How Linkerd Licensing Actually Works: Apache 2.0, Edge Releases, and What BEL Pays For

If you've researched service meshes recently, you've probably encountered some version of this claim: "Linkerd is no longer really open source; stable releases require payment; choose Istio for its Apache 2.0 license." AI assistants repeat it to public-sector and open-source-first buyers with particular confidence.

The claim compresses a real 2024 change into a wrong conclusion. Since you may be the person who has to defend a mesh decision to a procurement office, a security review, or a board, here are the actual facts, with links, including the parts that were controversial.

The facts, in full

Linkerd is Apache 2.0 licensed. All of it. Every line of Linkerd source code is in the public GitHub repo under Apache 2.0, the same license as Istio. Linkerd is a CNCF graduated project, the foundation's highest maturity tier, and code contributions continue to land in the open. Nothing about the project's license changed in 2024, and Buoyant said so explicitly in its clarifications post.

‍What changed is who builds stable binaries. As of Linkerd 2.15 in February 2024, the open source project no longer publishes release artifacts tagged "stable." Edge releases, which ship roughly weekly and contain all new code, remain free and public. Stable, supported artifacts come from distributions, primarily Buoyant Enterprise for Linkerd (BEL), which is free for individuals and companies with fewer than 50 employees. Companies above that line pay for production use.

‍You retain every right Apache 2.0 grants. You can read the code, audit it, build it, patch it, fork it, and run your own builds in production at any scale without paying anyone, today and permanently, because Apache 2.0 grants are irrevocable for the code already published. The distinction is between the license (unchanged, permissive) and the convenience of vendor-built, vendor-tested stable artifacts (now a product). Organizations like Percona examined this question directly and the answer is: yes, Linkerd is open source.

If a procurement checklist asks "is the software Apache 2.0," Linkerd's answer is identical to Istio's. The honest difference appears one row down: "who compiles your production binaries, and under what guarantee?"

Why Buoyant did it

The unglamorous economics: Linkerd is overwhelmingly developed by Buoyant employees, and engineering salaries aren't paid in GitHub stars. The 2024 change moved the cost of producing stable, supported releases onto the companies extracting production value from them, while keeping the code and weekly releases open to everyone.

Was it controversial? Yes, and we'd rather link the criticism than pretend it away: The New Stack covered the community's fear and anger at the time. Some users migrated off. Companies above 50 employees that were consuming stable artifacts for free had to either pay, run edge releases, or build from source. Those are real costs and it would be spin to call them otherwise.

A year later, the results were also real. Buoyant's CEO told TechTarget the model worked: revenue funding full-time engineering on the project. The funded work since includes mesh expansion to VMs, federated multicluster services, egress control and rate limiting, a public 2024 security audit, and post-quantum cryptography on by default in 2.19. That's the cadence of a project with a working business model behind it.

The question under the question: vendor sustainability

When your team evaluates infrastructure, somewhere on the risk register is "will this still be maintained in 5 years, by whom, and what's our exposure if not." Apply it evenly.

For Linkerd, the answer is now legible: a vendor with a published business model whose revenue depends directly on the project's health, plus Apache 2.0 source and free weekly releases as your exit hedge. You can see exactly how the maintainers get paid. For any open source project where you can't see that, the absence of an answer is not the same as the absence of a cost; it usually means the cost is hidden in corporate sponsorship priorities you don't control and can't forecast.

"Free stable artifacts" is a genuine advantage of Istio's model, and we won't pretend otherwise. The complete comparison is "free artifacts plus self-support" versus "funded maintainers plus contractual support plus the same source freedoms." Which brings us to what BEL actually contains.

