2.6.0

Get ready to elevate your Kuma experience with the release of Kuma 2.6.0, a jam-packed update that brings a myriad of exciting features to the table. From introducing a new MeshMetric policy to expanding policy targeting capabilities for MeshGateways, this minor release is packed with enhancements that will transform your network connectivity.

Check out the blog post for more details!

Upgrading

We strongly suggest upgrading to Kuma 2.6.0. Upgrading is straightforward through kumactl or Helm.
Be sure to carefully read the Upgrade Guide before upgrading Kuma.

Notable Changes

• 🚀 Expanded Policy Targeting

  Kuma now allows a wider range of policies, including MeshCircuitBreaker, MeshFaultInjection, and MeshAccessLog, to target MeshGateways. This expands the granularity of policy enforcement and enables more fine-grained control over network traffic at the gateway level.

• 🚀 MeshMetric Policy for Comprehensive Traffic Metrics

  Kuma introduces the new MeshMetric policy, which provides a centralized and consistent approach to collecting traffic metrics across all data plane proxies in a mesh. This policy simplifies the management of metrics configurations and ensures that all traffic data is captured uniformly.

• 🚀 Streamlined MeshGateway Routing

  MeshHTTPRoute and MeshTCPRoute can now replace MeshGatewayRoute for configuring how a MeshGateway should process network traffic. This change provides greater flexibility and control over gateway routing rules.

• 🚀 Modernized Default Policies

  The default legacy policies automatically created during mesh creation have been replaced with new, targetRef style policies.

• 🚀 Enhanced Traffic Flow without mTLS

  When mTLS is not enabled for a mesh, traffic now flows by default, eliminating the need for a TrafficRoute policy.

• 🚀 Improved GUI Experience

  Kuma 2.6.0 introduces a number of enhancements to the graphical user interface (GUI), making it more user-friendly and intuitive.

• 🚀 Effortless Single-Zone to Multi-Zone Migration

  Kuma's zone federation allows you to effortlessly migrate from a single-zone deployment to a multi-zone configuration. This means you can start small with a single zone and gradually federate additional zones as your network grows, ensuring a smooth and controlled scaling process.

