Announcing Linkerd 2.12: Zero-trust route-based policy, Gateway API, access logging, and more!

William Morgan

Aug 24, 2022

Today we’re very happy to announce the release of Linkerd 2.12. This massive release introduces route-based policy to Linkerd, allowing users to define and enforce authorization policies based on HTTP routes in a fully zero-trust way. These policies are built on Linkerd's strong workload identities, secured by mutual TLS, and configured using types from Kubernetes' new Gateway API.

Linkerd 2.12 is a first step towards adopting the Gateway API as a core configuration mechanism. While this API isn't yet perfect for the service mesh use case, it provides a powerful starting point for this release and we're optimistic it will evolve over time to meet Linkerd's needs. Importantly, building on the Gateway API will allow us to keep the number of Linkerd-specific configuration objects to a bare minimum, even as we introduce new functionality—a big part of our goal of being the simplest and lightest service mesh possible for Kubernetes.

The 2.12 release also introduces access logging, a long-awaited feature that allows Linkerd to produce Apache-style request logs. It adds support for iptables-nft and introduces a host of other improvements and performance enhancements.

Finally, Buoyant Cloud customers can now do fully automated upgrades of their 2.10+ or later clusters to Linkerd 2.12, including the data plane proxies. (Business and Enterprise tiers only.)

If you want to learn more about Linkerd 2.12 and the upgrade process, we'll be hosting a free Upgrading to Linkerd 2.12 webinar on September 1st at 9 am PDT / 12 pm EDT / 6 pm CEST. Register here!

This release includes a lot of hard work from over 50 contributors, including engineers at Timescale, Adidas, Sourcegraph, Intel, Shopify, Red Hat, and more. A special thank you to Agrim Prasad, Ahmed Al-Hulaibi, Aleksandr Tarasov, Alexander Berger, Ao Chen, Badis Merabet, Crevil (Bjørn), Brian Dunnigan, Christian Schlotter, Dani Baeyens, David Symons, Dmitrii Ermakov, Elvin Efendi, Eng Zer Jun, Gustavo Fernandes de Carvalho, Harry Walter, Israel Miller, Jack Gill, Jacob Henner, Jacob Lorenzen, Joakim Roubert, Josh Ault, João Soares, Kim Christensen, Krzysztof Dryś, Lior Yantovski, Martin Anker Have, Michael Lin, Michał Romanowski, Naveen Nalam, Nick Calibey, Nikola Brdaroski, Or Shachar, Pål-Magnus Slåtto, Raman Gupta, Ricardo Gândara Pinto, Roberth Strand, Sankalp Rangare, Sascha Grunert, Steve Gray, Steve Zhang, Takumi Sue, Tanmay Bhat, Táskai Dominik, Ujjwal Goyal, Weichung Shaw, Wim de Groot, Yannick Utard, Yurii Dzobak, and 罗泽轩 for all your hard work!

Per-route policies

Linkerd’s new per-route policies extend the existing port-based policies with even finer-grained control of how services are allowed to communicate with each other. These policies are designed for organizations that are taking a zero trust approach to security, one that requires not just encryption but strong workload identity and explicit authorization everywhere. Linkerd's authorization policies:

  • Treat the network as adversarial. They do not rely on IP addresses, nor do they require that the CNI layer or any other aspect of the underlying network is secure.
  • Use secure workload identity. Linkerd's workload identities are derived automatically from ServiceAccounts and are cryptographically validated at connection time via mutual TLS.
  • Are enforced at the pod level. Every connection and every request is validated.
  • Easily allow for default deny patterns. Security-conscious adopters can easily disallow access to sensitive resources by default unless explicitly allowed (the "principle of least privilege").

Default deny setups can be tricky to accomplish in Kubernetes due to the fact that health and readiness probes need to pass without authorization. In Linkerd 2.12, health and readiness probes are now authorized by default, but can also be explicitly authorized while still locking down other application endpoints. (See the full policy docs »)
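The default-deny-plus-probes pattern described above, as an added example that is not from the post or the Linkerd project: a Server whose kubelet probes are authorized by source network on their own HTTPRoute, while the application's route requires a specific mTLS identity. The namespace, pod labels, ServiceAccount name and CIDR are placeholders, and the API groups and versions are assumed to be those of Linkerd 2.12.

```yaml
# Added example (not from the post); names and the CIDR are placeholders.
# Assumes the namespace carries config.linkerd.io/default-inbound-policy: deny.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata: {name: api-http, namespace: payments}
spec: {podSelector: {matchLabels: {app: api}}, port: http, proxyProtocol: HTTP/1}
---
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPRoute   # probe paths only, so they can be authorized on their own
metadata: {name: api-probes, namespace: payments}
spec:
  parentRefs: [{group: policy.linkerd.io, kind: Server, name: api-http}]
  rules:
    - matches: [{path: {type: Exact, value: /healthz}}, {path: {type: Exact, value: /ready}}]
---
# Catch-all: with any HTTPRoute attached, unmatched requests get 404, so app paths need a route.
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPRoute
metadata: {name: api-app, namespace: payments}
spec:
  parentRefs: [{group: policy.linkerd.io, kind: Server, name: api-http}]
  rules:
    - matches: [{path: {type: PathPrefix, value: /}}]
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication   # kubelet probes arrive unmeshed, so match by source network
metadata: {name: node-network, namespace: payments}
spec:
  networks: [{cidr: 10.0.0.0/8}]   # placeholder: use the real node/pod CIDRs
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy   # probes route: allowed from the node network only
metadata: {name: allow-probes, namespace: payments}
spec:
  targetRef: {group: policy.linkerd.io, kind: HTTPRoute, name: api-probes}
  requiredAuthenticationRefs:
    - {group: policy.linkerd.io, kind: NetworkAuthentication, name: node-network}
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication   # identity derived from the checkout ServiceAccount
metadata: {name: checkout-only, namespace: payments}
spec:
  identities: ["checkout.payments.serviceaccount.identity.linkerd.cluster.local"]
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy   # application route: mTLS-verified checkout identity only
metadata: {name: api-from-checkout, namespace: payments}
spec:
  targetRef: {group: policy.linkerd.io, kind: HTTPRoute, name: api-app}
  requiredAuthenticationRefs:
    - {group: policy.linkerd.io, kind: MeshTLSAuthentication, name: checkout-only}
```

With these applied, an unmeshed client or a meshed workload running under any other ServiceAccount is denied on `/` while the kubelet's probes keep passing, which is the default-deny outcome the section describes.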

Gateway API

Linkerd 2.12 provides a first step towards supporting the Kubernetes Gateway API. While the Gateway API was originally designed as a richer and more flexible alternative to the long-standing Ingress resource in Kubernetes, it provides a great foundation for describing service mesh traffic and allows Linkerd to keep its added configuration machinery to a minimum.

In Linkerd 2.12 the first step is a cautious one: Linkerd provides a partial implementation of parts of the Gateway API (e.g. CRDs such as HTTPRoute) to configure Linkerd's route-based policies. This approach allows us to start using Gateway API types without implementing the portions of the spec that don't make sense for Linkerd. As the Gateway API evolves to better fit Linkerd's needs, our intention is to switch to the source types in a way that minimizes friction to our users.

See our blog post about Linkerd and the Gateway API for more details.

Access logging

Linkerd 2.12 also introduces access logging, which allows the proxy to optionally emit Apache-style request logs. This feature is off by default for reasons of performance and resource utilization—especially for high-traffic workloads—but can easily be enabled for situations that require it. (See the access logging docs »)

Fully automated upgrades and rollbacks with Buoyant Cloud

Alongside the Linkerd 2.12 release, Buoyant Cloud, our managed Linkerd service, now supports automatic upgrades to Linkerd 2.12 for (almost) any cluster running 2.10.0 and beyond. This upgrade process covers both the control plane and the data plane, allowing you to keep your Linkerd deployment up to date across any number of clusters with just a CRD change.

As before, Buoyant Cloud works with (almost) any Linkerd cluster running on your infrastructure. Just deploy the Buoyant Cloud agent alongside your existing open source Linkerd installation and get automated health alerts, upgrades and rollbacks, policy analysis, and lots more. Schedule a demo with our team today!

And lots more!

Linkerd 2.12 also has a tremendous list of other improvements, performance enhancements, and bug fixes, including:

  • A new `config.linkerd.io/shutdown-grace-period` annotation to configure the proxy's maximum grace period for graceful shutdown
  • A new `iptables-nft` mode for iptables-nft support in Linkerd's init container
  • A fix for certain control plane components that were not restarting as necessary after a trust root rotation
  • A fix for the `linkerd check` command crashing when unexpected pods are found in a Linkerd namespace
  • A change to the `proxy.await` Helm value so that users can now disable `linkerd-await` on control plane components
  • Annotations that allow Linkerd extension deployments to be evicted by the autoscaler when necessary
  • The ability to run the Linkerd CNI plugin in non-chained (stand-alone) mode
  • A ServiceAccount token Secret in the multicluster extension to support Kubernetes versions >= v1.24
  • And lots more!

See the full release notes for details.

What’s next for Linkerd?

2022 has been another incredible year for Linkerd. Last year, Linkerd became the first and only service mesh to achieve graduated status in the CNCF, joining projects like Kubernetes, Prometheus, and Envoy at the foundation’s highest level of maturity. Earlier this year, we announced the availability of cross-cluster failover for Linkerd, the results of the CNCF survey showing Linkerd surpassing Istio adoption in the US and EU, and the completion of Linkerd's 2022 security audit.

In the next few Linkerd releases, we’ll be working on exciting client-side policy features like circuit breaking and header-based routing, as well as on longer-term features such as mesh expansion to allow the data plane to run outside of Kubernetes. If you have feature requests, of course, we’d love to hear them!

Linkerd is for everyone

Linkerd is a graduated project of the Cloud Native Computing Foundation. Linkerd was created by Buoyant and is 100% open source. If you have feature requests, questions, or comments, we’d love to have you join our rapidly-growing community! Linkerd is hosted on GitHub, and we have a thriving community on Slack, Twitter, and the mailing lists. Come and join the fun!
