KUBEE ROUTER Files

Security Notice

This release contains an important security fix. A GitHub Security Advisory (GHSA) & CVE with full details will be published soon. We are releasing the fix ahead of the advisory to give operators time to upgrade.

We strongly recommend that all users upgrade to v2.8.0 as soon as possible. This is especially critical for multi-tenant clusters or clusters where untrusted users have the ability to create or modify Service resources.

If you have questions or concerns, please reach out via the #kube-router channel on Kubernetes Slack or email admin@kube-router.io.

Breaking Changes

Service IP Range Validation on by Default

This release introduces a new command-line flag which is by default enabled:

• --strict-external-ip-validation (default: true) -- When enabled, externalIPs and loadBalancerIPs on Service resources are validated against the configured --service-external-ip-range and --loadbalancer-ip-range flags. IPs that fall outside the allowed ranges or that conflict with the cluster IP range are rejected. When no ranges are configured and strict mode is enabled, all externalIPs and loadBalancerIPs are rejected (default-deny). We recommend enabling this flag on all clusters.

See the user guide for configuration details.

For this release the kube-router team STRONGLY recommends that you either:

• Have all of your service ranges defined correctly via the --service-external-ip-range and --loadbalancer-ip-range flags and ensure that all of your current services have VIPs that are contained in the ranges defined before upgrading to v2.8.0
• Set --strict-external-ip-validation=false as one of your options to kube-router before upgrading to v2.8.0. Note doing this in a multi-tenant cluster is not recommended by the project.

Prometheus Metric Changes

kube_router_controller_bgp_peers has been replaced with the new metric kube_router_bgp_peer_info which contains more information about the peer's state as well as includes externally configured peers (whereas the previous metric only showed kube-router based peering info).

Summary

v2.8.0 brings a security hardening release focused on service IP validation, along with SCTP support, a new BGP peer info metric, and extensive documentation improvements.

Additionally, with this release the kube-router project officially welcomes @catherinetcai to our small maintainer group! Big thanks for all of the support she's already provided and we look forward to seeing how she improves kube-router in the months / years to come. :)

SCTP Support

kube-router now supports the SCTP protocol in Service resources, extending the existing TCP and UDP support. This includes proper handling in IPVS service proxy, iptables rules, and node port specifications.

BGP Peer Info Metric

A new Prometheus metric kube_router_bgp_peer_info has been added, providing detailed information about BGP peer state. The previous controller_bgp_peers metric name has been replaced.

Documentation Overhaul

This release includes a significant documentation refresh:

• Updated and modernized the user guide, architecture docs, and troubleshooting guide
• Added table of contents to long-form documentation
• Corrected spelling and grammar throughout
• Added a code of conduct and pull request template
• Added AI agent guidelines for contributors
• Added a supported versions statement
• Updated the architecture diagram to include the Load Balancer Allocator controller

Contributions

Thanks to the community members who contributed to this release:

• SCTP support: @damex
• BGP peer info metric: @damex

Changelog

• 0e94d43d - doc(user-guide.md): add service IP validation to table of contents <Aaron U'Ren>
• a1f0b2ee - fix: validate external IPs and LB IPs against configured ranges <Aaron U'Ren>
• 06cff2e4 - doc: remove slashes from headings to fix website generation <Aaron U'Ren>
• 193bef9f - doc: update architecture diagram with lbc <Aaron U'Ren>
• dec6b7d7 - chore(.gitignore): add a place for personal scripts <Aaron U'Ren>
• 4ff7c860 - doc: add a statement about supported versions of kube-router <Aaron U'Ren>
• 070d9565 - feat(lint): add basic typos checker to ensure less spelling mistakes in the future <Aaron U'Ren>
• 1df7ecde - doc: add table of contents to long markdown files <Aaron U'Ren>
• 2f26e67e - doc(troubleshoot.md): add content to the guide <Aaron U'Ren>
• 3e193a74 - doc: correct spelling and grammar mistakes <Aaron U'Ren>
• 06b0b746 - doc: update and modernize documentation <Aaron U'Ren>
• e4b356cb - doc(CODE_OF_CONDUCT.md): add a basic code of conduct <Aaron U'Ren>
• b5b10816 - doc(development): update / clarify development / contribution practices <Aaron U'Ren>
• f5668227 - chore: add Cat C (catherinetcai) to maintainer list <Aaron U'Ren>
• 39efb923 - feat: add support for SCTP <Roman Kuzmitskii>
• 62d1788c - chore(PULL_REQUEST_TEMPLATE.md): add a pull request template to help guide users towards adhering to the AI policy <Aaron U'Ren>
• ac57ed5f - doc(ai): add AI documentation and usage guidelines with AGENTS file <Aaron U'Ren>
• f05ae5a1 - doc(metrics.md): replace controller_bgp_peers -> bgp_peer_info <Aaron U'Ren>
• b1a34ed4 - feat(gobgp): add kube_router_bgp_peer_info metric <Roman Kuzmitskii>
• b40e9472 - build(deps): bump golang.org/x/net from 0.49.0 to 0.51.0 <dependabot[bot]>
• 5cee14cc - build(deps): bump goreleaser/goreleaser-action from 6 to 7 <dependabot[bot]>