Kuma 2.11 Reduced Privileges, Incremental xDS more....

We’re excited to announce the release of Kuma 2.11!

Notable features

In Kuma 2.11.x we’ve focused on 3 main areas:

  • Incremental configuration propagation (Incremental xDS).
  • Reduction in RBAC scope for Mesh deployments.
  • Additional policy support for MeshHTTPRoute.

Feel free to check our release notes for the full list of changes.

Reduction in RBAC scope for Mesh deployments

By default, Kuma observes resources across an entire Kubernetes cluster. In production or shared clusters this may not be desirable: not all namespaces need to be monitored, or your teams may not have the cluster-wide scope to do this. When deploying Kuma using Helm, you can now specify the namespaces that it’s allowed to watch:

helm upgrade \
  --install \
  --create-namespace \
  --namespace kuma-system \
  --set "namespaceAllowList={my-namespace}" \
  kuma kuma/kuma

This is achieved by taking the kuma-control-plane ClusterRole and binding it only to the allowed namespaces via a RoleBinding, which greatly reduces the RBAC permissions by limiting them to those namespaces.
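The scoping described above can be checked after installation. The following is an added example, not code from the Kuma project or the original post: it reads binding objects and reports where the kuma-control-plane ClusterRole takes effect, assuming the role should be bound only through RoleBindings in the allowed namespaces. The sample bindings, their names and the other-team namespace are constructed.

```python
import json

# Constructed sample shaped like `kubectl get rolebindings,clusterrolebindings
# -A -o json`; binding names and the "other-team" namespace are made up.
SAMPLE = json.loads("""
{"items": [
  {"kind": "RoleBinding",
   "metadata": {"name": "cp-workloads", "namespace": "my-namespace"},
   "roleRef": {"kind": "ClusterRole", "name": "kuma-control-plane"}},
  {"kind": "RoleBinding",
   "metadata": {"name": "cp-leftover", "namespace": "other-team"},
   "roleRef": {"kind": "ClusterRole", "name": "kuma-control-plane"}},
  {"kind": "RoleBinding",
   "metadata": {"name": "unrelated", "namespace": "other-team"},
   "roleRef": {"kind": "Role", "name": "kuma-control-plane"}},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "cp-cluster-wide"},
   "roleRef": {"kind": "ClusterRole", "name": "kuma-control-plane"}}
]}
""")


def role_scope(items, cluster_role):
    """Return (cluster_wide, namespaces) where cluster_role is in effect."""
    cluster_wide, namespaces = False, set()
    for obj in items:
        ref = obj.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != cluster_role:
            continue  # a namespaced Role with the same name is a different object
        if obj.get("kind") == "ClusterRoleBinding":
            cluster_wide = True  # grants the rules in every namespace
        elif obj.get("kind") == "RoleBinding":
            # A RoleBinding to a ClusterRole grants its rules only in this namespace.
            namespaces.add(obj["metadata"]["namespace"])
    return cluster_wide, namespaces


def audit(items, cluster_role, allowed):
    """List deviations from the intended namespace allow list."""
    cluster_wide, namespaces = role_scope(items, cluster_role)
    findings = []
    if cluster_wide:
        findings.append("cluster-wide binding present")
    findings += [f"unexpected namespace: {ns}" for ns in sorted(namespaces - set(allowed))]
    findings += [f"missing binding in: {ns}" for ns in sorted(set(allowed) - namespaces)]
    return findings


print("\n".join(audit(SAMPLE["items"], "kuma-control-plane", ["my-namespace"])))
```

Against a live cluster, pass the parsed "items" list from the kubectl JSON output and the same namespaces given to namespaceAllowList.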

Incremental configuration propagation (Incremental xDS)

By default, Kuma sends the full configuration to the dataplane whenever updates are made. With Incremental configuration, only the parts of the configuration that have changed (the delta) are sent to the dataplanes. This reduces CPU and memory utilization and is especially useful as the number of workloads increases.

This is an experimental feature, but can be enabled per dataplane with a Kubernetes annotation, or with an environment variable if using Universal:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: kuma-demo
spec:
  ...
  template:
    metadata:
      ...
      annotations:
        kuma.io/xds-transport-protocol-variant: DELTA_GRPC

Additional policy support for MeshHTTPRoute

MeshHTTPRoute is a routing policy in Kuma that allows you to match and redirect HTTP traffic within the Mesh. This update gives you a much greater level of control over the HTTP protocol, the path, headers, and query parameters.

We’re releasing further policy support for MeshHTTPRoute in the following Mesh policies:

  • MeshTimeout: Specify explicit request timeouts for routes
  • MeshAccessLog: Capture access logs for traffic that matches a specific route
  • MeshRetry: Apply retry logic to specific routes based on HTTP error codes

Upgrading

We strongly suggest upgrading to Kuma 2.11.0. Upgrading is easy through kumactl or Helm.

Be sure to carefully read the upgrade guide and the version specific upgrade notes before upgrading Kuma.

Join the community

Join us on our community channels, including official Slack chat, to learn more about Kuma. The community channels are useful for getting up and running with Kuma, as well as for learning how to contribute to and discuss the project roadmap. Kuma is a CNCF Sandbox project: neutral, open and inclusive.

The community call is hosted on the second Wednesday of every month at 8:30 AM PDT. And don’t forget to follow Kuma on Twitter and star it on GitHub!
