🎯

linkerd-patterns

🎯Skill

from rmyndharis/antigravity-skills

What it does

Implements lightweight, security-focused Linkerd service mesh patterns for Kubernetes with zero-trust networking and minimal overhead.

📦

Part of

rmyndharis/antigravity-skills(289 items)

linkerd-patterns

Installation

Install ScriptRun install script

curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh

📖 Extracted from docs: rmyndharis/antigravity-skills

Need more details? View full documentation on GitHub →

10Installs

AddedFeb 4, 2026

View on GitHub Back to Skills

Skill Details

SKILL.md

Implement Linkerd service mesh patterns for lightweight, security-focused service mesh deployments. Use when setting up Linkerd, configuring traffic policies, or implementing zero-trust networking with minimal overhead.

Overview

# Linkerd Patterns

Production patterns for Linkerd service mesh - the lightweight, security-first service mesh for Kubernetes.

Do not use this skill when

The task is unrelated to linkerd patterns
You need a different domain or tool outside this scope

Instructions

Clarify goals, constraints, and required inputs.
Apply relevant best practices and validate outcomes.
Provide actionable steps and verification.
If detailed examples are required, open resources/implementation-playbook.md.

Use this skill when

Setting up a lightweight service mesh
Implementing automatic mTLS
Configuring traffic splits for canary deployments
Setting up service profiles for per-route metrics
Implementing retries and timeouts
Multi-cluster service mesh

Core Concepts

1. Linkerd Architecture

```

┌─────────────────────────────────────────────┐

│ Control Plane │

│ ┌─────────┐ ┌──────────┐ ┌──────────────┐ │

│ │ destiny │ │ identity │ │ proxy-inject │ │

│ └─────────┘ └──────────┘ └──────────────┘ │

└─────────────────────────────────────────────┘

│

┌─────────────────────────────────────────────┐

│ Data Plane │

│ ┌─────┐ ┌─────┐ ┌─────┐ │

│ │proxy│────│proxy│────│proxy│ │

│ └─────┘ └─────┘ └─────┘ │

│ │ │ │ │

│ ┌──┴──┐ ┌──┴──┐ ┌──┴──┐ │

│ │ app │ │ app │ │ app │ │

│ └─────┘ └─────┘ └─────┘ │

└─────────────────────────────────────────────┘

```

2. Key Resources

| Resource | Purpose |

|----------|---------|

| ServiceProfile | Per-route metrics, retries, timeouts |

| TrafficSplit | Canary deployments, A/B testing |

| Server | Define server-side policies |

| ServerAuthorization | Access control policies |

Templates

Template 1: Mesh Installation

```bash

# Install CLI

curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh

# Validate cluster

linkerd check --pre

# Install CRDs

linkerd install --crds | kubectl apply -f -

# Install control plane

linkerd install | kubectl apply -f -

# Verify installation

linkerd check

# Install viz extension (optional)

linkerd viz install | kubectl apply -f -

```

Template 2: Inject Namespace

```yaml

# Automatic injection for namespace

apiVersion: v1

kind: Namespace

metadata:

annotations:

linkerd.io/inject: enabled

---

# Or inject specific deployment

apiVersion: apps/v1

kind: Deployment

metadata:

annotations:

linkerd.io/inject: enabled

spec:

template:

metadata:

annotations:

linkerd.io/inject: enabled

```

Template 3: Service Profile with Retries

```yaml

apiVersion: linkerd.io/v1alpha2

kind: ServiceProfile

metadata:

namespace: my-namespace

spec:

routes:

- name: GET /api/users

condition:

method: GET

pathRegex: /api/users

responseClasses:

- condition:

status:

min: 500

max: 599

isFailure: true

isRetryable: true

- name: POST /api/users

condition:

method: POST

pathRegex: /api/users

# POST not retryable by default

isRetryable: false

- name: GET /api/users/{id}

condition:

method: GET

pathRegex: /api/users/[^/]+

timeout: 5s

isRetryable: true

retryBudget:

retryRatio: 0.2

minRetriesPerSecond: 10

ttl: 10s

```

Template 4: Traffic Split (Canary)

```yaml

apiVersion: split.smi-spec.io/v1alpha1

kind: TrafficSplit

metadata:

namespace: my-namespace

spec:

service: my-service

backends:

- service: my-service-stable

weight: 900m # 90%

- service: my-service-canary

weight: 100m # 10%

