Merge branch 'main' into alex/protocol-detection-edge

README.md

@@ -24,6 +24,9 @@ Source code for the linkerd.io website.
    For Linux users, download the **extended** release of Hugo from its GitHub
    [release page](https://github.com/gohugoio/hugo/releases).
 
+   The minimum version of Hugo that is required to build linkerd.io is
+   **v0.131.0**.
+
 1. From the root `/website` directory, build site and run Hugo in development mode:
 
     ```bash

linkerd.io/config/_default/menu.yaml

@@ -17,9 +17,13 @@ main:
     pageRef: /community/ambassadors/
     weight: 3
     parent: Community
+  - name: Become an Ambassador
+    pageRef: /community/ambassadors-apply/
+    weight: 4
+    parent: Community
   - name: Buoyant's Linkerd Forum
     url: https://linkerd.buoyant.io
-    weight: 4
+    weight: 5
     parent: Community
   - name: Blog
     pageRef: /blog/

linkerd.io/config/_default/params.yaml

@@ -1,3 +1,6 @@
+# Minimum version of Hugo required to build linkerd.io
+minHugoVersion: "0.131.0"
+
 # Open Graph and Twitter Card defaults
 description: |-
   Linkerd is an ultralight service mesh for Kubernetes. It gives you
@@ -8,4 +11,5 @@ description: |-
 social:
   twitter: Linkerd
 
+# Latest major version of Linkerd
 latestMajorVersion: "2.16"

linkerd.io/content/2-edge/features/egress.md

@@ -0,0 +1,26 @@
+---
+title: Egress
+---
+
+Linkerd features capabilities to monitor and apply policies to egress traffic.
+This allows cluster operators to make use of the `EgressNetwork` CRD to classify
+and visualize traffic. This CRD can be used as a parent reference for
+Gateway API route primitives in order to enable policy and routing configuration.
+Linkerd's egress control is implemented in the sidecar proxy itself; separate
+egress gateways are not required (though they can be supported).
+
+{{< warning >}}
+
+No service mesh can provide a strong security guarantee about egress traffic
+by itself; for example, a malicious actor could bypass the Linkerd sidecar -
+and thus Linkerd's egress controls - entirely. Fully restricting egress
+traffic in the presence of arbitrary applications thus typically requires a
+more comprehensive approach.
+
+{{< /warning >}}
+
+Related content:
+
+* [Guide:  Managing egress traffic]
+  ({{< relref "../tasks/managing-egress-traffic" >}})
+* [EgressNetwork Reference]({{< relref "../reference/egress-network" >}})

linkerd.io/content/2-edge/features/multicluster.md

@@ -39,8 +39,8 @@ splitting](../traffic-split/) or [dynamic request routing](../request-routing/)
 to allow local services to access the *Foo* service as if it were on the local
 cluster.
 
-Linkerd supports two basic forms of multi-cluster communication: hierarchical
-and flat.
+Linkerd supports three basic forms of multi-cluster communication: hierarchical,
+flat, and federated.
 
 ![Architectural diagram comparing hierarchical and flat network modes](/docs/images/multicluster/flat-network.png)
 
@@ -65,11 +65,18 @@ several advantages:
 * Better multi-cluster authorization policies, as workload identity
   is preserved across cluster boundaries.
 
-Hierarchical (gateway-based) and flat (direct pod-to-pod) modes can be combined,
-and pod-to-pod mode can be enabled for specific services by using the
-`remote-discovery` value for the label selector used to export services to other
-clusters. See the [pod-to-pod multicluster
-communication](../../tasks/pod-to-pod-multicluster/) guide and the
+### Federated services
+
+A federated service is a union of services with the same name and namespace
+in multiple different clusters. Meshed clients that send traffic to a federated
+service will have that traffic distributed across all replicas of services in
+the federated service across clusters. Federated services use the *flat
+networking* model and do not use a gateway intermediary.
+
+These modes can be combined, with each specific service selecting the mode that
+is most appropriate for that service. See the
+[pod-to-pod multicluster communication](../../tasks/pod-to-pod-multicluster/)
+guide, the [federated services](../../tasks/federated-services/) guide, and the
 [multi-cluster reference](../../reference/multicluster/) for more.
 
 ## Headless services
@@ -80,8 +87,8 @@ communication](../../tasks/pod-to-pod-multicluster/) guide and the
 By default, Linkerd will mirror all exported services as Kubernetes `clusterIP`
 services. This also extends to [headless services][headless-svc]; an exported
 headless service will be mirrored as `clusterIP` and have an IP address
-assigned to it. In general, headless services _should not have an IP address_,
-they are used when a workloads needs a stable network identifier or to
+assigned to it. In general, headless services *should not have an IP address*;
+they are used when a workload needs a stable network identifier or to
 facilitate service discovery without being tied to Kubernetes' native
 implementation. This allows clients to either implement their own load
 balancing or to address a pod directly through its DNS name. In certain
@@ -110,14 +117,17 @@ exported as a headless service, the hosts backing the service need to be named
 Deployment would not be supported, since they do not allow for arbitrary
 hostnames in the pod spec).
 
