Linkerd has announced a new version of its service mesh. It adds three major new features: egress traffic visibility and control; per-service rate limiting; and federated services.

The developers say Linkerd 2.17 is their first major release after their announcement earlier this year that they were changing the way the project is published with the goal of ensuring Linkerd could become a truly sustainable project, without relicensing, without violating CNCF (Cloud Native Computing Foundation) rules, and without changing Linkerd's fundamental open source nature.

Created, supported and maintained by Buoyant, the company founded in 2015 by Twitter infrastructure engineers William Morgan and Oliver Gould, Linkerd is a service mesh, a tool for adding security, reliability, and observability features to cloud native applications, particularly those that use Kubernetes. It works by transparently inserting its functionality at the platform layer rather than the application layer. The new features added to this version of Linkerd have been made to meet the changing nature of Kubernetes use, according to Linkerd, who say that recent mature adoptions of Kubernetes is planned and explicit, and can involve deploying across hundreds or thousands of clusters. Introducing Linkerd features such as federated services is a direct response to this demand.

The improvements to this release start with the addition of egress visibility and control for egress traffic leaving the Kubernetes cluster from meshed pods. Kubernetes egress traffic is data that leaves a cluster and goes to another part of the network such as an application or service outsite the cluster, or an external endpoint. The Linkerd team says Kubernetes itself provides no mechanisms for understanding egress traffic, and only rudimentary ones for restricting it (limited to IP ranges and ports).

This release of Linkerd provides the ability to view the source, destination, and traffic levels of all traffic leaving a cluster, including the hostnames (and with configuration, the full HTTP paths or gRPC methods). Users also can deploy egress security policies that allow or disallow that traffic with that same level of granularity by setting up allowlist or blocklist egress by DNS domain rather than IP range and port.

The second improvement to this version is the addition of rate limiting to protect services from being overloaded. This is server-side behavior that is enforced by the service receiving the traffic and designed to protect it from misbehaving clients, and users can set per-client rate limit policies.

Another addition is support for federated services for multiclusters. A federated service is a union of the replicas of the same service across multiple clusters, meaning meshed clients talking to a federated service automatically load balance across all endpoints in all clusters. The Linkerd team says this means that application code is decoupled from cluster deployment decisions. It also means failure handling is transparent and automatic, as should a cluster be down entirely, or the service on that cluster is down, or failing in any way; Linkerd will load balance across other endpoints; similarly, if a cluster is distant, slow, or the service is bogged down, Linkerd's latency-aware load balancing will prefer other endpoints.

Linkerd 2.17 is available now.

More Information

Linkerd on GitHub

Linkerd Website

Related Articles

Exposing the Kubernetes Dashboard with Istio Service Mesh

Improving Kubernetes Security

Kubernetes on Edge Training From Linux Foundation & CNCF

Open Service Mesh To Join Cloud Native Computing Foundation

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info