
linkerd-patterns

Implement Linkerd service mesh patterns for lightweight, security-focused service mesh deployments. Use when setting up Linkerd, configuring traffic policies, or implementing zero-trust networking with minimal overhead.

Free. Risk: medium. Tags: linkerd, patterns, kubernetes

The full skill

---
name: linkerd-patterns
description: Implement Linkerd service mesh patterns for lightweight, security-focused service mesh deployments. Use when setting up Linkerd, configuring traffic policies, or implementing zero-trust networking with minimal overhead.
---

# Linkerd Patterns

Production patterns for Linkerd service mesh, the lightweight, security-first service mesh for Kubernetes.

## When to Use This Skill

- Setting up a lightweight service mesh
- Implementing automatic mTLS
- Configuring traffic splits for canary deployments
- Setting up service profiles for per-route metrics
- Implementing retries and timeouts
- Multi-cluster service mesh

## Core Concepts

### 1. Linkerd Architecture

```
┌──────────────────────────────────────────────────────┐
│                    Control Plane                     │
│  ┌─────────────┐  ┌──────────┐  ┌────────────────┐   │
│  │ destination │  │ identity │  │ proxy-injector │   │
│  └─────────────┘  └──────────┘  └────────────────┘   │
└──────────────────────────────────────────────────────┘
                          │
┌──────────────────────────────────────────────────────┐
│                      Data Plane                      │
│  ┌─────┐       ┌─────┐       ┌─────┐                 │
│  │proxy│───────│proxy│───────│proxy│                 │
│  └─────┘       └─────┘       └─────┘                 │
│     │             │             │                    │
│  ┌──┴──┐       ┌──┴──┐       ┌──┴──┐                 │
│  │ app │       │ app │       │ app │                 │
│  └─────┘       └─────┘       └─────┘                 │
└──────────────────────────────────────────────────────┘
```

The control plane issues workload identities (identity), tells proxies where to send traffic (destination) and adds the proxy sidecar to pods (proxy-injector). Every app container talks only to its local proxy; the proxies talk to each other over mTLS.

### 2. Key Resources

| Resource                | Purpose                              |
| ----------------------- | ------------------------------------ |
| **ServiceProfile**      | Per-route metrics, retries, timeouts |
| **TrafficSplit**        | Canary deployments, A/B testing      |
| **Server**              | Define server-side policies          |
| **ServerAuthorization** | Access control policies              |

## Templates

### Template 1: Mesh Installation

```bash
# Install CLI
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh

# Validate cluster
linkerd check --pre

# Install CRDs
linkerd install --crds | kubectl apply -f -

# Install control plane
linkerd install | kubectl apply -f -

# Verify installation
linkerd check

# Install viz extension (optional)
linkerd viz install | kubectl apply -f -
```

### Template 2: Inject Namespace

```yaml
# Automatic injection for namespace
apiVersion: v1
kind: Namespace
metadata:
  name: my-app
  annotations:
    linkerd.io/inject: enabled
---
# Or inject specific deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  annotations:
    linkerd.io/inject: enabled
spec:
  template:
    metadata:
      annotations:
        linkerd.io/inject: enabled
```

### Template 3: Service Profile with Retries

```yaml
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: my-service.my-namespace.svc.cluster.local
  namespace: my-namespace
spec:
  routes:
    - name: GET /api/users
      condition:
        method: GET
        pathRegex: /api/users
      responseClasses:
        - condition:
            status:
              min: 500
              max: 599
          isFailure: true
      isRetryable: true
    - name: POST /api/users
      condition:
        method: POST
        pathRegex: /api/users
      # POST not retryable by default
      isRetryable: false
    - name: GET /api/users/{id}
      condition:
        method: GET
        pathRegex: /api/users/[^/]+
      timeout: 5s
      isRetryable: true
  retryBudget:
    retryRatio: 0.2
    minRetriesPerSecond: 10
    ttl: 10s
```

### Template 4: Traffic Split (Canary)

```yaml
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
  name: my-service-canary
  namespace: my-namespace
spec:
  service: my-service
  backends:
    - service: my-service-stable
      weight: 900m # 90%
    - service: my-service-canary
      weight: 100m # 10%
```

### Template 5: Server Authorization Policy

```yaml
# Define the server
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: my-service-http
  namespace: my-namespace
spec:
  podSelector:
    matchLabels:
      app: my-service
  port: http
  proxyProtocol: HTTP/1
---
# Allow traffic from specific clients
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: allow-frontend
  namespace: my-namespace
spec:
  server:
    name: my-service-http
  client:
    meshTLS:
      serviceAccounts:
        - name: frontend
          namespace: my-namespace
---
# Allow unauthenticated traffic (e.g., from ingress)
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: allow-ingress
  namespace: my-namespace
spec:
  server:
    name: my-service-http
  client:
    unauthenticated: true
    networks:
      - cidr: 10.0.0.0/8
```

### Template 6: HTTPRoute for Advanced Routing

```yaml
apiVersion: policy.linkerd.io/v1beta2
kind: HTTPRoute
metadata:
  name: my-route
  namespace: my-namespace
spec:
  parentRefs:
    - name: my-service
      kind: Service
      group: core
      port: 8080
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/v2
        - headers:
            - name: x-api-version
              value: v2
      backendRefs:
        - name: my-service-v2
          port: 8080
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: my-service-v1
          port: 8080
```

### Template 7: Multi-cluster Setup

```bash
# On each cluster, install with cluster credentials
linkerd multicluster install | kubectl apply -f -

# Link clusters
linkerd multicluster link --cluster-name west \
  --api-server-address https://west.example.com:6443 \
  | kubectl apply -f -

# Export a service to other clusters
kubectl label svc/my-service mirror.linkerd.io/exported=true

# Verify cross-cluster connectivity
linkerd multicluster check
linkerd multicluster gateways
```

## Monitoring Commands

```bash
# Live traffic view
linkerd viz top deploy/my-app

# Per-route metrics
linkerd viz routes deploy/my-app

# Check proxy status
linkerd viz stat deploy -n my-namespace

# View service dependencies
linkerd viz edges deploy -n my-namespace

# Dashboard
linkerd viz dashboard
```

## Debugging

```bash
# Check injection status
linkerd check --proxy -n my-namespace

# View proxy logs
kubectl logs deploy/my-app -c linkerd-proxy

# Debug identity/TLS (takes one or more pod names)
linkerd identity -n my-namespace <pod-name>

# Tap traffic (live)
linkerd viz tap deploy/my-app --to deploy/my-backend
```

## Best Practices

### Do's

- **Enable mTLS everywhere**: it's automatic with Linkerd
- **Use ServiceProfiles**: get per-route metrics and retries
- **Set retry budgets**: prevent retry storms
- **Monitor golden metrics**: success rate, latency, throughput

### Don'ts

- **Don't skip check**: always run `linkerd check` after changes
- **Don't over-configure**: Linkerd defaults are sensible
- **Don't ignore ServiceProfiles**: they unlock advanced features
- **Don't forget timeouts**: set appropriate values per route
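The retry and timeout rules behind Template 3 and the "set retry budgets" and "don't forget timeouts" practices can be checked mechanically. The following lint is an added example, not part of the skill or of Linkerd: it reads the JSON that `kubectl get serviceprofile <name> -n <ns> -o json` prints and flags routes that retry non-idempotent methods, routes without a timeout, and profiles that enable retries without a `retryBudget`. The sample profile is constructed to mirror Template 3 but deliberately makes the POST route retryable and omits the budget so the lint has something to report; the values `harden_profile` fills in are this example's choices, not Linkerd defaults.

```python
"""Lint a Linkerd ServiceProfile for retry and timeout hygiene.

Added example, not part of the linkerd-patterns skill. Input is the JSON
printed by `kubectl get serviceprofile <name> -n <ns> -o json`.
"""
import copy
import json

# Methods that are safe to repeat (idempotent per RFC 9110); retrying anything
# else can duplicate side effects such as creating a record twice.
IDEMPOTENT = {"GET", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample: Template 3 with the POST route wrongly retryable and no
# retryBudget, so the lint below produces findings.
SAMPLE_PROFILE = json.loads("""
{
  "apiVersion": "linkerd.io/v1alpha2",
  "kind": "ServiceProfile",
  "metadata": {"name": "my-service.my-namespace.svc.cluster.local",
               "namespace": "my-namespace"},
  "spec": {
    "routes": [
      {"name": "GET /api/users",
       "condition": {"method": "GET", "pathRegex": "/api/users"},
       "responseClasses": [{"condition": {"status": {"min": 500, "max": 599}},
                            "isFailure": true}],
       "isRetryable": true},
      {"name": "POST /api/users",
       "condition": {"method": "POST", "pathRegex": "/api/users"},
       "isRetryable": true},
      {"name": "GET /api/users/{id}",
       "condition": {"method": "GET", "pathRegex": "/api/users/[^/]+"},
       "timeout": "5s",
       "isRetryable": true}
    ]
  }
}
""")


def lint_service_profile(profile):
    """Return human-readable findings for one ServiceProfile; [] means clean."""
    findings = []
    spec = profile.get("spec", {})
    retries_enabled = False
    for route in spec.get("routes", []):
        name = route.get("name", "<unnamed route>")
        method = route.get("condition", {}).get("method", "ANY").upper()
        if route.get("isRetryable"):
            retries_enabled = True
            if method not in IDEMPOTENT:
                findings.append(
                    f"{name}: retryable {method} route can duplicate side effects")
        if "timeout" not in route:
            findings.append(f"{name}: no timeout set, the proxy default applies")
    # A budget caps retries as a fraction of live traffic; without one the
    # proxies can amplify an outage into a retry storm.
    if retries_enabled and "retryBudget" not in spec:
        findings.append(
            "retries enabled without a retryBudget: nothing bounds a retry storm")
    return findings


def harden_profile(profile):
    """Return a copy with the findings above corrected.

    The timeout and budget values are this example's choices (hypothetical),
    not Linkerd defaults; tune them per route.
    """
    fixed = copy.deepcopy(profile)
    for route in fixed["spec"]["routes"]:
        route.setdefault("timeout", "5s")
        method = route.get("condition", {}).get("method", "ANY").upper()
        if method not in IDEMPOTENT:
            route["isRetryable"] = False
    fixed["spec"].setdefault(
        "retryBudget", {"retryRatio": 0.2, "minRetriesPerSecond": 10, "ttl": "10s"})
    return fixed


if __name__ == "__main__":
    for finding in lint_service_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
    print("after hardening:", lint_service_profile(harden_profile(SAMPLE_PROFILE)))
```

Run it against a live profile with `kubectl get serviceprofile my-service.my-namespace.svc.cluster.local -n my-namespace -o json | python3 lint.py` after adapting the `__main__` block to read stdin; the idempotent-method check is what keeps a retry from re-submitting a POST.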
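Template 5 grants access per Server, and the security of the result depends on how narrow each `ServerAuthorization` is. The audit below is an added example, not part of the skill or of Linkerd: it reads the `List` JSON printed by `kubectl get server,serverauthorization -n <ns> -o json` and flags authorizations that admit unauthenticated clients from any network (no `networks`, or a `/0` CIDR), authorizations that accept TLS without a verified identity or with a `*` identity, and Servers that no authorization references (Linkerd denies all traffic to such a Server, which usually means a policy was forgotten). The sample objects are constructed from Template 5 plus one deliberately lax `allow-anyone` policy and one orphaned `my-service-admin` Server.

```python
"""Audit Linkerd Server / ServerAuthorization objects for over-broad access.

Added example, not part of the linkerd-patterns skill. Input is the JSON
printed by `kubectl get server,serverauthorization -n <ns> -o json`.
"""
import ipaddress
import json

# Constructed sample: Template 5's objects plus a lax policy and an orphaned Server.
SAMPLE_TEXT = """
{
  "kind": "List", "apiVersion": "v1",
  "items": [
    {"apiVersion": "policy.linkerd.io/v1beta1", "kind": "Server",
     "metadata": {"name": "my-service-http", "namespace": "my-namespace"},
     "spec": {"podSelector": {"matchLabels": {"app": "my-service"}},
              "port": "http", "proxyProtocol": "HTTP/1"}},
    {"apiVersion": "policy.linkerd.io/v1beta1", "kind": "ServerAuthorization",
     "metadata": {"name": "allow-frontend", "namespace": "my-namespace"},
     "spec": {"server": {"name": "my-service-http"},
              "client": {"meshTLS": {"serviceAccounts":
                         [{"name": "frontend", "namespace": "my-namespace"}]}}}},
    {"apiVersion": "policy.linkerd.io/v1beta1", "kind": "ServerAuthorization",
     "metadata": {"name": "allow-ingress", "namespace": "my-namespace"},
     "spec": {"server": {"name": "my-service-http"},
              "client": {"unauthenticated": true, "networks": [{"cidr": "10.0.0.0/8"}]}}},
    {"apiVersion": "policy.linkerd.io/v1beta1", "kind": "ServerAuthorization",
     "metadata": {"name": "allow-anyone", "namespace": "my-namespace"},
     "spec": {"server": {"name": "my-service-http"},
              "client": {"unauthenticated": true}}},
    {"apiVersion": "policy.linkerd.io/v1beta1", "kind": "Server",
     "metadata": {"name": "my-service-admin", "namespace": "my-namespace"},
     "spec": {"podSelector": {"matchLabels": {"app": "my-service"}}, "port": "admin"}}
  ]
}
"""


def load_items(text):
    """Accept either a kubectl List or a single object and return the item list."""
    doc = json.loads(text)
    return doc["items"] if doc.get("kind") == "List" else [doc]


def _network_unrestricted(networks):
    """True when no networks are given or one of them is a catch-all CIDR."""
    if not networks:
        return True
    for net in networks:
        try:
            if ipaddress.ip_network(net.get("cidr", ""), strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # malformed entry: leave it to the API server's validation
    return False


def audit_policies(items):
    """Return human-readable findings for a namespace's policy objects."""
    servers = {i["metadata"]["name"] for i in items if i["kind"] == "Server"}
    referenced = set()
    findings = []
    for obj in items:
        if obj["kind"] != "ServerAuthorization":
            continue
        name = obj["metadata"]["name"]
        spec = obj.get("spec", {})
        server_ref = spec.get("server", {})
        if "name" in server_ref:
            referenced.add(server_ref["name"])
        else:
            # A label selector may match any Server; assume it covers all of them.
            referenced |= servers
        client = spec.get("client", {})
        if client.get("unauthenticated") and _network_unrestricted(client.get("networks")):
            findings.append(f"{name}: unauthenticated clients allowed from any network")
        mesh = client.get("meshTLS", {})
        if mesh.get("unauthenticatedTLS"):
            findings.append(f"{name}: accepts TLS clients without a verified identity")
        if any(ident.strip() == "*" for ident in mesh.get("identities", [])):
            findings.append(f"{name}: wildcard identity authorizes every meshed workload")
    for srv in sorted(servers - referenced):
        findings.append(
            f"Server {srv}: no ServerAuthorization references it, so all traffic is denied")
    return findings


SAMPLE_ITEMS = load_items(SAMPLE_TEXT)

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_ITEMS):
        print("FINDING:", finding)
```

Pair the audit with `linkerd viz authz deploy/my-service -n my-namespace`, which shows which authorization actually admitted live traffic; the static check tells you what a policy could admit, the runtime view tells you what it did.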