With the massive adoption of microservices, operators and developers face far more complexity in their applications today. Service meshes can help you manage this problem by providing a unified control plane to secure, manage, and monitor your entire network. This practical guide shows you how the Linkerd service mesh enables cloud native developers—including platform and site reliability engineers—to solve the thorny issue of running distributed applications in Kubernetes.
Jason Morgan and Flynn draw on their years of experience at Buoyant—the creators of Linkerd—to demonstrate how this service mesh can help ensure that your applications are secure, observable, and reliable. You’ll understand why Linkerd, the original service mesh, can still claim the lowest time to value of any mesh option available today.
• Learn how Linkerd works and which tasks it can help you accomplish
• Install and configure Linkerd in an imperative and declarative manner
• Secure interservice traffic and set up secure multicluster links
• Create a zero trust authorization strategy in Kubernetes clusters
• Organize services in Linkerd to override error codes, set custom retries, and create timeouts
• Use Linkerd to manage progressive delivery and pair this service mesh with the ingress of your choice
Author(s): Jason Morgan, Flynn
Edition: 1
Publisher: O'Reilly Media
Year: 2024
Language: English
Commentary: Publisher's PDF
Pages: 259
City: Sebastopol, CA
Tags: Reliability; Clusters; Kubernetes; Observability; Service Mesh
Copyright
Table of Contents
Preface
  Who Should Read This Book
  Why We Wrote This Book
  Navigating This Book
  Conventions Used in This Book
  Using Code Examples
  O’Reilly Online Learning
  How to Contact Us
  Acknowledgments
Chapter 1. Service Mesh 101
  Basic Mesh Functionality
  Security
  Reliability
  Observability
  How Do Meshes Actually Work?
  So Why Do We Need This?
  Summary
Chapter 2. Intro to Linkerd
  Where Does Linkerd Come From?
  Linkerd1
  Linkerd2
  The Linkerd Proxy
  Linkerd Architecture
  mTLS and Certificates
  Certifying Authorities
  The Linkerd Control Plane
  Linkerd Extensions
  Summary
Chapter 3. Deploying Linkerd
  Considerations
  Linkerd Versioning
  Workloads, Pods, and Services
  TLS Certificates
  Linkerd Viz
  Deploying Linkerd
  Required Tools
  Provisioning a Kubernetes Cluster
  Installing Linkerd via the CLI
  Installing Linkerd via Helm
  Configuring Linkerd
  Cluster Networks
  Linkerd Control Plane Resources
  Opaque and Skip Ports
  Summary
Chapter 4. Adding Workloads to the Mesh
  Workloads Versus Services
  What Does It Mean to Add a Workload to the Mesh?
  Injecting Individual Workloads
  Injecting All Workloads in a Namespace
  linkerd.io/inject Values
  Why Might You Decide Not to Add a Workload to the Mesh?
