# Linkerd — The Lightest, Fastest Service Mesh for Kubernetes

> Linkerd is a CNCF-graduated service mesh built on a purpose-built Rust proxy. It delivers mTLS, traffic management, and observability with a fraction of the resource cost of Istio — and sets up in minutes.

## Install

Save in your project root:

# Linkerd — The Lightweight Service Mesh

## Quick Use
```bash
# Install CLI
curl --proto "=https" --tlsv1.3 -sSfL https://run.linkerd.io/install-edge | sh
export PATH=$PATH:~/.linkerd2/bin

# Validate cluster
linkerd check --pre

# Install (CRDs + control plane)
linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -
linkerd check

# Add viz extension for dashboard
linkerd viz install | kubectl apply -f -
linkerd viz dashboard
```

## Introduction
Linkerd was the first service mesh (2016) and remains the simplest and lightest. Unlike Istio's Envoy-based proxy, Linkerd uses a purpose-built Rust micro-proxy ("linkerd2-proxy") — orders of magnitude smaller and faster, with no configuration required for most use cases.

Graduated from the CNCF in 2021, Linkerd is used by Adidas, Nordstrom, HP, and hundreds of companies that want service mesh benefits without Istio's operational complexity.

## What Linkerd Does
Linkerd injects a tiny Rust sidecar proxy into each pod, automatically providing: **mTLS** (mutual TLS between all services, zero config), **observability** (golden metrics: RPS, latency, success rate), **traffic management** (retries, timeouts, traffic splitting), and **reliability** (circuit breaking, load balancing).

## Architecture Overview
```
[Control Plane]
  linkerd-identity   (mTLS CA)
  linkerd-destination (service discovery)
  linkerd-proxy-injector (admission webhook)
        |
[Data Plane - one per pod]
  linkerd2-proxy (Rust)
  - 10MB binary
  - ~10MB RAM, sub-ms latency
  - Transparent mTLS, metrics
        |
[Viz Extension (optional)]
  Prometheus + Grafana + Web dashboard
[Multicluster Extension]
  Gateway + Service Mirror
```

## Self-Hosting & Configuration
```yaml
# Enable injection by namespace
apiVersion: v1
kind: Namespace
metadata:
  name: myapp
  annotations:
    linkerd.io/inject: enabled

---
# Service-level retry policy
apiVersion: policy.linkerd.io/v1beta3
kind: HTTPRoute
metadata:
  name: api-retries
  namespace: myapp
spec:
  parentRefs:
    - name: api
      kind: Service
  rules:
    - matches: [{ path: { type: PathPrefix, value: "/" } }]
      filters: []
      backendRefs:
        - name: api
          port: 8080
          timeouts: { request: 10s }
          retries:
            limit: 3
            timeout: 1s
            conditions: [{ status: ["5XX"] }]

---
# Traffic split for canary
apiVersion: split.smi-spec.io/v1alpha2
kind: TrafficSplit
metadata: { name: web-canary }
spec:
  service: web
  backends:
    - { service: web-stable, weight: 90 }
    - { service: web-canary, weight: 10 }
```

```bash
# Observability commands
linkerd viz stat deploy -n myapp
linkerd viz top deploy/api -n myapp
linkerd viz tap deploy/api -n myapp
linkerd viz edges deployment -n myapp
```

## Key Features
- **Rust micro-proxy** — 10x smaller, faster than Envoy-based meshes
- **Automatic mTLS** — mutual TLS everywhere, zero config
- **Golden metrics** — RPS, success rate, latency per workload
- **HTTPRoute policies** — Gateway API-compatible retries, timeouts, routing
- **Multi-cluster** — gateway-based cluster federation for DR and global mesh
- **Traffic split** — canary deployments with weighted routing
- **Viz dashboard** — built-in Grafana + web UI for service topology
- **CNCF graduated** — neutral governance, proven at scale

## Comparison with Similar Tools
| Feature | Linkerd | Istio | Consul Connect | Cilium Mesh | Kuma |
|---|---|---|---|---|---|
| Proxy | linkerd2-proxy (Rust) | Envoy | Envoy | eBPF + Envoy | Envoy |
| Footprint | Very Low (~10MB/pod) | High (~100MB/pod) | Moderate | Low (eBPF) | Moderate |
| Setup complexity | Very low | High | Moderate | Moderate | Moderate |
| mTLS | Automatic | Automatic | Automatic | Automatic | Automatic |
| Multi-cluster | Yes | Yes | Yes | Yes | Yes |
| Gateway API | Yes | Yes | Partial | Yes | Yes |
| Best For | Pragmatic mesh | Feature-rich mesh | HashiCorp shops | eBPF-curious | Multi-zone edge |

## FAQ
**Q: Linkerd vs Istio — which should I pick?**
A: Linkerd for simplicity and low overhead. Istio for rich policy and broader ecosystem integration. Most teams that "just want a service mesh" are happier with Linkerd.

**Q: Can Linkerd run in production?**
A: Yes. CNCF-graduated, used in production by many Fortune 500 companies. Multi-cluster and policy features are stable.

**Q: How does Linkerd compare to Cilium's new mesh?**
A: Cilium uses eBPF to skip sidecars — potentially lower latency. Linkerd's sidecar approach is more portable and easier to reason about. Different trade-offs; both are strong.

**Q: Is Linkerd truly open source?**
A: Yes, Apache-2.0 with a CNCF foundation. Buoyant (the company behind Linkerd) sells an enterprise distribution (Buoyant Enterprise for Linkerd) with extra features, but the core is fully OSS.

## Sources
- GitHub: https://github.com/linkerd/linkerd2
- Docs: https://linkerd.io
- Foundation: CNCF (Graduated)
- License: Apache-2.0

---
Source: https://tokrepo.com/en/workflows/647b14c5-37c8-11f1-9bc6-00163e2b0d79
Author: AI Open Source