Linkerd edge-26.6.3 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗Releases
AI-analyzed release notes for CNCF graduated and incubating projects.
Linkerd edge-26.6.2 patches policy and profile validation bugs, tightens namespace restrictions on external workloads, and upgrades to Envoy proxy v2.357.0 with unified failure accrual tuning.
securityProfile validation now rejects nil configs
The nil check in profile validation closes a path to crashes on malformed configs. No immediate action needed, but if your automation generates profiles programmatically, ensure they always have valid structure before applying them.
breakingNamespace-restricted external workloads may affect routing
External workloads and endpoints now honor namespace boundaries. If you cross namespaces with external workloads in your Linkerd setup, verify routing still works after upgrade. Update any policies that rely on previous (unrestricted) cross-namespace access.
enhancementTune load balancing with unified failure accrual
Unified failure accrual and response-penalty load biasing gives you finer control over how proxies handle slow or failing endpoints. Test this in a canary namespace first—adjust failure thresholds and penalty weights to match your SLOs. Check Linkerd docs for new policy knobs.
Key changes (5)
- Policy validation: removed inappropriate AuthN policy check; corrected typos in outbound index rules.
- Profile validation: added nil check to prevent crashes during validation.
- Namespace isolation: external workloads and endpoints now respect namespace boundaries to prevent cross-namespace leakage.
- Load balancing: unified failure accrual and response-penalty biasing in policy engine.
- Proxy upgrade: Envoy v2.357.0; Go 1.25.11 for build.
Mostly a dependency maintenance release with two proxy bumps (v2.355.0, v2.356.0) and a fix for ReadAllLimit byte boundary handling.
enhancementTwo proxy versions in one release — check proxy changelogs separately
This edge release packages proxy v2.355.0 and v2.356.0 together, meaning two rounds of proxy changes landed at once. If you track proxy behavior closely (traffic policy, retries, protocol detection), pull the proxy-specific changelogs before rolling this out to staging. The combined nature makes it harder to bisect if you hit regressions.
enhancementReadAllLimit fix may affect request body handling edge cases
The ReadAllLimit fix allows inputs that hit the exact byte boundary to pass through correctly. If you have services where request bodies are crafted to exactly match a configured limit — common in API gateways or body-size validation scenarios — this corrects previously incorrect rejection behavior. No config changes needed, but worth validating if you saw unexpected 413-style rejections.
Key changes (5)
- Proxy updated twice: v2.355.0 and v2.356.0 — both included in this single edge release
- Fixed ReadAllLimit to correctly accept inputs exactly at the byte limit (off-by-one style bug)
- hyper HTTP library bumped to 1.10.1 (Rust proxy dependency)
- prometheus/common updated to 0.68.1 across two incremental bumps
- Frontend deps updated: webpack-cli 7.0.3, query-string 9.4.0, launch-editor 2.14.1
Linkerd edge-26.5.5 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗Linkerd edge-26.5.4 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗Linkerd edge-26.5.3 was released, but the published notes are too brief to summarize. See the original release notes for details.
Source ↗Native sidecars promoted to GA and enabled by default, plus a security fix restricting Server resources from affecting workloads outside their namespace. Heavy dependency refresh across Rust and Go stacks.
securityServer namespace isolation fix — review cross-namespace Server resources immediately
A fix was applied so that Server resources can no longer affect workloads in namespaces other than their own. If you have intentionally or accidentally created Server policies that were influencing workloads cross-namespace, those policies will silently stop applying after this upgrade. Audit your Server resources across all namespaces and verify that authorization policies still behave as expected post-upgrade. The risk of misconfigured over-broad policies is reduced, but any reliance on the previous behavior will break.
breakingNative sidecars are now on by default — audit your cluster before upgrading
Native sidecar support (using Kubernetes init containers with restartPolicy: Always) is now GA and enabled by default. If your cluster runs Kubernetes < 1.29, native sidecars are unsupported and this will break injection. Even on supported versions, verify that any tooling, admission webhooks, or pod lifecycle assumptions in your workloads are compatible. Test in a staging environment before rolling out to production. If you need the old behavior, explicitly disable the feature flag during install/upgrade.
enhancementConfigure honorTimestamps on the linkerd-proxy PodMonitor
If you're using the Prometheus Operator and have timestamp alignment issues in your Linkerd proxy metrics (e.g., stale or out-of-order samples), you can now set honorTimestamps in the Helm chart for the linkerd-proxy PodMonitor. This is a quality-of-life win for teams with strict metric ingestion pipelines. Set it explicitly during your next Helm upgrade rather than leaving it at the default.
