• fix(kuma-cp): deep copy tags when gen. outbounds (backport #5070) by @mergify in #5090
• fix(kuma-cp): remove Dataplane for Pod without IP (backport #4964) by @mergify in #5097

1.8.0

Notable changes

🚀 CNI v2 with lots of improvements
🚀 Production settings for Builtin Gateway
🚀 URL rewrite in Builtin Gateway
🚀 Stats and Clusters in the GUI
🚀 Extra retryOn options for Retry
🚀 Better support for TCP logging
🚀 Filtering Envoy metrics
🚀 Projected service account token

Checkout the blog post about Kuma 1.8.0

Changelog

New features:

CNI v2 with lots of improvements:

• taint controller to prevent race condition #4650 @slonka
• all logs are easily accessible via kubectl logs command which greatly simplifies observability #4845 @slonka
• it uses new transparent engine implemented in kuma-net #4481 @slonka

URL rewrite in Builtin Gateway:

• support URL rewriting #4638 @michaelbeaumont

Stats and Clusters in the GUI:

• execute stats and clusters from the control plane #4557 #333 @jakubdyszkiewicz

Extra retryOn options for Retry:

• add extra http retryOn options #4744 @johnharris85

Better support for TCP logging:

• resilient tcp TCP access log streamer #4511 @parkanzky #4862 @jakubdyszkiewicz

Filtering Envoy metrics:

• added option to define filter for Envoy metrics #4503 @lukidzi

Projected service account token:

• support for projected service account token #4453 @lukidzi

Fixes:

Helm:

• remove duplicate keys in resources #4681 @michaelbeaumont
• add containersecuritycontext to CNI daemonset #4677 @jakubdyszkiewicz
• fix extraConfigMap and cp labels #4531 @lahabana
• use image.global.registry for imageExperimental #4641 @jakubdyszkiewicz

Gateway:

• ListenerReason for unresolved certificate refs, enable ReferenceGrant conformance tests #4806 @michaelbeaumont
• check hostname intersection between HTTPRoute and Gateway listener #4537 @michaelbeaumont
• create MeshGatewayInstance in same Mesh as Gateway #4794 @michaelbeaumont
• don't create invalid envoy config when routes and listeners don't match (backport #4837) #4841 @mergify
• hostname intersections, use new RouteReasons #4544 @michaelbeaumont
• improve HTTPRoute statuses with unresolved BackendRefs #4635 @michaelbeaumont
• npe without any timeout #4548 @michaelbeaumont
• rbac permissions for ReferenceGrant #4628 @michaelbeaumont
• workaround label value max length with hash #4545 @michaelbeaumont

Control Plane:

• check if kuma annotation or label is set but ignore value #4731 @lukidzi
• delete an empty TimeoutConfigurer #4554 @lobkovilya
• do not modify external service tags #4591 @jakubdyszkiewicz
• don't deploy Pod/Service webhooks in global #4673 @michaelbeaumont
• don't fail generation if other mesh CAs are misconfigured #4501 @michaelbeaumont
• external service datasource validation #4652 @jakubdyszkiewicz
• fix builtdns annotations for kubernetes #4660 @lahabana
• generate cluster name hash based on tags not config #4598 @lukidzi
• grant delete Pods in kuma-system namespace to control plane #4571 @michaelbeaumont
• localhost exposed application shouldn't be reachable #4750 @lukidzi
• make options for policies simpler #4722 @lahabana
• protect sort from empty locality #4820 @jakubdyszkiewicz
• registering dp on reconnect #4647 @jakubdyszkiewicz
• support GC service account #4483 @lobkovilya
• validate both old and new objects on Update #4589 @michaelbeaumont
• validation error with user tokens #4507 @jakubdyszkiewicz

Data Plane:

• access log path on windows when cp is on linux #4518 @jakubdyszkiewicz
• fix multi OS build of accesslogs #4767 @lahabana
• have envoy version check always work #4564 @lahabana
• propagate context for metrics aggregate #4640 @lukidzi
• set prometheus content-type when returning metrics #4706 @lukidzi

Other:

• add operations now create non-existent path elements #4595 @michaelbeaumont

Docs:

• new policy matching proposal #4474 @lobkovilya

Other changes:

Gateway:

• mention mesh name in gateway instance status #4678 @lahabana
• add listener connection limits #4755 @michaelbeaumont
• add loadBalancerIP to MeshGatewayInstance #4519 @michaelbeaumont
• allow MeshGateway Dataplane Pods to bind privileged ports #4535 @michaelbeaumont
• configure overload_manager based on max memory #4694 @michaelbeaumont
• multi-zone cross-mesh MeshGateway #4443 @michaelbeaumont
• propagate x-kuma-tags from MeshGateways #4476 @michaelbeaumont
• send default static payload for empty gateway #4617 @tharun208
• set path_with_escaped_slashes_action #4719 @michaelbeaumont
• set cluster HTTP2 stream and connection window size #4779 @michaelbeaumont
• set cluster per_connection_buffer_limit_bytes #4696 @michaelbeaumont
• set global_downstream_max_connections to 50000 #4724 @michaelbeaumont
• update to Gateway API v0.5.0, support v1beta1 resources #4599 @michaelbeaumont
• validate listeners for collapsibility #4765 @michaelbeaumont
• add MeshGateway dashboard #4555 @michaelbeaumont

Control Plane:

• config cleanup (backport #4855) #4857 @mergify
• don't set deprecated dns_resolver_config #4702 @michaelbeaumont
• don't set deprecated known_suffixes #4701 @michaelbeaumont
• remove deprecated Cluster.Http2ProtocolOptions #4528 @michaelbeaumont
• remove versions_ws #4512 @lahabana
• replace deprecated admin_access_log_path #4552 @lahabana
• add /policies endpoint to list all registered policies #4708 @lahabana
• authenticate DP every time #4685 @jakubdyszkiewicz
• enrich policies endpoint #4791 @jakubdyszkiewicz
• identify gateway service by deployment #4703 @parkanzky
• separate CA for Envoy Admin communication #4676 @jakubdyszkiewicz
• use remote address for Gateway #4530 @jakubdyszkiewicz
• add operations now create non-existent path elements #4595 @michaelbeaumont

Data Plane:

• remove envoy admin port flag #4574 @tharun208
• detect memory limit only on linux #4715 @jakubdyszkiewicz

kumactl:

• add a limit to the prom TSDB size #4651 @lahabana
• remove old flags in install tp #4760 @lahabana
• add MeshGateway to install demo #4679 @michaelbeaumont
• add install control-plane --registry flag #4533 @michaelbeaumont

Documentation:

• create MADR for MeshTrafficPermission #4666 @lobkovilya
• new policy matching proposal #4474 @lobkovi...