Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2.16 announcement blog post #1825

Merged
merged 4 commits into from
Aug 13, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
211 changes: 211 additions & 0 deletions linkerd.io/content/blog/2024/0813-announcing-linkerd-2.16.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,211 @@
---
author: 'william'
date: 2024-08-13T00:00:00Z
title: Announcing Linkerd 2.16! Metrics, retries, and timeouts for HTTP and gRPC routes; IPv6 support; policy audit mode; and lots more
thumbnail: '/images/pexels-raybilcliff-1494707.jpg'
tags: [Linkerd, linkerd, "2.16", features]
slug: announcing-linkerd-2.16
featured: true
---

![Waves crashing in a stormy sea](/images/pexels-raybilcliff-1494707.jpg)

Today we're happy to announce [Linkerd 2.16](/releases/#linkerd-216), a major
step forward for Linkerd that adds a whole host of new features, including
support for IPv6; an "audit mode" for Linkerd's zero trust security policies; a
new implementation of retries, timeouts, and per-route metrics for HTTPRoute and
GPRCRoute resources; and much more.

## New route metrics, retries, and timeouts

The 2.16 release continues our goal of ensuring Linkerd is the truly
_future-proof service mesh._ We expect the [Gateway
API](https://gateway-api.sigs.k8s.io/) to emerge as the standard for traffic
configuration in the Kubernetes space, and when that happens, Linkerd users will
be ready. (Of course, we're also actively involved in the Gateway API to ensure
the evolving design continues to make sense for Linkerd users!)

To this end, Linkerd 2.16 now publishes metrics for Gateway API HTTPRoute and
GRPCRoute resources, so you can capture granular per-route success rates,
latencies, request volumes, and other metrics without changing any application
code.

Linkerd 2.16 also adds retry and timeout configuration to these same Gateway API
resources, bringing the feature sets for Gateway API and ServiceProfiles to
parity (as [promised in our February Linkerd 2.15
announcement](https://linkerd.io/blog/announcing-linkerd-2.15/)). This
configuration is backed by a new implementation that improves upon Linkerd's
earlier retry and timeout logic in two key ways:

1. Requests that time out can now be retried; and
2. Retries and timeouts can now be combined with circuit breaking.

Enabling Linkerd's new retry and timeout support is as simple as adding
annotations to Gateway API resources. For example:
kflynn marked this conversation as resolved.
Show resolved Hide resolved

```yaml
kind: HTTPRoute
apiVersion: gateway.networking.k8s.io/v1beta1
metadata:
name: myapp-default-route
namespace: myns
annotations:
retry.linkerd.io/http: 5xx
retry.linkerd.io/limit: "2"
retry.linkerd.io/timeout: 300ms
spec:
parentRefs:
- name: myapp
kind: Service
group: core
port: 80
rules:
- matches:
- path:
type: PathPrefix
value: "/foo/"
```

In short, Linkerd's new implementation of per-route metrics, retries, and
timeouts are now provided in a principled, future-proof way that is composable
with existing features such as circuit breaking, and configured using the
Gateway API resources that we believe are the future of service mesh
configuration. [Learn
more](https://linkerd.io/2/features/retries-and-timeouts/).

## Audit mode for security policies

Linkerd's "zero trust" authorization policies provide a powerful and expressive
mechanism for controlling which network traffic is allowed. They support a wide
variety of approaches to network security, including micro-segmentation and
"deny by default" policies. In contrast to ambient or host-proxy approaches,
Linkerd's sidecar design provides a clear security boundary that fits directly
into the zero trust model, where each pod makes its own authorization decisions
independently, maintains its (and only its) TLS keys, and makes policy decisions
based on cryptographic workload identity, not IP addresses.

However, introducing authorization policy in a live system can be tricky. To
address this, Linkerd 2.16 introduces a new _audit mode_ to policies. In this
mode, policy violations are logged but not enforced. This allows policies to be
rolled out in a lower-risk fashion, as they can now start in audit mode and only
move to enforcement once fully vetted. Audit mode can be enabled cluster-wide,
per-namespace, or on specific Server resources by setting the new `accessPolicy`
field to `audit`, vs its default `deny`.

For example:

```yaml
apiVersion: policy.linkerd.io/v1beta3
kind: Server
metadata:
namespace: emojivoto
name: web-http
spec:
accessPolicy: audit
podSelector:
matchLabels:
app: web-svc
port: http
proxyProtocol: HTTP/1
```

Similarly, the `linkerd policy generate` command in Buoyant Enterprise for
Linkerd, which watches live traffic to a system and generates policy scaffolding
that accounts for observed traffic, has been updated to use audit mode by
default. [Learn
more](https://docs.buoyant.io/buoyant-enterprise-linkerd/latest/tasks/generating-policy/).

