
Tags: sankalp-r/linkerd2

edge-21.10.1

Verified

This tag was signed with the committer’s verified signature.
Pothulapati Tarun Pothulapati
This release includes some fixes in the `linkerd check`, along with a
bunch of dependency updates across the dashboard, Go components, and
others. On the proxy side, support for `TLSv1.2` has been dropped
(only `TLSv1.3` cipher suite will be used), and the `h2` crate has been updated
to support HTTP/2 messages with larger header values.

* Updated `linkerd check` to avoid multiline errors with retryable checks
* Fixed incorrect opaque ports warning in `linkerd check --proxy` with
  un-named ports
* Bumped proxy-init to `1.4.1` which adds support for `--log-level`
  and `--log-format` flags (thanks @gusfcarvalho)
* Removed the use of `TLSv1.2` in the proxy
* Updated the `h2` crate in the proxy to support HTTP/2 messages with
  larger header values.
* Updated various dependencies across the dashboard, policy-controller, etc
  (thanks @dependabot!)

stable-2.11.0

Verified

This tag was signed with the committer’s verified signature.
alpeb Alejandro Pedraza
## stable-2.11.0

This release introduces access control policies. Default policies may be
configured at the cluster- and workspace-levels; and fine grained policies may
be instrumented via the new `policy.linkerd.io/v1beta1` CRDs: `Server` and
`ServerAuthorization`. These resources may be created to define how individual
ports accept connections; and the `Server` resource will be a building block for
future features that configure inbound proxy behavior.

Furthermore, `ServiceProfile` retry configurations can now instrument retries
for requests with bodies. This unlocks retry behavior for gRPC services.

**Upgrade notes**: Please see the [upgrade instructions][upgrade-2110].

* Proxy
  * Reduced CPU & Memory usage by up to 30% in some load tests
  * Updated retries to support requests with bodies up to 64KB. ServiceProfiles
    may now configure retries for gRPC services
  * The proxy's container image is now based on `gcr.io/distroless/cc` to
    contain a minimal OS footprint that should not trigger unnecessary alerts in
    security scanners
  * Added the `inbound_http_errors_total` and `outbound_http_errors_total`
    metrics to reflect errors that caused the proxy to respond with errors
  * Added an `l5d-proxy-error` header that is included on responses on trusted
    connections for debugging purposes
  * Added a `l5d-client-id` header on mutually-authenticated inbound requests so
    that applications can discover the client's identity
  * Added metrics to reflect TCP and HTTP authorization decisions
  * Added `srv_name` and `saz_name` labels to inbound HTTP metrics
  * Fixed an issue that could cause the proxy to continually reconnect to
    defunct service endpoints
  * Dropped support for non-HTTP outbound services when `linkerd.io/inject:
    ingress` is used
  * Instrumented fuzz testing to help guard against unexpected panics

* Control Plane
  * Added a new `policy-controller` container to the `linkerd-destination`
    pod--the first control plane component implemented in Rust
  * Added a new admission controller to validate that multiple `Server`
    resources do not reference the same port
  * Added a `linkerd-identity-trust-roots` ConfigMap which configures the trust
    root bundle for all pods in the core control plane namespace
  * Eliminated the `linkerd-controller` deployment so that Linkerd's core
    control plane now consists of only 3 deployments
  * Updated the proxy injector to configure the `proxy-init` container with
    `NET_RAW` and `NET_ADMIN` capabilities so that the container does not fail
    when the pod drops these capabilities

* CLI
  * Enhanced `linkerd completion` to expand Kubernetes resources from the current
    kubectl context
  * Added an `authz` subcommand to display the authorization policies that
    impact a workload
  * Added a _short_ output mode for `linkerd check` that only prints failed
    checks
  * Added support for `ReplicaSets` to `linkerd stat` so that pods created by
    Argo `Rollout` resources can be inspected

* Helm: please see the [upgrade instructions][upgrade-2110].