Changelog

• chore(deps): bump actions/cache from 3.3.2 to 4.0.0 #8865 #8985 @dependabot
• chore(deps): bump actions/checkout from 3.1.0 to 4.1.1 #8862 @dependabot
• chore(deps): bump actions/download-artifact and actions/upload-artifact from 3 to 4 #8701 @michaelbeaumont
• chore(deps): bump actions/github-script from 6 to 7 #8422 #8530 @dependabot
• chore(deps): bump actions/setup-go from 4 to 5 #8586 @dependabot
• chore(deps): bump actions/upload-artifact from 3.1.0 to 4.2.0 #8863 #8986 @dependabot
• chore(deps): bump debian from fab22df to b16cef8 #8465 #8685 #8853 @dependabot
• chore(deps): bump distroless/base-nossl-debian11 from 1ae8df5 to 61c9d7a #8659 @dependabot
• chore(deps): bump distroless/static-debian11 from cdb2034 to 1e5b9bb #8657 @dependabot
• chore(deps): bump github.com/bakito/go-log-logr-adapter from v0.0.2 to latest #8646 @michaelbeaumont
• chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 #8693 @dependabot
• chore(deps): bump github.com/containernetworking/plugins from 1.3.0 to 1.4.0 #8588 @dependabot
• chore(deps): bump github.com/emicklei/go-restful/v3 from 3.11.0 to 3.11.2 #8791 @dependabot
• chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.1 to 0.12.0 #8738 @dependabot
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.2 to 1.0.4 #8857 #8971 @dependabot
• chore(deps): bump github.com/evanphx/json-patch/v5 from 5.7.0 to 5.8.1 #8883 @dependabot
• chore(deps): bump github.com/exaring/otelpgx from 0.5.2 to 0.5.3 #8975 @dependabot
• chore(deps): bump github.com/go-logr/logr from 1.3.0 to 1.4.1 #8726 @dependabot
• chore(deps): bump github.com/golang-migrate/migrate/v4 from 4.16.2 to 4.17.0 #8724 @dependabot
• chore(deps): bump github.com/google/uuid from 1.4.0 to 1.6.0 #8644 #9018 @dependabot
• chore(deps): bump github.com/gruntwork-io/terratest from 0.46.7 to 0.46.11 #8589 #8790 #8968 @dependabot
• chore(deps): bump github.com/jackc/pgx/v5 from 5.5.0 to 5.5.2 #8587 #8860 @dependabot
• chore(deps): bump github.com/miekg/dns from 1.1.56 to 1.1.58 #8421 #8970 @dependabot
• chore(deps): bump github.com/onsi/ginkgo/v2 from 2.13.1 to 2.15.0 #8520 #8859 #8973 @dependabot
• chore(deps): bump github.com/onsi/gomega from 1.30.0 to 1.31.1 #8976 @dependabot
• chore(deps): bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 #8728 @dependabot
• chore(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 #8858 @dependabot
• chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.6 to 2.1.7 #8974 @dependabot
• chore(deps): bump github.com/testcontainers/testcontainers-go from 0.26.0 to 0.27.0 #8725 @dependabot
• chore(deps): bump github/codeql-action from 2 to 3.23.1 #8662 #8864 #8984 @dependabot
• chore(deps): bump golang from 1.21.4 to 1.21.6 #8616 #8944 @jakubdyszkiewicz,@michaelbeaumont
• chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 #8665 @dependabot
• chore(deps): bump golang.org/x/net from 0.18.0 to 0.20.0 #8519 #8789 @dependabot
• chore(deps): bump golang.org/x/sys from 0.14.1-0.20231108175955-e4099bfacb8c to 0.16.0 #8521 #8774 @dependabot
• chore(deps): bump google.golang.org/grpc from 1.59.0 to 1.61.0 #8645 #8686 #9017 @dependabot
• chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 #8727 @dependabot
• chore(deps): bump helm.sh/helm/v3 from 3.13.2 to 3.14.0 #8643 #8969 @dependabot
• chore(deps): bump ossf/scorecard-action from 2.1.2 to 2.3.1 #8861 @dependabot
• chore(deps): bump postgres from e213539 to 49c276f #8785 #8842 #8866 @dependabot
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.16.3 to 0.17.0 #8972 @dependabot
• chore(deps): bump sigs.k8s.io/controller-tools from 0.13.0 to 0.14.0 #8856 @dependabot
• chore(deps): bump the go-opentelemetry-io group with 3 updates #8420 @dependabot
• chore(deps): bump the go-opentelemetry-io group with 5 updates #8967 @dependabot
• chore(deps): bump the k8s-libs group from 0.28.3 to 0.28.4 #8419 @dependabot
• chore(deps): bump the k8s-libs group with 1 update #8854 @dependabot
• chore(deps): bump the k8s-libs group with 3 updates #8642 @dependabot
• chore(deps): bump the k8s-libs group with 4 updates #8966 @dependabot
• chore(deps): bump ubuntu from 2b7412e to 6042500 #8518 #8658 @dependabot
• chore(deps): fix updat...

2.5.2

This is a patch release that every user should upgrade to.

Changelog

• chore(deps): security update #8678 #8694 #9103 @kumahq
• chore(deps): update go from 1.21.5 to 1.21.6 (backport of #8944) #8962 @kumahq
• chore(deps): update go to 1.21.5 (backport of #8616) #8627 @kumahq
• fix(kds): race condition on fill metadata (backport of #8872) #8999 @kumahq
• fix(kuma-cp): assign extensions in ZoneInsightSink constructor (backport of #8940) #8956 @kumahq
• fix(vips): skip ignored listeners (backport of #8937) #8982 @kumahq

2.2.6

This is a patch release that every user should upgrade to.

