Buoyant, the company behind the open-source Linkerd service mesh, announced that Linkerd now supports the Model Context Protocol (MCP), making it the first service mesh to natively manage, secure, and observe agentic AI traffic in Kubernetes environments. The move is designed to accelerate enterprise AI adoption by offering a stable, secure, and fully observable runtime for AI-driven workflows, which behave differently from traditional API-based applications.
The announcement comes as enterprises increasingly integrate AI agents that rely on MCP, a protocol enabling models to access external tools, data sources, and context through persistent, long-lived sessions. Unlike conventional request-response APIs, MCP-driven agentic workloads are unpredictable, stateful, and capable of generating intense resource spikes, creating challenges for organizations lacking visibility or security controls tailored to this new traffic pattern.
Buoyant CEO William Morgan emphasized the urgency:
“Enterprises are eager to innovate with AI, but they can’t do so at the expense of their security posture and application reliability. Linkerd solves this problem by extending its proven capabilities to MCP traffic… giving organizations the tools to accelerate their usage with confidence.”
Linkerd’s upcoming MCP support brings core mesh capabilities, including visibility, access control, and traffic shaping, to agentic AI workloads without requiring additional tools or architectural changes. Enterprises will gain metrics on prompt usage, latencies, failure rates, and resource consumption, along with zero-trust access control for all MCP calls based on cryptographic workload identities. By layering these capabilities into the mesh itself, Buoyant positions Linkerd as a unified control plane for both traditional microservice traffic and emerging AI agent communication.
Early users say this fills a gap in enterprise readiness for AI. Blake Romano, Senior Engineer at Imagine Learning, noted that concerns about MCP security initially slowed their internal rollout. He added that Linkerd’s existing security posture and observability features “removed a major barrier to adoption,” providing visibility into agent behavior and confidence to scale AI initiatives safely.
Buoyant recently showcased MCP support at KubeCon North America in Atlanta on November 10–13, 2025. Full availability has since started rolling out across both open-source Linkerd and Buoyant’s enterprise distribution. While other meshes and API platforms can proxy MCP traffic, none currently treat it as a first-class protocol, leaving enterprises to coordinate AI agents through infrastructures built for traditional, stateless APIs.
Istio, along with other Envoy-backed meshes such as Kuma and Kong Mesh, offers robust security and observability for microservices. However, these meshes lack direct awareness of MCP’s long-lived, stateful sessions. To manage AI agent workflows, organizations must layer in custom Envoy filters or sidecar extensions. This introduces operational complexity and still provides limited visibility into agent behavior, such as prompt flows, session lifecycles, or tool invocation patterns.
While Envoy’s extensibility theoretically enables deeper support, no current distribution provides out-of-the-box MCP capabilities. This leaves enterprises with security and observability gaps, particularly when AI workloads generate unpredictable traffic spikes beyond what these meshes were originally designed to handle.
HashiCorp’s Consul delivers strong application identity, service discovery, and ACL-based traffic authorization. Yet its mesh features remain centered around conventional microservices. MCP traffic is handled as generic L4 or L7 streams, without the protocol-specific semantics needed to track agent state, measure prompt behavior, or apply granular zero-trust policies to model-to-tool interactions. As a result, organizations using Consul still require additional tooling to safely deploy agentic workloads.
Modern gateways such as Kong, Apigee, NGINX, and Ambassador play a vital role in managing API ingress, but they are not equipped for MCP-driven AI traffic. Gateways excel at securing and shaping discrete HTTP requests; MCP, by contrast, relies on persistent sessions, streaming context, and multi-step agent workflows that can bypass gateway enforcement entirely. This limits their ability to enforce per-tool authorization, trace agent reasoning steps, or monitor token usage across long-running interactions.
By integrating MCP directly into the mesh dataplane, Linkerd introduces capabilities currently absent across the service networking ecosystem. These include cryptographically enforced zero-trust for AI agent calls, deep observability into prompt flows and session behavior, and adaptive traffic shaping designed for the bursty nature of agentic workloads.
