Buoyant Introduces Secure, Zero Trust Network Policies for Kubernetes in Linkerd 2.11 and Buoyant Cloud

October 1, 2021 Off By David

Buoyant unveiled new security features in Linkerd and in Buoyant Cloud, its SaaS platform for running Linkerd in mission-critical environments. These features include the launch of zero-trust network policies in the new Linkerd 2.11 release as well as the addition of new network policy management capabilities in Buoyant Cloud.

“The network policy features in Linkerd 2.11 allow Kubernetes operators to control which types of network traffic are allowed in their cluster in a way that follows zero-trust principles and builds directly on top of the cryptographic authentication and encryption provided by mutual TLS,” said William Morgan, CEO and cofounder of Buoyant. “With the addition of new policy and traffic management features to Buoyant Cloud, this means that Kubernetes users everywhere can easily manage the encryption, identity, and authorization of all traffic on their clusters in a way that was never possible before.”

While Kubernetes include some built-in mechanisms for restricting network communication, these features are based on low-level information such as the IP address and can express only a limited range of policies. In contrast, Linkerd’s network policies use the cryptographically-secure identities provided by mutual TLS (mTLS) to provide encryption and fine-grained identity while capturing a wide range of behaviors. For example, Kubernetes users can ensure that access to a sensitive service comes from a specific namespace or service account; that all communication to a service is secured by mTLS; and more. In accordance with the principles of zero trust, Linkerd’s encryption, authentication, and authorization are all enforced at the most granular level-that of the pod receiving the traffic.

“Linkerd’s new traffic policies can enable us to secure our Kubernetes clusters in a way that we couldn’t easily accomplish before,” said Christian Hüning, Director of Cloud Technologies at finleap connect, a leading financial services provider in Europe. “Security and compliance are core values for us, and Linkerd and Buoyant Cloud allow us to provide best-in-class security based on zero trust principles for our customers.”

Paired with the release of Linkerd 2.11 is the launch of new features in Buoyant Cloud that allow Linkerd users to manage their policies and to monitor the effect they have on the traffic in their clusters. With Buoyant Cloud, users can now easily verify the policies that are in effect for each allowed or attempted type of traffic on their cluster, and detect anomalies such as unexpected plaintext traffic or policy violations. Combined with Buoyant Cloud’s existing feature set, these features reinforce Buoyant Cloud’s role as an essential tool for security-conscious Linkerd operators.

In addition to the network policy enforcement features, Linkerd 2.11 also introduces several improvements and performance enhancements, which include retries for gRPC calls, a fix for container startup ordering issues, and further reductions in Linkerd’s data plane and control plane resource usage-building on its demonstrated ability to be many times smaller and faster than other service meshes such as Istio.

The 2.11 release continues a momentous year for Linkerd, which recently became the only service mesh to achieve graduated status from the Cloud Native Computing Foundation, the highest level of project maturity tracked by the foundation. For more information on Linkerd and to learn more about Buoyant Cloud, please visit https://buoyant.io/.