Skip to content

Linkerd Architecture Quiz

This quiz tests your understanding of Linkerd architecture.

Quiz Questions

1. Which is NOT a core component of the Linkerd control plane?

A. Destination Controller B. Identity Controller C. Proxy Injector D. Envoy Proxy

Show Answer

Answer: D. Envoy Proxy

Explanation: The Linkerd control plane consists of Destination, Identity, and Proxy Injector. Envoy is Istio's data plane proxy; Linkerd uses its own linkerd2-proxy written in Rust.

2. What programming language is linkerd2-proxy written in?

A. Go B. C++ C. Rust D. Java

Show Answer

Answer: C. Rust

Explanation: linkerd2-proxy is written in Rust, providing memory safety and high performance. It uses only about 10MB of memory and adds less than 1ms p99 latency.

3. Which is NOT a primary role of the Destination Controller?

A. Service discovery B. Certificate issuance C. ServiceProfile information delivery D. Endpoint updates

Show Answer

Answer: B. Certificate issuance

Explanation: Certificate issuance is the role of the Identity Controller. The Destination Controller is responsible for service discovery, endpoint updates, and distributing ServiceProfile and TrafficSplit policies.

4. What is at the top of Linkerd's certificate hierarchy?

A. Workload Certificate B. Identity Issuer C. Trust Anchor D. Proxy Certificate

Show Answer

Answer: C. Trust Anchor

Explanation: The certificate hierarchy is Trust Anchor (Root CA) → Identity Issuer (Intermediate CA) → Workload Certificate. The Trust Anchor is the root of the PKI and the foundation of trust for all certificate chains.

5. What is the default validity period of workload certificates?

A. 1 hour B. 24 hours C. 7 days D. 30 days

Show Answer

Answer: B. 24 hours

Explanation: Linkerd workload certificates have a default validity period of 24 hours. Proxies automatically renew certificates before expiration. Short validity periods minimize risk in case of certificate compromise.

6. What Kubernetes mechanism does the Proxy Injector use?

A. DaemonSet B. CronJob C. Admission Webhook D. Custom Controller

Show Answer

Answer: C. Admission Webhook

Explanation: The Proxy Injector operates as a Mutating Admission Webhook. It intercepts Pod creation requests and automatically injects the linkerd-proxy sidecar and linkerd-init init container.

7. What is the role of the linkerd-init container?

A. Download proxy configuration B. Set up iptables rules C. Generate certificates D. Collect metrics

Show Answer

Answer: B. Set up iptables rules

Explanation: linkerd-init runs as an Init container to set up iptables rules. These rules redirect all inbound/outbound traffic to the linkerd-proxy.

8. What is the Linkerd proxy inbound port?

A. 4140 B. 4143 C. 4191 D. 8080

Show Answer

Answer: B. 4143

Explanation: Linkerd proxy ports: 4143 (inbound), 4140 (outbound), 4191 (admin/metrics). The inbound port receives traffic from other services.

9. What is the correct SPIFFE ID format?

A. spiffe://cluster/namespace/service B. spiffe://trust-domain/ns/namespace/sa/service-account C. https://linkerd.io/identity/namespace/pod D. urn:linkerd:identity:namespace:pod

Show Answer

Answer: B. spiffe://trust-domain/ns/namespace/sa/service-account

Explanation: Linkerd's SPIFFE ID follows the format spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>. Example: spiffe://root.linkerd.cluster.local/ns/production/sa/web-server

10. Which is NOT a characteristic of linkerd2-proxy compared to Istio's Envoy?

A. Lower memory usage B. Wasm extension support C. Lower latency D. Smaller binary size

Show Answer

Answer: B. Wasm extension support

Explanation: linkerd2-proxy does not support Wasm extensions (limited extensibility). Instead, it is more lightweight with ~10MB memory (Envoy ~50-100MB), <1ms p99 latency (Envoy 2-5ms), and ~10MB binary (Envoy ~60MB).

11. What does the Identity Controller verify before issuing a certificate?

A. Pod's IP address B. ServiceAccount token C. Namespace labels D. ConfigMap settings

Show Answer

Answer: B. ServiceAccount token

Explanation: The Identity Controller verifies the ServiceAccount token sent along with the CSR submitted by the proxy. This confirms that the proxy's identity (SPIFFE ID) matches the actual workload.

12. What is NOT provided by the Linkerd proxy admin port (4191)?

A. Prometheus metrics B. Health check endpoints C. Traffic routing configuration D. Proxy version information

Show Answer

Answer: C. Traffic routing configuration

Explanation: The admin port (4191) provides Prometheus metrics (/metrics), health checks (/ready, /live), and proxy information. Traffic routing configuration is delivered to proxies via gRPC from the Destination Controller.