LTS
Kuma 2.7.0 focuses on improving your experience with observability, debugging, and policy migration. This release introduces new features and tools to help you gain deeper insights into your service mesh and streamline the transition from legacy policies.
Notable Changes
Boosted observability
-
Visual Clarity: The GUI now displays names, namespaces, and zones for policies and dataplanes, providing a clear understanding of resource placement in multi-zone environments.
-
Builtin Gateway: The GUI offers a dedicated view of routes managed by your built-in gateway.
-
Detailed Dataplane Insights: The dataplane view now displays policies applied to inbound and outbound traffic, simplifying proxy behavior comprehension.
-
Production-Ready MeshMetric: MeshMetric is now generally available and supports OpenTelemetry data collection. It also introduces profiles to significantly reduce metric volume, lowering observability storage costs.
Gateway API integration
Our Gateway API integration now uses MeshHTTPRoute, enabling us to retire MeshGatewayRoute which will be deprecated and removed in the future. Additionally, we're thrilled to announce that our entire Gateway API integration, including GAMMA support, is now Generally Available (GA) and no longer considered experimental.
Smoother policy migration
The introduction of shadow policies and additions to "inspect" policies eases the migration process from legacy policies to the recommended targetRef policies.
Upgrading
We strongly suggest upgrading to Kuma 2.7.0. Upgrading is straightforward through kumactl or Helm.
Be sure to carefully read the Upgrade Guide before upgrading Kuma.
Changelog
- chore(deps): bump Envoy from 1.28.0 to 1.29.3 #9134 #9222 #9600 #9853 @lukidzi
- chore(deps): bump Kong/public-shared-actions from 2.0.2 to 2.1.0 #9556 #9711 @dependabot
- chore(deps): bump actions/cache from 3 to 4.0.2 #9205 #9491 #9712 @dependabot
- chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 #9639 @dependabot
- chore(deps): bump actions/create-github-app-token from 1.8.0 to 1.9.3 #9416 #9490 #9772 #9873 @dependabot
- chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 #9306 @dependabot
- chore(deps): bump cirello.io/pglock from 1.14.1 to 1.14.2 #9562 @dependabot
- chore(deps): bump debian from
b16cef8 to b37bc25 #9139 #9304 #9642 #9900 @dependabot
- chore(deps): bump distroless/base-nossl-debian11 from
61c9d7a to 4cba3ac #9202 #9302 #9413 #9567 #9643 #9875 @dependabot
- chore(deps): bump distroless/static-debian11 from
1e5b9bb to 459f8ab #9203 #9303 #9414 #9566 #9644 #9874 @dependabot
- chore(deps): bump github.com/cilium/ebpf from 0.12.3 to 0.14.0 #9313 #9401 #9771 @dependabot
- chore(deps): bump github.com/containernetworking/plugins from 1.4.0 to 1.4.1 #9649 @dependabot
- chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible #9678 @dependabot
- chore(deps): bump github.com/emicklei/go-restful/v3 from 3.11.2 to 3.12.0 #9400 #9650 @dependabot
- chore(deps): bump github.com/exaring/otelpgx from 0.5.3 to 0.5.4 #9312 @dependabot
- chore(deps): bump github.com/golang/protobuf from 1.5.3 to 1.5.4 #9561 @dependabot
- chore(deps): bump github.com/gruntwork-io/terratest from 0.46.11 to 0.46.13 #9716 @dependabot
- chore(deps): bump github.com/jackc/pgx/v5 from 5.5.2 to 5.5.5 #9143 #9493 #9560 @dependabot
- chore(deps): bump github.com/onsi/ginkgo/v2 from 2.15.0 to 2.17.1 #9564 #9646 #9715 @dependabot
- chore(deps): bump github.com/onsi/gomega from 1.31.1 to 1.32.0 #9651 @dependabot
- chore(deps): bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 #9467 @dependabot
- chore(deps): bump github.com/prometheus/client_model from 0.5.0 to 0.6.1 #9314 #9871 @dependabot
