Apps Simplified
Use a Mesh from Day 0
Ivan Porta
Customer Engineer @ Buoyant
Why Use a Service Mesh?
Kubernetes Isn’t a Sealed Box
Start With a Service Mesh on Day 0
• Runway is precious: Every sprint spent hand-rolling mTLS, retries, or dashboards is a sprint not spent finding product–market fit. A mesh gives you zero-trust mTLS, circuit breakers, and “golden metrics” telemetry from minute one.
• Two engineers ≠ two platform teams: The developers who ship features also get enterprise-grade security, reliability, and observability “for free,” rather than learning three new CNCF projects.
• Avoid the “retrofit tax”: Waiting until the first security audit usually costs 2–3× more effort than adding the mesh on a blank canvas.
Microservices Are A Web of Calls
Every Team Re-implements the Same Code
[Diagram: Team A, Team B and Team C each re-implementing the same cross-cutting code]
Each application implements its own metrics, retries, policy enforcement, security, …
What Is a Service Mesh?
A service mesh is a dedicated infrastructure layer for handling service-to-service communication, typically implemented as an array of lightweight network proxies that are deployed alongside application code, without the application needing to be aware.
Decouple Operations From Development
[Diagram: the proxy takes over policy enforcement, load balancing, retries, security, logging, tracing and routing]
Reduce Complexity
Without a mesh, developers carry all of it: the application code plus TLS, certificates, authentication, authorization; metrics, logs, traces; retry logic & circuit breaking; traffic control; rate limiting.
With a mesh, developers own the application code, and the service mesh owns TLS, certificates, authentication, authorization; metrics, logs, traces; retry logic & circuit breaking; traffic control; rate limiting.
How Does a Service Mesh Work?
Two Layers: Data Plane and Control Plane
[Diagram: business logic and proxy share a Pod and talk over localhost; proxies exchange encrypted traffic with each other; the control plane's controllers push service discovery, certificates and configuration to the proxies]
Data Plane: A set of sidecar proxies intercepts and controls every inbound and outbound request between microservices, enforcing policy and encrypting traffic.
Control Plane: Central controllers manage configuration, service discovery, and certificate rotation, then push updates to the proxies.
Two Layers: Data Plane and Control Plane (sidecar-less variant)
[Diagram: the same split, with a zTunnel beside each workload and a Waypoint in the request path]
The two-layer split is the same when the data plane is not a sidecar. In this layout (what Istio calls ambient mode) a per-node zTunnel terminates mTLS and applies L4 policy, and an optional Waypoint proxy applies L7 policy and routing. The control plane's job is unchanged: it still manages configuration, service discovery and certificate rotation and pushes them to those components.
Service-Mesh Landscape: Istio, Linkerd, Consul, Traefik, Kong
Business Drivers for Service-Mesh Adoption
Four Pillars of Service: Security, Observability, Resiliency, Control
Security
From Plaintext to Encrypted by Default
How the Mesh Issues Identity and Enforces mTLS
1. A workload is deployed.
2. The proxy-injector webhook watches every new Pod. If the Pod (or its namespace) carries the mesh annotation, the webhook adds an init container and a proxy sidecar.
3. The init container rewrites the Pod's iptables rules (not its routing table) so that all inbound and outbound traffic flows through the proxy. Doing this needs NET_ADMIN and NET_RAW in the init container; in CNI mode the same rules are installed by the linkerd-cni plugin instead, so the Pod never holds those capabilities.
4. After the init container exits, the proxy generates a public/private key pair in memory. The private key never leaves the Pod; the identity it will be bound to is the Pod's ServiceAccount.
5. The proxy sends a Certificate Signing Request to the Identity service, including the public key and the Pod's ServiceAccount token.
6. The Identity service verifies that the CSR really belongs to that ServiceAccount: it validates the token through the Kubernetes TokenReview API and checks that the requested identity matches the token's ServiceAccount.
7. If valid, the issuer signs the CSR with the cluster's issuer key, producing a short-lived certificate (24 hours by default) whose identity has the form <serviceaccount>.<namespace>.serviceaccount.identity.<trust-domain>.
8. The Identity service returns the certificate to the proxy, which repeats steps 5–8 before the certificate expires.
9. The workload now makes a request to another service; the client-side proxy presents its certificate and starts a TLS handshake.
10. The server-side proxy validates the certificate's signer against the cluster's trust anchors and, if trusted, returns its own certificate.
11. The two proxies establish a mutual-TLS session; all application traffic on the wire is now encrypted and identity-verified.
[Diagram: Pod with ProxyInit, Proxy and ServiceAccount; the Identity service; two proxies completing the handshake]
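Steps 9–11 give you encryption and a verified client identity, but on their own they do not decide who may call what. The manifests below are an added example, not a slide from the deck, and show how the identity from step 7 becomes an authorization rule on the server side in Linkerd: a Server selects the receiving Pods and port, a MeshTLSAuthentication names the allowed ServiceAccount identity, and an AuthorizationPolicy ties them together. The namespace emojivoto, the app labels, the container port named grpc, the ServiceAccounts voting (server) and web (client), and the default trust domain cluster.local are assumptions for illustration.

```yaml
# Added example (not from the slides). Assumed: namespace emojivoto, Pod labels
# app=voting-svc, a container port named "grpc", ServiceAccounts "voting" (server)
# and "web" (client), and the default trust domain cluster.local.
#
# 1. Server: the policy target. It selects the voting Pods on their gRPC port.
#    With accessPolicy: deny, traffic to this port is refused unless an
#    AuthorizationPolicy explicitly allows it.
apiVersion: policy.linkerd.io/v1beta3
kind: Server
metadata:
  namespace: emojivoto
  name: voting-grpc
spec:
  podSelector:
    matchLabels:
      app: voting-svc
  port: grpc
  proxyProtocol: gRPC
  accessPolicy: deny
---
# 2. MeshTLSAuthentication: which client identities are acceptable. The identity
#    is the one the client proxy obtained in steps 4-8, derived from its
#    ServiceAccount, i.e. web.emojivoto.serviceaccount.identity.linkerd.cluster.local.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: emojivoto
  name: web-only
spec:
  identityRefs:
  - kind: ServiceAccount
    namespace: emojivoto
    name: web
---
# 3. AuthorizationPolicy: clients matching web-only may reach voting-grpc.
#    Any other caller, meshed or not, is rejected by the server-side proxy and
#    counted in inbound_http_authz_deny_total, the counterpart of the
#    inbound_http_authz_allow_total metric shown later in the deck.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: emojivoto
  name: voting-grpc-from-web
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: voting-grpc
  requiredAuthenticationRefs:
  - group: policy.linkerd.io
    kind: MeshTLSAuthentication
    name: web-only
```

Because the check happens in the receiving Pod's proxy against a certificate it has already verified, a caller cannot spoof its way in by setting headers or by presenting a certificate from outside the mesh's trust anchors. After applying, `linkerd viz authz -n emojivoto deploy/voting` shows the per-policy allow and deny counts, which is the quickest way to catch a legitimate caller you forgot to authorize before the change reaches production.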
Observability
Zero-Code Golden Metrics, Instantly Visualized
Excerpt from a proxy's Prometheus /metrics endpoint (truncated on the slide):
# TYPE outbound_http_route_request_frame_size_bytes histogram
# UNIT outbound_http_route_request_frame_size_bytes bytes
# HELP outbound_http_route_backend_requests The total number of requests dispatched.
# HELP request_total Total count of H
# TYPE request_total counter
nsus_span_export_streams Total count of opened span export streams
nsus_span_export_streams counter
# HELP outbound_http_route_retry_overflow Retryable requests not sent due to circuit breakers.
# TYPE outbound_http_route_retry_overflow counter
# HELP outbound_http_route_retry_requests Retry requests emitted.
# TYPE outbound_http_route_retry_requests counter
# HELP outbound_grpc_route_retry_overflow Retryable requests not sent due to circuit breake
# TYPE outbound_grpc_route_retry_overflow counter
# HELP inbound_http_authz_allow_total The total number of inbound HTTP requests that were authorized
# TYPE inbound_http_authz_allow_total counter
# HELP response_latency_ms Elapsed times between a request's headers being received and its response stream completing
# TYPE response_latency_ms histogram
# HELP response_total Total count of HTTP responses.
# TYPE response_total counter
# HELP control_response_latency_ms Elapsed times between a request's headers being received and its response stream completing
# HELP tcp_open_total Total count of opened connections
# TYPE tcp_open_total counter
# HELP toki
# TYPE tokio
Out-of-the-Box Distributed Tracing
Resiliency
Failures Are Inevitable
Cascading Failures
Timeouts
[Diagram: business logic → localhost proxy → service endpoint; the control plane's Destination controller feeds endpoints to the proxy]
The proxy resolves each destination through the Destination controller and caches the endpoints it receives. A cached entry is evicted after the configured timeout, or sooner if the target becomes unreachable, and the proxy then asks the Destination controller for fresh endpoints. Separately from discovery, the proxy bounds every call with timeouts that you tune through annotations. On the Service being called, a request timeout caps the whole exchange and a response timeout caps how long the proxy waits for the backend's answer:
annotations:
  timeout.linkerd.io/request: 2s
  timeout.linkerd.io/response: 1s
On the calling workload's Pod template, the connect timeout caps how long the proxy keeps trying to open a TCP connection to an endpoint before it gives up on that endpoint:
annotations:
  config.linkerd.io/proxy-outbound-connect-timeout: "2s"
Set these so that a slow dependency fails fast rather than holding the caller's connections open, which is how one slow service turns into a cascading failure.
Retries
[Diagram: the client-side proxy retries against the service endpoint; the Destination controller sits in the control plane]
Annotations on the Service being called:
annotations:
  retry.linkerd.io/http: 5xx
  retry.linkerd.io/limit: "2"
  retry.linkerd.io/timeout: 300ms
The client-side proxy automatically retries calls that fail with a matching status (here any 5xx) up to the configured limit, with each attempt bounded by the per-try timeout. Enable retries only for requests that are safe to repeat: retrying a non-idempotent POST can duplicate side effects, and retries multiply load on a backend that is already failing, which is why they are paired with a limit and with circuit breaking.
Circuit Breaker
[Diagram: the client-side proxy keeps per-endpoint failure counts; the Destination controller feeds it endpoints]
Each proxy tracks successes and failures per endpoint. After N consecutive failures it “trips” the circuit, stops sending traffic to that endpoint, and probes it again only after a penalty window (which backs off exponentially from the minimum penalty up to a configurable maximum), shielding the rest of the call-graph from cascading latency. It is configured with annotations on the Service whose endpoints should be protected:
annotations:
  balancer.linkerd.io/failure-accrual: "consecutive"
  balancer.linkerd.io/failure-accrual-consecutive-max-failures: "2"
  balancer.linkerd.io/failure-accrual-consecutive-min-penalty: 300ms
Control
Traffic Routing
[Diagram: the client-side proxy steers 70% / 30% of requests between two backends; the Destination controller pushes HTTPRoute and GRPCRoute policy]
Proxies cache routing and authorization policy locally, so every request is steered or denied inside the Pod without a round trip to the control plane. Routes are expressed with the Gateway API HTTPRoute and GRPCRoute resources, for example to split traffic 70/30 between a stable and a canary backend.
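The 70/30 split in the diagram, written out as a Gateway API HTTPRoute that Linkerd applies in the client-side proxy. This is an added example rather than a slide from the deck; it assumes the Gateway API CRDs from the install step are present and that two Services, web-svc (stable) and web-svc-canary, exist in the namespace emojivoto on port 80. The header name x-canary is also an assumption.

```yaml
# Added example (not from the slides). Assumes Gateway API v1.2.1 CRDs and two
# Services in emojivoto: web-svc (stable) and web-svc-canary (new version), port 80.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  namespace: emojivoto
  name: web-split
spec:
  # The parentRef is the Service clients already call. Linkerd attaches the
  # route to the outbound proxy of every meshed caller of web-svc:80, so the
  # split happens in the caller's Pod, not in a central gateway.
  parentRefs:
  - group: core
    kind: Service
    name: web-svc
    port: 80
  rules:
  # Rule 1: a caller sending "x-canary: always" is pinned to the canary, so
  # testers can exercise the new version without touching the weights.
  - matches:
    - headers:
      - name: x-canary
        value: always
    backendRefs:
    - name: web-svc-canary
      port: 80
  # Rule 2: everything else is split by relative weight, 70/30 as on the slide.
  - backendRefs:
    - name: web-svc
      port: 80
      weight: 70
    - name: web-svc-canary
      port: 80
      weight: 30
```

Because the route is enforced by the caller's proxy, only meshed clients see the split; an unmeshed client that resolves web-svc through kube-proxy reaches the stable backend as before. Rule order matters as well: the header match is more specific than the catch-all, and the weights can be shifted (30 to 50 to 100) by editing one object while the application code and the Service names stay untouched.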
Local Rate Limit
[Diagram: the inbound proxy enforces an HTTPLocalRateLimitPolicy that targets a Server]
An HTTPLocalRateLimitPolicy defines how many requests per second each replica will accept: a total ceiling, a limit per client identity, and overrides for specific clients. The limit is enforced by the server-side proxy, per replica, not by a shared counter across replicas. The policy targets a Server, which matches the receiving Pods by label and port; the client identity used for per-identity limits and overrides is the mTLS identity established in the Security section, so callers without a mesh identity cannot be told apart from one another.
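The Server and rate-limit policy the diagram describes, as an added example rather than a slide from the deck. It assumes namespace emojivoto, web Pods labelled app=web-svc with a container port named http, and a client ServiceAccount vote-bot that is granted a larger quota than other callers; the numbers are placeholders.

```yaml
# Added example (not from the slides). Assumed: namespace emojivoto, Pod labels
# app=web-svc, a container port named "http", and a client ServiceAccount
# "vote-bot". Limits are placeholders.
#
# The Server selects the receiving Pods and port. Creating a Server also makes
# the port subject to its access policy, so state it explicitly: without an
# AuthorizationPolicy a denying Server would refuse traffic before any rate
# limit is ever reached.
apiVersion: policy.linkerd.io/v1beta3
kind: Server
metadata:
  namespace: emojivoto
  name: web-http
spec:
  podSelector:
    matchLabels:
      app: web-svc
  port: http
  proxyProtocol: HTTP/1
  accessPolicy: all-unauthenticated
---
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPLocalRateLimitPolicy
metadata:
  namespace: emojivoto
  name: web-http-rl
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: web-http
  # Ceiling for this replica as a whole, regardless of who is calling.
  total:
    requestsPerSecond: 100
  # Fair-share cap per client identity (the mTLS identity from the Security
  # section); it only distinguishes callers that have a mesh identity.
  identity:
    requestsPerSecond: 20
  # Named clients get their own quota instead of the per-identity default.
  overrides:
  - requestsPerSecond: 50
    clientRefs:
    - kind: ServiceAccount
      namespace: emojivoto
      name: vote-bot
```

Requests over the limit are answered by the proxy with HTTP 429 and never reach the application container, which is the point: one noisy or compromised client is throttled by its identity rather than being able to exhaust the replica for everyone. Because the counters are local, the effective cluster-wide limit is the per-replica number multiplied by the number of replicas behind the Service.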
Getting Started
Mesh in 3 Commands
Install Linkerd via CLI, Helm, or Operator
gtrekter@MacBook-Pro-M4 ~ % curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install-edge | sh
Downloading linkerd2-cli-edge-25.5.1-darwin-arm64...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 76.0M  100 76.0M    0     0  6486k      0  0:00:11  0:00:11 --:--:-- 7365k
Download complete!
Validating checksum...
Checksum valid.
Linkerd edge-25.5.1 was successfully installed 🎉
gtrekter@MacBook-Pro-M4 ~ % kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
…
gtrekter@MacBook-Pro-M4 ~ % linkerd install --crds | kubectl apply -f -
Rendering Linkerd CRDs...
…
gtrekter@MacBook-Pro-M4 ~ % linkerd install | kubectl apply -f -
…
gtrekter@MacBook-Pro-M4 ~ % kubectl get ControlPlane linkerd-control-plane -o yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      controlPlaneConfig:
        identity:
          issuer:
            scheme: kubernetes.io/tls
        identityTrustAnchorsPEM: |
          -----BEGIN CERTIFICATE-----
          …
          -----END CERTIFICATE-----
      version: enterprise-2.17.1
gtrekter@MacBook-Pro-M4 ~ % kubectl get ControlPlane -A
NAME                    STATUS     DESIRED             CURRENT             AGE
linkerd-control-plane   UpToDate   enterprise-2.17.1   enterprise-2.17.1   60s
Two things to note before copying this into a pipeline. The curl | sh step trusts whatever run.linkerd.io serves at that moment: the script verifies the checksum of the CLI binary it downloads, but the script itself is executed unverified, so for CI pin an explicit CLI version and check it against the published release checksums instead of piping the installer into a shell. And the ControlPlane resource shown last (apiVersion linkerd.buoyant.io/v1alpha1) belongs to Buoyant's lifecycle operator, which installs and upgrades the control plane declaratively; on the plain CLI path, run linkerd check after the install to confirm the control plane is healthy and its certificates are valid.
Best Practices & Lessons Learned
Certificate Rotations
Why Automated Rotation Matters
• 81% of companies suffered a certificate-related outage in the past two years.
• 65% are concerned about the increased workload and risk of outages caused by shorter SSL/TLS certificate lifespans.
• Human error was a major contributing factor in 95% of breaches.
Control Plane Certificate Rotations
Integrating Cert-Manager and Trust-Manager
[Diagram: a cert-manager ClusterIssuer issues the trust-anchor Certificate into the Secret linkerd-trust-anchor; a second ClusterIssuer backed by that Secret issues the Certificate that fills the Secret linkerd-identity-issuer, which Linkerd Identity references; trust-manager's Bundle copies the trust anchor into the ConfigMap linkerd-identity-trust-roots, which Linkerd Identity also references. cert-manager and trust-manager create or update these objects on every rotation.]
Linkerd is installed with:
- identity.externalCA: true
- identity.issuer.scheme: kubernetes.io/tls
This prevents Linkerd from creating its own Secrets and removes the need for the user to supply certificates during installation. cert-manager renews the issuer certificate before it expires and trust-manager republishes the trust roots, so rotation happens without anyone editing Secrets by hand, which is exactly the step the outage statistics above point at.
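The objects the diagram describes, written out as an added example rather than a slide from the deck, using the names the slide gives (linkerd-trust-anchor, linkerd-identity-issuer, linkerd-identity-trust-roots). Assumed: the self-signed ClusterIssuer is named linkerd-self-signed-issuer and the CA-backed ClusterIssuer linkerd-trust-anchor; the trust domain is cluster.local; cert-manager and trust-manager run in the cert-manager namespace; and the linkerd namespace already exists with the label linkerd.io/is-control-plane=true that linkerd install puts on it.

```yaml
# Added example (not from the slides). Assumed names: ClusterIssuers
# linkerd-self-signed-issuer and linkerd-trust-anchor; trust domain cluster.local;
# cert-manager/trust-manager in namespace cert-manager; the linkerd namespace
# already present and labelled linkerd.io/is-control-plane=true.
#
# 1. Self-signed root: the trust anchor. It lives in cert-manager's namespace so
#    its private key is never mounted into the linkerd namespace at all.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: linkerd-self-signed-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-trust-anchor
  namespace: cert-manager
spec:
  isCA: true
  commonName: root.linkerd.cluster.local
  secretName: linkerd-trust-anchor
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: linkerd-self-signed-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
# 2. CA issuer backed by the root's Secret; it signs the identity issuer below.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: linkerd-trust-anchor
spec:
  ca:
    secretName: linkerd-trust-anchor
---
# 3. Identity issuer: the intermediate that signs every proxy CSR (step 7 of the
#    mTLS flow). Short-lived and renewed by cert-manager with a day to spare;
#    Linkerd Identity picks up the new Secret contents when they change.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: ClusterIssuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
  - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
  - cert sign
  - crl sign
  - server auth
  - client auth
---
# 4. trust-manager Bundle: publishes the root's public certificate (ca.crt only,
#    never the key) as ConfigMap linkerd-identity-trust-roots, key ca-bundle.crt,
#    in every namespace carrying the control-plane label.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: linkerd-identity-trust-roots
spec:
  sources:
  - secret:
      name: linkerd-trust-anchor
      key: ca.crt
  target:
    configMap:
      key: ca-bundle.crt
    namespaceSelector:
      matchLabels:
        linkerd.io/is-control-plane: "true"
```

With these in place the install is run with identity.externalCA=true and identity.issuer.scheme=kubernetes.io/tls, matching the slide, and Linkerd reads the issuer from the Secret and the trust roots from the ConfigMap instead of generating either. Two checks worth keeping: the issuer's duration must be longer than the proxy certificate lifetime it signs, and rotating the root itself (as opposed to the issuer) still requires the new root to be in the bundle before any proxy receives a certificate chained to it, so roll the root in two steps rather than replacing it in place.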
Proxy Resource Limits
Start Flexible, Tune Empirically
• No one-size-fits-all: A proxy's CPU & memory usage depends on the workload it fronts: its request rate, its connection count and how many endpoints the proxy has to track.
• Start with the flexible profile: Use Linkerd's default requests and limits until you've gathered real-world metrics, then tighten.
• Override per workload: Global Helm values are a baseline. A good practice is to refine them per workload using annotations on the Pod template, keeping a memory limit in place so a proxy that grows unexpectedly is restarted rather than starving the application container.
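The per-workload override the last bullet refers to, as an added example rather than a slide from the deck. It assumes a Deployment named web in namespace emojivoto with ServiceAccount web; the resource numbers and the image are placeholders to be replaced with values read from the proxy's own metrics under real load.

```yaml
# Added example (not from the slides). Assumed: Deployment "web" in namespace
# emojivoto, ServiceAccount "web". Resource values and image are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: emojivoto
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web-svc
  template:
    metadata:
      labels:
        app: web-svc
      annotations:
        # Opt this workload into sidecar injection (can also be set per namespace).
        linkerd.io/inject: enabled
        # Per-workload overrides of the global proxy resources. Requests drive
        # scheduling; limits are the safety net. The memory limit matters most,
        # because it bounds the proxy's endpoint and connection state.
        config.linkerd.io/proxy-cpu-request: "100m"
        config.linkerd.io/proxy-cpu-limit: "1"
        config.linkerd.io/proxy-memory-request: "64Mi"
        config.linkerd.io/proxy-memory-limit: "256Mi"
    spec:
      serviceAccountName: web
      containers:
      - name: web
        image: example.invalid/web:1.0.0   # placeholder image
        ports:
        - name: http
          containerPort: 8080
```

Watch container_memory_working_set_bytes and CPU usage for the linkerd-proxy container of this Deployment for a few days of real traffic before lowering the numbers; a limit set too tight shows up as proxy restarts, which from the caller's side look exactly like the transient 5xx failures the Resiliency section is designed to absorb.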
Q&A
Thank you!