Today we’re very happy to announce the release of Linkerd 2.12. This massive release introduces route-based policy to Linkerd, allowing users to define and enforce authorization policies based on HTTP routes in a fully zero-trust way. These policies are built on Linkerd's strong workload identities, secured by mutual TLS, and configured using types from Kubernetes' s new Gateway API.
Linkerd 2.12 is a first step towards adopting the Gateway API as a core configuration mechanism. While this API isn't yet perfect for the service mesh use case, it provides a powerful starting point for this release and we're optimistic they will evolve over time to meet Linkerd's needs. Importantly, building on the Gateway API will allow us to keep the number of Linkerd-specific configuration objects to a bare minimum, even as we introduce new functionality—a big part of our goal of being the simplest and lightest service mesh possible for Kubernetes.
The 2.12 release also introduces access logging, a long-awaited feature that allows Linkerd to produce Apache-style request logs. It adds support for iptables-nft and introduces a host of other improvements and performance enhancements.
Finally, Buoyant Cloud customers can now do fully automated upgrades of their 2.10+ or later clusters to Linkerd 2.12, including the data plane proxies. (Business and Enterprise tiers only.)
If you want to learn more about Linkerd 2.12 and the upgrade process, we'll be hosting a free Upgrading to Linkerd 2.12 webinar on September 1st at 9 am PDT / 12pm PDT / 6pm CEST. Register here!
This release includes a lot of hard work from over 50 contributors, including engineers at Timescale, Adidas, Sourcegraph, Intel, Shopify, Red Hat, and more. A special thank you to Agrim Prasad, Ahmed Al-Hulaibi, Aleksandr Tarasov, Alexander Berger, Ao Chen, Badis Merabet, Crevil (Bjørn), Brian Dunnigan, Christian Schlotter, Dani Baeyens, David Symons, Dmitrii Ermakov, Elvin Efendi, Eng Zer Jun, Gustavo Fernandes de Carvalho, Harry Walter, Israel Miller, Jack Gill, Jacob Henner, Jacob Lorenzen, Joakim Roubert, Josh Ault, João Soares, Kim Christensen, Krzysztof Dryś, Lior Yantovski, Martin Anker Have, Michael Lin, Michał Romanowski, Naveen Nalam, Nick Calibey, Nikola Brdaroski, Or Shachar, Pål-Magnus Slåtto, Raman Gupta, Ricardo Gândara Pinto, Roberth Strand, Sankalp Rangare, Sascha Grunert, Steve Gray, Steve Zhang, Takumi Sue, Tanmay Bhat, Táskai Dominik, Ujjwal Goyal, Weichung Shaw, Wim de Groot, Yannick Utard, Yurii Dzobak, and 罗泽轩 for all your hard work!
Linkerd’s new per-route policies extend the existing port-based policies with even finer-grained control of how services are allowed to communicate with each other. These policies are designed for organizations that are taking a zero trust approach to security that requires not just encryption but strong workload identity and explicit authorization everywhere Linkerd's authorization policies:
Default deny setups can be tricky to accomplish in Kubernetes due to the fact that health and readiness probes need to pass without authorization. In Linkerd 2.12, health and readiness probes are now authorized by default, but can also be explicitly authorized while still locking down other application endpoints. (See the full policy docs »)
Linkerd 2.12 provides a first step towards supporting the Kubernetes Gateway API. While the Gateway API was originally designed as a richer and more flexible alternative to the long-standing Ingress resource in Kubernetes, it provides a great foundation for describing service mesh traffic and allows Linkerd to keep its added configuration machinery to a minimum.
In Linkerd 2.12 the first step is a cautious one: Linkerd provides a partial implementation of parts of the Gateway API (e.g. CRDs such as HTTPRoute) to configure Linkerd's route-based policies. This approach allows us to start using Gateway API types without implementing the portions of the spec that don't make sense for Linkerd. As the Gateway API evolves to better fit Linkerd's needs, our intention is to switch to the source types in a way that minimizes friction to our users.
See our blog post about the Linkerd and the Gateway API for more details.
Linkerd 2.12 also introduces access logging, which allows the proxy to optionally emit Apache-style request logs. This feature is off by default for reasons of performance and resource utilization—especially for high-traffic workloads—but can easily be enabled for situations that require it. (See the access logging docs »)
Alongside the Linkerd 2.12 release, Buoyant Cloud, our managed Linkerd service, now supports automatic upgrades to Linkerd 2.12 for (almost) any cluster running 2.10.0 and beyond. This upgrade process covers both the control plane and the data plane, allowing you to keep your Linkerd deployment up to date across any number of clusters with just a CRD change.
As before, Buoyant Cloud works with (almost) any Linkerd cluster running on your infrastructure. Just deploy the Buoyant Cloud agent alongside your existing open source Linkerd installation and get automated health alerts, upgrades and rollbacks, policy analysis, and lots more. Schedule a demo with our team today!
Linkerd 2.12 also has a tremendous list of other improvements, performance enhancements, and bug fixes, including:
See the full release notes for details.
2022 has been another incredible year for Linkerd. Last year, Linkerd became the first and only service mesh to achieve graduated status in the CNCF, joining projects like Kubernetes, Prometheus, and Envoy at the foundation’s highest level of maturity. Earlier this year, we announced the availability of cross-cluster failover for Linkerd; the results of the CNCF survey showing Linkerd surpassing Istio adoption in the US and EU, and the competition of Linkerd's 2022 security audit.
In the next few Linkerd releases, we’ll be working on exciting client-side policy features like circuit breaking and header-based routing as well as on longer-term features such as mesh expansion to allow the data plane to run outside of Kubernetes, If you have feature requests, of course, we’d love to hear them!
Linkerd is a graduated project of the Cloud Native Computing Foundation. Linkerd was created by Buoyant and is 100% open source. If you have feature requests, questions, or comments, we’d love to have you join our rapidly-growing community! Linkerd is hosted on GitHub, and we have a thriving community on Slack, Twitter, and the mailing lists. Come and join the fun!
(Photo by Boba Jaglicic on Unsplash)