Today we’re very happy to announce the release of Linkerd 2.11. This release marks a major step forward for Linkerd by introducing policy, a long-awaited feature that allows users to control which services are allowed to connect and send requests to each other. This release also introduces a host of improvements and performance enhancements, including retries for gRPC calls, a general fix for container startup ordering issues, an even smaller proxy, an even smaller control plane, and lots more.
If you’re running Linkerd today and are curious about the upgrade process, Buoyant will be hosting a free Upgrading to Linkerd 2.11 workshop on Thursday, Oct 23rd, 9am PT.
This release includes a lot of hard work from over 30 contributors. A special thank you to Gustavo Fernandes de Carvalho, Oleg Vorobev, Bart Peeters, Stepan Rabotkin, LiuDui, Andrew Hemming, Ujjwal Goyal, Knut Götz, Sanni Michael, Brandon Sorgdrager, Gerald Pape, Alexey Kostin, rdileep13, Takumi Sue, Akshit Grover, Sanskar Jaiswal, Aleksandr Tarasov, Taylor, Miguel Ángel Pastor Olivar, wangchenglong01, Josh Soref, Carol Chen, Peter Smit, Tarvi Pillessaar, James Roper, Dominik Münch, Szymon Gibała, and Mitch Hulscher for all your hard work!
Linkerd’s new server authorization policy feature gives you fine-grained control of which services are allowed to communicate with each other. These policies are built directly on the secure service identities provided by Linkerd’s automatic mTLS feature. In keeping with Linkerd’s design principles, authorization policies are expressed in a composable, Kubernetes-native way that requires a minimum of configuration but that can express a wide range of behaviors.
To accomplish this, Linkerd 2.11 introduces a set of default authorization policies that can be applied at the cluster, namespace, or pod level simply by setting a Kubernetes annotation, including:
all-authenticated(only allow requests from mTLS-validated services);
all-unauthenticated(allow all requests)
deny(deny all requests)
- … and more.
Linkerd 2.11 additionally introduces two new CRDs,
ServerAuthorization, which together allow fine-grained policies to be applied
across arbitrary sets of pods. For example, a Server can select across all
admin ports on all pods in a namespace, and a ServerAuthorization can allow
health check connection from kubelet, or
mTLS connections for metrics
Together, these annotations and CRDs allow you to easily specify a wide range of policies for your cluster, from “all traffic is allowed” to “port 8080 on service Foo can only receive mTLS traffic from services using the Bar service account”, to lots more. (See the full policy docs »)
Retries for HTTP requests with bodies
Retrying failed requests is a critical part of Linkerd’s ability to improve the reliability of Kubernetes applications. Until now, for reasons of performance, Linkerd has only allowed retries for body-less requests, e.g. HTTP GETs. In 2.11, Linkerd can also retry failed requests with bodies, including gRPC requests, with a maximum body size of 64KB.
Container startup ordering workaround
Linkerd 2.11 now ensures, by default, that the
linkerd2-proxy container is
ready before any other containers in the pod are initialized. This is a
workaround for Kubernetes’s much-lamented lack of control over container
startup ordering, and addresses a large class of tricky race conditions where
application containers attempt to connect before the proxy is ready.
Even smaller, faster, and lighter
As usual, Linkerd 2.11 continues our goal of keeping Linkerd the lightest, fastest possible service mesh for Kubernetes. Relevant changes in 2.11 include:
- The control plane is down to just 3 deployments.
- Linkerd’s data plane “micro-proxy” is even smaller and faster thanks to the highly active Rust networking ecosystem.
- SMI features have been mostly removed from the core control plane, and moved to an extension.
- Linkerd images now use minimal “distroless” base images.
And lots more!
Linkerd 2.11 also has a tremendous list of other improvements, performance enhancements, and bug fixes, including:
- New CLI tab completion for Kubernetes resources.
config.linkerd.ioannotations can now be set on
Namespaceresources and they will serve as defaults for pods created in that namespace.
- A new
linkerd check -o shortcommand with, you know, short output.
- A new Extensions page in the dashboard
- Fuzz testing for the proxy!
- The proxy now sets informational
- Lots of improvements to Helm configurability and to
- Experimental support for
- And lots more!
See the full release notes for details.
What’s next for Linkerd?
2021 has been a incredible year for Linkerd. Recently, Linkerd became the only CNCF graduated service mesh, joining projects like Kubernetes, Prometheus, and Envoy at the foundation’s highest level of maturity. Linkerd’s benchmarks continue to show that it is dramatically faster and lighter than other service meshes. The Linkerd community also recently introduced the Linkerd Ambassador program, recognizing those community members who demonstrate passion, engagement, and a commitment to sharing Linkerd with the border community, and organizations around the world are adopting Linkerd, often while coming from other meshes.
In the next few Linkerd releases, we’ll be working on additional types of policy, including client-side policy, including circuit breaking), mesh expansion to allow the data plane to run outside of Kubernetes, and for the rest of the Linkerd roadmap. If you have feature requests, of course, we’d love to hear them!
Linkerd is for everyone
Linkerd is a graduated project of the Cloud Native Computing Foundation. Linkerd is committed to open governance. If you have feature requests, questions, or comments, we’d love to have you join our rapidly-growing community! Linkerd is hosted on GitHub, and we have a thriving community on Slack, Twitter, and the mailing lists. Come and join the fun!