Release Notes


Red Hat OpenShift Service Mesh 3.0

OpenShift Service Mesh release notes

Red Hat OpenShift Documentation Team

Abstract

This documentation provides information about each Red Hat OpenShift Service Mesh release.

Chapter 1. OpenShift Service Mesh release notes

Red Hat OpenShift Service Mesh release notes contain information about new features and enhancements, deprecated features, technology preview features, bug fixes, and known issues. They contain a set of tables for supported component versions and Istio features, and are organized by OpenShift Service Mesh version.

Note

For additional information about the Red Hat OpenShift Service Mesh life cycle and supported platforms, refer to the OpenShift Operator Life Cycles.

1.1. Red Hat OpenShift Service Mesh version 3.0.5

This release of Red Hat OpenShift Service Mesh is included with the Red Hat OpenShift Service Mesh Operator 3.0.5 and is supported on OpenShift Container Platform 4.16 and later. This release addresses enhancements and Common Vulnerabilities and Exposures (CVEs). For supported component versions for 3.0.5, see "Service Mesh version support tables".

1.1.1. Enhancements

  • This enhancement updates Kiali server to version 2.4.9.

1.2. Red Hat OpenShift Service Mesh version 3.0.4

This release of Red Hat OpenShift Service Mesh is included with the Red Hat OpenShift Service Mesh Operator 3.0.4 and is supported on OpenShift Container Platform 4.14 and later. This release addresses enhancements and Common Vulnerabilities and Exposures (CVEs). For supported component versions for 3.0.4, see "Service Mesh version support tables".

1.2.1. Enhancements

  • This enhancement updates Istio to version 1.24.6.
  • This enhancement updates Kiali operator to version 2.4.8.

1.3. Red Hat OpenShift Service Mesh version 3.0.3

This release of Red Hat OpenShift Service Mesh is included with the Red Hat OpenShift Service Mesh Operator 3.0.3 and is supported on OpenShift Container Platform 4.14 and later. This release addresses Common Vulnerabilities and Exposures (CVEs). For supported component versions for 3.0.3, see "Service Mesh version support tables".

1.3.1. Enhancements

  • This enhancement updates Istio to version 1.24.6. For more information, see OSSM-9758.
  • This enhancement updates Kiali operator to version 2.4.7.

1.3.2. Bug fixes

  • Previously, the Kiali Operator provided by Red Hat used the k8s_cluster_info Ansible module from the kubernetes.core collection, which could fail in some environments with a result code of -9. This failure occurred during the "Get api version information from the cluster" Ansible task and prevented the Operator from reconciling Kiali custom resources (CRs). Now, the fix removes the use of the k8s_cluster_info Ansible module to prevent this error. (OSSM-9659)

1.4. Red Hat OpenShift Service Mesh version 3.0.2

This release of Red Hat OpenShift Service Mesh is included with the Red Hat OpenShift Service Mesh Operator 3.0.2 and is supported on OpenShift Container Platform 4.14 and later. This release addresses Common Vulnerabilities and Exposures (CVEs). For supported component versions for 3.0.2, see "Service Mesh version support tables".

1.5. Red Hat OpenShift Service Mesh version 3.0.1

This release of Red Hat OpenShift Service Mesh is included with the Red Hat OpenShift Service Mesh Operator 3.0.1 and is supported on OpenShift Container Platform 4.14 and later. This release addresses Common Vulnerabilities and Exposures (CVEs). For supported component versions for 3.0.1, see "Service Mesh version support tables".

This release makes Red Hat OpenShift Service Mesh 3.0 generally available, adds new features, addresses Common Vulnerabilities and Exposures (CVEs), and is supported on OpenShift Container Platform 4.14 and later.

For a list of supported component versions and support features, see "Service Mesh 3.0 feature support tables".

For a complete list of changes between OpenShift Service Mesh 2 and OpenShift Service Mesh 3, see "Important information to know if you are migrating from OpenShift Service Mesh 2.6".

1.6.1. Migration guides

This release adds a set of checklists and migration guides to help you migrate from OpenShift Service Mesh 2 to OpenShift Service Mesh 3.0.

You must complete the checklists first. The checklists help you set up and configure OpenShift Service Mesh 2 and the ServiceMeshControlPlane resource to migrate to OpenShift Service Mesh 3.0 and the Istio control plane resource.

Your migration depends on your deployment model:

  • Multitenant
  • Multitenant with cert-manager
  • Cluster-wide
  • Cluster-wide with cert-manager

You can also migrate gateways. For more information, see "Migrating from Service Mesh 2 to Service Mesh 3".

1.6.2. New Istio distribution and operator

OpenShift Service Mesh 3.0 is based on a Red Hat distribution of the Istio project and is deployed with a new Operator for Istio based on the Sail Operator project that is part of the istio-ecosystem organization on GitHub. The Sail Operator includes a new set of custom resource definitions (CRDs) for managing Istio. For example, the Istio CRD replaces the ServiceMeshControlPlane CRD in previous releases of OpenShift Service Mesh.

This release adds support for select platforms and commands for Istioctl, the command line utility for the Istio project that includes many diagnostic and debugging utilities. For more information, see "Support for Istioctl".

Important

Installing Istio using the istioctl utility is not supported.

1.6.4. Support for multi-cluster deployment models

This release introduces support for the following Istio multi-cluster deployment models:

  • Multi-primary
  • Primary-remote
  • An external control plane

The federation feature introduced in OpenShift Service Mesh 2.1 is not available in OpenShift Service Mesh 3.0.

1.6.5. Multiple control planes in a single cluster

This release adds support for the Istio feature of multiple control planes in a single cluster. This replaces the MultiTenant deployment model (mode) in OpenShift Service Mesh 2.

1.6.6. Revision based updates

This release adds support for canary-style updates of the Istio control plane using the Istio revision feature. This enables a new Istio control plane to be created alongside the existing Istio control plane so that workloads can be migrated incrementally. The update strategy is configured using the spec.updateStrategy parameter of the Istio resource.

For more information, see "About RevisionBased strategy".
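A minimal Istio resource that selects the RevisionBased strategy, with a namespace pinned to one revision, as an added example that is not taken from the release notes. The grace period value, the namespace names, and the revision name in the label are assumptions for illustration.

```yaml
# Added example, not from the release notes.
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  namespace: istio-system
  version: v1.24.6                 # Istio version listed for this release (assumed "v" prefix form)
  updateStrategy:
    type: RevisionBased            # a new control plane is created next to the existing one
    # Assumed value: how long an unused revision is kept before it is removed.
    inactiveRevisionDeletionGracePeriodSeconds: 30
---
# Workloads move to a new control plane namespace by namespace: change the
# revision label, then restart the pods so they are injected by that revision.
apiVersion: v1
kind: Namespace
metadata:
  name: demo-app                   # hypothetical namespace
  labels:
    istio.io/rev: default-v1-24-6  # assumed revision name derived from the Istio resource name and version
```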

1.6.7. IstioCNI custom resource definition

This release introduces the IstioCNI custom resource definition (CRD), which is used to manage the lifecycle of the Istio Container Network Interface (CNI) daemon set. A single instance of this resource must be created per cluster to configure traffic redirection for pods in the mesh. The Istio CNI lifecycle is independent of the Istio control plane or planes.

1.6.8. IPv4/IPv6 dual-stack (Technology Preview)

Important

IPv4/IPv6 dual-stack is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

This release includes IPv4/IPv6 dual-stack support as a technology preview feature. This aligns with the Alpha status of the Istio upstream project, and is feature-complete for Istio when using sidecars. Dual-stack helps organizations smoothly transition to IPv6, while still maintaining compatibility with their existing IPv4 setup.

In OpenShift Service Mesh 3.0, dual-stack is disabled by default in the Istio resource. You can enable it with specific configuration changes, such as the one shown in the following example:

Example YAML configuration for IPv4/IPv6 dual stack

apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  values:
    meshConfig:
      defaultConfig:
        proxyMetadata:
          ISTIO_DUAL_STACK: "true"
    pilot:
      ipFamilyPolicy: RequireDualStack
      env:
        ISTIO_DUAL_STACK: "true"
  namespace: istio-system

1.6.9. Istio Ambient mode (Developer Preview)

Important

Istio Ambient mode is a Developer Preview feature only. Developer Preview features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.

Istio Ambient mode provides a sidecarless service mesh architecture that reduces resource overhead, simplifies operations, and allows incremental adoption without application changes. It maintains security and observability through a layered security model with mTLS and authorization. The OpenShift Service Mesh 3 Operator can deploy the Ambient profile, as a Developer Preview feature, using the community Ztunnel image. However, the Ambient profile should not be used on clusters with production workloads or for multi-control plane use cases.

The community Ztunnel image is unavailable on the following platforms:

  • IBM Power®
  • IBM Z®
  • OpenShift Container Platform clusters in FIPS mode

  • OSSM-8878 In Red Hat OpenShift Service Mesh 3.0, OpenShift Container Platform builder pods fail to create in namespaces with injection enabled. As a workaround, add injection labels to workloads instead of the namespace when creating the BuildConfigs resource.
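The OSSM-8878 workaround as an added illustration, not part of the release notes: the namespace carries no injection label, and the workload opts in through a label on its pod template. The namespace, Deployment name, and image reference are hypothetical.

```yaml
# Added example, not from the release notes. All names are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: demo-builds
  # No namespace-level injection label here. Namespace-wide injection, for
  # example the label below, is the condition OSSM-8878 describes:
  # labels:
  #   istio-injection: enabled
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: demo-builds
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
        sidecar.istio.io/inject: "true"   # injection label on the workload, not the namespace
    spec:
      containers:
        - name: demo-app
          # Hypothetical image produced by a BuildConfig in the same namespace.
          image: image-registry.openshift-image-registry.svc:5000/demo-builds/demo-app:latest
```

Builder pods created in this namespace do not carry the workload label, so they are not selected for injection.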

Some features available in previous releases have been deprecated or removed.

Deprecated functionality is still included in OpenShift Container Platform and continues to be supported; however, it will be removed in a future release of Red Hat OpenShift Service Mesh 3 and is not recommended for new deployments.

Removed functionality no longer exists in the product.

1.8.1. Istio OpenShift routes (IOR)

This release removes the Istio OpenShift Route (IOR) for automatically creating and managing OpenShift Route resources with Istio Gateway resources. Istio Gateways are managed independently of the Istio control plane using either Gateway injection or Kubernetes Gateway API.

1.8.2. Metrics and tracing integrations

OpenShift Service Mesh 3.0 no longer includes Prometheus and Grafana, and it does not manage the configuration of Jaeger and Elasticsearch. Both Jaeger and Elasticsearch are deprecated and will be removed in a future release.

Supported integrations are provided with Red Hat OpenShift Observability, including user-workload monitoring and distributed tracing. For more information, see "Red Hat OpenShift Observability and Service Mesh". Support is also provided for the Kiali Operator provided by Red Hat. For more information, see "Using Kiali Operator provided by Red Hat".

Chapter 2. Service Mesh version support tables

Red Hat OpenShift Service Mesh supports the OpenShift Service Mesh 3 Operator, OpenShift Service Mesh Istio control plane resource, Envoy proxy, and the IstioCNI resource on supported versions of OpenShift Container Platform.

2.1. OpenShift Service Mesh supported versions

See the following table for information about OpenShift Service Mesh 3.0.5 supported versions.

| Feature | Supported versions |
| --- | --- |
| OpenShift Service Mesh 3 Operator | 3.0.5 |
| OpenShift Service Mesh Istio control plane resource | 1.24.6 |
| OpenShift Container Platform | 4.16 and later |
| Envoy proxy | 1.32.11 |
| IstioCNI resource | 1.24.6 |
| Kiali Operator | 2.11.3 |
| Kiali control plane resource | 2.4.9 |

See the following table for information about OpenShift Service Mesh 3.0.4 supported versions.

| Feature | Supported versions |
| --- | --- |
| OpenShift Service Mesh 3 Operator | 3.0.4 |
| OpenShift Service Mesh Istio control plane resource | 1.24.6 |
| OpenShift Container Platform | 4.14 and later |
| Envoy proxy | 1.32.6 |
| IstioCNI resource | 1.24.6 |
| Kiali Operator | 2.4.8 |

See the following table for information about OpenShift Service Mesh 3.0.3 supported versions.

| Feature | Supported versions |
| --- | --- |
| OpenShift Service Mesh 3 Operator | 3.0.3 |
| OpenShift Service Mesh Istio control plane resource | 1.24.6 |
| OpenShift Container Platform | 4.14 and later |
| Envoy proxy | 1.32.6 |
| IstioCNI resource | 1.24.6 [1] |
| Kiali Operator | 2.4.7 |

  1. The Istio control plane and IstioCNI resources can be upgraded in any order, as long as their version difference is within one minor version.

See the following table for information about OpenShift Service Mesh 3.0.2 supported versions.

| Feature | Supported versions |
| --- | --- |
| OpenShift Service Mesh 3 Operator | 3.0.2 |
| OpenShift Service Mesh Istio control plane resource | 1.24.5 |
| OpenShift Container Platform | 4.14 and later |
| Envoy proxy | 1.32.6 |
| IstioCNI resource | 1.24.5 [1] |

See the following table for information about OpenShift Service Mesh 3.0.1 supported versions.

| Feature | Supported versions |
| --- | --- |
| OpenShift Service Mesh 3 Operator | 3.0.1 |
| OpenShift Service Mesh Istio control plane resource | 1.24.4 |
| OpenShift Container Platform | 4.14 and later |
| Envoy proxy | 1.32.4 |
| IstioCNI resource | 1.24.4 [1] |

See the following table for information about OpenShift Service Mesh 3 supported versions.

| Feature | Supported versions |
| --- | --- |
| OpenShift Service Mesh 3 Operator | 3.0 |
| OpenShift Service Mesh Istio control plane resource | 1.24.3 |
| OpenShift Container Platform | 4.14 and later |
| Envoy proxy | 1.32.4 |
| IstioCNI resource | 1.24.3 [1] |

3.0.5 feature support tables provide guidance on feature availability in OpenShift Service Mesh 3.

3.1. Definitions

For Red Hat OpenShift Service Mesh 3, features that are Generally Available (GA) are fully supported and are suitable for production use.

Technology Preview (TP) features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. See the Technology Preview scope of support on the Red Hat Customer Portal for more information about Technology Preview features.

Developer Preview (DP) features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.

Not available (NA) features might not be available with Red Hat OpenShift Service Mesh 3.

3.2. Sail Operator APIs

| Feature | Status |
| --- | --- |
| Istio | GA |
| IstioRevision | GA |
| IstioCNI | GA |
| IstioRevisionTag | GA |
| ZTunnel | DP |

3.3. Istio deployment and lifecycle

| Feature | Status |
| --- | --- |
| Installation with the Red Hat OpenShift Service Mesh Operator | GA |
| Istio sidecar mode data plane | GA |
| InPlace and RevisionBased control plane upgrades with the Red Hat OpenShift Service Mesh Operator | GA |
| The Istio multicluster mesh deployment models | GA |
| The Istio external control plane deployment models | GA |
| Multiple control planes on a single OpenShift Container Platform cluster | GA |
| IstioCNI plugin | GA |
| Istio configuration scoping: Sidecar API, exportTo and discovery selectors | GA |
| IPv6 support | GA |
| Dual stack IPv4/IPv6 | TP |
| Virtual machine (non-OpenShift) workload integration | NA |
| Istioctl for select commands | GA [1] |
| Helm or Istioctl installation | NA [2] |
| ProxyConfig | GA [3] |

  1. For more information, see "Support for Istioctl".
  2. Installation is only supported by using the OpenShift Service Mesh 3 Operator, which uses the Istio Helm chart values for managing configuration.
  3. The ProxyConfig API is supported with the exception of the image field, which is not supported.

3.4. Istio traffic management

| Feature | Status |
| --- | --- |
| Protocols: HTTP1.1/HTTP2/HTTPS/gRPC/TCP/TLS | GA |
| Traffic control: label/content based routing, traffic shifting | GA |
| VirtualService, DestinationRule and ServiceEntry | GA |
| Resilience features: timeouts, retries, connection pools, outlier detection | GA |
| Gateway: ingress, egress for all supported protocols | GA |
| Gateway injection | GA |
| TLS termination and SNI support in gateways | GA |
| Locality load balancing | GA |
| DNS proxying | GA |
| Kubernetes Multi-Cluster Service (MCS) discovery | DP |

3.5. Kubernetes Gateway API

| Feature | Status |
| --- | --- |
| Kubernetes Gateway APIs for ingress (Gateway parentRef) | GA |
| Kubernetes Gateway APIs for mesh (Service parentRef) | GA |
| Kubernetes Gateway API custom resource definitions (CRDs) | DP [1] |
| Kubernetes Gateway API manual deployment | NA |
| Gateway network topology configuration | DP |

  1. The use of Kubernetes Gateway API requires custom resource definitions (CRDs) that are not installed with OpenShift Container Platform 4.18 and earlier releases.

3.6. Security features

3.6.1. Encryption and certificate management

| Feature | Status |
| --- | --- |
| Service-to-service mutual TLS encryption | GA |
| Identity and certificate management for workloads | GA |
| Peer authentication | GA |
| Certificate management for ingress gateway | GA |
| Pluggable key/certificate support for Istio certificate authority (CA) | GA |
| Cert-Manager integration with the cert-manager Operator for Red Hat OpenShift | GA |

3.6.2. Authorization and policy enforcement

| Feature | Status |
| --- | --- |
| AuthorizationPolicy | GA |
| External authorization | GA |
| End user (JWT) authentication | GA |
| JWT claim based routing | GA |
| Authorization dry run | TP |
| Copy JWT claims to HTTP Headers | DP |
| RequestAuthentication | GA |

3.7. Observability features

OpenShift Service Mesh 3 provides end-to-end support for observability, including logs, metrics, and distributed tracing with Red Hat OpenShift Observability and the Kiali Operator provided by Red Hat.

Integrations with other community projects (including community Prometheus) and third-party solutions can be configured through Istio or Observability operators, but those solutions are not supported by Red Hat.

| Feature | Status |
| --- | --- |
| Integration with Red Hat OpenShift Observability - user workload monitoring | GA |
| Red Hat OpenShift distributed tracing platform (Tempo) | GA |
| Red Hat OpenShift distributed tracing data collection Operator | GA |
| Trace sampling configuration | GA |
| Istio Telemetry API for configuring logs, metrics, and traces | GA |
| Istio preconfigured Grafana dashboards | DP [1] |
| Request classification | NA |

  1. While Grafana is not included as part of OpenShift Service Mesh, the preconfigured dashboards for Grafana maintained by the Istio community can be used with OpenShift Service Mesh under a Developer Preview scope. These are best used as a starting point for building your own dashboards.

3.8. Consoles and dashboards

| Feature | Status |
| --- | --- |
| Kiali Operator provided by Red Hat | GA |
| Kiali Server | GA |
| OpenShift Service Mesh Console (OSSMC) plugin | GA |

3.9. Extensibility features

| Feature | Status |
| --- | --- |
| WebAssembly extension | GA [1] |
| EnvoyFilter API | DP [2] |

  1. The WasmPlugin API for extending Istio using Web Assembly extensions is supported, but support is not provided for any Web Assembly extension modules unless explicitly documented.
  2. The EnvoyFilter API is available for use with Red Hat OpenShift Service Mesh, but is not supported, except where explicitly documented. Due to tight coupling with the underlying Envoy APIs, backward compatibility cannot be maintained. Note that EnvoyFilter patches are very sensitive to the format of the Envoy configuration that is generated by Istio. If the configuration generated by Istio changes, it has the potential to break the application of the EnvoyFilter configuration. Any configuration provided through this API should be carefully monitored across Istio proxy version upgrades to ensure that deprecated fields are removed and replaced appropriately. If a support case is raised where an EnvoyFilter configuration is used, Red Hat might request that the issue be reproduced with the EnvoyFilter configuration removed.

3.10. Istio Ambient mode (sidecarless) data plane

| Feature | Status |
| --- | --- |
| Istio ambient mode - all features | DP |

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.