* Extensions:
  * Introduced a new (optional) SMI extension responsible for reading
    `specs.smi-spec.io` resources and converting them to Linkerd resources
  * In `stable-2.12`, this extension will be required to use `TrafficSplit`
    resources with Linkerd
  * Added an extensions page to the Linkerd Web UI

  * Viz
    * Added `Server` and `ServerAuthorization` resources for all ports
    * Added JSON log formatting

  * Jaeger
    * Added OpenTelemetry collector instead of OpenCensus

  * Multicluster
    * Added experimental support for `StatefulSet` workloads

This release includes changes from a massive list of contributors. A special
thank-you to everyone who helped make this release possible:

Gustavo Fernandes de Carvalho @gusfcarvalho
Oleg Vorobev @olegy2008
Bart Peeters @bartpeeters
Stepan Rabotkin @EpicStep
LiuDui @xichengliudui
Andrew Hemming @drewhemm
Ujjwal Goyal @importhuman
Knut Götz @knutgoetz
Sanni Michael @sannimichaelse
Brandon Sorgdrager @bsord
Gerald Pape @ubergesundheit
Alexey Kostin @rumanzo
rdileep13 @rdileep13
Takumi Sue @mikutas
Akshit Grover @akshitgrover
Sanskar Jaiswal @aryan9600
Aleksandr Tarasov @aatarasoff
Taylor @SkinN
Miguel Ángel Pastor Olivar @migue
wangchenglong01 @wangchenglong01
Josh Soref @jsoref
Carol Chen @kipply
Peter Smit @psmit
Tarvi Pillessaar @tarvip
James Roper @jroper
Dominik Münch @muenchdo
Szymon Gibała @Szymongib
Mitch Hulscher @mhulscher

[upgrade-2110]: https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2110

edge-21.9.5

Verified

This tag was signed with the committer’s verified signature.
alpeb Alejandro Pedraza
## edge-21.9.5

This edge is a release candidate for `stable-2.11.0`, containing a couple of
improvements to `linkerd check`, some final tweaks before the stable release,
and a couple of contributions from the community.

* Had `linkerd check --proxy` stop failing on pods that are in Shutdown status
  (thanks @olegy2008!)
* Lowered from error to warning a failed check on misconfigured opaque ports
  annotations, given that doesn't imply the installation is broken
* Added log level and format settings to all the viz components (thanks
  @gusfcarvalho!)
* Removed label from the multicluster gateway and service-mirror pods to allow
  them to be properly rolled out when upgrading

edge-21.9.4

Verified

This tag was signed with the committer’s verified signature.
kleimkuhler Kevin Leimkuhler
This edge is a release candidate for `stable-2.11.0`! It introduces a new
`linkerd viz auth` command which shows metrics for server authorizations broken
down by server for a given resource. It also shows the rate of unauthorized
requests to each server. This is helpful for seeing a breakdown of which
authorizations are being used and what proportion of traffic is being rejected.

It also fixes an issue in the proxy where HTTP load balancers could continue
trying to establish connections to endpoints that were removed from service
discovery. In addition it improves the proxy's error handling so that it can
signal to an inbound proxy when its peers' outbound connections should be torn
down.

* Changed destination watch updates from `info` to `debug` to reduce the amount
  of logs (thanks @bartpeeters!)
* Added the `linkerd viz auth` command which shows metrics for server
  authorizations broken down by server for a given resource
* Fixed an issue where the policy controller's validating admission webhook
  attempted to validate ServerAuthorizations when it should only be validating
  Servers
* Removed `omitWebhookSideEffects` setting now that we no longer support
  Kubernetes 1.12
* Improved proxy error handling so that it can signal to its peers that their
  outbound connections should be torn down
* Fixed an issue where after upgrades there would be a mismatch in certs used by
  the policy controller validator; the destination pod is now restarted similar
  to the injector
* Fixed a field reference in the Helm template to properly refer to
  `profileValidator.namespaceSelector`
* Updated policy CRD versions to `v1beta1`
* Added support for `stat`'s `-o json` option to Server resources
* Fixed an issue in the proxy where HTTP load balancers could continue trying to
  establish connections to endpoints that were removed from service discovery
* Added JSON output format to `linkerd viz authz` command

edge-21.9.3

This edge is a release candidate for `stable-2.11.0`! It features a new `linkerd authz`
CLI command to list servers and authorizations for a workload, as well as
policy resources support for `linkerd viz stat`. Furthermore, this edge release
adds support for JSON log formatting, enables TLS detection on port 443
(previously marked as opaque), and further improves policy features.

