이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 1. OpenShift Service Mesh release notes


Review new features, compatibility updates, fixed issues, and known issues for Red Hat OpenShift Service Mesh to stay informed about changes across different product versions.

1.1. Red Hat OpenShift Service Mesh version 3.4 new features and enhancements

This release makes Red Hat OpenShift Service Mesh 3.4 generally available, adds new features, addresses Common Vulnerabilities and Exposures (CVEs), and is supported on OpenShift Container Platform 4.20 and later versions.

For a list of supported component versions and support features, see Service Mesh feature support tables.

Service Mesh compatibility with Red Hat Enterprise Linux 10

Red Hat OpenShift Service Mesh 3.4 introduces native nftables support for traffic management in both sidecar and ambient modes. This support is required for clusters running on Red Hat Enterprise Linux (RHEL) 10 or Red Hat Enterprise Linux CoreOS (RHCOS) 10, where the legacy iptables framework has been removed.

OpenShift Service Mesh relies on packet filtering rules to redirect network traffic to the proxy. Because RHEL 10 systems use nftables exclusively, you must enable native nftables support to ensure that the service mesh can initialize and manage network traffic correctly on these hosts.

To enable native nftables support, set the values.global.nativeNftables parameter to true when you install or update the Service Mesh control plane.

If you use ambient mode, you might need to reboot nodes after enabling nftables. For guidance, see Nftables migration in ambient mode.

OSSM-6748

OpenShift Service Mesh supports FIPS 140-3 compliance

On FIPS-enabled OpenShift Container Platform clusters, Service Mesh supports FIPS 140-3 for both sidecar and ambient modes, ensuring continued compliance after the FIPS 140-2 standard expires on September 21, 2026. This release adds TLS 1.3 support for all mesh traffic in addition to the existing TLS 1.2 support, providing stronger encryption for mesh communications. The minimum TLS version remains TLS 1.2.

OSSM-12531

OpenShift Service Mesh supports the coexistence of sidecar and ambient mode workloads

Service Mesh supports running sidecar proxy and ambient mode workloads simultaneously in separate namespaces within the same mesh (with limitations noted in the documentation). This coexistence enables an incremental migration to ambient mode. You can also maintain specific workloads in sidecar mode if they require features that ambient mode does not yet support.

For more information, see Coexistence of ambient and sidecar modes.

OSSM-11487

Kiali reduces false warnings in multi-cluster AuthorizationPolicies

In this release, Kiali validates trust domains in AuthorizationPolicies by checking the trustDomainAliases field in the Istio MeshConfig. This enhanced validation provides more accurate feedback when working with federated multi-cluster meshes.

This enhancement introduces two validation message changes:

  • New validation message KIA0108 - Unable to verify principal, trust domain is not known to Kiali appears when a trust domain is genuinely unknown.
  • Existing validation KIA0107 - Service Account for this principal found on a remote cluster was downgraded from Warning to Informational, eliminating false warnings for working multi-cluster configurations.

    OSSM-13864

Kiali supports stricter namespace access control for multi-tenancy environments

This release introduces a new configuration attribute, KialiFeatureFlags.Authz.RequireNamespaceGet, to improve multi-tenancy support in Kiali. By default, when Kiali runs in cluster-wide mode, it treats users with List permission to a namespace as also having Get permission, and displays all List namespaces in the Namespace dropdown. In environments where List and Get permissions differ, this can expose namespaces that users should not access. When you set KialiFeatureFlags.Authz.RequireNamespaceGet=true, Kiali limits the Namespace dropdown to only those namespaces for which users have Get permission, ensuring stricter access control. The default value is false, so existing deployments are not affected.

OSSM-13288

OpenShift Service Mesh supports Gateway API 1.5.1, in which the following features are now stable
  • ListenerSet for simplified gateway listener configuration
  • TLSRoute for routing encrypted non-HTTP traffic
  • HTTPRoute CORS configuration for cross-origin API access
  • Client certificate validation for mutual TLS authentication at the gateway
  • Certificate selection for multi-domain gateway TLS configurations
  • ReferenceGrant for cross-namespace access delegation

    Additionally, for teams serving AI/ML models with Red Hat OpenShift, this release supports Gateway API Inference Extension 1.4.0. This extension provides intelligent routing and load balancing optimized for GPU-accelerated inference workloads.