+Note that headless services can *not* be part of a federated service.
+
 Ready to get started? See the [getting started with multi-cluster
 guide](../../tasks/multicluster/) for a walkthrough.
 
 ## Further reading
 
-* [Multi-cluster installation instructions](../../tasks/installing-multicluster/).
+* [Multi-cluster installation instructions](../../tasks/installing-multicluster/)
 * [Pod-to-pod multicluster communication](../../tasks/pod-to-pod-multicluster/)
-* [Multi-cluster communication with StatefulSets](../../tasks/multicluster-using-statefulsets/).
+* [Multi-cluster communication with StatefulSets](../../tasks/multicluster-using-statefulsets/)
+* [Federated services](../../tasks/federated-services/)
 * [Architecting for multi-cluster
   Kubernetes](/2020/02/17/architecting-for-multicluster-kubernetes/), a blog
   post explaining some of the design rationale behind Linkerd's multi-cluster

linkerd.io/content/2-edge/features/rate-limiting.md

@@ -0,0 +1,55 @@
+---
+title: Rate Limiting
+description: Linkerd offers a simple and performant HTTP local rate limiting solution to protect services from misbehaved clients
+---
+
+Rate limiting helps protect a service by controlling its inbound traffic flow to
+prevent overload, ensure fair resource use, enhance security, manage costs,
+maintain quality, and comply with SLAs.
+
+Please check the [Configuring Rate Limiting
+task](../../tasks/configuring-rate-limiting/) for an example guide on deploying
+rate limiting, and the [HTTPLocalRateLimitPolicy reference
+doc](../../reference/rate-limiting/).
+
+## Scope
+
+Linkerd offers a _local_ rate limiting solution, which means that each inbound
+proxy performs the limiting for the pod. This is unlike _global_ rate limiting,
+which takes into account all replicas for each service to track global request
+volume. Global rate limiting requires an additional service to track everything
+and is thus more complex to deploy and maintain.
+
+## Fairness
+
+In the `HTTPLocalRateLimitPolicy` CR you can optionally configure a rate limit
+to apply to all the inbound traffic for a given Server, regardless of the
+source.
+
+Additionally, you can specify fairness among clients by declaring a limit per
+identity. This avoids specific clients gobbling all the rate limit quota and
+affecting all the other clients. Note that all unmeshed sources (which don't
+have an identity) are treated as a single source.
+
+Finally, you also have at your disposal the ability to override the config for
+specific clients by their identity.
+
+## Algorithm
+
+Linkerd uses the [Generic cell rate algorithm
+(GCRA)](https://en.wikipedia.org/wiki/Generic_cell_rate_algorithm) to implement
+rate limiting, which is more performant than the token bucket and leaky bucket
+algorithms usually used for rate limiting.
+
+The GCRA has two parameters: cell rate and tolerance.
+
+In its virtual scheduling description, the algorithm determines a theoretical
+arrival time, representing the 'ideal' arrival time of a cell (request) if cells
+(requests) were transmitted at equal intervals of time, corresponding to the
+cell rate. How closely the flow of requests should abide to that arrival time is
+determined by the tolerance parameter.
+
+In Linkerd we derive the cell rate from the `requestsPerSecond` entries in
+`HTTPLocalRateLimitPolicy` and the tolerance is set to one second. This helps
+accommodating small variations or occasional bursts in traffic while ensuring
+the long-term rate remains within limits.

