Buoyant’s Linkerd Production Runbook
A guide to running the world's most advanced service mesh in production

Last update: August 31, 2023 / Linkerd 2.14.0

Appendix: Upgrade notes

2.10.2

Release summary: This stable release fixes a proxy task leak that could be triggered when clients disconnect while a service is in failfast. It also fixes an issue where the opaque ports annotation on a namespace would overwrite the annotations on services in that namespace.

Who should upgrade: anyone on 2.10.1 who is experiencing issues with unbounded proxy memory usage, or with overridden service annotations in the presence of an opaque-ports annotation in the namespace.

Before upgrading: Please review the 2.10.2 release notes.

2.10.1

Release summary: This release adds CLI support for Apple Silicon M1 chips and support for SMI’s TrafficSplit v1alpha2. It fixes several proxy issues, including handling FailedPrecondition errors gracefully, inbound TLS detection from non-meshed workloads, and using the correct cached client when the proxy is in ingress mode. The logging infrastructure has also been improved to reduce memory pressure in high-connection environments. Finally, it includes several improvements to the control plane, including support for Host IP lookups in the destination service and updating the proxy-injector to add the opaque ports annotation to pods if their namespace has it set.

On the CLI side, the linkerd repair command is now aware of the control plane version, and various bugs have been fixed around the linkerd identity command.

Who should upgrade: all 2.10.0 users.

Before upgrading: Please review the 2.9.5 release notes.

2.10.0

Release summary: This release introduces Linkerd extensions. The default control plane no longer includes Prometheus, Grafana, the dashboard, or tap, which have been moved to a linkerd-viz extension. Similarly, cross-cluster communication is now in the linkerd-multicluster extension and distributed tracing functionality is in the linkerd-jaeger extension.

This release also introduces the ability to mark certain ports as “opaque”, indicating that the proxy should treat the traffic as opaque TCP instead of attempting protocol detection. This allows the proxy to provide TCP metrics and mTLS for server-speaks-first protocols. Finally, it adds support for TCP traffic in multicluster communication.

Who should upgrade: This is a feature release.

Before upgrading: Please review the 2.10.0 upgrade notice and release notes. Pay special attention to the 2.10 ports and protocols upgrade guide as it is very likely you will have to update some of your configuration.

2.9.5

Release summary: This stable release fixes an issue where the destination service is throttled after overwhelming the Kubernetes API server with node topology queries. This results in the destination service failing requests and spiking in latency. By moving to a shared informer for these queries, the information is now fetched asynchronously.

Who should upgrade: anyone on 2.9.4 who is experiencing issues with spiking destination service latency, or failing requests.

Before upgrading: Please review the 2.9.5 release notes.

2.9.4

Release summary: This release fixes an issue that prevented the proxy from being able to speak HTTP/1 with older versioned proxies. This fix was announced in 2.9.3 but wasn’t actually included in the release.

This release also fixed the linkerd install command so that it can properly detect and avoid overwriting already installed Linkerd instances from versions prior to 2.9.

Who should upgrade: Several classes of users should upgrade to this release. First, all users who upgraded from 2.8.x to 2.9.x should upgrade to this release prior to upgrading to future 2.10 releases. Second, 2.8.x users who were unable to upgrade to 2.9.x due to errors with communication between 2.9.x and 2.8.x proxies over HTTP/1 should upgrade. Finally, users who used cert-manager to automatically rotate webhook certificates should upgrade.

Before upgrading: Please review the upgrade notice for the earlier point release, 2.9.3, as well as the 2.9.3 release notes and 2.9.4 release notes.

2.9.3

Users should upgrade to 2.9.4 instead of this release.

This stable release was an attempt to fix an issue that prevented the proxy from being able to speak HTTP/1 with older versioned proxies. Unfortunately, the fix was not actually included in the release!

It also fixed an issue where the linkerd-config-overrides secret would be deleted during upgrade and provides a linkerd repair command for restoring it if it has been deleted.

2.9.2

Release summary: This stable release fixes an issue that stops traffic to a pod when there is an IP address conflict with another pod that is not in a running state.

It also fixes an upgrade issue when using HA that would lead to values being overridden.

Who should upgrade: Users who are experiencing unexpected traffic stops with Linkerd 2.9.1.

Before upgrading: Please review the 2.9.2 release notes.

2.9.1

Release summary: This stable release contains a number of proxy enhancements: better support for high-traffic workloads, improved performance by eliminating unnecessary endpoint resolutions for TCP traffic and properly tearing down server-side connections when errors occur, and reduced memory consumption on proxies which maintain many idle connections (such as Prometheus’ proxy).

On the CLI and control plane sides, it relaxes checks on root and intermediate certificates (following X.509 best practices), and fixes two issues: one that prevented installation of the control plane into a custom namespace and one which failed to update endpoint information when a headless service was modified.

Who should upgrade: Users with high-traffic workloads or who are experiencing issues with the 2.9 release.

Before upgrading: Please review the 2.9.1 release notes.

2.9.0

Release summary: This release extends Linkerd’s zero-config mutual TLS (mTLS) support to all TCP connections, allowing Linkerd to transparently encrypt and authenticate all TCP connections in the cluster the moment it’s installed. Other notable features in this release are: support for ARM architectures, a new multi-core proxy runtime for higher throughput, and support for Kubernetes service topologies.

Who should upgrade: This is a feature release.

Before upgrading: Please review the 2.9.0 upgrade notice and release notes.

2.8.1

Release summary: This release fixes multicluster gateways support on EKS.

Who should upgrade: EKS users who desire cross-cluster connectivity.

Before upgrading: Please review the 2.8.1 release notes.

2.8.0

Release summary: This release introduces a new multi-cluster extension to Linkerd, allowing it to establish connections across Kubernetes clusters that are secure, transparent to the application, and work with any network topology.

Who should upgrade: This is a feature release. However, support for multi-cluster connectivity in EKS is a known issue. Users who desire this feature on EKS should delay upgrading until 2.8.1, expected within a few weeks.

Before upgrading: Please review the 2.8.0 upgrade notice and release notes.

2.7.1

Release summary: This release introduces substantial proxy improvements, resulting from continued profiling and performance analysis. Support for Kubernetes 1.17 was also improved.

Who should upgrade: Users of Kubernetes 1.17, and users who are experiencing missing updates from service discovery (often manifesting as 503 errors).

Before upgrading: Please review the 2.7.1 release notes.

2.7.0

Release summary: This release adds support for integrating Linkerd’s PKI with an external certificate issuer such as cert-manager, and streamlines the certificate rotation process in general. For more details about cert-manager and certificate rotation, see the documentation. This release also includes performance improvements to the dashboard, reduced memory usage of the proxy, various improvements to the Helm chart, and much, much more.

Who should upgrade: This is a feature release.

Before upgrading: Please review the 2.7.0 upgrade notice and release notes.