linkerd-patterns

Linkerd Patterns
Production patterns for Linkerd, the lightweight, security-first service mesh for Kubernetes.
When to Use This Skill
- Setting up a lightweight service mesh
- Implementing automatic mTLS
- Configuring traffic splits for canary deployments
- Setting up service profiles for per-route metrics
- Implementing retries and timeouts
- Multi-cluster service mesh
Core Concepts
1. Linkerd Architecture
```
┌─────────────────────────────────────────────────────┐
│                    Control Plane                    │
│  ┌─────────────┐  ┌──────────┐  ┌────────────────┐  │
│  │ destination │  │ identity │  │ proxy-injector │  │
│  └─────────────┘  └──────────┘  └────────────────┘  │
└─────────────────────────────────────────────────────┘
                           │
┌─────────────────────────────────────────────────────┐
│                     Data Plane                      │
│     ┌───────┐       ┌───────┐       ┌───────┐       │
│     │ proxy │───────│ proxy │───────│ proxy │       │
│     └───┬───┘       └───┬───┘       └───┬───┘       │
│     ┌───┴───┐       ┌───┴───┐       ┌───┴───┐       │
│     │  app  │       │  app  │       │  app  │       │
│     └───────┘       └───────┘       └───────┘       │
└─────────────────────────────────────────────────────┘
```

The identity component is the mesh CA: it issues each proxy a short-lived certificate bound to the pod's ServiceAccount, and that identity is what mTLS and the policy resources below key on. destination serves service discovery and policy to the proxies; proxy-injector is the mutating admission webhook that adds the linkerd-proxy sidecar to pods at creation time.

2. Key Resources
| Resource | Purpose |
|---|---|
| ServiceProfile | Per-route metrics, retries, timeouts |
| TrafficSplit | Canary deployments, A/B testing (SMI resource; HTTPRoute, Template 6, is the Gateway-API-style alternative) |
| Server | Selects a port on a set of pods and puts it under policy (inbound traffic to that port is denied unless authorized) |
| ServerAuthorization | Access control: which client identities or networks may reach a Server |
Templates

Template 1: Mesh Installation

```bash
# Install CLI (pin a release with LINKERD2_VERSION instead of taking whatever is latest)
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh

# Validate cluster
linkerd check --pre

# Install CRDs
linkerd install --crds | kubectl apply -f -

# Install control plane. With no flags this generates a trust anchor and issuer
# for you; for production, supply your own so that you hold the root key and
# control issuer rotation:
#   linkerd install \
#     --identity-trust-anchors-file ca.crt \
#     --identity-issuer-certificate-file issuer.crt \
#     --identity-issuer-key-file issuer.key | kubectl apply -f -
linkerd install | kubectl apply -f -

# Verify installation
linkerd check

# Install viz extension (optional)
linkerd viz install | kubectl apply -f -
```

Template 2: Inject Namespace
```yaml
# Automatic injection for a namespace: every pod created in it gets a proxy.
# Pods that already exist are not changed; restart them (kubectl rollout restart)
apiVersion: v1
kind: Namespace
metadata:
  name: my-app
  annotations:
    linkerd.io/inject: enabled
---
# Or inject a specific deployment. The injector reads the annotation from the
# pod template; an annotation on the Deployment object itself is not inherited
# by its pods. A pod-template value of `disabled` opts a workload out of a
# namespace-wide default.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  # selector and containers omitted for brevity
  template:
    metadata:
      annotations:
        linkerd.io/inject: enabled
```

Template 3: Service Profile with Retries
```yaml
# Generate a starting point with: linkerd profile -n my-namespace my-service --template
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  # Must be the service's FQDN so the proxy can match it
  name: my-service.my-namespace.svc.cluster.local
  namespace: my-namespace
spec:
  routes:
    - name: GET /api/users
      condition:
        method: GET
        pathRegex: /api/users
      # Response classes decide what counts as a failure in metrics;
      # whether a route is retried is a route-level setting
      responseClasses:
        - condition:
            status:
              min: 500
              max: 599
          isFailure: true
      isRetryable: true
    - name: POST /api/users
      condition:
        method: POST
        pathRegex: /api/users
      # Routes are not retryable unless isRetryable is set; keep non-idempotent
      # POSTs that way so a retry cannot duplicate a write
      isRetryable: false
    - name: GET /api/users/{id}
      condition:
        method: GET
        pathRegex: /api/users/[^/]+
      timeout: 5s
      isRetryable: true
  # The retry budget is per ServiceProfile, not per route
  retryBudget:
    retryRatio: 0.2
    minRetriesPerSecond: 10
    ttl: 10s
```
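To see what the budget above actually buys you, here is an added example (not code from the page or from the Linkerd project) that models the retryBudget semantics the ServiceProfile documents: within each `ttl` window, retries may not exceed `retryRatio` times the number of original requests plus `minRetriesPerSecond * ttl`. The `RetryBudget` class, the `simulate` workload (a steady request rate where every second request fails with a retryable 5xx) and its numbers are all constructed for this illustration; linkerd-proxy's own accounting is more elaborate, but the shape of the curve is the point: an unbudgeted client doubles upstream load during an outage, a budgeted one caps the extra load at the ratio.

```python
from collections import deque
from fractions import Fraction


class RetryBudget:
    """Simplified model of a ServiceProfile retryBudget (not linkerd-proxy's code).

    Retries in the last `ttl` seconds may not exceed
        retryRatio * (original requests in the window) + minRetriesPerSecond * ttl
    The first term scales retries with real traffic; the second is a floor so a
    quiet service can still retry a few failures. Fractions keep the comparison
    exact so the result does not depend on float rounding.
    """

    def __init__(self, retry_ratio, min_retries_per_second, ttl_seconds):
        self.retry_ratio = Fraction(str(retry_ratio))
        self.min_retries_per_second = Fraction(str(min_retries_per_second))
        self.ttl = Fraction(str(ttl_seconds))
        self._requests = deque()  # timestamps of original requests in the window
        self._retries = deque()   # timestamps of retries this budget allowed

    def _expire(self, now):
        for window in (self._requests, self._retries):
            while window and now - window[0] >= self.ttl:
                window.popleft()

    def record_request(self, now):
        self._expire(now)
        self._requests.append(now)

    def allowance(self, now):
        self._expire(now)
        return (self.retry_ratio * len(self._requests)
                + self.min_retries_per_second * self.ttl)

    def try_retry(self, now):
        """True if a retry fits in the budget (and charge for it), else False."""
        if len(self._retries) < self.allowance(now):
            self._retries.append(now)
            return True
        return False


def simulate(budget, total_requests=1000, requests_per_second=100, fail_every=2):
    """Constructed workload: a steady request rate where every `fail_every`-th
    request gets a retryable 5xx. budget=None retries every failure (the retry
    storm case). Returns how many retries were sent and how many were withheld."""
    failures = retried = withheld = 0
    for i in range(total_requests):
        now = i / requests_per_second
        if budget is not None:
            budget.record_request(now)
        if i % fail_every:
            continue
        failures += 1
        if budget is None or budget.try_retry(now):
            retried += 1
        else:
            withheld += 1
    return {"requests": total_requests, "failures": failures,
            "retries": retried, "withheld": withheld,
            "upstream_load": total_requests + retried}


if __name__ == "__main__":
    print("no budget   :", simulate(None))
    print("0.2/10/10s  :", simulate(RetryBudget(0.2, 10, 10)))
    # A quiet service (1 rps, everything failing) still gets the floor
    print("quiet, floor:", simulate(RetryBudget(0.2, 10, 10),
                                    total_requests=20, requests_per_second=1, fail_every=1))
```

With the page's values, 1000 requests with a 50% failure rate produce 500 retries without a budget (1500 upstream calls) but only 300 with it (1300 upstream calls); the first ~167 failures are retried freely because the floor of 100 plus 20% of traffic covers them, after which the budget rations retries to the ratio.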
Template 4: Traffic Split (Canary)
```yaml
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
  name: my-service-canary
  namespace: my-namespace
spec:
  # Apex service that clients address. The split is applied by the caller's
  # proxy, so callers must be meshed for it to take effect.
  service: my-service
  backends:
    - service: my-service-stable
      weight: 900m # 90%
    - service: my-service-canary
      weight: 100m # 10%
```

Template 5: Server Authorization Policy
```yaml
# Define the server. Once a Server selects a port, inbound traffic to it is
# denied unless a ServerAuthorization (or AuthorizationPolicy) permits it.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: my-service-http
  namespace: my-namespace
spec:
  podSelector:
    matchLabels:
      app: my-service
  port: http          # container port name, or a number
  proxyProtocol: HTTP/1
---
# Allow traffic from specific clients, identified by their mTLS identity
# (ServiceAccount) rather than by network location
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: allow-frontend
  namespace: my-namespace
spec:
  server:
    name: my-service-http
  client:
    meshTLS:
      serviceAccounts:
        - name: frontend
          namespace: my-namespace
---
# Allow unauthenticated traffic (e.g., from an un-meshed ingress).
# Anything in the CIDR reaches the port with no identity check, so keep the
# range as narrow as possible; meshing the ingress and authorizing its
# ServiceAccount instead is the stronger option.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: allow-ingress
  namespace: my-namespace
spec:
  server:
    name: my-service-http
  client:
    unauthenticated: true
    networks:
      - cidr: 10.0.0.0/8
```
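Policies like the ones above tend to accumulate, and the weak ones (an `unauthenticated` allow with no network restriction, a wildcard identity, a Server nobody authorized) are easy to miss in a pile of YAML. The following is an added example, not part of the page or the Linkerd project: a small audit over the JSON that `kubectl get servers,serverauthorizations -n my-namespace -o json` returns. `SAMPLE` is a constructed stand-in for that output that mirrors Template 5 plus two deliberately weak entries, and the `/16` threshold for "wide" unauthenticated ranges is an assumption you should tune.

```python
import ipaddress
import json

# Constructed stand-in for `kubectl get servers,serverauthorizations -n my-namespace -o json`:
# the Template 5 resources, a second Server with no authorization, and a blanket allow.
SAMPLE = json.dumps({"items": [
    {"kind": "Server",
     "metadata": {"name": "my-service-http", "namespace": "my-namespace"},
     "spec": {"podSelector": {"matchLabels": {"app": "my-service"}},
              "port": "http", "proxyProtocol": "HTTP/1"}},
    {"kind": "Server",
     "metadata": {"name": "my-service-admin", "namespace": "my-namespace"},
     "spec": {"podSelector": {"matchLabels": {"app": "my-service"}}, "port": "admin"}},
    {"kind": "ServerAuthorization",
     "metadata": {"name": "allow-frontend", "namespace": "my-namespace"},
     "spec": {"server": {"name": "my-service-http"},
              "client": {"meshTLS": {"serviceAccounts": [
                  {"name": "frontend", "namespace": "my-namespace"}]}}}},
    {"kind": "ServerAuthorization",
     "metadata": {"name": "allow-ingress", "namespace": "my-namespace"},
     "spec": {"server": {"name": "my-service-http"},
              "client": {"unauthenticated": True, "networks": [{"cidr": "10.0.0.0/8"}]}}},
    {"kind": "ServerAuthorization",
     "metadata": {"name": "allow-anything", "namespace": "my-namespace"},
     "spec": {"server": {"name": "my-service-http"},
              "client": {"unauthenticated": True}}},
]})

# Assumption for this audit: an unauthenticated allow wider than a /16 deserves a look.
MAX_UNAUTHENTICATED_ADDRESSES = 2 ** 16


def audit(items):
    """Return (severity, "namespace/name", message) tuples for weak or missing policy.

    Only ServerAuthorizations that reference a Server by `server.name` are
    resolved; the `server.selector` form is reported but not expanded.
    """
    findings = []
    servers = {(i["metadata"]["namespace"], i["metadata"]["name"])
               for i in items if i["kind"] == "Server"}
    covered = set()
    for item in items:
        if item["kind"] != "ServerAuthorization":
            continue
        ns = item["metadata"]["namespace"]
        ref = f'{ns}/{item["metadata"]["name"]}'
        spec = item["spec"]
        client = spec.get("client", {})
        server = spec.get("server", {})
        if "name" in server:
            covered.add((ns, server["name"]))
        else:
            findings.append(("INFO", ref, "uses server.selector; check which Servers it matches"))
        if client.get("unauthenticated"):
            cidrs = [n["cidr"] for n in client.get("networks", [])]
            if not cidrs:
                findings.append(("HIGH", ref, "unauthenticated clients allowed from any network"))
            for cidr in cidrs:
                if ipaddress.ip_network(cidr, strict=False).num_addresses > MAX_UNAUTHENTICATED_ADDRESSES:
                    findings.append(("MEDIUM", ref, f"unauthenticated clients allowed from wide range {cidr}"))
        mesh = client.get("meshTLS", {})
        if mesh.get("unauthenticatedTLS"):
            findings.append(("MEDIUM", ref, "any TLS client accepted without identity verification"))
        if "*" in mesh.get("identities", []):
            findings.append(("HIGH", ref, "wildcard identity accepts every mesh workload"))
    for ns, name in sorted(servers - covered):
        findings.append(("INFO", f"{ns}/{name}",
                         "Server has no authorization: inbound traffic to this port is denied"))
    return findings


def audit_json(text):
    """Audit the `items` of a kubectl JSON list."""
    return audit(json.loads(text)["items"])


if __name__ == "__main__":
    for severity, ref, msg in audit_json(SAMPLE):
        print(f"{severity:<6} {ref}: {msg}")
```

Run against the constructed sample it reports three things: `allow-anything` is a HIGH (no identity and no network bound), `allow-ingress` is a MEDIUM (a /8 is a lot of unauthenticated reach), and `my-service-admin` has a Server but nothing authorizing it, which is safe but usually means a client is about to get unexplained connection failures. `allow-frontend`, which pins a ServiceAccount identity, produces no finding.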
Template 6: HTTPRoute for Advanced Routing
```yaml
apiVersion: policy.linkerd.io/v1beta2
kind: HTTPRoute
metadata:
  name: my-route
  namespace: my-namespace
spec:
  # Attached to the Service: the route is applied by the caller's proxy,
  # so callers must be meshed
  parentRefs:
    - name: my-service
      kind: Service
      group: core
      port: 8080
  rules:
    # Entries in `matches` are ORed: this rule fires for a /api/v2 path OR an
    # x-api-version: v2 header. To require both, put path and headers in one entry.
    - matches:
        - path:
            type: PathPrefix
            value: /api/v2
        - headers:
            - name: x-api-version
              value: v2
      backendRefs:
        - name: my-service-v2
          port: 8080
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: my-service-v1
          port: 8080
    # Requests matching no rule are not forwarded to the apex Service; add a
    # final catch-all rule (PathPrefix /) if everything else should still be routed
```

Template 7: Multi-cluster Setup
```bash
# On each cluster, install the multicluster extension (gateway + service mirror).
# Both clusters must share the same trust anchor: cross-cluster traffic is mTLS
# and the remote gateway's identity is verified against it.
linkerd multicluster install | kubectl apply -f -

# Link clusters: run against the target cluster, apply the output in the source.
# The output includes a Secret holding credentials for the target's API server;
# treat it as sensitive.
linkerd multicluster link --cluster-name west \
  --api-server-address https://west.example.com:6443 \
  | kubectl apply -f -

# Export a service to other clusters
kubectl label svc/my-service mirror.linkerd.io/exported=true

# Verify cross-cluster connectivity
linkerd multicluster check
linkerd multicluster gateways
```

Monitoring Commands
```bash
# Live traffic view
linkerd viz top deploy/my-app

# Per-route metrics (needs a ServiceProfile for the service)
linkerd viz routes deploy/my-app

# Per-deployment stats: meshed pods, success rate, RPS, latency
linkerd viz stat deploy -n my-namespace

# View service dependencies
linkerd viz edges deploy -n my-namespace

# Dashboard
linkerd viz dashboard
```

Debugging
```bash
# Check injection status and proxy health
linkerd check --proxy -n my-namespace

# View proxy logs
kubectl logs deploy/my-app -c linkerd-proxy

# Debug identity/TLS: print the certificate issued to a pod's proxy
linkerd identity -n my-namespace -l app=my-app

# Tap traffic (live); each line reports tls=true when the hop was mTLS
linkerd viz tap deploy/my-app --to deploy/my-backend
```

Best Practices
Do's
- Enable mTLS everywhere - It's automatic between meshed pods; confirm it with `linkerd viz tap` (tls=true) rather than assuming it
- Use ServiceProfiles - Get per-route metrics and retries
- Set retry budgets - Prevent retry storms
- Monitor golden metrics - Success rate, latency, throughput

Don'ts
- Don't skip `linkerd check` - Always run it after changes
- Don't over-configure - Linkerd defaults are sensible
- Don't ignore ServiceProfiles - They unlock advanced features
- Don't forget timeouts - Set appropriate values per route