Linkerd 2.3 ramps up security by turning on default confidential communication
Linkerd increases its security with the latest stable release, 2.3, which turns on authenticated, confidential communication between meshed services by default. Besides buffing up its security, Linkerd 2.3 also adds improvements to the web dashboard and a new Community page for news and updates.
Part of the Cloud Native Computing Foundation, Linkerd is a network proxy that deploys as a service mesh. According to their overview, its creators built it for solving complex problems while operating large production systems. Linkerd fixes communication issues between services.
Linkerd stable release v2.3 hit the scene on April 16, 2019. This new release brings with it improvements to the web dashboard, a new Community page, a TLS-based service identity system, and a few more changes.
Secure by default
According to the announcement by William Morgan, this release marks a step forward down the security-focused roadmap. What’s the ultimate goal?
Can we make secure communication easier than insecure communication for Kubernetes?
With buffed up security as one of the main stated goals for Linkerd, let’s look at the new additions in v2.3 and how they contribute.
Linkerd 2.3 turns on authenticated, confidential communication between meshed services by default. It requires no extra configuration or user effort. This is a step forward for Linkerd and makes it easier to use. It adds more security guarantees and brings Linkerd closer to adopting zero-trust networking.
From William Morgan’s announcement post: “In the zero-trust approach, we discard assumptions about a datacenter security perimeter, and instead push requirements around authentication, authorization, and confidentiality “down” to individual units. In Kubernetes terms, this means that services running on the cluster validate, authorize, and encrypt their own communication.”
By turning on security measures by default, this new release ensures that users will actually use the security features. Secure communication now takes less effort than insecure communication.
Web UI additions & changes
Linkerd 2.3 adds a new Community page. The Community page will serve as a hub for news and updates from linkerd.io.
The web dashboard gains a debug page, as well as mobile device improvements and several fixed issues.
Be aware: According to the GitHub release notes, v2.3 arrives with five breaking changes:
- Removed the --disable-external-profiles flag from the install command; external profiles are now disabled by default and can be enabled with the new
- The --linkerd-cni-enabled flag has been removed from the inject command; CNI is configured at the cluster level with the install command and no longer applies to the
- Removed the --api-port flag from the
- Ended support for running the control plane in single-namespace mode, which was severely limited in the number of features it supported due to not having access to cluster-wide resources; the end goal being Linkerd degrading gracefully depending on its privileges
- Removed the --tls=optional flag from the linkerd install command, with TLS now enabled by default
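Before upgrading, deployment scripts can be checked for the removed flags listed above. The following is an added example, not code from the article or from the Linkerd project: the function name, the sample script and its port value are constructed, and because the --api-port entry above does not name its command, the check matches that flag on any linkerd subcommand.

```python
import re
import shlex

# Removed flags as listed above, mapped to the subcommand the page names.
# None = any subcommand: the --api-port entry above is cut off before the
# command name, so matching it everywhere is an assumption of this example.
REMOVED = {"--disable-external-profiles": {"install"},
           "--linkerd-cni-enabled": {"inject"},
           "--tls": {"install"},
           "--api-port": None}
SEP = set("|&;()")  # first characters of shell tokens that end a command

def audit(script_text):
    """Return (line_no, subcommand, argument) for every removed flag found."""
    findings, next_line = [], 1
    for chunk in re.split(r"(?<!\\)\n", script_text):  # keep continuations
        line_no, next_line = next_line, next_line + chunk.count("\n") + 1
        try:  # punctuation_chars keeps |, ; and && as separate tokens
            tokens = list(shlex.shlex(chunk.replace("\\\n", " "),
                                      posix=True, punctuation_chars=True))
        except ValueError:  # unbalanced quote: skip rather than guess
            continue
        i = 0
        while i < len(tokens):
            j = i + 1
            if tokens[i].rsplit("/", 1)[-1] == "linkerd":
                while j < len(tokens) and tokens[j][:1] not in SEP:
                    j += 1  # arguments run until the next shell separator
                args = tokens[i + 1:j]
                sub = next((a for a in args if a in ("install", "inject")), None)
                for arg in args:
                    scope = REMOVED.get(arg.split("=", 1)[0], set())
                    if scope is None or sub in scope:
                        findings.append((line_no, sub, arg))
            i = j
    return findings

# Constructed deploy script (not from the page) used as sample input.
SAMPLE = """\
#!/bin/sh
linkerd install --tls=optional \\
  --disable-external-profiles | kubectl apply -f -
kubectl get deploy -o yaml | ./bin/linkerd inject --linkerd-cni-enabled - | kubectl apply -f -
linkerd inject --tls=optional app.yml
linkerd inject --api-port 9999 app.yml
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The fifth sample line is not reported because the list above names --tls=optional only for the install command.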