Tags: linkerd/linkerd2-proxy-init
Tags
Fixed shutdown issue This release fixes an issue introduced in v1.6.0 where the linkerd-cni pod was failing to complete its cleanup tasks during shutdown, leaving the linkerd-cni active but potentially with revoked permissions, thus interfering with the proper startup of pods in the node.
Improved SA token rotation detection This release improves the service account token rotation detection introduced in the previous release.
SA token rotation detection, RHEL nodes support This release adds support for detecting whenever the service account token mounted as a projected volume into the linkerd-cni DaemonSet is rotated. Also, we add support for a new iptables mode "plain" that implies running the `iptables` command (instead of `iptables-legacy` or `iptables-nft`), useful for nodes running RHEL.
Don't ignore inotifywait failures This release fixes the issue that when the node had hit the inotify limit, deploying the linkerd-cni daemonset would silently fail. Now the problem is caught and the pod enters a crash loop until the limit is no longer surpassed.
Bump github.com/containernetworking/cni from 1.1.2 to 1.2.0 (#365) * Bump github.com/containernetworking/cni from 1.1.2 to 1.2.0 Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](containernetworking/cni@v1.1.2...v1.2.0) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * s/PluginMain/PluginMainFuncs * Bump go to v1.22 in Dockerfile-tester --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
Fail container when ip6tables fails This release ensures that when IPv6 is enabled, the series of ip6tables commands succeed. If they fail, the linkerd-cni container should fail as well, instead of ignoring errors.
Fix linkerd-cni when using native sidecars (#362) Fixes linkerd/linkerd2#11597 When the cni plugin is triggered, it validates that the proxy has been injected into the pod before setting up the iptables rules. It does so by looking for the "linkerd-proxy" container. However, when the proxy is injected as a native sidecar, it gets added as an _init_ container, so it was being disregarded here. We don't have integration tests for validating native sidecars when using linkerd-cni because [Calico doesn't work in k3s since k8s 1.27](k3d-io/k3d#1375), and we require k8s 1.29 for using native sidecars. I did nevertheless successfully test this fix in an AKS cluster.
Fix linkerd-cni when using native sidecars (#362) Fixes linkerd/linkerd2#11597 When the cni plugin is triggered, it validates that the proxy has been injected into the pod before setting up the iptables rules. It does so by looking for the "linkerd-proxy" container. However, when the proxy is injected as a native sidecar, it gets added as an _init_ container, so it was being disregarded here. We don't have integration tests for validating native sidecars when using linkerd-cni because [Calico doesn't work in k3s since k8s 1.27](k3d-io/k3d#1375), and we require k8s 1.29 for using native sidecars. I did nevertheless successfully test this fix in an AKS cluster.
PreviousNext