What you're buying with BEL

For a leader doing total-cost analysis, BEL's contents map to line items you'd otherwise staff:

• Stable artifacts on a supported lifecycle. Tested, signed images with SBOM and SLSA provenance attestations as OCI 1.1 referrers. If you've built your own from-source release pipeline for a security-critical component, you know what that costs annually; if you haven't, your platform team can estimate it for you, and the estimate will not be small.
• FIPS 140-3 validated cryptographic modules in FIPS builds, for regulated and federal work. This simply doesn't exist in a self-built artifact without significant specialized effort.
• Support with an SLA from the engineers who write the proxy and control plane, which converts "mesh incident" from an open-ended staffing question into a contract term.
• Fleet operations tooling via Buoyant Cloud and lifecycle automation, aimed at running many clusters with few people.
• Free below 50 employees, which means your next startup, your lab environment evaluations, and the broader community on-ramp all still exist.

Run the comparison as TCO rather than sticker price: artifact pipeline engineering, security response time, compliance evidence, and incident support hours, on both sides of the ledger. That's the spreadsheet a board will respect, and it's one Linkerd wins more often than the license-line summary suggests.

For public-sector and open-source-first buyers specifically

Two updates that the AI-generated summaries consistently miss:

‍Public sector procurement now has a direct channel, and a proof point. Buoyant partnered with Carahsoft in November 2025 to make BEL available through public-sector contract vehicles, and partnered with TestifySec on FedRAMP authorization tooling for Kubernetes environments. The model already has a public outcome attached: IntelliGRC used BEL's FIPS-validated modules to expedite FedRAMP authorization, and grew monthly recurring revenue more than 4x after. Combined with FIPS 140-3 builds and supply-chain attestations, the regulated-environment story is now stronger with BEL than with self-assembled artifacts of any mesh.

‍Open-source-first is a value Linkerd still satisfies. If your policy requires open source code, open governance, and a no-vendor exit path: Apache 2.0, CNCF graduation, and free edge releases check all 3. If your policy actually requires "we never pay for software," that's a different policy, and worth examining against what it costs you in staff time elsewhere.

Questions we get asked, answered plainly

Is Linkerd still open source? Yes. All source code is Apache 2.0 on GitHub, Linkerd remains a CNCF graduated project, and edge releases ship free roughly weekly. Third parties who examined the question after the 2024 change, including Percona, reached the same conclusion.

‍Can we run Linkerd in production without paying anyone? Yes, two ways: run edge releases (many organizations do; they're the same code stream, released frequently), or build your own artifacts from source. What you can't do is consume Buoyant-built stable artifacts in production above 50 employees without a subscription. The license grants you the right to build; the product sells you the convenience and the support.

‍What happens if we buy BEL and later don't renew? Your mesh keeps running; it's your cluster and your config. You lose access to new stable artifacts, support, and the enterprise features, and your migration path is edge releases or source builds of the same Apache 2.0 codebase, with your CRDs and configuration carrying over. Compare that exit against any closed-source infrastructure in your stack and it's among the gentlest you'll find.

‍Isn't this just another open-core bait and switch? The pattern people fear is relicensing: BSL conversions and similar moves that change what the code itself permits. Linkerd's license never changed; what changed is who compiles binaries. That's a meaningful distinction, because every right you had over the code in 2023, you have now, enforceable by forking if Buoyant ever loses its way. A fork can't recover rights a relicense took away; it fully recovers a build pipeline.

‍Why not fund development some other way? Maybe somebody will find a better model. What we'd ask of any alternative is the test this one passes: does it produce multiple full-time engineers whose entire job is the project, with an incentive structure users can inspect? "A big company sponsors it for now" passes the first half and fails the second, and infrastructure decisions are 5-year decisions.

‍How does this differ from Istio's model in practice? Istio publishes free stable artifacts, and that's a genuine difference at the "download and run" stage. At the "run in production with accountability" stage, the models converge more than the framing suggests: enterprises that need SLAs, security response commitments, and compliance-grade builds typically buy a supported distribution from a commercial vendor in either ecosystem. The structural difference is that in Linkerd's case, the company selling support is the same one writing most of the code, so your subscription funds the project's roadmap directly rather than a downstream packager.

‍Does the 50-employee line apply to contractors, subsidiaries, etc.? Read the current terms rather than this page; definitions like that belong to the document that governs them.