* Removed port 443 from the default list of opaque ports, this will allow the
  proxy to report metadata (such as the connection's SNI value) on TLS
  connections to port 443
* Added default policies for core Linkerd extensions
* Added support for JSON log formatting to the policy controller
* Added support for new policy resources to `viz stat` command
* Added default policy annotation to `linkerd-identity`
* Added a new `linkerd authz` command to the CLI to list all server and
  authorization resources that apply to a specific resource
* Added TLS labels (including client identity) to authorization metrics in the
  proxy
* Changed the opaque ports CLI check to consider service and pod ports when
  checking annotation values; previously, the check would naively issue warnings
  when the service annotation values were different from the pod it selected
* Changed how the proxy forwards inbound connections to a pod locally; the proxy
  now targets the original address instead of a port bound on localhost to
  protect services that are only bound on loopback from being exposed to other
  pods
* Improved memory utilization in the proxy, especially for TCP forwarding, where
  the memory allocated was reduced from 128KB to 16KB
* Updated the inbound policy system for the proxies to always allow connections
  from localhost
* Fixed an issue where the policy controller would not detect changes to the
  `proxyProtocol` field of `Server` resources
* Fixed an issue where the policy admission controller would log a `WARN`
  message when deserializing `Server` structs

edge-21.9.2

Verified

This tag was signed with the committer’s verified signature.
alpeb Alejandro Pedraza
## edge-21.9.2

This edge release gets us closer to 2.11 by further polishing the policy
feature. Also the proxy received a noticeable resource consumption improvement.

* Stopped creating the default authorizations for the kubelet
* Added missing ports to the destination controller's default list of ports, to
  allow the sp-validator to start properly when using a default-deny policy
* Set the destination and proxy-injector pods default policy to
  `all-unauthenticated` to allow the webhooks to be called from the kube-api
  when using a default-deny policy
* Extended inbound policies to cover the proxy's admin server
* Improved the proxy's error handling so that HTTP metrics include 5XX responses
  for common errors
* The proxy's outbound tap has been fixed to include route labels when service
  profiles are configured
* Enabled link-time optimizations in the Rust components (proxy and policy
  controller), resulting in noticeable RSS and CPU consumption improvements
* Made the admin servers in the control plane components properly shut down
  (thanks @EpicStep!)
* Updated linkerd-await, suppressing the error emitted when linkerd-await was
  disabled

edge-21.9.1

Verified

This tag was signed with the committer’s verified signature.
Pothulapati Tarun Pothulapati
This release includes various improvements and feature additions across the policy
feature, i.e., a new validating webhook for policy resources. This also includes changes
in the proxy, i.e., terminating TCP connections when an authorization is revoked, improvements
in the proxy authorization metrics. In addition, proxy injector has also been updated
to set the right `opaque-ports` annotation on services with default opaque ports.

* Added a new validating admission controller to validate the policy resources
* Updated the proxy-init to remove a rule which caused the packets from the proxy
  with destination != 127.0.0.1 on localhost to be sent to the inbound proxy
* Updated inbound policy enforcement to interrupt TCP forwarding if a previously
  established authorization is revoked
* Added new proxy metrics to expose authorization decisions
* Updated inbound TCP metrics to only include a `srv_name` label
* Updated the proxy to export route-oriented metrics only when a ServiceProfile
  is enabled
* Updated the proxy's release build configuration to improve CPU and memory
  utilization
* Added DNS name validation to the `proxy-identity` binary which creates the
  read-only private key required by the proxy (thanks @yorkijr!)
* Updated the identity controller's default policy to be `cluster-unauthenticated`
* Updated the proxy injector to include the correct default ports as opaque with
  services
* Deprecated the usage of `viz stat ts` and print a warning about the SMI extension
* Updated various dependencies across the dashboard, policy-controller
  (thanks @dependabot!)

edge-21.8.4

Unverified

The committer email address is not verified.
This edge release continues to build on the policy feature by adding support for
cluster-scoped default policies and exposing policy labels on various Prometheus
metrics. The proxy has been updated to return HTTP-level authorization errors
at the time that the request is processed, instead of when the connection is
established.