Changelog

• chore(deps): security update #8202 #8673 #8698 #9105 @kumahq
• chore(deps): update go from 1.21.5 to 1.21.6 (backport of #8944) #8960 @kumahq
• chore(deps): update go to 1.21.4 (backport of #8341) #8346 @kumahq
• chore(deps): update go to 1.21.5 (backport of #8616) #8623 @kumahq
• chore(deps): upgrade envoy to 1.25.11 #8163 @lukidzi
• fix(MeshTrafficPermission): support permissive mtls (backport of #8171) #8178 @kumahq
• fix(k8s): don't temporarily remove all AvailableServices on ZoneIngress Pod reconciliations (backport of #8301) #8305 @kumahq
• fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services (backport of #8168) #8195 @kumahq

2.5.1

This is a patch release that every user should upgrade to.

Changelog

• feat(dataplane): ignored listeners with ignored labels in selector (backport of #8463) #8544 @kumahq
• fix(ZoneIngress): subset routing when tag is present on all subsets (backport of #8443) #8475 @kumahq
• fix(metrics): fix kds metrics for simple watchdog (backport of #8428) #8430 @kumahq

2.5.0

We’re excited to announce the release of Kuma 2.5, a new minor release packed with exciting features such as advanced locality-aware load balancing, auto-reachable services, and targetRef based policies becoming GA.

Upgrading

We strongly suggest upgrading to Kuma 2.5.0. Upgrading is easy through kumactl or Helm.
Be sure to carefully read the Upgrade Guide before upgrading Kuma.

Notable features:

• 🚀 Advanced locality-aware load balancing inside and across zones helps you achieve cost savings and high reliability, even in the most constrained environments.
• 🚀 Reachable services can now be derived from MeshTrafficPermissions to get performance improvements for free.
• 🚀 Support for Gateway API v1 following Gateway APIs first GA release!
• 🚀 Delta KDS is now enabled by default. This greatly reduces the resource consumption of the Global CP / Zone CP protocol.
• 🚀 Many improvements to the GUI.
• 🚀 Upgrade to Envoy 1.28.

Read the blog post for details!

