In Kmesh v0.5.0, some authorization functions were moved into the XDP program. In v1.0.0, more authorization capabilities have been moved to XDP, and IP-based authorization is now supported. The overall processing flow is shown in the chart below:
Kmesh divides authorization into four steps, policy, rule, clause and match, and chains them together through the tail-call mechanism. The whole authorization process runs when a TCP connection is being established. If authorization passes, the traffic continues through the protocol stack to the destination IP address; if it fails, the SYN packet is dropped, so the TCP connection is never established.
By sinking authorization into the XDP program, Kmesh performs the check at the earliest point at which a packet enters the kernel protocol stack. This not only significantly reduces the context-switching overhead between user mode and kernel mode, but also greatly improves packet-processing efficiency, giving high-speed, low-latency authorization. At the same time, packets that fail authorization are dropped directly in the protocol stack, which reduces the consumption of system resources and further strengthens the security and performance of the system. In subsequent releases, Kmesh plans to move more authorization functions into the XDP program. Everyone is welcome to raise their own authorization requirements so that the community can draw up an iteration plan.
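The staged policy → rule → clause → match evaluation on a TCP SYN, as a user-space C model added here for illustration. This is not Kmesh's own XDP code: the policy layout (a policy is an OR over rules, a rule an AND over clauses, a clause an OR over CIDR/port matches), the ALLOW/DENY precedence, the function names and the sample packets and policy are all assumptions made for this example. The verdict values mirror XDP_DROP (1) and XDP_PASS (2) from linux/bpf.h, and the parser bounds-checks every read the way an XDP program must before the verifier accepts it.

```c
/* Added example, not Kmesh code: user-space model of staged SYN authorization. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum verdict { VERDICT_DROP = 1, VERDICT_PASS = 2 }; /* same values as XDP_DROP/XDP_PASS */
enum action  { ACTION_ALLOW, ACTION_DENY };

struct pkt_meta { uint32_t src_ip, dst_ip; uint16_t dst_port; bool is_syn; }; /* host order */

/* Assumed policy model: match -> clause (OR) -> rule (AND) -> policy (OR). */
enum match_kind { MATCH_SRC_CIDR, MATCH_DST_CIDR, MATCH_DST_PORT };
struct match  { enum match_kind kind; uint32_t ip; uint8_t prefix; uint16_t port; };
struct clause { const struct match *matches; size_t n; };
struct rule   { const struct clause *clauses; size_t n; };
struct policy { enum action action; const struct rule *rules; size_t n; };

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Parse Ethernet + IPv4 + TCP, checking length before every read. */
static bool parse_packet(const uint8_t *buf, size_t len, struct pkt_meta *m)
{
    if (len < 14 || rd16(buf + 12) != 0x0800) return false;            /* not IPv4 */
    const uint8_t *ip = buf + 14;
    if (len < 14 + 20 || (ip[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl + 20 || ip[9] != 6) return false;   /* not TCP */
    const uint8_t *tcp = ip + ihl;
    m->src_ip = rd32(ip + 12); m->dst_ip = rd32(ip + 16); m->dst_port = rd16(tcp + 2);
    uint8_t flags = tcp[13];
    m->is_syn = (flags & 0x02) && !(flags & 0x10);   /* SYN without ACK: new connection */
    return true;
}

static bool cidr_has(uint32_t ip, uint32_t net, uint8_t prefix)
{
    uint32_t mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    return (ip & mask) == (net & mask);
}

/* Stage 4: one match entry. */
static bool stage_match(const struct match *mt, const struct pkt_meta *m)
{
    switch (mt->kind) {
    case MATCH_SRC_CIDR: return cidr_has(m->src_ip, mt->ip, mt->prefix);
    case MATCH_DST_CIDR: return cidr_has(m->dst_ip, mt->ip, mt->prefix);
    case MATCH_DST_PORT: return m->dst_port == mt->port;
    }
    return false;
}
/* Stage 3: a clause hits if any match hits. */
static bool stage_clause(const struct clause *c, const struct pkt_meta *m)
{
    for (size_t i = 0; i < c->n; i++) if (stage_match(&c->matches[i], m)) return true;
    return false;
}
/* Stage 2: a rule hits only if every clause hits. */
static bool stage_rule(const struct rule *r, const struct pkt_meta *m)
{
    for (size_t i = 0; i < r->n; i++) if (!stage_clause(&r->clauses[i], m)) return false;
    return r->n > 0;
}
/* Stage 1: a policy hits if any rule hits. */
static bool stage_policy(const struct policy *p, const struct pkt_meta *m)
{
    for (size_t i = 0; i < p->n; i++) if (stage_rule(&p->rules[i], m)) return true;
    return false;
}

/* Assumed precedence: a matching DENY wins; else if ALLOW policies exist the SYN
 * must match one; non-SYN and unparseable packets are passed through untouched. */
enum verdict authorize(const uint8_t *buf, size_t len, const struct policy *pols, size_t npol)
{
    struct pkt_meta m;
    if (!parse_packet(buf, len, &m) || !m.is_syn) return VERDICT_PASS;
    bool any_allow = false, allow_hit = false;
    for (size_t i = 0; i < npol; i++) {
        bool hit = stage_policy(&pols[i], &m);
        if (pols[i].action == ACTION_DENY) { if (hit) return VERDICT_DROP; } /* SYN dropped */
        else { any_allow = true; allow_hit = allow_hit || hit; }
    }
    return (any_allow && !allow_hit) ? VERDICT_DROP : VERDICT_PASS;
}

/* Constructed 54-byte Ethernet/IPv4/TCP frame for testing. */
size_t build_tcp(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                        /* EtherType IPv4 */
    uint8_t *ip = buf + 14; ip[0] = 0x45; ip[9] = 6;       /* IPv4, IHL 5, TCP */
    for (int i = 0; i < 4; i++) { ip[12 + i] = (uint8_t)(src >> (24 - 8 * i)); ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    uint8_t *tcp = ip + 20; tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = flags;                       /* data offset 5, flags */
    return 54;
}
#define IP4(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed policy: DENY new connections from 10.0.0.0/24 to port 8080. */
static const struct match  deny_src[]     = { { MATCH_SRC_CIDR, IP4(10,0,0,0), 24, 0 } };
static const struct match  deny_port[]    = { { MATCH_DST_PORT, 0, 0, 8080 } };
static const struct clause deny_clauses[] = { { deny_src, 1 }, { deny_port, 1 } };
static const struct rule   deny_rules[]   = { { deny_clauses, 2 } };
const struct policy demo_policies[] = { { ACTION_DENY, deny_rules, 1 } };
const size_t demo_npol = 1;

enum verdict verdict_for(uint32_t src, uint32_t dst, uint16_t dport, uint8_t flags)
{
    uint8_t pkt[64];
    size_t n = build_tcp(pkt, src, dst, dport, flags);
    return authorize(pkt, n, demo_policies, demo_npol);
}

int main(void)
{
    printf("SYN 10.0.0.5 -> 10.0.1.9:8080: %s\n",
           verdict_for(IP4(10,0,0,5), IP4(10,0,1,9), 8080, 0x02) == VERDICT_DROP ? "DROP" : "PASS");
    return 0;
}
```

The point to take from the model is where the decision lands: only the SYN is judged, so a denied client never gets a connection and the rest of the stack never sees the flow, while established-connection segments and frames the parser cannot classify are passed through rather than dropped.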
Region-based load balancing
In v1.0.0, Kmesh can load balance based on region. Region-based load balancing is a key performance and reliability optimization in distributed systems: by routing traffic to the service instance with the highest regional priority, it reduces latency and increases availability. A matching example of Kmesh's region-based load balancing is as follows.