Linkerd Patterns

1---2name: linkerd-patterns3description: Implement Linkerd service mesh patterns for lightweight, security-focused service mesh deployments. Use when setting up Linkerd, configuring traffic policies, or implementing zero-trust networking with minimal overhead.4---5 6# Linkerd Patterns7 8Production patterns for Linkerd service mesh - the lightweight, security-first service mesh for Kubernetes.9 10## When to Use This Skill11 12- Setting up a lightweight service mesh13- Implementing automatic mTLS14- Configuring traffic splits for canary deployments15- Setting up service profiles for per-route metrics16- Implementing retries and timeouts17- Multi-cluster service mesh18 19## Core Concepts20 21### 1. Linkerd Architecture22 23```24┌─────────────────────────────────────────────┐25│                Control Plane                 │26│  ┌─────────┐ ┌──────────┐ ┌──────────────┐ │27│  │ destiny │ │ identity │ │ proxy-inject │ │28│  └─────────┘ └──────────┘ └──────────────┘ │29└─────────────────────────────────────────────┘30                      │31┌─────────────────────────────────────────────┐32│                 Data Plane                   │33│  ┌─────┐    ┌─────┐    ┌─────┐             │34│  │proxy│────│proxy│────│proxy│             │35│  └─────┘    └─────┘    └─────┘             │36│     │           │           │               │37│  ┌──┴──┐    ┌──┴──┐    ┌──┴──┐            │38│  │ app │    │ app │    │ app │            │39│  └─────┘    └─────┘    └─────┘            │40└─────────────────────────────────────────────┘41```42 43### 2. Key Resources44 45| Resource                | Purpose                              |46| ----------------------- | ------------------------------------ |47| **ServiceProfile**      | Per-route metrics, retries, timeouts |48| **TrafficSplit**        | Canary deployments, A/B testing      |49| **Server**              | Define server-side policies          |50| **ServerAuthorization** | Access control policies              |51 52## Templates53 54### Template 1: Mesh Installation55 56```bash57# Install CLI58curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh59 60# Validate cluster61linkerd check --pre62 63# Install CRDs64linkerd install --crds | kubectl apply -f -65 66# Install control plane67linkerd install | kubectl apply -f -68 69# Verify installation70linkerd check71 72# Install viz extension (optional)73linkerd viz install | kubectl apply -f -74```75 76### Template 2: Inject Namespace77 78```yaml79# Automatic injection for namespace80apiVersion: v181kind: Namespace82metadata:83  name: my-app84  annotations:85    linkerd.io/inject: enabled86---87# Or inject specific deployment88apiVersion: apps/v189kind: Deployment90metadata:91  name: my-app92  annotations:93    linkerd.io/inject: enabled94spec:95  template:96    metadata:97      annotations:98        linkerd.io/inject: enabled99```100 101### Template 3: Service Profile with Retries102 103```yaml104apiVersion: linkerd.io/v1alpha2105kind: ServiceProfile106metadata:107  name: my-service.my-namespace.svc.cluster.local108  namespace: my-namespace109spec:110  routes:111    - name: GET /api/users112      condition:113        method: GET114        pathRegex: /api/users115      responseClasses:116        - condition:117            status:118              min: 500119              max: 599120          isFailure: true121      isRetryable: true122    - name: POST /api/users123      condition:124        method: POST125        pathRegex: /api/users126      # POST not retryable by default127      isRetryable: false128    - name: GET /api/users/{id}129      condition:130        method: GET131        pathRegex: /api/users/[^/]+132      timeout: 5s133      isRetryable: true134  retryBudget:135    retryRatio: 0.2136    minRetriesPerSecond: 10137    ttl: 10s138```139 140### Template 4: Traffic Split (Canary)141 142```yaml143apiVersion: split.smi-spec.io/v1alpha1144kind: TrafficSplit145metadata:146  name: my-service-canary147  namespace: my-namespace148spec:149  service: my-service150  backends:151    - service: my-service-stable152      weight: 900m # 90%153    - service: my-service-canary154      weight: 100m # 10%155```156 157### Template 5: Server Authorization Policy158 159```yaml160# Define the server161apiVersion: policy.linkerd.io/v1beta1162kind: Server163metadata:164  name: my-service-http165  namespace: my-namespace166spec:167  podSelector:168    matchLabels:169      app: my-service170  port: http171  proxyProtocol: HTTP/1172---173# Allow traffic from specific clients174apiVersion: policy.linkerd.io/v1beta1175kind: ServerAuthorization176metadata:177  name: allow-frontend178  namespace: my-namespace179spec:180  server:181    name: my-service-http182  client:183    meshTLS:184      serviceAccounts:185        - name: frontend186          namespace: my-namespace187---188# Allow unauthenticated traffic (e.g., from ingress)189apiVersion: policy.linkerd.io/v1beta1190kind: ServerAuthorization191metadata:192  name: allow-ingress193  namespace: my-namespace194spec:195  server:196    name: my-service-http197  client:198    unauthenticated: true199    networks:200      - cidr: 10.0.0.0/8201```202 203### Template 6: HTTPRoute for Advanced Routing204 205```yaml206apiVersion: policy.linkerd.io/v1beta2207kind: HTTPRoute208metadata:209  name: my-route210  namespace: my-namespace211spec:212  parentRefs:213    - name: my-service214      kind: Service215      group: core216      port: 8080217  rules:218    - matches:219        - path:220            type: PathPrefix221            value: /api/v2222        - headers:223            - name: x-api-version224              value: v2225      backendRefs:226        - name: my-service-v2227          port: 8080228    - matches:229        - path:230            type: PathPrefix231            value: /api232      backendRefs:233        - name: my-service-v1234          port: 8080235```236 237### Template 7: Multi-cluster Setup238 239```bash240# On each cluster, install with cluster credentials241linkerd multicluster install | kubectl apply -f -242 243# Link clusters244linkerd multicluster link --cluster-name west \245  --api-server-address https://west.example.com:6443 \246  | kubectl apply -f -247 248# Export a service to other clusters249kubectl label svc/my-service mirror.linkerd.io/exported=true250 251# Verify cross-cluster connectivity252linkerd multicluster check253linkerd multicluster gateways254```255 256## Monitoring Commands257 258```bash259# Live traffic view260linkerd viz top deploy/my-app261 262# Per-route metrics263linkerd viz routes deploy/my-app264 265# Check proxy status266linkerd viz stat deploy -n my-namespace267 268# View service dependencies269linkerd viz edges deploy -n my-namespace270 271# Dashboard272linkerd viz dashboard273```274 275## Debugging276 277```bash278# Check injection status279linkerd check --proxy -n my-namespace280 281# View proxy logs282kubectl logs deploy/my-app -c linkerd-proxy283 284# Debug identity/TLS285linkerd identity -n my-namespace286 287# Tap traffic (live)288linkerd viz tap deploy/my-app --to deploy/my-backend289```290 291## Best Practices292 293### Do's294 295- **Enable mTLS everywhere** - It's automatic with Linkerd296- **Use ServiceProfiles** - Get per-route metrics and retries297- **Set retry budgets** - Prevent retry storms298- **Monitor golden metrics** - Success rate, latency, throughput299 300### Don'ts301 302- **Don't skip check** - Always run `linkerd check` after changes303- **Don't over-configure** - Linkerd defaults are sensible304- **Don't ignore ServiceProfiles** - They unlock advanced features305- **Don't forget timeouts** - Set appropriate values per route