  Other Proxy Configuration Options
  Protocol Detection
  When Protocol Detection Goes Wrong
  Opaque Ports Versus Skip Ports
  Configuring Protocol Detection
  Default Opaque Ports
  Kubernetes Resource Limits
  Summary
Chapter 5. Ingress and Linkerd
  Ingress Controllers with Linkerd
  The Ingress Controller Is Just Another Meshed Workload
  Linkerd Is (Mostly) Invisible
  Use Cleartext Within the Cluster
  Route to Services, Not Endpoints
  Ingress Mode
  Specific Ingress Controller Examples
  Emissary-ingress
  NGINX
  Envoy Gateway
  Summary
Chapter 6. The Linkerd CLI
  Installing the CLI
  Updating the CLI
  Installing a Specific Version
  Alternate Ways to Install
  Using the CLI
  Selected Commands
  linkerd version
  linkerd check
  linkerd inject
  linkerd identity
  linkerd diagnostics
  Summary
Chapter 7. mTLS, Linkerd, and Certificates
  Secure Communications
  TLS and mTLS
  mTLS and Certificates
  Linkerd and mTLS
  Certificates and Linkerd
  The Linkerd Trust Anchor
  The Linkerd Identity Issuer
  Linkerd Workload Certificates
  Certificate Lifetimes and Rotation
  Certificate Management in Linkerd
  Automatic Certificate Management with cert-manager
  Summary
Chapter 8. Linkerd Policy: Overview and Server-Based Policy
  Linkerd Policy Overview
  Linkerd Default Policy
  Linkerd Policy Resources
  Server-Based Policy Versus Route-Based Policy
  Server-Based Policy with the emojivoto Application
  Configuring the Default Policy
  Configuring Dynamic Policy
  Summary
Chapter 9. Linkerd Route-Based Policy
  Route-Based Policy Overview
  The booksapp Sample Application
  Installing booksapp
  Configuring booksapp Policy
  Infrastructure Policy
  Read-Only Access
  Enabling Write Access
  Allowing Writes to books
  Reenabling the Traffic Generator
  Summary
Chapter 10. Observing Your Platform with Linkerd
  Why Do We Need This?
  How Does Linkerd Help?
  Observability in Linkerd
  Setting Up Your Cluster
  Tap
  Service Profiles
  Topology
  Linkerd Viz
  Audit Trails and Access Logs
  Access Logging: The Good, the Bad, and the Ugly
  Enabling Access Logging
  Summary
Chapter 11. Ensuring Reliability with Linkerd
  Load Balancing
  Retries
  Retry Budgets
  Configuring Retries
  Configuring the Budget
  Timeouts
  Configuring Timeouts
  Traffic Shifting
  Traffic Shifting, Gateway API, and the Linkerd SMI Extension
  Setting Up Your Environment
  Weight-Based Routing (Canary)
  Header-Based Routing (A/B Testing)
  Traffic Shifting Summary
  Circuit Breaking
  Enabling Circuit Breaking
  Tuning Circuit Breaking
  Summary
Chapter 12. Multicluster Communication with Linkerd
  Types of Multicluster Setups
  Gateway-Based Multicluster
  Pod-to-Pod Multicluster
  Gateways Versus Pod-to-Pod
  Multicluster Certificates
  Cross-Cluster Service Discovery
  Setting Up for Multicluster
  Continuing with a Gateway-Based Setup
  Continuing with a Pod-to-Pod Setup
  Multicluster Gotchas
  Deploying and Connecting an Application
  Checking Traffic
  Policy in Multicluster Environments
  Summary
Chapter 13. Linkerd CNI Versus Init Containers
  Kubernetes sans Linkerd
  Nodes, Pods, and More
  Networking in Kubernetes
  The Role of the Packet Filter
  The Container Networking Interface
  The Kubernetes Pod Startup Process
  Kubernetes and Linkerd
  The Init Container Approach
  The Linkerd CNI Plugin Method
  Races and Ordering
  Summary
Chapter 14. Production-Ready Linkerd
  Linkerd Community Resources
  Getting Help
  Responsible Disclosure
  Kubernetes Compatibility
  Going to Production with Linkerd
  Stable or Edge?
  Preparing Your Environment
  Configuring Linkerd for High Availability
  Monitoring Linkerd
  Certificate Health and Expiration
  Control Plane
  Data Plane
  Metrics Collection
  Linkerd Viz for Production Use
  Accessing Linkerd Logs
  Upgrading Linkerd
  Upgrading via Helm
  Upgrading via the CLI
  Readiness Checklist
  Summary
Chapter 15. Debugging Linkerd
  Diagnosing Data Plane Issues
  “Common” Linkerd Data Plane Failures
  Setting Proxy Log Levels
  Debugging the Linkerd Control Plane
  Linkerd Control Plane and Availability
  The Core Control Plane
  Linkerd Extensions
  Summary
Index
About the Authors
Colophon