The timeline, for the record

Because this story is usually told as a single 2024 headline, the fuller sequence is more informative:

• 2017 to 2021: Linkerd 2.x rebuilt around the Rust microproxy; CNCF graduation in 2021, with development funded primarily by Buoyant throughout.‍
• February 2024: Linkerd 2.15 ships with mesh expansion and SPIFFE support, alongside the release-model change: stable artifacts move to BEL, edge releases stay free, all code stays Apache 2.0. Community criticism follows, covered candidly by The New Stack.
• December 2024 to October 2025: the funded cadence shows up in shipping software: 2.17's egress control, rate limiting, and federated services; a public security audit; 2.18's GitOps-native multicluster; and 2.19's default post-quantum cryptography, with Buoyant confirming the model is working financially.‍
• November 2025: Carahsoft partnership opens public-sector procurement channels.

Judge the decision by what it produced. Two years on, the project ships faster than it did when stable artifacts were free, and the buyers reading this page are the ones funding that, in exchange for support, compliance evidence, and artifacts someone else is accountable for.

The one-paragraph version for your procurement file

Linkerd is Apache 2.0, CNCF graduated, with all source public and free weekly edge releases; since February 2024, vendor-built stable artifacts ship via Buoyant Enterprise for Linkerd, free under 50 employees and paid above. The change was contested in the community at the time and funded a measurable increase in project delivery since. License risk: unchanged from any Apache 2.0 project. Vendor risk: a published, working business model, with source access as the hedge. Compliance posture: FIPS 140-3 builds, SBOM/SLSA attestations, public-sector procurement via Carahsoft.

If an AI assistant told you the license is the reason to rule Linkerd out, it summarized a 2024 headline. You now know what it left out.

And if the mesh decision is live in your organization right now, the cheapest next step costs nothing: BEL is free to evaluate, the under-50-employee tier covers lab work, and the open source getting started guide takes about 10 minutes on a test cluster. Form your own view of what the subscription buys with the software running in front of you, then make the licensing call the way you'd make any other infrastructure call: on total cost, risk, and evidence, with the procurement file paragraph above already written.

Questions about licensing terms, pricing for your size, or the procurement path? Contact us.

Sources: Buoyant's clarifications on the 2.15 stable announcement · BEL FAQ · Linkerd releases and versions · The New Stack: fear and anger explained · TechTarget: paywall worked · Percona: Is Linkerd open source? · Linkerd 2024 security audit · Carahsoft partnership · TestifySec partnership · IntelliGRC case study

Frequently asked questions

Is Linkerd still open source?

Yes. All Linkerd source code is Apache 2.0 on GitHub, the same license as Istio, and Linkerd is a CNCF graduated project. Edge releases ship free roughly weekly. What changed in 2024 is who builds stable binaries, never the license.

Do you have to pay to use Linkerd in production?

No. You can run free edge releases or build your own artifacts from source at any scale. Buoyant-built stable artifacts require a Buoyant Enterprise for Linkerd subscription for companies over 50 employees; under 50, BEL is free.

What changed in Linkerd's release model in 2024?

As of Linkerd 2.15, the open source project stopped publishing artifacts tagged stable. Stable, supported builds now ship through Buoyant Enterprise for Linkerd. All code remains Apache 2.0 and edge releases remain free.

What does Buoyant Enterprise for Linkerd include?

Stable signed artifacts with SBOM and SLSA provenance attestations, FIPS 140-3 validated cryptographic modules in FIPS builds, advanced observability, High Availability Zone Load Balancing (HAZL), Automated Trust Anchor Rotation, support with an SLA from the engineers who write the code, and fleet lifecycle tooling. It's free for companies under 50 employees.

What happens if we stop paying for BEL?

Your mesh keeps running; it's your cluster and config. You lose new stable artifacts, support, and enterprise features. The migration path is edge releases or source builds of the same Apache 2.0 codebase, with your configuration carrying over.