Hi there, I'm William Morgan and I'm one of the creators of Linkerd. Welcome to the KubeCon EU 2021 overview and state of Linkerd talk. I'll be joined by Linkerd contributor Matei David. He will present the second part of the talk with the current state of the project and I will be providing the overview.

So what is Linkerd? It is a service mesh. If you don't know what a service mesh is, I'll give you a very brief definition in the next slide, but suffice it to say that Linkerd is a very unique kind of service mesh, for one, and is very focused on being as light and as fast and as simple as possible for Kubernetes environments. Linkerd has been in production for over four years. We have a very healthy and active community centered around the Slack channel and we have lots and lots of GitHub stars, so thank you, please give us more. Over 200 contributors, we've publicly committed to open governance, and of course we're hosted by the CNCF. We've proposed Linkerd for graduation, so hopefully we'll hear some good news in that regard pretty soon. I'll also add that by watching this talk you are now also a member of the Linkerd community and you have just as much a right to run it, to talk about it and to participate as I do. It's a community project and you are now part of the community, welcome.

So what does Linkerd do?
Like any service mesh, we categorize its features into three buckets: a set of features around observability, things like golden metrics and service topologies and distributed tracing; a set of features around reliability, things like load balancing and traffic shifting and retries; and there's a set of features around security, mostly built off of mutual TLS. And the interesting thing about Linkerd, and any service mesh really, is that we cannot be a complete solution to any of those categories. So Linkerd is not a complete observability solution, you still have to instrument your application. It's not a complete reliability solution, your application has to handle all sorts of failures that Linkerd cannot protect against. And it's certainly not a complete security solution. But the set of features that Linkerd can give you sit at the platform layer and they belong as part of the platform, and so what the service mesh gives you is the ability to get those features at the platform layer without having to rely on developers to implement them in their application. So that's good for you because it means you have control over your destiny, and it's good for the developers because it means that they can focus on writing business logic and not on having to implement things like mutual TLS and certificate rotation, which are difficult and probably not where you want to develop your expertise.

So how is Linkerd designed? In short, less is more, very powerful statement. So if you have a functioning Kubernetes application and you install Linkerd, the application should continue functioning, with some minor asterisks on that statement, but we can do that for the vast majority of cases. So zero config: out of the box you should be able to just add Linkerd to a system and not break anything.
It's designed to be as light as possible, so introduce a bare minimum performance and resource cost, especially when it comes to the latency introduced to your application, because that is a user-facing cost. And it's designed to be as simple as possible, and by simple I mean operationally simple, which means you, the operator, should not have to waste your precious life energies worrying about the service mesh. You should be able to let it run and understand it and feel confident in it. And then finally, to the extent that it's possible, when we have security features we try and enable those features out of the box and not to put them behind barriers involving configuration.

So Linkerd today has a control plane that's written in Go. So it's in a Kubernetes namespace. It's about 200 banks. And then it has a data plane built out of these Rust micro-proxies, I'll talk more about that in a few more slides, that are extremely fast and extremely light. Linkerd has a long history. It was originally actually a JVM application and I wrote a little bit about that history in this article. So if you want some bedtime reading, just click on the link in the slides or just search for that title.

So what does Linkerd look like when deployed? Well, it has a name, it has a control plane and a data plane. The control plane has a couple components, including one called identity that's basically a certificate authority, one called destination that's a service discovery endpoint, and so on. And then in the data plane, like many sidecar-based service meshes, Linkerd has a little proxy that gets injected into the same pod as the application does, and it sits in there and has all TCP traffic transparently wired to go through that proxy. So the application is blissfully unaware that traffic is going through the proxy, and that is how the service mesh does its magic. Linkerd 2.10, which is the latest version, introduces this notion of extensions.
So if you want additional functionality you can add these opt-in extensions. There's one called, which is demonstrated here, called the Viz extension, which is a metrics pipeline. It includes things like Prometheus and Grafana and a web dashboard that take all of the metrics that the proxies instrument and turn them into a set of human-consumable outputs. So if getting observability into your system without having to do any config is important to you, then you may install that extension. If it's not, or if you have an additional mechanism for doing that, then you don't have to install it. So that's the control plane.