Key changes (6)
- Native sidecar injection promoted to GA and now enabled by default — no more feature gate needed
- Security fix: Server resources are now restricted from affecting workloads in other namespaces
- Gateway liveness synchronization improved for multi-cluster setups
- rustls bumped to 0.23.40, openssl and aws-lc-rs updated — crypto stack refreshed
- Proxy updated to v2.352.0, Go toolchain to 1.25.10, Helm to 3.21.0
- PodMonitor honorTimestamps now configurable for linkerd-proxy metrics scraping
A routine edge release dominated by dependency bumps, with two meaningful bug fixes: multicluster service cleanup now respects namespaces, and a CLI gateway API version correction.
securityRust TLS stack updated — aws-lc-rs, rustls-webpki, rustls-pki-types all bumped
Several TLS-adjacent crates were updated in one shot: aws-lc-rs 1.16.3, rustls-webpki 0.103.13, and rustls-pki-types 1.14.1. No CVEs are called out explicitly, but these are the cryptographic underpinnings of Linkerd's mTLS. If you're in a security-sensitive environment, this is a good reason to pull this edge over older ones.
breakingKubernetes 1.31 is now the minimum supported version
The MSKV bump to 1.31 means clusters running 1.30 or older are no longer in the supported envelope. Check your cluster versions before adopting this edge release — if you're still on 1.30, upgrade Kubernetes first or hold on this Linkerd edge.
enhancementFix multicluster namespace-scoped service cleanup before upgrading
If you run Linkerd multicluster and have services spread across multiple namespaces, the previous cleanup logic could operate beyond its intended namespace scope. This fix is a correctness improvement — after upgrading, verify your mirrored services are in the expected state, especially if you've seen unexpected service deletions or stale mirrors in non-default namespaces.
Key changes (6)
- Multicluster service cleanup logic now correctly scopes to namespaces, preventing cross-namespace service deletion bugs
- CLI user instructions now reference the correct Gateway API version
- New Helm value `gateway.healthCheckNodePort` added for gateway deployments
- Destination controller refactored to use shared-filtering logic
- Minimum supported Kubernetes version (MSKV) bumped to 1.31
- Multiple Rust dependency updates: hyper 1.9.0, tokio 1.52.1, aws-lc-rs 1.16.3, rustls-webpki 0.103.13
Maintenance-heavy edge release with OpenSSL/rustls security bumps, a policy admission fix for Gateway routes, and a more robust annotation-to-metric-label conversion in the injector.
securityPick up OpenSSL and rustls-webpki patches now
Two OpenSSL crate bumps landed in this release, plus a rustls-webpki update. These sit in the proxy's TLS stack. If you're running any Linkerd edge build in a security-sensitive environment, upgrade to edge-26.4.4 to get the patched cryptographic dependencies rather than waiting for the next stable.
breakingVerify Gateway route policies after the admission webhook fix
The admission webhook previously ran full validation on Gateway routes even when they contained fields Linkerd doesn't support, causing legitimate routes to be rejected. That's fixed now — but if you worked around this by restructuring routes, review whether those workarounds are still needed or are now masking misconfigurations.
enhancementTest chart override behavior if you use custom install values
The fix to apply overrides to chart values on install closes a gap where certain Helm value overrides weren't being applied. If you have installation automation that relies on specific override patterns, run a dry-run install against this version to confirm the resulting values match expectations before rolling to production.
Key changes (5)
- OpenSSL crates bumped twice (0.10.76→0.10.78) and rustls-webpki updated — relevant for Rust-based proxy TLS surface
- Policy admission webhook now skips validation for Gateway routes with unsupported fields, preventing false rejections
- Injector uses more robust logic to convert annotations to metric labels, reducing edge-case label corruption
- Chart install now applies overrides to chart values correctly, fixing a long-standing install customization gap
- proxy-init updated to v2.4.8 and cni-plugin to v1.6.7 alongside proxy v2.350.0
edge-26.4.3 adds per-pod proxy env var injection via annotation, bumps proxy to v2.349.0, and validates Kubernetes 1.35 compatibility across policy tests.
