Introduction
Service meshes can automate the process of providing additional security, reliability, and functionality around your containers. In this tutorial, you will be able to see how a service mesh works up close by exploring how the service mesh interacts with a simple application.
Explore the Linkerd Dashboard
Copy the public IP address of the Kubernetes server from the lab.
Open a new browser Insert the public IP of Kubernetes server in place of in the web address below:
http://<****>:30080
Copy and paste the resulting address into your browser's address bar. This should bring you to the Linkerd dashboard for the Kubernetes cluster.
Under HTTP Metrics, click default. This should let you see our two deployments, which have not been meshed with Linkerd yet.
Mesh the Application with Linkerd
access the Kubernetes control plane node.
Get a list of the deployments in the default Namespace in YAML format, inject Linkerd's configuration into the YAML, and apply those changes using kubectl apply
kubectl get -n default deploy -o yaml | \
linkerd inject - | \
kubectl apply -f -
This should reconfigure the deployments so that Linkerd can inject the sidecar proxies.
changes made
pods are meshed
Explore the Changes to Application Components Made by Linkerd
View the list of Pods:
kubectl get pods
cloud_user@k8s-control:~$ kubectl describe pod terrapin-client-dep-666cf6cdfd-ghz29
Name: terrapin-client-dep-666cf6cdfd-ghz29
Namespace: default
Priority: 0
Node: k8s-worker1/10.0.1.102
Start Time: Mon, 22 Dec 2025 23:55:02 +0000
Labels: app=terrapin-client
linkerd.io/control-plane-ns=linkerd
linkerd.io/proxy-deployment=terrapin-client-dep
linkerd.io/workload-ns=default
pod-template-hash=666cf6cdfd
Annotations: cni.projectcalico.org/containerID: 8e32df1bf505e17d7dd7e84883d6fe56c9c0c5d48eb6df9e1eba7d5dace9b5b0
cni.projectcalico.org/podIP: 192.168.194.81/32
cni.projectcalico.org/podIPs: 192.168.194.81/32
linkerd.io/created-by: linkerd/proxy-injector stable-2.11.1
linkerd.io/identity-mode: default
linkerd.io/inject: enabled
linkerd.io/proxy-version: stable-2.11.1
viz.linkerd.io/tap-enabled: true
Status: Running
IP: 192.168.194.81
IPs:
IP: 192.168.194.81
Controlled By: ReplicaSet/terrapin-client-dep-666cf6cdfd
Init Containers:
linkerd-init:
Container ID: containerd://0c1e6c79651831846eb35abd56353c8195b74192bab00f0442d4012bac4bb717
Image: cr.l5d.io/linkerd/proxy-init:v1.4.0
Image ID: cr.l5d.io/linkerd/proxy-init@sha256:60d12fbb0b4a53962a5c2a59b496b3ee20052d26c0c56fd2ee38fd7fae62146e
Port: <none>
Host Port: <none>
Args:
--incoming-proxy-port
4143
--outgoing-proxy-port
4140
--proxy-uid
2102
--inbound-ports-to-ignore
4190,4191,4567,4568
--outbound-ports-to-ignore
4567,4568
State: Terminated
Reason: Completed
Exit Code: 0
Started: Mon, 22 Dec 2025 23:55:04 +0000
Finished: Mon, 22 Dec 2025 23:55:04 +0000
Ready: True
Restart Count: 0
Limits:
cpu: 100m
memory: 50Mi
Requests:
cpu: 10m
memory: 10Mi
Environment: <none>
Mounts:
/run from linkerd-proxy-init-xtables-lock (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-q45w2 (ro)
Containers:
linkerd-proxy:
Container ID: containerd://79e2aee1789f786dbe749e0ee200afc8db2d33b46296d2d2c1da39204a44a5a4
Image: cr.l5d.io/linkerd/proxy:stable-2.11.1
Image ID: cr.l5d.io/linkerd/proxy@sha256:91b53d4b39e4c058e5fc63b72dd7ab6fe7f7051869ec5251dc9c0d8287b2771f
Ports: 4143/TCP, 4191/TCP
Host Ports: 0/TCP, 0/TCP
State: Running
Started: Mon, 22 Dec 2025 23:55:06 +0000
Ready: True
Restart Count: 0
Liveness: http-get http://:4191/live delay=10s timeout=1s period=10s #success=1 #failure=3
Readiness: http-get http://:4191/ready delay=2s timeout=1s period=10s #success=1 #failure=3
Environment:
_pod_name: terrapin-client-dep-666cf6cdfd-ghz29 (v1:metadata.name)
_pod_ns: default (v1:metadata.namespace)
_pod_nodeName: (v1:spec.nodeName)
LINKERD2_PROXY_LOG: warn,linkerd=info
LINKERD2_PROXY_LOG_FORMAT: plain
LINKERD2_PROXY_DESTINATION_SVC_ADDR: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
LINKERD2_PROXY_POLICY_SVC_ADDR: linkerd-policy.linkerd.svc.cluster.local.:8090
LINKERD2_PROXY_POLICY_WORKLOAD: $(_pod_ns):$(_pod_name)
LINKERD2_PROXY_INBOUND_DEFAULT_POLICY: all-unauthenticated
LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT: 100ms
LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT: 1000ms
LINKERD2_PROXY_CONTROL_LISTEN_ADDR: 0.0.0.0:4190
LINKERD2_PROXY_ADMIN_LISTEN_ADDR: 0.0.0.0:4191
LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR: 127.0.0.1:4140
LINKERD2_PROXY_INBOUND_LISTEN_ADDR: 0.0.0.0:4143
LINKERD2_PROXY_INBOUND_IPS: (v1:status.podIPs)
LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES: svc.cluster.local.
LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE: 10000ms
LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE: 10000ms
LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION: 25,587,3306,4444,5432,6379,9300,11211
LINKERD2_PROXY_DESTINATION_CONTEXT: {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
_pod_sa: (v1:spec.serviceAccountName)
_l5d_ns: linkerd
_l5d_trustdomain: cluster.local
LINKERD2_PROXY_IDENTITY_DIR: /var/run/linkerd/identity/end-entity
LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS: -----BEGIN CERTIFICATE-----
MIIBiDCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0
eS5saW5rZXJkLjAeFw0yNTEyMjIyMzM4NDlaFw0yNjEyMjIyMzM5MDlaMBwxGjAY
BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAE94d/0iTwQe7HZkt2fwFwSrietAUlwg9VwgCdeMYlaOrx30cj8+jy/fJJdEvH
sjsWl5HcG10FPn99fEulz4JmIKNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRK/cAaNL05Lrepa6yUQxff49kfGTAKBggqhkjOPQQDAgNIADBFAiEAr1e+6hCh
kTBROQE6uDal2CRvtkl6rHOjLTOzueKIVPICIBQYOccdiDWTbEi4qWjhrX++aExU
bg9xL9dtUmhs9EVA
-----END CERTIFICATE-----
LINKERD2_PROXY_IDENTITY_TOKEN_FILE: /var/run/secrets/kubernetes.io/serviceaccount/token
LINKERD2_PROXY_IDENTITY_SVC_ADDR: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
LINKERD2_PROXY_IDENTITY_LOCAL_NAME: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
LINKERD2_PROXY_IDENTITY_SVC_NAME: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
LINKERD2_PROXY_DESTINATION_SVC_NAME: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
LINKERD2_PROXY_POLICY_SVC_NAME: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
LINKERD2_PROXY_TAP_SVC_NAME: tap.linkerd-viz.serviceaccount.identity.linkerd.cluster.local
Mounts:
/var/run/linkerd/identity/end-entity from linkerd-identity-end-entity (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-q45w2 (ro)
busybox:
Container ID: containerd://4d090b5d52f2ed1ee7b19d4172f203aea60837ae30c8136b9e063550dbd06d29
Image: radial/busyboxplus:curl
Image ID: sha256:4776f1f7d1f625c8c5173a969fdc9ae6b62655a2746aba989784bb2b7edbfe9b
Port: <none>
Host Port: <none>
Command:
sh
-c
while true; do curl -s terrapin-web-svc; sleep 5; done
State: Running
Started: Mon, 22 Dec 2025 23:55:07 +0000
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-q45w2 (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kube-api-access-q45w2:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
linkerd-proxy-init-xtables-lock:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit: <unset>
linkerd-identity-end-entity:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium: Memory
SizeLimit: <unset>
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 4m32s default-scheduler Successfully assigned default/terrapin-client-dep-666cf6cdfd-ghz29 to k8s-worker1
Normal Pulled 4m32s kubelet Container image "cr.l5d.io/linkerd/proxy-init:v1.4.0" already present on machine
Normal Created 4m30s kubelet Created container linkerd-init
Normal Started 4m30s kubelet Started container linkerd-init
Normal Pulled 4m29s kubelet Container image "cr.l5d.io/linkerd/proxy:stable-2.11.1" already present on machine
Normal Created 4m28s kubelet Created container linkerd-proxy
Normal Started 4m28s kubelet Started container linkerd-proxy
Normal Pulled 4m28s kubelet Container image "radial/busyboxplus:curl" already present on machine
Normal Created 4m27s kubelet Created container busybox
Normal Started 4m27s kubelet Started container busybox
cloud_user@k8s-control:~$
side car attached
Top comments (0)