On the data plane we use a proxy called simply linkerd2-proxy. Linkerd is unique in a lot of ways; one of those ways is that this proxy is not Envoy. I wrote a long article about why that is, so if you want to dig more into this just search for why Linkerd doesn't use Envoy or click on that link in the slides below. The short story is Rust: the choice of Rust, which is what we use to implement this proxy, allows us to avoid an entire class of memory vulnerabilities and CVEs that are endemic to C and C++ programs. Rust of course compiles to native code, so we can be as fast as the machine will let us be, and using Rust gives us access to a state-of-the-art network stack, so libraries like Tokio and Hyper and Tower and the rest of the modern Rust asynchronous networking stack. I think this part of Linkerd, the linkerd2-proxy, is probably the most advanced, technologically advanced project in the entire CNCF landscape, but that's my biased opinion. And our philosophy here is that the proxy ultimately should be an implementation detail for a service mesh, so if you install Linkerd you will have to learn how to operate Linkerd, but you should not have to also learn how to operate a complicated proxy. That's the goal.
Okay, I mentioned a little bit about security. Linkerd is very security focused and we have a very strict philosophy that starts with, number one, making sure that the foundations are secure, which is a big part of why Linkerd2 proxies are in Rust. Number two, building on top of Kubernetes as much as possible, so rather than introducing new primitives you use ones that are already there, things like service accounts. And then removing the barriers as much as possible, so, you know, the moment you install Linkerd and you mesh your application, all TCP communication is automatically put behind mutual TLS without you having to configure anything. Complexity is the enemy of security, that's our belief, and so we want to reduce the configuration as much as possible, turn it all on by default, and basically don't make you have to work for security.

Okay, I always have to talk about Linkerd versus Istio, because Istio has a lot of marketing energy behind it. I think it comes down to what do you need in the service mesh. Istio is designed to handle a very large set of scenarios and has a very large feature set; the downside is that it is very complex to operate. Linkerd has a very different philosophy, which is we should give you the bare minimum to build a secure and reliable and flexible Kubernetes platform, so it's much easier to understand and operate, smaller, lighter, faster, but it is also very Kubernetes specific, so if that doesn't work for you then Linkerd will not be the right service mesh for you.

Here at KubeCon EU 2021 we actually have a pretty amazing Linkerd turnout, so if you want to learn more I encourage you to look at to attend some of these talks.
Oliver Gould, who is the creator, the real creator of Linkerd, will be delivering a talk, "Why the future of the cloud will be built on Rust", on May 3rd. On May 4th at ServiceMeshCon we've got a whole set of end user talks around scheduling COVID tests, doing experimentation, adding FIPS 140 compliance and doing chaos testing. And May 5th we've got some debugging, we've got some compliance the easy way talks, that sounds scary, and seamless multi-cluster communication and observability. And then finally, if you really enjoy my voice, I'll be giving a keynote about Linkerd versus COVID-19 on May 6th. So I encourage you to join those talks. With that said, I am now going to hand things over to Linkerd contributor Matei David.

Thank you William, and hello everyone. My name is Matei and today I'll be giving you a brief overview on Linkerd in 2021. More specifically, I'll be talking about some previous releases that we've had, I'll touch base on the roadmap, give you some community updates, and finally tell you how you can be involved.

So before I start I'm going to talk about myself for a little bit. I've been a Linkerd contributor for over a year now and, like a lot of people in the community, I had my first contribution completely by accident. I stumbled upon Linkerd when I was looking for some projects to contribute to. I attended my first meet-up in March 2020. After I saw how inclusive and supportive the community is, I kind of got over my anxiety of contributing to open source, so in April 2020 I had my first merged PR and it sort of snowballed from there. I applied for a CNCF mentorship scheme and in September 2020 delivered topology-aware service routing just in time for Linkerd 2.9, and since then I've just been around the community helping people out on Slack, doing some bug fixing here and there and small improvements. In April 2021 I became a full-time contributor as a software engineer at Buoyant. So if my, my humbling story doesn't convince you that the community is awesome, hopefully the next
slide will. I'll be talking a bit about some, some updates we've had in the community.

So as Linkerd grows so does its community, and I think in 2021 we saw a lot of updates that went a bit unnoticed in favor of the codebase updates that I'll be talking about shortly. But first of all, we created a Linkerd steering committee. So in a very fast and dynamic space there are always new cloud native emerging trends and it's pretty hard to stay on top of everything, and aside from that we, we have adopters from large enterprises, the very small and lean startups, so we wanted to have a way to get the end user involved and in prioritization and shaping the direction of Linkerd, and the steering committee does just that.

Second, we rolled out a Linkerd community anchor program. A lot of people in our community do amazing things with Linkerd. They have amazing stories, tales from production where Linkerd helped them fix some bugs or find a bottleneck. We have a lot of people who use Linkerd for research, so lots of cool stories. We want to help people work on them and share them, so that's what the community anchor program is all about. If you have an exciting story, please check it out.

