Feb 21, 2024: Announcing Linkerd 2.15 with support for VM workloads, native sidecars, and SPIFFE! Read more »

Announcing Linkerd 2.11: Policy, gRPC retries, performance improvements, and more!

William Morgan

William Morgan
September 30, 2021 • 5 min read

Lots of lock boxes at a bank

Today we’re very happy to announce the release of Linkerd 2.11. This release marks a major step forward for Linkerd by introducing policy, a long-awaited feature that allows users to control which services are allowed to connect and send requests to each other. This release also introduces a host of improvements and performance enhancements, including retries for gRPC calls, a general fix for container startup ordering issues, an even smaller proxy, an even smaller control plane, and lots more.

If you’re running Linkerd today and are curious about the upgrade process, Buoyant will be hosting a free Upgrading to Linkerd 2.11 workshop on Thursday, Oct 23rd, 9am PT.

This release includes a lot of hard work from over 30 contributors. A special thank you to Gustavo Fernandes de Carvalho, Oleg Vorobev, Bart Peeters, Stepan Rabotkin, LiuDui, Andrew Hemming, Ujjwal Goyal, Knut Götz, Sanni Michael, Brandon Sorgdrager, Gerald Pape, Alexey Kostin, rdileep13, Takumi Sue, Akshit Grover, Sanskar Jaiswal, Aleksandr Tarasov, Taylor, Miguel Ángel Pastor Olivar, wangchenglong01, Josh Soref, Carol Chen, Peter Smit, Tarvi Pillessaar, James Roper, Dominik Münch, Szymon Gibała, and Mitch Hulscher for all your hard work!

Authorization policy

Linkerd’s new server authorization policy feature gives you fine-grained control of which services are allowed to communicate with each other. These policies are built directly on the secure service identities provided by Linkerd’s automatic mTLS feature. In keeping with Linkerd’s design principles, authorization policies are expressed in a composable, Kubernetes-native way that requires a minimum of configuration but that can express a wide range of behaviors.

To accomplish this, Linkerd 2.11 introduces a set of default authorization policies that can be applied at the cluster, namespace, or pod level simply by setting a Kubernetes annotation, including:

  • all-authenticated (only allow requests from mTLS-validated services);
  • all-unauthenticated (allow all requests)
  • deny (deny all requests)
  • … and more.

Linkerd 2.11 additionally introduces two new CRDs, Server and ServerAuthorization, which together allow fine-grained policies to be applied across arbitrary sets of pods. For example, a Server can select across all admin ports on all pods in a namespace, and a ServerAuthorization can allow health check connection from kubelet, or mTLS connections for metrics collection.

Together, these annotations and CRDs allow you to easily specify a wide range of policies for your cluster, from “all traffic is allowed” to “port 8080 on service Foo can only receive mTLS traffic from services using the Bar service account”, to lots more. (See the full policy docs »)

Linkerd policy, as seen from Buoyant Cloud
Linkerd policy, as seen by Buoyant Cloud

Retries for HTTP requests with bodies

Retrying failed requests is a critical part of Linkerd’s ability to improve the reliability of Kubernetes applications. Until now, for reasons of performance, Linkerd has only allowed retries for body-less requests, e.g. HTTP GETs. In 2.11, Linkerd can also retry failed requests with bodies, including gRPC requests, with a maximum body size of 64KB.

Container startup ordering workaround

Linkerd 2.11 now ensures, by default, that the linkerd2-proxy container is ready before any other containers in the pod are initialized. This is a workaround for Kubernetes’s much-lamented lack of control over container startup ordering, and addresses a large class of tricky race conditions where application containers attempt to connect before the proxy is ready.

Even smaller, faster, and lighter

As usual, Linkerd 2.11 continues our goal of keeping Linkerd the lightest, fastest possible service mesh for Kubernetes. Relevant changes in 2.11 include:

  • The control plane is down to just 3 deployments.
  • Linkerd’s data plane “micro-proxy” is even smaller and faster thanks to the highly active Rust networking ecosystem.
  • SMI features have been mostly removed from the core control plane, and moved to an extension.
  • Linkerd images now use minimal “distroless” base images.

And lots more!

Linkerd 2.11 also has a tremendous list of other improvements, performance enhancements, and bug fixes, including:

  • New CLI tab completion for Kubernetes resources.
  • All config.linkerd.io annotations can now be set on Namespace resources and they will serve as defaults for pods created in that namespace.
  • A new linkerd check -o short command with, you know, short output.
  • A new Extensions page in the dashboard
  • Fuzz testing for the proxy!
  • The proxy now sets informational l5d-client-id and l5d-proxy-error headers
  • Lots of improvements to Helm configurability and to linkerd check
  • Experimental support for StatefulSets with linkerd-multicluster
  • And lots more!

See the full release notes for details.

What’s next for Linkerd?

2021 has been a incredible year for Linkerd. Recently, Linkerd became the only CNCF graduated service mesh, joining projects like Kubernetes, Prometheus, and Envoy at the foundation’s highest level of maturity. Linkerd’s benchmarks continue to show that it is dramatically faster and lighter than other service meshes. The Linkerd community also recently introduced the Linkerd Ambassador program, recognizing those community members who demonstrate passion, engagement, and a commitment to sharing Linkerd with the border community, and organizations around the world are adopting Linkerd, often while coming from other meshes.

In the next few Linkerd releases, we’ll be working on additional types of policy, including client-side policy, including circuit breaking), mesh expansion to allow the data plane to run outside of Kubernetes, and for the rest of the Linkerd roadmap. If you have feature requests, of course, we’d love to hear them!

Linkerd is for everyone

Linkerd is a graduated project of the Cloud Native Computing Foundation. Linkerd is committed to open governance. If you have feature requests, questions, or comments, we’d love to have you join our rapidly-growing community! Linkerd is hosted on GitHub, and we have a thriving community on Slack, Twitter, and the mailing lists. Come and join the fun!

Photo credit

Photo by Tim Evans on Unsplash

Suggested Blog Posts