Changelog

• chore(deps): bump actions/checkout from 3 to 4 #7639 @dependabot
• chore(deps): bump actions/setup-node from 3 to 4 #8109 @dependabot
• chore(deps): bump cirello.io/pglock from 1.14.0 to 1.14.1 #7914 @dependabot
• chore(deps): bump debian from b91baba to 7d3e881 #7697 #7852 #8053 @dependabot
• chore(deps): bump distroless/base-nossl-debian11 from 6579e1f to 1ae8df5 #7635 #7985 @dependabot
• chore(deps): bump distroless/static-debian11 from 312a533 to cdb2034 #7636 #7987 @dependabot
• chore(deps): bump envoy from 1.27.0 to 1.27.1 #8023 @lahabana
• chore(deps): bump github.com/cilium/ebpf from 0.11.0 to 0.12.2 #8093 @dependabot
• chore(deps): bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 #7712 @dependabot
• chore(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible #8183 @dependabot
• chore(deps): bump github.com/evanphx/json-patch/v5 from 5.6.0 to 5.7.0 #7786 @dependabot
• chore(deps): bump github.com/exaring/otelpgx from 0.5.1 to 0.5.2 #7857 @dependabot
• chore(deps): bump github.com/go-logr/logr from 1.2.4 to 1.3.0 #8184 @dependabot
• chore(deps): bump github.com/google/uuid from 1.3.0 to 1.4.0 #7609 #8188 @dependabot
• chore(deps): bump github.com/gruntwork-io/terratest from 0.43.13 to 0.46.1 #7792 #7993 #8090 @dependabot
• chore(deps): bump github.com/miekg/dns from 1.1.55 to 1.1.56 #7785 @dependabot
• chore(deps): bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.13.0 #7611 #7854 #7991 @dependabot
• chore(deps): bump github.com/onsi/gomega from 1.27.10 to 1.29.0 #7917 #8094 #8185 @dependabot
• chore(deps): bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 #7916 @dependabot
• chore(deps): bump github.com/prometheus/client_model from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0 #7992 @dependabot
• chore(deps): bump github.com/slok/go-http-metrics from 0.10.0 to 0.11.0 #8091 @dependabot
• chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.17.0 #7989 @dependabot
• chore(deps): bump github.com/testcontainers/testcontainers-go from 0.23.0 to 0.26.0 #7791 #7945 #8186 @dependabot
• chore(deps): bump github.com/tonglil/opentelemetry-go-datadog-propagator from 0.1.0 to 0.1.1 #7641 @dependabot
• chore(deps): bump go from 1.20.7 to 1.21.1 #7799 @lukidzi
• chore(deps): bump go version to 1.21.3 #8001 @slonka
• chore(deps): bump go.uber.org/zap from 1.25.0 to 1.26.0 #7789 @dependabot
• chore(deps): bump golang.org/x/net from 0.14.0 to 0.16.0 #7699 #7988 @dependabot
• chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.58.3 #8034 @michaelbeaumont
• chore(deps): bump golang.org/x/sys from 0.11.0 to 0.12.0 #7642 @dependabot
• chore(deps): bump golang.org/x/text from 0.12.0 to 0.13.0 #7640 @dependabot
• chore(deps): bump golangci-lint from v1.53.3 to v1.54.1 #7837 @michaelbeaumont
• chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.59.0 #7698 #7788 #7856 #8097 @dependabot
• chore(deps): bump helm.sh/helm/v3 from 3.12.3 to 3.13.1 #7915 #8089 @dependabot
• chore(deps): bump k8s.io/apiextensions-apiserver from v0.28.1 to v0.28.2 #7918 @michaelbeaumont
• chore(deps): bump sigs.k8s.io/controller-runtime from 0.15.1 to 0.16.3 #7643 #7787 #8095 @dependabot
• chore(deps): bump sigs.k8s.io/gateway-api from 0.8.0-rc1 to v1.0.0 #7644 #7781 #8150 @dependabot,@michaelbeaumont
• chore(deps): bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 #8187 @dependabot
• chore(deps): bump the go-opentelemetry-io group with 3 updates #7784 #7920 @dependabot
• chore(deps): bump the go-opentelemetry-io group with 3 updates #8347 @slonka
• chore(deps): bump the go-opentelemetry-io-contrib group with 2 updates #7613 @dependabot
• chore(deps): bump the go-opentelemetry-io-otel group with 2 updates #7607 @dependabot
• chore(deps): bump the k8s-libs group with 3 updates #7606 #7790 #8088 @dependabot
• chore(deps): bump tibdex/github-app-token from 1.8.0 to 2.1.0 #7638 #7731 #7853 @dependabot
• chore(deps): bump ubuntu from ec050c3 to 2b7412e #7637 #7986 #8052 @dependabot
• chore(deps): downgrade testcontainers-go from v0.24.0 to v0.23.0 #7800 @jakubdyszkiewicz
• chore(deps): update gateway-api #8270 @michaelbeaumont
• chore(deps): update go to 1.21.4 #8341 @slonka
• chore(deps): upgrade envoy to 1.28.0 #8158 @lukidzi
• chore(deps): upgrade github.com/gruntwork-io/terratest to v0.43.13 #7706 @lukidzi
• chore(deps): use latest kumahq/kuma-gui #7603 #7604 #7605 #7612 #7614 #7617 #7619 #7620 #7622 #7626 #7627 #7628 #7629 #7631 #7646 #7647 #7648 #7650 #7653 [#7658](https://github.c...

2.4.4

This is a patch release that every user should upgrade to.

