Automatic Proxy Injection

Linkerd automatically adds the data plane proxy to pods when the linkerd.io/inject: enabled annotation is present on a namespace or on any workloads, such as deployments or pods. This is known as “proxy injection”.

See Adding Your Service for a walkthrough of how to use this feature in practice. There is a full list of the configuration options available in reference.

Details

Proxy injection is implemented as a Kubernetes admission webhook. This means that the proxies are added to pods within the Kubernetes cluster itself, regardless of whether the pods are created by kubectl, a CI/CD system, or any other system.

For each pod, two containers are injected:

  • linkerd-init, a Kubernetes InitContainer that configures iptables to automatically forward all incoming and outgoing TCP traffic through the proxy. (Note that this container is not present if the Linkerd CNI Plugin has been enabled.)
  • linkerd-proxy, the Linkerd data plane proxy itself.

Note that simply adding the annotation to a resource with pre-existing pods will not automatically inject those pods. You will need to update the pods (e.g. with kubectl rollout restart) for them to be injected. This is because Kubernetes does not call the webhook until it needs to update the underlying resources.
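An added example (not from the Linkerd documentation) of a check for pods that missed injection for this reason: given the parsed output of kubectl get namespaces -o json and kubectl get pods --all-namespaces -o json, it lists pods whose effective linkerd.io/inject setting is enabled but which have no linkerd-proxy container. The function names and the sample objects are constructed for illustration.

```python
"""Find pods that should be meshed but were created before injection applied."""

INJECT = "linkerd.io/inject"

def effective_setting(pod, ns_annotations):
    # A pod-level annotation (copied from the workload template) overrides
    # the namespace-level one, e.g. "disabled" in an enabled namespace.
    meta = pod["metadata"]
    value = (meta.get("annotations") or {}).get(INJECT)
    if value is None:
        value = ns_annotations.get(meta.get("namespace", "default"), {}).get(INJECT)
    return value

def has_proxy(pod):
    # Only linkerd-proxy is checked: linkerd-init is absent with the CNI plugin.
    # initContainers are searched too, in case the proxy is placed there
    # (an assumption, not something the page describes).
    spec = pod.get("spec", {})
    names = [c.get("name") for c in spec.get("containers", []) + spec.get("initContainers", [])]
    return "linkerd-proxy" in names

def unmeshed_pods(namespaces, pods):
    ns_annotations = {n["metadata"]["name"]: n["metadata"].get("annotations") or {}
                      for n in namespaces["items"]}
    return sorted(f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
                  for p in pods["items"]
                  if effective_setting(p, ns_annotations) == "enabled" and not has_proxy(p))

def _pod(ns, name, containers, inject=None, init=()):
    # Builds constructed sample pods shaped like kubectl JSON output.
    meta = {"namespace": ns, "name": name}
    if inject:
        meta["annotations"] = {INJECT: inject}
    return {"metadata": meta, "spec": {"containers": [{"name": c} for c in containers],
                                       "initContainers": [{"name": c} for c in init]}}

# Constructed sample data, not taken from a real cluster.
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "shop", "annotations": {INJECT: "enabled"}}},
    {"metadata": {"name": "legacy"}}]}
SAMPLE_PODS = {"items": [
    _pod("shop", "web-old", ["web"]),                    # predates the namespace annotation
    _pod("shop", "web-new", ["web", "linkerd-proxy"], init=["linkerd-init"]),
    _pod("shop", "web-cni", ["web", "linkerd-proxy"]),   # CNI plugin: no linkerd-init
    _pod("shop", "batch", ["job"], inject="disabled"),   # explicit opt-out
    _pod("legacy", "api", ["api"], inject="enabled")]}   # annotated after creation

if __name__ == "__main__":
    print("\n".join(unmeshed_pods(SAMPLE_NAMESPACES, SAMPLE_PODS)))
```

Pods reported here carry traffic outside the mesh until they are recreated, so the list is the set to restart.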

Overriding injection

Automatic injection can be disabled for a pod or deployment for which it would otherwise be enabled, by adding the linkerd.io/inject: disabled annotation.

Manual injection

The linkerd inject CLI command is a text transform that, by default, simply adds the inject annotation to a given Kubernetes manifest.

Alternatively, this command can also perform the full injection purely on the client side with the --manual flag. This was the default behavior prior to Linkerd 2.4; however, performing injection on the cluster side makes it easier to ensure that the data plane is always present and configured correctly, regardless of how pods are deployed.

See the linkerd inject reference for more information.