- chore(deps): bump github.com/prometheus/common from 0.46.0 to 0.52.2 #9309 #9465 #9563 #9714 #9870 @dependabot
- chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0 #9868 @dependabot
- chore(deps): bump github.com/testcontainers/testcontainers-go from 0.27.0 to 0.30.0 #9310 #9558 #9867 @dependabot
- chore(deps): bump github.com/tonglil/opentelemetry-go-datadog-propagator from 0.1.1 to 0.1.2 #9466 @dependabot
- chore(deps): bump github/codeql-action from 3.23.2 to 3.24.10 #9142 #9307 #9415 #9489 #9641 #9710 #9872 @dependabot
- chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 #9399 @dependabot
- chore(deps): bump golang.org/x/net from 0.20.0 to 0.24.0 #9210 #9869 @dependabot
- chore(deps): bump golang.org/x/sys from 0.17.0 to 0.19.0 #9492 #9865 @dependabot
- chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 #9204 @dependabot
- chore(deps): bump gonum.org/v1/gonum from 0.14.0 to 0.15.0 #9648 @dependabot
- chore(deps): bump google.golang.org/grpc from 1.61.0 to 1.63.2 #9315 #9402 #9559 #9866 #9902 @dependabot
- chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.3 #9277 #9647 @dependabot
- chore(deps): bump iptables version #9200 @slonka
- chore(deps): bump kumahq/ubuntu-netools from
3f0fefb to 9eba4ba #9898 @dependabot
- chore(deps): bump peter-evans/create-pull-request from 5.0.2 to 6.0.2 #9141 #9488 #9640 @dependabot
- chore(deps): bump postgres from
49c276f to 5b06192 #9116 #9130 #9162 #9241 #9256 #9278 #9292 #9358 #9390 #9444 #9577 #9601 #9614 #9899 @dependabot
- chore(deps): bump prometheus/common to v0.48.0 #9462 @slonka
- chore(deps): bump sigs.k8s.io/controller-runtime from 0.17.0 to 0.17.3 #9207 #9311 #9901 @dependabot
- chore(deps): bump sigs.k8s.io/gateway-api #9454 @michaelbeaumont
- chore(deps): bump slsa-framework/slsa-github-generator from 1.9.0 to 1.10.0 #9713 @dependabot
- chore(deps): bump the go-opentelemetry-io group with 1 update #9464 @dependabot
- chore(deps): bump the go-opentelemetry-io group with 10 updates #9864 @dependabot
- chore(deps): bump the go-opentelemetry-io group with 8 updates #9206 #9398 @dependabot
- chore(deps): bump the k8s-libs group with 5 updates #9308 #9645 @dependabot
- chore(deps): bump ubuntu from jammy-20240111 to jammy-20240227 #9140 #9305 #9565 @dependabot
- chore(deps): downgrade go-control-plane to v0.11.2-0.20231010133108-1dfbe83bcebc #9163 @lobkovilya
- chore(deps): downgrade to golang v1.21.7 #9443 @michaelbeaumont
- chore(deps): security update #9102 #9369 #9516 #9819 @kumahq
- chore(deps): update golang to v1.22, golangci-lint to v1.56.1 #9316 @michaelbeaumont
- chore(deps): upload sbom to gh release/tag assets #9966 @Automaat
- chore(deps): use latest kumahq/kuma-gui #9071 #9135 #9156 #9159 #9181 #9183 #9187 #9223 #9224 #9227 #9244 #9247 #9253 #9266 #9267 #9275 #9279 #9290 #9297 #9299 #9318 #9319 #9320 #9337 #9344 #9347 #9355 #9377 #9407 #9408 #9410 #9418 #9420 #9422 #9425 #9426 #9439 #9442 #9451 #9460 #9471 #9486 #9499 #9549 #9572 #9584 #9590 #9605 #9609 #9611 #9613 #9615 #9622 #9625 #9627 #9638 #9654 #9668 #9691 #9700 #9703 #9717 #9719 #9723 #9733 #9735 #9740 #9744 #9751 #9773 #9775 #9777 #9778 #9781 #9783 #9822 #9823 #9824 #9827 #9836 #9837 #9838 #9839 #9852 #9854 #9855 #9878 #9880 #9883 #9906 #9921 @kumahq
- feat(GatewayAPI): promote our Gateway API implementation to GA #9939 @bartsmykla
- feat(GatewayAPI): use MeshHTTPRoutes instead of MeshGatewayRoutes internally #9732 @bartsmykla
- feat(MeshGatewayInstance): deprecate kuma.io/service and generate serviceName #9504 @lukidzi
- feat(MeshHTTPRoute): set name of route action equal to hash of matches #9391 @lukidzi
- feat(MeshMetric) profiles #9579 #9624 @slonka