Changelog

• chore(deps): security update #8054 #8205 @kumahq
• fix(MeshTrafficPermission): support permissive mtls (backport of #8171) #8176 @kumahq
• fix(k8s): fix VIPs configmap entries with invalid keys for ExternalName services (backport of #8168) #8198 @kumahq
• fix(kuma-cp): fix ZoneIngress/ZoneEgress sync when no mesh (backport of #8129) #8134 @kumahq

2.4.3

This is a patch release that every user should upgrade to.

Addresses: CVE-2023-44487 see: GHSA-9wmc-rg4h-28wv for details

Changelog

• chore(deps): bump envoy from 1.27.0 to 1.27.1 #8025 @lahabana
• chore(deps): bump go version to 1.21.3 (backport of #8001) #8012 @kumahq
• chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.57.1 #8032 @michaelbeaumont

2.3.3

This is a patch release that every user should upgrade to.

Addresses: CVE-2023-44487 see: GHSA-9wmc-rg4h-28wv for details

Changelog

• chore(deps): bump envoy from 1.26.4 to 1.26.5 #8024 @lahabana
• chore(deps): bump go from 1.20.7 to 1.21.1 #7825 @kumahq
• chore(deps): bump go version to 1.21.3 (backport of #8001) #8016 @kumahq
• chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.57.1 #8033 @michaelbeaumont
• chore(deps): bump golangci-lint from v1.53.3 to v1.53.3 #7838 #7848 @kumahq
• chore(deps): security update #7734 @kumahq
• chore(deps): update CoreDNS to v1.11.1 (backport of #7523) #7529 @kumahq
• fix(kuma-cp): set error when KDS clients fails in goroutine (backport of #7725) #7833 @kumahq
• fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes (backport of #7909) #7927 @kumahq
• fix(metrics): hijacker should not pass accept-encoding (backport of #7572) #7576 @kumahq

2.2.5

This is a patch release that every user should upgrade to.

Addresses: CVE-2023-44487 see: GHSA-9wmc-rg4h-28wv for details

Changelog

• chore(deps): bump envoy from 1.25.9 to 1.25.10 #8026 @lahabana
• chore(deps): bump go from 1.20.7 to 1.21.1 #7827 @kumahq
• chore(deps): bump go version to 1.21.3 (backport of #8001) #8013 @kumahq
• chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.57.1 #8031 @michaelbeaumont
• chore(deps): bump golangci-lint from v1.53.3 to v1.53.3 #7842 #7844 @kumahq
• chore(deps): security update #7718 @kumahq
• chore(deps): update CoreDNS to v1.11.1 (backport of #7523) #7531 @kumahq
• fix(kuma-cp): set error when KDS clients fails in goroutine (backport of #7725) #7832 @kumahq
• fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes (backport of #7909) #7928 @kumahq
• fix(metrics): hijacker should not pass accept-encoding (backport of #7572) #7579 @kumahq

2.1.7

This is a patch release that every user should upgrade to.

Addresses: CVE-2023-44487 see: GHSA-9wmc-rg4h-28wv for details

Changelog

• chore(deps): bump envoy from 1.24.10 to 1.24.11 #8027 @lahabana
• chore(deps): bump go from 1.20.7 to 1.21.1 #7829 @kumahq
• chore(deps): bump go version to 1.21.3 (backport of #8001) #8015 @kumahq
• chore(deps): bump golang.org/x/net to v0.17.0, google.golang.org/grpc to v1.57.1 #8030 @michaelbeaumont
• chore(deps): security update #7716 @kumahq
• chore(deps): update CoreDNS to v1.11.1 (backport of #7523) #7532 @kumahq
• fix(kuma-cp): set error when KDS clients fails in goroutine (backport of #7725) #7830 @kumahq
• fix(kuma-cp): specifying IPv6 Envoy Admin address breaks readiness/liveness probes (backport of #7909) #7926 @kumahq
• fix(metrics): hijacker should not pass accept-encoding (backport of #7572) #7577 @kumahq