Default role-based access control (RBAC) for zone control planes is now restricted to the admin role.
Performance continues to be significantly improved.
Authentication tokens are now more secure.
Before you upgrade from 1.5.0, make sure to review your RBAC configuration for zone control planes. In 1.5.1,
RBAC for zone control planes is restricted by default. For information on how to secure access to resources, see
the RBAC documentation.
Upgrades from 1.5.0 are otherwise seamless and no further steps are needed.
Role-based Access Control (RBAC) is now available.
Support for Windows installation on Universal (VMs) is now available.
Renewable tokens in Vault are now supported.
Starting with this version, the default API server authentication method is user
tokens. To continue using client certificates (the previous default
method), you’ll need to explicitly set the authentication method to client
certificates. This can be done by setting the KUMA_API_SERVER_AUTHN_TYPE variable to
A service map topology view is available that provides visualization of service traffic dependencies.
Support for mutual TLS in permissive mode is available, to support migrating applications into the service mesh.
You can now customize hostnames and ports for data plane proxies with a new virtual outbound policy.
You can more easily specify intermediate CAs with mTLS.
Upgrades from 1.3.0 are seamless, but note the following:
Outbounds generated internally are no longer listed in dataplane.network.outbound. On Kubernetes, they are automatically removed.
On Universal, remove them by recreating your Dataplane resources with kumactl apply or, if the proxy lifecycle is
managed by Kuma, by restarting the services.
You may notice some proxies or zones indicated as Offline in the GUI when you upgrade the control plane. This can happen if
upgrading all instances of the control plane takes more than five (5) minutes. It’s temporary, and occurs because of a new mechanism for
better tracking proxy and zone status. A heartbeat periodically increments the generation counter for Insights. The offline status
should disappear after all control plane instances are upgraded to 1.4.0.
New L7 Traffic Routing policy to route and modify HTTP traffic per path, method, header, or any other combination, with support for regex. Traffic can be modified before reaching the final destination.
New Rate-Limit policy to protect services from aggressive traffic. This policy can protect from downtime and improve the overall reliability of your applications.
The “Remote” control plane is renamed to “Zone” control plane. This means the “Ingress” resource is renamed “ZoneIngress”. Thanks to community users for providing the feedback that drove this effort.
Traffic Permissions now work with external services.
Improved performance of our DNS resolution.
More improvements, including a fix for GCP/GKE’s erratic IPv6 support.
The IP address or hostname that provides the KDS address when you install the control planes can change. Make sure that you update the address when you upgrade the remote control planes to the latest version.
Changes in values in Kong Mesh’s Helm chart:
kuma.controlPlane.mode now accepts the values standalone, zone, and global. zone replaces remote, which is still available in earlier versions.
kuma.controlPlane.globalRemoteSyncService is renamed to kuma.controlPlane.globalZoneSyncService.
kuma.controlPlane.tls.kdsRemoteClient is renamed to kuma.controlPlane.tls.kdsZoneClient.
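An added example, not part of the Kong Mesh documentation or chart: a Python check that applies the three Helm value changes listed above to values already parsed into a dict, and reports each change, including the case where both the old and the new name are set. The function name `migrate_values` and the sample values are assumptions made for illustration.

```python
import copy

# Renames stated in the release notes, as key paths under kuma.controlPlane.
RENAMED_KEYS = {
    ("globalRemoteSyncService",): ("globalZoneSyncService",),
    ("tls", "kdsRemoteClient"): ("tls", "kdsZoneClient"),
}
ACCEPTED_MODES = {"standalone", "zone", "global"}

# Constructed sample values; the port and secret name are illustrative.
SAMPLE = {"kuma": {"controlPlane": {
    "mode": "remote",
    "globalRemoteSyncService": {"port": 5685},
    "tls": {"kdsRemoteClient": {"secretName": "kds-ca"}},
}}}


def migrate_values(values):
    """Return (migrated_copy, findings) for parsed Helm values (a dict)."""
    out = copy.deepcopy(values)  # never mutate the caller's values
    findings = []
    kuma = out.get("kuma")
    cp = kuma.get("controlPlane") if isinstance(kuma, dict) else None
    if not isinstance(cp, dict):
        return out, findings

    mode = cp.get("mode")
    if mode == "remote":
        cp["mode"] = "zone"
        findings.append("kuma.controlPlane.mode: remote -> zone")
    elif mode is not None and str(mode) not in ACCEPTED_MODES:
        findings.append(f"kuma.controlPlane.mode: unexpected value {mode!r}")

    for old, new in RENAMED_KEYS.items():
        parent = cp
        for key in old[:-1]:  # walk to the dict holding the renamed key
            parent = parent.get(key) if isinstance(parent, dict) else None
        if not isinstance(parent, dict) or old[-1] not in parent:
            continue
        old_name = "kuma.controlPlane." + ".".join(old)
        new_name = "kuma.controlPlane." + ".".join(new)
        if new[-1] in parent:
            # Both names are set: report it instead of guessing which wins.
            findings.append(f"CONFLICT: {old_name} and {new_name} both set")
            continue
        parent[new[-1]] = parent.pop(old[-1])
        findings.append(f"{old_name} -> {new_name}")
    return out, findings
```

Running it over the values files kept in version control before the upgrade shows which overrides, including the KDS TLS client settings, still use the pre-rename names.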
⚠️ All installation scripts are updated to a new location, because Bintray is shutting down. If you’ve written automation scripts that refer to the Bintray location, you need to update your scripts to point to the new location.
Transparent proxying is improved.
The GUI is improved.
The locality is now always set in a multi-zone deployment.
If you previously installed Kong Mesh with kumactl install control-plane --license-path=... | kubectl apply -f -,
you must first uninstall the previous version and then install the new version. All policies are removed when you uninstall,
so make sure to back up all related CRDs before you start. Then:
Install Kong Mesh for Kubernetes using kumactl install control-plane ... with any additional command-line arguments you require.
Delete the old Deployment, Service, Webhooks, and Validation hooks: