Changed: Stateful filtering is now off by default. Stateful filtering was introduced in 1.66.0 as a mitigation for a vulnerability described in TS-2024-005, and inadvertently broke DNS resolution from containers running on the host. Most vulnerable setups are protected by other mitigations already, except when autogroup:danger-all is used in ACLs.
v1.66.3
All platforms
Fixed: Login URLs did not always appear in the console when running tailscale up.
Android
Changed: Reintroduced the Quick Settings title that v1.66.0 temporarily removed.
Changed: Improved the VPN service connection logic, especially when rebooting the device with Always-On VPN enabled.
Changed: The persistent VPN status notification now informs the user with a muted icon when the VPN is disconnected. VPN status notifications can be disabled in the system notification settings.
Fixed: The "Enable" button in the exit node selector banner now renders with the correct background color.
Kubernetes operator
Breaking change: Starting with v1.66, the Kubernetes operator must always run the same or later version as the proxies it manages.
New: Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.
New: Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names. Refer to #11019gh-tailscale-pull-11019.
New: Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD.
Refer to [ProxyClass API][gh-tailscale-proxy-class-api].
New: Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD. Note that the tailscaled metrics are unstable and will likely change in the future. Refer to [ProxyClass API][gh-tailscale-proxy-class-api].
New: Configure labels for the Kubernetes operator Pods with Helm chart values. Refer to Helm chart values.
New: Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass. Refer to [ProxyClass API][gh-tailscale-proxy-class-api].
Fixed: Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #11867gh-tailscale-pull-11867.
Containers
Fixed: Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is pre-created for the tailscaled state. Refer to #11326gh-tailscale-pull-11326.
Fixed: Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right permissions to perform actions against the tailscaled state Secret. Refer to #11326gh-tailscale-pull-11326.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependabot[bot]
commented
5 months ago
Bumps tailscale.com from 1.64.2 to 1.66.4.
Release notes
Sourced from tailscale.com's releases.
... (truncated)
Commits
e64efe4VERSION.txt: this is v1.66.41d76a3evarious: disable stateful filtering by default (#12197)c7a51aenet/tstun: do SNAT after filterPacketOutboundToWireGuard (#12140)eae73f8VERSION.txt: this is v1.66.38ff13e9version: fix macOS uploads by increasing build number prefix (#12134)78566fdVERSION.txt: this is v1.66.29d2768autil/linuxfw: fix IPv6 availability check for nftables (#12009) (#12123)32cb8a3ipn/ipnlocal: simplify authURL vs authURLSticky, remove interact fieldc88abffcmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: turn off stateful filter...88e23b6VERSION.txt: this is v1.66.1Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show