In addition, the proxy-injector has been updated to set the `opaque-ports`
annotation on a workload to make sure that controllers can discover how the
workload was configured. Also, the `sleep` binary has been added to the proxy
image in order to restore the functionality required for `waitBeforeExitSeconds`
to work.

* Added `default-inbound-policy` annotation to the proxy-injector
* Updated the proxy-injector to always add the `opaque-ports` annotation
* Added `sleep` binary to proxy image
* Updated inbound traffic metrics to include server and authorization labels
* Updated the policy-controller to honor pod level port annotations when a
  `Server` resource definition does not match the ports defined for the workload
* Updated the point at which the proxy returns HTTP-level authorization errors
* Exposed permit and policy labels on HTTP metrics
* Added support for cluster-scoped default policies
* Dropped `nonroot` variant from the policy-controller's distroless base image
  to avoid erroring in some environments.

edge-21.8.3

Verified

This tag was signed with the committer’s verified signature.
kleimkuhler Kevin Leimkuhler
This release adds support for dynamic inbound policies. The proxy now discovers
policies from the policy-controller API for all application ports documented in a
pod spec. Rejected connections are logged. Policies are not yet reflected in the
proxy's metrics.

These policies also allow the proxy to skip protocol detection when a server is
explicitly annotated as HTTP/2 or when the server is documented to be opaque or
application-terminated TLS.

* Added a new section to linkerd-viz's dashboard that lists installed extensions
  (thanks @sannimichaelse!)
* Added the `enableHeadlessServices` Helm flag to the `linkerd multicluster
  link` command for enabling headless service mirroring (thanks @knutgoetz!)
* Removed some unused and duplicate constants in the codebase (thanks
  @xichengliudui!)
* Added support for exposing service metadata from exported to mirrored services
  in multicluster installations (thanks @importhuman!)
* Fixed an issue where the policy controller's liveness checks would fail after
  the controller was disconnected but had successfully resumed its watches
* Fixed the `linkerd-policy` service selector to properly select `destination`
  control plane components
* Added additional environment variables to the proxy container to allow support
  for dynamic policy configuration

edge-21.8.2

This edge release continues the policy work by adding a new controller, written
in Rust, to expose a discovery API for inbound server policies. Apart from
that, this release includes a number of changes from external contributors; the
`linkerd-jaeger` helm chart now supports passing arguments to the Jaeger
container through the chart's values file. A number of unused functions and
variables have been also removed to improve the quality of the codebase.
Finally, this release also comes with changes to the proxy's outbound behavior,
a new extensions page on the dashboard, and support for querying service
metrics using the `authority` label in `linkerd viz stat`.

* Introduced new `linkerd-policy-controller`; the new controller is written in
  Rust and implements discovery APIs for inbound server policies, the container
  has been added to the `linkerd-destination` pod
* Updated `linkerd-jaeger` helm chart to support passing arguments to the
  Jaeger container (thanks @bsord!)
* Added support for querying service metrics using the `authority` label in
  `linkerd viz stat`
* Improved code hygiene by removing unused constants and functions throughout
  the codebase (thanks @xichengliudui!)
* Added a new extensions page to the dashboard to list all known built-in and
  third party extensions that can be used with Linkerd
* Changed outbound behavior in the proxy to tear down server-side connections
  when the remote proxy returns responses that indicate proxy errors; the
  connection in this case will be reset to allow clients to connect to a new
  endpoint