Install the Linkerd CLI: curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh and run linkerd check --pre to validate cluster prerequisites
Generate CA and issuer certificates with step or the Linkerd cert generation guide, then install the control plane with those certs: linkerd install --identity-trust-anchors-file ca.crt --identity-issuer-certificate-file issuer.crt --identity-issuer-key-file issuer.key | kubectl apply -f -
Inject the data plane into namespaces by adding the annotation linkerd.io/inject: enabled to the namespace or using linkerd inject: kubectl get deploy -n myapp -o yaml | linkerd inject - | kubectl apply -f -
Create a ServiceProfile for the target service specifying routes with name, condition (pathRegex or method), and optionally retryBudget and timeout per route
Apply the ServiceProfile: kubectl apply -f serviceprofile.yaml and observe per-route golden metrics in the Linkerd dashboard: linkerd viz dashboard
Verify mTLS is active for pod-to-pod traffic: linkerd viz edges deployment -n myapp — the SECURED column should show a lock icon for meshed connections
Known gotchas
Linkerd's identity certificates have a 24-hour default validity; if the cert-manager or step issuer is not configured for automatic rotation, certificates will expire and meshed pods will lose mTLS connectivity
ServiceProfile retries apply only to requests that are classified as retryable (idempotent methods like GET by default); POSTs are not retried unless the ServiceProfile route explicitly sets isRetryable: true, which must only be set for truly idempotent endpoints
The Linkerd proxy is injected at pod creation time; existing pods must be restarted after adding the inject annotation to the namespace before they join the mesh
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp