v0.3.0

Breaking changes

service.kubernetes.io/service-proxy-name: cozy-proxy label is now the sole selector. Services that relied on the networking.cozystack.io/wholeIP annotation alone (without the label) are no longer managed.

Port-filter is now the default ingress mode. A managed service without the wholeIP annotation only forwards the ports declared in Service.spec.ports. Whole-IP passthrough (the previous default) is opt-in via networking.cozystack.io/wholeIP: "true".

How to upgrade from v0.2.x

For every Service you want cozy-proxy to manage:

1. Add the label service.kubernetes.io/service-proxy-name: cozy-proxy. Without it, cozy-proxy will ignore the Service after the upgrade and traffic will fall back to whatever kube-proxy / Cilium configures.
2. If you want whole-IP passthrough (all ports forwarded), keep or add networking.cozystack.io/wholeIP: "true". Without this annotation the Service falls into per-port filtering and only spec.ports reach the backend pod.
3. If you need ICMP (ping, PMTU discovery, ICMP unreachable) in port-filter mode, add networking.cozystack.io/allowICMP: "true".

In Cozystack, the vm-instance chart already emits the label for external VM Services (cozystack/cozystack#2357), so VM workloads upgrade transparently as long as you update the cozy-proxy image alongside the chart.

New features

• Per-service ingress port filtering (#11). With networking.cozystack.io/wholeIP: "false", cozy-proxy drops ingress traffic to the LoadBalancer IP on ports not listed in Service.spec.ports. The datapath was split into egress_snat (raw, -300), ingress_dnat (mangle, -150), and port_filter (filter, 0) chains so conntrack can match return packets correctly. Thanks @mattia-eleuteri.
• allowICMP annotation (#12). networking.cozystack.io/allowICMP: "true" accepts ICMP toward a pod IP that is otherwise port-filtered. Without this opt-in, ICMP to a port-filtered pod is dropped — which also breaks ping, PMTU discovery (ICMP "fragmentation needed"), and ICMP unreachable signalling.
• Label-based selector (#9). The standard Kubernetes service.kubernetes.io/service-proxy-name: cozy-proxy label now selects services for cozy-proxy management. It also makes kube-proxy ignore the service, eliminating rule conflicts in plain kube-proxy (iptables / IPVS) clusters such as RKE2 with Calico — which previously broke outbound SNAT in v0.2.0.

Fixes

• Probe and metrics endpoints disabled by default (#10, fixes #5). The --health-probe-bind-address and --metrics-bind-address flags defaulted to :0, which in controller-runtime means "bind to a random free port" rather than "disabled". Combined with hostNetwork: true in the chart, this surfaced two unexpected high-port listeners on every node. Defaults are now 0 (disabled). Pass an explicit address via flag to opt in.

Other

• Internal: controller wiring consolidated into reconcilePortFilter / clearPortFilter helpers (#12).

Full changelog: v0.2.0...v0.3.0

v0.2.0

What's Changed

• Proofread the readme.md by @NickVolynkin in #4
• Move SNAT/DNAT to raw table early_snat chain by @kvaps in #6

New Contributors

• @NickVolynkin made their first contribution in #4

Full Changelog: v0.1.4...v0.2.0

v0.1.4

What's Changed

• Move project from aenix-io to cozystack repository by @kvaps in #3

New Contributors

• @kvaps made their first contribution in #3

Full Changelog: v0.1.3...v0.1.4

v0.1.3

Full Changelog: v0.1.2...v0.1.3

v0.1.2

Full Changelog: v0.1.1...v0.1.2

v0.1.1

Full Changelog: v0.1.0...v0.1.1

v0.1.0

Full Changelog: https://github.com/aenix-io/cozy-proxy/commits/v0.1.0