linkerd-patterns

Name: linkerd-patterns
Author: W. Shobson

Linkerdservice meshKubernetesmicroservicesmTLStraffic managementzero trustdevops

⭐ 36.8k📄 MIT🕒 2026-06-16Source ↗

Install this skill

npx skills add wshobson/agents

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

Linkerd-patterns provides a structured framework for managing the Linkerd service mesh within Kubernetes environments. It facilitates the implementation of security-first communication by establishing automatic mutual TLS (mTLS) across microservices without manual certificate management. The skill focuses on observability and traffic manipulation through ServiceProfiles, enabling developers to define retry budgets, request timeouts, and granular response classification. TrafficSplits allow for managed canary deployments and progressive traffic shifting between service versions. Additionally, the skill encompasses policy enforcement through Server and ServerAuthorization objects, providing explicit control over service-to-service communication paths and ingress access. By standardizing these operational patterns, teams maintain consistent networking behaviors, diagnostic metrics, and security postures across complex distributed systems, reducing the overhead typically associated with configuring high-performance service mesh primitives.

When to Use This Skill

•Enforcing secure mTLS communication between internal microservices
•Implementing safe canary releases by shifting traffic weights
•Applying specific request timeout thresholds for fragile downstream services
•Debugging inter-service network issues using ServiceProfile metrics

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

“configure linkerd canary traffic split
“set up linkerd service profile with retries
“define linkerd server authorization for microservices
“debug linkerd service mesh connectivity
“inject linkerd proxy into namespace

Pro Tips

💡Always define `ServiceProfile` resources for critical services to gain per-route metrics and apply granular policies like retries/timeouts.
💡Start with injecting Linkerd into a non-production namespace to understand its impact before rolling out broadly.
💡Leverage Linkerd's built-in `tap` and `stat` commands for real-time traffic debugging and service health monitoring.

What this skill does

•Automatic mTLS setup and certificate lifecycle management
•Declarative traffic shifting for canary and A/B testing
•Granular per-route retry policies and latency timeouts
•Defined access control through policy-based server authorizations
•Automated sidecar injection into Kubernetes namespaces

When not to use it

✕In environments where network overhead is restricted and sidecar proxies are too heavy
✕When simple Kubernetes NetworkPolicies suffice without the need for application-layer observability

Example workflow

Validate the Kubernetes cluster state using linkerd check
Install the Linkerd control plane and Viz extension
Enable automatic sidecar proxy injection in the target namespace
Create a ServiceProfile to define retry budgets and timeouts for specific routes
Deploy a TrafficSplit resource to route 10% of traffic to a new version
Apply ServerAuthorization policies to restrict access to sensitive service ports

Prerequisites

–A running Kubernetes cluster
–Helm or kubectl access
–Linkerd CLI installed locally

Pitfalls & limitations

!Forgetting to exclude internal sidecar management ports in authorization policies
!Setting excessively aggressive retry budgets that amplify traffic during outages
!Failure to update ServiceProfiles when API route patterns change

FAQ

How does ServiceProfile differ from a standard Kubernetes Service?

A Kubernetes Service provides load balancing at the transport layer, whereas a ServiceProfile adds application-layer logic like retries, timeouts, and per-route observability.

Is Linkerd injection mandatory for all pods?

No, you can selectively enable injection via namespace-level annotations or by specific deployment labels to keep only necessary traffic within the mesh.

Can I use Linkerd policies without the full mesh?

No, the policy engine and traffic management features rely on the data plane proxies to enforce rules and report metrics.

How it compares

Unlike manual iptables or standard Kubernetes NetworkPolicies, this skill leverages proxy-level intelligence to provide layer-7 routing, detailed telemetry, and encrypted identity without modifying application code.

Source & trust

⭐ 37k stars📄 MIT🕒 Updated 2026-06-16

View original skill on GitHub →

📄 Full skill instructions — original source: wshobson/agents

# Linkerd Patterns

Production patterns for Linkerd service mesh - the lightweight, security-first service mesh for Kubernetes.

## When to Use This Skill

- Setting up a lightweight service mesh
- Implementing automatic mTLS
- Configuring traffic splits for canary deployments
- Setting up service profiles for per-route metrics
- Implementing retries and timeouts
- Multi-cluster service mesh

## Core Concepts

### 1. Linkerd Architecture

┌─────────────────────────────────────────────┐
│                Control Plane                 │
│  ┌─────────┐ ┌──────────┐ ┌──────────────┐ │
│  │ destiny │ │ identity │ │ proxy-inject │ │
│  └─────────┘ └──────────┘ └──────────────┘ │
└─────────────────────────────────────────────┘
                      │
┌─────────────────────────────────────────────┐
│                 Data Plane                   │
│  ┌─────┐    ┌─────┐    ┌─────┐             │
│  │proxy│────│proxy│────│proxy│             │
│  └─────┘    └─────┘    └─────┘             │
│     │           │           │               │
│  ┌──┴──┐    ┌──┴──┐    ┌──┴──┐            │
│  │ app │    │ app │    │ app │            │
│  └─────┘    └─────┘    └─────┘            │
└─────────────────────────────────────────────┘

### 2. Key Resources

| Resource | Purpose |
| ----------------------- | ------------------------------------ |
| **ServiceProfile** | Per-route metrics, retries, timeouts |
| **TrafficSplit** | Canary deployments, A/B testing |
| **Server** | Define server-side policies |
| **ServerAuthorization** | Access control policies |

