Chapter 3. Service Mesh 3.0.0 feature support tables


3.0.0 feature support tables provide guidance on feature availability in OpenShift Service Mesh 3.

3.1. Definitions

For Red Hat OpenShift Service Mesh 3, features that are Generally Available (GA) are fully supported and are suitable for production use.

Technology Preview (TP) features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. See the Technology Preview scope of support on the Red Hat Customer Portal for more information about Technology Preview features.

Developer Preview (DP) features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.

Not available (NA) features might not be available with Red Hat OpenShift Service Mesh 3.

3.2. Sail Operator APIs

FeatureStatus

Istio

GA

IstioRevision

GA

IstioCNI

GA

IstioRevisionTag

GA

ZTunnel

DP

3.3. Istio deployment and lifecycle

FeatureStatus

Installation with the Red Hat OpenShift Service Mesh Operator

GA

Istio sidecar mode data plane

GA

InPlace and RevisionBased control plane upgrades with the Red Hat OpenShift Service Mesh Operator

GA

The Istio multicluster mesh deployment models

GA

The Istio external control plane deployment models

GA

Multiple control planes on a single OpenShift Container Platform cluster

GA

IstioCNI plugin

GA

Istio configuration scoping: Sidecar API, exportTo and discovery selectors

GA

IPv6 support

GA

Dual stack IPv4/IPv6

TP

Virtual machine (non-OpenShift) workload integration

NA

Istioctl for select commands

GA [1]

Helm or Istioctl installation

NA [2]

ProxyConfig

GA [3]

  1. For more information, see "Support for Istioctl".
  2. Installation is only supported by using the OpenShift Service Mesh 3 Operator, which uses the Istio Helm chart values for managing configuration.
  3. The ProxyConfig API is supported with the exception of the image field, which is not supported.

Additional resources

3.4. Istio traffic management

FeatureStatus

Protocols: HTTP1.1/HTTP2/HTTPS/gRPC/TCP/TLS

GA

Traffic control: label/content based routing, traffic shifting

GA

VirtualService, DestinationRule and ServiceEntry

GA

Resilience features: timeouts, retries, connection pools, outlier detection

GA

Gateway: ingress, egress for all supported protocols

GA

Gateway injection

GA

TLS termination and SNI support in gateways

GA

Locality load balancing

GA

DNS proxying

GA

Kubernetes Multi-Cluster Service (MCS) discovery

DP

3.5. Kubernetes Gateway API

FeatureStatus

Kubernetes Gateway APIs for ingress (Gateway parentRef)

GA

Kubernetes Gateway APIs for mesh (Service parentRef)

GA

Kubernetes Gateway API custom resource definitions (CRDs)

DP [1]

Kubernetes Gateway API manual deployment

NA

Gateway network topology configuration

DP

  1. The use of Kubernetes Gateway API requires custom resource definitions (CRDs) that are not installed with OpenShift Container Platform 4.18 and earlier releases.

3.6. Security features

3.6.1. Encryption and certificate management

FeatureStatus

Service-to-service mutual TLS encryption

GA

Identity and certificate management for workloads

GA

Peer authentication

GA

Certificate management for ingress gateway

GA

Pluggable key/certificate support for Istio certificate authority (CA)

GA

Cert-Manager integration with the cert-manager Operator for Red Hat OpenShift

GA

3.6.2. Authorization and policy enforcement

FeatureStatus

AuthorizationPolicy

GA

External authorization

GA

End user (JWT) authentication

GA

JWT claim based routing

GA

Authorization dry run

TP

Copy JWT claims to HTTP Headers

DP

RequestAuthentication

GA

3.7. Observability features

OpenShift Service Mesh 3 provides end-to-end support for observability, including logs, metrics, and distributed tracing with Red Hat OpenShift Observability and the Kiali Operator provided by Red Hat.

+Integrations with other community projects (including community Prometheus) and third-party solutions can be configurable through Istio or Observability operators, but those solutions are not supported by Red Hat.

FeatureStatus

Integration with Red Hat OpenShift Observability - user workload monitoring

GA

Red Hat OpenShift distributed tracing platform (Tempo)

GA

Red Hat OpenShift distributed tracing data collection Operator

GA

Trace sampling configuration

GA

Istio Telemetry API for configuring logs, metrics, and traces

GA

Istio preconfigured Grafana dashboards

DP [1]

Request classification

NA

  1. While Grafana is not included as part of OpenShift Service Mesh, the preconfigured dashboards for Grafana maintained by the Istio community can be use with OpenShift Service Mesh under a Developer Preview scope. These are best used as a starting point for building your own dashboards.

3.8. Consoles and dashboards

FeatureStatus

Kiali Operator provided by Red Hat

GA

Kiali Server

GA

OpenShift Service Mesh Console (OSSMC) plugin

GA

3.9. Extensibility features

FeatureStatus

WebAssembly extension

GA [1]

EnvoyFilter API

DP [2]

  1. The WasmPlugin API for extending Istio using Web Assembly extensions is supported, but support is not provided for any Web Assembly extension modules unless explicitly documented.
  2. The EnvoyFilter API is available for use with Red Hat OpenShift Service Mesh, but is not supported, except where explicitly documented. Due to tight coupling with the underlying Envoy APIs, backward compatibility cannot be maintained. Note that EnvoyFilter patches are very sensitive to the format of the Envoy configuration that is generated by Istio. If the configuration generated by Istio changes, it has the potential to break the application of the EnvoyFilter configuration. Any configuration provided through this API should be carefully monitored across Istio proxy version upgrades to ensure that deprecated fields are removed and replaced appropriately. If a support case is raised where an EnvoyFilter configuration is used, Red Hat might request that the issue be reproduced with the EnvoyFilter configuration removed.

3.10. Istio Ambient mode (sidecarless) data plane

FeatureStatus

Istio ambient mode - all features

DP

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.