linkerd

What is linkerd?

The linkerd image packages the Linkerd service mesh control plane so you can add automatic mTLS, observability, and traffic reliability to your Kubernetes workloads without changing a single line of application code. Linkerd works by injecting an ultralight Rust-based micro-proxy as a sidecar alongside each service pod — this proxy intercepts all inbound and outbound traffic, enforces mutual TLS between services, collects golden metrics (success rate, latency, and throughput), and applies latency-aware load balancing transparently at the network layer. The control plane, installed via the linkerd image, manages proxy configuration, certificate issuance, and policy enforcement across the mesh. Linkerd is a CNCF-graduated project and the lightest-weight service mesh available, consuming significantly fewer resources than Envoy-based alternatives like Istio — making it the standard choice for platform teams that want zero-trust networking, deep observability, and traffic reliability without the operational overhead.

What is Echo's linkerd image?

Echo's linkerd image is a hardened build of linkerd on Echo's hardened base. Echo images are designed to be a drop-in replacement: change the FROM line in your Dockerfile or image reference and CVEs go to zero without disrupting your service mesh. Every image is tested across clouds, image use cases, and deployment targets. Echo ships every image in two variants:

• Distroless variant — optimized for runtime use, with the smallest possible attack surface
• Default variant — includes essential build tools, package managers, and shells for teams that need operational access

For production linkerd deployments, the distroless variant keeps control plane operations — proxy injection, certificate management, policy enforcement, and metrics collection — fully intact while minimizing exposure; the default variant suits platform teams that need shell access for mesh debugging, certificate inspection, or configuration tooling around the Linkerd CLI.

What is the difference between Echo's linkerd image and the public linkerd image?

Public linkerd images ship on bases that include OS-level tooling useful for development and operational tasks but which contribute CVEs that accumulate on a component sitting at the center of every service-to-service connection in your cluster. The service mesh control plane is one of the most sensitive attack surfaces in Kubernetes infrastructure — it issues mTLS certificates for all meshed workloads, enforces traffic policy across namespaces, and has visibility into inter-service communication across your entire application. A compromised linkerd image doesn't just expose one service; it undermines the zero-trust foundation the mesh was installed to provide. Echo's build retains everything linkerd needs for proxy management, certificate issuance, and policy enforcement while removing the packages that don't belong in a production control plane container. As we covered in our post on how to protect your company from software supply chain attacks, security infrastructure images are the highest-value targets in supply chain attacks precisely because compromising them defeats the protections they're meant to provide. Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown — with vulnerabilities triaged within 24 hours. Echo images are recognized by all major scanners and mirrored to all major registries, so they fit into existing pipelines without changing your registry, scanner, or runtime tooling.

FAQ

Can I replace my linkerd image with Echo's linkerd image?

Yes. Echo's linkerd image is a drop-in replacement. Update the image reference in your Helm values or deployment manifests and your service mesh keeps running — the CVEs disappear, the behavior doesn't. Proxy injection, automatic mTLS, golden metrics collection, latency-aware load balancing, and policy enforcement all continue to work without any changes to your existing Linkerd configuration or meshed workloads.

Is Echo's linkerd image FIPS-validated?

Yes. Echo's FIPS-validated images use cryptographic modules with an active FIPS 140-3 CMVP certificate, making them fit for federal use — unlike FIPS-compliant images that haven't been validated. This matters especially for linkerd, whose core value proposition is cryptographic — the control plane issues mTLS certificates for every meshed workload, so the cryptographic integrity of the linkerd image directly determines the security guarantees of your entire service mesh.

What is Echo's vulnerability management SLA on the linkerd image?

Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown — with vulnerabilities triaged within 24 hours. Patches are mirrored automatically into your private registry so you're always running a clean version — critical for a control plane image that issues certificates and enforces traffic policy across every meshed service in your cluster.

Is Echo's linkerd image distroless?

Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. For production linkerd deployments, the distroless variant is the leaner, more secure choice; for platform teams that rely on shell access for mesh debugging, certificate inspection, or Linkerd CLI tooling, the default variant is the right fit.

How does Echo achieve such a drastic CVE reduction in linkerd?

Echo's linkerd image is built from source with only the absolute essentials needed to run the service mesh control plane workload, which significantly shrinks the attack surface. Echo also patches aggressively over time, with backports available so you can stay on the Linkerd version that works for your mesh without forcing a disruptive upgrade for the sake of security.

Will Echo's linkerd image help us achieve FedRAMP?

Yes. The hard parts of FedRAMP — managing vulnerabilities, applying fixes, and using FIPS-validated cryptography — are baked into Echo images, including STIG-hardened configuration and ConMon/POA&M-ready reporting. For platform teams running Linkerd as the zero-trust networking layer under an ATO, Echo's hardened linkerd image keeps the service mesh control plane in-boundary and compliant.