kubernetesservicemeshlinkerd

Linkerd authorization policy without ingress


I am newbie to service mesh and k8 in general.

From my understanding Linkerd does not provide it's own ingress controller. In that case, in my understanding Linkerd does not have reverse-proxy in itself. However, it can still do authorization of the request. How is this possible? Is it the control plane responsible for authorization (e.g. mTLS) of inbound traffic (to pod)?


Solution

  • You are correct that Linkerd does not provide its own ingress controller, instead pairing with whichever existing ingress controller you want. Linkerd's mTLS, authn, authz features are used for internal service-to-service / pod-to-pod communication in the cluster. So the ingress handles the first contact with out-of-cluster traffic and hands it off to Linkerd for everything internal.