Deploying Kmesh as a High‑Performance Data Plane for Alibaba Cloud Service Mesh (ASM)

Alibaba Cloud Service Mesh (ASM) supports both Sidecar and Sidecarless modes; the Sidecarless approach reduces latency and resource overhead by moving traffic handling out of the sidecar proxy.

Kmesh is an eBPF‑based high‑performance data‑plane software that implements a dual‑engine mode, using kernel‑space eBPF for L4 traffic interception and a Waypoint proxy for L7 processing, achieving roughly 30% lower latency than Istio Ambient.

To use Kmesh with ASM, first create an ASM instance and add an ACK Kubernetes cluster as a managed cluster, then configure ASM as the control plane and deploy Kmesh as the data‑plane within the same cluster.

Installation steps :

1. Clone the Kmesh repository and enter the project directory.

git clone https://github.com/kmesh-net/kmesh.git && cd kmesh

2. Retrieve the ASM control‑plane Service name (istiod) to set the XDS_ADDRESS variable.

kubectl get svc -n istio-system | grep istiod

3. Create a DaemonSet manifest that sets XDS_ADDRESS and CLUSTER_ID environment variables, mounts required host paths, and runs the Kmesh container.

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kmesh
  namespace: kmesh-system
spec:
  selector:
    matchLabels:
      app: kmesh
  template:
    metadata:
      labels:
        app: kmesh
    spec:
      containers:
      - name: kmesh
        image: registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/kmesh:latest
        env:
        - name: XDS_ADDRESS
          value: "istiod-1-22-6.istio-system.svc:15012"
        - name: CLUSTER_ID
          value: "
"
        securityContext:
          privileged: true
        volumeMounts:
        - name: mnt
          mountPath: /mnt
        - name: sys-fs-bpf
          mountPath: /sys/fs/bpf
        - name: lib-modules
          mountPath: /lib/modules
        - name: cni
          mountPath: /etc/cni/net.d
        - name: kmesh-cni-install-path
          mountPath: /opt/cni/bin
        - name: host-procfs
          mountPath: /host/proc
          readOnly: true
      volumes:
      - name: mnt
        hostPath:
          path: /mnt
      - name: sys-fs-bpf
        hostPath:
          path: /sys/fs/bpf
      - name: lib-modules
        hostPath:
          path: /lib/modules
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: kmesh-cni-install-path
        hostPath:
          path: /opt/cni/bin
      - name: host-procfs
        hostPath:
          path: /proc
          type: Directory

4. Apply the DaemonSet, along with the required RBAC resources and EnvoyFilter configurations that add the Kmesh listener and original‑dst cluster.

kubectl apply -f - <
5. Verify the Kmesh pods are running.
kubectl get pods -A | grep kmesh
6. Label the target namespace to enable Kmesh dataplane mode.
kubectl label namespace default istio.io/dataplane-mode=Kmesh
7. Deploy a sample application (e.g., Fortio) and a virtual‑service that routes 90% of traffic to version v1 and 10% to v2.
kubectl apply -f samples/fortio/fortio-route.yaml
kubectl apply -f samples/fortio/netutils.yaml
8. Test the traffic split by repeatedly curling the service endpoint and observing the
Server
header values.
for i in {1..20}; do kubectl exec -it $(kubectl get pod -l app=netutils -o jsonpath='{.items[0].metadata.name}') -- curl -s $(kubectl get svc fortio -o jsonpath='{.spec.clusterIP}'):80 | grep "Server:"; done
These steps enable a high‑performance, kernel‑accelerated service‑mesh data plane in an Alibaba Cloud ACK cluster, reducing latency and resource consumption while maintaining ASM control‑plane features.