Buoyant brings zero-trust network policies to the heart of Linkerd service mesh

Buoyant Inc. said today it has added new security features to the open-source Linkerd service mesh, as well as Bouyant Cloud, a software-as-a-service platform that bundles additional features with Linkerd.

The Linkerd service mesh is a software layer that provides connectivity for microservices, which are the components of modern, container-based applications. Containerized apps are popular because they’re lightweight and can easily be moved between different kinds of computing infrastructure without making any changes to the code.

Linkerd creates an abstraction layer across networking environments, making it easier for developers to deploy distributed applications within them. It automatically routes application traffic across multiple network underlays and eliminates the need to configure each application service for a specific network.

The service mesh landscape is fairly competitive, and Linkerd is one of several options along with the open-source Istio that was created by Google LLC, Kong Inc.’s Kuma and Solo.io Inc.’s Gloo.

With the launch of Linkerd 2.11, Buoyant is adding zero-trust network policies that will allow Kubernetes operators to control what type of traffic is allowed in their clusters. It means they’ll be able to adhere to zero-trust security principles that rely on cryptographic authentication and encryption.

Kubernetes is open-source software that’s used to manage large clusters of containers. It comes with some built-in mechanisms for restricting network communication, but as Buoyant explains, these are based on low-level information such as the user’s IP address and can express only a limited range of security policies.

Linkerd’s new network policies will provide better control because they use cryptographically secure identities based on the mutual TLS authentication protocol that capture a wider range of behaviors, the company said. So, for example, users will be able to restrict access to a sensitive service to a specific namespace or service account. Furthermore, Linkerd’s encryption, authentication and authorization will all be enforced at the most granular level, namely the pod receiving the traffic, in line with zero-trust security principles.

As for Buoyant Cloud, it gains new features that will make it possible for Linkerd users to manage those new network security policies and monitor the effect they have on traffic within Kubernetes clusters. The idea is to make it simpler for users to verify the effectiveness of the policies they implement and detect anomalies such as unexpected plaintext traffic or policy violations.

“This means that Kubernetes users everywhere can easily manage the encryption, identity and authorization of all traffic on their clusters in a way that was never possible before,” said Buoyant co-founder and Chief Executive William Morgan.

The Linkerd 2.11 release also adds incremental performance improvements and reduces its data plane and control plane resource usage, Buoyant said.

In July Linkerd became the first service mesh project to achieve graduated status from the Cloud Native Computing Foundation, which is a Linux Foundation-backed body that hosts open-source projects related to Kubernetes. Graduating from the CNCF signifies that Linkerd has reached the highest level of project maturity.

Image: Linkerd