github.com/go-kratos/kratos
★
★
★
★
★
3
reviews
65
Security
23
Quality
35
Maintenance
44
Overall
v1.0.1
Go
Go
Jul 6, 2021
25455
GitHub Stars
2.7/5
Avg Rating
Community Reviews
CAUTION
Powerful microservices framework with a steep learning curve and dated v1 APIs
Kratos v1 provides a comprehensive microservices toolkit with built-in transport layers (gRPC, HTTP), middleware chains, and service discovery. The framework follows a convention-over-configuration approach that works well once you understand its patterns, but getting there requires significant effort. The code generation tooling helps scaffold services quickly, though the generated code can be opaque to newcomers.
The documentation is primarily in Chinese with English translations that are often incomplete or unclear. Error messages tend to be generic, making debugging challenging when things go wrong with the transport layer or middleware stack. IDE support is standard for Go projects, but without strong documentation, discoverability of framework features relies heavily on reading example code.
Note that v1.0.1 (2021) is the legacy version. The team has since moved to v2 with breaking changes and better ergonomics. If starting fresh, consider v2 instead. The v1 migration path is essentially a rewrite, as the architectural patterns changed significantly between versions.
The documentation is primarily in Chinese with English translations that are often incomplete or unclear. Error messages tend to be generic, making debugging challenging when things go wrong with the transport layer or middleware stack. IDE support is standard for Go projects, but without strong documentation, discoverability of framework features relies heavily on reading example code.
Note that v1.0.1 (2021) is the legacy version. The team has since moved to v2 with breaking changes and better ergonomics. If starting fresh, consider v2 instead. The v1 migration path is essentially a rewrite, as the architectural patterns changed significantly between versions.
Integrated transport abstraction handles both gRPC and HTTP with consistent middleware patterns
Code generation CLI reduces boilerplate for creating new services with standard structure
Built-in service discovery, configuration management, and observability hooks cover common microservice needs
Middleware system is composable and allows custom logic injection at transport and business layers
Documentation heavily skewed toward Chinese with incomplete English translations and sparse API references
Generic error messages make troubleshooting transport and middleware issues time-consuming
v1 is essentially deprecated with no clear migration tooling to v2, requiring significant refactoring
Steep learning curve due to implicit conventions and lack of comprehensive getting-started guides
Best for: Teams already invested in Kratos v1 or Chinese-speaking developers comfortable navigating Chinese documentation for microservices projects.
Avoid if: You're starting a new project (use v2 instead) or need excellent English documentation and clear upgrade paths.
CAUTION
Powerful framework hampered by v1/v2 confusion and steep learning curve
Kratos presents a significant challenge for newcomers due to the confusing split between v1 and v2 versions. The package at github.com/go-kratos/kratos (v1.0.1) is essentially deprecated, while active development happens in v2 under a different import path. This creates serious onboarding friction as documentation often references v2 APIs that don't match v1, leading to hours of debugging import errors and incompatible code examples.
The v1 framework itself is quite opinionated, requiring you to structure projects in specific ways with heavy reliance on code generation. Error messages when you deviate from expected patterns are cryptic, often just generic reflection errors. While the framework handles gRPC and HTTP well once configured, getting there involves navigating scattered documentation and examples that assume familiarity with Bilibili's internal conventions.
Community support is challenging as most GitHub issues and Stack Overflow questions focus on v2, making it difficult to find relevant help for v1 problems. The Chinese-first documentation means English resources are often incomplete or machine-translated, adding another barrier for international developers.
The v1 framework itself is quite opinionated, requiring you to structure projects in specific ways with heavy reliance on code generation. Error messages when you deviate from expected patterns are cryptic, often just generic reflection errors. While the framework handles gRPC and HTTP well once configured, getting there involves navigating scattered documentation and examples that assume familiarity with Bilibili's internal conventions.
Community support is challenging as most GitHub issues and Stack Overflow questions focus on v2, making it difficult to find relevant help for v1 problems. The Chinese-first documentation means English resources are often incomplete or machine-translated, adding another barrier for international developers.
