viz

viz manages the linkerd-viz extension of Linkerd service mesh.

Subcommands

allow-scrapes

Output Kubernetes resources to authorize Prometheus scrapes in a namespace or cluster with config.linkerd.io/default-inbound-policy: deny.

Examples

  1. # Allow scrapes in the 'emojivoto' namespace
  2. linkerd viz allow-scrapes --namespace emojivoto | kubectl apply -f -

Flags

FlagUsage
—namespace
-n		The namespace in which to authorize Prometheus scrapes.

authz

Display stats for authorizations for a resource.

Flags

FlagUsage
—namespace
-n		Namespace of the specified resource
—output
-o		Output format; one of: “table” or “json” or “wide”
—selector
-l		Selector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’
—time-window
-t		Stat window (for example: “15s”, “1m”, “10m”, “1h”). Needs to be at least 15s.

check

Check the Linkerd Viz extension for potential problems.

The check command will perform a series of checks to validate that the Linkerd Viz extension is configured correctly. If the command encounters a failure it will print additional information about the failure and exit with a non-zero exit code.

Examples

  1. # Check that the viz extension is up and running
  2. linkerd viz check

Flags

FlagUsage
—namespace
-n		Namespace to use for –proxy checks (default: all namespaces)
—output
-o		Output format. One of: basic, json
—proxyAlso run data-plane checks, to determine if the data plane is healthy
—waitMaximum allowed time for all tests to pass

dashboard

Open the Linkerd dashboard in a web browser

Check out the architecture docs for a more thorough explanation of what this command does.

Flags

FlagUsage
—addressThe address at which to serve requests
—port
-p		The local port on which to serve requests (when set to 0, a random port will be used)
—showOpen a dashboard in a browser or show URLs in the CLI (one of: linkerd, grafana, url)
—waitWait for dashboard to become available if it’s not available when the command is run

(*) You’ll need to tweak the dashboard’s enforced-host parameter with this value, as explained in the DNS-rebinding protection docs

edges

Display connections between resources, and Linkerd proxy identities.

The RESOURCETYPE argument specifies the type of resource to display edges within.

Examples:

  • cronjob
  • deploy
  • ds
  • job
  • po
  • rc
  • rs
  • sts

Valid resource types include:

  • cronjobs
  • daemonsets
  • deployments
  • jobs
  • pods
  • replicasets
  • replicationcontrollers
  • statefulsets

Examples

  1. # Get all edges between pods that either originate from or terminate in the test namespace.
  2. linkerd viz edges po -n test
  4. # Get all edges between pods that either originate from or terminate in the default namespace.
  5. linkerd viz edges po
  7. # Get all edges between pods in all namespaces.
  8. linkerd viz edges po --all-namespaces

Flags

FlagUsage
—all-namespaces
-A		If present, returns edges across all namespaces, ignoring the “–namespace” flag
—namespace
-n		Namespace of the specified resource
—output
-o		Output format; one of: “table” or “json” or “wide”

install

Output Kubernetes resources to install linkerd-viz extension.

Examples

  1. # Default install.
  2. linkerd viz install | kubectl apply -f -
  4. The installation can be configured by using the --set, --values, --set-string and --set-file flags.
  5. A full list of configurable values can be found at https://www.github.com/linkerd/linkerd2/tree/main/viz/charts/linkerd-viz/README.md

Flags

FlagUsage
—haInstall Viz Extension in High Availability mode.
—ignore-clusterIgnore the current Kubernetes cluster when checking for existing cluster configuration (default false)
—setset values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
—set-fileset values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
—set-stringset STRING values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
—skip-checksSkip checks for linkerd core control-plane existence
—values
-f		specify values in a YAML file or a URL (can specify multiple)
—waitWait for core control-plane components to be available

list

Lists which pods can be tapped

Flags

FlagUsage
—all-namespaces
-A		If present, list pods across all namespaces
—namespace
-n		The namespace to list pods in

profile

Output service profile config for Kubernetes based off tap data.

Examples

  1. # Generate a profile by watching live traffic.
  2. linkerd viz profile -n emojivoto web-svc --tap deploy/web --tap-duration 10s --tap-route-limit 5

Flags

FlagUsage
—namespace
-n		Namespace of the service
—tapOutput a service profile based on tap data for the given target resource
—tap-durationDuration over which tap data is collected (for example: “10s”, “1m”, “10m”)
—tap-route-limitMax number of routes to add to the profile

routes

The routes command displays per-route service metrics. In order for this information to be available, a service profile must be defined for the service that is receiving the requests. For more information about how to create a service profile, see service profiles. and the profile command reference.

Inbound Metrics

By default, routes displays inbound metrics for a target. In other words, it shows information about requests which are sent to the target and responses which are returned by the target. For example, the command:

  1. linkerd viz routes deploy/webapp

Displays the request volume, success rate, and latency of requests to the webapp deployment. These metrics are from the webapp deployment’s perspective, which means that, for example, these latencies do not include the network latency between a client and the webapp deployment.