## IPv6

Linkerd 2.16 adds support for IPv6 on IPv6-only and dual-stack clusters. (When
enabled on dual stack clusters, Linkerd will only use IPv6 endpoints.) For
backwards compatibility, this feature is disabled by default, but enabling it is
a simple boolean. [Learn more](https://linkerd.io/2/features/ipv6/).

## Other noteworthy changes

* Linkerd 2.16 adds HTTP/2 keep-alive messages by default for all meshed
communication. This helps Linkerd proactively detect connections that have
been lost by the operating system or underlying network.
* All Linkerd CLI commands that output Kubernetes resources now support JSON
output.
* To mitigate [CVE-2024-40632](https://nvd.nist.gov/vuln/detail/CVE-2024-40632),
in which a meshed application that is already vulnerable to an SSRF attack may
also leave the proxy open to shutdown, the /shutdown endpoint is now disabled
by default unless explicitly enabled.
* To prevent accidentally logging sensitive information, HTTP headers are no
longer logged in debug or trace output by default, unless explicitly enabled.
* To remove unnecessary configuration, resource requests for proxy-init now
simply use those of the proxy.

## Linkerd continues to outperform Istio and Cilium

In May, cloud consultancy [LiveWyre](https://livewyer.io/) published a set of
[service mesh
benchmarks](https://livewyer.io/blog/2024/05/08/comparison-of-service-meshes/)
showing that Linkerd resulted in lower latency and less resource consumption
than either Istio or Cilium. This has been the [consistent result of service
mesh benchmarks since
2021](https://linkerd.io/2021/05/27/linkerd-vs-istio-benchmarks/), and we were
happy to see this confirmed by another third party.

## What's next for Linkerd?

Momentum compounds, and Linkerd's momentum is currently at an all-time high.
Since March we've merged 250+ pull requests, revamped our edge release process
to provide [production-readiness
guidance](https://github.com/linkerd/linkerd2/releases) and [monthly
reviews](https://linkerd.io/2024/08/05/linkerd-edge-release-roundup/), and
published an average of 5 edge releases a month—more than one a week. There is a
lot more great news to report, and early next month we'll publish a deeper
retrospective of the past six months, but in short—it's an incredibly exciting
time to be involved with Linkerd!

We're hard at work on egress functionality, which will provide both visibility
into all traffic leaving the cluster as well as the authorization policies
necessary to control it. Our original plan was to deliver this feature in
Linkerd 2.16, but we ultimately decided some of the features we had already
shipped were too good to delay any longer. Egress is now slated for the upcoming
Linkerd 2.17 release, which should follow relatively quickly after 2.16. After
egress we have our sights on ingress, plus a couple other exciting multi-cluster
features to make managing clusters at scale a lot easier.

We've discussed deprecating ServiceProfiles in the past. Based on the extensive
use within the Linkerd community, we've decided to continue supporting them for
the foreseeable future. However, the new Gateway API retry and timeout logic is
a separate implementation, and that's where our active development will be
focused. We expect the feature gap to grow over time, and encourage you to
migrate to the new types.

## Come see us at KubeCon!

Many of the maintainers will be in attendance at [KubeCon
NA](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/)
this November in Salt Lake City, UT, where we have a great lineup of Linkerd
talks as well as many of your fellow Linkerd users. If you're attending the
conference, please stop by the Linkerd booth in the Project Pavilion and say hi!

## Additional content

[Buoyant](https://buoyant.io/), creators of Linkerd, have published a [release
announcement for Buoyant Enterprise for Linkerd
2.16](https://buoyant.io/blog/announcing-linkerd-2-16-ipv6-gateway-api-parity-audit-mode),
and a [Linkerd 2.16
changelog](https://docs.buoyant.io/release-notes/buoyant-enterprise-linkerd/enterprise-2.16.0/)
with additional guidance and content.

## Linkerd is for everyone

Linkerd is a graduated project of the [Cloud Native Computing
Foundation](https://cncf.io/). Linkerd is [committed to open
governance.](/2019/10/03/linkerds-commitment-to-open-governance/) If you have
feature requests, questions, or comments, we'd love to have you join our
rapidly-growing community! Linkerd is hosted on
[GitHub](https://github.com/linkerd/), and we have a thriving community on
[Slack](https://slack.linkerd.io/), [Twitter](https://twitter.com/linkerd), and
the [mailing lists](/community/get-involved/). Come and join the fun!

## Photo credit

Photo by [Ray Bilcliff](https://www.pexels.com/photo/crashing-waves-1494707/) on
[Pexels](https://pexels.com/).
4 changes: 2 additions & 2 deletions linkerd.io/content/blog/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,8 @@ tags:
- Tutorials & How-To's
- Video
items:
- blog/2024/0221-announcing-linkerd-2.15.md
- blog/2023/1107-mesh-expansion.md
- blog/2024/0813-announcing-linkerd-2.16.md
- blog/2024/0805-edge-release-roundup.md
description: The latest blog posts on the Linkerd service mesh, from technical tutorials to announcements to what's next on the roadmap.
keywords: []
---
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading