We’re very happy to announce the release of Linkerd 2.8! This release introduces a new multi-cluster extension to Linkerd, allowing it to establish connections across Kubernetes clusters that are secure, transparent to the application, and work with any network topology. We believe this is the simplest option for secure Kubernetes multi-cluster connectivity available today. The 2.8 release also makes Linkerd more modular with the beginnings of an add-on system, and introduces a variety of other features and stability improvements.
This release includes changes from a massive list of contributors. A special thank you to Arthur Silva Sens, Matei David, Ali Ariff,amariampolskiy,arminbuerkle, Christian Hüning, Christy Jacob, Lutz Behnke, Dax McDonald, Saurav Tiwary, drholmie, EMEHINOLA Idowu, Joakim Roubert, jpresky, Kohsheen Tiku, Lewis Cowper, Alex Lundberg, Mayank Shah, mmiller1, Naseem Ullah, Sanni Michael, and Supratik Das for your hard work.
Multi-cluster Kubernetes the Kubernetes way
Linkerd 2.8’s new multi-cluster feature means that Linkerd can now connect Kubernetes services across cluster boundaries in a way that’s secure, fully transparent to the application, and independent of network topology. As discussed in our earlier posts, this multi-cluster feature is designed to meet some critical goals:
- Providing a unified trust domain. The identity of source and destination workloads must be validated at every step, both in and across cluster boundaries.
- Separating failure domains. A cluster outage should still allow the remaining clusters to function.
- Supporting heterogeneous networks. Since clusters can span clouds, VPCs, on-premises data centers, and combinations thereof, Linkerd should not introduce any L3/L4 requirements other than gateway connectivity.
- Providing a unified model with in-cluster communication. The same observability, reliability, and security features that Linkerd provides for in-cluster communication should extend to this new cross-cluster communication.
Just as with in-cluster connections, Linkerd’s cross-cluster connections are
transparent to the application code. A service A on cluster west can talk to
a service C on cluster east simply by addressing it directly as
by addressing it as
C and having Linkerd automatically route (or even shift
just a portion of) traffic for that service to cluster east. Regardless of
whether that communication happens within a cluster, across clusters within a
datacenter or VPC, or across the public Internet, Linkerd will establish a
connection between clusters that’s encrypted and authenticated on both sides
This new multi-cluster functionality unlocks a whole host of use cases for Linkerd, including failover (transitioning traffic across datacenters or cloud in the presence of failure); “inverted multi-tenancy” (each tenant gets their own cluster); hybrid cloud (workloads can move between on-premises and cloud environments without affecting the rest of the application); and more.
Finally, like all Linkerd features, Linkerd’s “service mirroring” approach to multi-cluster leverages as much existing Kubernetes functionality as possible and adds the bare minimum of additional machinery. Remote services are represented directly as Kubernetes services; no new CRDs are introduced; and configuration complexity is kept to a bare minimum.
Ambassador support for Multi-cluster
We’re happy to report that our friends at the Ambassador project have already created a multi-cluster integration, allowing Ambassador users to leverage Ambassador deployments as Linkerd’s multi-cluster gateway! Learn more in the Ambassador blog post.
The 2.8 release also introduces a simple add-on system for adding (or removing!) bundles of functionality from Linkerd. Linkerd 2.8 ships with two addons:
- A Jaeger add-on, which adds the Jaeger and oc-collector components for collecting and displaying distributed tracing to your cluster.
- A Grafana add-on (enabled by default) which adds Grafana graphs to Linkerd’s dashboard.
In the future we’ll be moving more functionality into add-ons, allowing you to, for example, remove the default Prometheus installation and replace it with your own–or potentially with none at all.
And lots more
Linkerd 2.8 also has a tremendous list of other improvements, performance enhancements, and bug fixes, including:
- The Helm chart is more flexible and modular, with new Prometheus configuration options.
- The proxy now labels emitted distributed tracing spans with pod metadata.
- Various performance improvements to the proxy to reduce contention, improving latency, and reduce spurious timeouts.
- Automatic prevention of common traffic-loop scenarios.
See the full release notes for details.
Linkerd’s upcoming roadmap
We believe that Linkerd’s core value is connectivity–and that in a cloud native world, connectivity doesn’t just mean “A and B can exchange packets”, but rather “A and B can exchange packets in a way that validates the identity on both sides; has clear authorization semantics; is confidential to third parties; and is measurable and inspectable”.
As we look ahead, we see Linkerd’s ability to create this connectivity transforming it into the security plane for your Kubernetes infra. The 2.8 release marks a major step forward in that direction, and the next several releases will flesh out Linkerd’s featureset, including by extending mTLS to all connections; introducing policy; and much more. Stay tuned for lots more on this topic.
Try it today!
Ready to try Linkerd? Those of you who have been tracking the 2.x branch via our weekly edge releases will already have seen these features in action. Either way, you can download the stable 2.8 release by running:
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
Linkerd is for everyone
Linkerd is a community project and is hosted by the Cloud Native Computing Foundation. Linkerd is committed to open governance. If you have feature requests, questions, or comments, we’d love to have you join our rapidly-growing community! Linkerd is hosted on GitHub, and we have a thriving community on Slack, Twitter, and the mailing lists. Come and join the fun!