diff --git a/linkerd.io/content/blog/2024/0813-announcing-linkerd-2.16.md b/linkerd.io/content/blog/2024/0813-announcing-linkerd-2.16.md new file mode 100644 index 0000000000..c4d5eb7f1c --- /dev/null +++ b/linkerd.io/content/blog/2024/0813-announcing-linkerd-2.16.md @@ -0,0 +1,211 @@ +--- +author: 'william' +date: 2024-08-13T00:00:00Z +title: Announcing Linkerd 2.16! Metrics, retries, and timeouts for HTTP and gRPC routes; IPv6 support; policy audit mode; and lots more +thumbnail: '/images/pexels-raybilcliff-1494707.jpg' +tags: [Linkerd, linkerd, "2.16", features] +slug: announcing-linkerd-2.16 +featured: true +--- + +![Waves crashing in a stormy sea](/images/pexels-raybilcliff-1494707.jpg) + +Today we're happy to announce [Linkerd 2.16](/releases/#linkerd-216), a major +step forward for Linkerd that adds a whole host of new features, including +support for IPv6; an "audit mode" for Linkerd's zero trust security policies; a +new implementation of retries, timeouts, and per-route metrics for HTTPRoute and +GPRCRoute resources; and much more. + +## New route metrics, retries, and timeouts + +The 2.16 release continues our goal of ensuring Linkerd is the truly +_future-proof service mesh._ We expect the [Gateway +API](https://gateway-api.sigs.k8s.io/) to emerge as the standard for traffic +configuration in the Kubernetes space, and when that happens, Linkerd users will +be ready. (Of course, we're also actively involved in the Gateway API to ensure +the evolving design continues to make sense for Linkerd users!) + +To this end, Linkerd 2.16 now publishes metrics for Gateway API HTTPRoute and +GRPCRoute resources, so you can capture granular per-route success rates, +latencies, request volumes, and other metrics without changing any application +code. + +Linkerd 2.16 also adds retry and timeout configuration to these same Gateway API +resources, bringing the feature sets for Gateway API and ServiceProfiles to +parity (as [promised in our February Linkerd 2.15 +announcement](https://linkerd.io/blog/announcing-linkerd-2.15/)). This +configuration is backed by a new implementation that improves upon Linkerd's +earlier retry and timeout logic in two key ways: + +1. Requests that time out can now be retried; and +2. Retries and timeouts can now be combined with circuit breaking. + +Enabling Linkerd's new retry and timeout support is as simple as adding +annotations to Gateway API resources. For example: + +```yaml +kind: HTTPRoute +apiVersion: gateway.networking.k8s.io/v1beta1 +metadata: + name: myapp-default-route + namespace: myns + annotations: + retry.linkerd.io/http: 5xx + retry.linkerd.io/limit: "2" + retry.linkerd.io/timeout: 300ms +spec: + parentRefs: + - name: myapp + kind: Service + group: core + port: 80 + rules: + - matches: + - path: + type: PathPrefix + value: "/foo/" +``` + +In short, Linkerd's new implementation of per-route metrics, retries, and +timeouts are now provided in a principled, future-proof way that is composable +with existing features such as circuit breaking, and configured using the +Gateway API resources that we believe are the future of service mesh +configuration. [Learn +more](https://linkerd.io/2/features/retries-and-timeouts/). + +## Audit mode for security policies + +Linkerd's "zero trust" authorization policies provide a powerful and expressive +mechanism for controlling which network traffic is allowed. They support a wide +variety of approaches to network security, including micro-segmentation and +"deny by default" policies. In contrast to ambient or host-proxy approaches, +Linkerd's sidecar design provides a clear security boundary that fits directly +into the zero trust model, where each pod makes its own authorization decisions +independently, maintains its (and only its) TLS keys, and makes policy decisions +based on cryptographic workload identity, not IP addresses. + +However, introducing authorization policy in a live system can be tricky. To +address this, Linkerd 2.16 introduces a new _audit mode_ to policies. In this +mode, policy violations are logged but not enforced. This allows policies to be +rolled out in a lower-risk fashion, as they can now start in audit mode and only +move to enforcement once fully vetted. Audit mode can be enabled cluster-wide, +per-namespace, or on specific Server resources by setting the new `accessPolicy` +field to `audit`, vs its default `deny`. + +For example: + +```yaml +apiVersion: policy.linkerd.io/v1beta3 +kind: Server +metadata: + namespace: emojivoto + name: web-http +spec: + accessPolicy: audit + podSelector: + matchLabels: + app: web-svc + port: http + proxyProtocol: HTTP/1 +``` + +Similarly, the `linkerd policy generate` command in Buoyant Enterprise for +Linkerd, which watches live traffic to a system and generates policy scaffolding +that accounts for observed traffic, has been updated to use audit mode by +default. [Learn +more](https://docs.buoyant.io/buoyant-enterprise-linkerd/latest/tasks/generating-policy/). + +## IPv6 + +Linkerd 2.16 adds support for IPv6 on IPv6-only and dual-stack clusters. (When +enabled on dual stack clusters, Linkerd will only use IPv6 endpoints.) For +backwards compatibility, this feature is disabled by default, but enabling it is +a simple boolean. [Learn more](https://linkerd.io/2/features/ipv6/). + +## Other noteworthy changes + +* Linkerd 2.16 adds HTTP/2 keep-alive messages