Linkerd 2.16: IPv6 support and new audit mode for more security

The service mesh update offers many new features with IPv6 support, a new audit mode for security policies and improved route metrics.


(Image: Jackie Niam/Shutterstock.com)


Version 2.16 of the Linkerd service mesh, a project hosted by the Cloud Native Computing Foundation (CNCF), is now available. The list of new features is long; the most important are support for the IPv6 Internet protocol in IPv6-only and dual-stack clusters, which can be enabled with a simple configuration change, and a new audit mode for security policies.

An important item on the feature list is the new audit mode for security policies, which logs policy violations without enforcing the policy. This should allow new policies to be introduced with less risk.

Linkerd's "Zero Trust" authorization policies offer fine-grained control of network traffic and support security approaches such as micro-segmentation and "Deny by Default", according to the announcement. Audit mode can be activated cluster-wide, per namespace or for individual Server resources by setting the accessPolicy field to audit. The example from the blog post illustrates the new feature:

apiVersion: policy.linkerd.io/v1beta3
kind: Server
metadata:
  namespace: emojivoto
  name: web-http
spec:
  accessPolicy: audit
  podSelector:
    matchLabels:
      app: web-svc
  port: http
  proxyProtocol: HTTP/1
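Because audit mode only logs violations, a policy rolled out as audit for observation can easily be forgotten and never switched to enforcement. The following added example (not from the article or the Linkerd project) walks a set of already-parsed Kubernetes manifests and reports which Linkerd Server resources are still in audit mode; the set of non-audit accessPolicy values it recognises is taken from Linkerd's default inbound policy names and is an assumption, as are the sample manifests.

```python
from typing import Iterable, List, Tuple

AUDIT = "audit"  # new in Linkerd 2.16: violations are logged, not enforced
# Other accessPolicy values are Linkerd's default inbound policies (assumption)
KNOWN = {AUDIT, "deny", "all-unauthenticated", "all-authenticated",
         "cluster-authenticated", "cluster-unauthenticated"}

def is_linkerd_server(m: dict) -> bool:
    """True for a policy.linkerd.io Server resource of any API version."""
    return m.get("kind") == "Server" and str(m.get("apiVersion", "")).startswith("policy.linkerd.io/")

def classify(server: dict) -> str:
    """'audit', 'open', 'enforcing', 'inherited' (no accessPolicy set) or 'unknown:<value>'."""
    policy = server.get("spec", {}).get("accessPolicy")
    if policy is None:
        return "inherited"  # namespace/cluster default policy applies
    if policy == AUDIT:
        return AUDIT
    if policy == "all-unauthenticated":
        return "open"
    return "enforcing" if policy in KNOWN else f"unknown:{policy}"

def audit_report(manifests: Iterable[dict]) -> List[Tuple[str, str]]:
    """(namespace/name, classification) for every Server in the manifests."""
    report = []
    for m in manifests:
        if is_linkerd_server(m):
            meta = m.get("metadata", {})
            report.append((f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}", classify(m)))
    return report

def servers_in_audit(manifests: Iterable[dict]) -> List[str]:
    """Servers that only log violations; switch these to an enforcing policy before go-live."""
    return [ref for ref, mode in audit_report(manifests) if mode == AUDIT]
def _server(name: str, spec: dict) -> dict:  # builds constructed sample Servers
    return {"apiVersion": "policy.linkerd.io/v1beta3", "kind": "Server",
            "metadata": {"namespace": "emojivoto", "name": name}, "spec": spec}
# Constructed manifests (as already parsed from YAML): the article's web-http Server
# in audit mode, an enforcing sibling, one inheriting the default, and a non-Server
SAMPLE_MANIFESTS = [
    _server("web-http", {"accessPolicy": "audit", "port": "http", "proxyProtocol": "HTTP/1",
                         "podSelector": {"matchLabels": {"app": "web-svc"}}}),
    _server("voting-grpc", {"accessPolicy": "deny", "port": "grpc"}),
    _server("emoji-grpc", {"port": "grpc"}),
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"namespace": "emojivoto", "name": "web"}},
]

if __name__ == "__main__":
    print("\n".join(f"{ref:<24} {mode}" for ref, mode in audit_report(SAMPLE_MANIFESTS)))
```

In a real pipeline the manifests would come from a YAML loader or `kubectl get servers -A -o json`; a non-empty result from servers_in_audit is the signal to finish the rollout.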

Linkerd 2.16 also brings a new implementation of retry and timeout configuration for the HTTPRoute and GRPCRoute resources of the Gateway API. These features can be combined with circuit breaking to provide a future-proof way of configuring the service mesh. Circuit breaking is a software design pattern that improves the stability and fault tolerance of distributed systems by automatically cutting off access to failing or overloaded services.

Linkerd now also captures detailed per-route metrics such as success rates, latencies and request volumes without requiring any changes to the application code.

Other changes include enabling HTTP/2 keep-alive messages by default for all meshed connections, so that lost connections are detected proactively, as well as JSON output for all Linkerd CLI commands that emit Kubernetes resources.

In addition, Linkerd 2.16 disables the /shutdown endpoint to minimize security risks. HTTP headers are no longer logged in debug or trace output by default to protect sensitive information.

Looking ahead, the project plans to add egress functionality in the next version, 2.17, to improve both visibility and control over outbound traffic. Administrators will be able to specify which pods or services may initiate outbound traffic and which external destinations they may reach, in support of security and compliance requirements.

Other multi-cluster features are also in the works. According to the blog post, Linkerd remains committed to its open governance approach and invites the community to participate on GitHub, Slack, X (formerly Twitter) and the mailing lists. More information on Linkerd 2.16 can be found in the release blog post.

(mdo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.