    OSSM-11956

Performance and security improvements from upstream Istio and the Sail Operator

As a distribution based on upstream Istio and the Sail Operator, OpenShift Service Mesh inherits enhancements from these projects. Review the following upstream changes in this release to determine whether your deployment needs configuration updates:

  • Circuit breaker metrics tracking is disabled by default to improve proxy memory usage. Before this update, this tracking was enabled by default. To reenable it, set the environment variable DISABLE_TRACK_REMAINING_CB_METRICS=false in istiod. This affects the track_remaining setting in Envoy’s circuit breaker configuration.
  • Debug endpoint authorization is now enabled by default. This change affects tools that access debug endpoints from non-system namespaces. For example, this change might affect Kiali if you deploy it in a different namespace from the Istio control plane. This release restricts non-system namespaces to specific debug endpoints only, with access limited to config_dump, ndsz, and edsz for same-namespace proxies. To restore the previous behavior, set the environment variable ENABLE_DEBUG_ENDPOINT_AUTH=false in istiod.
  • HTTP compression for Envoy metrics is now enabled by default. The sidecar.istio.io/statsCompression annotation was removed. This release replaces it with a new statsCompression option in proxyConfig that defaults to true. Envoy now compresses metrics using brotli, gzip, or zstd based on the Accept-Encoding header. You can override per-pod compression, if needed, by using the proxy.istio.io/config annotation.
  • DNS proxying is now enabled by default for workloads in an ambient mesh. This ensures that Istio correctly resolves and tracks ServiceEntry destinations. DNS traffic from already-running workloads is not automatically redirected through ztunnel when you enable or upgrade ambient mode. To enable DNS proxying for these existing pods, manually restart them. Alternatively, configure Istio CNI with --set cni.ambient.reconcileIptablesOnStartup=true to reconcile the required iptables rules automatically. This setting is enabled by default in Istio 1.29 and later versions. (Note that DNS capture is still not enabled by default in sidecar mode, as ServiceEntry resources are correctly handled at the sidecar proxy with default settings.)

1.2. Red Hat OpenShift Service Mesh version 3.4 Technology Preview features

This release includes some features that are currently in Technology Preview. These experimental features are not intended for production use.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

SPIRE integration enables zero-trust workload identity

Red Hat OpenShift Service Mesh integrates with the SPIFFE Runtime Environment (SPIRE) to provide stronger cryptographically verifiable workload identities. SPIFFE (Secure Production Identity Framework for Everyone) is an open standard for establishing trust between workloads in distributed systems.

While OpenShift Service Mesh already supports workload identity creation and management through the SPIFFE protocol, SPIRE extends this with:

  • Deep workload attestation - Verifies workload identity based on configurable criteria backed by hardware or cloud environment verification
  • Trust domain federation - Enables workloads from different trust domains to authenticate and communicate securely

    SPIRE is supported as part of the Open Shift Zero Trust Workload Identity Manager. Integration with OpenShift Service Mesh is a Technology Preview feature.

    For more information, see SPIRE integration for mesh security.

    OSSM-9387

Multi-cluster support in Istio ambient mode

Support for ambient mode in multi-primary multi-network topologies continues to be a Technology Preview feature.

For more information, see Installing a multi-primary multi-network mesh in ambient mode.

OSSM-12578

Multi-network ingress gateway support in ambient mode

This release adds cross-cluster networking for ingress gateways in multi-network ambient deployments. You can configure two environment variables in the Istio resource under spec.values.pilot.env:

  • AMBIENT_ENABLE_MULTI_NETWORK_INGRESS - Allows ingress gateways to route traffic to remote clusters. This enables load balancing across local and remote pods and ensures requests are served even when local pods are unavailable.
  • AMBIENT_ENABLE_BAGGAGE - Ensures service mesh telemetry metrics include accurate source and destination labels for cross-network traffic.

    Both variables support ambient mode in multi-primary multi-network topologies and are therefore Technology Preview features.

    OSSM-13455

1.3. Red Hat OpenShift Service Mesh version 3.4 fixed issues

This release addresses the following fixed issues:

Istiod containers include termination message policy for easier debugging

Before this update, istiod containers did not specify a terminationMessagePolicy. As a consequence, when an istiod container failed, you had to retrieve log information from log storage systems for troubleshooting. This release sets the terminationMessagePolicy to FallbackToLogsOnError. As a result, when a container fails, the last chunk of log output is captured in the pod status and accessible with oc describe pod, making initial debugging easier without requiring log storage access.

OSSM-13701

Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 문서 정보

Legal Notice

Theme

© 2026 Red Hat
맨 위로 이동