Kubernetes Service Mesh with Linkerd
Linkerd es un ligero, ultrafast servicio mesh built specifically for Kubernetes. It provides traffic management, seguridad, and observability with minimal resource overhead. Esta guía cubre Linkerd installation via CLI, automatic sidecar injection, traffic splitting, retry and timeout policies, mutual TLS, and the built-in dashboard for monitoreo your VPS and baremetal Kubernetes infrastructure.
Tabla de contenidos
- Linkerd Overview
- Instalaation
- Sidecar Injection
- Traffic Management
- Security with mTLS
- Linkerd Dashboard
- Debugging and Observability
- Practical Examples
- Conclusion
Linkerd Overview
Why Linkerd?
Linkerd está diseñado para production Kubernetes with:
- Lightweight: Minimal resource usage compared to Istio
- Fast: Written in Rust, ultrafast proxy
- Kubernetes-native: Leverages Kubernetes conventions
- Simple: Easy to understand and operate
- Observable: Built-in metrics and visualization
Arquitectura
Data Plane: Linkerd proxies (micro-proxies)
Control Plane: destination, identity, tap services
Observability: Live tap, metrics, dashboards
Linkerd vs Istio
| Feature | Linkerd | Istio |
|---|---|---|
| Resource Usage | Low | High |
| Proxy Size | 10MB | 100+MB |
| Learning Curve | Easy | Complex |
| Features | Core | Comprehensive |
| Best For | Simple meshes | Complex implementacións |
Instalación
Requisitos previos
- Kubernetes v1.20+
- kubectl configured
- Helm 3+
Instalaing linkerd CLI
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
# Add to PATH
export PATH=$PATH:$HOME/.linkerd2/bin
# Verify installation
linkerd version
Pre-Instalaation Checks
linkerd check --pre
Instalaing Linkerd Control Plane
# Install Linkerd
linkerd install | kubectl apply -f -
# Wait for control plane
kubectl rollout status -n linkerd deployment/linkerd-controller --timeout=5m
# Verify installation
linkerd check
Helm Instalaation
# Add Helm repository
helm repo add linkerd https://helm.linkerd.io
helm repo update
# Install Linkerd
helm install linkerd-crds linkerd/linkerd-crds \
-n linkerd-crds \
--create-namespace
helm install linkerd linkerd/linkerd-control-plane \
-n linkerd \
--create-namespace
# Verify
linkerd check
Instala Linkerd Viz (Dashboard)
linkerd viz install | kubectl apply -f -
kubectl rollout status -n linkerd-viz deployment/web --timeout=5m
Sidecar Injection
Automatic Injection
Label espacio de nombres for automatic injection:
kubectl annotate namespace production linkerd.io/inject=enabled
Verifica annotation:
kubectl get namespace production -o yaml | grep inject
Manual Injection
For non-annotated espacio de nombress:
linkerd inject deployment.yaml | kubectl apply -f -
Verifica Injection
# Check if proxy is running
kubectl get pods -n production -o jsonpath='{.items[0].spec.containers[*].name}'
# Should show: app linkerd-proxy
Disabling Injection per Pod
apiVersion: v1
kind: Pod
metadata:
name: no-mesh
spec:
annotations:
linkerd.io/inject: disabled
containers:
- name: app
image: myapp:1.0
Traffic Management
Service Profile
Define traffic policies with ServiceProfile:
apiVersion: linkerd.io/v1alpha1
kind: ServiceProfile
metadata:
name: api
namespace: production
spec:
service:
name: api
port: 8080
routes:
- name: GET /api/users
condition:
method: GET
pathRegex: /api/users
timeoutMs: 5000
retries:
limit: 3
backoff:
minMs: 10
maxMs: 1000
jitterFraction: 0.1
isRetryable: true
- name: POST /api/users
condition:
method: POST
pathRegex: /api/users
timeoutMs: 10000
retries:
limit: 1
backoff:
minMs: 10
maxMs: 100
jitterFraction: 0.1
isRetryable: false
Create ServiceProfile:
kubectl apply -f service-profile.yaml
Traffic Split
Distribute traffic between servicio versions:
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
name: api-split
namespace: production
spec:
service: api
backends:
- service: api-v1
weight: 80
- service: api-v2
weight: 20
Retries and Timeouts
Configura in ServiceProfile:
routes:
- name: api-call
condition:
method: GET
pathRegex: /api/.*
retries:
limit: 3
backoff:
minMs: 10
maxMs: 1000
jitterFraction: 0.1
timeoutMs: 5000
isRetryable: true
Automatic Retries
Retries are automatically configured for safe operations:
- GET requests: Retried by default
- POST requests: Not retried unless explicitly marked
Security with mTLS
Automatic mTLS
Linkerd automatically enables mTLS between servicios:
# Verify mTLS is enabled
linkerd check
# Should show: "mTLS" status
Checking mTLS Status
# Tap into traffic to see encryption
linkerd tap deployment/api -n production
# Output will show encrypted connections
Certificate Management
Linkerd manages certificates automatically. View certificate details:
# Get identity certificate
kubectl get secret -n linkerd-identity linkerd-identity-issuer -o yaml
# Check certificate expiration
kubectl get secret -n linkerd-identity linkerd-identity-issuer -o json | \
jq '.data."tls.crt"' -r | base64 -d | openssl x509 -text -noout | grep -A 2 "Validity"
Policy Server (Authorization)
Instala policy server for advanced authorization:
linkerd policy install | kubectl apply -f -
