Today we're happy to announce Buoyant Enterprise for Linkerd 2.19! This release introduces official support for containerized Windows applications, and adds a modern on-cluster dashboard designed to replace the aging Linkerd-Viz. The 2.19 release also introduces two significant state-of-the-art security improvements for Linkerd: a modernized TLS stack that uses post-quantum key exchange algorithms by default (or, optionally, FIPS 140-3 validated cryptographic modules); and a new supply chain security pipeline, with native OCI 1.1 referrer support and end-to-end signing for all images.

If you’re interested in a technical deep dive on this release, don't miss our next Service Mesh Academy workshop, Yes! Linkerd Does Windows, on December 11th, 2025, for a walkthrough of Linkerd's new support for Windows containers.

With this release, Linkerd becomes the first service mesh to offer official support for Windows. This is just the latest in a long list of firsts for Linkerd—the first service mesh; the project to coin the term itself; the first service mesh to achieve graduated status in the CNCF. Support for Windows containers is part of a longer roadmap for broad support of Windows applications with Linkerd. This roadmap started with the introduction of experimental Windows support announced in Linkerd 2.18, and will be continued in the upcoming Linkerd 2.20 release with support for running Linkerd on Windows VMs, outside of Kubernetes.

Linkerd has now seen almost a decade of continuous improvement and evolution. Our goal is to build a service mesh that our users can rely on for 100 years. To do this, we partner with users like Grammarly to ensure that Linkerd can accelerate the full scale and scope of modern software environments—and then we feed those lessons directly back into the product. Linkerd 2.19 release is the third major version since the announcement of Buoyant's profitability and Linkerd project sustainability a year ago, and continues our laser focus on operational simplicity—delivering the notoriously complex service mesh feature set in a way that is manageable, scalable, and performant.

Windows support

Linkerd’s ultra-light Rust “microproxies” can now run on Windows Kubernetes nodes, allowing containerized Windows applications to join the mesh and take full advantage of Linkerd’s full suite of reliability, observability, and security features, including mutual TLS, retries and timeouts, circuit breaking, and multicluster communication.

In keeping with Linkerd’s goal of delivering the full power of the service mesh with maximum simplicity, meshing your containerized Windows applications with Linkerd is as simple as annotating Windows pods with:

     annotations:
        linkerd.io/inject: windows
        config.linkerd.io/proxy-image: ghcr.io/buoyantio/proxy-win

Containerized Windows applications with these annotations will be automatically meshed by Linkerd, and all TCP traffic to and from these applications automatically mediated by the Linkerd dataplane microproxy.

Post-quantum TLS and FIPS 140-3

Linkerd’s internal TLS infrastructure received an overhaul in Linkerd 2.19, preparing it for a potential post-quantum future. We’ve updated the core cryptographic module in the proxy from `ring` to `aws-lc`, and added support for the AES_128_GCM ciphersuite and the post-quantum ML-KEM-768 key exchange algorithm, which are used by default for all communication between meshed pods. Additionally, the exact TLS cipher, key exchange, and signature algorithm in use are now exported as part of the standard metrics suite. Finally, in FIPS builds, Buoyant Enterprise for Linkerd now uses FIPS 140-3 validated cryptographic modules with AES_256_GCM.

End-to-end supply chain security

Supply chain attacks are an increasingly common threat vector in the enterprise, and Buoyant is at the forefront of protecting our customers against these issues. While we’ve been publishing full SBOMs for BEL container images since Linkerd 2.15, Linkerd 2.19 introduces a new, state-of-the-art container release pipeline with native OCI 1.1 referrer support and end-to-end image signing.

In Linkerd 2.19, all stable BEL images now ship with SBOM and SLSA v0.2 provenance attestations, published as first-class OCI 1.1 referrers and signed by digest. This means that BEL supply chain metadata is now linked to its corresponding images directly within the registry and is cryptographically signed, allowing registry-native verification of both image authenticity and integrity.

With these changes, Linkerd’s supply chain is not only transparent, standards-compliant, and verifiable, but also aligned with emerging industry standards for software supply chain security. Enterprises can take advantage of this supply-chain information to verify provenance and authenticity of BEL images in a fully programmatic way at deploy time, using tools such as `oras`, `cosign` and `skopeo`.

New on-cluster dashboard with TLS and FIPS auditing

We’re excited to announce that alongside Linkerd 2.19 we’ve also shipped a new on-cluster Linkerd web dashboard designed to replace the ailing `linkerd-viz` web UI. This new Linkerd dashboard is under rapid iteration, but as of today is stable and ready for you to kick the tires!

The new Linkerd dashboard includes the majority of the functionality of the older `linkerd-viz` dashboard, plus additional views of live TLS traffic that allow you to audit real-time and historical use of TLS, including (when enabled) use of FIPS validated cryptography. This includes:

• Easy identification of plaintext traffic
• Filtering by source, destination, port, and traffic type
• Identification of FIPS 140-3 and 140-2 cryptographic modules
• And more!

The dashboard is compatible with Buoyant Enterprise for Linkerd 2.17 and beyond and can be downloaded https://docs.buoyant.io/linkerd-dashboard/getting-started/. 

Other fun stuff

Linkerd 2.19 officially promotes its support of native sidecars from alpha to beta. Native sidecars were first supported by Linkerd 2.15, and moved to graduated status in Kubernetes this April. This feature fixes some of the long-standing annoyances of using sidecar containers in Kubernetes, especially around support for Jobs and race conditions around container startup. Native sidecars can now be enabled by setting the `config.beta.linkerd.io/proxy-enable-native-sidecar` annotation.

The 2.19 release also fixes a smattering of smaller issues. Linkerd will now block connections to ports of a clusterIP Service which are not defined in the Service spec, matching the behavior of kube-proxy. We fixed discovery staleness when targeting the linkerd-admin port in native-sidecar mode; a potential panic in the control plane when processing discovery requests with invalid hostnames; and an issue where invalid podSelectors in Server resources could prevent all Server resources from being processed. The full changelog will be available soon.

Getting your hands on Linkerd 2.19

Buoyant Enterprise for Linkerd is the enterprise version of Linkerd. Over the next few days, we will publish the official stable 2.19.0 release package of Buoyant Enterprise for Linkerd, as well as a comprehensive changelog and upgrade guidance for existing Linkerd users. BEL is free for anyone to download and use in non-production environments, and free for companies with fewer than 50 employees to run in production. BEL is the version of Linkerd that we run in our own production systems, and you can get started with BEL in under five minutes.