## Templates

### Template 1: Mesh Installation

# Install CLI
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh

# Validate cluster
linkerd check --pre

# Install CRDs
linkerd install --crds | kubectl apply -f -

# Install control plane
linkerd install | kubectl apply -f -

# Verify installation
linkerd check

# Install viz extension (optional)
linkerd viz install | kubectl apply -f -

### Template 2: Inject Namespace

# Automatic injection for namespace
apiVersion: v1
kind: Namespace
metadata:
  name: my-app
  annotations:
    linkerd.io/inject: enabled
---
# Or inject specific deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  annotations:
    linkerd.io/inject: enabled
spec:
  template:
    metadata:
      annotations:
        linkerd.io/inject: enabled

### Template 3: Service Profile with Retries

apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: my-service.my-namespace.svc.cluster.local
  namespace: my-namespace
spec:
  routes:
    - name: GET /api/users
      condition:
        method: GET
        pathRegex: /api/users
      responseClasses:
        - condition:
            status:
              min: 500
              max: 599
          isFailure: true
      isRetryable: true
    - name: POST /api/users
      condition:
        method: POST
        pathRegex: /api/users
      # POST not retryable by default
      isRetryable: false
    - name: GET /api/users/{id}
      condition:
        method: GET
        pathRegex: /api/users/[^/]+
      timeout: 5s
      isRetryable: true
  retryBudget:
    retryRatio: 0.2
    minRetriesPerSecond: 10
    ttl: 10s

### Template 4: Traffic Split (Canary)

apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
  name: my-service-canary
  namespace: my-namespace
spec:
  service: my-service
  backends:
    - service: my-service-stable
      weight: 900m # 90%
    - service: my-service-canary
      weight: 100m # 10%

### Template 5: Server Authorization Policy

# Define the server
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: my-service-http
  namespace: my-namespace
spec:
  podSelector:
    matchLabels:
      app: my-service
  port: http
  proxyProtocol: HTTP/1
---
# Allow traffic from specific clients
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: allow-frontend
  namespace: my-namespace
spec:
  server:
    name: my-service-http
  client:
    meshTLS:
      serviceAccounts:
        - name: frontend
          namespace: my-namespace
---
# Allow unauthenticated traffic (e.g., from ingress)
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: allow-ingress
  namespace: my-namespace
spec:
  server:
    name: my-service-http
  client:
    unauthenticated: true
    networks:
      - cidr: 10.0.0.0/8

### Template 6: HTTPRoute for Advanced Routing

apiVersion: policy.linkerd.io/v1beta2
kind: HTTPRoute
metadata:
  name: my-route
  namespace: my-namespace
spec:
  parentRefs:
    - name: my-service
      kind: Service
      group: core
      port: 8080
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/v2
        - headers:
            - name: x-api-version
              value: v2
      backendRefs:
        - name: my-service-v2
          port: 8080
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: my-service-v1
          port: 8080

### Template 7: Multi-cluster Setup

# On each cluster, install with cluster credentials
linkerd multicluster install | kubectl apply -f -

# Link clusters
linkerd multicluster link --cluster-name west \
  --api-server-address https://west.example.com:6443 \
  | kubectl apply -f -

# Export a service to other clusters
kubectl label svc/my-service mirror.linkerd.io/exported=true

# Verify cross-cluster connectivity
linkerd multicluster check
linkerd multicluster gateways

## Monitoring Commands

# Live traffic view
linkerd viz top deploy/my-app

# Per-route metrics
linkerd viz routes deploy/my-app

# Check proxy status
linkerd viz stat deploy -n my-namespace

# View service dependencies
linkerd viz edges deploy -n my-namespace

# Dashboard
linkerd viz dashboard

## Debugging

# Check injection status
linkerd check --proxy -n my-namespace

# View proxy logs
kubectl logs deploy/my-app -c linkerd-proxy

# Debug identity/TLS
linkerd identity -n my-namespace

# Tap traffic (live)
linkerd viz tap deploy/my-app --to deploy/my-backend

## Best Practices

### Do's

- **Enable mTLS everywhere** - It's automatic with Linkerd
- **Use ServiceProfiles** - Get per-route metrics and retries
- **Set retry budgets** - Prevent retry storms
- **Monitor golden metrics** - Success rate, latency, throughput

### Don'ts

- **Don't skip check** - Always run linkerd check after changes
- **Don't over-configure** - Linkerd defaults are sensible
- **Don't ignore ServiceProfiles** - They unlock advanced features
- **Don't forget timeouts** - Set appropriate values per route

## Resources

- [Linkerd Documentation](https://linkerd.io/2.14/overview/)
- [Service Profiles](https://linkerd.io/2.14/features/service-profiles/)
- [Authorization Policy](https://linkerd.io/2.14/features/server-policy/)

By W. Shobson

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

Click "Download" above
In your project, create the directory: .agent/skills/linkerd-patterns/
Save the file as SKILL.md
The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

Claude Code: ~/.claude/skills/wshobson/agents/linkerd-patterns/SKILL.md
Cursor: ~/.cursor/skills/wshobson/agents/linkerd-patterns/SKILL.md
Antigravity: ~/.gemini/antigravity/skills/wshobson/agents/linkerd-patterns/SKILL.md