Telepresence OSS Release Notes

Version 2.15.1 (September 08, 2023)

Rebuild with go 1.21.1

Rebuild Telepresence with go 1.21.1 to address CVEs.

Set security context for traffic agent

OpenShift users reported that the traffic agent injection was failing due to a missing security context.

Version 2.15.0 (August 28, 2023)

Add ASLR to telepresence binaries

ASLR hardens binary security against fixed memory attacks.

Added client builds for arm64 architecture.

Updated the release workflow files in GitHub Actions to include building and publishing the client binaries for arm64 architecture.

KUBECONFIG env var can now be used with the docker mode.

If provided, the KUBECONFIG environment variable was passed to the kubeauth-foreground service as a parameter. However, since it didn't exist, the CLI was throwing an error when using telepresence connect --docker.

Fix deadlock while watching workloads

The telepresence list --output json-stream wasn't releasing the session's lock after being stopped, including with a telepresence quit. The user could be blocked as a result.

Change json output of telepresence list command

Replace deprecated info in the JSON output of the telepresence list command.

Version 2.14.4 (August 21, 2023)

Nil pointer exception when upgrading the traffic-manager.

Upgrading the traffic-manager using telepresence helm upgrade would sometimes result in a Helm error message: `executing "telepresence/templates/intercept-env-configmap.yaml" at <.Values.intercept.environment.excluded>: nil pointer evaluating interface {}.excluded`.

Version 2.14.2 (July 26, 2023)

Telepresence now uses the OSS agent in its latest version by default.

The traffic manager admin was forced to set it manually during the chart installation.

Version 2.14.1 (July 07, 2023)

Envoy's HTTP idle timeout is now configurable.

A new agent.helm.httpIdleTimeout setting was added to the Helm chart that controls the proprietary Traffic agent's HTTP idle timeout. The default of one hour, which in some situations would cause many resource-consuming, lingering connections, was changed to 70 seconds.

Add more gauges to the Traffic manager's Prometheus client.

Several gauges were added to the Prometheus client to make it easier to monitor what the Traffic manager spends resources on.

Agent Pull Policy

Add option to set traffic agent pull policy in helm chart.

Resource leak in the Traffic manager.

Fixes a resource leak in the Traffic manager caused by lingering tunnels between the clients and Traffic agents. The tunnels are now closed correctly when terminated from the side that created them.

Fixed problem setting traffic manager namespace using the kubeconfig extension.

Fixes a regression introduced in version 2.10.5, making it impossible to set the traffic-manager namespace using the kubeconfig extension.

Version 2.14.0 (June 12, 2023)

DNS configuration now supports excludes and mappings.

The DNS configuration now supports two new fields, excludes and mappings. The excludes field allows you to exclude a given list of hostnames from resolution, while the mappings field can be used to resolve a hostname with another.

Added the ability to exclude environment variables

Added a new config map that can take an array of environment variables that will then be excluded from an intercept that retrieves the environment of a pod.

Fixed traffic-agent backward incompatibility issue causing lack of remote mounts

A traffic-agent of version 2.13.3 (or 1.13.15) would not propagate the directories under /var/run/secrets when used with a traffic manager older than 2.13.3.

Fixed race condition causing segfaults on rare occasions when a tunnel stream timed out.

A context cancellation could sometimes be trapped in a stream reader, causing it to incorrectly return an undefined message which in turn caused the parent reader to panic on a nil pointer reference.

Routing conflict reporting.

Telepresence will now attempt to detect and report routing conflicts with other running VPN software on client machines. There is a new configuration flag that can be tweaked to allow certain CIDRs to be overridden by Telepresence.

test-vpn command deprecated

Running telepresence test-vpn will now print a deprecation warning and exit. The command will be removed in a future release. Instead, please configure telepresence for your VPN's routes.

Version 2.13.3 (May 25, 2023)

Add imagePullSecrets to hooks

Add .Values.hooks.curl.imagePullSecrets and .Values.hooks curl.imagePullSecrets to Helm values.

Change reinvocation policy to Never for the mutating webhook

The default setting of the reinvocationPolicy for the mutating webhook dealing with agent injections changed from Never to IfNeeded.

Fix mount failure of IAM roles for service accounts web identity token

The volume injected by EKS is now exported and remotely mounted during an intercept.

Correct namespace selector for cluster versions with non-numeric characters

The mutating webhook now correctly applies the namespace selector even if the cluster version contains non-numeric characters. For example, it can now handle versions such as Major:"1", Minor:"22+".

Enable IPv6 on the telepresence docker network

The "telepresence" Docker network will now propagate DNS AAAA queries to the Telepresence DNS resolver when it runs in a Docker container.

Fix the crash when intercepting with --local-only and --docker-run

Running telepresence intercept --local-only --docker-run no longer results in a panic.

Fix incorrect error message with local-only mounts

Running telepresence intercept --local-only --mount false no longer results in an incorrect error message saying "a local-only intercept cannot have mounts".

Specify port in hook URLs

The helm chart now correctly handles custom agentInjector.webhook.port that was not being set in hook URLs.

Fix wrong default value for disableGlobal and agentArrival

Params .intercept.disableGlobal and .timeouts.agentArrival are now correctly honored.

Version 2.13.2 (May 12, 2023)

Authenticator Service Update

Replaced / characters with a - when the authenticator service creates the kubeconfig in the Telepresence cache.

Enhanced DNS Search Path Configuration for Windows (Auto, PowerShell, and Registry Options)

Configurable strategy (auto, powershell, or registry) to set the global DNS search path on Windows. The default is auto, which means try powershell first and, if it fails, fall back to registry.

Configurable Traffic Manager Timeout in values.yaml

The timeout for the traffic manager to wait for traffic agent to arrive can now be configured in the values.yaml file using timeouts.agentArrival. The default timeout is still 30 seconds.

Enhanced Local Cluster Discovery for macOS and Windows

The automatic discovery of a local container-based cluster (minikube or kind), used when the Telepresence daemon runs in a container, now works on macOS and Windows, and with different profiles, ports, and cluster names.

FTP Stability Improvements

Multiple simultaneous intercepts can transfer large files bidirectionally and in parallel.

Intercepted Persistent Volume Pods No Longer Cause Timeouts

Pods using persistent volumes no longer cause timeouts when intercepted.

Successful 'Telepresence Connect' Regardless of DNS Configuration

Ensure that `telepresence connect` succeeds even though DNS isn't configured correctly.

Traffic-Manager's 'Close of Closed Channel' Panic Issue

The traffic-manager would sometimes panic with a "close of closed channel" message and exit.

Traffic-Manager's Type Cast Panic Issue

The traffic-manager would sometimes panic and exit after some time due to a type cast panic.

Login Friction

Improve login behavior by clearing the saved intermediary API Keys when a user logs in, to force Telepresence to generate new ones.

Version 2.13.1 (April 20, 2023)

Update ambassador-telepresence-agent to version 1.13.13

The malfunction of the Ambassador Telepresence Agent occurred as a result of an update which compressed the executable file.

Version 2.13.0 (April 18, 2023)

Better kind / minikube network integration with docker

The Docker network used by a Kind or Minikube (using the "docker" driver) installation, is automatically detected and connected to a Docker container running the Telepresence daemon.

New mapped namespace output

Mapped namespaces are included in the output of the telepresence status command.

Setting of the target IP of the intercept

There's a new --address flag to the intercept command allowing users to set the target IP of the intercept.

Multi-tenant support

The client will no longer need cluster wide permissions when connected to a namespace scoped Traffic Manager.

Cluster domain resolution bugfix

The Traffic Manager now uses a fail-proof way to determine the cluster domain.

Windows DNS

DNS on Windows is more reliable and performant.

Agent injection with a large number of deployments

The agent is now correctly injected even with a high number of deployments starting at the same time.

Self-contained kubeconfig with Docker

The kubeconfig is made self-contained before running Telepresence daemon in a Docker container.

Version command error

The version command won't throw an error anymore if there is no kubeconfig file defined.

Version 2.12.2 (April 04, 2023)

Update Golang build version to 1.20.3

Update Golang to 1.20.3 to address CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, and CVE-2023-24538

Version 2.12.1 (March 22, 2023)

Additions to gather-logs

Telepresence now includes the kubeauth logs when running the gather-logs command

Environment Variables are now propagated to kubeauth

Telepresence now propagates environment variables properly to the kubeauth-foreground to be used with cluster authentication

Version 2.12.0 (March 20, 2023)

Check for service connectivity independently from pod connectivity

Telepresence now enables you to check for a service and pod's connectivity independently, so that it can proxy one without proxying the other.

Fix cluster authentication when running the telepresence daemon in a docker container.

Authentication to EKS and GKE clusters has been fixed (k8s >= v1.26).

Fix panic when CNAME of kubernetes.default doesn't contain .svc

Telepresence will no longer panic when a CNAME does not contain .svc.

Version 2.11.1 (February 27, 2023)

Multiple architectures

The multi-arch build for the ambassador-telepresence-manager and ambassador-telepresence-agent now works for both amd64 and arm64.

Ambassador agent Helm chart duplicates

Some labels in the Helm chart for the Ambassador Agent were duplicated, causing problems for FluxCD.

Version 2.11.0 (February 22, 2023)

Support for arm64 (Apple Silicon)

The ambassador-telepresence-manager and ambassador-telepresence-agent are now distributed as multi-architecture images and can run natively on both linux/amd64 and linux/arm64.

Connectivity check can break routing in VPN setups

The connectivity check failed to recognize that the connected peer wasn't a traffic-manager. Consequently, it didn't proxy the cluster because it incorrectly assumed that a successful connect meant cluster connectivity.

VPN routes not detected by `telepresence test-vpn` on macOS

The telepresence test-vpn did not include routes of type link when checking for subnet conflicts.

Version 2.10.5 (February 06, 2023)

Daemon reconnection fix

Fixed a bug that prevented the local daemons from automatically reconnecting to the traffic manager when the network connection was lost.

Version 2.10.4 (January 20, 2023)

Backward compatibility restored

Telepresence can now create intercepts with traffic-managers of version 2.9.5 and older.

Version 2.10.2 (January 16, 2023)

Version consistency in helm commands

Ensure that CLI and user-daemon binaries are the same version when running telepresence helm install or telepresence helm upgrade.

Release Process

Fixed an issue that prevented the --use-saved-intercept flag from working.

Version 2.10.1 (January 11, 2023)

Release Process

Fixed a regex in our release process that prevented 2.10.0 promotion.

Version 2.10.0 (January 11, 2023)

Added `insert` and `upgrade` Subcommands to `telepresence helm`

The `telepresence helm` sub-commands `insert` and `upgrade` now accept all types of helm `--set-XXX` flags.

Added Image Pull Secrets to Helm Chart

Image pull secrets for the traffic-agent can now be added using the Helm chart setting `agent.image.pullSecrets`.

Rename Configmap

The configmap `traffic-manager-clients` has been renamed to `traffic-manager`.

Webhook Namespace Field

If the cluster is Kubernetes 1.21 or later, the mutating webhook will find the correct namespace using the label `` rather than ``.

Rename Webhook

The name of the mutating webhook now contains the namespace of the traffic-manager so that the webhook is easier to identify when there are multiple namespace scoped telepresence installations in the cluster.

OSS Binaries

The OSS Helm chart is no longer pushed to the datawire Helm repository. It will instead be pushed from the telepresence proprietary repository. The OSS Helm chart is still what's embedded in the OSS telepresence client.

Fix Panic Using `--docker-run`

Telepresence no longer panics when `--docker-run` is combined with `--name ` instead of `--name=`.

Stop assuming cluster domain

Telepresence traffic-manager extracts the cluster domain (e.g. "cluster.local") using a CNAME lookup for "kubernetes.default" instead of "kubernetes.default.svc".

Uninstall hook timeout

A timeout was added to the pre-delete hook `uninstall-agents`, so that a helm uninstall doesn't hang when there is no running traffic-manager.

Uninstall hook check

The `Helm.Revision` is now used to prevent Helm hook calls from being served by the wrong revision of the traffic-manager.

Version 2.9.5 (December 08, 2022)

Update to golang v1.19.4

Apply security updates by updating to golang v1.19.4

GCE authentication

Fixed a regression, that was introduced in 2.9.3, preventing use of gce authentication without also having a config element present in the gce configuration in the kubeconfig.

Version 2.9.4 (December 02, 2022)

Subnet detection strategy

The traffic-manager can automatically detect that the node subnets are different from the pod subnets, and switch detection strategy to instead use subnets that cover the pod IPs.

Fix `--set` flag for `telepresence helm install`

The `telepresence helm` command `--set x=y` flag didn't correctly set values of other types than `string`. The code now uses standard Helm semantics for this flag.

Fix `agent.image` setting propagation

Telepresence now uses the correct `agent.image` properties in the Helm chart when copying agent image settings from the `config.yml` file.

Delay file sharing until needed

Initialization of FTP type file sharing is delayed, so that setting it using the Helm chart value `intercept.useFtp=true` works as expected.

Cleanup on `telepresence quit`

The port-forward that is created when Telepresence connects to a cluster is now properly closed when `telepresence quit` is called.

Watch `config.yml` without panic

The user daemon no longer panics when the `config.yml` is modified at a time when the user daemon is running but no session is active.

Thread safety

Fix race condition that would occur when `telepresence connect` and `telepresence leave` were called several times in rapid succession.

Version 2.9.3 (November 23, 2022)

Helm options for `livenessProbe` and `readinessProbe`

The helm chart now supports `livenessProbe` and `readinessProbe` for the traffic-manager deployment, so that the pod automatically restarts if it doesn't respond.

Improved network communication

The root daemon now communicates directly with the traffic-manager instead of routing all outbound traffic through the user daemon.

Root daemon debug logging

Using `telepresence loglevel LEVEL` now also sets the log level in the root daemon.

Multivalue flag value propagation

Multi-valued Kubernetes flags such as `--as-group` are now propagated correctly.

Root daemon stability

The root daemon would sometimes hang indefinitely when quit and connect were called in rapid succession.

Base DNS resolver

Don't use `systemd.resolved` base DNS resolver unless cluster is proxied.

Version 2.9.2 (November 16, 2022)

Fix panic

Fix panic when connecting to an older traffic-manager.

Fix header flag

Fix an issue where the `http-header` flag sometimes wouldn't propagate correctly.

Version 2.9.1 (November 16, 2022)

Connect failures due to missing auth provider.

The regression in 2.9.0 that caused a `no Auth Provider found for name "gcp"` error when connecting was fixed.

Version 2.9.0 (November 15, 2022)

New command to view client configuration.

A new telepresence config view was added to make it easy to view the current client configuration.

Configure Clients using the Helm chart.

The traffic-manager can now configure all clients that connect through the client: map in the values.yaml file.

The Traffic manager version is more visible.

The command telepresence version will now include the version of the traffic manager when the client is connected to a cluster.

Command output in YAML format.

The global --output flag now accepts both yaml and json.

Deprecated status command flag

The telepresence status --json flag is deprecated. Use telepresence status --output=json instead.

Unqualified service name resolution in docker.

Unqualified service names now resolve correctly from the docker container when using telepresence intercept --docker-run.

Output no longer mixes plaintext and json.

Informational messages that don't really originate from the command, such as "Launching Telepresence Root Daemon", or "An update of telepresence ...", are discarded instead of being printed as plain text before the actual formatted output when using --output=json.

No more panic when invalid port names are detected.

A `telepresence intercept` of services with invalid port no longer causes a panic.

Proper errors for bad output formats.

An attempt to use an invalid value for the global --output flag now renders a proper error message.

Remove lingering DNS config on macOS.

Files lingering under /etc/resolver as a result of ungraceful shutdown of the root daemon on macOS, are now removed when a new root daemon starts.

Version 2.8.5 (November 2, 2022)


Updated Golang to 1.19.3 to address CVE-2022-41716.

Version 2.8.4 (November 2, 2022)

Release Process

This release resulted in changes to our release process.

Version 2.8.3 (October 27, 2022)

Ability to disable global intercepts.

Global intercepts (a.k.a. TCP intercepts) can now be disabled by using the new Helm chart setting intercept.disableGlobal.

Configurable mutating webhook port

The port used for the mutating webhook can be configured using the Helm chart setting agentInjector.webhook.port.

Mutating webhook port defaults to 443

The default port for the mutating webhook is now 443. It used to be 8443.

Agent image configuration mandatory in air-gapped environments.

The traffic-manager will no longer default to use the tel2 image for the traffic-agent when it is unable to connect to Ambassador Cloud. Air-gapped environments must declare what image to use in the Helm chart.

Can now connect to non-helm installs

telepresence connect now works as long as the traffic manager is installed, even if it wasn't installed via `helm install`.

check-vpn crash fixed

telepresence check-vpn no longer crashes when the daemons don't start properly.

Version 2.8.2 (October 15, 2022)

Reinstate 2.8.0

There was an issue downloading the free enhanced client. This problem was fixed, and 2.8.0 was reinstated.

Version 2.8.1 (October 14, 2022)

Rollback 2.8.0

Rollback 2.8.0 while we investigate an issue with ambassador cloud.

Version 2.8.0 (October 14, 2022)

Improved DNS resolver

The Telepresence DNS resolver is now capable of resolving queries of type A, AAAA, CNAME, MX, NS, PTR, SRV, and TXT.

New `client` structure in Helm chart

A new client struct was added to the Helm chart. It contains a connectionTTL that controls how long the traffic manager will retain a client connection without seeing any sign of life from the client.

Include and exclude suffixes configurable using the Helm chart.

A dns element was added to the client struct in Helm chart. It contains an includeSuffixes and an excludeSuffixes value that controls what type of names that the DNS resolver in the client will delegate to the cluster.

Configurable traffic-manager API port

The API port used by the traffic-manager is now configurable using the Helm chart value apiPort. The default port is 8081.

Envoy server and admin port configuration.

A new agent struct was added to the Helm chart. It contains an `envoy` structure where the server and admin port of the Envoy proxy running in the enhanced traffic-agent can be configured.

Helm chart `dnsConfig` moved to `client.routing`.

The Helm chart dnsConfig was deprecated but retained for backward compatibility. The fields alsoProxySubnets and neverProxySubnets can now be found under routing in the client struct.

Helm chart `agentInjector.agentImage` moved to `agent.image`.

The Helm chart agentInjector.agentImage was moved to agent.image. The old value is deprecated but retained for backward compatibility.

Helm chart `agentInjector.appProtocolStrategy` moved to `agent.appProtocolStrategy`.

The Helm chart agentInjector.appProtocolStrategy was moved to agent.appProtocolStrategy. The old value is deprecated but retained for backward compatibility.

Helm chart `dnsServiceName`, `dnsServiceNamespace`, and `dnsServiceIP` removed.

The Helm chart values dnsServiceName, dnsServiceNamespace, and dnsServiceIP have been removed, because they are no longer needed. The TUN-device will use the traffic-manager pod-IP on platforms where it needs to dedicate an IP for its local resolver.

Quit daemons with `telepresence quit -s`

The former options `-u` and `-r` for `telepresence quit` have been deprecated and replaced with one option `-s` which will quit both the root daemon and the user daemon.

Environment variable interpolation in pods now works.

Environment variable interpolation now works for all definitions that are copied from pod containers into the injected traffic-agent container.

Early detection of namespace conflict

An attempt to create simultaneous intercepts that span multiple namespaces on the same workstation is detected early and prohibited instead of resulting in failing DNS lookups later on.

Annoying log message removed

Spurious and incorrect "!! SRV xxx" messages will no longer appear in the logs when the reason is normal context cancellation.

Single name DNS resolution in Docker on Linux host

Single label names now resolve correctly when using Telepresence in Docker on a Linux host.

Misnomer `appPortStrategy` in Helm chart renamed to `appProtocolStrategy`.

The Helm chart value appProtocolStrategy is now correctly named (used to be appPortStategy)

Version 2.7.6 (September 16, 2022)

Helm chart resource entries for injected agents

The resources for the traffic-agent container and the optional init container can be specified in the Helm chart using the resources and initResource fields of the agentInjector.agentImage

Cluster event propagation when injection fails

When the traffic-manager fails to inject a traffic-agent, the cause for the failure is detected by reading the cluster events, and propagated to the user.

FTP-client instead of sshfs for remote mounts

Telepresence can now use an embedded FTP client and load an existing FUSE library instead of running an external sshfs or sshfs-win binary. This feature is experimental in 2.7.x and enabled by setting intercept.useFtp to true in the config.yml.

Upgrade of winfsp

Telepresence on Windows upgraded winfsp from version 1.10 to 1.11

Removal of invalid warning messages

Running CLI commands on Apple M1 machines will no longer throw warnings about /proc/cpuinfo and /proc/self/auxv.

Version 2.7.5 (September 14, 2022)

Rollback of release 2.7.4

This release is a rollback of the changes in 2.7.4, so essentially the same as 2.7.3

Version 2.7.4 (September 14, 2022)

This release was broken on some platforms. Use 2.7.6 instead.

Version 2.7.3 (September 07, 2022)

PTY for CLI commands

CLI commands that are executed by the user daemon now use a pseudo TTY. This enables docker run -it to allocate a TTY and will also give other commands like bash read the same behavior as when executed directly in a terminal.

Traffic Manager useless warning silenced

The traffic-manager will no longer log numerous warnings saying Issuing a systema request without ApiKey or InstallID may result in an error.

Traffic Manager useless error silenced

The traffic-manager will no longer log an error saying Unable to derive subnets from nodes when the podCIDRStrategy is auto and it chooses to instead derive the subnets from the pod IPs.

Version 2.7.2 (August 25, 2022)

Autocompletion scripts

Autocompletion scripts can now be generated with telepresence completion SHELL where SHELL can be bash, zsh, fish or powershell.

Connectivity check timeout

The timeout for the initial connectivity check that Telepresence performs in order to determine if the cluster's subnets are proxied or not can now be configured in the config.yml file using timeouts.connectivityCheck. The default timeout was changed from 5 seconds to 500 milliseconds to speed up the actual connect.

gather-traces feedback

The command telepresence gather-traces now prints out a message on success.

upload-traces feedback

The command telepresence upload-traces now prints out a message on success.

gather-traces tracing

The command telepresence gather-traces now traces itself and reports errors with trace gathering.

CLI log level

The cli.log log is now logged at the same level as the connector.log

Telepresence --help fixed

telepresence --help now works once more even if there's no user daemon running.

Stream cancellation when no process intercepts

Streams created between the traffic-agent and the workstation are now properly closed when no interceptor process has been started on the workstation. This fixes a potential problem where a large number of attempts to connect to a non-existing interceptor would cause stream congestion and an unresponsive intercept.

List command excludes the traffic-manager

The telepresence list command no longer includes the traffic-manager deployment.

Version 2.7.1 (August 10, 2022)

Reinstate telepresence uninstall

Reinstate telepresence uninstall with --everything deprecated.

Reduce telepresence helm uninstall

telepresence helm uninstall will only uninstall the traffic-manager helm chart and no longer accepts the --everything, --agent, or --all-agents flags.

Auto-connect for telepresence intercept

telepresence intercept will attempt to connect to the traffic manager before creating an intercept.

Version 2.7.0 (August 07, 2022)

Distributed Tracing

The Telepresence components now collect OpenTelemetry traces. Up to 10MB of trace data are available at any given time for collection from components. telepresence gather-traces is a new command that will collect all that data and place it into a gzip file, and telepresence upload-traces is a new command that will push the gzipped data into an OTLP collector.

Helm install

A new telepresence helm command was added to provide an easy way to install, upgrade, or uninstall the telepresence traffic-manager.

Ignore Volume Mounts

The agent injector now supports a new annotation,, that can be used to make the injector ignore specified volume mounts denoted by a comma-separated string.

telepresence pod-daemon

The Docker image now contains a new program in addition to the existing traffic-manager and traffic-agent: the pod-daemon. The pod-daemon is a trimmed-down version of the user-daemon that is designed to run as a sidecar in a Pod, enabling CI systems to create preview deploys.

Prometheus support for traffic manager

Added prometheus support to the traffic manager.

No install on telepresence connect

The traffic manager is no longer automatically installed into the cluster. Connecting or creating an intercept in a cluster without a traffic manager will return an error.

Helm Uninstall

The command telepresence uninstall has been moved to telepresence helm uninstall.

readOnlyRootFileSystem mounts work

Add an emptyDir volume and volume mount under /tmp on the agent sidecar so it works with `readOnlyRootFileSystem: true`

Version 2.6.8 (June 23, 2022)

Specify Your DNS

The name and namespace for the DNS Service that the traffic-manager uses in DNS auto-detection can now be specified.

Specify a Fallback DNS

Should the DNS auto-detection logic in the traffic-manager fail, users can now specify a fallback IP to use.

Intercept UDP Ports

It is now possible to intercept UDP ports with Telepresence and also use --to-pod to forward UDP traffic from ports on localhost.

Additional Helm Values

The Helm chart will now add the nodeSelector, affinity and tolerations values to the traffic-manager's post-upgrade-hook and pre-delete-hook jobs.

Agent Injection Bugfix

Telepresence no longer fails to inject the traffic agent into the pod generated for workloads that have no volumes and `automountServiceAccountToken: false`.

Version 2.6.7 (June 22, 2022)

Persistent Sessions

The Telepresence client will remember and reuse the traffic-manager session after a network failure or other reason that caused an unclean disconnect.

DNS Requests

Telepresence will no longer forward DNS requests for "wpad" to the cluster.

Graceful Shutdown

The traffic-agent will properly shut down if one of its goroutines errors.

Version 2.6.6 (June 9, 2022)


The propagation of the TELEPRESENCE_API_PORT environment variable now works correctly.

Double Printing `--output json`

The --output json global flag no longer outputs multiple objects

Version 2.6.5 (June 03, 2022)

Helm Option -- `reinvocationPolicy`

The reinvocationPolicy of the traffic-agent injector webhook can now be configured using the Helm chart.

Helm Option -- Proxy Certificate

The traffic manager now accepts a root CA for a proxy, allowing it to connect to ambassador cloud from behind an HTTPS proxy. This can be configured through the helm chart.

Helm Option -- Agent Injection

A policy that controls when the mutating webhook injects the traffic-agent was added, and can be configured in the Helm chart.

Windows Tunnel Version Upgrade

Telepresence on Windows upgraded wintun.dll from version 0.12 to version 0.14.1

Helm Version Upgrade

Telepresence upgraded its embedded Helm from version 3.8.1 to 3.9

Kubernetes API Version Upgrade

Telepresence upgraded its embedded Kubernetes API from version 0.23.4 to 0.24.1

Flag `--watch` Added to `list` Command

Added a --watch flag to telepresence list that can be used to watch interceptable workloads in a namespace.

Deprecated `images.webhookAgentImage`

The Telepresence configuration setting for `images.webhookAgentImage` is now deprecated. Use `images.agentImage` instead.

Default `reinvocationPolicy` Set to Never

The reinvocationPolicy of the traffic-agent injector webhook now defaults to Never instead of IfNeeded so that LimitRanges on namespaces can inject a missing resources element into the injected traffic-agent container.


UDP based communication with services in the cluster now works as expected.

Telepresence `--help`

The command help will only show Kubernetes flags on the commands that support them.

Error Count

Only the errors from the last session will be considered when counting the number of errors in the log after a command failure.

Version 2.6.4 (May 23, 2022)

Upgrade RBAC Permissions

The traffic-manager RBAC grants permissions to update services, deployments, replicasets, and statefulsets. Those permissions are needed when the traffic-manager upgrades from versions < 2.6.0 and can be revoked after the upgrade.

Version 2.6.3 (May 20, 2022)

Relative Mount Paths

The --mount intercept flag now handles relative mount points correctly on non-Windows platforms. Windows still requires the argument to be a drive letter followed by a colon.

Traffic Agent Config

The traffic-agent's configuration updates automatically when services are added, updated or deleted.

Container Injection for Numeric Ports

Telepresence will now always inject an initContainer when the service's targetPort is numeric

Matching Services

Workloads that have several matching services pointing to the same target port are now handled correctly.

Unexpected Panic

A potential race condition causing a panic when closing a DNS connection is now handled correctly.

Mount Volume Cleanup

A container start would sometimes fail because an old directory remained in a mounted temp volume.

Version 2.6.2 (May 17, 2022)

Argo Injection

Workloads controlled by workloads like Argo Rollout are injected correctly.

Agent Port Mapping

Multiple services pointing to the same container port no longer result in duplicated ports in an injected pod.

GRPC Max Message Size

The telepresence list command no longer errors out with "grpc: received message larger than max" when listing namespaces with a large number of workloads.

Version 2.6.1 (May 16, 2022)

KUBECONFIG environment variable

Telepresence will now handle multiple path entries in the KUBECONFIG environment variable correctly.

Version 2.6.0 (May 13, 2022)

Intercept multiple containers in a pod, and multiple ports per container

Telepresence can now intercept multiple services and/or service-ports that connect to the same pod.

The Traffic Agent sidecar is always injected by the Traffic Manager's mutating webhook

The client will no longer modify deployments, replicasets, or statefulsets in order to inject a Traffic Agent into an intercepted pod. Instead, all injection is now performed by a mutating webhook. As a result, the client now needs fewer permissions in the cluster.

Automatic upgrade of Traffic Agents

When upgrading, all workloads with injected agents will have their agent "uninstalled" automatically. The mutating webhook will then ensure that their pods will receive an updated Traffic Agent.

No default image in the Helm chart

The helm chart no longer has a default set for the, and unless it's set, the traffic-manager will ask Ambassador Cloud for the preferred image.

Upgrade to Helm version 3.8.1

The Telepresence client now uses Helm version 3.8.1 when auto-installing the Traffic Manager.

Remote mounts will now function correctly with custom securityContext

The bug causing permission problems when the Traffic Agent is in a Pod with a custom securityContext has been fixed.

Improved presentation of flags in CLI help

The help for commands that accept Kubernetes flags will now display those flags in a separate group.

Better termination of process parented by intercept

Occasionally an intercept will spawn a command using -- on the command line, often in another console. When you use telepresence leave or telepresence quit while the intercept with the spawned command is still active, Telepresence will now terminate that command because it's considered to be parented by the intercept that is being removed.

Version 2.5.8 (April 27, 2022)

Folder creation on `telepresence login`

Fixed a bug where the telepresence config folder would not be created if the user ran telepresence login before other commands.

Version 2.5.7 (April 25, 2022)

RBAC requirements

A namespaced traffic-manager will no longer require cluster wide RBAC. Only Roles and RoleBindings are now used.

Windows DNS

The DNS recursion detector didn't work correctly on Windows, resulting in sporadic failures to resolve names that were resolved correctly at other times.

Session TTL and Reconnect

A telepresence session will now last for 24 hours after the user's last connectivity. If a session expires, the connector will automatically try to reconnect.

Version 2.5.6 (April 18, 2022)

Less Watchers

Telepresence agents watcher will now only watch namespaces that the user has accessed since the last connect.

More Efficient `gather-logs`

The gather-logs command will no longer send any logs through gRPC.

Version 2.5.5 (April 08, 2022)

Traffic Manager Permissions

The traffic-manager now requires permissions to read pods across namespaces even if installed with limited permissions

Linux DNS Cache

The DNS resolver used on Linux with systemd-resolved now flushes the cache when the search path changes.

Automatic Connect Sync

The telepresence list command will produce a correct listing even when not preceded by a telepresence connect.

Disconnect Reconnect Stability

The root daemon will no longer get into a bad state when a disconnect is rapidly followed by a new connect.

Limit Watched Namespaces

The client will now only watch agents from accessible namespaces, and is also constrained to namespaces explicitly mapped using the connect command's --mapped-namespaces flag.

Limit Namespaces used in `gather-logs`

The gather-logs command will only gather traffic-agent logs from accessible namespaces, and is also constrained to namespaces explicitly mapped using the connect command's --mapped-namespaces flag.

Version 2.5.4 (March 29, 2022)

Linux DNS Concurrency

The DNS fallback resolver on Linux now correctly handles concurrent requests without timing them out

Non-Functional Flag

The ingress-l5 flag will no longer be forcefully set to equal the --ingress-host flag

Automatically Remove Failed Intercepts

Intercepts that fail to create are now consistently removed to prevent non-working dangling intercepts from sticking around.

Agent UID

The agent container is no longer sensitive to a random UID or a UID imposed by a SecurityContext.

Gather-Logs Output Filepath

Removed a bad concatenation that corrupted the output path of telepresence gather-logs.

Remove Unnecessary Error Advice

An advice to "see logs for details" is no longer printed when the argument count is incorrect in a CLI command.

Garbage Collection

Client and agent sessions no longer leave dangling waiters in the traffic-manager when they depart.

Limit Gathered Logs

The client's gather logs command and agent watcher will now respect the configured grpc.maxReceiveSize

In-Cluster Checks

The TUN device will no longer route pod or service subnets if it is running in a machine that's already connected to the cluster

Expanded Status Command

The status command includes the install id, user id, account id, and user email in its result, and can print output as JSON

List Command Shows All Intercepts

The list command, when used with the --intercepts flag, will list the user's intercepts from all namespaces

Version 2.5.3 (February 25, 2022)

TCP Connectivity

Fixed bug in the TCP stack causing timeouts after repeated connects to the same address

Linux Binaries

Client-side binaries for the arm64 architecture are now available for linux

Version 2.5.2 (February 23, 2022)

DNS server bugfix

Fixed a bug where Telepresence would use the last server in resolv.conf

Version 2.5.1 (February 19, 2022)

Fix GKE auth issue

Fixed a bug where using a GKE cluster would error with: No Auth Provider found for name "gcp"

Version 2.5.0 (February 18, 2022)

Intercept metadata

The flag --http-meta can be used to declare metadata key value pairs that will be returned by the Telepresence REST API endpoint /intercept-info

Client RBAC watch

The verb "watch" was added to the set of required verbs when accessing services and workloads for the client RBAC ClusterRole

Dropped backward compatibility with versions <=2.4.4

Telepresence is no longer backward compatible with versions 2.4.4 or older because the deprecated multiplexing tunnel functionality was removed.

No global networking flags

The global networking flags are no longer used and using them will render a deprecation warning unless they are supported by the command. The subcommands that support networking flags are connect, current-cluster-id, and genyaml.

Output of status command

The also-proxy and never-proxy subnets are now displayed correctly when using the telepresence status command.

SETENV sudo privilege no longer needed

Telepresence no longer requires SETENV privileges when starting the root daemon.

Network device names containing dash

Telepresence will now parse device names containing dashes correctly when determining routes that it should never block.

Linux uses cluster.local as domain instead of search

The cluster domain (typically "cluster.local") is no longer added to the DNS search on Linux using systemd-resolved. Instead, it is added as a domain so that names ending with it are routed to the DNS server.

Version 2.4.11 (February 10, 2022)

Add additional logging to troubleshoot intermittent issues with intercepts

We've noticed some issues with intercepts in v2.4.10, so we are releasing a version with enhanced logging to help debug and fix the issue.

Version 2.4.10 (January 13, 2022)

New --http-plaintext option

The flag --http-plaintext can be used to ensure that an intercept uses plaintext http or grpc when communicating with the workstation process.

Configure the default intercept port

The port used by default in the telepresence intercept command (8080), can now be changed by setting the intercept.defaultPort in the config.yml file.

Change: Telepresence CI now uses Github Actions

Telepresence now uses Github Actions for doing unit and integration testing. It is now easier for contributors to run tests on PRs since maintainers can add an "ok to test" label to PRs (including from forks) to run integration tests.

Check conditions before asking questions

User will not be asked to log in or add ingress information when creating an intercept until a check has been made that the intercept is possible.

Fix invalid log statement

Telepresence will no longer log invalid: "unhandled connection control message: code DIAL_OK" errors.

Log errors from sshfs/sftp

Output to stderr from the traffic-agent's sftp and the client's sshfs processes are properly logged as errors.

Don't use Windows path separators in workload pod template

The auto installer will no longer emit backslash separators for the /tel-app-mounts paths in the traffic-agent container spec when running on Windows.

Version 2.4.9 (December 09, 2021)

Helm upgrade nil pointer error

A helm upgrade using the --reuse-values flag no longer fails on a "nil pointer" error caused by a nil telepresenceAPI value.

Version 2.4.8 (December 03, 2021)

Feature: VPN diagnostics tool

There is a new subcommand, test-vpn, that can be used to diagnose connectivity issues with a VPN. See the VPN docs for more information on how to use it.

Feature: RESTful API service

A RESTful service was added to Telepresence, both locally to the client and to the traffic-agent to help determine if messages with a set of headers should be consumed or not from a message queue where the intercept headers are added to the messages.

TELEPRESENCE_LOGIN_CLIENT_ID env variable no longer used

You could previously configure this value, but there was no reason to change it, so the value was removed.

Tunneled network connections behave more like ordinary TCP connections.

When using Telepresence with an external cloud provider for extensions, those tunneled connections now behave more like TCP connections, especially when it comes to timeouts. We've also added increased testing around these types of connections.

Version 2.4.7 (November 24, 2021)

Injector service-name annotation

The agent injector now supports a new annotation,, that can be used to set the name of the service to be intercepted. This will help disambiguate which service to intercept for when a workload is exposed by multiple services, such as can happen with Argo Rollouts

Skip the Ingress Dialogue

You can now skip the ingress dialogue by setting the ingress parameters in the corresponding flags.

Never proxy subnets

The kubeconfig extensions now support a never-proxy argument, analogous to also-proxy, that defines a set of subnets that will never be proxied via telepresence.

Daemon versions check

Telepresence now checks the versions of the client and the daemons and asks the user to quit and restart if they don't match.

No explicit DNS flushes

Telepresence DNS now uses a very short TTL instead of explicitly flushing DNS by killing the mDNSResponder or doing resolvectl flush-caches

Legacy flags now work with global flags

Legacy flags such as --swap-deployment can now be used together with global flags.

Outbound connection closing

Outbound connections are now properly closed when the peer closes.

Prevent DNS recursion

The DNS-resolver will trap recursive resolution attempts (may happen when the cluster runs in a docker-container on the client).

Prevent network recursion

The TUN-device will trap failed connection attempts that result in recursive calls back into the TUN-device (may happen when the cluster runs in a docker-container on the client).

Traffic Manager deadlock fix

The Traffic Manager no longer runs a risk of entering a deadlock when a new Traffic agent arrives.

webhookRegistry config propagation

The configured webhookRegistry is now propagated to the webhook installer even if no webhookAgentImage has been set.

Login refreshes expired tokens

When a user's token has expired, telepresence login will prompt the user to log in again to get a new token. Previously, the user had to telepresence quit and telepresence logout to get a new token.

Version 2.4.6 (November 02, 2021)

Manually injecting Traffic Agent

Telepresence now supports manually injecting the traffic-agent YAML into workload manifests. Use the genyaml command to create the sidecar YAML, then add the "true" annotation to your pods to allow Telepresence to intercept them.

Telepresence CLI released for Apple silicon

Telepresence is now built and released for Apple silicon.

Change: Telepresence help text now links to

We now include a link to our documentation when you run telepresence --help. This will make it easier for users to find this page whether they acquire Telepresence through Brew or some other mechanism.

Fixed bug when API server is inside CIDR range of pods/services

If the API server for your kubernetes cluster had an IP that fell within the subnet generated from pods/services in a kubernetes cluster, it would proxy traffic to the API server which would result in hanging or a failed connection. We now ensure that the API server is explicitly not proxied.

Version 2.4.5 (October 15, 2021)

Feature: Get pod yaml with gather-logs command

Adding the flag --get-pod-yaml to your request will get the pod yaml manifest for all kubernetes components you are getting logs for (traffic-manager and/or pods containing a traffic-agent container). This flag is set to false by default.

Feature: Anonymize pod name + namespace when using gather-logs command

Adding the flag --anonymize to your command will anonymize your pod names + namespaces in the output file. We replace the sensitive names with simple names (e.g. pod-1, namespace-2) to maintain relationships between the objects without exposing the real names of your objects. This flag is set to false by default.
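
The aliasing idea described above, as an added Go sketch that is not Telepresence's own code: every real name gets one stable alias, so the same pod reads as pod-1 in every log file. The type, function names and log lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample log lines from two different components.
const (
	agentLog   = "pod payments-api-7d9f8 in namespace payments is ready"
	managerLog = "intercept created for payments-api-7d9f8.payments"
)

// Anonymizer (hypothetical name) maps real object names to stable aliases.
type Anonymizer struct {
	aliases map[string]string // real name -> alias
	counts  map[string]int    // kind -> aliases handed out so far
}

func NewAnonymizer() *Anonymizer {
	return &Anonymizer{aliases: map[string]string{}, counts: map[string]int{}}
}

// Alias returns the alias for name, allocating "<kind>-<n>" on first use.
// Repeated calls with the same name return the same alias, which is what
// keeps relationships between objects intact across files.
func (a *Anonymizer) Alias(kind, name string) string {
	if name == "" {
		return "" // an empty search string would match at every position
	}
	if alias, ok := a.aliases[name]; ok {
		return alias
	}
	a.counts[kind]++
	alias := fmt.Sprintf("%s-%d", kind, a.counts[kind])
	a.aliases[name] = alias
	return alias
}

// Scrub replaces every registered name in text with its alias.
// Names are tried longest first: otherwise the namespace "payments" would
// match inside the pod name "payments-api-7d9f8" and leave "-api-7d9f8"
// in the shared file. Substring hits are replaced too, so the failure
// mode is over-redaction rather than a leak.
func (a *Anonymizer) Scrub(text string) string {
	names := make([]string, 0, len(a.aliases))
	for n := range a.aliases {
		names = append(names, n)
	}
	sort.Slice(names, func(i, j int) bool {
		if len(names[i]) != len(names[j]) {
			return len(names[i]) > len(names[j])
		}
		return names[i] < names[j]
	})
	pairs := make([]string, 0, 2*len(names))
	for _, n := range names {
		pairs = append(pairs, n, a.aliases[n])
	}
	// strings.NewReplacer compares old strings in argument order and never
	// rescans text it has already replaced.
	return strings.NewReplacer(pairs...).Replace(text)
}

// anonymizeSample scrubs both constructed log lines with one shared mapping.
func anonymizeSample() (string, string) {
	a := NewAnonymizer()
	a.Alias("namespace", "payments")
	a.Alias("pod", "payments-api-7d9f8")
	return a.Scrub(agentLog), a.Scrub(managerLog)
}

func main() {
	agent, manager := anonymizeSample()
	fmt.Println(agent)
	fmt.Println(manager)
}
```

Before sharing an anonymized archive, searching it for the original names is a cheap check that nothing slipped through in a field the scrubber did not cover.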

Support for intercepting headless services

Intercepting headless services is now officially supported. You can request a headless service on whatever port it exposes and get a response from the intercept. This leverages the same approach as intercepting numeric ports when using the mutating webhook injector, and mainly requires the initContainer to have NET_ADMIN capabilities.

Use one tunnel per connection instead of multiplexing into one tunnel

We have changed Telepresence so that it uses one tunnel per connection instead of multiplexing all connections into one tunnel. This will provide substantial performance improvements. Clients will still be backwards compatible with older managers that only support multiplexing.

Added checks for Telepresence kubernetes compatibility

Telepresence currently works with Kubernetes server versions 1.17.0 and higher. We have added logs in the connector and traffic-manager to let users know when they are using Telepresence with a cluster it doesn't support.

Traffic Agent security context is now only added when necessary

When creating an intercept, Telepresence will now only set the traffic agent's GID when strictly necessary (i.e. when using headless services or numeric ports). This mitigates an issue on OpenShift clusters where the traffic agent can fail to be created due to OpenShift's security policies banning arbitrary GIDs.

Version 2.4.4 (September 27, 2021)

Numeric ports in agent injector

The agent injector now supports injecting Traffic Agents into pods that have unnamed ports.

Feature: New subcommand to gather logs and export into zip file

Telepresence has logs for various components (the traffic-manager, traffic-agents, the root and user daemons), which are integral for understanding and debugging Telepresence behavior. We have added the telepresence gather-logs command to make it simple to compile logs for all Telepresence components and export them in a zip file that can be shared with others and/or included in a GitHub issue. For more information on usage, run telepresence gather-logs --help.

Pod CIDR strategy is configurable in Helm chart

Telepresence now enables you to directly configure how to get pod CIDRs when deploying Telepresence with the Helm chart. The default behavior remains the same. We've also introduced the ability to explicitly set what the pod CIDRs should be.

Compute pod CIDRs more efficiently

When computing subnets using the pod CIDRs, the traffic-manager now uses fewer CPU cycles.

Prevent busy loop in traffic-manager

In some circumstances, the traffic-manager's CPU would max out and get pinned at its limit. This required a shutdown or pod restart to fix. We've added some fixes to prevent the traffic-manager from getting into this state.

Added a fixed buffer size to TUN-device

The TUN-device now has a max buffer size of 64K. This prevents the buffer from growing limitlessly until it receives a PSH, which could be a blocking operation when receiving lots of TCP-packets.
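
A bounded receive buffer of the kind this note describes, as an added Go sketch that is not Telepresence's own code. It assumes buffered payload is handed on either when a segment carries PSH or when the 64K cap is reached; the type and function names are hypothetical and the segments are constructed.

```go
package main

import "fmt"

const maxBuffer = 64 * 1024 // the 64K cap named in the release note

// Segment is a constructed stand-in for a received TCP segment.
type Segment struct {
	Payload []byte
	PSH     bool
}

// Reassembler (hypothetical name) buffers payload until PSH arrives or
// the cap is hit, whichever comes first.
type Reassembler struct {
	buf       []byte
	deliver   func([]byte)
	HighWater int // largest number of bytes ever held at once
}

func NewReassembler(deliver func([]byte)) *Reassembler {
	return &Reassembler{buf: make([]byte, 0, maxBuffer), deliver: deliver}
}

// Receive appends the payload in chunks that never push the buffer past
// maxBuffer. A sender that withholds PSH therefore cannot make the
// receiver allocate without limit.
func (r *Reassembler) Receive(s Segment) {
	p := s.Payload
	for len(p) > 0 {
		n := maxBuffer - len(r.buf)
		if n > len(p) {
			n = len(p)
		}
		r.buf = append(r.buf, p[:n]...)
		p = p[n:]
		if len(r.buf) > r.HighWater {
			r.HighWater = len(r.buf)
		}
		if len(r.buf) == maxBuffer {
			r.flush() // cap reached: hand data on without waiting for PSH
		}
	}
	if s.PSH {
		r.flush()
	}
}

// flush delivers a copy of the buffered bytes and resets the buffer.
func (r *Reassembler) flush() {
	if len(r.buf) == 0 {
		return
	}
	out := make([]byte, len(r.buf))
	copy(out, r.buf)
	r.deliver(out)
	r.buf = r.buf[:0]
}

// Pending reports how many bytes are buffered and not yet delivered.
func (r *Reassembler) Pending() int { return len(r.buf) }

// runBurst feeds n segments of size bytes with PSH never set and returns
// the peak buffer size, the bytes delivered, and the bytes still pending.
func runBurst(n, size int) (highWater, delivered, pending int) {
	r := NewReassembler(func(b []byte) { delivered += len(b) })
	for i := 0; i < n; i++ {
		r.Receive(Segment{Payload: make([]byte, size)})
	}
	return r.HighWater, delivered, r.Pending()
}

func main() {
	hw, delivered, pending := runBurst(100, 1460)
	fmt.Printf("peak=%d delivered=%d pending=%d\n", hw, delivered, pending)
}
```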

Fix hanging user daemon

When Telepresence encountered an issue connecting to the cluster or the root daemon, it could hang indefinitely. It now will error correctly when it encounters that situation.

Improved proprietary agent connectivity

To determine whether the environment cluster is air-gapped, the proprietary agent attempts to connect to the cloud during startup. To deal with a possible initial failure, the agent backs off and retries the connection with an increasing backoff duration.

Telepresence correctly reports intercept port conflict

When creating a second intercept targeting the same local port, it now gives the user an informative error message. Additionally, it tells them which intercept is currently using that port to make it easier to remedy.

Version 2.4.3 (September 15, 2021)

Environment variable TELEPRESENCE_INTERCEPT_ID available in interceptor's environment

When you perform an intercept, we now include a TELEPRESENCE_INTERCEPT_ID environment variable in the environment.

Improved daemon stability

Fixed a timing bug that sometimes caused a "daemon did not start" failure.

Complete logs for Windows

Crash stack traces and other errors were incorrectly not written to log files. This has been fixed so logs for Windows should be at parity with the ones in MacOS and Linux.

Log rotation fix for Linux kernel 4.11+

On Linux kernel 4.11 and above, the log file rotation now properly reads the birth-time of the log file. Older kernels continue to use the old behavior of using the change-time in place of the birth-time.

Improved error messaging

When Telepresence encounters an error, it tells the user where they should look for logs related to the error. We have refined this so that it only tells users to look for errors in the daemon logs for issues that are logged there.

Stop resolving localhost

When using the overriding DNS resolver, it will no longer apply search paths when resolving localhost, since that should be resolved on the user's machine instead of the cluster.

Variable cluster domain

Previously, the cluster domain was hardcoded to cluster.local. While this is true for many kubernetes clusters, it is not for all of them. Now this value is retrieved from the traffic-manager.

Improved cleanup of traffic-agents

Telepresence now uninstalls traffic-agents installed via mutating webhook when using telepresence uninstall --everything.

More large file transfer fixes

Downloading large files during an intercept will no longer cause timeouts and hanging traffic-agents.

Setting --mount to false when intercepting works as expected

When using --mount=false while performing an intercept, the file system was still mounted. This has been remedied so the intercept behavior respects the flag.

Traffic-manager establishes outbound connections in parallel

Previously, the traffic-manager established outbound connections sequentially. This meant that slow (and failing) Dial calls would block all outbound traffic from the workstation (for up to 30 seconds). We now establish these connections in parallel so that won't occur.

Status command reports correct DNS settings

Telepresence status now correctly reports DNS settings for all operating systems, instead of Local IP:nil, Remote IP:nil when they don't exist.

Version 2.4.2 (September 01, 2021)

New subcommand to temporarily change log-level

We have added a new telepresence loglevel subcommand that enables users to temporarily change the log-level for the local daemons, the traffic-manager and the traffic-agents. While the logLevels settings from the config will still be used by default, this can be helpful if you are currently experiencing an issue and want to have higher fidelity logs, without doing a telepresence quit and telepresence connect. You can use telepresence loglevel --help to get more information on options for the command.

All components have info as the default log-level

We've now set the default for all components of Telepresence (traffic-agent, traffic-manager, local daemons) to use info as the default log-level.

Updating RBAC in helm chart to fix cluster-id regression

In 2.4.1, we enabled the traffic-manager to get the cluster ID by getting the UID of the default namespace. The helm chart was not updated to give the traffic-manager those permissions, which has since been fixed. This impacted users who use licensed features of the Telepresence extension in an air-gapped environment.

Timeouts for Helm actions are now respected

The user-defined timeout for Helm actions wasn't always respected, causing the daemon to hang indefinitely when failing to install the traffic-manager.

Version 2.4.1 (August 30, 2021)

Feature: External cloud variables are now configurable

We now support configuring the host and port for the cloud in your config.yml. These are used when logging in to utilize features provided by an extension, and are also passed along as environment variables when installing the traffic-manager. Additionally, we now run our testsuite with these variables set to localhost to continue to ensure Telepresence is fully functional without depending on an external service. The SYSTEMA_HOST and SYSTEMA_PORT environment variables are no longer used.

Helm chart can now regenerate certificate used for mutating webhook on-demand.

You can now set agentInjector.certificate.regenerate when deploying Telepresence with the Helm chart to automatically regenerate the certificate used by the agent injector webhook.

Traffic Manager installed via helm

The traffic-manager is now installed via an embedded version of the Helm chart when telepresence connect is first performed on a cluster. This change is transparent to the user. A new configuration flag, timeouts.helm, sets the timeouts for all helm operations performed by the Telepresence binary.

traffic-manager gets cluster ID itself instead of via environment variable

The traffic-manager used to get the cluster ID as an environment variable when running telepresence connect or via adding the value in the helm chart. This was clunky so now the traffic-manager gets the value itself as long as it has permissions to "get" and "list" namespaces (this has been updated in the helm chart).

Telepresence now mounts all directories from /var/run/secrets

In the past, we only mounted secret directories in /var/run/secrets/ We now mount *all* directories in /var/run/secrets, which, for example, includes directories like used for IRSA tokens.

Max gRPC receive size correctly propagates to all grpc servers

This fixes a bug where the max gRPC receive size was only propagated to some of the grpc servers, causing failures when the message size was over the default.

Updated our Homebrew packaging to run manually

We made some updates to our script that packages Telepresence for Homebrew so that it can be run manually. This will enable maintainers of Telepresence to run the script manually should we ever need to rollback a release and have latest point to an older version.

Telepresence uses namespace from kubeconfig context on each call

In the past, Telepresence would use whatever namespace was specified in the kubeconfig's current-context for the entirety of the time a user was connected to Telepresence. This would lead to confusing behavior when a user changed the context in their kubeconfig and expected Telepresence to acknowledge that change. Telepresence now will do that and use the namespace designated by the context on each call.

Idle outbound TCP connections timeout increased to 7200 seconds

Some users were noticing that their intercepts would start failing after 60 seconds. This was because the idle timeout for outbound TCP connections was set to 60 seconds, which we have now bumped to 7200 seconds to match Linux's tcp_keepalive_time default.

Telepresence will automatically remove a socket upon ungraceful termination

When a Telepresence process terminates ungracefully, it would inform users that "this usually means that the process has terminated ungracefully" and implied that they should remove the socket. We've now made it so Telepresence will automatically attempt to remove the socket upon ungraceful termination.

Fixed user daemon deadlock

Remedied a situation where the user daemon could hang when a user was logged in.

Fixed agentImage config setting

The config setting images.agentImage is no longer required to contain the repository, and it will use the value at images.repository.

Version 2.4.0 (August 04, 2021)

Feature: Windows Client Developer Preview

There is now a native Windows client for Telepresence that is being released as a Developer Preview. All the same features supported by the MacOS and Linux client are available on Windows.

Feature: CLI raises helpful messages from Ambassador Cloud

Telepresence can now receive messages from Ambassador Cloud and raise them to the user when they perform certain commands. This enables us to send you messages that may enhance your Telepresence experience when using certain commands. Frequency of messages can be configured in your config.yml.

Improved stability of systemd-resolved-based DNS

When initializing the systemd-resolved-based DNS, the routing domain is set to improve stability in non-standard configurations. This also enables the overriding resolver to do a proper take over once the DNS service ends.

Fixed an edge case when intercepting a container with multiple ports

When specifying a port of a container to intercept, if there was a container in the pod without ports, it was automatically selected. This has been fixed so we'll only choose the container with "no ports" if there's no container that explicitly matches the port used in your intercept.

$(NAME) references in agent's environments are now interpolated correctly.

If you had an environment variable $(NAME) in your workload that referenced another, intercepts would not correctly interpolate $(NAME). This has been fixed and works automatically.

Telepresence no longer prints INFO message when there is no config.yml

Fixed a regression that printed an INFO message to the terminal when there wasn't a config.yml present. The config is optional, so this message has been removed.

Telepresence no longer panics when using --http-match

Fixed a bug where Telepresence would panic if the value passed to --http-match didn't contain an equal sign. The correct syntax is in the --help string and looks like --http-match=HTTP2_HEADER=REGEX

Improved subnet updates

The traffic-manager used to update subnets whenever the Nodes or Pods changed, even if the underlying subnet hadn't changed, which created a lot of unnecessary traffic between the client and the traffic-manager. This has been fixed so we only send updates when the subnets themselves actually change.

Version 2.3.7 (July 23, 2021)

Also-proxy in telepresence status

An also-proxy entry in the Kubernetes cluster config will show up in the output of the telepresence status command.

Feature: Non-interactive telepresence login

telepresence login now has an --apikey=KEY flag that allows for non-interactive logins. This is useful for headless environments where launching a web-browser is impossible, such as cloud shells, Docker containers, or CI.

Mutating webhook injector correctly hides named ports for probes.

The mutating webhook injector has been fixed to correctly rename named ports for liveness and readiness probes

telepresence current-cluster-id crash fixed

Fixed a regression introduced in 2.3.5 that caused telepresence current-cluster-id to crash.

Better UX around intercepts with no local process running

Requests would hang indefinitely when initiating an intercept before you had a local process running. This has been fixed and will result in an Empty reply from server until you start a local process.

Bug Fix: API keys no longer show as "no description"

New API keys generated internally for communication with Ambassador Cloud no longer show up as "no description" in the Ambassador Cloud web UI. Existing API keys generated by older versions of Telepresence will still show up this way.

Fix corruption of user-info.json

Fixed a race condition where logging in and logging out rapidly could cause memory corruption or corruption of the user-info.json cache file used when authenticating with Ambassador Cloud.

Improved DNS resolver for systemd-resolved

Telepresence's systemd-resolved-based DNS resolver is now more stable and in case it fails to initialize, the overriding resolver will no longer cause general DNS lookup failures when telepresence defaults to using it.

Faster telepresence list command

The performance of telepresence list has been increased significantly by reducing the number of calls the command makes to the cluster.

Version 2.3.6 (July 20, 2021)

Fix subnet discovery

Fixed a regression introduced in 2.3.5 where the Traffic Manager's RoleBinding did not correctly reference the traffic-manager Role, which prevented subnet discovery from working correctly.

Fix root-user configuration loading

Fixed a regression introduced in 2.3.5 where the root daemon did not correctly read the configuration file, ignoring the user's configured log levels and timeouts.

Fix a user daemon crash

Fixed an issue that could cause the user daemon to crash during shutdown, as during shutdown it unconditionally attempted to close a channel even though the channel might already be closed.

Version 2.3.5 (July 15, 2021)

Feature: traffic-manager in multiple namespaces

We now support installing multiple traffic managers in the same cluster. This will allow operators to install deployments of telepresence that are limited to certain namespaces.

No more dependence on kubectl

Telepresence no longer depends on having an external kubectl binary, which might not be present for OpenShift users (who have oc instead of kubectl).

Feature: Max gRPC receive size now configurable

The default max size of messages received through gRPC (4 MB) is sometimes insufficient. It can now be configured.

Feature: CLI can be used in air-gapped environments

While Telepresence will auto-detect if your cluster is in an air-gapped environment, we've added an option users can add to their config.yml to ensure the CLI acts like it is in an air-gapped environment. Air-gapped environments require a manually installed licence.

Version 2.3.4 (July 09, 2021)

Bug Fix: Improved IP log statements

Some log statements were printing incorrect characters where IP addresses should have appeared. This has been resolved, and the logging is now more accurate and useful.

Bug Fix: Improved messaging when multiple services match a workload

If multiple services matched a workload when performing an intercept, Telepresence would crash. It now gives the correct error message, instructing the user on how to specify which service the intercept should use.

Traffic-manager creates services in its own namespace to determine subnet

Telepresence will now determine the service subnet by creating a dummy-service in its own namespace, instead of the default namespace, which was causing RBAC permissions issues in some clusters.

Telepresence connect respects pre-existing clusterrole

When Telepresence connects, if the traffic-manager's desired clusterrole already exists in the cluster, Telepresence will no longer try to update the clusterrole.

Helm Chart fixed for clientRbac.namespaced

The Telepresence Helm chart no longer fails when installing with --set clientRbac.namespaced=true.

Version 2.3.3 (July 07, 2021)

Feature: Traffic Manager Helm Chart

Telepresence now supports installing the Traffic Manager via Helm. This will make it easy for operators to install and configure the server-side components of Telepresence separately from the CLI (which in turn allows for better separation of permissions).

Feature: Traffic-manager in custom namespace

As the traffic-manager can now be installed in any namespace via Helm, Telepresence can now be configured to look for the Traffic Manager in a namespace other than ambassador. This can be configured on a per-cluster basis.

Feature: Intercept --to-pod

telepresence intercept now supports a --to-pod flag that can be used to port-forward sidecars' ports from an intercepted pod.

Change in migration from edgectl

Telepresence no longer automatically shuts down the old api_version=1 edgectl daemon. If migrating from such an old version of edgectl you must now manually shut down the edgectl daemon before running Telepresence. This was already the case when migrating from the newer api_version=2 edgectl.

Fixed error during shutdown

The root daemon no longer terminates when the user daemon disconnects from its gRPC streams, and instead waits to be terminated by the CLI. The earlier behavior could cause problems with things not being cleaned up correctly.

Intercepts will survive deletion of intercepted pod

An intercept will survive deletion of the intercepted pod provided that another pod is created (or already exists) that can take over.

Version 2.3.2 (June 18, 2021)

Feature: Service Port Annotation

The mutator webhook for injecting traffic-agents now recognizes an annotation to specify which port to intercept, bringing the functionality of the --port flag to users who use the mutator webhook in order to control Telepresence via GitOps.

Outbound Connections

Outbound connections are now routed through the intercepted Pods which means that the connections originate from that Pod from the cluster's perspective. This allows service meshes to correctly identify the traffic.

Inbound Connections

Inbound connections from an intercepted agent are now tunneled to the manager over the existing gRPC connection, instead of establishing a new connection to the manager for each inbound connection. This avoids interference from certain service mesh configurations.

Traffic Manager needs new RBAC permissions

The Traffic Manager requires RBAC permissions to list Nodes, Pods, and to create a dummy Service in the manager's namespace.

Reduced developer RBAC requirements

The on-laptop client no longer requires RBAC permissions to list the Nodes in the cluster or to create Services, as that functionality has been moved to the Traffic Manager.

Bug Fix: Able to detect subnets

Telepresence will now detect the Pod CIDR ranges even if they are not listed in the Nodes.

Dynamic IP ranges

The list of cluster subnets that the virtual network interface will route is now configured dynamically and will follow changes in the cluster.

No duplicate subnets

Subnets fully covered by other subnets are now pruned internally and thus never superfluously added to the laptop's routing table.
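
The pruning rule described above, as an added Go example (not Telepresence's own code); the function name PruneSubnets and the sample CIDRs in main are constructed for illustration:

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// PruneSubnets parses CIDR strings and returns only those that are not fully
// covered by another subnet in the input. Exact duplicates collapse to one.
func PruneSubnets(cidrs []string) ([]string, error) {
	sorted := make([]netip.Prefix, 0, len(cidrs))
	for _, s := range cidrs {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("bad subnet %q: %w", s, err)
		}
		sorted = append(sorted, p.Masked()) // normalise 10.0.1.7/24 to 10.0.1.0/24
	}
	// Widest prefixes first, so a covering subnet is always kept before
	// the narrower subnets it covers are examined.
	sort.Slice(sorted, func(i, j int) bool {
		if sorted[i].Bits() != sorted[j].Bits() {
			return sorted[i].Bits() < sorted[j].Bits()
		}
		return sorted[i].Addr().Less(sorted[j].Addr())
	})
	var kept []netip.Prefix
	out := []string{}
next:
	for _, p := range sorted {
		for _, k := range kept {
			// k covers p when k is at least as wide and contains p's base
			// address; Contains never matches across IPv4 and IPv6.
			if k.Bits() <= p.Bits() && k.Contains(p.Addr()) {
				continue next
			}
		}
		kept = append(kept, p)
		out = append(out, p.String())
	}
	return out, nil
}

func main() {
	// Constructed sample: a service CIDR, a pod CIDR, per-node slices
	// (one listed twice) and an extra proxied range.
	routes, err := PruneSubnets([]string{"10.244.1.0/24", "10.244.0.0/16",
		"10.96.0.0/12", "10.244.1.0/24", "192.168.50.0/24", "10.100.3.0/24"})
	fmt.Println(routes, err)
}
```

Only the subnets that survive pruning would need a route, which keeps the workstation's routing table limited to the minimal covering set.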

Change in default timeout

The trafficManagerAPI timeout default has changed from 5 seconds to 15 seconds, in order to facilitate the extended time it takes for the traffic-manager to do its initial discovery of cluster info as a result of the above bugfixes.

Removal of DNS config files on macOS

On macOS, files generated under /etc/resolver/ as the result of using include-suffixes in the cluster config are now properly removed on quit.

Large file transfers

Telepresence no longer erroneously terminates connections early when sending a large HTTP response from an intercepted service.

Race condition in shutdown

When shutting down the user-daemon or root-daemon on the laptop, telepresence quit and related commands no longer return early before everything is fully shut down. By the time the command returns, all of its side effects on the laptop have been cleaned up.

Version 2.3.1 (June 14, 2021)

Feature: DNS Resolver Configuration

Telepresence now supports per-cluster configuration for custom DNS behavior, which will enable users to determine which local and remote resolvers to use and which suffixes should be ignored or included. These can be configured on a per-cluster basis.

Feature: AlsoProxy Configuration

Telepresence now supports also proxying user-specified subnets so that they can access external services only accessible to the cluster while connected to Telepresence. These can be configured on a per-cluster basis and each subnet is added to the TUN device so that requests are routed to the cluster for IPs that fall within that subnet.

Feature: Mutating Webhook for Injecting Traffic Agents

The Traffic Manager now contains a mutating webhook to automatically add an agent to pods that have the enabled annotation. This enables Telepresence to work well with GitOps CD platforms that rely on higher-level Kubernetes objects matching what is stored in git. For workloads without the annotation, Telepresence will add the agent the way it has in the past.

Change: Traffic Manager Connect Timeout

The trafficManagerConnect timeout default has changed from 20 seconds to 60 seconds, in order to facilitate the extended time it takes to apply everything needed for the mutator webhook.

Bug Fix: Fix for large file transfers

Fixed a tun-device bug where large transfers from services on the cluster would sometimes hang indefinitely.

Change: Brew Formula Changed

Now that the Telepresence rewrite is the main version of Telepresence, you can install it via Brew like so: brew install datawire/blackbird/telepresence.

Version 2.3.0 (June 01, 2021)

Feature: Brew install Telepresence

Telepresence can now be installed via brew on macOS, which makes it easier for users to stay up-to-date with the latest telepresence version. To install via brew, you can use the following command: brew install datawire/blackbird/telepresence2.

Feature: TCP and UDP routing via Virtual Network Interface

Telepresence will now perform routing of outbound TCP and UDP traffic via a Virtual Network Interface (VIF). The VIF is a layer 3 TUN-device that exists while Telepresence is connected. It makes the subnets in the cluster available to the workstation and will also route DNS requests to the cluster and forward them to intercepted pods. This means that pods with custom DNS configuration will work as expected. Prior versions of Telepresence would use firewall rules and were only capable of routing TCP.

Change: SSH is no longer used

All traffic between the client and the cluster is now tunneled via the traffic manager gRPC API. This means that Telepresence no longer uses ssh tunnels and that the manager no longer has an sshd installed. Volume mounts are still established using sshfs, but it is now configured to communicate using the sftp protocol directly, which means that the traffic agent also runs without sshd. A desired side effect of this is that the manager and agent containers no longer need a special user configuration.

Feature: Running in a Docker container

Telepresence can now be run inside a Docker container. This can be useful for avoiding side effects on a workstation's network, establishing multiple sessions with the traffic manager, or working with different clusters simultaneously.

Feature: Configurable Log Levels

Telepresence now supports configuring the log level for Root Daemon and User Daemon logs. This provides control over the nature and volume of information that Telepresence generates in daemon.log and connector.log.

Version 2.2.2 (May 17, 2021)

Feature: Legacy Telepresence subcommands

Telepresence is now able to translate common legacy Telepresence commands into native Telepresence commands. So if you want to get started quickly, you can just use the same legacy Telepresence commands you are used to with the new Telepresence binary.

For a detailed list of all the changes in past releases, please consult the CHANGELOG.