G
GuideDevOps
Lesson 6 of 9

Linkerd

Part of the Service Mesh tutorial series.

The Drawback of Istio

Istio is the most powerful service mesh in the world—but this power comes at a severe cost.

Istio uses Envoy (written in C++) as its sidecar proxy. Envoy consumes a noticeable amount of CPU and RAM. When you run 500 sidecars, that infrastructure tax adds up to thousands of dollars a month in cloud compute costs.

Furthermore, configuring Istio's massive CRDs is highly complex and requires significant expertise.

Does everyone need Istio?

If you are running Netflix, yes. If you are a standard enterprise just trying to encrypt traffic between 20 microservices, Istio is massive overkill.

What is Linkerd?

Linkerd is the pioneer. It was actually the first project to ever use the term "Service Mesh". It currently thrives as a fully graduated CNCF project perfectly positioned as the primary alternative to Istio.

Linkerd has an entirely different design philosophy: Simplicity and Performance.

It intentionally strips out hyper-advanced routing features (like complex A/B header routing) in exchange for being incredibly lightweight. It aims to work right out of the box with zero configuration YAML required.

The Linkerd2-Proxy (Rust)

Instead of using the heavy Envoy C++ proxy, Linkerd built a completely custom sidecar proxy called linkerd2-proxy.

This proxy is written entirely in Rust. Because Rust is memory-safe and blisteringly fast, the Linkerd proxies consume exponentially less RAM and CPU than Istio's Envoy proxies. They often run in just a few megabytes of memory, making Linkerd the ultimate choice for financially-conscious deployments or edge-computing.

Installing Linkerd

Linkerd's installation and operational workflow is incredibly slick and user-friendly.

# 1. Install the Linkerd CLI
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
export PATH=$PATH:$HOME/.linkerd2/bin
 
# 2. Check if your cluster is capable of running Linkerd
linkerd check --pre
 
# 3. Install the Custom Resource Definitions (CRDs)
linkerd install --crds | kubectl apply -f -
 
# 4. Install the Control Plane
linkerd install | kubectl apply -f -
 
# 5. Verify the Control Plane is healthy
linkerd check

Injecting Sidecars

Just like Istio, you can automatically inject sidecars by adding an annotation to your Kubernetes Namespace (kubectl annotate namespace my-app linkerd.io/inject=enabled).

However, Linkerd has an amazing CLI tool for injecting sidecars dynamically into existing YAML manifests during your CI pipeline without modifying the cluster:

# Reads an old deployment file, injects the Rust sidecar, and applies it immediately
cat deployment.yaml | linkerd inject - | kubectl apply -f -

Instantly Visible Success

The greatest feature of Linkerd is its out-of-the-box observability. Without writing a single line of YAML configuration, Linkerd immediately begins tracking golden metrics for every application using a sidecar.

You can simply type:

linkerd stat deploy

This CLI command will instantly print a real-time table in your terminal showing:

  • How many HTTP requests per second each deployment is serving.
  • What the exact P99 latency is.
  • What percentage of the traffic is currently succeeding vs failing (HTTP 500s).

With Linkerd, you achieve zero-trust mTLS encryption and deep, code-level observability within 5 minutes of installation.