securityrustls-webpki patch — verify if you vendor Rust dependencies
rustls-webpki was bumped to 0.103.11. This library is part of Linkerd's mTLS stack. No CVE is listed, but if your organization audits or vendors Rust dependencies, update your lockfiles and re-run your SBOM scans to stay current.
enhancementUse proxy-additional-env to inject custom env vars without custom images
The new `proxy-additional-env` annotation lets you set environment variables on injected proxies at the pod or namespace scope. This is useful for tuning proxy behavior (e.g., log levels, feature flags) in specific workloads without modifying global Helm values or building custom proxy images. Start using it on non-critical workloads first to validate behavior before rolling out broadly.
enhancementPlan for Kubernetes 1.35 if you're on the upgrade path
Linkerd's test suite now covers k8s 1.35, including policy tests. If your team is evaluating or scheduling a cluster upgrade to 1.35, this edge release gives you reasonable confidence that core Linkerd functionality and policy enforcement will hold. Run your own smoke tests against a 1.35 staging cluster before committing to a production upgrade.
Key changes (5)
- New `proxy-additional-env` annotation enables per-scope environment variable overrides for injected proxies without rebuilding images
- Proxy bumped to v2.349.0 — check upstream proxy changelog for behavioral changes
- Kubernetes 1.35 added to test matrix; policy tests confirmed passing on 1.35
- rustls-webpki updated from 0.103.10 to 0.103.11 — routine security-adjacent dependency update in the Rust TLS stack
- Helm v3.20.2 and golang.org/x/tools 0.44.0 dependency updates in build toolchain
Pure dependency maintenance release — proxy bumped to v2.348.0, multiple Go/Rust/JS deps updated. No feature changes or bug fixes to speak of.
securitylodash updated in web dashboard — low urgency, but worth knowing
lodash went from 4.17.23 to 4.18.1. The Linkerd dashboard is typically internal-facing, so exposure is limited. Still, if your team audits frontend dependency CVEs, confirm this resolves any open advisories in your SBOM tooling.
enhancementProxy v2.348.0 — check the proxy changelog if you're chasing specific behavior
The proxy is the only component here with potentially meaningful runtime changes. The release notes don't surface proxy-level details directly, so if you're tracking a specific fix or behavior change, pull up the linkerd2-proxy v2.348.0 release notes separately before promoting this edge build to production.
enhancementSkip this edge unless you need the proxy bump
This is a housekeeping release. If you're already tracking edge builds for the proxy, upgrading is straightforward. For anyone evaluating edge-26.4.x for broader testing, there's no functional regression risk here, but also nothing compelling enough to rush an upgrade from edge-26.4.1.
Key changes (5)
- Proxy updated to v2.348.0 (details in proxy changelog)
- tokio runtime bumped from 1.50.0 to 1.51.1 (two hops in one release cycle)
- gRPC-Go updated to 1.80.0
- lodash bumped to 4.18.1 in the web dashboard
- New destination controller API tests added for better regression coverage
Mostly a dependency maintenance release with two proxy bumps (v2.346.0, v2.347.0), a multicluster RBAC fix, and a Prometheus config correction for viz admin port names.
securityCrypto dependency updates — low urgency but keep your upgrade cadence
openssl, rustls-webpki, aws-lc-rs, and aws-lc-sys all received patch bumps this cycle. None carry disclosed CVEs, but these are core cryptographic libraries in the proxy. Stay on a regular edge upgrade cadence rather than skipping multiple releases, so these patches don't accumulate.
breakingCheck Prometheus metrics after upgrading if you use Linkerd Viz
The Prometheus config was corrected to match new admin port names. If you're running Linkerd Viz and upgraded from an earlier edge build, verify your dashboards still show expected metrics after the upgrade. Gaps in scraping could have silently existed before this fix — cross-check your Prometheus targets to confirm scrape health.
enhancementMulticluster users: review Server/AuthorizationPolicy coverage
Missing Server and AuthorizationPolicy resources were added for the multicluster extension. If you use Linkerd multicluster, upgrade and audit your cross-cluster authorization posture. The previous gap meant some traffic paths lacked proper policy objects, which could have caused unexpected allow/deny behavior depending on your default policy.
