Linkerd
Ultralight Rust-based service mesh — CNCF Graduated, simplest to operate, with post-quantum cryptography.
Overview
Linkerd is the lightest and simplest service mesh, using a Rust-based micro-proxy (linkerd2-proxy) instead of Envoy. It focuses on operational simplicity, automatic mTLS, latency-aware load balancing, and zero-config observability. As of 2026, it is the first service mesh to ship post-quantum cryptography (ML-KEM-768) by default.
Key Facts
| Attribute | Detail |
|---|---|
| Website | linkerd.io |
| Stars | ~11k+ ⭐ |
| Latest Edge | 2026.4.x (April 2026) |
| Language | Rust (proxy), Go (control plane) |
| License | Apache 2.0 |
| Governance | CNCF Graduated |
| Data Plane | linkerd2-proxy (Rust, sidecar) |
| Company | Buoyant |
Evaluation
| Pros | Cons |
|---|---|
| Lightest resource footprint of any mesh | Sidecar-only (no ambient/sidecar-free mode) |
| Rust proxy: memory-safe, ultra-fast | Smaller ecosystem than Istio |
| Post-quantum crypto (ML-KEM-768) | Buoyant controls stable release packages |
| Simplest installation and operation | Fewer traffic management features than Istio |
| Gateway API support | No built-in L7 circuit breaking |
| Zero-config mTLS and observability | |
Architecture
```mermaid
flowchart TB
    subgraph CP_L["Control Plane"]
        Dest["Destination\n(service discovery, policy)"]
        Identity["Identity\n(certificate issuance)"]
        ProxyInj["Proxy Injector\n(sidecar injection)"]
    end
    subgraph Pod_L["Application Pod"]
        App["App Container"]
        Proxy["linkerd2-proxy\n(Rust sidecar)"]
    end
    Proxy -->|"watch"| Dest
    Proxy -->|"mTLS cert"| Identity
    ProxyInj -->|"mutating webhook"| Pod_L
    style CP_L fill:#0d6efd,color:#fff
    style Proxy fill:#00897b,color:#fff
```
Key Features
| Feature | Detail |
|---|---|
| Automatic mTLS | Zero-config, all pod-to-pod traffic encrypted |
| Post-quantum crypto | ML-KEM-768 default (v2.19+) |
| Latency-aware LB | EWMA algorithm, avoids slow backends |
| Retries & Timeouts | Automatic, profile-driven |
| Traffic splitting | Canary, blue-green via HTTPRoute |
| Observability | Golden metrics (success rate, latency, RPS) |
| Gateway API | Native HTTPRoute support |
| Multi-cluster | Service mirroring across clusters |
Sources