RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: LinkerdClear ×

Linkerd

Networking & MessagingJun 16, 2026

Linkerd edge-26.6.2 patches policy and profile validation bugs, tightens namespace restrictions on external workloads, and upgrades to Envoy proxy v2.357.0 with unified failure accrual tuning.

  • securityProfile validation now rejects nil configs

    The nil check in profile validation closes a path to crashes on malformed configs. No immediate action needed, but if your automation generates profiles programmatically, ensure they always have valid structure before applying them.

  • breakingNamespace-restricted external workloads may affect routing

    External workloads and endpoints now honor namespace boundaries. If you cross namespaces with external workloads in your Linkerd setup, verify routing still works after upgrade. Update any policies that rely on previous (unrestricted) cross-namespace access.

  • enhancementTune load balancing with unified failure accrual

    Unified failure accrual and response-penalty load biasing gives you finer control over how proxies handle slow or failing endpoints. Test this in a canary namespace first—adjust failure thresholds and penalty weights to match your SLOs. Check Linkerd docs for new policy knobs.

Key changes (5)
  • Policy validation: removed inappropriate AuthN policy check; corrected typos in outbound index rules.
  • Profile validation: added nil check to prevent crashes during validation.
  • Namespace isolation: external workloads and endpoints now respect namespace boundaries to prevent cross-namespace leakage.
  • Load balancing: unified failure accrual and response-penalty biasing in policy engine.
  • Proxy upgrade: Envoy v2.357.0; Go 1.25.11 for build.
Source

Linkerd

Networking & MessagingMay 15, 2026

Native sidecars promoted to GA and enabled by default, plus a security fix restricting Server resources from affecting workloads outside their namespace. Heavy dependency refresh across Rust and Go stacks.

  • securityServer namespace isolation fix — review cross-namespace Server resources immediately

    A fix was applied so that Server resources can no longer affect workloads in namespaces other than their own. If you have intentionally or accidentally created Server policies that were influencing workloads cross-namespace, those policies will silently stop applying after this upgrade. Audit your Server resources across all namespaces and verify that authorization policies still behave as expected post-upgrade. The risk of misconfigured over-broad policies is reduced, but any reliance on the previous behavior will break.

  • breakingNative sidecars are now on by default — audit your cluster before upgrading

    Native sidecar support (using Kubernetes init containers with restartPolicy: Always) is now GA and enabled by default. If your cluster runs Kubernetes < 1.29, native sidecars are unsupported and this will break injection. Even on supported versions, verify that any tooling, admission webhooks, or pod lifecycle assumptions in your workloads are compatible. Test in a staging environment before rolling out to production. If you need the old behavior, explicitly disable the feature flag during install/upgrade.

  • enhancementConfigure honorTimestamps on the linkerd-proxy PodMonitor

    If you're using the Prometheus Operator and have timestamp alignment issues in your Linkerd proxy metrics (e.g., stale or out-of-order samples), you can now set honorTimestamps in the Helm chart for the linkerd-proxy PodMonitor. This is a quality-of-life win for teams with strict metric ingestion pipelines. Set it explicitly during your next Helm upgrade rather than leaving it at the default.

Key changes (6)
  • Native sidecar injection promoted to GA and now enabled by default — no more feature gate needed
  • Security fix: Server resources are now restricted from affecting workloads in other namespaces
  • Gateway liveness synchronization improved for multi-cluster setups
  • rustls bumped to 0.23.40, openssl and aws-lc-rs updated — crypto stack refreshed
  • Proxy updated to v2.352.0, Go toolchain to 1.25.10, Helm to 3.21.0
  • PodMonitor honorTimestamps now configurable for linkerd-proxy metrics scraping
Source

Linkerd

Networking & MessagingMay 1, 2026

A routine edge release dominated by dependency bumps, with two meaningful bug fixes: multicluster service cleanup now respects namespaces, and a CLI gateway API version correction.

  • securityRust TLS stack updated — aws-lc-rs, rustls-webpki, rustls-pki-types all bumped

    Several TLS-adjacent crates were updated in one shot: aws-lc-rs 1.16.3, rustls-webpki 0.103.13, and rustls-pki-types 1.14.1. No CVEs are called out explicitly, but these are the cryptographic underpinnings of Linkerd's mTLS. If you're in a security-sensitive environment, this is a good reason to pull this edge over older ones.

  • breakingKubernetes 1.31 is now the minimum supported version

    The MSKV bump to 1.31 means clusters running 1.30 or older are no longer in the supported envelope. Check your cluster versions before adopting this edge release — if you're still on 1.30, upgrade Kubernetes first or hold on this Linkerd edge.