We've opened up a new Discord server. We have a very active community on Slack but we also started trialing with Discord and there are a couple of cool conversations going around there, a bit more implementation specific, so if that's your cup of tea please come and say hello.

And finally, something I'm very excited about: we have our graduation proposal officially submitted. It's still early days to talk about it but I just wanted to kind of echo this out and let people know that it's been submitted, and I'm super excited about it. Huge round of applause for, for the whole team and community.

All right, now let's get technical. When I first joined as a contributor the team had just released 2.8: multi-cluster support, well, Linkerd multi-cluster, and also the idea of add-ons started floating, and that's important, I'm going to come
back to it later. But Linkerd 2.9 extends zero-config mutual TLS support to TCP connections. This was the banner feature, allowing TCP traffic to be in TLS, and to do this there actually were a couple of changes with the service discovery mechanism. I won't be going into details now, but a lot of work went into 2.9. It was a huge release, happened in November, and it's very close to my heart because the CNCF mentorship schemes projects were also delivered as part of this. We had ARM support, which allows Linkerd to run anywhere, on Raspberry Pis, I use it on my Pi clusters for example. This was a GSoC project. We had multi-core proxy runtimes to add throughput and concurrency; service topologies, my project as part of CNCF LFX, to introduce routing preferences on per node basis; and bring your own Prometheus to make the control plane lighter.

So if in 2.8 we started floating around the idea of an add-on, in 2.9 it started taking shape, and then in 2.10 it came to fruition because we delivered modularized control plane with extensions. So we split the control plane up into multiple extensions to make it lighter, have less of an overhead and truly allow you to run Linkerd on any platform that you want, as light as possible. So with Linkerd 2.10 you can pick and mix what you want with your Linkerd distribution. Out of the box the control plane comes with the discovery service, identity and zero config mTLS, and then we have a Viz extension for the metric stack, so Prometheus, Grafana, dashboard, Linkerd tap, which is an amazing tool; Jaeger extension for distributed tracing; and then the multicluster extension for those of you that want to do multicluster.

And on the topic of multicluster, in 2.10 we've extended a multicluster to TCP connections, so before Linkerd was more geared towards HTTP with multicluster and in 2.10 that changed. We've also included opaque ports to proxy traffic without protocol detection, so Linkerd used protocol detection to determine if you're running gRPC or HTTP and this aided in
load balancing decisions and also in mTLS, but with opaque ports we also added support for server-speaks-first protocols, where doing mTLS is a bit trickier. But yeah, there's a great blog post about this, so if you want to get a bit more in-depth knowledge please, please give that a read.

But moving on, where we are today in 2021: our main objective for 2.11 is to bring configurable access policies to Linkerd, and this is something that I'm very excited about because I've seen how excited the community is about it and the maintaining team is about it, and the community has been asking for authorization policies for, for some time now, and I'm happy to say that with 2.11 we're bringing this in. So authorization policies bring flexible access control to meshed workloads, and I have two examples here. The first of all, we'll make it so we can, you can make it so that service owners can require connections to be mTLS, and then service owners can also limit which client can connect to their server. So to kind of have a visual aid for this I have this very simple diagram to the left where we have three pods, all of them running inside a mesh, and if you have two servers A and B then you can configure some policies on the server to say, okay, I do not want the client to connect, or I do not want the client to connect without mTLS. So this gives you a lot of flexibility and power over authorization, so I'm very excited about this. The roadmap, it's still in early days, so if you want to keep up to date give us a star on GitHub and make sure to keep up with the issues there.

And on the topic of GitHub, finally, to get involved, my favorite part of the presentation. All of our development is on GitHub. We're active in the discussions, we're active in issues, pull requests, so please come and have a look if you're curious, or if you want to contribute please feel free to do so, it's very easy to get set up. We have a thriving community in Slack and Discord, we make formal announcements using mailing lists, we have
monthly community meetups, my favorite part of the month for sure, and then also third-party security audits. Most of all, I think what I want to say is that to be a contributor with Linkerd you do not really need to contribute code. We accept contributions in all forms and shapes, and actually we encourage people to do some doc contributions, to come and help out on Slack. There are a lot of people with good production experience that give great advice on Slack. There are a couple of people that I really look up to that are daily active and helping people out. So yeah, we're very friendly and welcoming community. Join us, it's tons of fun and we're doing lots of good work.

So that's it for me. I think it will be time for Q&A. Yeah, I hope you're excited as I am for Linkerd, and stay tuned for more updates to come in 2021. Thank you.