- feat(MeshMetric): add possibility to configure multiple opentelemetry backends #9445 @Automaat
- feat(MeshMetric): add possibility to configure refresh interval for open telemetry backend in meshmetric #9452 @Automaat
- feat(MeshMetric): disable rollup of clusters #9768 @slonka
- feat(MeshMetric): filter out internal clusters #9754 @slonka
- feat(MeshMetric): manually remove regex #9793 @slonka
- feat(MeshMetric): properly handle
appendProfiles #9915 @slonka
- feat(MeshMetric): usedonly filters #9406 @slonka
- feat(MeshRateLimit): support targetRef: MeshHTTPRoute for Gateway #9396 @lukidzi
- feat(MeshRetry): allow configuration for MeshHTTPRoute #9365 @lukidzi
- feat(MeshService): add first iteration of resource #9510 @michaelbeaumont
- feat(MeshService): backend ref outbound to mesh service on Dataplane #9653 @jakubdyszkiewicz
- feat(MeshService): k8s controller to convert service #9702 @jakubdyszkiewicz
- feat(MeshService): xds generation #9583 @michaelbeaumont
- feat(MeshTimeout): added possibility to target MeshHTTPRoute for MeshGateway #9446 @lukidzi
- feat(MeshTrafficPermission): apply default deny #9110 @jakubdyszkiewicz
- feat(ServiceInsight): add zones to service insights #9677 @jakubdyszkiewicz
- feat(ZoneIngress): generate an empty direct response listener for empty zone ingress gateway #9745 @jijiechen
- feat(api-server): add format and include_eds to admin api #9814 @lahabana
- feat(api-server): add type filter to service-insights #9212 @lahabana
- feat(api-server): return
config_dump response in the same format as envoy admin #9519 @lukidzi
- feat(auth): add possibility to restrict /config access #9826 @lahabana
- feat(components): exponential backoff for resilient components #9767 @jakubdyszkiewicz
- feat(k8s): add
experimental.sidecarContainers to Helm chart #9626 @michaelbeaumont
- feat(k8s): add drain when using native sidecars #9904 @michaelbeaumont
- feat(k8s): add possibility to not add owner reference #9794 @lahabana
- feat(k8s): add sidecar startup probe with sidecar feature #9494 @michaelbeaumont
- feat(k8s): copy node topology labels #9690 @lukidzi
- feat(k8s): do not set mesh owner reference on synced resources #9882 @jakubdyszkiewicz
- feat(k8s): enable init container mesh access by default when using native sidecars #9746 @michaelbeaumont
- feat(k8s): sidecar containers #9321 @michaelbeaumont
- feat(kds): add kds client version to outgoing context #9501 @slonka
- feat(kds): add span for admin requests to zone CPs #9411 @michaelbeaumont
- feat(kds): stats of kds client versions #9749 @jakubdyszkiewicz
- feat(kuma-cni): add a init container to validate that iptables rules are applied #9699 @jijiechen
- feat(kuma-cp): add a helper function to get all kuma targetRef kinds to be used in child repos #9687 @jijiechen
- feat(kuma-cp): add ability to selectively enable core resources #9555 @michaelbeaumont
- feat(kuma-cp): add plugin policy toggles #8828 @slonka
- feat(kuma-cp): remove grpc support from mads #9527 @Automaat
- feat(kuma-cp): resilient component backoff config #9892 @Automaat
- feat(kuma-dp): migrate to prometheus otel sdk when using meshmetric #9424 @Automaat
- feat(kuma-dp): use Envoy
--drain-strategy immediate #9741 @michaelbeaumont
- feat(kumactl): support for new Inspect API endpoint
_config #9887 @lobkovilya
- feat(pgx): configure idle timeout #9675 @lukidzi
- feat(policies): deprecated
from[].targetRef.kind: MeshService #9881 @lobkovilya
- feat(policies): shadow mode for policies #9850 @lobkovilya
- feat(resources): add status #9676 @jakubdyszkiewicz
- feat(resources): generate core resource #9405 @jakubdyszkiewicz
- feat(tracing): add tracing to intercp gRPC server and client #9383 @michaelbeaumont