```

Template 5: Server Authorization Policy

```yaml

# Define the server

apiVersion: policy.linkerd.io/v1beta1

kind: Server

metadata:

namespace: my-namespace

spec:

podSelector:

matchLabels:

app: my-service

port: http

proxyProtocol: HTTP/1

---

# Allow traffic from specific clients

apiVersion: policy.linkerd.io/v1beta1

kind: ServerAuthorization

metadata:

namespace: my-namespace

spec:

server:

client:

meshTLS:

serviceAccounts:

- name: frontend

namespace: my-namespace

---

# Allow unauthenticated traffic (e.g., from ingress)

apiVersion: policy.linkerd.io/v1beta1

kind: ServerAuthorization

metadata:

namespace: my-namespace

spec:

server:

client:

unauthenticated: true

networks:

- cidr: 10.0.0.0/8

```

Template 6: HTTPRoute for Advanced Routing

```yaml

apiVersion: policy.linkerd.io/v1beta2

kind: HTTPRoute

metadata:

namespace: my-namespace

spec:

parentRefs:

- name: my-service

kind: Service

group: core

port: 8080

rules:

- matches:

- path:

type: PathPrefix

value: /api/v2

- headers:

- name: x-api-version

value: v2

backendRefs:

- name: my-service-v2

port: 8080

- matches:

- path:

type: PathPrefix

value: /api

backendRefs:

- name: my-service-v1

port: 8080

```

Template 7: Multi-cluster Setup

```bash

# On each cluster, install with cluster credentials

linkerd multicluster install | kubectl apply -f -

# Link clusters

linkerd multicluster link --cluster-name west \

--api-server-address https://west.example.com:6443 \

| kubectl apply -f -

# Export a service to other clusters

kubectl label svc/my-service mirror.linkerd.io/exported=true

# Verify cross-cluster connectivity

linkerd multicluster check

linkerd multicluster gateways

```

Monitoring Commands

```bash

# Live traffic view

linkerd viz top deploy/my-app

# Per-route metrics

linkerd viz routes deploy/my-app

# Check proxy status

linkerd viz stat deploy -n my-namespace

# View service dependencies

linkerd viz edges deploy -n my-namespace

# Dashboard

linkerd viz dashboard

```

Debugging

```bash

# Check injection status

linkerd check --proxy -n my-namespace

# View proxy logs

kubectl logs deploy/my-app -c linkerd-proxy

# Debug identity/TLS

linkerd identity -n my-namespace

# Tap traffic (live)

linkerd viz tap deploy/my-app --to deploy/my-backend

```

Best Practices

Do's

Enable mTLS everywhere - It's automatic with Linkerd
Use ServiceProfiles - Get per-route metrics and retries
Set retry budgets - Prevent retry storms
Monitor golden metrics - Success rate, latency, throughput

Don'ts

Don't skip check - Always run linkerd check after changes
Don't over-configure - Linkerd defaults are sensible
Don't ignore ServiceProfiles - They unlock advanced features
Don't forget timeouts - Set appropriate values per route

Resources

[Linkerd Documentation](https://linkerd.io/2.14/overview/)
[Service Profiles](https://linkerd.io/2.14/features/service-profiles/)
[Authorization Policy](https://linkerd.io/2.14/features/server-policy/)

More from this repository10

🎯

unity-developer🎯Skill

unity-developer skill from rmyndharis/antigravity-skills

🎯

dotnet-architect🎯Skill

dotnet-architect skill from rmyndharis/antigravity-skills

🎯

ios-developer🎯Skill

ios-developer skill from rmyndharis/antigravity-skills

🎯

java-pro🎯Skill

java-pro skill from rmyndharis/antigravity-skills

🎯

error-detective🎯Skill

error-detective skill from rmyndharis/antigravity-skills

🎯

backend-architect🎯Skill

backend-architect skill from rmyndharis/antigravity-skills

🎯

frontend-developer🎯Skill

frontend-developer skill from rmyndharis/antigravity-skills

🎯

fastapi-pro🎯Skill

fastapi-pro skill from rmyndharis/antigravity-skills

🎯

performance-engineer🎯Skill

performance-engineer skill from rmyndharis/antigravity-skills

🎯

kubernetes-architect🎯Skill

kubernetes-architect skill from rmyndharis/antigravity-skills