linkerd.io/content/2-edge/reference/egress-network.md

@@ -0,0 +1,110 @@
+---
+title: EgressNetwork
+---
+
+Linkerd's [egress functionality]({{< relref "../features/egress">}}) allows
+you to monitor and control traffic that leaves the cluster. This behavior is
+controlled by creating `EgressNetwork` resources, which describe the properties
+of traffic that leaves a cluster and provide a way to apply policies to it, using
+Gateway API primitives.
+
+{{< warning >}}
+
+No service mesh can provide a strong security guarantee about egress traffic
+by itself; for example, a malicious actor could bypass the Linkerd sidecar -
+and thus Linkerd's egress controls - entirely. Fully restricting egress
+traffic in the presence of arbitrary applications thus typically requires a
+more comprehensive approach.
+
+{{< /warning >}}
+
+## EgressNetwork semantics
+
+An `EgressNetwork` is essentially a description for a set of traffic
+destinations that reside outside the cluster. In that sense, it is comparable
+to a Service, with the main difference being that a Service encompasses a single
+logical destination while an `EgressNetwork` can encompass a set of
+destinations. This set can vary in size - from a single IP address to the entire
+network space that is not within the boundaries of the cluster.
+
+An `EgressNetwork` resource by default has several namespace semantics that are
+worth outlining. EgressNetworks are namespaced resources, which means that they
+affect only clients within the namespace that they reside in. The only exception
+is EgressNetworks created in the global egress namespace: these EgressNetworks
+affect clients in all namespaces. The namespace-local resources take priority.
+By default the global egress namespace is set to `linkerd-egress`, but can be
+configured by setting the `egress.globalEgressNetworkNamespace` Helm
+value.
+
+## EgressNetwork Spec
+
+An `EgressNetwork` spec may contain the following top level fields:
+
+{{< keyval >}}
+
+| field| value |
+|------|-------|
+| `networks`| A set of [network specifications](#networks) that describe the address space that this `EgressNetwork` captures |
+| `trafficPolicy`| the default [traffic policy](#trafficpolicy) for this resource. |
+{{< /keyval >}}
+
+### networks
+
+This field is used to concretely describe the set of outside networks that this
+network captures. All traffic to these destinations will be considered as
+flowing to this `EgressNetwork` and subject to its traffic policy.
+If an `EgressNetwork` does not specify any `networks`, the `EgressNetwork`
+captures the entire IP address space except for the in-cluster networks specified
+by the `clusterNetworks` value provided when Linkerd was installed.
+
+{{< keyval >}}
+
+| field| value |
+|------|-------|
+| `cidr`| A subnet in CIDR notation.|
+| `except`| A list of subnets in CIDR notation to exclude.|
+{{< /keyval >}}
+
+### trafficPolicy
+
+This field is required and must be either `Allow` or `Deny`. If `trafficPolicy`
+is set to `Allow`, all traffic through this EgressNetwork will be let through
+even if there is no explicit Gateway API Route that describes it. If
+`trafficPolicy` is set to `Deny`, traffic through this `EgressNetwork` that
+is not explicitly matched by a Route will be refused.
+
+## Example
+
+Below is an example of an `EgressNetwork` resource that will block all external
+traffic except HTTPS traffic to httpbin.org on port 443. The later is done via
+an explicit TLSRoute.
+
+```yaml
+apiVersion: policy.linkerd.io/v1alpha1
+kind: EgressNetwork
+metadata:
+  namespace: linkerd-egress
+  name: all-egress-traffic
+spec:
+  trafficPolicy: Deny
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: tls-egress
+  namespace: linkerd-egress
+spec:
+  hostnames:
+  - httpbin.org
+  parentRefs:
+  - name: all-egress-traffic
+    kind: EgressNetwork
+    group: policy.linkerd.io
+    namespace: linkerd-egress
+    port: 443
+  rules:
+  - backendRefs:
+    - kind: EgressNetwork
+      group: policy.linkerd.io
+      name: all-egress-traffic
+```

linkerd.io/content/2-edge/reference/multicluster.md

@@ -5,14 +5,16 @@ description: Multi-cluster communication
 
 Linkerd's [multi-cluster functionality](../../features/multicluster/) allows
 pods to connect to Kubernetes services across cluster boundaries in a way that
-is secure and fully transparent to the application. As of Linkerd 2.14, this
-feature supports two modes: hierarchical (using an gateway) and flat (without a
-gateway):
+is secure and fully transparent to the application. This feature supports three
+modes: hierarchical (using a gateway), flat (without a gateway), and federated.
 
-* **Flat mode** requires that all pods on the source cluster be able to directly
-  connect to pods on the destination cluster.
 * **Hierarchical mode** only requires that the gateway IP of the destination
   cluster be reachable by pods on the source cluster.
+* **Flat mode** requires that all pods on the source cluster be able to directly
+  connect to pods on the destination cluster.
+* **Federated mode** has the same requirements as flat mode but allows a service
+  deployed to multiple clusters to be treated as a single cluster agnostic
+  service.
 
 These modes can be mixed and matched.
 
@@ -66,3 +68,26 @@ together, a Kubernetes `Secret` is created in the control plane's namespace with
 a kubeconfig file that allows an API client to be configured. The kubeconfig
 file uses RBAC to provide the "principle of least privilege", ensuring the
 *destination service* may only access only the resources it needs.
+
+## Federated Services
+
+Federated services take this a step farther by allowing a service which is
+deployed to multiple clusters to be joined into a single unified service.
+
+The service mirror controller will look for all services in all linked clusters
+which match a label selector (`mirror.linkerd.io/federated=member` by default)
+and create a federated service called `<svc name>-federated` which will act as
+a union of all those services with that name. For example, all traffic sent to
+the `store-web-federated` federated service will be load balanced over all
+replicas of all services named `store-web` in all linked clusters.
+
+The concept of "namespace sameness" applies, which means that the federated
+service will be created in the same namespace as the individual services and
+services can only join a federated service in the same namespace.
+
+Since Linkerd's *destination service* uses "remote-discovery" to discover the
+endpoints of a federated service, all of the requirements for flat mode also
+apply to federated services: the clusters must be on a flat network where pods
+in one cluster can connect to pods in the others, the clusters must have the
+same trust root, and any clients connecting to the federated service must be
+meshed.