- feat(transparent-proxy): add automatic iptables type detection #9750 @bartsmykla
- feat(transparent-proxy): deprecate argument 'redirect-inbound-port-v6' and introduce 'ip-family-mode' #8939 @jijiechen
- feat(transparent-proxy): drop all capabilities for sidecar containers #9656 @jijiechen
- feat(transparent-proxy): init container scc hardening #9688 @jijiechen
- fix(GatewayAPI): add missing Name param to query params matcher on MeshHTTPRoute #9662 @bartsmykla
- fix(GatewayAPI): don't add HTTPRoute status if Kuma isn't the controller #9228 @michaelbeaumont
- fix(GatewayAPI): make MeshHTTPRoute conversion port redirect gapi conformant #9669 @bartsmykla
- fix(GatewayAPI): set mesh properly during owned object reconciliation #9664 @bartsmykla
- fix(MeshGateway): don't rewrite / with trailing slash #9243 @michaelbeaumont
- fix(MeshGateway): fix MeshTCPRoute on MeshGateway #9167 @lahabana
- fix(MeshHTTPRoute): allow "kuma.io/unresolved-backend" service name for GAMMA compliance #9670 @bartsmykla
- fix(MeshHTTPRoute): allow no backendRefs when RequestRedirect filter present #9671 @bartsmykla
- fix(MeshHTTPRoute): fix response headers filter in gateway route generation #9652 @bartsmykla
- fix(MeshHTTPRoute): order rules by match priority #9472 @michaelbeaumont
- fix(MeshHTTPRoute): trim "/" path match suffix when converting HTTPRoute #9686 @bartsmykla
- fix(MeshHealthCheck): isolate MeshGateway config based on hostname #9612 @michaelbeaumont
- fix(MeshLoadBalancingStrategy): configure builtin gateway #9877 @lukidzi
- fix(MeshMetric): otel endpoint validation #9634 @Automaat
- fix(MeshTCPRoute): allow MeshGateway listener tags #9240 @michaelbeaumont
- fix(api-server): return 404 when a mesh doesn't exist #9175 @lahabana
- fix(defaults): change meshsubset to mesh for gateway's meshtimeout #9192 @lukidzi
- fix(helm): missing postgres tls mode when it is set to verifyNone #9665 @AyushSenapati
- fix(helm): use kuma name in ingress and egress pdb selectors #9211 @slavogiez
- fix(k8s): create builtin CA once #9124 @jakubdyszkiewicz
- fix(kds): fix memory leak on kds error #9742 @Automaat
- fix(kds): fix retry on NACK and add backoff #9736 @slonka
- fix(kds): run filters before ZoneWatcher #9119 @lukidzi
- fix(kuma-cni): fix the subject namespace reference in Helm Chart #9933 @jijiechen
- fix(kuma-cp): change the "direction" of the diff in inspect shadow responses #9914 @lobkovilya
- fix(kuma-cp): clone outbound tags #9592 @lukidzi
- fix(kuma-cp): copy annotations when adding/update k8s object #9254 @lukidzi
- fix(kuma-cp): fix long polling issues in mads #9586 @Automaat
- fix(kuma-cp): ignore shadow policies on ZoneEgress #9930 @lobkovilya
- fix(kuma-cp): kds sync on upgrade doubles the number of policies #9259 @lobkovilya
- fix(kuma-cp): prevent violating kubernetes label limit #9191 @jakubdyszkiewicz
- fix(kuma-cp): return wrapped forward KDS client errors #9160 @lukidzi
- fix(kuma-cp): use display-name label to check if resource is referenced #9962 @lobkovilya
- fix(kumactl): correctly print new style resources #9779 @lahabana
- fix(kumactl): npe when creating new core resources #9593 @michaelbeaumont
- fix(pgx): use default MaxConnLifetimeJitter value for jitter #9674 @lukidzi
- fix(policies): don't set empty kuma.io service when using MeshHTTPRoute #9394 @lukidzi
- fix(policies): fix metrics labels #9913 @Automaat
- fix(transparent-proxy): make iptables mode detection more defensive #9776 @bartsmykla
- fix(xds): duplicated listeners #9542 @jakubdyszkiewicz
- perf(k8s): ignore serviceless pods from vips list #9907 @jakubdyszkiewicz
- perf(vips): group DB calls for CreateOrUpdateVIPConfigs #9062 @nicoche