A routine edge release dominated by dependency bumps, with two meaningful bug fixes: multicluster service cleanup now respects namespaces, and a CLI gateway API version correction.
securityRust TLS stack updated — aws-lc-rs, rustls-webpki, rustls-pki-types all bumped
Several TLS-adjacent crates were updated in one shot: aws-lc-rs 1.16.3, rustls-webpki 0.103.13, and rustls-pki-types 1.14.1. No CVEs are called out explicitly, but these are the cryptographic underpinnings of Linkerd's mTLS. If you're in a security-sensitive environment, this is a good reason to pull this edge over older ones.
breakingKubernetes 1.31 is now the minimum supported version
The MSKV bump to 1.31 means clusters running 1.30 or older are no longer in the supported envelope. Check your cluster versions before adopting this edge release — if you're still on 1.30, upgrade Kubernetes first or hold on this Linkerd edge.
enhancementFix multicluster namespace-scoped service cleanup before upgrading
If you run Linkerd multicluster and have services spread across multiple namespaces, the previous cleanup logic could operate beyond its intended namespace scope. This fix is a correctness improvement — after upgrading, verify your mirrored services are in the expected state, especially if you've seen unexpected service deletions or stale mirrors in non-default namespaces.
Key changes (6)
- Multicluster service cleanup logic now correctly scopes to namespaces, preventing cross-namespace service deletion bugs
- CLI user instructions now reference the correct Gateway API version
- New Helm value `gateway.healthCheckNodePort` added for gateway deployments
- Destination controller refactored to use shared-filtering logic
- Minimum supported Kubernetes version (MSKV) bumped to 1.31
- Multiple Rust dependency updates: hyper 1.9.0, tokio 1.52.1, aws-lc-rs 1.16.3, rustls-webpki 0.103.13