Security-focused service mesh Linkerd 2.10 is now available with the promise of bringing the default control plane down to 200MB at startup. The change is down to the Linkerd team stripping the CNCF incubating project’s default control plane from all non-critical components, putting them into extensions instead.
The first iteration of the extension set sees Prometheus, Grafana, the dashboard and other on-cluster metrics components slipping into an extension called viz. Cross-cluster communication features can meanwhile be found in multicluster, and the distributed tracing collector and UI have been placed into a jaeger extension. Extensions can be added as needed via the install command, and allow developers to come up with operators and controllers for Linkerd “without having to modify the core Linkerd CLI”.
In a blog post explaining the architectural change, maintainer William Morgan wrote that the set of use cases is growing and putting stress on the simplicity focused project. “Thus far, we’ve tackled this in a somewhat ad-hoc manner, including a custom install flow for the multi-cluster components, a specialized ‘Bring Your Own Prometheus’ feature, and so on. Moving all this machinery to the extensions framework allows for consistency: each of these feature extensions can now be treated exactly the same way.”
Other than that the control plane’s identity controller has been changed to receive trust anchors through an environment variable so that certificates can now be loaded from secrets or config maps. PodDisruptionBudgets have made their way into control plane components so that they can’t be terminated at the same time.
Users who often work with server-speaks-first protocols like MySQL and SMTP can mark these now as opaque ports. The new feature stops the mesh from trying to detect the protocol, showing the proxy that it should just treat the traffic as opaque TCP instead. Earlier versions would bypass the proxy for certain ports depending on the traffic type, which resulted in Linkerd losing the means to capture port metrics or apply mTLS.
The proxy has been updated to use TLS 1.3, though TLS 1.2 is still supported for backwards compatibility, and comes with a new /shutdown admin endpoint “that may only be accessed over the loopback network allowing batch jobs to gracefully terminate the proxy on completion.” TLS certificates for injected pods can be fetched through a new linkerd identity command.
More details can be found in the release notes. For the next stable release the Linkerd team plans to look into adding policy support into the service mesh.