Linkerd opens up for external PKI providers

The team behind the Linkerd service mesh has released its security-focused version 2.7, improving usability and performance along the way.

The most noteworthy change is support for external public key infrastructure providers. Until now, linkerd install generated the trust anchor and the issuer key pair itself, and the install manifest carried the issuer's private key in a Kubernetes Secret. With 2.7 the issuer credentials can instead be created and maintained outside Linkerd, for example by cert-manager, and the identity component reads them from a Secret it watches. That keeps private keys out of manifests and GitOps repositories, and it lets an external tool rotate the issuer certificate without a reinstall, as long as the new issuer is signed by the same trust anchor.

It also lowers some initial hurdles, since administrators can keep using tools they already run, such as Vault, to provide Linkerd with its signing credentials (cert-manager, for instance, has a Vault-backed issuer that can write them into the Secret Linkerd reads). Another change that could help with adoption is the improved dashboard. It finally gives insight into CronJob and ReplicaSet resources and surfaces the tap headers introduced in version 2.6.
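To make concrete what an external issuer buys you, here is an added example in Go (not Linkerd's own code) that models the three-tier PKI the identity system relies on: a long-lived trust anchor, a shorter-lived issuer signed by it, and per-proxy leaf certificates that carry the workload identity as a DNS SAN. It rotates the issuer under the same anchor and checks that a peer holding only the anchor still accepts leaves minted before and after the rotation, while a leaf from an unrelated CA is rejected. The names, validity periods and the identity string are constructed for the example and are not taken from a real cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// credential pairs a certificate with the private key behind it.
type credential struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert creates a signed certificate: self-signed (the trust anchor) when
// parent is nil, otherwise signed by parent. isCA selects issuer vs proxy leaf.
func newCert(name string, isCA bool, parent *credential, ttl time.Duration) (*credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // may sign issuers and leaves
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{name} // the workload identity lives in a DNS SAN
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &credential{cert: cert, key: key}, nil
}

// mustCert is newCert for the demo below; it panics instead of returning an error.
func mustCert(name string, isCA bool, parent *credential, ttl time.Duration) *credential {
	c, err := newCert(name, isCA, parent, ttl)
	if err != nil {
		panic(err)
	}
	return c
}

// verifyPeer is what a proxy does with the chain a peer presents (leaf plus
// issuer): it needs only the trust anchor, and it pins the expected identity.
func verifyPeer(leaf, issuer, anchor *x509.Certificate, identity string) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	inters := x509.NewCertPool()
	inters.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: identity})
	return err
}

// rotationDemo rotates the issuer under a fixed trust anchor, the operation an
// external PKI provider automates. It reports whether a leaf minted before the
// rotation still validates, whether one from the new issuer validates, and
// whether a leaf signed by an unrelated CA is rejected.
func rotationDemo() (oldOK, newOK, rogueRejected bool) {
	const identity = "web.emojivoto.serviceaccount.identity.linkerd.cluster.local" // constructed name
	anchor := mustCert("root.linkerd.cluster.local", true, nil, 10*365*24*time.Hour)
	issuerV1 := mustCert("identity.linkerd.cluster.local", true, anchor, 48*time.Hour)
	leafV1 := mustCert(identity, false, issuerV1, 24*time.Hour)
	// Rotation: a fresh issuer key pair, signed by the same anchor.
	issuerV2 := mustCert("identity.linkerd.cluster.local", true, anchor, 48*time.Hour)
	leafV2 := mustCert(identity, false, issuerV2, 24*time.Hour)
	// An issuer outside the anchor's trust, e.g. one belonging to another cluster.
	rogueCA := mustCert("rogue", true, nil, 48*time.Hour)
	rogueLeaf := mustCert(identity, false, rogueCA, 24*time.Hour)
	oldOK = verifyPeer(leafV1.cert, issuerV1.cert, anchor.cert, identity) == nil
	newOK = verifyPeer(leafV2.cert, issuerV2.cert, anchor.cert, identity) == nil
	rogueRejected = verifyPeer(rogueLeaf.cert, rogueCA.cert, anchor.cert, identity) != nil
	return
}
```

The point to take from it: as long as the trust anchor stays fixed, an external tool can rotate the issuer key pair as often as it likes without touching the proxies, because peers validate against the anchor and the presented chain. Rotating the anchor itself is a different operation that requires distributing the new anchor to every proxy before any issuer signed by it goes live.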

The team also looked at the dashboard's own security and added protection against DNS rebinding attacks: the web component now validates the HTTP Host header against the hostnames it expects and refuses anything else, so a malicious page that re-points its own hostname at 127.0.0.1 cannot reach the dashboard through a victim's browser. Speaking of protection, linkerd check has been extended: it verifies that the CNI plugin is installed when the CNI mode is in use, that the kube-system namespace carries the config.linkerd.io/admission-webhooks=disabled label so Linkerd's admission webhooks leave it alone, and that the control plane's TLS certificates are valid, meaning within their validity period and chained to the configured trust anchor.
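The check itself is short. The following is an added example in Go, not the dashboard's code, showing a Host-header allowlist as net/http middleware. A DNS rebinding attack works because the browser's same-origin policy is keyed on the attacker's hostname, which keeps resolving to 127.0.0.1 after the first load; the Host header still names the attacker's site, which is what the middleware rejects. The regular expression, the port and the 404 response are assumptions for the example and are not Linkerd's exact pattern.

```go
package main

import (
	"net/http"
	"regexp"
)

// hostPattern is the allowlist applied to the Host header. It admits only the
// names a legitimate browser session would use, with an optional port, and is
// anchored at both ends so "localhost.attacker.example" does not slip through.
// Assumed pattern for this example; not the pattern Linkerd ships.
var hostPattern = regexp.MustCompile(
	`^(localhost|127\.0\.0\.1|\[::1\]|linkerd-web\.linkerd\.svc(\.cluster\.local)?)(:\d+)?$`)

// hostAllowed reports whether a request with this Host header may reach the dashboard.
func hostAllowed(host string) bool {
	return hostPattern.MatchString(host)
}

// enforceHost rejects requests whose Host header is not on the allowlist. A
// rebound request arrives with the attacker's hostname in Host even though the
// TCP connection came to 127.0.0.1, which is what separates it from a genuine
// local request. 404 is used so a probing script learns nothing from the reply.
func enforceHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "invalid Host header", http.StatusNotFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newDashboard wires the middleware in front of a stand-in dashboard handler.
func newDashboard() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("dashboard"))
	})
	return enforceHost(mux)
}

func main() {
	// Listen on loopback only, as a port-forwarded dashboard would.
	http.ListenAndServe("127.0.0.1:50750", newDashboard())
}
```

Two details matter in practice: the pattern must be anchored, otherwise any hostname containing "localhost" passes, and the port must be accepted explicitly, because browsers include it in Host whenever it is not the scheme default.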

Performance was also on the to-do list for this release, which users may notice when running linkerd install --ignore-cluster or --skip-checks, and when using the dashboard. Troubleshooting has been improved slightly as well: the proxy's error logging now includes more contextual information, and gRPC services get better error classification and responses.

Before upgrading, users should read the upgrade instructions, since Linkerd's Helm charts saw breaking changes intended to bring them in line with the cloud native community's best practices. Additional information can be found in the release notes.