Linkerd 2.3 ramps up security by turning on default confidential communication

Sarah Schlothauer
© Shutterstock / Michal Durinik

Linkerd increases its security with the latest stable release, 2.3. Now it turns on authenticated, confidential communication between meshed services on by default. Besides buffing up its security, Linkerd 2.3 also adds a new Community page for news and updates and improvements to the web dashboard.

Part of the Cloud Native Computing Foundation, Linkerd is a network proxy that deploys as a service mesh. According to their overview, its creators built it for solving complex problems while operating large production systems. Linkerd fixes communication issues between services.

Linkerd stable release v2.3 hit the scene on April 16, 2019. This new release brings with it improvements to the web dashboard, a new Community page, a TLS-based service identity system, and a few more changes.

Secure by default

According to the announcement by William Morgan, this release marks a step forward down the security-focused roadmap. What’s the ultimate goal?

Can we make secure communication easier than insecure communication for Kubernetes?

William Morgan

SEE ALSO: Multiple stages within a Kubernetes cluster

With buffed up security as one of the main stated goals for Linkerd, let’s look at the new additions in v2.3 and how they contribute.

Linkerd 2.3 turns on authenticated, confidential communication between meshed services by default. It requires no extra configuration or user effort. This is a step forward for Linkerd and adds an extra layer of ease of use. It adds more security guarantees and brings it closer to adopting zero-trust networking.

From William Morgan’s announcement post: “In the zero-trust approach, we discard assumptions about a datacenter security perimeter, and instead push requirements around authentication, authorization, and confidentiality “down” to individual units. In Kubernetes terms, this means that services running on the cluster validate, authorize, and encrypt their own communication.”

By turning on security measures by default, this new release ensures that users will actually use the security features. Now achieving enhanced security becomes easier than insecurity.

Web UI additions & changes

Linkerd 2.3 adds a new Community page. The Community page will serve as a hub for news and updates from

The web dashboard gains a debug page, as well as mobile device improvements and several fixed issues.

SEE ALSO: Klusterkit: Three open source Kubernetes tools for on-prem, air-gapped environments

Be aware: According to the GitHub release notes, v2.3 arrives in tow with five breaking changes:

  • Removed the --disable-external-profiles flag from the install command; external profiles are now disabled by default and can be enabled with the new --enable-external-profiles flag
  • The --linkerd-cni-enabled flag has been removed from the inject command; CNI configures at the cluster level with the install command and no longer applies to the inject command
  • Removed the --api-port flag from the inject and install commands
  • Ended support for running the control plane in single-namespace mode, which was severely limited in the number of features it supported due to not having access to cluster-wide resources; the end goal being Linkerd degrading gracefully depending on its privileges
  • Removed the --tls=optional flag from the linkerd install command, with TLS now enabled by default

For a full list of changes and additions, please refer to the GitHub release notes.

Sarah Schlothauer

Sarah Schlothauer

All Posts by Sarah Schlothauer

Sarah Schlothauer is the editor for She received her Bachelor's degree from Monmouth University, West Long Branch, New Jersey. She currently lives in Frankfurt, Germany with her husband and cat where she enjoys reading, writing, and medieval reenactment. She is also the editor for Conditio Humana, an online magazine about ethics, AI, and technology.

Inline Feedbacks
View all comments