At the start of the New Year 2025, we are pleased to announce the release of Kmesh v1.0.0. We would like to express our sincere gratitude to the Kmesh community contributors for their dedication and hard work over the past three months.
In this v1.0.0 release, we have made significant improvements to Kmesh's east-west traffic governance capabilities, particularly in the area of security. We have added support for Encrypted Communication and Authorization, strengthening the overall security posture of Kmesh.
Furthermore, we have introduced support for headless services and locality load balancing, giving users more flexibility and control over their services. We have also added service topology diagrams and optimized the observability features, giving users better visibility into their services in Kmesh.
In Kernel-Native mode, we have added advanced capabilities such as circuit breaking, local rate limiting and restart support, ensuring a comprehensive and robust feature set for our users. In this release cycle, Kmesh has been updated to support Istio 1.24, and we have fixed several critical bugs while also refactoring many key components. To ensure the stability and reliability of the platform, we have significantly increased end-to-end and unit test coverage. We are excited to share these improvements with the Kmesh community and look forward to continued collaboration and growth.
Main Features
Encrypted Communication:
Data transmitted in plaintext between nodes can be read or tampered with by anyone on the network path. To address this, Kmesh v1.0.0 introduces a node encryption mode that uses IPsec to encrypt the traffic flowing between nodes, protecting data in transit from eavesdropping and tampering. This is transport-level encryption between nodes: traffic between two pods on the same node never leaves the host and is not covered by it, and it does not replace workload-level authentication or authorization.
The IPsec encryption behaviour is controlled through Kubernetes Custom Resource Definitions (CRDs), giving users granular control over the encryption policies. On a node, the installed IPsec security associations and policies can be inspected with `ip xfrm state` and `ip xfrm policy`.
Furthermore, Kmesh builds its node-to-node information synchronization on top of the Kubernetes API server, so that the encryption configuration and key management are integrated with the Kubernetes ecosystem, simplifying the deployment and management of the secure communication infrastructure.
Offload Authorization Execution into XDP Prog:
In Kmesh v0.5.0, authorization enforcement was offloaded to an XDP eBPF program. Kmesh v1.0.0 extends this integration.
Kmesh now supports IP-based authorization, with the rule evaluation performed inside the eBPF program itself. When the evaluation results in a rejection, the XDP program drops the packet before it reaches the workload, so the client observes a failed connection.
This mechanism provides a secure, high-performance enforcement point for service-to-service communication. More authorization features will be offloaded to XDP in future releases; feature requests from users are welcome.
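The following Go program is an added illustration and is not Kmesh's XDP code: it models in userspace the decision an IP-based authorization rule must reach, using the evaluation order Istio documents for AuthorizationPolicy (matching DENY policies first, then ALLOW policies, with an empty rule list never matching). That Kmesh's offloaded IP rules follow the same order is this example's assumption; the policy names and CIDRs are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action mirrors the ALLOW/DENY action of an Istio AuthorizationPolicy.
type Action int

const (
	Allow Action = iota
	Deny
)

// IPRule is the part of a policy rule that can be decided from the source
// address alone: source.ipBlocks and source.notIpBlocks.
type IPRule struct {
	IPBlocks    []netip.Prefix
	NotIPBlocks []netip.Prefix
}

// Policy is one AuthorizationPolicy reduced to its action and IP rules.
type Policy struct {
	Name   string
	Action Action
	Rules  []IPRule
}

func anyContains(prefixes []netip.Prefix, ip netip.Addr) bool {
	for _, p := range prefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// matches reports whether one rule matches the source IP: an empty ipBlocks
// list matches any source, and any notIpBlocks hit excludes the source.
func (r IPRule) matches(ip netip.Addr) bool {
	if len(r.IPBlocks) > 0 && !anyContains(r.IPBlocks, ip) {
		return false
	}
	return !anyContains(r.NotIPBlocks, ip)
}

// matches reports whether any rule of the policy matches. A policy with no
// rules never matches (Istio semantics), so an empty ALLOW policy denies all.
func (p Policy) matches(ip netip.Addr) bool {
	for _, r := range p.Rules {
		if r.matches(ip) {
			return true
		}
	}
	return false
}

// Decide applies Istio's documented evaluation order to a source address:
//  1. if any DENY policy matches, the connection is denied;
//  2. if no ALLOW policies exist, it is allowed;
//  3. if any ALLOW policy matches, it is allowed;
//  4. otherwise it is denied.
// An XDP enforcer that reaches "denied" simply drops the packet; the reason
// string here exists only for the reader.
func Decide(policies []Policy, src netip.Addr) (bool, string) {
	hasAllow := false
	for _, p := range policies {
		if p.Action == Deny && p.matches(src) {
			return false, "denied by " + p.Name
		}
		if p.Action == Allow {
			hasAllow = true
		}
	}
	if !hasAllow {
		return true, "no ALLOW policies, default allow"
	}
	for _, p := range policies {
		if p.Action == Allow && p.matches(src) {
			return true, "allowed by " + p.Name
		}
	}
	return false, "no ALLOW policy matched"
}

// SamplePolicies is constructed for this example; the CIDRs are illustrative.
var SamplePolicies = []Policy{
	{Name: "deny-legacy-subnet", Action: Deny, Rules: []IPRule{
		{IPBlocks: []netip.Prefix{netip.MustParsePrefix("10.244.9.0/24")}},
	}},
	{Name: "allow-pod-cidr", Action: Allow, Rules: []IPRule{
		{IPBlocks: []netip.Prefix{netip.MustParsePrefix("10.244.0.0/16")},
			NotIPBlocks: []netip.Prefix{netip.MustParsePrefix("10.244.1.0/24")}},
	}},
}

func main() {
	for _, s := range []string{"10.244.3.7", "10.244.9.1", "10.244.1.5", "192.168.0.10"} {
		ok, why := Decide(SamplePolicies, netip.MustParseAddr(s))
		fmt.Printf("%-13s allowed=%-5t %s\n", s, ok, why)
	}
}
```

The two cases worth checking before trusting any enforcer are the ones that surprise people: a source excluded by notIpBlocks in the only ALLOW policy is denied even though no DENY policy names it, and an ALLOW policy with no rules denies everything it selects.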
Locality Load Balance:
Locality Load Balancing is a critical optimization for performance and reliability in distributed systems. By directing traffic to the nearest service instances, this approach reduces latency, enhances availability, and lowers the costs associated with cross-region data transfers.
Kmesh now supports Locality Load Balancing across five different scopes: region, zone, subZone, nodeName, and clusterId. This fine-grained control allows users to configure load balancing policies based on the most appropriate locality level for their specific deployment topology and requirements.
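To make the scope ordering concrete, here is an added Go example (not Kmesh's own selection code) that ranks backends by how many leading scopes of a preference list they share with the client, and falls back to less specific matches when the closest backends are unhealthy. The prefix-matching rule, the strict/failover distinction, the default preference order and all endpoint data are this example's assumptions.

```go
package main

import "fmt"

// Scope is one of the five locality scopes Kmesh can balance on.
type Scope int

const (
	Region Scope = iota
	Zone
	SubZone
	NodeName
	ClusterID
)

// Locality holds a workload's value for each scope (empty = unknown).
type Locality struct {
	Region, Zone, SubZone, NodeName, ClusterID string
}

func (l Locality) get(s Scope) string {
	switch s {
	case Region:
		return l.Region
	case Zone:
		return l.Zone
	case SubZone:
		return l.SubZone
	case NodeName:
		return l.NodeName
	default:
		return l.ClusterID
	}
}

// Endpoint is a backend address with its locality and health.
type Endpoint struct {
	Addr     string
	Locality Locality
	Healthy  bool
}

// matchDepth counts how many leading scopes of pref the endpoint shares with
// the client. It stops at the first mismatch, so a zone match only counts
// when the region also matches. This prefix rule is the example's assumption.
func matchDepth(pref []Scope, client, ep Locality) int {
	n := 0
	for _, s := range pref {
		if client.get(s) == "" || client.get(s) != ep.get(s) {
			break
		}
		n++
	}
	return n
}

// Select returns the healthy endpoints with the deepest match against pref.
// With strict=true only endpoints matching every preferred scope qualify;
// with strict=false (failover) the deepest available match wins, degrading
// to all healthy endpoints when nothing matches even the first scope.
func Select(pref []Scope, client Locality, eps []Endpoint, strict bool) []string {
	best := -1
	var out []string
	for _, ep := range eps {
		if !ep.Healthy {
			continue
		}
		d := matchDepth(pref, client, ep.Locality)
		if strict && d < len(pref) {
			continue
		}
		switch {
		case d > best:
			best, out = d, []string{ep.Addr}
		case d == best:
			out = append(out, ep.Addr)
		}
	}
	return out
}

// DefaultPref prefers region, then zone, then subZone, then the local node.
var DefaultPref = []Scope{Region, Zone, SubZone, NodeName}

// Client and Backends are constructed sample data for this example.
var Client = Locality{"eu-west", "eu-west-a", "rack-3", "node-7", "prod"}

var Backends = []Endpoint{
	{"10.244.7.10", Locality{"eu-west", "eu-west-a", "rack-3", "node-7", "prod"}, true},
	{"10.244.7.11", Locality{"eu-west", "eu-west-a", "rack-3", "node-7", "prod"}, false},
	{"10.244.5.20", Locality{"eu-west", "eu-west-a", "rack-1", "node-5", "prod"}, true},
	{"10.244.2.30", Locality{"eu-west", "eu-west-b", "rack-9", "node-2", "prod"}, true},
	{"10.248.0.40", Locality{"us-east", "us-east-c", "rack-4", "node-1", "prod"}, true},
}

// WithoutLocal marks the only healthy same-node backend unhealthy, to show failover.
func WithoutLocal() []Endpoint {
	out := append([]Endpoint(nil), Backends...)
	out[0].Healthy = false
	return out
}

func main() {
	fmt.Println("failover, all up:   ", Select(DefaultPref, Client, Backends, false))
	fmt.Println("failover, node down:", Select(DefaultPref, Client, WithoutLocal(), false))
	fmt.Println("strict, node down:  ", Select(DefaultPref, Client, WithoutLocal(), true))
	fmt.Println("client in ap-south: ", Select(DefaultPref, Locality{Region: "ap-south"}, Backends, false))
}
```

The strict case is the one to think about operationally: keeping traffic on the local node or rack lowers latency, but if the only local backends are down a strict policy yields no endpoints at all, so failover is the safer default unless cross-locality traffic is genuinely forbidden.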
Observability enhancement:
Kmesh v1.0.0 introduces enhanced observability features, including the addition of service topology maps. By integrating Kmesh with Kiali, users can now visualize their service topology in a clear and intuitive manner.
Furthermore, Kmesh has optimized its metric labels so that the exported metrics are clearer and easier to interpret, improving the overall usability of Kmesh's observability data.
Leveraging the easy access to network-native data provided by eBPF, Kmesh has also introduced new metrics related to TTL (Time To Live) and retries. This provides users with deeper insights into the state of the network, enabling them to better understand and monitor the performance and reliability of their distributed applications.
Kernel-Native Mode Support Restart:
Kmesh can now reload its eBPF maps and programs after the Kmesh daemon restarts (for example, during an upgrade), so namespaces and pods do not need to be re-registered with Kmesh afterwards.
As a result, service traffic continues uninterrupted while the daemon restarts, which helps maintain the availability and stability of the service mesh and minimizes the impact on end users and applications.
Support Rate Limit and Circuit Breaker:
Kmesh v1.0.0 introduces enhanced traffic governance capabilities for its Kernel-Native Mode. This latest release now supports local rate limiting and circuit breaker functionality, addressing the core traffic management requirements of service mesh deployments.
Users can leverage these traffic governance features in the Kernel-Native Mode in the same way they would utilize rate limiting and circuit breaker capabilities in the Dual-Engine Mode. This consistency across the different operating modes ensures a seamless experience for Kmesh operators, regardless of their chosen deployment architecture.
Support Headless Service and ServiceEntry:
In the Kmesh Dual-Engine Mode, support for headless services and Istio ServiceEntry resources has now been introduced, with end-to-end tests covering ServiceEntry resources that inline workload entries and ones that select WorkloadEntry resources.
Adopt istio 1.24:
Kmesh now supports Istio 1.24, with end-to-end tests in CI to ensure stability on that version. Kmesh is currently compatible with Istio 1.22, 1.23 and 1.24.
Critical Bug Fix:
Critical bug fixes in this release:
1. Support hostname-type waypoints in workload mode
2. Check whether pods should be managed when their namespace is managed
3. Fix eBPF programs exceeding the verifier's 1,000,000-instruction limit ("100w" in the PR title)
What's Changed
- [release-0.5] update VERSION by @hzxuzhonghu in #896
- Fix build warning and remove docker pull explicitly by @hzxuzhonghu in #893
- Revert "update VERSION" by @hzxuzhonghu in #902
- support large scale for ads mode by @nlgwcy in #610
- Update kmesh_deploy_and_develop_in_kind.md by @derekwin in #904
- Enhanced kernel: Build 2 series of eBPF objects(kernel ver. <5.13 & >=5.13) and load eBPF dynamically when Kmesh starts up by @tacslon in #914
- `kmeshctl waypoint` framework by @YaoZengzeng in #901
- fix slow restart in workload mode by @nlgwcy in #924
- infra(ci): update copyright check ci by @yuluo-yx in #932
- Bump google.golang.org/protobuf from 1.34.2 to 1.35.1 by @dependabot in #933
- Fix argument list too long in manage controller by @tacslon in #711
- upgrade golang to 1.23 by @tjons in #929
- Add maintainers file by @hzxuzhonghu in #934
- Update contributing guide by @hzxuzhonghu in #936
- implement `kmeshctl version` by @YaoZengzeng in #919
- Refactor bpf loader by @hzxuzhonghu in #864
- enable/disable accesslog with kmeshctl by @LiZhenCheng9527 in #935
- change `ads` -> `kernel-native` and `workload` -> `duel-engine` in code by @LiZhenCheng9527 in #940
- Add a github action to publish release assets automatically by @LiZhenCheng9527 in #938
- fix format error of `kmeshctl waypoint status --help` by @YaoZengzeng in #942
- rm depends/include/bpf_helper_defs_ext.h by @hzxuzhonghu in #916
- Fix github action arm image built by @hzxuzhonghu in #948
- Fix when bpf loader failed, it should have a chance to dettach bpf pr… by @hzxuzhonghu in #952
- Ignore key not exist error when delete bpf map by @hzxuzhonghu in #957
- if sourceworkload is nil, not print metrics by @LiZhenCheng9527 in #960
- check whether pods should be managed when ns is managed by @YaoZengzeng in #958
- adjust log level for userspace authz by @hzxuzhonghu in #959
- Bump istio dependencies by @hzxuzhonghu in #950
- install istioctl in tmp dir when running E2E tests by @YaoZengzeng in #974
- Fix MAINTAINERS file misspelling by @wbc6080 in #976
- E2E Enhancement Draft by @noobwei in #906
- add clusterid in grpc stream context by @Kuromesi in #982
- g_inner_map_mng.inner_map support persist in restart by @lec-bit in #980
- Bump the k8s-io group with 3 updates by @dependabot in #979
- Fix the typo by @noobwei in #986
- update readme.md. by @LiZhenCheng9527 in #983
- Static compile cni and ctl by @hzxuzhonghu in #989
- Bump github.com/prometheus/common from 0.60.0 to 0.60.1 by @dependabot in #990
- Add locality loadbalance to kmesh workload mode. by @derekwin in #900
- maintain cluster active connection counter for circuit breaker by @Okabe-Rintarou-0 in #570
- fix cannot get RDS after grpc reconnect by @lec-bit in #973
- add xdp test by @yanchaomei in #920
- Add proposal for circuit breaker by @Okabe-Rintarou-0 in #397
- add unit_test_framework proposal by @yanchaomei in #778
- Add Performance Monitoring by @skwwwwww in #887
- Kmesh ads mode cluster add consistent hash lb by @bfforever in #888
- ads: support envoy filter local ratelimit. by @yuanqijing in #859
- ut: fix local ratelimit code cause other failed. by @yuanqijing in #1009
- A constant map is used to pass constants by @LiZhenCheng9527 in #968
- handle hostname type waypoint for istio 1.24 by @YaoZengzeng in #995
- Add a env flag to allow skip installing dependencies when run ./build.sh by @codesmith25103 in #997
- Add logging when grpc closed due to unexpected errors by @LiZhenCheng9527 in #1000
- Update Documentation by @codesmith25103 in #1019
- Some fix about circuit breaker by @Okabe-Rintarou-0 in #1017
- fix lb_ospp bug and add ref by @bfforever in #1003
- Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 by @dependabot in #1005
- separation bpf and binary in Makefile&provides bpf2go outputs files by @lec-bit in #971
- E2E test for ingress gateway by @YaoZengzeng in #1002
- Minor fixes by @hzxuzhonghu in #1007
- feat: reduce binary size of kmeshctl by @am6737 in #1013
- Bump google.golang.org/grpc from 1.67.1 to 1.68.0 by @dependabot in #1026
- Ratelimit bug fix. by @yuanqijing in #1018
- support generating cobra docs by @Okabe-Rintarou-0 in #1031
- fix docgen tag by @Okabe-Rintarou-0 in #1040
- Update --profiling flag in kmesh yaml by @hzxuzhonghu in #1035
- Fix kmesh_map_count_total label by @hzxuzhonghu in #1038
- Add more debug log by @hzxuzhonghu in #1039
- add e2e test for service entry with inlined workload entry by @YaoZengzeng in #1041
- Keep one Kube client create function by @hzxuzhonghu in #1043
- kmeshctl dump failed issue resolve by @codesmith25103 in #1045
- update prometheus image version by @LiZhenCheng9527 in #1046
- handle hostname type waypoint in workload by @YaoZengzeng in #1021
- optimize xDS bpf map by @nlgwcy in #1029
- Use bpf map to pass node IP and pod sub gateway. Skip kubelet probe traffic management from ebpf by @LiZhenCheng9527 in #1015
- support xdp auth in tailcall by @weli-l in #985
- fix bpf load failed in Ubuntu by @nlgwcy in #1054
- Add kmesh ut test on 5.15 by @hzxuzhonghu in #1056
- optimize: fix bpf ins over 100w by @nlgwcy in #1059
- fix sockops prog load failed in Ubuntu kernel-enhanced env by @nlgwcy in #1051
- Provides functions to get and update kmeshconfigMap. by @LiZhenCheng9527 in #1060
- Optimize service lb policy update by @hzxuzhonghu in #1049
- add E2E test for istio 1.24 to CI by @YaoZengzeng in #1063
- Changed log level for authz_offload=0 case by @LiZhenCheng9527 in #1068
- Improvement of metriclabels removal capability at workload granularity by @LiZhenCheng9527 in #1055
- fix Flake of TestAddRemovePodWaypoint by @YaoZengzeng in #1073
- Change enableAccesslog in the startup parameter to enableMetric by @LiZhenCheng9527 in #1067
- map_mertic and bpf_prog_metric test by @skwwwwww in #1070
- fix repeat string field proc by @nlgwcy in #1066
- kernel-native mode support restart by @lec-bit in #987
- fix kmeshctl auth command description by @LiZhenCheng9527 in #1079
- Correct Workload handle order by @hzxuzhonghu in #1047
- Remove enable-bpf-log from the startup parameters by @LiZhenCheng9527 in #1075
- add configuration to collect the Prometheus metrics from Kmesh and rename them into a format that Kiali can read. by @delavet in #1085
- remove spammy log from authz by @hzxuzhonghu in #1086
- add support for PROTOBUF_C_TYPE_BYTES by @weli-l in #1080
- add prefix km_ in almost all kmesh bpf map by @LiZhenCheng9527 in #1084
- Refact: Bpf log reader start by @hzxuzhonghu in #1087
- delete unnecessary kmeshctl handlers by @LiZhenCheng9527 in #1096
- update mapname in kernelnative enhanced by @lec-bit in #1097
- Add kiali addon sample and adjust prometheus_recording_istio sample by @delavet in #1101
- Support workload granularity metrics dynamicly turn on with kmeshctl by @LiZhenCheng9527 in #1093
- Optimised handling when no podCIDR is available by @LiZhenCheng9527 in #1102
- Skip matching svc again in backend_manager by @hzxuzhonghu in #1077
- update issue template by @LiZhenCheng9527 in #1109
- Expand the ringbuf size of tcp_info by @LiZhenCheng9527 in #1103
- update kmesh_support.md by @LiZhenCheng9527 in #1107
- add proposal for Locality LoadBalance by @derekwin in #574
- kmesh monitoring support for headless services by @LiZhenCheng9527 in #1078
- Add kmesh-daemon version subcommand and fix `kmeshctl version` by @hzxuzhonghu in #1114
- update hostname and record unknown services of service metrics by @Kuromesi in #1094
- combining repeating fucntion of UT together for workload by @Insomniac2904 in #1098
- fix start failed in enhanced kernel-native mode by @lec-bit in #1115
- Clean dead code in xdp loader by @hzxuzhonghu in #1122
- better bpf logging by @hzxuzhonghu in #1106
- Bump istio and k8s dependencies by @hzxuzhonghu in #1124
- Bump istio.io/api from 1.24.2-0.20241206152109-43afb8563706 to 1.24.2 by @dependabot in #1125
- fix Invalid size: -1 by @nlgwcy in #1136
- add E2E test "TestServiceEntrySelectsWorkloadEntry" by @YaoZengzeng in #1108
- rename bpf map names to be more explicit by @hzxuzhonghu in #1123
- misc bug fix in manage controller by @hzxuzhonghu in #1121
- Optimised kmeshConfigMap to avoid initialising it every time kmesh reboot. by @LiZhenCheng9527 in #1133
- Bump google.golang.org/protobuf from 1.36.0 to 1.36.1 by @dependabot in #1139
- remove spammy log cause by unknown service access by @hzxuzhonghu in #1127
- fix service DEBUG log report negative number by @LiZhenCheng9527 in #1143
- Fix after kmesh daemon restart, xdp should be re linked by @hzxuzhonghu in #1142
- refine destination service metrics generation by @Kuromesi in #1135
- Optimise the update logic of the frontend table to cope with duplicate service and workload addresses. by @LiZhenCheng9527 in #1148
- Modified log handling in workload_processor by @LiZhenCheng9527 in #1151
- change TestCompareIpByte to table driven test by @LiZhenCheng9527 in #1150
- support xdp auth of IPs by @weli-l in #1095
- add proposal for xdp authz by @weli-l in #1027
- handle service and workload conflicts in the frontend map by @LiZhenCheng9527 in #1153
- make sure uts in different pkg cannot be run in parallel by @hzxuzhonghu in #1145
- Clean up docker properly when ut fails by @LiZhenCheng9527 in #1155
- add meeting in readme by @LiZhenCheng9527 in #1156
- fix ebpf map elem nums grow abnormal by @lec-bit in #1161
- Filter unused authz by @hzxuzhonghu in #1166
- Kmesh enable ipsec by @bitcoffeeiux in #1030
- [release-1.0] update the VERSION to 1.0.0 in Makefile by @LiZhenCheng9527 in #1173
- [release-1.0] Ability to automatically push helm packages at publicize release by @kmesh-bot in #1175
- [release-1.0] improve xdp bpf log by @kmesh-bot in #1177
- [release-1.0] fix DATA RACE in TestCertRoute by @kmesh-bot in #1178
- [cherry-pick-release-1.0.0] can specify the out name for kmeshctl by @LiZhenCheng9527 in #1180
- [release-1.0] Change the version to v1.0.0-rc.0 in the makefile by @LiZhenCheng9527 in #1182
- [release-1.0] add scripts to change kmesh version automatically by @kmesh-bot in #1184
- [release-1.0] adapt MAP_SIZE_OF_LISTENER into 8192 by @kmesh-bot in #1189
- [release-1.0] fix Update mode failed by @kmesh-bot in #1190
- bump golang.org/x/net to address CVE by @hzxuzhonghu in #1195
New Contributors
- @derekwin made their first contribution in #904
- @yuluo-yx made their first contribution in #932
- @tjons made their first contribution in #929
- @wbc6080 made their first contribution in #976
- @Kuromesi made their first contribution in #982
- @yanchaomei made their first contribution in #920
- @skwwwwww made their first contribution in #887
- @codesmith25103 made their first contribution in #997
- @am6737 made their first contribution in #1013
- @delavet made their first contribution in #1085
- @Insomniac2904 made their first contribution in #1098
Thanks to:
We are delighted to welcome new developers to the Kmesh community and appreciate their valuable contributions to this release. A special thank you to: @delavet, @Kuromesi, @Okabe-Rintarou-0, @bfforever, @yanchaomei, @noobwei, @derekwin, @skwwwwww, @yuanqijing and other developers who are new to the Kmesh community.
We also extend our sincere gratitude to the Kmesh community contributors who have consistently supported Kmesh. The successful launch of Kmesh v1.0.0 is a testament to the collective efforts of the entire team.