
Linkerd 2.3 introduces Zero-Trust Networking for Kubernetes


This week, the team at Linkerd announced an updated version of the service mesh, Linkerd 2.3. In this release, mTLS moves from an experimental feature to a fully supported one. Along with several important security primitives, the key update in Linkerd 2.3 is that authenticated, confidential communication between meshed services is now turned on by default.

Linkerd, a Cloud Native Computing Foundation (CNCF) project, is a service mesh designed to give platform-wide observability, reliability, and security without requiring configuration or code changes.

The team at Linkerd says, “Securing the communication between Kubernetes services is an important step towards adopting zero-trust networking. In the zero-trust approach, we discard assumptions about a datacenter security perimeter and instead push requirements around authentication, authorization, and confidentiality “down” to individual units. In Kubernetes terms, this means that services running on the cluster validate, authorize, and encrypt their own communication.”

Linkerd 2.3 addresses challenges with the adoption of zero-trust networking as follows:

  • The control plane ships with a certificate authority (called simply “identity”).
  • The data plane proxies receive TLS certificates from this identity service, tied to the Kubernetes Service Account that the proxy belongs to, rotated every 24 hours.
  • The data plane proxies automatically upgrade all communication between meshed services to authenticated, encrypted TLS connections using these certificates.
  • Since the control plane also runs on the data plane, communication between control plane components is secured in the same way.

All of these changes are enabled by default and require no configuration.
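The identity model in the list above can be sketched with Go's standard library. This is an added example, not Linkerd's code: an in-memory CA stands in for the "identity" service, a 24-hour certificate is bound to a service-account name, and the receiving side checks issuer, name and validity. The `<account>.<namespace>.serviceaccount.identity.linkerd.cluster.local` name format and all helper names are assumptions.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds an in-memory CA standing in for the "identity" service (constructed for this example).
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-identity-ca"}, NotBefore: now,
		NotAfter: now.Add(8760 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)))), key
}

// issue signs a leaf valid for 24 hours whose only SAN is the workload's service-account identity.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, now time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{name}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey))))
}

// verifyPeer is the check one side applies to the other: chains to the CA, carries the expected identity, valid at `at`.
func verifyPeer(ca, peer *x509.Certificate, want string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, DNSName: want, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	now, sfx := time.Now(), ".default.serviceaccount.identity.linkerd.cluster.local" // assumed identity name format
	ca, caKey := newCA(now)
	leaf := issue(ca, caKey, "web"+sfx, now)
	fmt.Println("web at 1h:", verifyPeer(ca, leaf, "web"+sfx, now.Add(time.Hour)), "| at 25h:", verifyPeer(ca, leaf, "web"+sfx, now.Add(25*time.Hour)))
	fmt.Println("claimed as api:", verifyPeer(ca, leaf, "api"+sfx, now.Add(time.Hour)))
}
```

The 25-hour check fails with an expiry error, which is why a proxy has to obtain a fresh certificate inside each 24-hour window.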

“This release represents a major step forward in Linkerd’s security roadmap. In an upcoming blog post, Linkerd creator Oliver Gould will be detailing the design tradeoffs in this approach, as well as covering Linkerd’s upcoming roadmap around certificate chaining, TLS enforcement, identity beyond service accounts, and authorization,” Linkerd’s official blog mentions. These topics and all the other fun features in 2.3 will be further discussed in the upcoming Linkerd Online Community Meeting on Wednesday, April 24, 2019 at 10am PT.

To learn more about Linkerd 2.3, visit its official website.


Savia Lobo

A Data science fanatic. Loves to be updated with the tech happenings around the globe. Loves singing and composing songs. Believes in putting the art in smart.
