Linkerd Service Mesh Security
| Feature | Linkerd | Istio |
|---|---|---|
| Proxy | linkerd2-proxy (Rust) | Envoy (C++) |
| mTLS | Automatic, on by default | Requires configuration |
| Resource | Light, ~10MB/proxy | Heavy, ~50MB/proxy |
| Complexity | Low | High |
| VM Support | Not supported | Supported |
| Multi-cluster | Supported | Supported |
Linkerd Installation and mTLS
# === Linkerd Installation & Security ===
# Install CLI
#   curl -fsL https://run.linkerd.io/install | sh
#   export PATH=$HOME/.linkerd2/bin:$PATH
#   linkerd version
#
# Pre-check
#   linkerd check --pre
#
# Install Control Plane
#   linkerd install --crds | kubectl apply -f -
#   linkerd install | kubectl apply -f -
#   linkerd check
#
# Inject Sidecar (Auto mTLS)
#   kubectl get deploy -n my-app -o yaml | linkerd inject - | kubectl apply -f -
# or
#   kubectl annotate namespace my-app linkerd.io/inject=enabled
#   (the annotation only affects pods created afterwards; restart existing workloads to inject them)
#
# Verify mTLS
#   linkerd viz edges po -n my-app
#   linkerd viz tap deploy/my-api -n my-app
#   look for tls=true in the output
#
# Check Identity (Certificates)
#   linkerd identity
#   linkerd check --proxy
#
# Authorization Policy (Server + ServerAuthorization)
#   apiVersion: policy.linkerd.io/v1beta2
#   kind: Server
#   metadata:
#     name: api-server
#     namespace: my-app
#   spec:
#     podSelector:
#       matchLabels:
#         app: my-api
#     port: 8080
#     proxyProtocol: HTTP/2
#
#   ---
#   apiVersion: policy.linkerd.io/v1beta2
#   kind: ServerAuthorization
#   metadata:
#     name: allow-web-to-api
#     namespace: my-app
#   spec:
#     server:
#       name: api-server
#     client:
#       meshTLS:
#         serviceAccounts:
#         - name: web-frontend
#           namespace: my-app
from dataclasses import dataclass
from typing import List


@dataclass
class MeshService:
    name: str
    namespace: str
    meshed: bool
    mtls: bool
    success_rate: float
    latency_p99_ms: float
    rps: float


services = [
    MeshService("web-frontend", "my-app", True, True, 99.95, 45, 250),
    MeshService("api-server", "my-app", True, True, 99.98, 22, 500),
    MeshService("auth-service", "my-app", True, True, 99.99, 15, 300),
    MeshService("db-proxy", "my-app", True, True, 100.0, 5, 800),
    MeshService("cache-service", "my-app", True, True, 100.0, 2, 1200),
    MeshService("legacy-service", "legacy", False, False, 98.5, 120, 50),
]

print("=== Linkerd Mesh Status ===")
for s in services:
    mesh = "Meshed" if s.meshed else "NOT Meshed"
    tls = "mTLS" if s.mtls else "NO TLS"
    print(f"  [{mesh}] {s.name}.{s.namespace}")
    print(f"    {tls} | SR: {s.success_rate}% | P99: {s.latency_p99_ms}ms | "
          f"RPS: {s.rps}")
Authorization Policies
# === Security Hardening Policies ===
# Default Deny Policy
#   apiVersion: policy.linkerd.io/v1beta2
#   kind: Server
#   metadata:
#     name: default-deny
#     namespace: my-app
#   spec:
#     podSelector: {}   # All pods
#     port: 8080
#
#   # No ServerAuthorization = Deny All
#   # Then create specific Allow rules
#   # Note: Servers in a namespace must not select overlapping pods on the same port;
#   # for a blanket default, the namespace annotation
#   # config.linkerd.io/default-inbound-policy: deny is the usual approach.
#
# Network Policy (Kubernetes)
#   apiVersion: networking.k8s.io/v1
#   kind: NetworkPolicy
#   metadata:
#     name: deny-all
#     namespace: my-app
#   spec:
#     podSelector: {}
#     policyTypes:
#     - Ingress
#     - Egress
#
#   ---
#   apiVersion: networking.k8s.io/v1
#   kind: NetworkPolicy
#   metadata:
#     name: allow-web-to-api
#     namespace: my-app
#   spec:
#     podSelector:
#       matchLabels:
#         app: api-server
#     ingress:
#     - from:
#       - podSelector:
#           matchLabels:
#             app: web-frontend
#       ports:
#       - port: 8080
@dataclass
class AuthPolicy:
    name: str
    server: str
    allowed_clients: List[str]
    protocol: str
    action: str


policies = [
    AuthPolicy("allow-web-to-api", "api-server:8080",
               ["web-frontend"], "HTTP/2", "Allow"),
    AuthPolicy("allow-api-to-db", "db-proxy:5432",
               ["api-server"], "TCP", "Allow"),
    AuthPolicy("allow-api-to-cache", "cache-service:6379",
               ["api-server"], "TCP", "Allow"),
    AuthPolicy("allow-api-to-auth", "auth-service:8080",
               ["api-server", "web-frontend"], "HTTP/2", "Allow"),
    AuthPolicy("deny-all-default", "all:*",
               [], "Any", "Deny (Default)"),
]

print("\n=== Authorization Policies ===")
for p in policies:
    clients = ", ".join(p.allowed_clients) if p.allowed_clients else "None"
    print(f"  [{p.action}] {p.name}")
    print(f"    Server: {p.server} ({p.protocol})")
    print(f"    Clients: {clients}")

# Security Checklist
security = {
    "mTLS": ["Verify all pods are meshed", "Check certificate rotation", "Monitor TLS errors"],
    "Authorization": ["Default deny all", "Explicit allow rules only", "Service account per service"],
    "Network": ["NetworkPolicy deny all first", "Allow only required traffic", "Egress control"],
    "Observability": ["Monitor success rates", "Alert on mTLS failures", "Audit access logs"],
    "Supply Chain": ["Scan container images", "Pin image versions", "Sign with cosign"],
}

print("\n\nSecurity Hardening Checklist:")
for category, items in security.items():
    print(f"\n  [{category}]")
    for item in items:
        print(f"    - {item}")
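To make the Server / ServerAuthorization semantics from this section and the one above concrete, here is an added Python example (not Linkerd's code and not part of the original page) that models those resources and decides whether a client identity may reach a pod on a port. The Server, ServerAuthorization and Pod classes, the decide() helper and the SERVERS/AUTHZS sample set are assumptions of this example; the default_policy names mirror the values Linkerd accepts for its default inbound policy.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical models of the Server / ServerAuthorization resources (not Linkerd's own code).
@dataclass
class Server:
    name: str
    namespace: str
    match_labels: Dict[str, str]   # podSelector.matchLabels; {} selects every pod in the namespace
    port: int

@dataclass
class ServerAuthorization:
    namespace: str
    server: str                    # spec.server.name
    service_accounts: List[str]    # spec.client.meshTLS.serviceAccounts, same namespace assumed

@dataclass
class Pod:
    namespace: str
    labels: Dict[str, str]

def matching_server(servers: List[Server], pod: Pod, port: int) -> Optional[Server]:
    """Return the Server whose podSelector and port cover this pod, if any."""
    for s in servers:
        if s.namespace == pod.namespace and s.port == port and \
                all(pod.labels.get(k) == v for k, v in s.match_labels.items()):
            return s
    return None

def decide(servers: List[Server], authzs: List[ServerAuthorization], pod: Pod, port: int,
           client_sa: Optional[str], default_policy: str = "all-unauthenticated") -> str:
    """client_sa is the meshed client's service account, or None for unmeshed (unauthenticated) traffic."""
    srv = matching_server(servers, pod, port)
    if srv is None:
        # No Server covers this port, so the cluster/namespace default inbound policy applies.
        if default_policy == "all-unauthenticated":
            return "allow"
        if default_policy == "all-authenticated":
            return "allow" if client_sa else "deny"
        return "deny"
    allowed = {sa for a in authzs if a.namespace == srv.namespace and a.server == srv.name
               for sa in a.service_accounts}
    # A Server with no matching ServerAuthorization admits nothing: this is the default-deny pattern.
    return "allow" if client_sa in allowed else "deny"

# Constructed policy set mirroring the YAML above.
SERVERS = [Server("api-server", "my-app", {"app": "my-api"}, 8080)]
AUTHZS = [ServerAuthorization("my-app", "api-server", ["web-frontend"])]
API_POD = Pod("my-app", {"app": "my-api"})
CACHE_POD = Pod("my-app", {"app": "cache-service"})
```

Removing the ServerAuthorization (or presenting no identity) turns the api-server decision into a deny, while a port with no Server falls through to the default policy.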
Observability and Monitoring
# === Linkerd Observability ===
#   linkerd viz install | kubectl apply -f -
#   linkerd viz dashboard &
#
# Live Traffic
#   linkerd viz top deploy/api-server -n my-app
#   linkerd viz tap deploy/api-server -n my-app
#
# Routes
#   linkerd viz routes deploy/api-server -n my-app
#
# Service Profile (Retry + Timeout)
#   apiVersion: linkerd.io/v1alpha2
#   kind: ServiceProfile
#   metadata:
#     name: api-server.my-app.svc.cluster.local
#     namespace: my-app
#   spec:
#     routes:
#     - name: GET /api/users
#       condition:
#         method: GET
#         pathRegex: /api/users
#       timeout: 5s
#       isRetryable: true
#     - name: POST /api/orders
#       condition:
#         method: POST
#         pathRegex: /api/orders
#       timeout: 10s
#       isRetryable: false   # non-idempotent route: never retry
#
# Prometheus Metrics
#   linkerd_request_total
#   linkerd_response_total
#   linkerd_response_latency_ms_bucket
#   linkerd_tcp_open_total
#   linkerd_identity_cert_expiration_timestamp
golden_signals = {
    "Latency": {
        "metric": "linkerd_response_latency_ms_bucket",
        "alert": "P99 > 500ms for 5 min",
        "dashboard": "Latency percentiles per route",
    },
    "Traffic": {
        "metric": "linkerd_request_total",
        "alert": "RPS drop > 50% in 5 min",
        "dashboard": "RPS per service and route",
    },
    "Errors": {
        "metric": "linkerd_response_total{classification='failure'}",
        "alert": "Error rate > 1% for 3 min",
        "dashboard": "Error rate per service",
    },
    "Saturation": {
        "metric": "container_memory_usage_bytes",
        "alert": "Memory > 90% for 5 min",
        "dashboard": "CPU and Memory per proxy",
    },
}

print("Golden Signals Monitoring:")
for signal, info in golden_signals.items():
    print(f"\n  [{signal}]")
    for k, v in info.items():
        print(f"    {k}: {v}")
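As an added example (not from the original page and not Linkerd's code), the following Python reads a constructed Prometheus text-format scrape that uses the metric names listed above, computes the per-deployment error rate for the Errors signal and flags proxies whose identity certificate expires within seven days. The `deployment` label, the sample values, NOW and the helper names are assumptions of this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple
NOW = 1_700_000_000  # fixed "current time" so the check is deterministic
# Constructed sample scrape, not real proxy output; the deployment label set is an assumption.
SAMPLE = f"""
# HELP linkerd_response_total Total count of HTTP responses.
linkerd_response_total{{deployment="api-server",classification="success"}} 9900
linkerd_response_total{{deployment="api-server",classification="failure"}} 150
linkerd_response_total{{deployment="web-frontend",classification="success"}} 5000
linkerd_response_total{{deployment="web-frontend",classification="failure"}} 10
linkerd_identity_cert_expiration_timestamp{{deployment="api-server"}} {NOW + 3 * 86400}
linkerd_identity_cert_expiration_timestamp{{deployment="web-frontend"}} {NOW + 30 * 86400}
"""

LINE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)")
LABEL = re.compile(r'(\w+)="([^"]*)"')

def parse_metrics(text: str) -> List[Tuple[str, Dict[str, str], float]]:
    """Parse Prometheus text-exposition lines into (name, labels, value), skipping comments."""
    samples = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            samples.append((m.group(1), dict(LABEL.findall(m.group(2) or "")), float(m.group(3))))
    return samples

def error_rates(samples) -> Dict[str, float]:
    """Errors signal: failures / all responses per deployment from linkerd_response_total."""
    total, failed = defaultdict(float), defaultdict(float)
    for name, labels, value in samples:
        if name == "linkerd_response_total":
            d = labels.get("deployment", "?")
            total[d] += value
            if labels.get("classification") == "failure":
                failed[d] += value
    return {d: failed[d] / total[d] for d in total if total[d]}

def golden_alerts(samples, now: int, max_error_rate: float = 0.01,
                  cert_warn_seconds: int = 7 * 86400) -> Dict[str, List[str]]:
    """Deployments breaching the 1% error budget, and proxies whose identity cert expires soon."""
    alerts: Dict[str, List[str]] = {"errors": [], "certs": []}
    for d, rate in sorted(error_rates(samples).items()):
        if rate > max_error_rate:
            alerts["errors"].append(d)
    for name, labels, value in samples:
        if name == "linkerd_identity_cert_expiration_timestamp" and value - now < cert_warn_seconds:
            alerts["certs"].append(labels.get("deployment", "?"))
    return alerts
```

On a live cluster the same functions can be fed the text returned by `linkerd diagnostics proxy-metrics` or a Prometheus scrape of a proxy's metrics port, with `now` set to the current Unix time.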
Tips
- mTLS: Linkerd enables mTLS automatically; no extra configuration is needed.
- Default Deny: a Server with no ServerAuthorization means deny all.
- Inject: auto-injection via the namespace annotation is more convenient than manual injection.
- Profile: create a ServiceProfile and set a timeout and retry policy for every route.
- Monitor: watch the Golden Signals for every service and set appropriate alerts.
What is Linkerd?
An open-source service mesh for Kubernetes written in Rust and Go; lightweight and fast, with automatic mTLS, traffic splitting and observability. It is a CNCF Graduated project.
What is mTLS?
Mutual TLS encrypts traffic and authenticates both sides, client and server, with certificates, preventing MITM; traffic stays encrypted along the whole path. Linkerd does this automatically.
Is a service mesh necessary?
It is necessary when you run many microservices and need mTLS, observability and traffic management; it is not necessary with few services or a monolith, since it adds complexity and resource usage.
How do Linkerd and Istio differ?
Linkerd is lightweight (Rust), uses fewer resources and is simpler; Istio (Envoy) has more features, is more complex, uses more resources and supports VMs. Linkerd suits small teams, Istio suits enterprises.
Summary
This page covered Linkerd as a Kubernetes service mesh: automatic mTLS with the Rust proxy, authorization policy with default deny, Kubernetes NetworkPolicy, observability through the Golden Signals, zero-trust security hardening, ServiceProfile timeouts and retries, and certificate checks.
