
Linkerd Adds Default mTLS to Kubernetes to Enable Zero Trust

13 Nov 2020 7:52am, by

Linkerd, the open source service mesh, has been updated with a number of new features, including support for the ARM architecture, a new multicore proxy runtime, and the automatic enabling of mutual TLS (mTLS) security for all TCP connections.

William Morgan, CEO of Buoyant, the company behind Linkerd, says that the zero-config mTLS is a big step for Linkerd’s focus on zero trust security for Kubernetes and that it handles a lot of the complexity that might otherwise be the reason for insecure practices.

“Security is one of those things where, when you make it complicated and hard to implement, then people don’t do it. The more complex you make something, the less secure it is, that’s just human nature,” said Morgan.

While Linkerd has had mTLS for several versions now, it was only for HTTP and gRPC. With Linkerd 2.9, this will be extended to all TCP connections, and Morgan points out that there’s a lot of software that transcends those two protocols, especially when you’re building an internal application.

“What’s unique about Linkerd is that we do that in a way that requires zero configurations from the user, and that’s turned on by default. From the moment that you enable Linkerd, we take care of all the certificate management, rotation, provisioning of identities, and all that stuff,” said Morgan. “It’s really complicated because, ideally, you want to rotate those certificates on a regular basis. Doing this sort of kind of certificate management is the hard part. You want to tie those certificates to service identity in a way that maps to your Kubernetes infrastructure and so on.”

This zero-config, automatically enabled mTLS is just the beginning for Linkerd’s zero-trust security approach to Kubernetes, said Morgan, with FIPS compliance and Kubernetes policies among the next areas to tackle.

Another key change that arrives with Linkerd 2.9 is the multicore proxy runtime, which will allow Linkerd to handle even higher traffic situations. Unlike other service meshes, Linkerd runs its own proxy, Linkerd2-proxy, a “micro-proxy” built in Rust specifically for this purpose.

“The reason we call it a micro-proxy is that it’s really just designed for this one use case; we can shed all sorts of complexity about handling the many other ways proxying can be done and just focus on this. The result is that the operational overhead of running these proxies is actually very, very minimal, so the users are rarely exposed to the proxies; they just work, and they don’t have to be tuned and configured and tweaked and have some 10,000-line YAML file,” said Morgan. “This Linkerd2-proxy micro-proxy has been so fast and so lightweight that we’ve actually gotten by with just a single-core architecture up to Linkerd 2.8.”

With this release, Linkerd will gain greater throughput and concurrency for individual pods with the ability to scale to multiple cores. The project will be releasing new benchmarks to that effect in the near future.

Finally, Linkerd 2.9 adds ARM64 support, allowing it to run on devices like the Raspberry Pi as well as on ARM-based compute such as AWS Graviton. Support for Kubernetes’s new service topology feature will further increase operating efficiency by letting operators express routing preferences.

A complete rundown of Linkerd improvements, performance enhancements, and bug fixes can be found in the full release notes.
