ExternalWorkload

Linkerd’s mesh expansion functionality allows you to join workloads outside of Kubernetes into the mesh.

At its core, this behavior is controlled by an ExternalWorkload resource, which Linkerd uses to describe a workload that lives outside of Kubernetes for discovery and policy. This resource contains information such as the workload’s identity, its concrete IP address, and the ports on which it accepts connections.

ExternalWorkloads

An ExternalWorkload is a namespaced resource that defines a set of ports and an IP address that is reachable from within the mesh. Linkerd translates that information into EndpointSlices, which are then attached to Service objects.

Spec

  • meshTLS (required) - specifies the identity information that Linkerd requires to establish encrypted connections to this workload
  • workloadIPs (required, at most 1) - an IP address that this workload is reachable on
  • ports - a list of port definitions that the workload exposes

MeshTLS

  • identity (required) - the TLS identity of the workload; proxies require this value to establish TLS connections with the workload
  • serverName (required) - this value is what the workload’s proxy expects to see in the ClientHello SNI TLS extension when other peers attempt to initiate a TLS connection

Port

  • name - must be unique within the ports set. Each named port can be referred to by services.
  • port (required) - a port number that the workload is listening on
  • protocol - protocol exposed by the port

Status

  • conditions - a list of condition objects

Condition

  • lastProbeTime - the last time the healthcheck endpoint was probed
  • lastTransitionTime - the last time the condition transitioned from one status to another
  • status - status of the condition (one of True, False, Unknown)
  • type - type of the condition (Ready is used for indicating discoverability)
  • reason - contains a programmatic identifier indicating the reason for the condition’s last transition
  • message - a human-readable message indicating details about the transition

Example

Below is an example of an ExternalWorkload resource that specifies a number of ports and is selected by a service.

    apiVersion: workload.linkerd.io/v1beta1
    kind: ExternalWorkload
    metadata:
      name: external-workload
      namespace: mixed-env
      labels:
        location: vm
        workload_name: external-workload
    spec:
      meshTLS:
        identity: "spiffe://root.linkerd.cluster.local/external-workload"
        serverName: "external-workload.cluster.local"
      workloadIPs:
      - ip: 193.1.4.11
      ports:
      - port: 80
        name: http
      - port: 9980
        name: admin
    status:
      conditions:
      - type: Ready
        status: "True"
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: external-workload
      namespace: mixed-env
    spec:
      type: ClusterIP
      selector:
        workload_name: external-workload
      ports:
      - port: 80
        protocol: TCP
        name: http
      - port: 9980
        protocol: TCP
        name: admin
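
A pre-apply lint for the field rules listed under Spec, MeshTLS and Port, shown as an added example that is not part of Linkerd or of the original page. The function name `lint_external_workload`, the `GOOD`/`BAD` samples and the 1-65535 port range check are assumptions of this example; manifests are passed as dicts, as a YAML loader would return them.

```python
import ipaddress

def lint_external_workload(manifest):
    """Return a list of violations of the field rules listed on this page."""
    errors = []
    spec = manifest.get("spec") or {}

    # meshTLS is required, and so are both of its fields.
    mesh_tls = spec.get("meshTLS")
    if not isinstance(mesh_tls, dict):
        errors.append("spec.meshTLS is required")
    else:
        for field in ("identity", "serverName"):
            if not mesh_tls.get(field):
                errors.append(f"spec.meshTLS.{field} is required")

    # workloadIPs is required and holds at most one address.
    ips = spec.get("workloadIPs") or []
    if not ips:
        errors.append("spec.workloadIPs is required")
    elif len(ips) > 1:
        errors.append("spec.workloadIPs allows at most 1 entry")
    for entry in ips:
        try:
            ipaddress.ip_address(str(entry.get("ip")))
        except ValueError:
            errors.append(f"spec.workloadIPs: {entry.get('ip')!r} is not an IP address")

    # Each port needs a number (range check is this example's assumption);
    # names, when given, must be unique within the ports set.
    seen = set()
    for i, port in enumerate(spec.get("ports") or []):
        number = port.get("port")
        if not isinstance(number, int) or not 1 <= number <= 65535:
            errors.append(f"spec.ports[{i}].port is required (1-65535)")
        name = port.get("name")
        if name is not None and name in seen:
            errors.append(f"spec.ports[{i}].name {name!r} is duplicated")
        seen.add(name)
    return errors

# The page's example workload spec, expressed as a dict.
_TLS = {"identity": "spiffe://root.linkerd.cluster.local/external-workload",
        "serverName": "external-workload.cluster.local"}
GOOD = {"spec": {"meshTLS": _TLS, "workloadIPs": [{"ip": "193.1.4.11"}],
                 "ports": [{"port": 80, "name": "http"}, {"port": 9980, "name": "admin"}]}}
# Constructed bad input: no serverName, two IPs, duplicate port name.
BAD = {"spec": {"meshTLS": {"identity": _TLS["identity"]},
                "workloadIPs": [{"ip": "193.1.4.11"}, {"ip": "193.1.4.12"}],
                "ports": [{"port": 80, "name": "http"}, {"port": 8080, "name": "http"}]}}
```
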