Update edge docs for native sidecars enabled by default in Linkerd 2.20#2123
Merged
Conversation
alpeb
force-pushed
the
alpeb/native-sidecar-2.20
branch
from
87f49af to
a90b2e2
Compare
raykroeker
approved these changes
Jun 15, 2026
raykroeker
left a comment
raykroeker
left a comment
There was a problem hiding this comment.
I left a comment related to clarity around manual shutdown and a question.
| traffic cannot flow. In that case you should either avoid meshing grafana's | ||
| pod, skip outbound port 443 via the | ||
| `config.linkerd.io/skip-outbound-ports: "443"` annotation, or run the container | ||
| with the proxy's UID. See |
There was a problem hiding this comment.
Running multiple processes under the same UID feels like a general anti-pattern. I understand we recommend it elsewhere, should we continue to promote it?
Member
Author
There was a problem hiding this comment.
One advantage of this approach is that it keeps that specific init container out of the mesh, whereas the annotation alternative would apply to all containers in the pod. That said, I can see your point; it may be worth discussing further. If you feel strongly about it, please feel free to open a ticket so we can track it
As of Linkerd 2.20 the proxy is injected by default as a native sidecar container (an init container with `restartPolicy: Always`) instead of a regular container. Update the edge docs accordingly: - features/native-sidecars.md: state the new default and replace the "Enabling" section with instructions for disabling the mode, via the `config.linkerd.io/proxy-enable-native-sidecar: false` annotation at the namespace or workload level, or globally via the Helm value `proxy.nativeSidecar: false` - features/proxy-injection.md, reference/architecture.md: mention the proxy is now injected as a native sidecar by default - features/cni.md, tasks/grafana.md: scope the initContainer networking limitation (and its workarounds) to the case where native sidecars have been disabled, since init containers now have network access by default - tasks/graceful-shutdown.md: meshed Jobs and Cronjobs now complete without extra configuration; scope the hanging-pod issue and the manual /shutdown workaround to the non-native-sidecar case. Drop the `--wait-before-seconds` option and the "Slow Updating Clients" section, which are no longer relevant with native sidecars - tasks/adding-your-service.md: fix the mesh verification command to look for the proxy under `spec.initContainers` instead of `spec.containers`
alpeb
force-pushed
the
alpeb/native-sidecar-2.20
branch
from
a90b2e2 to
b8d907f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
As of Linkerd 2.20 the proxy is injected by default as a native sidecar container (an init container with
restartPolicy: Always) instead of a regular container. Update the edge docs accordingly:config.linkerd.io/proxy-enable-native-sidecar: falseannotation at the namespace or workload level, or globally via the Helm valueproxy.nativeSidecar: false--wait-before-secondsoption and the "Slow Updating Clients" section, which are no longer relevant with native sidecarsspec.initContainersinstead ofspec.containers