SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
Buoyant adds trust anchor rotation in Linkerd 2.20

Fri, 26th Jun 2026
Sean Mitchell, Publisher

Buoyant has released Buoyant Enterprise for Linkerd 2.20, adding automated trust anchor rotation.

The update also extends support to Windows virtual machines outside Kubernetes and adds rate-limit-aware load balancing. Buoyant says the release can also reduce control plane memory use by up to 85% during rapid pod churn.

Buoyant develops the commercial distribution of Linkerd, an open-source service mesh used to manage, secure and observe communication between applications. Service meshes have become a standard part of many cloud-native environments because they handle traffic management and mutual TLS encryption between services without requiring developers to build those functions into application code.

The release focuses on three areas that often create operational strain for platform teams: certificate management, support for older infrastructure and routing under traffic constraints. Those issues can become acute in production environments, where security changes and infrastructure updates risk service interruptions.

Security automation

A central element of the update is a built-in operator for trust anchor rotation. In Linkerd, the trust anchor is the root CA certificate every proxy uses to validate its peers; the identity issuer certificate that signs each workload's certificate chains up to it, so together they sit at the root of every mutual TLS handshake in the mesh. Anchors expire and must be rotated for security and compliance, but a safe rotation is a staged one: distribute a bundle containing both the old and the new anchor to every proxy, reissue the issuer certificate from the new anchor, and only then remove the old anchor. Each stage has to complete across every cluster before the next begins, which has often required careful manual coordination.

A proxy that is presented with a peer certificate chaining to an anchor it does not yet, or no longer, trusts fails the mTLS handshake outright, so a mis-ordered rotation stops application-to-application communication rather than merely degrading it. Buoyant says the new operator automates the steps involved in trust anchor rotation and adds safeguards intended to reduce the risk of downtime during the change.
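To make the ordering constraint concrete, here is an added example that is not Buoyant's operator code or any part of Linkerd. It builds two generations of a throwaway PKI with Go's standard crypto/x509 (one root plus one issuer per generation, and a workload certificate from each issuer) and asks, for each anchor set a proxy might hold mid-rotation, whether it would accept a peer from the other generation. The subject names follow Linkerd's naming conventions but are assumptions, as is the three-stage plan itself; the checks are ordinary chain validation, which is what the trust decision in an mTLS handshake reduces to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a certificate with the private key that signs under it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert creates a key pair and certificate. parent == nil yields a
// self-signed root, i.e. a trust anchor; isCA selects an issuer (intermediate)
// rather than a workload (leaf) certificate such as a proxy would hold.
func newCert(name string, parent *ca, isCA bool) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !isCA {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// Trusts reports whether a proxy holding exactly these trust anchors would
// accept a peer that presents leaf together with the issuer that signed it.
func Trusts(anchors []*x509.Certificate, issuer, leaf *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	inters.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// Outcome holds the checks each stage of a staged rotation relies on.
type Outcome struct {
	BundleTrustsOldLeaf   bool // stage 1 (ship old+new bundle) breaks nothing
	BundleTrustsNewLeaf   bool // stage 2 (reissue from new anchor) works under the bundle
	OldOnlyRejectsNewLeaf bool // why stage 1 must finish everywhere before stage 2
	NewOnlyRejectsOldLeaf bool // why stage 2 must finish everywhere before stage 3
}

// SimulateRotation builds two generations of a throwaway PKI (names assumed)
// and evaluates every combination a proxy could meet mid-rotation.
func SimulateRotation() Outcome {
	oldRoot := newCert("root.linkerd.cluster.local", nil, true)
	oldIssuer := newCert("identity.linkerd.cluster.local", oldRoot, true)
	leafOld := newCert("web.default.serviceaccount.identity.linkerd.cluster.local", oldIssuer, false)
	newRoot := newCert("root.linkerd.cluster.local", nil, true)
	newIssuer := newCert("identity.linkerd.cluster.local", newRoot, true)
	leafNew := newCert("web.default.serviceaccount.identity.linkerd.cluster.local", newIssuer, false)
	oldOnly := []*x509.Certificate{oldRoot.cert}
	newOnly := []*x509.Certificate{newRoot.cert}
	bundle := []*x509.Certificate{oldRoot.cert, newRoot.cert}
	return Outcome{
		BundleTrustsOldLeaf:   Trusts(bundle, oldIssuer.cert, leafOld.cert),
		BundleTrustsNewLeaf:   Trusts(bundle, newIssuer.cert, leafNew.cert),
		OldOnlyRejectsNewLeaf: !Trusts(oldOnly, newIssuer.cert, leafNew.cert),
		NewOnlyRejectsOldLeaf: !Trusts(newOnly, oldIssuer.cert, leafOld.cert),
	}
}

func main() {
	fmt.Printf("%+v\n", SimulateRotation())
}
```

All four fields come back true. The two "rejects" results are the ones that matter operationally: a proxy still on the old-only anchor cannot talk to a peer that has already been reissued under the new anchor, and a proxy already moved to the new-only anchor cannot talk to a peer still carrying an old-generation certificate. Any automation, whether Buoyant's operator or a hand-written runbook, therefore has to confirm that a stage has landed on every proxy in every cluster before starting the next one; the bundle is what makes both generations valid during the overlap.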

The move reflects a broader trend in infrastructure software toward automating security operations once treated as specialist maintenance work. As more organisations run large clusters with constant application changes, even routine certificate tasks can have outsized operational consequences.

Windows support

The release also expands Linkerd beyond container-only environments by adding support for Windows virtual machines running outside Kubernetes. That brings non-containerised Windows applications into a mesh architecture largely associated with Linux-based containers and Kubernetes clusters.

The feature uses Linkerd's Rust-based dataplane microproxies to connect those external Windows workloads to the mesh. Once attached, those workloads can use the same encrypted communications and traffic policies as services already running inside Kubernetes.

That includes mutual TLS, retries, timeouts, circuit breaking and multi-cluster routing. For companies still operating a mix of modern cloud-native applications and older Windows-based systems, the feature could provide a way to apply consistent networking and security controls across both environments.

Buoyant described the release as the first formal service mesh support for non-containerised Windows legacy applications. The addition addresses a practical issue for many larger IT estates, where critical business software may remain on virtual machines long after newer services have moved into containers.

Traffic handling

Another part of the update changes how Linkerd distributes traffic when upstream services are reaching rate limits. Buoyant says the new rate-limit-aware load balancing shifts requests away from overloaded targets to preserve overall throughput across the platform.

Load balancing has become more nuanced as distributed applications depend on upstream services with their own quotas and thresholds. A routing system that continues to send traffic evenly to constrained targets can worsen failures, particularly during traffic spikes or periods of partial degradation. By making the load balancer aware of those limits, Buoyant is trying to reduce that effect.
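The page gives no detail of Linkerd's balancing algorithm, so the following is an added illustration of the idea rather than Buoyant's implementation: a small Go balancer that rotates over upstream replicas, parks any replica that answers 429 Too Many Requests for the Retry-After it advertises, and, if every replica is parked, picks the one that recovers soonest rather than failing the request. The addresses, responses and clock are constructed for the simulation.

```go
package main

import (
	"fmt"
	"time"
)

// Endpoint is one upstream replica as the balancer sees it. limitedUntil is
// zero unless the replica recently answered 429 Too Many Requests.
type Endpoint struct {
	Addr         string
	limitedUntil time.Time
}

// Balancer rotates over endpoints that are not in a rate-limit cool-down.
// Illustrative only: this is not Linkerd's algorithm.
type Balancer struct {
	eps  []*Endpoint
	next int
	now  func() time.Time // injectable clock so behaviour can be tested
}

func NewBalancer(now func() time.Time, addrs ...string) *Balancer {
	b := &Balancer{now: now}
	for _, a := range addrs {
		b.eps = append(b.eps, &Endpoint{Addr: a})
	}
	return b
}

// Pick returns the next endpoint that is not cooling down. If every endpoint
// is rate limited it returns the one whose cool-down ends soonest instead of
// failing the request, so a transient quota blip does not become an outage.
func (b *Balancer) Pick() *Endpoint {
	now, n := b.now(), len(b.eps)
	for i := 0; i < n; i++ {
		e := b.eps[(b.next+i)%n]
		if !e.limitedUntil.After(now) {
			b.next = (b.next + i + 1) % n
			return e
		}
	}
	best := b.eps[0]
	for _, e := range b.eps[1:] {
		if e.limitedUntil.Before(best.limitedUntil) {
			best = e
		}
	}
	return best
}

// Report feeds a response back. A 429 parks the endpoint for retryAfter (the
// Retry-After header, or a default when the upstream sends none).
func (b *Balancer) Report(e *Endpoint, status int, retryAfter time.Duration) {
	if status != 429 {
		return
	}
	if retryAfter <= 0 {
		retryAfter = time.Second
	}
	e.limitedUntil = b.now().Add(retryAfter)
}

// Split counts where requests landed in the simulation below.
type Split struct {
	ToLimitedDuringCooldown int
	ToHealthyDuringCooldown int
	ToLimitedAfterCooldown  int
}

// Simulate sends 50 requests while replica .2 answers every request with
// 429 and Retry-After: 5 (constructed), then 50 more after the cool-down.
func Simulate() Split {
	clock := time.Date(2026, 6, 26, 12, 0, 0, 0, time.UTC)
	b := NewBalancer(func() time.Time { return clock }, "10.0.0.1:8080", "10.0.0.2:8080")
	limited := b.eps[1]
	var s Split
	for i := 0; i < 50; i++ {
		e := b.Pick()
		if e == limited {
			s.ToLimitedDuringCooldown++
			b.Report(e, 429, 5*time.Second)
		} else {
			s.ToHealthyDuringCooldown++
			b.Report(e, 200, 0)
		}
	}
	clock = clock.Add(10 * time.Second) // cool-down has expired
	for i := 0; i < 50; i++ {
		if b.Pick() == limited {
			s.ToLimitedAfterCooldown++
		}
	}
	return s
}

func main() {
	fmt.Printf("%+v\n", Simulate())
}
```

During the cool-down exactly one request reaches the constrained replica (the one that produced the 429) and the remaining 49 go to its healthy neighbour; once the advertised Retry-After has passed, traffic returns to an even split. The same feedback loop generalises to any upstream-signalled pressure, such as 503 with Retry-After, and the all-parked fallback is the case worth thinking about in production: shedding load or failing fast may be preferable to hammering the replica that is about to recover, depending on the upstream's quota semantics.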

Buoyant has also reworked the internal destination controller to structure common cluster states differently, lowering memory consumption in the control plane. The company says the change can cut memory use by up to 85% when pods are rapidly starting, stopping or being rescheduled.

That type of churn is common in busy Kubernetes environments, especially in autoscaling systems and batch workloads. Lower memory requirements in the control plane can help operators keep clusters stable and reduce infrastructure overhead, particularly where many services are being orchestrated at once.

Native Kubernetes sidecar orchestration, which runs the proxy as a Kubernetes-managed sidecar container that is started before the application containers and stopped after them, has also been promoted to general availability and made the default in the release. Buoyant says the change is intended to address anomalies in container start-up order and initialisation races during batch job execution.

The launch marks the sixth consecutive major enterprise product release from Buoyant, which has built its business around commercial support and tooling for Linkerd. The company was founded by engineers focused on cloud infrastructure and has positioned itself around security and reliability for distributed applications.

William Morgan, Founder and CEO of Buoyant, framed the release around Kubernetes platforms running at their limits.

"Linkerd is mission-critical infrastructure for companies and systems that people around the world rely on every day," said William Morgan, Founder and CEO of Buoyant. "Our goal for the 2.20 release was to eliminate the operational complexities that crop up when Kubernetes platforms are truly pushed to their limits, and we worked hand-in-hand with our customers to ensure Linkerd allows them to deliver even the most complex capabilities seamlessly and reliably at scale."