Project blog, cross-posted from Linkerd, written by William Morgan
We’re very happy to announce the release of Linkerd 2.9, the best Linkerd version yet! This release extends Linkerd’s zero-config mutual TLS (mTLS) support to all TCP connections, allowing Linkerd to transparently encrypt and authenticate all TCP connections in the cluster the moment it’s installed. The 2.9 release also adds ARM support, introduces a new multi-core proxy runtime for higher throughput, adds support for Kubernetes service topologies, and lots, lots more.
This release includes a lot of hard work from over 50 contributors. A special thank you to Abereham G Wodajie, Alexander Berger, Ali Ariff, Arthur Silva Sens, Chris Campbell, Daniel Lang, David Tyler, Desmond Ho, Dominik Münch, George Garces, Herrmann Hinz, Hu Shuai, Jeffrey N. Davis, Joakim Roubert, Josh Soref, Lutz Behnke, MaT1g3R, Marcus Vaal, Markus, Matei David, Matt Miller, Mayank Shah, Naseem, Nil, OlivierB, Olukayode Bankole, Paul Balogh, Rajat Jindal, Raphael Taylor-Davies, Simon Weald, Steve Gray, Suraj Deshmukh, Tharun Rajendran, Wei Lun, Zhou Hao, ZouYu, aimbot31, iohenkies, memory, and tbsoares for all your hard work!
Zero trust with zero-config, on-by-default mutual TLS
Linkerd has featured transparent, on-by-default mutual TLS for several releases—but only for HTTP traffic. In this release, we’ve removed that caveat. Now, Linkerd will automatically encrypt and validate all TCP connections between meshed endpoints, including automatically rotating the pod certificates every 24 hours and automatically tying TLS identity to the pod’s Kubernetes ServiceAccount. As always, this is 100% transparent to the application and requires no code changes or even developer awareness.
This automatic mTLS is a massive step towards zero trust security for Kubernetes users. By performing encryption and authentication to the pod boundary (the smallest unit of execution in Kubernetes), Linkerd provides “encryption in transit” in a modern, zero-trust form. In upcoming releases, we’ll extend this security-first featureset to include policy and enforcement, based on the strong cryptographic guarantees of identity and confidentiality provided by mTLS.
New multi-core proxy runtime
Linkerd’s blazing speed and ultra-low memory footprint compared to other service meshes like Istio are primarily due to its underlying Rust “micro-proxy”, Linkerd2-proxy (learn more about Linkerd2-proxy in Eliza Weisman’s “under the hood “post). This speed has made it possible to get by with a single-core runtime—but ultimately, a single core can only take you so far. In Linkerd 2.9 we’ve upgraded the proxy to a multi-core runtime, which allows for greater throughput and concurrency for individual pods.
This change has resulted in further performance improvements over Linkerd’s already lightning-fast latency profile. Over the next few weeks we’ll publish some benchmarks showing just how much you can expect from Linkerd 2.9.
Linkerd 2.9 also introduces the oft-requested support for ARM! Whether you’re focused on cost reduction with ARM-based compute such as AWS Graviton or simply want to run Linkerd on your Raspberry Pi cluster, now you can! A huge thanks to GSoC student Ali Ariff for this feature.
Support for Kubernetes service topologies
Linkerd 2.9 introduces support for Kubernetes’s new service topology feature! This means that you can now introduce routing preferences such as “requests should stay in this node” or “requests should stay in this region”. This can provide significant performance improvements and cost savings, especially for larger applications. A huge thanks thanks to CommunityBridge participant Matei David for this feature.
And lots more!
Linkerd 2.9 also has a tremendous list of other improvements, performance enhancements, and bug fixes, including:
- A new bring-your-own-Prometheus option, for users who want to skip Linkerd’s Prometheus cluster and use their own directly.
- New support for Kubernetes 1.19
- New support for authenticated Docker registries
- New support for Ingress-level load balancing decisions, e.g. session stickiness
- New fish shell completions for the CLI
- New Spanish translations for the dashboard (please help us translate into your language!)
- And lots, lots more.
See the full release notes for details.
What’s next for Linkerd?
The momentum behind Linkerd continues to astound us. Companies like HP, H-E-B, Microsoft, Clover Health, Mercedes Benz, Purdue University Global, PriceKinetics, and many more have recently adopted Linkerd to power their mission-critical infrastructure. And we’re just getting started. Over the next few releases we’ll continue to double down on what many of these engineers have told us are Linkerd’s two biggest value props: security and simplicity.
- Security: Our many security-conscious users tell us that Linkerd’s zero-config, on-by-default mTLS is the most powerful tool in their Kubernetes toolbox for zero-trust security. Over the next few releases we’ll continue to extend Linkerd’s capabilities here, especially in the realms of authorization and policy.
- Simplicity: We hear time and time again that users arrive at Linkerd after navigating a mind-boggling service mesh landscape riddled with overly complex, checklist-driven projects. Over the next few releases, we’ll strive to make Linkerd even smaller and even simpler by improving control plane modularity and reducing the set of mandatory components.
In short: the service mesh doesn’t have to be complex, and security doesn’t have to be hard. The future of Linkerd is built around these beliefs, and we hope they resonate with you as well.
Try it today!
Ready to try Linkerd? Those of you who have been tracking the 2.x branch via our weekly edge releases will already have seen these features in action. Either way, you can download the stable 2.9 release by running:
curl https://run.linkerd.io/install | sh
Using Helm? See our guide to installing Linkerd with Helm. Upgrading from a previous release? We’ve got you covered: see our Linkerd upgrade guide for how to use the linkerd upgrade command.
Linkerd is for everyone
Linkerd is a community project and is hosted by the Cloud Native Computing Foundation. Linkerd is committed to open governance. If you have feature requests, questions, or comments, we’d love to have you join our rapidly-growing community! Linkerd is hosted on GitHub, and we have a thriving community on Slack, Twitter, and the mailing lists. Come and join the fun!