Announcing Linkerd 2.11: Policy, gRPC retries, performance improvements, and more!

Today we’re very happy to announce the release of Linkerd 2.11. This release marks a major step forward for Linkerd by introducing policy, a long-awaited feature that allows users to control which services are allowed to connect and send requests to each other. This release also introduces a host of improvements and performance enhancements, including retries for gRPC calls, a general fix for container startup ordering issues, an even smaller proxy, an even smaller control plane, and lots more.
If you’re running Linkerd today and are curious about the upgrade process, Buoyant will be hosting a free Upgrading to Linkerd 2.11 workshop on Thursday, Oct 23rd, 9am PT.
This release includes a lot of hard work from over 30 contributors. A special thank you to Gustavo Fernandes de Carvalho, Oleg Vorobev, Bart Peeters, Stepan Rabotkin, LiuDui, Andrew Hemming, Ujjwal Goyal, Knut Götz, Sanni Michael, Brandon Sorgdrager, Gerald Pape, Alexey Kostin, rdileep13, Takumi Sue, Akshit Grover, Sanskar Jaiswal, Aleksandr Tarasov, Taylor, Miguel Ángel Pastor Olivar, wangchenglong01, Josh Soref, Carol Chen, Peter Smit, Tarvi Pillessaar, James Roper, Dominik Münch, Szymon Gibała, and Mitch Hulscher for all your hard work!
Authorization policy
Linkerd’s new server authorization policy feature gives you fine-grained control of which services are allowed to communicate with each other. These policies are built directly on the secure service identities provided by Linkerd’s automatic mTLS feature. In keeping with Linkerd’s design principles, authorization policies are expressed in a composable, Kubernetes-native way that requires a minimum of configuration but that can express a wide range of behaviors.
To accomplish this, Linkerd 2.11 introduces a set of default authorization policies that can be applied at the cluster, namespace, or pod level simply by setting a Kubernetes annotation, including:
all-authenticated
(only allow requests from mTLS-validated services);all-unauthenticated
(allow all requests)deny
(deny all requests)- … and more.
Linkerd 2.11 additionally introduces two new CRDs, Server
and
ServerAuthorization
, which together allow fine-grained policies to be applied
across arbitrary sets of pods. For example, a Server can select across all
admin ports on all pods in a namespace, and a ServerAuthorization can allow
health check connection from kubelet, or
mTLS connections for metrics
collection.
Together, these annotations and CRDs allow you to easily specify a wide range of policies for your cluster, from “all traffic is allowed” to “port 8080 on service Foo can only receive mTLS traffic from services using the Bar service account”, to lots more. (See the full policy docs »)

Retries for HTTP requests with bodies
Retrying failed requests is a critical part of Linkerd’s ability to improve the reliability of Kubernetes applications. Until now, for reasons of performance, Linkerd has only allowed retries for body-less requests, e.g. HTTP GETs. In 2.11, Linkerd can also retry failed requests with bodies, including gRPC requests, with a maximum body size of 64KB.
Container startup ordering workaround
Linkerd 2.11 now ensures, by default, that the linkerd2-proxy
container is
ready before any other containers in the pod are initialized. This is a
workaround for Kubernetes’s much-lamented lack of control over container
startup ordering, and addresses a large class of tricky race conditions where
application containers attempt to connect before the proxy is ready.
Even smaller, faster, and lighter
As usual, Linkerd 2.11 continues our goal of keeping Linkerd the lightest, fastest possible service mesh for Kubernetes. Relevant changes in 2.11 include:
- The control plane is down to just 3 deployments.
- Linkerd’s data plane “micro-proxy” is even smaller and faster thanks to the highly active Rust networking ecosystem.
- SMI features have been mostly removed from the core control plane, and moved to an extension.
- Linkerd images now use minimal “distroless” base images.
And lots more!
Linkerd 2.11 also has a tremendous list of other improvements, performance enhancements, and bug fixes, including:
- New CLI tab completion for Kubernetes resources.
- All
config.linkerd.io
annotations can now be set onNamespace
resources and they will serve as defaults for pods created in that namespace. - A new
linkerd check -o short
command with, you know, short output. - A new Extensions page in the dashboard
- Fuzz testing for the proxy!
- The proxy now sets informational
l5d-client-id
andl5d-proxy-error
headers - Lots of improvements to Helm configurability and to
linkerd check
- Experimental support for
StatefulSets
withlinkerd-multicluster
- And lots more!
See the full release notes for details.
What’s next for Linkerd?
2021 has been a incredible year for Linkerd. Recently, Linkerd became the only CNCF graduated service mesh, joining projects like Kubernetes, Prometheus, and Envoy at the foundation’s highest level of maturity. Linkerd’s benchmarks continue to show that it is dramatically faster and lighter than other service meshes. The Linkerd community also recently introduced the Linkerd Ambassador program, recognizing those community members who demonstrate passion, engagement, and a commitment to sharing Linkerd with the border community, and organizations around the world are adopting Linkerd, often while coming from other meshes.
In the next few Linkerd releases, we’ll be working on additional types of policy, including client-side policy, including circuit breaking), mesh expansion to allow the data plane to run outside of Kubernetes, and for the rest of the Linkerd roadmap. If you have feature requests, of course, we’d love to hear them!
Linkerd is for everyone
Linkerd is a graduated project of the Cloud Native Computing Foundation. Linkerd is committed to open governance. If you have feature requests, questions, or comments, we’d love to have you join our rapidly-growing community! Linkerd is hosted on GitHub, and we have a thriving community on Slack, Twitter, and the mailing lists. Come and join the fun!