Key changes (5)
- Proxy updated twice to v2.346.0 and v2.347.0 — pick up any fixes included in those proxy releases
- Multicluster: missing Server/AuthorizationPolicy resources added, closing a gap in RBAC coverage for cross-cluster traffic
- Viz: Prometheus scrape config corrected to match renamed admin port names — previously mismatched names could cause missing metrics
- openssl (0.10.76), rustls-webpki (0.103.10), aws-lc-rs (1.16.2), and zerocopy (0.8.48) all bumped — routine but relevant for supply-chain hygiene
- Oliver Gould (@olix0r) moved to emeritus; MAINTAINERS.md updated
A routine dependency-heavy edge release: two proxy bumps (v2.343.0, v2.344.0), Go 1.25.8 upgrade, rustls update, and proxy-init 2.4.6 — no feature additions or breaking changes.
securityrustls patch update — pull this into your proxy builds
rustls went from 0.23.35 to 0.23.37 in the proxy. Two patch versions in one release suggests active bug or security fixes in the TLS layer. If you're running older edge releases, this is a good reason to roll forward. No CVE was cited, but TLS library patches should never be delayed in a service mesh context.
enhancementTwo proxy versions landed — check the proxy changelog separately
This release ships proxy v2.343.0 and v2.344.0 in sequence, meaning two rounds of proxy changes are bundled in. The release notes don't detail what changed in each proxy version. If you're tracking proxy behavior closely (routing, observability, protocol detection), check the linkerd2-proxy repo's changelog for these two versions before deploying.
enhancementGo 1.25.8 in the control plane — standard maintenance upgrade
The control plane is now on Go 1.25.8. This is a patch release of Go and likely includes minor runtime fixes. No action required unless you're building custom tooling against Linkerd's Go modules — in that case, align your toolchain accordingly.
Key changes (5)
- Proxy bumped twice to v2.343.0 then v2.344.0 within this release cycle
- Go runtime upgraded to 1.25.8 across the control plane
- rustls updated from 0.23.35 to 0.23.37 — patch-level TLS library update in the proxy
- proxy-init bumped from 2.4.5 to 2.4.6
- openssl-sys and grpc dependencies updated (0.9.112 and 1.79.3 respectively)
Linkerd edge-26.3.2 delivers routine dependency updates across Rust, Go, and Node.js components, plus a metrics improvement that prevents scraping from failed pods and completed jobs.
enhancementMonitor metrics collection improvements
The update excludes failed pods and completed jobs from proxy metrics scraping, reducing noise in your monitoring data. Review your current metrics dashboards to see if you notice cleaner data patterns after upgrading, and consider adjusting any alerting thresholds that may have been accounting for this noise.
enhancementTest edge release in non-production first
This edge release bundles many dependency updates at once. Deploy to staging environments first to validate that the combined changes don't introduce unexpected behavior in your specific workload patterns before rolling to production clusters.
Key changes (4)
- Updated proxy to v2.342.0 with latest improvements
- Comprehensive dependency updates across Rust (pin-project-lite, ryu, anyhow), Go (gRPC, klog), and JavaScript (webpack, babel-loader) components
- Enhanced metrics collection by excluding failed pods and completed jobs from proxy scraping
- Upgraded Docker build actions to v4.0.0 and v7.0.0 for improved CI/CD workflows
Edge release focused on dependency maintenance with proxy updates to v2.341.0. Notable addition of extra attributes in Kubernetes SubjectAccessReview for improved authorization handling.
enhancementEvaluate SubjectAccessReview improvements for RBAC
The addition of extra attributes in SubjectAccessReview requests improves authorization evaluation accuracy. Review your current RBAC policies to ensure they handle additional context properly, especially if using custom authorization webhooks or detailed access controls.
enhancementMonitor proxy performance after v2.341.0 update
Three proxy version bumps indicate active development. Test performance and connection handling in your environment, particularly if you've experienced proxy-related issues. The incremental updates suggest gradual improvements rather than breaking changes.
Key changes (5)
- Proxy updated from v2.339.0 to v2.341.0 across multiple incremental releases
- Major dependency updates including Tokio v1.50.0, axum v0.8.8, and Kubernetes client libraries
- SubjectAccessReview now includes extra attributes for enhanced RBAC evaluation
- Security framework updates including aws-lc-rs to v1.16.0 and rustls-pki-types to v1.14.0
- GitHub Actions updated to newer versions (upload-artifact v7.0.0, download-artifact v8.0.0)