Skip to content
Latchkey

linkerd install: Render Linkerd Manifests

linkerd install renders the Kubernetes YAML for the Linkerd control plane to stdout, which you pipe to kubectl apply.

Unlike a one-shot installer, linkerd install prints manifests so you can review or GitOps them. Modern Linkerd splits CRDs and the control plane into two applies.

What it does

linkerd install generates the control-plane manifests (identity, destination, proxy-injector, and their config) as YAML on stdout. You apply them with kubectl. Recent versions require installing CRDs first with linkerd install --crds, then the control plane.

Common usage

Terminal
# 1) CRDs, 2) control plane
linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -
# supply your own trust anchor and issuer
linkerd install \
  --identity-trust-anchors-file ca.crt \
  --identity-issuer-certificate-file issuer.crt \
  --identity-issuer-key-file issuer.key | kubectl apply -f -

Options

FlagWhat it does
--crdsRender only the CRDs (apply these first)
--identity-trust-anchors-file <f>Provide the trust anchor cert
--identity-issuer-certificate-file <f>Provide the issuer cert
--identity-issuer-key-file <f>Provide the issuer key
--set <path=value>Override a Helm value

In CI

Apply --crds before the control plane or the control-plane apply fails on missing custom resources. For reproducible installs, supply your own identity certs from a secret store instead of letting install generate self-signed ones that rotate on every run.

Common errors in CI

"no matches for kind \"...\" in version \"policy.linkerd.io/...\"" means the CRDs were not applied first; run linkerd install --crds. "you need to install the linkerd CRDs first" is the explicit form. If identity flags are omitted on a re-install, proxies fail mTLS because the trust anchor changed; pin the certs.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →