Kmesh

Kernel-native, sidecar-less service mesh with eBPF performance

Kmesh delivers a high-performance, low-overhead service-mesh data plane using eBPF and a programmable kernel, providing traffic management, zero-trust security, and monitoring without sidecars or code changes.

Overview

Kmesh is a kernel-native service mesh data plane that leverages eBPF to intercept and forward traffic directly in the Linux kernel. By eliminating the sidecar proxy, it adds negligible latency and consumes far fewer CPU and memory resources, making it ideal for latency‑sensitive microservices.

Capabilities & Deployment

The platform offers L4 load balancing, simple L7 routing, mutual TLS, and policy enforcement through both eBPF programs and optional Waypoint components. It speaks standard xDS APIs and supports the Gateway API, allowing seamless integration with existing control planes. Operators can start with kernel‑level L4 security and incrementally enable full L7 governance via the dual‑engine mode, facilitating a smooth migration path.

Audience

Designed for Kubernetes clusters on Linux kernels with eBPF support, Kmesh targets teams that need high throughput, minimal resource footprints, and transparent security without modifying application code.

Highlights

  • Sidecar-less, kernel-native data plane with eBPF
  • 60% lower forwarding latency and 40% faster startup
  • 70% reduction in resource overhead vs traditional proxies
  • Zero-trust mutual TLS and policy enforcement in kernel and waypoint

Pros

  • Negligible latency added to traffic
  • Minimal CPU and memory footprint
  • Transparent to applications, no code changes required
  • Supports standard xDS and Gateway API

Considerations

  • Requires kernel version with eBPF support
  • Limited to Linux environments
  • Advanced L7 features need waypoint component
  • Observability tooling may be less mature than established meshes

Managed products teams compare with

When teams consider Kmesh, these hosted platforms usually appear on the same shortlist.

AWS App Mesh

Managed service mesh that simplifies monitoring and controlling inter-service communication in microservices

Google Cloud Service Mesh

Fully managed service mesh on Google Cloud for traffic management and observability

Tetrate Service Bridge

Enterprise service mesh management platform extending Istio across multi-cloud environments

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Latency-sensitive microservices needing near-zero overhead
  • Kubernetes clusters where sidecar injection is undesirable
  • Teams adopting zero-trust security without application refactoring
  • Operators looking to incrementally migrate from no mesh to full L7 governance

Not ideal when

  • Environments without eBPF-compatible kernels
  • Workloads requiring extensive L7 features out-of-the-box
  • Multi-cloud setups needing uniform proxy layer
  • Teams reliant on proprietary mesh extensions not yet supported

How teams use it

High-frequency trading platform

Achieves sub-millisecond request latency while enforcing mutual TLS without sidecars.

Edge microservices in resource-constrained nodes

Reduces CPU and memory usage, allowing higher pod density.

Gradual mesh adoption in existing Kubernetes cluster

Starts with L4 security via eBPF, then adds L7 policies via waypoint.

Zero-trust service communication in regulated industry

Provides kernel-level encryption and policy enforcement meeting compliance requirements.

Tech snapshot

  • Go: 65%
  • C: 30%
  • Shell: 3%
  • Makefile: 1%
  • Dockerfile: 1%
  • Smarty: 1%

Tags

high-performance, kubernetes, microservice, low-overhead, service-mesh, networking, ebpf, kernel, traffic-management, resiliency

Frequently asked questions

Does Kmesh require a sidecar proxy?

No, Kmesh operates in the kernel using eBPF, so no sidecar containers are deployed.

What Kubernetes versions are supported?

Kmesh works on Kubernetes clusters running on Linux kernels that support eBPF (typically 4.14+).

How is traffic encrypted?

Kmesh enables mutual TLS by default, with encryption performed in the eBPF data path and optional waypoint enforcement.

Can Kmesh interoperate with existing Istio control planes?

Kmesh subscribes to standard xDS APIs, allowing it to receive configuration from compatible control planes.

What monitoring metrics are available?

Kmesh exposes observability data through Prometheus metrics and integrates with standard service-mesh dashboards.

Project at a glance

Active
Stars: 700
Watchers: 700
Forks: 142
License: Apache-2.0
Repo age: 2 years old
Last commit: 2 weeks ago
Primary language: Go

Last synced yesterday