OpenShift Service Mesh release notes
Chapter 1. OpenShift Service Mesh release notes
Red Hat OpenShift Service Mesh release notes contain information about new features and enhancements, and known issues. They contain a set of tables for supported component versions and Istio features, and are organized by OpenShift Service Mesh version.
For additional information about the Red Hat OpenShift Service Mesh life cycle and supported platforms, refer to the OpenShift Operator Life Cycles.
1.1. Red Hat OpenShift Service Mesh version 3.2 new features and enhancements
This release makes Red Hat OpenShift Service Mesh 3.2 generally available, adds new features, addresses Common Vulnerabilities and Exposures (CVEs), and is supported on OpenShift Container Platform 4.18 and later.
For a list of supported component versions and support features, see "Service Mesh 3.2 feature support tables".
When upgrading from OpenShift Service Mesh 2.x, you must first migrate to version 3.0 and then to version 3.1. Then, you can upgrade to version 3.2. For more information, see "Migrating from Service Mesh 2 to Service Mesh 3".
1.1.1. General availability of Istio ambient mode
This enhancement brings the core features of Istio ambient mode, ztunnel, and waypoint, to general availability. Ambient mode reduces the resource costs of running a service mesh by removing the need for sidecar proxies with a new data plane architecture that consists of the following two levels of proxy:
- The layer 4 node level ztunnel proxy
- The layer 7 application level waypoint proxy
1.1.2. Updated feature support matrix for ambient mode
This enhancement provides an updated feature support matrix for Istio ambient mode. Not all sidecar mode features are supported in ambient mode. For detailed information about supported and unsupported features, see "Service Mesh feature support tables".
1.1.3. Network policy updates may be required for ambient mode traffic
Istio ambient mode uses an application-layer tunnel (L7) called HBONE to carry TCP traffic (L4) securely between workloads. The ztunnel component tunnels pod traffic over TCP port 15008. If existing Kubernetes NetworkPolicy configurations block inbound traffic on this port, update them to allow inbound TCP traffic on port 15008 for ambient workloads. Sidecar workloads must also allow inbound traffic on this port to communicate with ambient workloads. For more information, see "Configuring network policies for ambient mode".
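As an added example (not code from the Red Hat documentation), a small offline check for the NetworkPolicy requirement described above: given the NetworkPolicy objects of a namespace and a pod's labels, it reports whether any ingress rule admits inbound TCP/15008. The function names, the sample policies and the pod labels are all constructed here.

```python
# Added example, not code from the Red Hat documentation: audit the NetworkPolicy
# objects of a namespace and report whether inbound TCP 15008 (the HBONE port that
# ztunnel tunnels ambient traffic over) can reach a given pod. Policies use the dict
# shape `kubectl get networkpolicy -o json` returns under "items"; the sample
# policies and pod labels below are constructed for this example.
HBONE_PORT = 15008

def _selects(selector, labels):
    """matchLabels-style podSelector match; an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _port_allowed(entry, port):
    """One NetworkPolicyPort entry covers TCP/<port>, honouring endPort ranges.
    Named ports need the pod spec to resolve and are treated as no match."""
    start = entry.get("port")
    if entry.get("protocol", "TCP") != "TCP" or not isinstance(start, int):
        return False
    return start <= port <= entry.get("endPort", start)

def hbone_ingress_status(policies, pod_labels):
    """Return 'no-policy', 'allowed' or 'blocked' for inbound TCP/15008 to the pod.
    'from' restrictions are not evaluated: this only asks whether any ingress rule
    admits the port at all."""
    selecting = [p for p in policies
                 if _selects(p["spec"].get("podSelector", {}), pod_labels)
                 # policyTypes defaults to Ingress when the field is absent
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not selecting:
        return "no-policy"  # nothing isolates the pod, so all ingress is allowed
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            ports = rule.get("ports")
            # absent/empty ports means every port; rules are additive, so one
            # matching rule in any selecting policy is enough
            if not ports or any(_port_allowed(e, HBONE_PORT) for e in ports):
                return "allowed"
    return "blocked"  # selected, but no rule admits TCP/15008

# Constructed sample: 'reviews' admits only its app port, 'ratings' was updated for ambient.
SAMPLE_POLICIES = [
    {"metadata": {"name": "reviews-ingress"},
     "spec": {"podSelector": {"matchLabels": {"app": "reviews"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"ports": [{"protocol": "TCP", "port": 9080}]}]}},
    {"metadata": {"name": "ratings-ingress"},
     "spec": {"podSelector": {"matchLabels": {"app": "ratings"}},
              "ingress": [{"ports": [{"protocol": "TCP", "port": 9080},
                                     {"protocol": "TCP", "port": HBONE_PORT}]}]}},
]
```

A "no-policy" result means Kubernetes already permits all ingress to that pod, so only "blocked" pods need their policies updated before ambient enrollment.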
1.1.4. Ensuring probe reliability with OVN-Kubernetes local gateway mode
To ensure liveness and readiness probes continue to function correctly for workloads running in Istio ambient mode, you must enable OVN-Kubernetes local gateway mode by setting routingViaHost: true in the gatewayConfig specification. For more information, see the "OVN-Kubernetes documentation".
1.1.6. Enhanced NetworkPolicy Coverage for Ambient Mode Components
With the 3.2 release, enabling the global networkPolicy setting now extends NetworkPolicy creation to include istio-cni and ztunnel resources, in addition to the previously supported istiod and gateway resources.
1.2. Red Hat OpenShift Service Mesh 3.2 known issues
1.2.1. Ambient mode not supported on FIPS-enabled OpenShift clusters
Istio ambient mode does not currently support OpenShift clusters running in Federal Information Processing Standards (FIPS) mode. Deployments that require FIPS compliance must continue using sidecar mode until support becomes available in a future release.
1.2.2. Limitation due to ztunnel concurrency issue
A concurrency issue in ztunnel limits throughput scalability in Istio ambient mode. Performance remains comparable to sidecar mode in most scenarios, but the issue can limit the potential to scale throughput performance.
Chapter 2. Service Mesh version support tables
Red Hat OpenShift Service Mesh supports the OpenShift Service Mesh 3 Operator, OpenShift Service Mesh Istio control plane resource, Envoy proxy, and the IstioCNI resource on supported versions of OpenShift Container Platform.
2.1. OpenShift Service Mesh supported versions
See the following table for information about OpenShift Service Mesh 3.2.0 supported versions.
2.1.1. OpenShift Service Mesh 3.2.0 supported versions
| Feature | Supported versions |
|---|---|
| OpenShift Service Mesh 3 Operator | 3.2.0 |
| OpenShift Service Mesh Istio control plane resource | 1.27.3 |
| OpenShift Container Platform | 4.18 and later |
| Envoy proxy | 1.35.6 |
| IstioCNI resource | 1.27.3 |
| (component name missing in source) | 1.27.3 |
| Kiali Operator | 2.17.1 |
| Kiali control plane resource | 2.17.1 |
Chapter 3. Service Mesh feature support tables
The OpenShift Service Mesh 3.2.0 feature support tables give guidance on feature availability in OpenShift Service Mesh 3.
3.1. Definitions
For Red Hat OpenShift Service Mesh 3, features that are Generally Available (GA) are fully supported and are suitable for production use.
Technology Preview (TP) features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features give early access to upcoming product features, enabling customers to test functionality and give feedback during the development process. See the Technology Preview scope of support on the Red Hat Customer Portal for more information about Technology Preview features.
Developer Preview (DP) features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features give early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and give feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might give ways to submit feedback on Developer Preview features without an associated SLA.
Not available (NA) features might not be available with Red Hat OpenShift Service Mesh 3.
3.2. Sail Operator APIs
| Feature | Status |
|---|---|
| Istio | GA |
| IstioRevision | GA |
| IstioCNI | GA |
| IstioRevisionTag | GA |
| ZTunnel | TP |
3.3. Istio deployment and lifecycle
| Feature | Status |
|---|---|
| Installation with the Red Hat OpenShift Service Mesh Operator | GA |
| Istio sidecar mode data plane | GA |
| (feature name missing in source) | GA |
| The Istio multicluster mesh deployment models | GA |
| The Istio external control plane deployment models | GA |
| Multiple control planes on a single OpenShift Container Platform cluster | GA |
| (feature name missing in source) | GA |
| Istio configuration scoping: Sidecar API, (second item missing in source) | GA |
| IPv6 support | GA |
| Dual stack IPv4/IPv6 | GA [4] |
| Virtual machine (non-OpenShift) workload integration | NA |
| Istioctl for select commands | GA [1] |
| Helm or Istioctl installation | NA [2] |
| ProxyConfig | GA [3] |
1. For more information, see "Support for Istioctl".
2. Installation is only supported by using the OpenShift Service Mesh 3 Operator, which uses the Istio Helm chart values for managing configuration.
3. The ProxyConfig API is supported with the exception of the image field, which is not supported.
4. Dual-Stack IPv4/IPv6 is supported on x86 environments only. On non-x86 environments, this feature remains a Technology Preview.
3.4. Istio traffic management
| Feature | Status |
|---|---|
| Protocols: HTTP1.1/HTTP2/HTTPS/gRPC/TCP/TLS | GA |
| Traffic control: label/content based routing, traffic shifting | GA |
| (feature name missing in source) | GA |
| Resilience features: timeouts, retries, connection pools, outlier detection | GA |
| Gateway: ingress, egress for all supported protocols | GA |
| Gateway injection | GA |
| TLS termination and SNI support in gateways | GA |
| Locality load balancing | GA |
| DNS proxying | GA |
| Kubernetes Multi-Cluster Service (MCS) discovery | DP |
3.5. Kubernetes Gateway API
| Feature | Status |
|---|---|
| Kubernetes Gateway APIs for ingress (Gateway parentRef) | GA |
| Kubernetes Gateway APIs for mesh (Service parentRef) | GA |
| Kubernetes Gateway API custom resource definitions (CRDs) | GA [1] |
| Kubernetes Gateway API manual deployment | NA |
| Gateway network topology configuration | DP |
| Gateway inference extensions | TP |
1. The use of Kubernetes Gateway API requires custom resource definitions (CRDs). The CRDs are present by default and generally available on Red Hat OpenShift Service Mesh 4.19 and later releases. Red Hat OpenShift Service Mesh 4.18 and earlier releases do not include or provide support for these CRDs.
3.6. Security features
3.6.1. Encryption and certificate management
| Feature | Status |
|---|---|
| Service-to-service mutual TLS encryption | GA |
| Identity and certificate management for workloads | GA |
| Peer authentication | GA |
| Certificate management for ingress gateway | GA |
| Pluggable key/certificate support for Istio certificate authority (CA) | GA |
| Cert-Manager integration with the cert-manager Operator for Red Hat OpenShift | GA |
| Kubernetes ClusterTrustBundles | DP |
3.6.2. Authorization and policy enforcement
| Feature | Status |
|---|---|
| AuthorizationPolicy | GA |
| External authorization | GA |
| End user (JWT) authentication | GA |
| JWT claim based routing | GA |
| Authorization dry run | TP |
| Copy JWT claims to HTTP Headers | DP |
| RequestAuthentication | GA |
3.7. Observability features
OpenShift Service Mesh 3 provides end-to-end support for observability, including logs, metrics, and distributed tracing with Red Hat OpenShift Observability and the Kiali Operator provided by Red Hat.
Integrations with other community projects (including community Prometheus) and third-party solutions can be configured through Istio or Observability operators, but those solutions are not supported by Red Hat.
| Feature | Status |
|---|---|
| Integration with Red Hat OpenShift Observability - user workload monitoring | GA |
| Red Hat OpenShift distributed tracing platform (Tempo) | GA |
| Red Hat OpenShift distributed tracing data collection Operator | GA |
| Trace sampling configuration | GA |
| Istio Telemetry API for configuring logs, metrics, and traces | GA |
| Istio preconfigured Grafana dashboards | DP [1] |
| Request classification | NA |
1. While Grafana is not included as part of OpenShift Service Mesh, the preconfigured dashboards for Grafana maintained by the Istio community can be used with OpenShift Service Mesh under a Developer Preview scope. These are best used as a starting point for building your own dashboards.
3.8. Consoles and dashboards
| Feature | Status |
|---|---|
| Kiali Operator provided by Red Hat | GA |
| Kiali Server | GA |
| OpenShift Service Mesh Console (OSSMC) plugin | GA |
3.9. Extensibility features
| Feature | Status |
|---|---|
| WebAssembly extension | GA [1] |
| EnvoyFilter | DP [2] |
1. The WasmPlugin API for extending Istio using WebAssembly extensions is supported, but support is not provided for any WebAssembly extension modules unless explicitly documented.
2. The EnvoyFilter API is available for use with Red Hat OpenShift Service Mesh, but is not supported, except where explicitly documented. Due to tight coupling with the underlying Envoy APIs, backward compatibility cannot be maintained. Note that EnvoyFilter patches are very sensitive to the format of the Envoy configuration that is generated by Istio. If the configuration generated by Istio changes, it has the potential to break the application of the EnvoyFilter configuration. Any configuration provided through this API should be carefully monitored across Istio proxy version upgrades to ensure that deprecated fields are removed and replaced appropriately. If a support case is raised where an EnvoyFilter configuration is used, Red Hat might request that the issue be reproduced with the EnvoyFilter configuration removed.
3.10. Istio Ambient mode (sidecarless) data plane
| Feature | Status |
|---|---|
| Ztunnel: Core | GA |
| Waypoint: Core | GA |
| Waypoint: Gateway API Stable Channel (HTTPRoute, GRPCRoute) | GA |
| Gateway API Experimental Channel (TLSRoute, TCPRoute) | DP |
| Waypoint: DestinationRule | GA |
| Waypoint: VirtualService | TP |
| Waypoint: Cross-namespace usage | GA |
| Waypoint: WebAssembly extensibility (WasmPlugin) | DP |
| AuthorizationPolicy, PeerAuthentication, RequestAuthentication | GA |
| DNS Proxying | GA |
| Dual-stack and IPv6 single stack | TP |
| Mixing sidecar and ambient namespaces within a single mesh | DP |
| Deploying ambient mode on a cluster with an existing sidecar mesh | NA |
| Multiple “ambient mode” meshes in a single cluster | NA |
| Multi-Cluster - Multi-primary topology | DP |
| Multi-Cluster - Other topologies | NA |
| Upgrades: InPlace | GA |
| Upgrades: RevisionBased | NA |