We are delighted to announce the release of Kmesh v1.2.0, a milestone achieved through the collective efforts of our global community over the past three months. Special recognition goes to the contributors from the LXF Project, whose dedication has been pivotal in driving this release forward.
Kmesh v1.2.0 represents a significant step forward in service mesh capabilities, with improved DNS handling, better ServiceEntry support, enhanced upgrade processes, and an expanded feature set in dual-engine mode. These improvements make Kmesh more robust and compatible with the latest service mesh standards.
Key Features and Enhancements
DNS Proxy
DNS Request Interception: Added dnsProxy capability to intercept DNS resolution requests for services managed by Kmesh. This allows Kmesh to gain better control over service discovery.
Domain-IP Mapping Table: Built a dedicated domain-to-address mapping table for Kmesh.
Enhanced IPsec
Improved IPsec Stability: Fixed a critical interoperability issue in the eBPF IPsec implementation that previously caused communication failures between Kmesh-managed and unmanaged nodes across different hosts. This was addressed by redesigning the eBPF decryption logic and optimizing the configuration of xfrm state and policy.
Secret Management in kmeshctl: Improved IPsec usability by enhancing kmeshctl to support secret resource management for encryption keys and simplifying the steps required to create and manage these secrets.
Enhanced ServiceEntry Support
Complete ServiceEntry Types: Fully completed the supported ServiceEntry types in Kmesh, providing comprehensive support for various external service integration scenarios. This enhancement allows users to seamlessly integrate a wider range of external services into the service mesh.
Non-Kubernetes Native Services: Leveraging dnsProxy, ServiceEntry can now manage non-Kubernetes native services within the cluster through fake hostnames.
Zero-Downtime Upgrade Capability
Upgrade Without Connection Disruption: Building upon the v0.5.0 achievement where Kmesh restarts don't affect established connections, v1.2.0 ensures that upgrading the Kmesh daemon doesn't impact existing connections when BPF map structures remain unchanged. This improvement significantly reduces service downtime during maintenance operations and enhances overall system reliability.
NOTE: This feature is currently in the alpha phase.
Dual-Engine Mode Enhancements
Circuit Breaking and Local Rate Limiting: The dual-engine mode now supports circuit breaking and local rate limiting features. These capabilities provide better resilience and protection against service failures and traffic surges, allowing for more robust microservices architectures. The addition of these features in dual-engine mode enables more granular control over service-to-service communication, improving overall system stability and performance under varying load conditions.
Istio Compatibility Updates
Istio 1.26 Support: Full adaptation and compatibility with Istio 1.26, ensuring that Kmesh users can leverage the latest features and security enhancements from the Istio ecosystem.
Deprecation Notice: Istio 1.23 will no longer be supported in Kmesh E2E testing. Users are encouraged to upgrade to newer versions for better performance, security, and feature availability.
What's Changed
- chore: ut coverage for same src/dst but different direction by @yp969803 in #1399
- Changed the metric name of grafana to match the metric name reported by kmesh by @LiZhenCheng9527 in #1404
- refactored updateConnectionMetricCache to report connection-metrics correctly by @yp969803 in #1377
- fix flaky of TestCrossNamespace by @YaoZengzeng in #1413
- add YaoZengzeng as owner by @YaoZengzeng in #1405
- feat: add markdownlint for md documents by @Flying-Tom in #1417
- output kmesh log when e2e test failed by @YaoZengzeng in #1393
- Fix: wrong arg order of testify/assert by @Flying-Tom in #1421
- Fix: bump of containernetworking/plugins by @Flying-Tom in #1418
- feat: add prepare-dev in Makefile by @Flying-Tom in #1426
