
Chapter 1. OpenShift Service Mesh release notes


Red Hat OpenShift Service Mesh release notes contain information about new features and enhancements, and known issues. They contain a set of tables for supported component versions and Istio features, and are organized by OpenShift Service Mesh version.

Note

For additional information about the Red Hat OpenShift Service Mesh life cycle and supported platforms, refer to the OpenShift Operator Life Cycles.

This release makes Red Hat OpenShift Service Mesh 3.2 generally available, adds new features, addresses Common Vulnerabilities and Exposures (CVEs), and is supported on OpenShift Container Platform 4.18 and later.

For a list of supported component versions and support features, see "Service Mesh 3.2 feature support tables".

When upgrading from OpenShift Service Mesh 2.x, you must first migrate to version 3.0 and then to version 3.1. Then, you can upgrade to version 3.2. For more information, see "Migrating from Service Mesh 2 to Service Mesh 3".

1.1.1. General availability of Istio ambient mode

This enhancement brings the core features of Istio ambient mode, ztunnel and waypoint, to general availability. Ambient mode reduces the resource costs of running a service mesh by removing the need for sidecar proxies. Its new data plane architecture consists of the following two levels of proxy:

  • The layer 4, node-level ztunnel proxy
  • The layer 7, application-level waypoint proxy

1.1.2. Updated feature support matrix for ambient mode

This enhancement provides an updated feature support matrix for Istio ambient mode. Not all sidecar mode features are supported in ambient mode. For detailed information about supported and unsupported features, see "Service Mesh feature support tables".

Istio ambient mode uses an application-layer tunnel (L7) called HBONE to carry TCP traffic (L4) securely between workloads. The ztunnel component tunnels pod traffic over TCP port 15008. If existing Kubernetes NetworkPolicy configurations block inbound traffic on this port, update them to allow inbound TCP traffic on port 15008 for ambient workloads. Sidecar workloads must also allow inbound traffic on this port to communicate with ambient workloads. For more information, see "Configuring network policies for ambient mode".

To ensure liveness and readiness probes continue to function correctly for workloads running in Istio ambient mode, you must enable OVN-Kubernetes local gateway mode by setting routingViaHost: true in the gatewayConfig specification. For more information, see the "OVN-Kubernetes documentation".
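The following pre-upgrade check is an added example, not part of the Red Hat documentation. It covers the two requirements above: whether the NetworkPolicy objects that select a workload still admit inbound TCP 15008, and whether routingViaHost is enabled. It assumes the objects were exported as JSON from a single namespace; the sample objects are constructed, and the full path to gatewayConfig in the Network operator resource is taken from the OpenShift API rather than from this page.

```python
HBONE_PORT = 15008  # ztunnel HBONE port named in the release note

def selects(policy, pod_labels):
    # Only matchLabels is evaluated; matchExpressions is ignored (simplification).
    want = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in want.items())

def allows_hbone(policy):
    # True if any ingress rule admits TCP 15008; `from` peers are not evaluated.
    for rule in policy["spec"].get("ingress") or []:
        ports = rule.get("ports")
        if not ports:
            return True  # a rule with no ports admits every port
        for p in ports:
            if p.get("protocol", "TCP") != "TCP":
                continue
            lo = p.get("port")
            if lo is None:
                return True  # protocol only: every TCP port
            if isinstance(lo, int) and lo <= HBONE_PORT <= p.get("endPort", lo):
                return True  # named (string) ports are not resolved here
    return False

def hbone_blocked(pod_labels, policies):
    # Policies are additive: blocked only if ingress policies select the pod
    # and none of them admits port 15008.
    ingress = [p for p in policies
               if "Ingress" in (p["spec"].get("policyTypes") or ["Ingress"])
               and selects(p, pod_labels)]
    return bool(ingress) and not any(allows_hbone(p) for p in ingress)

def routing_via_host(network_cr):
    # Path inside the cluster Network operator resource (assumption: the page
    # names only gatewayConfig, not the enclosing fields).
    gw = (network_cr.get("spec", {}).get("defaultNetwork", {})
          .get("ovnKubernetesConfig", {}).get("gatewayConfig", {}))
    return gw.get("routingViaHost") is True

# Constructed sample objects, shaped like `oc get ... -o json` items.
APP_ONLY = {"metadata": {"name": "app-only"}, "spec": {
    "podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"],
    "ingress": [{"ports": [{"protocol": "TCP", "port": 8080}]}]}}
WITH_HBONE = {"metadata": {"name": "app-hbone"}, "spec": {
    "podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"],
    "ingress": [{"ports": [{"protocol": "TCP", "port": 8080},
                           {"protocol": "TCP", "port": 15008}]}]}}
NETWORK_CR = {"spec": {"defaultNetwork": {"ovnKubernetesConfig": {
    "gatewayConfig": {"routingViaHost": True}}}}}
```

A workload flagged by hbone_blocked needs an ingress rule for TCP 15008 before its namespace is enrolled in ambient mode; the same applies to sidecar workloads that must talk to ambient workloads.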

Before this update, OpenShift Service Mesh Console (OSSMC) plugin users could not navigate directly from Service Mesh to Network Traffic. With this update, users can now click a workload in the Service Mesh Traffic Graph and find a new Network Traffic link in the side panel. This feature gives users one-click access to network flow data for that specific workload. The link only appears if the NetObserv plugin is successfully installed and detected by the console.

1.1.6. Enhanced NetworkPolicy Coverage for Ambient Mode Components

With the 3.2 release, enabling the global networkPolicy setting now extends NetworkPolicy creation to include istio-cni and ztunnel resources, in addition to the previously supported istiod and gateway resources.

1.2. Red Hat OpenShift Service Mesh 3.2 known issues

1.2.1. Ambient mode not supported on FIPS-enabled OpenShift clusters

Istio ambient mode does not currently support OpenShift clusters running in Federal Information Processing Standards (FIPS) mode. Deployments that require FIPS compliance must continue using sidecar mode until support becomes available in a future release.

1.2.2. Limitation due to ztunnel concurrency issue

A concurrency issue in ztunnel limits throughput scalability in Istio ambient mode. Performance remains comparable to sidecar mode in most scenarios, but the issue can limit the potential to scale throughput performance.

OSSM-11132

Configuring Istio in sidecar mode with Transparent Proxy (TPROXY) on s390x and PowerPC hardware platforms causes the istio-proxy container to fail certificate signing and remain unready. As a consequence, the sidecar cannot reach the Istiod service and the connection times out. As a result, affected workloads cannot run successfully under these conditions.

1.2.4. Waypoint proxy emits incomplete telemetry on s390x platforms

Running Istio in ambient mode on the s390x hardware platform causes the waypoint proxy to emit incomplete telemetry after the namespace is enrolled. As a consequence, tools such as Kiali cannot generate accurate graphs or diagrams, resulting in missing edges, unknown fields, or no visualization data. As a result, telemetry-dependent observability features remain incomplete on affected clusters.

OSSM-11285
