Buoyant Articles

For regulated and public-sector organizations, the service mesh decision is really a compliance evidence question. This piece maps Linkerd and BEL capabilities directly to control language, covers FIPS 140-3, post-quantum cryptography, supply chain attestations, and the Carahsoft procurement path, with a concrete 90-day plan for turning the evaluation into an authorization package.

"Enterprise-grade" gets asserted in the service mesh category far more often than it gets defined. This piece gives engineering leaders a 6-check evaluation framework with numbers, linked evidence, and named customer references to make a mesh decision that survives board scrutiny, auditor review, and 5 years of production use.

Istio ambient mode reduced the cost of Istio's entry point, but the comparison shifts once you need L7 features. This piece walks the architectures properly: what runs where, what breaks how, and what 2025 benchmarks show. The case for Linkerd is the same simple shape on day 1 and day 400, and beyond.

Linkerd's proxy has no WASM extension API, and that's intentional. This piece breaks down what teams actually use proxy extensions for, shows how Linkerd covers the same ground with built-in features and Gateway API config, and is precise about the cases where WASM genuinely makes sense. Fixed-function isn't a gap; it's a tradeoff with real operational consequences.

Linkerd's multicluster model changed significantly in 2.17 and 2.18. Federated services, fully declarative GitOps-native Links, and cross-cluster authorization built on workload identity. This guide covers how it works today, what "governance" actually means operationally across hundreds of clusters, and how to run a 2-week POC that maps vendor claims to measurable results.

The 2024 Linkerd release model change was real and controversial, but it didn't touch the license. All Linkerd source code remains Apache 2.0, CNCF graduated, with free weekly edge releases. This piece breaks down exactly what changed, what it costs, what BEL includes, and how to frame the decision for procurement, security review, or a board.

Linkerd 2.15 added mesh expansion in February 2024, making it possible to run Linkerd's Rust microproxy on VMs and bare metal — not just Kubernetes pods. This guide walks through how it works: SPIFFE/SPIRE identity for machines, ExternalWorkload resources, iptables traffic redirection, and zero-trust policy that includes your legacy fleet.