[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-d8a2ca6b-5f71-463f-a00b-f79d6d88edee":3,"$fSZx9ZRnle9r96Z4LJOhVf59_QAnUqvBEK9YRHLgz2OY":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"d8a2ca6b-5f71-463f-a00b-f79d6d88edee","linkerd-patterns","Production patterns for the Linkerd service mesh - a lightweight, security-first service mesh for Kubernetes.","cat_coding_devops","mod_coding","sickn33,coding","---\nname: linkerd-patterns\ndescription: \"Production patterns for Linkerd service mesh - the lightweight, security-first service mesh for Kubernetes.\"\nrisk: critical\nsource: community\ndate_added: \"2026-02-27\"\n---\n\n\u003C!-- security-allowlist: curl-pipe-bash -->\n\n# Linkerd Patterns\n\nProduction patterns for Linkerd service mesh - the lightweight, security-first service mesh for Kubernetes.\n\n## Do not use this skill when\n\n- The task is unrelated to linkerd patterns\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources\u002Fimplementation-playbook.md`.\n\n## Use this skill when\n\n- Setting up a lightweight service mesh\n- Implementing automatic mTLS\n- Configuring traffic splits for canary deployments\n- Setting up service profiles for per-route metrics\n- Implementing retries and timeouts\n- Multi-cluster service mesh\n\n## Core Concepts\n\n### 1. 
Linkerd Architecture\n\n```\n┌─────────────────────────────────────────────┐\n│                Control Plane                 │\n│  ┌─────────┐ ┌──────────┐ ┌──────────────┐ │\n│  │ destiny │ │ identity │ │ proxy-inject │ │\n│  └─────────┘ └──────────┘ └──────────────┘ │\n└─────────────────────────────────────────────┘\n                      │\n┌─────────────────────────────────────────────┐\n│                 Data Plane                   │\n│  ┌─────┐    ┌─────┐    ┌─────┐             │\n│  │proxy│────│proxy│────│proxy│             │\n│  └─────┘    └─────┘    └─────┘             │\n│     │           │           │               │\n│  ┌──┴──┐    ┌──┴──┐    ┌──┴──┐            │\n│  │ app │    │ app │    │ app │            │\n│  └─────┘    └─────┘    └─────┘            │\n└─────────────────────────────────────────────┘\n```\n\n### 2. Key Resources\n\n| Resource | Purpose |\n|----------|---------|\n| **ServiceProfile** | Per-route metrics, retries, timeouts |\n| **TrafficSplit** | Canary deployments, A\u002FB testing |\n| **Server** | Define server-side policies |\n| **ServerAuthorization** | Access control policies |\n\n## Templates\n\n### Template 1: Mesh Installation\n\n```bash\n# Install CLI\ncurl --proto '=https' --tlsv1.2 -sSfL https:\u002F\u002Frun.linkerd.io\u002Finstall | sh\n\n# Validate cluster\nlinkerd check --pre\n\n# Install CRDs\nlinkerd install --crds | kubectl apply -f -\n\n# Install control plane\nlinkerd install | kubectl apply -f -\n\n# Verify installation\nlinkerd check\n\n# Install viz extension (optional)\nlinkerd viz install | kubectl apply -f -\n```\n\n### Template 2: Inject Namespace\n\n```yaml\n# Automatic injection for namespace\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: my-app\n  annotations:\n    linkerd.io\u002Finject: enabled\n---\n# Or inject specific deployment\napiVersion: apps\u002Fv1\nkind: Deployment\nmetadata:\n  name: my-app\n  annotations:\n    linkerd.io\u002Finject: enabled\nspec:\n  template:\n    metadata:\n      
annotations:\n        linkerd.io\u002Finject: enabled\n```\n\n### Template 3: Service Profile with Retries\n\n```yaml\napiVersion: linkerd.io\u002Fv1alpha2\nkind: ServiceProfile\nmetadata:\n  name: my-service.my-namespace.svc.cluster.local\n  namespace: my-namespace\nspec:\n  routes:\n    - name: GET \u002Fapi\u002Fusers\n      condition:\n        method: GET\n        pathRegex: \u002Fapi\u002Fusers\n      responseClasses:\n        - condition:\n            status:\n              min: 500\n              max: 599\n          isFailure: true\n      isRetryable: true\n    - name: POST \u002Fapi\u002Fusers\n      condition:\n        method: POST\n        pathRegex: \u002Fapi\u002Fusers\n      # POST not retryable by default\n      isRetryable: false\n    - name: GET \u002Fapi\u002Fusers\u002F{id}\n      condition:\n        method: GET\n        pathRegex: \u002Fapi\u002Fusers\u002F[^\u002F]+\n      timeout: 5s\n      isRetryable: true\n  retryBudget:\n    retryRatio: 0.2\n    minRetriesPerSecond: 10\n    ttl: 10s\n```\n\n### Template 4: Traffic Split (Canary)\n\n```yaml\napiVersion: split.smi-spec.io\u002Fv1alpha1\nkind: TrafficSplit\nmetadata:\n  name: my-service-canary\n  namespace: my-namespace\nspec:\n  service: my-service\n  backends:\n    - service: my-service-stable\n      weight: 900m  # 90%\n    - service: my-service-canary\n      weight: 100m  # 10%\n```\n\n### Template 5: Server Authorization Policy\n\n```yaml\n# Define the server\napiVersion: policy.linkerd.io\u002Fv1beta1\nkind: Server\nmetadata:\n  name: my-service-http\n  namespace: my-namespace\nspec:\n  podSelector:\n    matchLabels:\n      app: my-service\n  port: http\n  proxyProtocol: HTTP\u002F1\n---\n# Allow traffic from specific clients\napiVersion: policy.linkerd.io\u002Fv1beta1\nkind: ServerAuthorization\nmetadata:\n  name: allow-frontend\n  namespace: my-namespace\nspec:\n  server:\n    name: my-service-http\n  client:\n    meshTLS:\n      serviceAccounts:\n        - name: frontend\n          
