Linkerd
edge-26.5.2Networking & MessagingNative sidecars promoted to GA and enabled by default, plus a security fix restricting Server resources from affecting workloads outside their namespace. Heavy dependency refresh across Rust and Go stacks.
breakingNative sidecars are now on by default — audit your cluster before upgrading
Native sidecar support (using Kubernetes init containers with restartPolicy: Always) is now GA and enabled by default. If your cluster runs Kubernetes < 1.29, native sidecars are unsupported and this will break injection. Even on supported versions, verify that any tooling, admission webhooks, or pod lifecycle assumptions in your workloads are compatible. Test in a staging environment before rolling out to production. If you need the old behavior, explicitly disable the feature flag during install/upgrade.
securityServer namespace isolation fix — review cross-namespace Server resources immediately
A fix was applied so that Server resources can no longer affect workloads in namespaces other than their own. If you have intentionally or accidentally created Server policies that were influencing workloads cross-namespace, those policies will silently stop applying after this upgrade. Audit your Server resources across all namespaces and verify that authorization policies still behave as expected post-upgrade. The risk of misconfigured over-broad policies is reduced, but any reliance on the previous behavior will break.
enhancementConfigure honorTimestamps on the linkerd-proxy PodMonitor
If you're using the Prometheus Operator and have timestamp alignment issues in your Linkerd proxy metrics (e.g., stale or out-of-order samples), you can now set honorTimestamps in the Helm chart for the linkerd-proxy PodMonitor. This is a quality-of-life win for teams with strict metric ingestion pipelines. Set it explicitly during your next Helm upgrade rather than leaving it at the default.
Key changes (6)
- Native sidecar injection promoted to GA and now enabled by default — no more feature gate needed
- Security fix: Server resources are now restricted from affecting workloads in other namespaces
- Gateway liveness synchronization improved for multi-cluster setups
- rustls bumped to 0.23.40, openssl and aws-lc-rs updated — crypto stack refreshed
- Proxy updated to v2.352.0, Go toolchain to 1.25.10, Helm to 3.21.0
- PodMonitor honorTimestamps now configurable for linkerd-proxy metrics scraping