Using Linkerd Service Mesh in Thalassa Cloud Kubernetes
Linkerd is a lightweight service mesh for Kubernetes that brings automatic mutual TLS, observability, and reliability—without requiring changes to your application code. By adding Linkerd to your Thalassa Cloud Kubernetes cluster, you can secure service-to-service traffic, gain detailed visibility into requests, and make your applications more resilient with features like automatic retries, timeouts, and load balancing.
A service mesh sits between your microservices and the network, handling all service-to-service communication transparently using sidecar proxies. This means you get built-in security (automatic encryption with mTLS), observability (metrics, logs, and traces), and reliability (retries and circuit breakers) across your cluster, all with minimal configuration.
This guide will show you how to install Linkerd, connect it with your apps, and use its features to improve security and insight across your microservices.
Lightweight Design
Linkerd is designed to be simple and lightweight. It uses a Rust-based data plane proxy that’s extremely fast and resource-efficient, making it suitable for high-throughput workloads. The control plane is also lightweight, requiring minimal resources to operate.
Prerequisites
Before installing Linkerd, make sure the following prerequisites are met:
- You have a running Kubernetes cluster in Thalassa Cloud.
- You have cluster access configured with kubectl.
  - Use tcloud kubernetes connect to configure access or set up your kubeconfig manually.
- You have cluster administrator permissions (required for installing cluster-level resources).
- Your cluster has sufficient resources for Linkerd. Although Linkerd is lightweight, ensure your cluster has enough CPU and memory to accommodate it (a small cluster with a few nodes is usually sufficient).
Installing the Linkerd CLI
The easiest way to install and manage Linkerd is using the Linkerd CLI. Install the CLI on your local machine first.
On macOS, you can use Homebrew:
brew install linkerd
On Linux, download the binary directly:
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install-edge | sh
For Windows or other platforms, see the Linkerd installation documentation for platform-specific instructions.
Verify the installation:
linkerd version --client
This shows the Linkerd CLI version. The CLI version should match or be compatible with the Linkerd control plane version you’ll install.
Checking Cluster Prerequisites
Before installing Linkerd, check that your cluster meets the requirements. Linkerd provides a command to verify this:
linkerd check --pre
This command checks your cluster for Linkerd compatibility, including Kubernetes version, required APIs, permissions, and conflicting network settings. If issues are found, follow the command’s suggestions to resolve them before installing Linkerd.
Installing the Linkerd Control Plane
With the CLI installed and prerequisites verified, install the Linkerd control plane in your cluster:
linkerd install | kubectl apply -f -
This installs all Linkerd control plane components, including the identity service (which manages mTLS certificates), the destination service (which provides service discovery), and the proxy injector (which automatically injects Linkerd proxies into pods).
The installation process typically takes a minute or two. Monitor the installation:
linkerd check
This command verifies that all Linkerd components are running correctly. Wait until all checks pass before proceeding.
You can also check the control plane pods directly:
kubectl get pods -n linkerd
You should see pods for linkerd-identity, linkerd-destination, linkerd-proxy-injector, and other control plane components. All pods should be running.
Injecting the Linkerd Proxy
To use Linkerd with your applications, you need to add the Linkerd proxy to your pods. The easiest way is with the linkerd inject command, which updates your Kubernetes manifests before applying them:
kubectl get deployment my-app -o yaml | linkerd inject - | kubectl apply -f -
This adds the Linkerd proxy as a sidecar to your deployment’s pods.
To inject the proxy into all pods in a namespace by default, add an annotation:
kubectl annotate namespace default linkerd.io/inject=enabled
After deploying, check your pods:
kubectl get pods -o wide
Pods with Linkerd will have two containers: your app and linkerd-proxy.
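A check for injection gaps, added here as an example (not code from the Linkerd project or Thalassa Cloud): the proxy injector acts when a pod is created, so pods that predate the namespace annotation stay unmeshed, and outside mTLS, until they are restarted. The sample objects and helper names are constructed, and treating a linkerd-proxy init container as meshed is an assumption that covers native-sidecar setups.

```python
import json

PROXY = "linkerd-proxy"        # proxy container name, as stated on this page
INJECT = "linkerd.io/inject"   # annotation used on this page

def annotations(obj):
    return obj["metadata"].get("annotations") or {}

def is_meshed(pod):
    """Proxy present as a regular sidecar or (assumption) a native-sidecar init container."""
    spec = pod.get("spec", {})
    found = spec.get("containers", []) + spec.get("initContainers", [])
    return any(c["name"] == PROXY for c in found)

def injection_gaps(namespaces, pods):
    """Return sorted 'namespace/pod' entries that should be meshed but are not."""
    enabled = {ns["metadata"]["name"] for ns in namespaces["items"]
               if annotations(ns).get(INJECT) == "enabled"}
    gaps = []
    for pod in pods["items"]:
        ns = pod["metadata"]["namespace"]
        opted_out = annotations(pod).get(INJECT) == "disabled"
        if ns in enabled and not opted_out and not is_meshed(pod):
            gaps.append(f"{ns}/{pod['metadata']['name']}")
    return sorted(gaps)

def make_pod(ns, name, containers, init=(), ann=None):
    """Constructed pod object shaped like an item of `kubectl get pods -o json`."""
    return {"metadata": {"namespace": ns, "name": name, "annotations": ann},
            "spec": {"containers": [{"name": c} for c in containers],
                     "initContainers": [{"name": c} for c in init]}}

# Constructed sample data, not output from a real cluster.
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "default", "annotations": {INJECT: "enabled"}}},
    {"metadata": {"name": "batch"}},
]}
SAMPLE_PODS = {"items": [
    make_pod("default", "my-app-new", ["my-app", PROXY]),
    make_pod("default", "my-app-old", ["my-app"]),          # predates the annotation
    make_pod("default", "my-app-native", ["my-app"], init=[PROXY]),
    make_pod("default", "debug", ["shell"], ann={INJECT: "disabled"}),
    make_pod("batch", "report", ["report"]),                # namespace not annotated
]}

if __name__ == "__main__":
    print(json.dumps(injection_gaps(SAMPLE_NAMESPACES, SAMPLE_PODS)))
```

To run it against a cluster, load the output of kubectl get namespaces -o json and kubectl get pods -A -o json in place of the sample objects.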
Viewing Linkerd Metrics
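Linkerd makes it easy to see metrics for your services. The stat command is provided by the Linkerd Viz extension, whose install command appears at the end of this section. After injecting the proxy, run:
linkerd viz stat deployments
To see metrics for a specific service:
linkerd viz stat svc/my-service
For a visual dashboard, install and open Linkerd Viz: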
linkerd viz install | kubectl apply -f -
linkerd viz dashboard
This opens a web dashboard with service metrics and topology.
Securing Service Communication
Linkerd secures traffic between your services by automatically encrypting and authenticating it with mutual TLS (mTLS). No app changes or certificate setup needed—just inject the Linkerd proxy.
To check if mTLS is working (the edges command is part of the Linkerd Viz extension):
linkerd viz edges deployments
You should see connections marked as mTLS between your services. You can also view mTLS status in the Linkerd dashboard.
Further Reading
To deepen your understanding of Linkerd, service meshes, and networking in Thalassa Cloud, explore the following resources:
- Official Linkerd Documentation: guides and references for installing, configuring, and operating Linkerd.
- Thalassa Cloud Networking Documentation: Learn about networking concepts, cluster connectivity, and how Linkerd integrates with Thalassa Cloud’s networking features.
- Service Load Balancers in Thalassa Cloud: Discover how to expose your services securely and reliably using Thalassa Cloud’s load balancer options.
- Cilium and Network Policy in Thalassa Cloud: Understand how Cilium provides advanced networking and security features alongside Linkerd.