Linkerd
edge-26.4.3Networking & Messagingedge-26.4.3 adds per-pod proxy env var injection via annotation, bumps proxy to v2.349.0, and validates Kubernetes 1.35 compatibility across policy tests.
enhancementUse proxy-additional-env to inject custom env vars without custom images
The new `proxy-additional-env` annotation lets you set environment variables on injected proxies at the pod or namespace scope. This is useful for tuning proxy behavior (e.g., log levels, feature flags) in specific workloads without modifying global Helm values or building custom proxy images. Start using it on non-critical workloads first to validate behavior before rolling out broadly.
enhancementPlan for Kubernetes 1.35 if you're on the upgrade path
Linkerd's test suite now covers k8s 1.35, including policy tests. If your team is evaluating or scheduling a cluster upgrade to 1.35, this edge release gives you reasonable confidence that core Linkerd functionality and policy enforcement will hold. Run your own smoke tests against a 1.35 staging cluster before committing to a production upgrade.
securityrustls-webpki patch — verify if you vendor Rust dependencies
rustls-webpki was bumped to 0.103.11. This library is part of Linkerd's mTLS stack. No CVE is listed, but if your organization audits or vendors Rust dependencies, update your lockfiles and re-run your SBOM scans to stay current.
Key changes (5)
- New `proxy-additional-env` annotation enables per-scope environment variable overrides for injected proxies without rebuilding images
- Proxy bumped to v2.349.0 — check upstream proxy changelog for behavioral changes
- Kubernetes 1.35 added to test matrix; policy tests confirmed passing on 1.35
- rustls-webpki updated from 0.103.10 to 0.103.11 — routine security-adjacent dependency update in the Rust TLS stack
- Helm v3.20.2 and golang.org/x/tools 0.44.0 dependency updates in build toolchain