- update kmesh regular meeting link by @LiZhenCheng9527 in #1415
- Fix: make build should build kmeshctl by @Flying-Tom in #1419
- ENH: refactor ctl/docs generation by @Flying-Tom in #1425
- Upgrading dependencies to avoid vulnerable vulnerabilities by @LiZhenCheng9527 in #1434
- Fix: make format with too many containers by @Flying-Tom in #1435
- eBPF unit test: Remove expired codes & Add framework doc by @sancppp in #1406
- Sort dump output by name by @zrggw in #1432
- update golang.org/x/oauth2 to resolve Input vulnerability by @LiZhenCheng9527 in #1447
- fix markdownlint error by @zrggw in #1448
- add ipsec test case by @zrggw in #1449
- Chore: bump github.com/spf13/pflag & lint fix by @Flying-Tom in #1446
- Tune gemini review severity threshold to HIGH by @hzxuzhonghu in #1445
- add ipsec controller unit test by @zrggw in #1461
- Bump golang.org/x/sys from 0.32.0 to 0.34.0 by @dependabot[bot] in #1471
- add(proposal): Added proposal for Kmesh website automation by @yashisrani in #1433
- fix file non-existent error when kmesh start with --enable-ipsec=true by @zrggw in #1473
- update broken documentation links in CONTRIBUTING.md by @AkarshSahlot in #1480
- Organize documentation by language by @yashisrani in #1478
- Fix typo : Duel to Dual by @mdimado in #1483
- feature(workflow): added Chinese docs grammar checker by @yashisrani in #1484
- feat(kmeshctl):automatic key generation for ipsec secrets by @Vinnu124 in #1487
- support dns proxy by @Kuromesi in #1470
- new kmeshctl secret command by @zrggw in #1495
- Resolving communication issue between pods after enabling IPsec by @zrggw in #1496
- feat: add cgroup_skb eBPF program by @wxnzb in #1474
- feature(workflow): added Kmeshctl doc syncing workflow by @yashisrani in #1498
- ut_sendmsg by @wxnzb in #1452
- change Kmesh deploy yaml by @LiZhenCheng9527 in #1507
- fix an error of kmeshctl waypoint by @LiZhenCheng9527 in #1508
- adapt to istio 1.26 by @YaoZengzeng in #1513
- Proposal: Kmesh-daemon upgrades traffic without disruption by @072020127 in #1441
- ut_cgroup_sock by @wxnzb in #1453
- Add IPsec document content and remove unnecessary OutputMark for egress by @zrggw in #1499
- Feat: Add Workload DnsController by @Flying-Tom in #1438
- Proposal UT_Init by @wxnzb in #1440
- add LiZhenCheng9527 to the maintainer list by @LiZhenCheng9527 in #1516
- Feat: support no traffic disruption during kmesh upgrade by @072020127 in #1503
- add authz and ipsec E2E test by @xiaojiangao123 in #1489
- Proposal: Dns support for Dual-Engine by @Flying-Tom in #1436
- add YaoZengzeng to the maintainer list by @YaoZengzeng in #1517
- update Kmesh supported istiod version by @LiZhenCheng9527 in #1519
- update the ubuntu version used in github CI by @LiZhenCheng9527 in #1518
- Add license scan badge by @LiZhenCheng9527 in #1521
- [clean] only install istiod when kmesh run e2e test by @LiZhenCheng9527 in #1524
- Remove unnecessary images in e2e test by @LiZhenCheng9527 in #1526
- fix e2e shell script error by @LiZhenCheng9527 in #1527
- Fix waypoint address missing in ebpf/endpoints when LocalityInfo is nil by @Copilot in #1534
- Add Free Disk Space step to CI workflows by @Copilot in #1537
- fix kernel-native enhanced mode build failed by @lec-bit in #1535
- refactor kmeshctl secret command by @LiZhenCheng9527 in #1545
- Bump github.com/quic-go/quic-go from 0.48.2 to 0.49.1 by @dependabot[bot] in #1523
- fix error of ipsec handler unit test by @LiZhenCheng9527 in #1546
New Contributors
- @Flying-Tom made their first contribution in #1417
- @zrggw made their first contribution in #1432
- @yashisrani made their first contribution in #1433
- @AkarshSahlot made their first contribution in #1480
- @mdimado made their first contribution in #1483
- @Vinnu124 made their first contribution in #1487
- @wxnzb made their first contribution in #1474
- @072020127 made their first contribution in #1441
- @xiaojiangao123 made their first contribution in #1489
- @Copilot made their first contribution in #1534
Full Changelog: v1.1.0...v1.2.0