Outbound Metrics

If you specify the --to flag then linkerd viz routes displays outbound metrics from the target resource to the resource in the --to flag. In contrast to the inbound metrics, these metrics are from the perspective of the sender. This means that these latencies do include the network latency between the client and the server. For example, the command:

  1. linkerd viz routes deploy/traffic --to deploy/webapp

Displays the request volume, success rate, and latency of requests from traffic to webapp from the perspective of the traffic deployment.

Effective and Actual Metrics

If you are looking at outbound metrics (by specifying the --to flag) you can also supply the -o wide flag to differentiate between effective and actual metrics.

Effective requests are requests which are sent by some client to the Linkerd proxy. Actual requests are requests which the Linkerd proxy sends to some server. If the Linkerd proxy is performing retries, one effective request can translate into more than one actual request. If the Linkerd proxy is not performing retries, effective requests and actual requests will always be equal. When enabling retries, you should expect to see the actual request rate increase and the effective success rate increase. See the retries and timeouts section for more information.

Because retries are only performed on the outbound (client) side, the -o wide flag can only be used when the --to flag is specified.

Examples

  1. # Routes for the webapp service in the test namespace.
  2. linkerd viz routes service/webapp -n test
  4. # Routes for calls from the traffic deployment to the webapp service in the test namespace.
  5. linkerd viz routes deploy/traffic -n test --to svc/webapp

Flags

FlagUsage
—namespace
-n		Namespace of the specified resource
—output
-o		Output format; one of: “table”, “wide”, or “json”
—selector
-l		Selector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’
—time-window
-t		Stat window (for example: “10s”, “1m”, “10m”, “1h”)
—toIf present, shows outbound stats to the specified resource
—to-namespaceSets the namespace used to lookup the “–to” resource; by default the current “–namespace” is used

stat

Display traffic stats about one or many resources.

The RESOURCES argument specifies the target resource(s) to aggregate stats over: (TYPE [NAME] | TYPE/NAME) or (TYPE [NAME1] [NAME2]…) or (TYPE1/NAME1 TYPE2/NAME2…)

Examples:

  • cronjob/my-cronjob
  • deploy
  • deploy/my-deploy
  • deploy/ po/
  • ds/my-daemonset
  • job/my-job
  • ns/my-ns
  • po/mypod1 rc/my-replication-controller
  • po mypod1 mypod2
  • rc/my-replication-controller
  • rs
  • rs/my-replicaset
  • sts/my-statefulset
  • ts/my-split
  • authority
  • au/my-authority
  • httproute/my-route
  • route/my-route
  • all

Valid resource types include:

  • cronjobs
  • daemonsets
  • deployments
  • namespaces
  • jobs
  • pods
  • replicasets
  • replicationcontrollers
  • statefulsets
  • authorities (not supported in –from)
  • authorizationpolicies (not supported in –from)
  • httproutes (not supported in –from)
  • services (not supported in –from)
  • servers (not supported in –from)
  • serverauthorizations (not supported in –from)
  • all (all resource types, not supported in –from or –to)

This command will hide resources that have completed, such as pods that are in the Succeeded or Failed phases. If no resource name is specified, displays stats about all resources of the specified RESOURCETYPE

Examples

  1. # Get all deployments in the test namespace.
  2. linkerd viz stat deployments -n test
  4. # Get the hello1 replication controller in the test namespace.
  5. linkerd viz stat replicationcontrollers hello1 -n test
  7. # Get all namespaces.
  8. linkerd viz stat namespaces
  10. # Get all inbound stats to the web deployment.
  11. linkerd viz stat deploy/web
  13. # Get all inbound stats to the pod1 and pod2 pods
  14. linkerd viz stat po pod1 pod2
  16. # Get all inbound stats to the pod1 pod and the web deployment
  17. linkerd viz stat po/pod1 deploy/web
  19. # Get all pods in all namespaces that call the hello1 deployment in the test namespace.
  20. linkerd viz stat pods --to deploy/hello1 --to-namespace test --all-namespaces
  22. # Get all pods in all namespaces that call the hello1 service in the test namespace.
  23. linkerd viz stat pods --to svc/hello1 --to-namespace test --all-namespaces
  25. # Get the web service. With Services, metrics are generated from the outbound metrics
  26. # of clients, and thus will not include unmeshed client request metrics.
  27. linkerd viz stat svc/web
  29. # Get the web services and metrics for any traffic coming to the service from the hello1 deployment
  30. # in the test namespace.
  31. linkerd viz stat svc/web --from deploy/hello1 --from-namespace test
  33. # Get the web services and metrics for all the traffic that reaches the web-pod1 pod
  34. # in the test namespace exclusively.
  35. linkerd viz stat svc/web --to pod/web-pod1 --to-namespace test
  37. # Get all services in all namespaces that receive calls from hello1 deployment in the test namespace.
  38. linkerd viz stat services --from deploy/hello1 --from-namespace test --all-namespaces
  40. # Get all namespaces that receive traffic from the default namespace.
  41. linkerd viz stat namespaces --from ns/default
  43. # Get all inbound stats to the test namespace.
  44. linkerd viz stat ns/test
  46. # Get all inbound stats to the emoji-grpc server
  47. linkerd viz stat server/emoji-grpc
  49. # Get all inbound stats to the web-public server authorization resource
  50. linkerd viz stat serverauthorization/web-public
  52. # Get all inbound stats to the web-get and web-delete HTTP route resources
  53. linkerd viz stat route/web-get route/web-delete
  55. # Get all inbound stats to the web-authz authorization policy resource
  56. linkerd viz stat authorizationpolicy/web-authz

