Changed: Stateful filtering is now off by default. Stateful filtering was introduced in 1.66.0 as a mitigation for a vulnerability described in TS-2024-005, and inadvertently broke DNS resolution from containers running on the host. Most vulnerable setups are protected by other mitigations already, except when autogroup:danger-all is used in ACLs.
v1.66.3
All platforms
Fixed: Login URLs did not always appear in the console when running tailscale up.
Android
Changed: Reintroduced the Quick Settings title that v1.66.0 temporarily removed.
Changed: Improved the VPN service connection logic, especially when rebooting the device with Always-On VPN enabled.
Changed: The persistent VPN status notification now informs the user with a muted icon when the VPN is disconnected. VPN status notifications can be disabled in the system notification settings.
Fixed: The "Enable" button in the exit node selector banner now renders with the correct background color.
Kubernetes operator
Breaking change: Starting with v1.66, the Kubernetes operator must always run the same or later version as the proxies it manages.
New: Expose cloud services on cluster network to the tailnet, using Kubernetes ExternalName Services. This allows exposing cloud services, such as RDS instances, to tailnet by their DNS names.
New: Cluster workloads can now refer to Tailscale Ingress resources by their MagicDNS names. Refer to #11019gh-tailscale-pull-11019.
New: Configure environment variables for Tailscale Kubernetes operator proxies using ProxyClass CRD.
Refer to [ProxyClass API][gh-tailscale-proxy-class-api].
New: Expose tailscaled metrics endpoint for Tailscale Kubernetes operator proxies through ProxyClass CRD. Note that the tailscaled metrics are unstable and will likely change in the future. Refer to [ProxyClass API][gh-tailscale-proxy-class-api].
New: Configure labels for the Kubernetes operator Pods with Helm chart values. Refer to Helm chart values.
New: Configure affinity rules for Kubernetes operator proxy Pods with ProxyClass. Refer to [ProxyClass API][gh-tailscale-proxy-class-api].
Fixed: Kubernetes operator proxy init container no longer attempts to enable IPv6 forwarding on systems that don't have IPv6 module loaded. Refer to #11867gh-tailscale-pull-11867.
Containers
Fixed: Tailscale containers running on Kubernetes no longer error if an empty Kubernetes Secret is pre-created for the tailscaled state. Refer to #11326gh-tailscale-pull-11326.
Fixed: Improved the ambiguous error messages when Tailscale running on Kubernetes does not have the right permissions to perform actions against the tailscaled state Secret. Refer to #11326gh-tailscale-pull-11326.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps tailscale.com from 1.64.2 to 1.66.4.
Release notes
Sourced from tailscale.com's releases.
... (truncated)
Commits
e64efe4VERSION.txt: this is v1.66.41d76a3evarious: disable stateful filtering by default (#12197)c7a51aenet/tstun: do SNAT after filterPacketOutboundToWireGuard (#12140)eae73f8VERSION.txt: this is v1.66.38ff13e9version: fix macOS uploads by increasing build number prefix (#12134)78566fdVERSION.txt: this is v1.66.29d2768autil/linuxfw: fix IPv6 availability check for nftables (#12009) (#12123)32cb8a3ipn/ipnlocal: simplify authURL vs authURLSticky, remove interact fieldc88abffcmd/k8s-operator,cmd/containerboot,ipn,k8s-operator: turn off stateful filter...88e23b6VERSION.txt: this is v1.66.1Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show