by default for all meshed + communication. This helps Linkerd proactively detect connections that have + been lost by the operating system or underlying network. +* All Linkerd CLI commands that output Kubernetes resources now support JSON + output. +* To mitigate [CVE-2024-40632](https://nvd.nist.gov/vuln/detail/CVE-2024-40632), + in which a meshed application that is already vulnerable to an SSRF attack may + also leave the proxy open to shutdown, the /shutdown endpoint is now disabled + by default unless explicitly enabled. +* To prevent accidentally logging sensitive information, HTTP headers are no + longer logged in debug or trace output by default, unless explicitly enabled. +* To remove unnecessary configuration, resource requests for proxy-init now + simply use those of the proxy. + +## Linkerd continues to outperform Istio and Cilium + +In May, cloud consultancy [LiveWyre](https://livewyer.io/) published a set of +[service mesh +benchmarks](https://livewyer.io/blog/2024/05/08/comparison-of-service-meshes/) +showing that Linkerd resulted in lower latency and less resource consumption +than either Istio or Cilium. This has been the [consistent result of service +mesh benchmarks since +2021](https://linkerd.io/2021/05/27/linkerd-vs-istio-benchmarks/), and we were +happy to see this confirmed by another third party. + +## What's next for Linkerd? + +Momentum compounds, and Linkerd's momentum is currently at an all-time high. +Since March we've merged 250+ pull requests, revamped our edge release process +to provide [production-readiness +guidance](https://github.com/linkerd/linkerd2/releases) and [monthly +reviews](https://linkerd.io/2024/08/05/linkerd-edge-release-roundup/), and +published an average of 5 edge releases a month—more than one a week. There is a +lot more great news to report, and early next month we'll publish a deeper +retrospective of the past six months, but in short—it's an incredibly exciting +time to be involved with Linkerd! + +We're hard at work on egress functionality, which will provide both visibility +into all traffic leaving the cluster as well as the authorization policies +necessary to control it. Our original plan was to deliver this feature in +Linkerd 2.16, but we ultimately decided some of the features we had already +shipped were too good to delay any longer. Egress is now slated for the upcoming +Linkerd 2.17 release, which should follow relatively quickly after 2.16. After +egress we have our sights on ingress, plus a couple other exciting multi-cluster +features to make managing clusters at scale a lot easier. + +We've discussed deprecating ServiceProfiles in the past. Based on the extensive +use within the Linkerd community, we've decided to continue supporting them for +the foreseeable future. However, the new Gateway API retry and timeout logic is +a separate implementation, and that's where our active development will be +focused. We expect the feature gap to grow over time, and encourage you to +migrate to the new types. + +## Come see us at KubeCon! + +Many of the maintainers will be in attendance at [KubeCon +NA](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/) +this November in Salt Lake City, UT, where we have a great lineup of Linkerd +talks as well as many of your fellow Linkerd users. If you're attending the +conference, please stop by the Linkerd booth in the Project Pavilion and say hi! + +## Additional content + +[Buoyant](https://buoyant.io/), creators of Linkerd, have published a [release +announcement for Buoyant Enterprise for Linkerd +2.16](https://buoyant.io/blog/announcing-linkerd-2-16-ipv6-gateway-api-parity-audit-mode), +and a [Linkerd 2.16 +changelog](https://docs.buoyant.io/release-notes/buoyant-enterprise-linkerd/enterprise-2.16.0/) +with additional guidance and content. + +## Linkerd is for everyone + +Linkerd is a graduated project of the [Cloud Native Computing +Foundation](https://cncf.io/). Linkerd is [committed to open +governance.](/2019/10/03/linkerds-commitment-to-open-governance/) If you have +feature requests, questions, or comments, we'd love to have you join our +rapidly-growing community! Linkerd is hosted on +[GitHub](https://github.com/linkerd/), and we have a thriving community on +[Slack](https://slack.linkerd.io/), [Twitter](https://twitter.com/linkerd), and +the [mailing lists](/community/get-involved/). Come and join the fun! + +## Photo credit + +Photo by [Ray Bilcliff](https://www.pexels.com/photo/crashing-waves-1494707/) on +[Pexels](https://pexels.com/). diff --git a/linkerd.io/content/blog/_index.md b/linkerd.io/content/blog/_index.md index 76138f9382..38ca484808 100644 --- a/linkerd.io/content/blog/_index.md +++ b/linkerd.io/content/blog/_index.md @@ -7,8 +7,8 @@ tags: - Tutorials & How-To's - Video items: - - blog/2024/0221-announcing-linkerd-2.15.md - - blog/2023/1107-mesh-expansion.md + - blog/2024/0813-announcing-linkerd-2.16.md + - blog/2024/0805-edge-release-roundup.md description: The latest blog posts on the Linkerd service mesh, from technical tutorials to announcements to what's next on the roadmap. keywords: [] --- diff --git a/linkerd.io/static/images/pexels-raybilcliff-1494707.jpg b/linkerd.io/static/images/pexels-raybilcliff-1494707.jpg new file mode 100644 index 0000000000..8a45d97ef1 Binary files /dev/null and b/linkerd.io/static/images/pexels-raybilcliff-1494707.jpg differ