Flags

FlagUsage
—all-namespaces
-A		If present, returns stats across all namespaces, ignoring the “–namespace” flag
—fromIf present, restricts outbound stats from the specified resource name
—from-namespaceSets the namespace used from lookup the “–from” resource; by default the current “–namespace” is used
—namespace
-n		Namespace of the specified resource
—output
-o		Output format; one of: “table” or “json” or “wide”
—selector
-l		Selector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’
—time-window
-t		Stat window (for example: “15s”, “1m”, “10m”, “1h”). Needs to be at least 15s.
—toIf present, restricts outbound stats to the specified resource name
—to-namespaceSets the namespace used to lookup the “–to” resource; by default the current “–namespace” is used
—unmeshedIf present, include unmeshed resources in the output

tap

Listen to a traffic stream.

The RESOURCE argument specifies the target resource(s) to tap: (TYPE [NAME] | TYPE/NAME)

Examples:

  • cronjob/my-cronjob
  • deploy
  • deploy/my-deploy
  • deploy my-deploy
  • ds/my-daemonset
  • job/my-job
  • ns/my-ns
  • rs
  • rs/my-replicaset
  • sts
  • sts/my-statefulset

Valid resource types include:

  • cronjobs
  • daemonsets
  • deployments
  • jobs
  • namespaces
  • pods
  • replicasets
  • replicationcontrollers
  • statefulsets
  • services (only supported as a –to resource)

Examples

  1. # tap the web deployment in the default namespace
  2. linkerd viz tap deploy/web
  4. # tap the web-dlbvj pod in the default namespace
  5. linkerd viz tap pod/web-dlbvj
  7. # tap the test namespace, filter by request to prod namespace
  8. linkerd viz tap ns/test --to ns/prod

Flags

FlagUsage
—authorityDisplay requests with this :authority
—max-rpsMaximum requests per second to tap.
—methodDisplay requests with this HTTP method
—namespace
-n		Namespace of the specified resource
—output
-o		Output format. One of: “wide”, “json”
—pathDisplay requests with paths that start with this prefix
—schemeDisplay requests with this scheme
—selector
-l		Selector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’
—toDisplay requests to this resource
—to-namespaceSets the namespace used to lookup the “–to” resource; by default the current “–namespace” is used

top

Display sorted information about live traffic.

The RESOURCE argument specifies the target resource(s) to view traffic for: (TYPE [NAME] | TYPE/NAME)

Examples:

  • cronjob/my-cronjob
  • deploy
  • deploy/my-deploy
  • deploy my-deploy
  • ds/my-daemonset
  • job/my-job
  • ns/my-ns
  • rs
  • rs/my-replicaset
  • sts
  • sts/my-statefulset

Valid resource types include:

  • cronjobs
  • daemonsets
  • deployments
  • jobs
  • namespaces
  • pods
  • replicasets
  • replicationcontrollers
  • statefulsets
  • services (only supported as a –to resource)

Examples

  1. # display traffic for the web deployment in the default namespace
  2. linkerd viz top deploy/web
  4. # display traffic for the web-dlbvj pod in the default namespace
  5. linkerd viz top pod/web-dlbvj

Flags

FlagUsage
—authorityDisplay requests with this :authority
—hide-sourcesHide the source column
—max-rpsMaximum requests per second to tap.
—methodDisplay requests with this HTTP method
—namespace
-n		Namespace of the specified resource
—pathDisplay requests with paths that start with this prefix
—routesDisplay data per route instead of per path
—schemeDisplay requests with this scheme
—selector
-l		Selector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’
—toDisplay requests to this resource
—to-namespaceSets the namespace used to lookup the “–to” resource; by default the current “–namespace” is used

uninstall

Output Kubernetes resources to uninstall the linkerd-viz extension.

This command provides all Kubernetes namespace-scoped and cluster-scoped resources (e.g services, deployments, RBACs, etc.) necessary to uninstall the Linkerd-viz extension.

Examples

  1. linkerd viz uninstall | kubectl delete -f -