namespace: my-namespace\n---\n# Allow unauthenticated traffic (e.g., from ingress)\napiVersion: policy.linkerd.io\u002Fv1beta1\nkind: ServerAuthorization\nmetadata:\n  name: allow-ingress\n  namespace: my-namespace\nspec:\n  server:\n    name: my-service-http\n  client:\n    unauthenticated: true\n    networks:\n      - cidr: 10.0.0.0\u002F8\n```\n\n### Template 6: HTTPRoute for Advanced Routing\n\n```yaml\napiVersion: policy.linkerd.io\u002Fv1beta2\nkind: HTTPRoute\nmetadata:\n  name: my-route\n  namespace: my-namespace\nspec:\n  parentRefs:\n    - name: my-service\n      kind: Service\n      group: core\n      port: 8080\n  rules:\n    - matches:\n        - path:\n            type: PathPrefix\n            value: \u002Fapi\u002Fv2\n        - headers:\n            - name: x-api-version\n              value: v2\n      backendRefs:\n        - name: my-service-v2\n          port: 8080\n    - matches:\n        - path:\n            type: PathPrefix\n            value: \u002Fapi\n      backendRefs:\n        - name: my-service-v1\n          port: 8080\n```\n\n### Template 7: Multi-cluster Setup\n\n```bash\n# On each cluster, install with cluster credentials\nlinkerd multicluster install | kubectl apply -f -\n\n# Link clusters\nlinkerd multicluster link --cluster-name west \\\n  --api-server-address https:\u002F\u002Fwest.example.com:6443 \\\n  | kubectl apply -f -\n\n# Export a service to other clusters\nkubectl label svc\u002Fmy-service mirror.linkerd.io\u002Fexported=true\n\n# Verify cross-cluster connectivity\nlinkerd multicluster check\nlinkerd multicluster gateways\n```\n\n## Monitoring Commands\n\n```bash\n# Live traffic view\nlinkerd viz top deploy\u002Fmy-app\n\n# Per-route metrics\nlinkerd viz routes deploy\u002Fmy-app\n\n# Check proxy status\nlinkerd viz stat deploy -n my-namespace\n\n# View service dependencies\nlinkerd viz edges deploy -n my-namespace\n\n# Dashboard\nlinkerd viz dashboard\n```\n\n## Debugging\n\n```bash\n# Check injection status\nlinkerd check 
--proxy -n my-namespace\n\n# View proxy logs\nkubectl logs deploy\u002Fmy-app -c linkerd-proxy\n\n# Debug identity\u002FTLS\nlinkerd identity -n my-namespace\n\n# Tap traffic (live)\nlinkerd viz tap deploy\u002Fmy-app --to deploy\u002Fmy-backend\n```\n\n## Best Practices\n\n### Do's\n- **Enable mTLS everywhere** - It's automatic with Linkerd\n- **Use ServiceProfiles** - Get per-route metrics and retries\n- **Set retry budgets** - Prevent retry storms\n- **Monitor golden metrics** - Success rate, latency, throughput\n\n### Don'ts\n- **Don't skip check** - Always run `linkerd check` after changes\n- **Don't over-configure** - Linkerd defaults are sensible\n- **Don't ignore ServiceProfiles** - They unlock advanced features\n- **Don't forget timeouts** - Set appropriate values per route\n\n## Resources\n\n- [Linkerd Documentation](https:\u002F\u002Flinkerd.io\u002F2.14\u002Foverview\u002F)\n- [Service Profiles](https:\u002F\u002Flinkerd.io\u002F2.14\u002Ffeatures\u002Fservice-profiles\u002F)\n- [Authorization Policy](https:\u002F\u002Flinkerd.io\u002F2.14\u002Ffeatures\u002Fserver-policy\u002F)\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,156,423,"2026-05-16 13:26:38",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Programming & Development","coding","mdi-code-braces","Code generation, debugging, and review to improve development efficiency",2,"2026-05-16 
12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"DevOps","devops","mdi-cog-outline","CI\u002FCD, containerization, deployment and operations",3,162,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"4bf201f6-31a0-4280-85f7-1e61833a7d98","1.0.0","linkerd-patterns.zip",2810,"uploads\u002Fskills\u002Fd8a2ca6b-5f71-463f-a00b-f79d6d88edee\u002Flinkerd-patterns.zip","61e28d309ca4a4faa67f06b316a7b82a8f030aca20f92626e298e0378849d0bd","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":8694}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]