Agenda
What is a Service Mesh?

What is Linkerd?

How does it work?

Architecture

Install the CLI

Demo Application

Uninstall the Application and Linkerd

Frequently Asked Questions

References

What is a Service Mesh?

Where did the service mesh come from?

Google SRE - Stubby

Monzo Bank - 1600 microservices

What is Linkerd?

 

Linkerd is an ultralight, security-first service mesh for Kubernetes. Linkerd adds critical security, observability, and reliability features to your Kubernetes stack with no code change required.
Created by Buoyant (a company started by two ex-Twitter engineers)
Linkerd is a Cloud Native Computing Foundation (CNCF) project (Incubating).

How does it work?

Linkerd works by installing a set of ultralight, transparent proxies next to each service instance. These proxies automatically handle all traffic to and from the service. Because they’re transparent, these proxies act as highly instrumented out-of-process network stacks, sending telemetry to, and receiving control signals from, the control plane. This design allows Linkerd to measure and manipulate traffic to and from your service without introducing excessive latency.
In order to be as small, lightweight, and safe as possible, Linkerd’s proxies are written in Rust and specialized for Linkerd.

Architecture
At a high level, Linkerd consists of a control plane and a data plane.

The control plane is a set of services that run in a dedicated namespace. These services accomplish various things—aggregating telemetry data, providing a user-facing API, providing control data to the data plane proxies, etc. Together, they drive the behavior of the data plane.

The data plane consists of transparent proxies that are run next to each service instance. These proxies automatically handle all traffic to and from the service. Because they’re transparent, these proxies act as highly instrumented out-of-process network stacks, sending telemetry to, and receiving control signals from, the control plane.

Control Plane

The Linkerd control plane is a set of services that run in a dedicated Kubernetes namespace (linkerd by default).

Controller
The controller deployment consists of the public-api container that provides an API for the CLI and dashboard to interface with.

Destination

Each proxy in the data plane uses this component to look up where to send requests. The destination deployment is also used to fetch service profile information used for per-route metrics, retries and timeouts.

Identity
This component provides a Certificate Authority that accepts CSRs from proxies and returns certificates signed with the correct identity. These certificates are fetched by the proxy on start and must be issued before the proxy becomes ready. They are subsequently used for any connection between Linkerd proxies to implement mTLS.

Proxy Injector
The injector is an admission controller, which receives a webhook request every time a pod is created. This injector inspects resources for a Linkerd-specific annotation (linkerd.io/inject: enabled). When that annotation exists, the injector mutates the pod’s specification and adds both an initContainer as well as a sidecar containing the proxy itself.

Service Profile Validator
The validator is also an admission controller, which validates new service profiles before they are saved.

Tap
The tap deployment receives requests from the CLI and dashboard to watch requests and responses in real time. It establishes a stream to watch these requests and responses in the specific proxies associated with the requested applications.

Web
The web deployment provides the Linkerd dashboard. This does not require running the linkerd dashboard command, and the deployment can be exposed to others.

Heartbeat
This CronJob runs once a day and records some analytics that help with the development of Linkerd. It is optional and can be disabled.

Data Plane

Proxy
An ultralight transparent proxy written in Rust, the proxy is installed into each pod of a service and becomes part of the data plane. It receives all incoming traffic for a pod and intercepts all outgoing traffic via an initContainer that configures iptables to forward the traffic correctly. Because it is a sidecar and intercepts all the incoming and outgoing traffic for a service, there are no code changes required and it can even be added to a running service.

The proxy’s features include:

  1. Transparent, zero-config proxying for HTTP, HTTP/2, and arbitrary TCP protocols.
  2. Automatic Prometheus metrics export for HTTP and TCP traffic.
  3. Transparent, zero-config WebSocket proxying.
  4. Automatic, latency-aware, layer-7 load balancing.
  5. Automatic layer-4 load balancing for non-HTTP traffic.
  6. Automatic TLS.
  7. An on-demand diagnostic tap API.

Install the CLI


kubectl version --short

rm alias:curl (Windows PowerShell only: there curl is an alias of Invoke-WebRequest, so the alias must be removed before the real curl can be used below)

curl -sL run.linkerd.io/install | sh

-- Add the linkerd CLI directory to your PATH (C:\Users\Muhtalip.Dede\.linkerd2\bin on the presenter's Windows machine) and, on Windows, rename the binary to a .exe file

linkerd

linkerd check --pre

linkerd install | kubectl apply -f -

linkerd check

linkerd viz install | kubectl apply -f -

linkerd viz dashboard
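The commands above are one procedure: fetch the CLI, pre-flight check, install the control plane, check, install viz. The script below is an added example (not part of the original slides or of the Linkerd project) that wraps that same sequence so that the installer is saved to disk and sanity-checked before it is executed instead of being piped straight into sh, and so that each linkerd check gates the step after it. It assumes curl, kubectl and sha256sum are on PATH, uses the installer address the slides use, and assumes the CLI lands in $HOME/.linkerd2/bin (the per-user path shown above). Run it as `sh install-linkerd.sh run`; with no argument it only defines the functions.

```shell
#!/bin/sh
# Added example, not the slides' or Linkerd's own code.
# Assumptions: curl, kubectl, sha256sum on PATH; the installer places the
# CLI in $HOME/.linkerd2/bin; INSTALLER_URL is the address used in the slides.
set -e

INSTALLER_URL="https://run.linkerd.io/install"
INSTALLER="${TMPDIR:-/tmp}/linkerd-install.sh"

# Refuse to execute anything that is not a shell script: an HTML error page,
# a captive-portal reply or an empty download all fail this check.
looks_like_shell_script() {
  [ -s "$1" ] && [ "$(head -c 2 "$1")" = "#!" ]
}

# Save the installer instead of piping it into sh, so it can be read and its
# digest recorded (for example in the change ticket) before it is allowed to run.
fetch_installer() {
  curl -fsSL "$INSTALLER_URL" -o "$INSTALLER"
  looks_like_shell_script "$INSTALLER"
  sha256sum "$INSTALLER"
}

# Run the reviewed installer and make the CLI visible for the rest of the script.
install_cli() {
  sh "$INSTALLER"
  PATH="$HOME/.linkerd2/bin:$PATH"; export PATH
  linkerd version --client
}

# `linkerd check --pre` must pass before anything is applied to the cluster,
# and `linkerd check` must pass before the viz extension is layered on top.
install_control_plane() {
  linkerd check --pre
  linkerd install | kubectl apply -f -
  linkerd check
}

install_viz() {
  linkerd viz install | kubectl apply -f -
  linkerd viz check
}

if [ "${1:-}" = "run" ]; then
  fetch_installer
  install_cli
  install_control_plane
  install_viz
fi
```

The slides show the 2.10-era CLI; from Linkerd 2.12 onward the CRDs are installed separately first (linkerd install --crds | kubectl apply -f -), so add that step to install_control_plane when working with a current release.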

Demo Application
curl -sL https://run.linkerd.io/emojivoto.yml | kubectl apply -f -

kubectl -n emojivoto port-forward svc/web-svc 8080:80

http://localhost:8080

kubectl get -n emojivoto deploy -o yaml | linkerd inject - | kubectl apply -f -

linkerd -n emojivoto check --proxy

linkerd -n emojivoto viz stat deploy

linkerd -n emojivoto viz top deploy

linkerd -n emojivoto viz tap deploy/web
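The Proxy Injector section and the inject step above together describe how the sidecar gets into a pod: the injector fires on pod creation when it sees the linkerd.io/inject: enabled annotation. The script below is an added example, not part of the original slides or of the Linkerd project. It takes the namespace-annotation route instead of piping every Deployment through linkerd inject, restarts existing pods (the webhook does not touch pods that already exist), and then audits the result: it lists pods whose container set lacks the sidecar and filters tap records that are not mTLS. It assumes the Linkerd 2.x sidecar container name linkerd-proxy, that linkerd viz tap prints space-separated key=value fields including tls=true, that kubectl and linkerd are on PATH, and that GNU timeout is available. Run it as `sh audit-mesh.sh run` (NS overrides the namespace, default emojivoto); with no argument it only defines the functions, so they can be fed saved output.

```shell
#!/bin/sh
# Added example, not the slides' or Linkerd's own code.
# Assumptions: sidecar container is named "linkerd-proxy" (Linkerd 2.x);
# `linkerd viz tap` records are lines starting with req/rsp/end made of
# space-separated key=value fields; kubectl, linkerd and timeout on PATH.
set -e

NS="${NS:-emojivoto}"

# Annotating the namespace makes the injector mutate every new pod in it.
# The injector only runs on pod creation, so existing pods are recreated
# (rollout restart) to pick up the initContainer and the sidecar.
mesh_namespace() {
  kubectl annotate namespace "$1" linkerd.io/inject=enabled --overwrite
  for d in $(kubectl -n "$1" get deploy -o name); do
    kubectl -n "$1" rollout restart "$d"
    kubectl -n "$1" rollout status "$d" --timeout=120s
  done
}

# Input on stdin: one line per pod, "pod-name: container1 container2 ...".
# Prints every pod whose container list lacks linkerd-proxy; exit 1 if any.
unmeshed_pods() {
  found=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    pod="${line%%:*}"
    containers="${line#*:}"
    case " $containers " in
      *" linkerd-proxy "*) ;;
      *) echo "$pod"; found=1 ;;
    esac
  done
  return "$found"
}

# Input on stdin: `linkerd viz tap` records. Prints those without tls=true;
# exit 1 if any were seen. Requests from an unmeshed client, such as the
# kubectl port-forward used above, are expected here; meshed-to-meshed
# traffic should never show up, because the identity component issues the
# certificates the proxies use for mTLS between each other.
non_mtls_records() {
  found=0
  while IFS= read -r line; do
    case "$line" in
      "req "*|"rsp "*|"end "*) ;;
      *) continue ;;
    esac
    case " $line " in
      *" tls=true "*) ;;
      *) echo "$line"; found=1 ;;
    esac
  done
  return "$found"
}

# Live audit: container lists straight from the API server, then Linkerd's
# own proxy check (the same command the slides run).
audit_namespace() {
  kubectl -n "$1" get pods \
    -o jsonpath='{range .items[*]}{.metadata.name}:{range .spec.containers[*]} {.name}{end}{"\n"}{end}' \
    | unmeshed_pods
  linkerd -n "$1" check --proxy
}

if [ "${1:-}" = "run" ]; then
  mesh_namespace "$NS"
  audit_namespace "$NS"
  # Sample ten seconds of live traffic to the web deployment and flag non-mTLS records.
  timeout 10 linkerd -n "$NS" viz tap deploy/web | non_mtls_records || true
fi
```

unmeshed_pods stops the script (exit 1 under set -e) when any pod is missing the sidecar, which is the state you get when a pod was created before the annotation or carries its own linkerd.io/inject: disabled override; the tap filter is deliberately non-fatal, since traffic from outside the mesh is expected in the demo.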

Uninstall the Application and Linkerd
kubectl delete ns emojivoto

linkerd viz uninstall | kubectl delete -f -

linkerd uninstall | kubectl delete -f -

Frequently Asked Questions

How do I pronounce Linkerd?

Linkerd rhymes with “Cardi B”. The “d” is pronounced separately, as in “Linker-DEE”.

What's the difference between Linkerd and Istio?
Linkerd is significantly lighter and simpler than Istio. Linkerd is built for security from the ground up, with features such as on-by-default mTLS, a data plane written in Rust (a memory-safe language), and regular security audits. Finally, Linkerd has publicly committed to open governance and is hosted by the CNCF.

What's the difference between Linkerd and Envoy?
Envoy is a proxy; Linkerd is a service mesh. Linkerd has a control plane and a data plane, and uses a proxy as a component of the data plane. While Envoy can be used as a component of a service mesh, Linkerd instead uses an ultralight “micro-proxy” called Linkerd2-proxy, which is built in Rust for safety and performance.

Why doesn't Linkerd use Envoy?
Envoy is a complex general-purpose proxy. Linkerd uses a simple and ultralight “micro-proxy” called Linkerd2-proxy that is built specifically for the service mesh sidecar use case. This allows Linkerd to be significantly smaller and simpler than Envoy-based service meshes. The choice of Rust also allows Linkerd to avoid a whole class of CVEs and vulnerabilities that can impact proxies written in non-memory-safe languages like C++.

References
- linkerd.io

- buoyant.io

Muhtalip Dede

15.04.2021


Muhtalip Dede - Software Developer Doğuş Teknoloji