  • enhancementFix multicluster namespace-scoped service cleanup before upgrading

    If you run Linkerd multicluster and have services spread across multiple namespaces, the previous cleanup logic could operate beyond its intended namespace scope. This fix is a correctness improvement — after upgrading, verify your mirrored services are in the expected state, especially if you've seen unexpected service deletions or stale mirrors in non-default namespaces.

Key changes (6)
  • Multicluster service cleanup logic now correctly scopes to namespaces, preventing cross-namespace service deletion bugs
  • CLI user instructions now reference the correct Gateway API version
  • New Helm value `gateway.healthCheckNodePort` added for gateway deployments
  • Destination controller refactored to use shared-filtering logic
  • Minimum supported Kubernetes version (MSKV) bumped to 1.31
  • Multiple Rust dependency updates: hyper 1.9.0, tokio 1.52.1, aws-lc-rs 1.16.3, rustls-webpki 0.103.13
Source

Linkerd

Networking & MessagingApr 24, 2026

Maintenance-heavy edge release with OpenSSL/rustls security bumps, a policy admission fix for Gateway routes, and a more robust annotation-to-metric-label conversion in the injector.

  • securityPick up OpenSSL and rustls-webpki patches now

    Two OpenSSL crate bumps landed in this release, plus a rustls-webpki update. These sit in the proxy's TLS stack. If you're running any Linkerd edge build in a security-sensitive environment, upgrade to edge-26.4.4 to get the patched cryptographic dependencies rather than waiting for the next stable.

  • breakingVerify Gateway route policies after the admission webhook fix

    The admission webhook previously ran full validation on Gateway routes even when they contained fields Linkerd doesn't support, causing legitimate routes to be rejected. That's fixed now — but if you worked around this by restructuring routes, review whether those workarounds are still needed or are now masking misconfigurations.

  • enhancementTest chart override behavior if you use custom install values

    The fix to apply overrides to chart values on install closes a gap where certain Helm value overrides weren't being applied. If you have installation automation that relies on specific override patterns, run a dry-run install against this version to confirm the resulting values match expectations before rolling to production.

Key changes (5)
  • OpenSSL crates bumped twice (0.10.76→0.10.78) and rustls-webpki updated — relevant for Rust-based proxy TLS surface
  • Policy admission webhook now skips validation for Gateway routes with unsupported fields, preventing false rejections
  • Injector uses more robust logic to convert annotations to metric labels, reducing edge-case label corruption
  • Chart install now applies overrides to chart values correctly, fixing a long-standing install customization gap
  • proxy-init updated to v2.4.8 and cni-plugin to v1.6.7 alongside proxy v2.350.0
Source

Linkerd

Networking & MessagingApr 2, 2026

Mostly a dependency maintenance release with two proxy bumps (v2.346.0, v2.347.0), a multicluster RBAC fix, and a Prometheus config correction for viz admin port names.

  • securityCrypto dependency updates — low urgency but keep your upgrade cadence

    openssl, rustls-webpki, aws-lc-rs, and aws-lc-sys all received patch bumps this cycle. None carry disclosed CVEs, but these are core cryptographic libraries in the proxy. Stay on a regular edge upgrade cadence rather than skipping multiple releases, so these patches don't accumulate.

  • breakingCheck Prometheus metrics after upgrading if you use Linkerd Viz

    The Prometheus config was corrected to match new admin port names. If you're running Linkerd Viz and upgraded from an earlier edge build, verify your dashboards still show expected metrics after the upgrade. Gaps in scraping could have silently existed before this fix — cross-check your Prometheus targets to confirm scrape health.

  • enhancementMulticluster users: review Server/AuthorizationPolicy coverage

    Missing Server and AuthorizationPolicy resources were added for the multicluster extension. If you use Linkerd multicluster, upgrade and audit your cross-cluster authorization posture. The previous gap meant some traffic paths lacked proper policy objects, which could have caused unexpected allow/deny behavior depending on your default policy.

Key changes (5)
  • Proxy updated twice to v2.346.0 and v2.347.0 — pick up any fixes included in those proxy releases
  • Multicluster: missing Server/AuthorizationPolicy resources added, closing a gap in RBAC coverage for cross-cluster traffic
  • Viz: Prometheus scrape config corrected to match renamed admin port names — previously mismatched names could cause missing metrics
  • openssl (0.10.76), rustls-webpki (0.103.10), aws-lc-rs (1.16.2), and zerocopy (0.8.48) all bumped — routine but relevant for supply-chain hygiene
  • Oliver Gould (@olix0r) moved to emeritus; MAINTAINERS.md updated
Source