Release Notes
OpenShift Service Mesh release notes
Abstract
Chapter 1. OpenShift Service Mesh release notes
The Red Hat OpenShift Service Mesh release notes provide details about new features and enhancements, deprecated features, technology preview features, fixed issues, and known issues. The release notes also include tables for supported component versions and Istio features, organized by OpenShift Service Mesh version.
For additional information about the Red Hat OpenShift Service Mesh life cycle and supported platforms, refer to the OpenShift Operator Life Cycles.
1.1. Red Hat OpenShift Service Mesh version 3.1.3
This release of Red Hat OpenShift Service Mesh is included with the Red Hat OpenShift Service Mesh Operator 3.1.3 and is supported on OpenShift Container Platform 4.16 and later. This release addresses enhancements, fixed issues, and Common Vulnerabilities and Exposures (CVEs).
For supported component versions for 3.1.3, see "Service Mesh version support tables".
1.1.1. Enhancements
- This enhancement updates Kiali Operator and Kiali server to version 2.11.4.
1.1.2. Fixed issues
- Before this update, images were incorrectly switched to use the newer manifest format, causing mirroring issues with older registries. As a consequence, users experienced mirroring failures due to incompatible manifest formats. With this release, images now use the expected, older manifest format for mirroring to older registries. As a result, end users can now successfully mirror images to older registries. (OSSM-11139)
1.2. Red Hat OpenShift Service Mesh version 3.1.2
This release of Red Hat OpenShift Service Mesh is included with the Red Hat OpenShift Service Mesh Operator 3.1.2 and is supported on OpenShift Container Platform 4.16 and later. This release addresses enhancements, fixed issues, and Common Vulnerabilities and Exposures (CVEs).
For supported component versions for 3.1.2, see "Service Mesh version support tables".
1.2.1. Enhancements
- This enhancement updates Istio to version 1.26.4.
- This enhancement updates Kiali operator and Kiali server to version 2.11.3.
1.3. Red Hat OpenShift Service Mesh version 3.1.1
This release of Red Hat OpenShift Service Mesh is included with the Red Hat OpenShift Service Mesh Operator 3.1.1 and is supported on OpenShift Container Platform 4.16 and later. This release addresses enhancements, fixed issues, and Common Vulnerabilities and Exposures (CVEs).
For supported component versions for 3.1.1, see "Service Mesh version support tables".
1.3.1. Enhancements
- This enhancement updates Istio to version 1.26.3.
- This enhancement updates Kiali operator to version 2.11.2.
1.3.2. Fixed issues
- Before this update, enabling the `NetworkPolicy` field globally in the `Istio` custom resource (CR) failed to create the corresponding `NetworkPolicy` resource due to incorrect resource handling. This issue prevented users from applying network policies when Istio was enabled globally. With this update, `NetworkPolicy` resource creation is enabled upon `Istio` CR update, allowing end users to consistently apply network policy rules in Istio. (OSSM-10595)
- Before this update, creating a `PodDisruptionBudget` for a single `istiod` pod with a `minAvailable` value of `1` caused an upgrade to fail, preventing node restart during upgrade. As a consequence, the upgrade was unsuccessful. With this update, the Istio Operator disables the default `podDisruptionBudget` for the single `istiod` pod in the Istio 1.24.3 configuration. As a result, the node can now restart during an upgrade without being prevented by the single `istiod` pod. (OSSM-9392)
1.4. Red Hat OpenShift Service Mesh version 3.1 new features and enhancements
This release makes Red Hat OpenShift Service Mesh 3.1 generally available, adds new features, addresses Common Vulnerabilities and Exposures (CVEs), and is supported on OpenShift Container Platform 4.16 and later.
For a list of supported component versions and support features, see "Service Mesh 3.0 feature support tables".
When upgrading from OpenShift Service Mesh 2.x, you must first migrate to version 3.0. Then, you can upgrade to version 3.1. For more information, see "Migrating from Service Mesh 2 to Service Mesh 3".
1.4.1. Support for Kubernetes Gateway API
This release introduces support for Kubernetes Gateway API custom resource definitions (CRDs). You can now use these CRDs to configure OpenShift Service Mesh with the Kubernetes Gateway API. This feature is available with Red Hat OpenShift Service Mesh 4.19.
1.4.2. Support for OpenShift Service Mesh on x86 dual-stack clusters
This release introduces support for OpenShift Service Mesh on x86 dual-stack clusters. This feature remains a technology preview on all other platforms.
1.4.3. Kubernetes Traffic Distribution Support
This release introduces support for the Kubernetes traffic distribution feature, part of the Kubernetes Service API, within OpenShift Service Mesh. As of Red Hat OpenShift Service Mesh 4.19, this is a Beta feature and requires enabling the ServiceTrafficDistribution parameter in the Istio Custom Resources (CRs).
1.4.4. Developer Preview for Kubernetes ClusterTrustBundle
This release introduces developer preview support for the experimental Kubernetes ClusterTrustBundle feature. This feature provides a new way of distributing X.509 trust anchors (root certificates) to workloads within the cluster. As of Red Hat OpenShift Service Mesh 4.19, this is an Alpha feature and requires enabling the ClusterTrustBundle feature.
1.4.5. UBI-micro base containers
This release updates OpenShift Service Mesh to use UBI-micro base containers for most container images. The UBI-micro image is the smallest possible Universal Base Image (UBI), which excludes a package manager and all of its dependencies normally included in a container image. This change minimizes the attack surface of container images that use the UBI-micro base.
1.5. Red Hat OpenShift Service Mesh version 3.1 Technology Preview features
This release includes some features that are currently in Technology Preview. These experimental features are not intended for production use. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
1.5.1. Istio ambient mode
This release updates the status of Istio ambient mode to Technology Preview. Istio ambient mode provides a sidecar-less alternative data plane to the traditional sidecar-based data plane. By default, ambient mode splits the data plane into node-level L4 ZTunnels and namespace-scoped L7 Waypoint proxies.
Istio ambient mode requires Kubernetes Gateway API custom resource definitions (CRDs). Use OpenShift Service Mesh 4.19 or later, which includes the CRDs by default.
To avoid potential conflicts, you must install Istio ambient mode only on clusters that do not have an existing Red Hat OpenShift Service Mesh installation. Istio ambient mode is not compatible with clusters that use Red Hat OpenShift Service Mesh 2.6 or earlier.
When you use Istio ambient mode, pods that rely on liveness or readiness probes require you to set the OVN-Kubernetes gateway mode to local instead of the default shared mode. In local mode, traffic routes through the host and the host processes it using the routing table, ensuring that probes function correctly. For more information, see the "Configuring gateway mode" section in the OVN-Kubernetes documentation.
To start using Istio ambient mode, see the "Istio ambient mode" section in the OpenShift Service Mesh 3 installation documentation.
1.5.2. Kubernetes Gateway API Inference Extensions
This release provides technology preview support for Kubernetes Gateway API Inference Extensions. These extensions build on Kubernetes Gateway API to provide inference-specific routing capabilities that optimize for self-hosted generative-AI workloads. This implementation was backported to OpenShift Service Mesh 3.1 from Istio 1.27.
1.6. Red Hat OpenShift Service Mesh version 3.1 fixed issues
1.6.1. Kiali fixed issue
- Before this update, the Kiali Operator provided by Red Hat used the `k8s_cluster_info` Ansible module from the `kubernetes.core` collection, which caused failures in certain environments during the `Get API version information from the cluster` task. As a result, Kiali deployment failure occurred, affecting service visibility and management. With this update, the Kiali Operator provided by Red Hat avoids the `k8s_cluster_info` module, resolving the issue and ensuring smooth Kiali installation for users. (OSSM-9659)
1.7. Red Hat OpenShift Service Mesh 3.1 known issues
1.7.1. podDisruptionBudget object that prevents nodes from upgrading
There is currently a known issue that prevents OpenShift Container Platform nodes from upgrading. The podDisruptionBudget resource prevents the draining of the node where the istiod pod is running, unless there are multiple replicas of the istiod pod.
Workaround: Set the .spec.values.global.defaultPodDisruptionBudget.enabled field in the Istio CR to false. Alternatively, you can temporarily increase the number of replicas for the istiod deployment. (OSSM-9392)
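The budget arithmetic behind this known issue and both workarounds, as an added example (not Red Hat or Istio code). It follows the standard Kubernetes PodDisruptionBudget calculation; the `minAvailable` value of 1 is the one described in these notes, and the replica counts and scenario names are constructed.

```python
"""Why a PodDisruptionBudget on a single istiod replica blocks node drain."""


def scaled(value, total):
    """Resolve an int-or-percent PDB value against the expected pod count.

    Kubernetes rounds percentages up for both minAvailable and maxUnavailable.
    """
    if isinstance(value, str) and value.endswith("%"):
        return -(-int(value[:-1]) * total // 100)  # integer ceiling division
    return int(value)


def disruptions_allowed(replicas, healthy, pdb_spec):
    """Number of voluntary evictions the budget permits right now.

    pdb_spec is the .spec of a PodDisruptionBudget as a dict, or None when no
    budget selects the pods (evictions are then not limited by a PDB).
    """
    if pdb_spec is None:
        return healthy
    if "minAvailable" in pdb_spec:
        desired_healthy = scaled(pdb_spec["minAvailable"], replicas)
    elif "maxUnavailable" in pdb_spec:
        unavailable = scaled(pdb_spec["maxUnavailable"], replicas)
        desired_healthy = max(0, replicas - unavailable)
    else:
        raise ValueError("PDB spec needs minAvailable or maxUnavailable")
    return max(0, healthy - desired_healthy)


def drain_blocked(replicas, healthy, pdb_spec):
    """True when evicting one istiod pod would violate the budget."""
    return disruptions_allowed(replicas, healthy, pdb_spec) < 1


# Constructed scenarios: (expected replicas, healthy replicas, PDB spec).
ISTIOD_PDB = {"minAvailable": 1}
SCENARIOS = {
    "single istiod, default PDB": (1, 1, ISTIOD_PDB),
    "workaround: PDB disabled in the Istio CR": (1, 1, None),
    "workaround: istiod scaled to 2 replicas": (2, 2, ISTIOD_PDB),
    "scaled to 2, second replica not ready yet": (2, 1, ISTIOD_PDB),
}

if __name__ == "__main__":
    for name, (replicas, healthy, pdb) in SCENARIOS.items():
        allowed = disruptions_allowed(replicas, healthy, pdb)
        state = "BLOCKED" if drain_blocked(replicas, healthy, pdb) else "ok"
        print(f"{name:44} allowed={allowed} drain={state}")
```

The last scenario shows that the replica workaround only takes effect once the additional istiod pod is ready.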
1.8. Red Hat OpenShift Service Mesh version 3.1 deprecated features
Some features available in previous releases have been deprecated or removed.
Deprecated functionality is still included in OpenShift Container Platform and continues to be supported; however, it will be removed in a future release of Red Hat OpenShift Service Mesh 3 and is not recommended for new deployments.
Removed functionality no longer exists in the product.
1.8.1. DNS auto-allocation in ProxyMetadata
This release removes the use of the ISTIO_META_DNS_AUTO_ALLOCATE option in the proxyMetadata configuration. You can use the DNS auto-allocation label in the ServiceEntry resource instead. A future release will remove support for the ISTIO_META_DNS_AUTO_ALLOCATE option.
For more information about using the DNS auto-allocation label in the ServiceEntry resource, see the "Address auto-collection" section in the Istio documentation.
Chapter 2. Service Mesh version support tables
Red Hat OpenShift Service Mesh supports the OpenShift Service Mesh 3 Operator, OpenShift Service Mesh Istio control plane resource, Envoy proxy, and the IstioCNI resource on supported versions of OpenShift Container Platform.
2.1. OpenShift Service Mesh supported versions
See the following table for information about OpenShift Service Mesh 3.1.3 supported versions.
2.1.1. OpenShift Service Mesh 3.1.3 supported versions
| Feature | Supported versions |
|---|---|
| OpenShift Service Mesh 3 Operator | 3.1.3 |
| OpenShift Service Mesh | 1.26.4 |
| OpenShift Container Platform | 4.16 and later |
| Envoy proxy | 1.34.6 |
| | 1.26.4 |
| Kiali Operator | 2.11.4 |
| Kiali control plane resource | 2.11.4 |
See the following table for information about OpenShift Service Mesh 3.1.2 supported versions.
2.1.2. OpenShift Service Mesh 3.1.2 supported versions
| Feature | Supported versions |
|---|---|
| OpenShift Service Mesh 3 Operator | 3.1.2 |
| OpenShift Service Mesh | 1.26.4 |
| OpenShift Container Platform | 4.16 and later |
| Envoy proxy | 1.34.6 |
| | 1.26.4 |
| Kiali Operator | 2.11.3 |
| Kiali control plane resource | 2.11.3 |
See the following table for information about OpenShift Service Mesh 3.1.1 supported versions.
2.1.3. OpenShift Service Mesh 3.1.1 supported versions
| Feature | Supported versions |
|---|---|
| OpenShift Service Mesh 3 Operator | 3.1.1 |
| OpenShift Service Mesh | 1.26.3 |
| OpenShift Container Platform | 4.16 and later |
| Envoy proxy | 1.34.3 |
| | 1.26.3 |
| Kiali Operator | 2.11.2 |
See the following table for information about OpenShift Service Mesh 3.1.0 supported versions.
2.1.4. OpenShift Service Mesh 3.1.0 supported versions
| Feature | Supported versions |
|---|---|
| OpenShift Service Mesh 3 Operator | 3.1.0 |
| OpenShift Service Mesh | 1.26.2 |
| OpenShift Container Platform | 4.16 and later |
| Envoy proxy | 1.34.2 |
| | 1.26.2 |
| Kiali Operator | 2.11.1 |
Chapter 3. Service Mesh feature support tables
3.1.3 feature support tables provide guidance on feature availability in OpenShift Service Mesh 3.
3.1. Definitions
For Red Hat OpenShift Service Mesh 3, features that are Generally Available (GA) are fully supported and are suitable for production use.
Technology Preview (TP) features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. See the Technology Preview scope of support on the Red Hat Customer Portal for more information about Technology Preview features.
Developer Preview (DP) features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.
Not available (NA) features might not be available with Red Hat OpenShift Service Mesh 3.
3.2. Sail Operator APIs
| Feature | Status |
|---|---|
| Istio | GA |
| IstioRevision | GA |
| IstioCNI | GA |
| IstioRevisionTag | GA |
| ZTunnel | TP |
3.3. Istio deployment and lifecycle
| Feature | Status |
|---|---|
| Installation with the Red Hat OpenShift Service Mesh Operator | GA |
| Istio sidecar mode data plane | GA |
| | GA |
| The Istio multicluster mesh deployment models | GA |
| The Istio external control plane deployment models | GA |
| Multiple control planes on a single OpenShift Container Platform cluster | GA |
| | GA |
| Istio configuration scoping: Sidecar API, | GA |
| IPv6 support | GA |
| Dual stack IPv4/IPv6 | GA [4] |
| Virtual machine (non-OpenShift) workload integration | NA |
| Istioctl for select commands | GA [1] |
| Helm or Istioctl installation | NA [2] |
| ProxyConfig | GA [3] |
1. For more information, see "Support for Istioctl".
2. Installation is only supported by using the OpenShift Service Mesh 3 Operator, which uses the Istio Helm chart values for managing configuration.
3. The `ProxyConfig` API is supported with the exception of the image field, which is not supported.
4. Dual-Stack IPv4/IPv6 is supported on x86 environments only. On non-x86 environments, this feature remains a Technology Preview.
3.4. Istio traffic management
| Feature | Status |
|---|---|
| Protocols: HTTP1.1/HTTP2/HTTPS/gRPC/TCP/TLS | GA |
| Traffic control: label/content based routing, traffic shifting | GA |
| | GA |
| Resilience features: timeouts, retries, connection pools, outlier detection | GA |
| Gateway: ingress, egress for all supported protocols | GA |
| Gateway injection | GA |
| TLS termination and SNI support in gateways | GA |
| Locality load balancing | GA |
| DNS proxying | GA |
| Kubernetes Multi-Cluster Service (MCS) discovery | DP |
3.5. Kubernetes Gateway API
| Feature | Status |
|---|---|
| Kubernetes Gateway APIs for ingress (Gateway parentRef) | GA |
| Kubernetes Gateway APIs for mesh (Service parentRef) | GA |
| Kubernetes Gateway API custom resource definitions (CRDs) | GA [1] |
| Kubernetes Gateway API manual deployment | NA |
| Gateway network topology configuration | DP |
| Gateway inference extensions | TP |
- The use of Kubernetes Gateway API requires custom resource definitions (CRDs). The CRDs are present by default and generally available on Red Hat OpenShift Service Mesh 4.19 and later releases. Red Hat OpenShift Service Mesh 4.18 and earlier releases do not include or provide support for these CRDs.
3.6. Security features
3.6.1. Encryption and certificate management
| Feature | Status |
|---|---|
| Service-to-service mutual TLS encryption | GA |
| Identity and certificate management for workloads | GA |
| Peer authentication | GA |
| Certificate management for ingress gateway | GA |
| Pluggable key/certificate support for Istio certificate authority (CA) | GA |
| Cert-Manager integration with the cert-manager Operator for Red Hat OpenShift | GA |
| Kubernetes ClusterTrustBundles | DP |
3.6.2. Authorization and policy enforcement
| Feature | Status |
|---|---|
| AuthorizationPolicy | GA |
| External authorization | GA |
| End user (JWT) authentication | GA |
| JWT claim based routing | GA |
| Authorization dry run | TP |
| Copy JWT claims to HTTP Headers | DP |
| RequestAuthentication | GA |
3.7. Observability features
OpenShift Service Mesh 3 provides end-to-end support for observability, including logs, metrics, and distributed tracing with Red Hat OpenShift Observability and the Kiali Operator provided by Red Hat.
Integrations with other community projects (including community Prometheus) and third-party solutions can be configured through Istio or Observability operators, but those solutions are not supported by Red Hat.
| Feature | Status |
|---|---|
| Integration with Red Hat OpenShift Observability - user workload monitoring | GA |
| Red Hat OpenShift distributed tracing platform (Tempo) | GA |
| Red Hat OpenShift distributed tracing data collection Operator | GA |
| Trace sampling configuration | GA |
| Istio Telemetry API for configuring logs, metrics, and traces | GA |
| Istio preconfigured Grafana dashboards | DP [1] |
| Request classification | NA |
- While Grafana is not included as part of OpenShift Service Mesh, you can use the preconfigured dashboards for Grafana maintained by the Istio community with OpenShift Service Mesh under a Developer Preview scope.
3.8. Consoles and dashboards
| Feature | Status |
|---|---|
| Kiali Operator provided by Red Hat | GA |
| Kiali Server | GA |
| OpenShift Service Mesh Console (OSSMC) plugin | GA |
3.9. Extensibility features
| Feature | Status |
|---|---|
| WebAssembly extension | GA [1] |
| | DP [2] |
1. The `WasmPlugin` API for extending Istio using Web Assembly extensions is supported, but support is not provided for any Web Assembly extension modules unless explicitly documented.
2. The `EnvoyFilter` API is available for use with Red Hat OpenShift Service Mesh, but is not supported, except where explicitly documented. Due to tight coupling with the underlying Envoy APIs, backward compatibility cannot be maintained. Note that `EnvoyFilter` patches are very sensitive to the format of the Envoy configuration that is generated by Istio. If the configuration generated by Istio changes, it has the potential to break the application of the `EnvoyFilter` configuration. Any configuration provided through this API should be carefully monitored across Istio proxy version upgrades to ensure that deprecated fields are removed and replaced appropriately. If a support case is raised where an `EnvoyFilter` configuration is used, Red Hat might request that the issue be reproduced with the `EnvoyFilter` configuration removed.
3.10. Istio Ambient mode (sidecarless) data plane
| Feature | Status |
|---|---|
| Istio ambient mode - all features | TP |