Built-in support for both gRPC and HTTP with automatic protocol conversion
Integrated distributed tracing and metrics collection out of the box
Comprehensive middleware system for cross-cutting concerns
Major version confusion with v1 effectively abandoned while still listed as latest on some registries
Steep learning curve with opinionated structure and heavy code generation requirements
Poor error messages that obscure root causes, making debugging frustrating
Documentation primarily targets Chinese developers with incomplete English translations
Best for: Teams already invested in the Kratos ecosystem or familiar with Chinese tech stacks who need a batteries-included microservice framework.
Avoid if: You need quick onboarding, clear English documentation, or are building your first microservice in Go.
CAUTION
Solid microservices framework but security defaults need attention
Kratos v1 provides a well-structured microservices framework with good patterns for service discovery, tracing, and middleware composition. The framework encourages clean architecture and makes it straightforward to build gRPC and HTTP services side-by-side. However, from a security perspective, there are notable concerns that require careful attention.
The framework doesn't enforce TLS by default - you must explicitly configure it, and the documentation examples often show insecure configurations. Authentication and authorization are left entirely to the developer with minimal guidance or batteries-included solutions. Input validation isn't built into the framework layer, relying entirely on protobuf validation or custom middleware. Error handling can leak internal details if you're not careful with the default error interceptors.
The dependency chain is manageable but this v1 release is essentially legacy - the project moved to v2 with breaking changes. Supply chain risk is moderate given the Bilibili backing, but CVE response isn't clearly documented. For production use, expect to invest significant effort hardening the defaults.
The framework doesn't enforce TLS by default - you must explicitly configure it, and the documentation examples often show insecure configurations. Authentication and authorization are left entirely to the developer with minimal guidance or batteries-included solutions. Input validation isn't built into the framework layer, relying entirely on protobuf validation or custom middleware. Error handling can leak internal details if you're not careful with the default error interceptors.
The dependency chain is manageable but this v1 release is essentially legacy - the project moved to v2 with breaking changes. Supply chain risk is moderate given the Bilibili backing, but CVE response isn't clearly documented. For production use, expect to invest significant effort hardening the defaults.
Clean middleware pattern makes it easy to add authentication and rate limiting layers
Good separation between transport and business logic reduces attack surface confusion
Built-in distributed tracing helps with security incident investigation
Protocol buffer integration provides type safety at API boundaries
No TLS-by-default configuration, insecure examples in docs are concerning
Authentication/authorization patterns are completely DIY with no framework guidance
Error responses can leak stack traces and internal paths without careful middleware setup
Version 1.x is legacy with limited maintenance, security patches unclear
Best for: Teams with strong security expertise building internal microservices who can invest in hardening defaults.
Avoid if: You need security-by-default configuration or are building internet-facing services without dedicated security resources.
Write a Review
Sign in to write a review
Sign In
Dependencies
github.com/BurntSushi/toml
v0.3.1
github.com/HdrHistogram/hdrhistogram-go
v1.0.1
github.com/StackExchange/wmi
v0.0.0-20190523213315-cbe66965904d
github.com/aristanetworks/goarista
v0.0.0-20190912214011-b54698eaaca6
github.com/cznic/b
v0.0.0-20181122101859-a26611c4d92d
github.com/cznic/mathutil
v0.0.0-20181122101859-297441e03548
github.com/cznic/strutil
v0.0.0-20181122101858-275e90344537
github.com/dgryski/go-farm
v0.0.0-20190423205320-6a90982ecee2
github.com/fatih/color
v1.10.0
github.com/fsnotify/fsnotify
v1.4.7
github.com/go-ole/go-ole
v1.2.4
github.com/go-playground/validator/v10
v10.4.1
github.com/go-sql-driver/mysql
v1.4.1
github.com/go-zookeeper/zk
v1.0.1
github.com/gobuffalo/packr/v2
v2.8.1
github.com/gogo/protobuf
v1.3.2
github.com/golang/mock
v1.3.1
github.com/golang/protobuf
v1.5.2
github.com/karrick/godirwalk
v1.16.1
github.com/leodido/go-urn
v1.2.1
and 31 more