Linkerd Service Mesh Security Hardening
| Feature | Linkerd | Istio |
|---|---|---|
| Proxy | linkerd2-proxy (Rust) | Envoy (C++) |
| mTLS | Automatic between meshed pods, on by default | Automatic in permissive mode; enforcing STRICT mode needs a PeerAuthentication |
| Resource use | Light, roughly 10 MB per proxy | Heavier, roughly 50 MB per proxy |
| Complexity | Low | High |
| VM support | Not supported | Supported |
| Multi-cluster | Supported | Supported |
Linkerd Installation and mTLS
=== Linkerd Installation & Security ===
Install CLI
curl -fsL https://run.linkerd.io/install | sh
export PATH=$HOME/.linkerd2/bin:$PATH
linkerd version
Piping a remote script into sh is the documented install path; if your supply-chain policy forbids it, download the script, review it and pin the release, or install the CLI binary from the GitHub release page.
Pre-check (cluster version, RBAC, and that nothing conflicts with the control plane)
linkerd check --pre
Install Control Plane (CRDs first, then the control plane; `linkerd check` should be fully green before you inject any workload)
linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -
linkerd check
Inject Sidecar (Auto mTLS)
kubectl get deploy -n my-app -o yaml | linkerd inject - | kubectl apply -f -
or annotate the namespace so the proxy-injector webhook injects every new pod:
kubectl annotate namespace my-app linkerd.io/inject=enabled
The annotation only affects pods created after it is set; restart existing workloads (`kubectl rollout restart deploy -n my-app`) so they pick up the sidecar.
Verify mTLS (these need the viz extension, installed in the Observability section below)
linkerd viz edges po -n my-app
linkerd viz tap deploy/api-server -n my-app
Look for tls=true in the tap output; `edges` lists the client and server identities (CLIENT_ID / SERVER_ID, derived from ServiceAccounts) of every connection. A connection to or from an unmeshed pod shows as not TLS; those are the ones to hunt down.
Check Identity (Certificates)
linkerd identity -n my-app <api-server-pod>
linkerd check --proxy -n my-app
`linkerd identity` prints the proxy's current certificate, issued by the Linkerd identity service, short-lived and rotated automatically. `linkerd check` (with `--proxy` for the data plane) includes the identity checks: trust anchor and issuer certificate valid and not about to expire, which is where a mesh-wide mTLS outage usually starts.
Authorization Policy (Server + ServerAuthorization)
A Server claims a port on a set of pods; once it exists, only traffic matched by a ServerAuthorization (or an AuthorizationPolicy, the newer resource introduced in Linkerd 2.12) reaches that port, and the proxy rejects every other connection. The example below lets only pods running as the `web-frontend` ServiceAccount reach port 8080 of the `app: api-server` pods (the same pods the NetworkPolicy further down selects). The client identity comes from the mTLS certificate, so it cannot be spoofed with a label or a source IP.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: api-server
  namespace: my-app
spec:
  podSelector:
    matchLabels:
      app: api-server
  port: 8080
  proxyProtocol: HTTP/2
---
apiVersion: policy.linkerd.io/v1beta2
kind: ServerAuthorization
metadata:
  name: allow-web-to-api
  namespace: my-app
spec:
  server:
    name: api-server
  client:
    meshTLS:
      serviceAccounts:
      - name: web-frontend
        namespace: my-app
After applying, confirm the pods stay Ready (kubelet probes must still get through) and watch decisions with `linkerd viz authz deploy/api-server -n my-app`, which lists allowed and denied requests per Server and authorization.
A quick status report over a hand-maintained inventory (the values below are illustrative; in a real cluster feed it from `linkerd viz stat`):
from dataclasses import dataclass
from typing import List

@dataclass
class MeshService:
    name: str
    namespace: str
    meshed: bool            # proxy injected
    mtls: bool              # traffic shows tls=true in tap / edges
    success_rate: float     # percent
    latency_p99_ms: float
    rps: float

# legacy-service is the unmeshed, plaintext outlier
services = [
    MeshService("web-frontend", "my-app", True, True, 99.95, 45, 250),
    MeshService("api-server", "my-app", True, True, 99.98, 22, 500),
    MeshService("auth-service", "my-app", True, True, 99.99, 15, 300),
    MeshService("db-proxy", "my-app", True, True, 100.0, 5, 800),
    MeshService("cache-service", "my-app", True, True, 100.0, 2, 1200),
    MeshService("legacy-service", "legacy", False, False, 98.5, 120, 50),
]

print("=== Linkerd Mesh Status ===")
for s in services:
    mesh = "Meshed" if s.meshed else "NOT Meshed"
    tls = "mTLS" if s.mtls else "NO TLS"
    print(f"  [{mesh}] {s.name}.{s.namespace}")
    print(f"      {tls} | SR: {s.success_rate}% | P99: {s.latency_p99_ms}ms | "
          f"RPS: {s.rps}")
Authorization Policies
=== Security Hardening Policies ===
Default Deny Policy
A Server with no ServerAuthorization denies everything on its port. The catch-all form:
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: default-deny
  namespace: my-app
spec:
  podSelector: {}   # all pods in the namespace
  port: 8080
# No ServerAuthorization = deny all on 8080; then add specific allow rules.
Caveat: this catch-all Server selects the same pods and port as the `api-server` Server above, and two Servers that overlap on a pod and port are a conflict whose outcome is undefined. The cleaner way to get deny-by-default is the namespace annotation `config.linkerd.io/default-inbound-policy: deny` (or `all-authenticated`, which admits any meshed client with a valid mTLS identity). With it, every port that has no Server is denied and you only write Servers for ports you intend to open.
Network Policy (Kubernetes)
Linkerd policy is enforced inside the proxy; a Kubernetes NetworkPolicy enforced by the CNI is an independent layer underneath it (defence in depth, and it still applies to pods that escape injection). Start from deny-all, then allow what is required:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: my-app
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-api
  namespace: my-app
spec:
  podSelector:
    matchLabels:
      app: api-server
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web-frontend
    ports:
    - port: 8080
Caveat: with egress denied, meshed pods also lose what the proxy itself needs: DNS (kube-dns, UDP and TCP 53) and the control plane in the `linkerd` namespace (identity, destination and policy APIs). Without identity the proxy cannot obtain its certificate, and mTLS fails for the whole namespace. Add egress rules for those, plus ingress from the viz extension to the proxy admin port (4191, metrics) and tap port (4190), before rolling deny-all out.
from dataclasses import dataclass
from typing import List

@dataclass
class AuthPolicy:
    name: str
    server: str
    allowed_clients: List[str]
    protocol: str
    action: str

policies = [
    AuthPolicy("allow-web-to-api", "api-server:8080",
               ["web-frontend"], "HTTP/2", "Allow"),
    AuthPolicy("allow-api-to-db", "db-proxy:5432",
               ["api-server"], "TCP", "Allow"),
    AuthPolicy("allow-api-to-cache", "cache-service:6379",
               ["api-server"], "TCP", "Allow"),
    AuthPolicy("allow-api-to-auth", "auth-service:8080",
               ["api-server", "web-frontend"], "HTTP/2", "Allow"),
    AuthPolicy("deny-all-default", "all:*",
               [], "Any", "Deny (Default)"),
]

print("\n=== Authorization Policies ===")
for p in policies:
    clients = ", ".join(p.allowed_clients) if p.allowed_clients else "None"
    print(f"  [{p.action}] {p.name}")
    print(f"      Server: {p.server} ({p.protocol})")
    print(f"      Clients: {clients}")

# Security Checklist
security = {
    "mTLS": ["Verify all pods are meshed", "Check certificate rotation", "Monitor TLS errors"],
    "Authorization": ["Default deny all", "Explicit allow rules only", "Service account per service"],
    "Network": ["NetworkPolicy deny all first", "Allow only required traffic", "Egress control"],
    "Observability": ["Monitor success rates", "Alert on mTLS failures", "Audit access logs"],
    "Supply Chain": ["Scan container images", "Pin image versions", "Sign with cosign"],
}

print("\n\nSecurity Hardening Checklist:")
for category, items in security.items():
    print(f"\n  [{category}]")
    for item in items:
        print(f"    - {item}")
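The Server/ServerAuthorization pattern and the default-deny approach in this section are easy to get subtly wrong: a misspelled ServiceAccount silently matches nothing, an `unauthenticated` client block reopens a port, a Server left without any authorization denies all traffic (sometimes intended, sometimes not), and two Servers overlapping on a pod and port conflict. The audit script below is an added example written for this page, not code from the Linkerd project. It runs over constructed manifests embedded as Python dicts (the shape `yaml.safe_load_all` returns for the YAML above), plus constructed ServiceAccount and pod lists; only `matchLabels` selectors and the by-name `spec.server` form are handled.

```python
"""Static audit of Linkerd Server / ServerAuthorization manifests.

Added example for this page; not code from the Linkerd project. The
manifests, ServiceAccounts and pods are constructed samples so the script
runs offline; replace them with `kubectl get ... -o json` output to audit
a real namespace.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (severity, message)

MANIFESTS: List[dict] = [
    # The page's api-server Server and its web-frontend authorization.
    {"kind": "Server",
     "metadata": {"name": "api-server", "namespace": "my-app"},
     "spec": {"podSelector": {"matchLabels": {"app": "api-server"}},
              "port": 8080, "proxyProtocol": "HTTP/2"}},
    {"kind": "ServerAuthorization",
     "metadata": {"name": "allow-web-to-api", "namespace": "my-app"},
     "spec": {"server": {"name": "api-server"},
              "client": {"meshTLS": {"serviceAccounts": [
                  {"name": "web-frontend", "namespace": "my-app"}]}}}},
    # Catch-all "default deny" Server on 8080: overlaps api-server.
    {"kind": "Server",
     "metadata": {"name": "default-deny", "namespace": "my-app"},
     "spec": {"podSelector": {}, "port": 8080}},
    # Opaque TCP port with no authorization at all.
    {"kind": "Server",
     "metadata": {"name": "db-proxy", "namespace": "my-app"},
     "spec": {"podSelector": {"matchLabels": {"app": "db-proxy"}},
              "port": 5432, "proxyProtocol": "opaque"}},
    # Misspelled ServiceAccount; namespace omitted so it defaults to my-app.
    {"kind": "ServerAuthorization",
     "metadata": {"name": "allow-batch-to-api", "namespace": "my-app"},
     "spec": {"server": {"name": "api-server"},
              "client": {"meshTLS": {"serviceAccounts": [{"name": "batch-jb"}]}}}},
    # Unauthenticated clients: identity no longer matters on this port.
    {"kind": "ServerAuthorization",
     "metadata": {"name": "allow-anyone-to-api", "namespace": "my-app"},
     "spec": {"server": {"name": "api-server"},
              "client": {"unauthenticated": True}}},
]
# Constructed: ServiceAccounts present in the cluster, as (namespace, name).
SERVICE_ACCOUNTS: Set[Tuple[str, str]] = {
    ("my-app", "web-frontend"), ("my-app", "api-server"), ("my-app", "batch-job")}
# Constructed: running pods with their labels.
PODS: List[dict] = [
    {"namespace": "my-app", "name": "api-server-7d9f", "labels": {"app": "api-server"}},
    {"namespace": "my-app", "name": "db-proxy-5c21", "labels": {"app": "db-proxy"}},
]


def selects(selector: dict, labels: dict) -> bool:
    """matchLabels semantics only (no matchExpressions); {} matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def audit(manifests: List[dict], service_accounts: Set[Tuple[str, str]],
          pods: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    servers = {(m["metadata"]["namespace"], m["metadata"]["name"]): m
               for m in manifests if m["kind"] == "Server"}
    authorized: Set[Tuple[str, str]] = set()

    for m in (x for x in manifests if x["kind"] == "ServerAuthorization"):
        name, ns = m["metadata"]["name"], m["metadata"]["namespace"]
        key = (ns, m["spec"]["server"].get("name", ""))  # by-name form only
        if key not in servers:
            findings.append(("error", f"{name}: references unknown Server {key[1]!r}"))
            continue
        authorized.add(key)
        client = m["spec"].get("client", {})
        if client.get("unauthenticated"):
            findings.append(("warn", f"{name}: allows unauthenticated clients on {key[1]}"))
        for sa in client.get("meshTLS", {}).get("serviceAccounts", []):
            sa_key = (sa.get("namespace", ns), sa["name"])  # ns defaults to the policy's
            if sa_key not in service_accounts:
                findings.append(("error", f"{name}: ServiceAccount {sa_key[0]}/{sa_key[1]} "
                                          "does not exist, rule can never match"))

    # A Server with no authorization denies all traffic on its port.
    for (ns, name), srv in servers.items():
        if (ns, name) not in authorized:
            findings.append(("info", f"{name}: no ServerAuthorization, port "
                                     f"{srv['spec']['port']} is deny-all"))

    # Two Servers selecting the same pod and port conflict; prefer the
    # config.linkerd.io/default-inbound-policy: deny annotation instead.
    for pod in pods:
        by_port = defaultdict(list)
        for (ns, name), srv in servers.items():
            if ns == pod["namespace"] and selects(srv["spec"]["podSelector"], pod["labels"]):
                by_port[srv["spec"]["port"]].append(name)
        for port, names in by_port.items():
            if len(names) > 1:
                findings.append(("error", f"{pod['name']}:{port}: selected by "
                                          f"{len(names)} Servers {sorted(names)}"))
    return findings


if __name__ == "__main__":
    for level, msg in audit(MANIFESTS, SERVICE_ACCOUNTS, PODS):
        print(f"[{level:5}] {msg}")
```

Run it in CI against the rendered manifests before `kubectl apply`; the "info" findings are the intended deny-all ports and should be reviewed rather than suppressed, because a Server you meant to open but forgot to authorize looks exactly the same.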
Observability and Monitoring
=== Linkerd Observability ===
linkerd viz install | kubectl apply -f -
linkerd viz dashboard &
# Live traffic (top aggregates; tap streams individual requests with tls= and identity)
linkerd viz top deploy/api-server -n my-app
linkerd viz tap deploy/api-server -n my-app
# Per-route stats (need a ServiceProfile for the service)
linkerd viz routes deploy/api-server -n my-app
`linkerd viz dashboard` reaches the dashboard through a port-forward and the dashboard has no authentication of its own; do not expose it through an Ingress without putting auth in front of it. Tap reveals request metadata (paths, headers) and is gated by its own RBAC, so grant it deliberately.
# Service Profile (Retry + Timeout)
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: api-server.my-app.svc.cluster.local
  namespace: my-app
spec:
  routes:
  - name: GET /api/users
    condition:
      method: GET
      pathRegex: /api/users
    timeout: 5s
    isRetryable: true
  - name: POST /api/orders
    condition:
      method: POST
      pathRegex: /api/orders
    timeout: 10s
    isRetryable: false
Only idempotent routes should be retryable: a retried POST /api/orders would duplicate the side effect, which is why it is left at false.
Prometheus Metrics (proxy metric names as scraped by linkerd-viz; there is no `linkerd_` prefix)
request_total
response_total                                (classification="success" | "failure")
response_latency_ms_bucket
tcp_open_total
inbound_http_authz_allow_total / inbound_http_authz_deny_total   (policy decisions)
identity_cert_expiration_timestamp_seconds    (proxy certificate expiry)
golden_signals = {
    "Latency": {
        "metric": "response_latency_ms_bucket",
        "alert": "P99 > 500ms for 5 min",
        "dashboard": "Latency percentiles per route",
    },
    "Traffic": {
        "metric": "request_total",
        "alert": "RPS drop > 50% in 5 min",
        "dashboard": "RPS per service and route",
    },
    "Errors": {
        "metric": 'response_total{classification="failure"}',
        "alert": "Error rate > 1% for 3 min",
        "dashboard": "Error rate per service",
    },
    "Saturation": {
        # working set is the figure the kubelet compares against the limit
        "metric": "container_memory_working_set_bytes",
        "alert": "Memory > 90% of limit for 5 min",
        "dashboard": "CPU and Memory per proxy",
    },
}

print("Golden Signals Monitoring:")
for signal, info in golden_signals.items():
    print(f"\n  [{signal}]")
    for k, v in info.items():
        print(f"    {k}: {v}")
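To turn the Golden Signals table into something that actually fires, here is an added example written for this page (not Linkerd's code). It parses a constructed scrape of one proxy's `/metrics` endpoint in the Prometheus text format and applies the latency and error thresholds above plus two security checks: the share of inbound responses that were not mTLS, and the proxy certificate's time to expiry. The metric names are the proxy's (`response_total`, `response_latency_ms_bucket`, `inbound_http_authz_deny_total`, `identity_cert_expiration_timestamp_seconds`); the label values, the numbers and the mTLS and certificate thresholds are assumptions.

```python
"""Golden-signal and mTLS checks over one Linkerd proxy's /metrics scrape.

Added example for this page, not code from the Linkerd project. SCRAPE is a
constructed scrape in Prometheus text format: metric names are the proxy's,
label values and numbers are illustrative. Latency and error thresholds are
the page's; the mTLS and certificate thresholds are assumed.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Sample(NamedTuple):
    name: str
    labels: Dict[str, str]
    value: float


SCRAPE = """\
# constructed scrape of an api-server pod (proxy admin port 4191, /metrics)
response_total{direction="inbound",tls="true",client_id="web-frontend.my-app.serviceaccount.identity.linkerd.cluster.local",classification="success"} 950
response_total{direction="inbound",tls="true",client_id="web-frontend.my-app.serviceaccount.identity.linkerd.cluster.local",classification="failure"} 20
response_total{direction="inbound",tls="no_identity",no_tls_reason="not_provided_by_remote",classification="success"} 30
response_total{direction="outbound",tls="true",classification="success"} 400
response_latency_ms_bucket{direction="inbound",le="100"} 800
response_latency_ms_bucket{direction="inbound",le="500"} 960
response_latency_ms_bucket{direction="inbound",le="1000"} 995
response_latency_ms_bucket{direction="inbound",le="+Inf"} 1000
inbound_http_authz_deny_total{srv_kind="server",srv_name="api-server"} 7
identity_cert_expiration_timestamp_seconds 1700001800
"""
NOW = 1_700_000_000.0  # constructed "current time" that matches the scrape

_LINE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)")
_LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse(text: str) -> List[Sample]:
    """Minimal text-format parser; comment and blank lines fail the regex and are skipped."""
    out: List[Sample] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append(Sample(m.group(1), dict(_LABEL.findall(m.group(2) or "")),
                              float(m.group(3))))
    return out


def total(samples: List[Sample], name: str, **where: str) -> float:
    """Sum of a counter over every series whose labels match `where`."""
    return sum(s.value for s in samples if s.name == name
               and all(s.labels.get(k) == v for k, v in where.items()))


def p99_ms(samples: List[Sample]) -> float:
    """Upper bound of the first cumulative bucket holding >= 99% of inbound responses."""
    buckets: Dict[float, float] = {}
    for s in samples:
        if s.name == "response_latency_ms_bucket" and s.labels.get("direction") == "inbound":
            le = float(s.labels["le"])  # "+Inf" parses to inf
            buckets[le] = buckets.get(le, 0.0) + s.value
    if not buckets:
        return 0.0
    count = buckets[max(buckets)]  # the +Inf bucket holds the total
    return next(le for le in sorted(buckets) if buckets[le] >= 0.99 * count)


def evaluate(scrape: str, now: float) -> Dict[str, object]:
    s = parse(scrape)
    inbound = total(s, "response_total", direction="inbound")
    failures = total(s, "response_total", direction="inbound", classification="failure")
    mtls = total(s, "response_total", direction="inbound", tls="true")
    err_pct = round(100 * failures / inbound, 2) if inbound else 0.0
    plain_pct = round(100 * (inbound - mtls) / inbound, 2) if inbound else 0.0
    p99 = p99_ms(s)
    denies = total(s, "inbound_http_authz_deny_total")
    expiry = [x.value for x in s if x.name == "identity_cert_expiration_timestamp_seconds"]
    hours: Optional[float] = round((expiry[0] - now) / 3600, 2) if expiry else None

    alerts: List[str] = []
    if err_pct > 1:
        alerts.append(f"error rate {err_pct}% > 1%")
    if p99 > 500:
        alerts.append(f"P99 {p99}ms > 500ms")
    if plain_pct > 0:  # assumed: any inbound traffic without mTLS is a finding
        alerts.append(f"{plain_pct}% of inbound responses without mTLS")
    if denies > 0:
        alerts.append(f"{int(denies)} inbound requests denied by policy")
    if hours is not None and hours < 2:  # assumed: rotation should never get this close
        alerts.append(f"proxy certificate expires in {hours}h; rotation may be failing")
    return {"error_rate_pct": err_pct, "plaintext_pct": plain_pct, "p99_ms": p99,
            "authz_denies": denies, "cert_hours_left": hours, "alerts": alerts}


if __name__ == "__main__":
    for k, v in evaluate(SCRAPE, NOW).items():
        print(f"{k}: {v}")
```

In production the same conditions belong in PromQL alerting rules over the viz Prometheus (rate over a window, grouped by deployment); running the logic over a raw scrape is useful when debugging a single pod with `linkerd diagnostics proxy-metrics po/<pod> -n my-app`. Note that outbound series are deliberately excluded so a service's error rate reflects what it served, not what it called.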
Tips
- mTLS: Linkerd enables mTLS automatically between meshed pods with no extra configuration. It does not cover unmeshed pods, ports listed in config.linkerd.io/skip-inbound-ports, or traffic leaving the cluster, so verify with `edges` and `tap` rather than assuming.
- Default Deny: a Server with no authorization denies all traffic on that port; for a whole namespace, set config.linkerd.io/default-inbound-policy: deny.
- Inject: the namespace annotation for auto-injection is more convenient than injecting manually, but restart existing workloads afterwards.
- Profile: create a ServiceProfile with a timeout and retry setting for every route, and mark only idempotent routes as retryable.
- Monitor: watch the Golden Signals for every service and set sensible alert thresholds; add mTLS failures and policy denials to the alert set.
What is Linkerd
An open source service mesh for Kubernetes (data-plane proxy written in Rust, control plane in Go); lightweight and fast, with automatic mTLS, traffic splitting and observability; a CNCF Graduated project.