
UDS Core 1.4

UDS Core 1.4 adds UDP support to Package Allow entries for generating NetworkPolicies, opt-in PROXY protocol v2 parsing for Istio gateways behind an upstream NLB, and bumps uds-identity-config to 0.27.0 to disable authenticated Dynamic Client Registration in the uds realm. Existing clusters require a one-time manual realm change to apply the new max-clients policy (see below); new installs pick it up automatically.

  • UDP support in Allow entries: Allow entries on the Package CR can now generate NetworkPolicies for UDP workloads. UDP traffic does not flow through the Istio mesh, so it does not get the same encryption and security guarantees as TCP traffic in the mesh. Apps using UDP must handle their own transport encryption (e.g. DTLS, QUIC) (#2641)
  • Opt-in PROXY protocol v2 for Istio gateways: adds a per-gateway proxyProtocol.enabled value on the uds-istio-config chart that installs an EnvoyFilter to parse PROXY protocol v2 in permissive mode. Permissive parsing lets external NLB traffic with a PP2 header coexist with in-cluster mesh traffic (e.g. Grafana → Keycloak) that does not carry a header. Use this instead of the global meshConfig.defaultConfig.gatewayTopology.proxyProtocol setting, which is strict-only and breaks intra-mesh SSO flows. See Configure NLB proxy protocol and #2660
  • Authenticated Dynamic Client Registration disabled by default for new installs: Identity Config 0.27.0 ships with a max-clients policy that blocks authenticated Dynamic Client Registration in the uds realm. Existing clusters require a one-time manual realm change (see below).
  • Kubernetes 1.35 in CI: EKS, AKS, RKE2, and k3d test matrices now run against Kubernetes 1.35 (#2626).
  • AKS admissions-enforcer conflict fix on Pepr webhooks: Pepr 1.2.0 adds support for webhook annotations and labels (pepr#3107). UDS Core sets admissions.enforcer/disabled: "true" on the Pepr admission webhook so the AKS admissionsenforcer controller no longer mutates namespaceSelector on pepr-uds-core.pepr.dev and pepr-uds-core-istio-system.pepr.dev. Without this annotation, Helm and Zarf upgrades on AKS failed with server-side apply conflicts against the admissionsenforcer field manager. See upstream pepr#3105 and Azure/AKS#4002.
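To make the permissive-versus-strict distinction in the PROXY protocol item concrete, here is a small PROXY protocol v2 parser. It is an added example written for this page, not code from UDS Core, Istio or Envoy; the EnvoyFilter that the `proxyProtocol.enabled` value installs does this parsing inside Envoy. The byte layout (12-byte signature, version/command byte, family/protocol byte, 16-bit length, then addresses) follows the PROXY protocol v2 specification; the sample connections and the `build_pp2_ipv4` helper are constructed test input.

```python
"""Permissive PROXY protocol v2 parsing (added example, not UDS Core or Istio code)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# 12-byte signature that every PROXY protocol v2 header starts with.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


@dataclass
class ProxyInfo:
    """Original client and destination addresses as relayed by the load balancer."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


def parse_pp2_permissive(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Return (ProxyInfo or None, payload that follows the header).

    Permissive: a stream that does not begin with the PP2 signature is treated
    as a plain connection and handed back untouched (ProxyInfo is None). That
    is what lets in-mesh traffic without a header share a listener with NLB
    traffic that carries one.
    """
    if not data.startswith(PP2_SIGNATURE):
        return None, data
    if len(data) < 16:
        raise ValueError("truncated PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError(f"unsupported PROXY protocol version {ver_cmd >> 4}")
    end = 16 + length
    if len(data) < end:
        raise ValueError("truncated PROXY v2 address block")
    body, rest = data[16:end], data[end:]
    command = ver_cmd & 0x0F
    if command == 0x0:
        # LOCAL: connection opened by the proxy itself (e.g. a health check);
        # there is no original client address to recover.
        return None, rest
    if command != 0x1:
        raise ValueError(f"unknown PROXY v2 command {command:#x}")
    family = fam_proto >> 4
    if family == 0x1:  # AF_INET: 4+4 byte addresses, 2+2 byte ports
        if length < 12:
            raise ValueError("address block too short for AF_INET")
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        return ProxyInfo(socket.inet_ntop(socket.AF_INET, src), sport,
                         socket.inet_ntop(socket.AF_INET, dst), dport), rest
    if family == 0x2:  # AF_INET6: 16+16 byte addresses, 2+2 byte ports
        if length < 36:
            raise ValueError("address block too short for AF_INET6")
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        return ProxyInfo(socket.inet_ntop(socket.AF_INET6, src), sport,
                         socket.inet_ntop(socket.AF_INET6, dst), dport), rest
    if family == 0x0:  # AF_UNSPEC: header present but addresses unknown
        return None, rest
    raise ValueError(f"unsupported PROXY v2 address family {family:#x}")


def parse_pp2_strict(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Strict variant, the behaviour of the global gatewayTopology.proxyProtocol
    setting: a header is mandatory, so a header-less in-mesh connection (for
    example Grafana reaching Keycloak for SSO) is rejected."""
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("PROXY v2 header required but absent")
    return parse_pp2_permissive(data)


def build_pp2_ipv4(src_addr: str, src_port: int, dst_addr: str, dst_port: int,
                   payload: bytes = b"") -> bytes:
    """Build a PP2 PROXY/TCP4 header the way a load balancer would (constructed input)."""
    addrs = struct.pack("!4s4sHH", socket.inet_aton(src_addr),
                        socket.inet_aton(dst_addr), src_port, dst_port)
    # 0x21 = version 2, command PROXY; 0x11 = AF_INET, STREAM (TCP)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs + payload


if __name__ == "__main__":
    # Constructed samples: NLB traffic with a header, mesh traffic without one.
    from_nlb = build_pp2_ipv4("203.0.113.7", 40000, "10.0.0.5", 443, b"\x16\x03\x01")
    from_mesh = b"\x16\x03\x01"  # first bytes of a TLS record, no PROXY header
    print("nlb :", parse_pp2_permissive(from_nlb))
    print("mesh:", parse_pp2_permissive(from_mesh))
```

One caveat for defenders that follows from the permissive design: the parser takes whatever address the header claims, so the recovered client address is only trustworthy when nothing but the NLB can reach the gateway listener. Keep the gateway's node ports or internal addresses unreachable from untrusted networks, and treat a PP2-derived source address in gateway logs as load-balancer-asserted, not as verified.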
| Package | Previous | Updated |
|---|---|---|
| Keycloak | 26.5.7 | 26.6.1 |
| UDS Identity Config | 0.26.1 | 0.27.0 |
| Pepr | 1.1.7 | 1.2.0 |
| Prometheus | v3.11.2 | v3.11.3 |
| Alertmanager | v0.32.0 | v0.32.1 |
| Vector | 0.54.0 | 0.55.0 |
| Falco | 0.43.0 | 0.43.1 |
| Falcosidekick | 2.32.0 | 2.33.0 |
| kube-prometheus-stack Helm chart | 84.0.0 | 84.5.0 |
| Blackbox Exporter Helm chart | 11.9.1 | 11.9.2 |

Identity Config 0.27.0 hardens the uds realm by disabling authenticated Dynamic Client Registration. New installs apply this automatically. Existing clusters need a one-time manual change in the Keycloak admin console.

Manual realm changes (Identity Config 0.27.0)


Apply the following steps once per cluster after upgrading to UDS Core 1.4:

  1. Open the Keycloak admin console and switch to the uds realm

    Sign in with an admin account, then select the uds realm from the realm selector.

  2. Navigate to the authenticated client registration policies

    In the left sidebar click Clients, select the Client registration tab, then select the Authenticated access policies tab.

  3. Create a max-clients policy that blocks new client registrations

    Click Create client policy, choose max-clients as the provider, set the policy Name to max-clients, and set Max Clients Per Realm to 0. Save the policy.
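Because the realm change above is manual and per cluster, it is worth verifying afterwards that every cluster actually carries the policy. The check below is an added example, not part of UDS Core or uds-identity-config. It reads a Keycloak realm export (Realm settings, Partial export in the admin console, or a `kc.sh export` dump) and confirms that an authenticated max-clients policy with a limit of 0 exists. It assumes Keycloak's usual storage layout for client registration policies, namely components of provider type `org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy` with `providerId` `max-clients`, a `subType` of `authenticated` or `anonymous`, and the limit under the config key `max-clients`; the two realm exports in the block are constructed, and the `/admin/realms/uds/components` endpoint named in `max_clients_component` is an assumption about the Keycloak admin API to be checked against your version's documentation.

```python
"""Verify that authenticated client registration is blocked in the uds realm
(added example; not part of UDS Core or uds-identity-config)."""
from typing import List

# providerType under which Keycloak stores client registration policies in a
# realm export and in the admin API's components endpoint (assumed layout).
POLICY_TYPE = "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy"


def max_clients_limits(realm_export: dict, sub_type: str) -> List[int]:
    """Return the limit of every max-clients policy for one registration mode.

    sub_type is "authenticated" or "anonymous"; Keycloak keeps a separate
    policy set for each, and the console steps above only touch the former.
    """
    limits = []
    for comp in realm_export.get("components", {}).get(POLICY_TYPE, []):
        if comp.get("providerId") != "max-clients" or comp.get("subType") != sub_type:
            continue
        # Component config values are stored as lists of strings.
        values = comp.get("config", {}).get("max-clients", [])
        if values:
            try:
                limits.append(int(values[0]))
            except ValueError:
                pass  # malformed value; does not count as a blocking policy
    return limits


def authenticated_registration_blocked(realm_export: dict) -> bool:
    """True when at least one authenticated max-clients policy is set to 0.

    Every policy of a sub type is evaluated on registration; a single limit
    of 0 means the realm already holds >= 0 clients, so any request is refused.
    """
    return any(limit == 0 for limit in max_clients_limits(realm_export, "authenticated"))


def max_clients_component(name: str = "max-clients", limit: int = 0) -> dict:
    """Component representation equivalent to the console step: the body one
    would POST to /admin/realms/uds/components (endpoint name is an assumption)."""
    return {
        "name": name,
        "providerId": "max-clients",
        "providerType": POLICY_TYPE,
        "subType": "authenticated",
        "config": {"max-clients": [str(limit)]},
    }


# Constructed realm exports: Keycloak's default limit only, and after the change.
REALM_BEFORE = {
    "realm": "uds",
    "components": {
        POLICY_TYPE: [
            {"name": "Max Clients Limit", "providerId": "max-clients",
             "subType": "authenticated", "config": {"max-clients": ["200"]}},
            {"name": "Max Clients Limit", "providerId": "max-clients",
             "subType": "anonymous", "config": {"max-clients": ["200"]}},
        ]
    },
}
REALM_AFTER = {
    "realm": "uds",
    "components": {
        POLICY_TYPE: REALM_BEFORE["components"][POLICY_TYPE] + [max_clients_component()]
    },
}

if __name__ == "__main__":
    for label, realm in (("before", REALM_BEFORE), ("after", REALM_AFTER)):
        print(label, "authenticated limits:", max_clients_limits(realm, "authenticated"),
              "blocked:", authenticated_registration_blocked(realm))
```

Run it against each cluster's export and treat a `False` as an upgrade step still outstanding; the anonymous policy set is reported separately on purpose, since the realm hardening described here is specifically about the authenticated path.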

Defense in depth: Istio AuthorizationPolicy


In addition to the realm-level max-clients policy, UDS Core ships an Istio AuthorizationPolicy (keycloak-block-admin-access-from-public-gateway) on the Keycloak waypoint that denies all traffic to /realms/<realm>/clients-registrations/* from the public (tenant) gateway. This is a defense-in-depth control layered on top of the Keycloak policy, so a misconfigured realm policy still leaves the endpoint blocked at the mesh.