Crea unuthorization policy:
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
name: api-auth
namespace: production
spec:
targetRef:
group: ""
kind: Service
name: api
rules:
- from:
- podSelector:
matchLabels:
app: frontend
to:
- ports: ["8080"]
Linkerd Dashboard
Accessing Dashboard
Port-forward to dashboard:
linkerd viz dashboard &
Automatically opens at http://localhost:50750
Or manually:
kubectl port-forward -n linkerd-viz svc/web 50750:8084
Dashboard Features
- Overview: Cluster health and metrics
- Namespaces: Namespace details and traffic
- Deployments: Deployment metrics and status
- Pods: Pod-level metrics and logs
- Traffic: Live traffic visualization
- Tap: Real-time traffic inspection
Golden Metrics
Linkerd automatically tracks four golden signals:
- Latency: Response time
- Success Rate: Percentage of successful requests
- Traffic: Requests per second
- Errors: Error rate
View via dashboard or CLI:
linkerd stat deployment -n production
linkerd stat service -n production
Debugging and Observability
Tap Feature
Inspect live traffic:
# Tap all traffic to a pod
linkerd tap pod/api-0 -n production
# Tap with filters
linkerd tap deployment/api -n production --to pod/frontend -n production
# Tap specific paths
linkerd tap deploy/api -n production --path /api/users
Metrics
View metrics for implementacións:
# Get metrics
linkerd stat deployment -n production
# Show success rates
linkerd stat deploy -n production --show-tls
# With detailed metrics
linkerd stat pod -n production -o json
Logs
View Linkerd control plane logs:
# Destination controller
kubectl logs -n linkerd deployment/linkerd-destination
# Identity service
kubectl logs -n linkerd deployment/linkerd-identity
# Proxy logs
kubectl logs -n production <pod-name> -c linkerd-proxy
Debugging Connectivity
# Check service discovery
linkerd endpoints service api -n production
# Validate traffic routing
linkerd routes deploy/web -n production
# Check TLS status
linkerd check --proxy
Practical Examples
Ejemplo: Service Profile with Multiple Routes
---
# Create two services
apiVersion: v1
kind: Service
metadata:
name: api
namespace: production
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: 8080
selector:
app: api
---
# ServiceProfile with routes and policies
apiVersion: linkerd.io/v1alpha1
kind: ServiceProfile
metadata:
name: api
namespace: production
spec:
service:
name: api
port: 8080
routes:
- name: GET /health
condition:
method: GET
pathRegex: /health
timeoutMs: 1000
retries:
limit: 2
isRetryable: true
- name: GET /api/data
condition:
method: GET
pathRegex: /api/data
timeoutMs: 5000
retries:
limit: 3
backoff:
minMs: 10
maxMs: 100
jitterFraction: 0.1
isRetryable: true
- name: POST /api/data
condition:
method: POST
pathRegex: /api/data
timeoutMs: 10000
retries:
limit: 1
isRetryable: false
- name: DELETE /api/data
condition:
method: DELETE
pathRegex: /api/data.*
timeoutMs: 15000
isRetryable: false
Ejemplo: Canary Deployment with Traffic Split
---
# Current version
apiVersion: v1
kind: Service
metadata:
name: web-stable
namespace: production
spec:
selector:
app: web
version: stable
ports:
- port: 80
targetPort: 8080
---
# Canary version
apiVersion: v1
kind: Service
metadata:
name: web-canary
namespace: production
spec:
selector:
app: web
version: canary
ports:
- port: 80
targetPort: 8080
---
# Traffic split: 95% stable, 5% canary
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
name: web-canary
namespace: production
spec:
service: web
backends:
- service: web-stable
weight: 950
- service: web-canary
weight: 50
---
# ServiceProfile for web
apiVersion: linkerd.io/v1alpha1
kind: ServiceProfile
metadata:
name: web
namespace: production
spec:
service:
name: web
port: 80
routes:
- name: GET /
condition:
method: GET
pathRegex: /
timeoutMs: 5000
retries:
limit: 3
isRetryable: true
Ejemplo: Production Configuration
#!/bin/bash
# Install and configure Linkerd
# 1. Check prerequisites
linkerd check --pre
# 2. Install control plane
linkerd install | kubectl apply -f -
# 3. Wait for control plane
kubectl rollout status -n linkerd deployment/linkerd-controller --timeout=5m
# 4. Install viz
linkerd viz install | kubectl apply -f -
# 5. Enable namespace for automatic injection
kubectl annotate namespace production linkerd.io/inject=enabled --overwrite
# 6. Verify everything
linkerd check
# 7. Get dashboard access
linkerd viz dashboard
Conclusión
Linkerd provides a lightweight, production-ready servicio mesh for Kubernetes implementacións on VPS and baremetal infrastructure. By leveraging automatic mTLS, implementing ServiceProfiles for traffic management, and using the built-in dashboard for observability, you create a resilient microservicios platform with minimal operational complexity. Start with basic installation and automatic injection, add ServiceProfiles for traffic policies, and gradually implement advanced features like traffic splitting and authorization policies. Linkerd's simplicity and low resource overhead make it ideal for organizations looking to adopt a servicio mesh without excessive complexity.