이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 1. OpenShift Service Mesh release notes
Review new features, compatibility updates, fixed issues, and known issues for Red Hat OpenShift Service Mesh to stay informed about changes across different product versions.
1.1. Red Hat OpenShift Service Mesh version 3.4 new features and enhancements 링크 복사링크가 클립보드에 복사되었습니다!
This release makes Red Hat OpenShift Service Mesh 3.4 generally available, adds new features, addresses Common Vulnerabilities and Exposures (CVEs), and is supported on OpenShift Container Platform 4.20 and later versions.
For a list of supported component versions and support features, see Service Mesh feature support tables.
- Service Mesh compatibility with Red Hat Enterprise Linux 10
Red Hat OpenShift Service Mesh 3.4 introduces native
nftablessupport for traffic management in both sidecar and ambient modes. This support is required for clusters running on Red Hat Enterprise Linux (RHEL) 10 or Red Hat Enterprise Linux CoreOS (RHCOS) 10, where the legacyiptablesframework has been removed.OpenShift Service Mesh relies on packet filtering rules to redirect network traffic to the proxy. Because RHEL 10 systems use
nftablesexclusively, you must enable nativenftablessupport to ensure that the service mesh can initialize and manage network traffic correctly on these hosts.To enable native
nftablessupport, set thevalues.global.nativeNftablesparameter totruewhen you install or update the Service Mesh control plane.If you use ambient mode, you might need to reboot nodes after enabling
nftables. For guidance, see Nftables migration in ambient mode.- OpenShift Service Mesh supports FIPS 140-3 compliance
On FIPS-enabled OpenShift Container Platform clusters, Service Mesh supports FIPS 140-3 for both sidecar and ambient modes, ensuring continued compliance after the FIPS 140-2 standard expires on September 21, 2026. This release adds TLS 1.3 support for all mesh traffic in addition to the existing TLS 1.2 support, providing stronger encryption for mesh communications. The minimum TLS version remains TLS 1.2.
- OpenShift Service Mesh supports the coexistence of sidecar and ambient mode workloads
Service Mesh supports running sidecar proxy and ambient mode workloads simultaneously in separate namespaces within the same mesh (with limitations noted in the documentation). This coexistence enables an incremental migration to ambient mode. You can also maintain specific workloads in sidecar mode if they require features that ambient mode does not yet support.
For more information, see Coexistence of ambient and sidecar modes.
- Kiali reduces false warnings in multi-cluster AuthorizationPolicies
In this release, Kiali validates trust domains in
AuthorizationPoliciesby checking thetrustDomainAliasesfield in the IstioMeshConfig. This enhanced validation provides more accurate feedback when working with federated multi-cluster meshes.This enhancement introduces two validation message changes:
-
New validation message
KIA0108 - Unable to verify principal, trust domain is not known to Kialiappears when a trust domain is genuinely unknown. Existing validation
KIA0107 - Service Account for this principal found on a remote clusterwas downgraded from Warning to Informational, eliminating false warnings for working multi-cluster configurations.
-
New validation message
- Kiali supports stricter namespace access control for multi-tenancy environments
This release introduces a new configuration attribute,
KialiFeatureFlags.Authz.RequireNamespaceGet, to improve multi-tenancy support in Kiali. By default, when Kiali runs in cluster-wide mode, it treats users with List permission to a namespace as also having Get permission, and displays all List namespaces in the Namespace dropdown. In environments where List and Get permissions differ, this can expose namespaces that users should not access. When you setKialiFeatureFlags.Authz.RequireNamespaceGet=true, Kiali limits the Namespace dropdown to only those namespaces for which users have Get permission, ensuring stricter access control. The default value isfalse, so existing deployments are not affected.- OpenShift Service Mesh supports Gateway API 1.5.1, in which the following features are now stable
- ListenerSet for simplified gateway listener configuration
- TLSRoute for routing encrypted non-HTTP traffic
- HTTPRoute CORS configuration for cross-origin API access
- Client certificate validation for mutual TLS authentication at the gateway
- Certificate selection for multi-domain gateway TLS configurations
ReferenceGrant for cross-namespace access delegation
Additionally, for teams serving AI/ML models with Red Hat OpenShift, this release supports Gateway API Inference Extension 1.4.0. This extension provides intelligent routing and load balancing optimized for GPU-accelerated inference workloads.
- Performance and security improvements from upstream Istio and the Sail Operator
As a distribution based on upstream Istio and the Sail Operator, OpenShift Service Mesh inherits enhancements from these projects. Review the following upstream changes in this release to determine whether your deployment needs configuration updates:
-
Circuit breaker metrics tracking is disabled by default to improve proxy memory usage. Before this update, this tracking was enabled by default. To reenable it, set the environment variable
DISABLE_TRACK_REMAINING_CB_METRICS=falseinistiod. This affects thetrack_remainingsetting in Envoy’s circuit breaker configuration. -
Debug endpoint authorization is now enabled by default. This change affects tools that access debug endpoints from non-system namespaces. For example, this change might affect Kiali if you deploy it in a different namespace from the Istio control plane. This release restricts non-system namespaces to specific debug endpoints only, with access limited to
config_dump,ndsz, andedszfor same-namespace proxies. To restore the previous behavior, set the environment variableENABLE_DEBUG_ENDPOINT_AUTH=falseinistiod. -
HTTP compression for Envoy metrics is now enabled by default. The
sidecar.istio.io/statsCompressionannotation was removed. This release replaces it with a newstatsCompressionoption inproxyConfigthat defaults totrue. Envoy now compresses metrics using brotli, gzip, or zstd based on theAccept-Encodingheader. You can override per-pod compression, if needed, by using theproxy.istio.io/configannotation. -
DNS proxying is now enabled by default for workloads in an ambient mesh. This ensures that Istio correctly resolves and tracks
ServiceEntrydestinations. DNS traffic from already-running workloads is not automatically redirected through ztunnel when you enable or upgrade ambient mode. To enable DNS proxying for these existing pods, manually restart them. Alternatively, configure Istio CNI with--set cni.ambient.reconcileIptablesOnStartup=trueto reconcile the requirediptablesrules automatically. This setting is enabled by default in Istio 1.29 and later versions. (Note that DNS capture is still not enabled by default in sidecar mode, asServiceEntryresources are correctly handled at the sidecar proxy with default settings.)
-
Circuit breaker metrics tracking is disabled by default to improve proxy memory usage. Before this update, this tracking was enabled by default. To reenable it, set the environment variable
1.2. Red Hat OpenShift Service Mesh version 3.4 Technology Preview features 링크 복사링크가 클립보드에 복사되었습니다!
This release includes some features that are currently in Technology Preview. These experimental features are not intended for production use.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
- SPIRE integration enables zero-trust workload identity
Red Hat OpenShift Service Mesh integrates with the SPIFFE Runtime Environment (SPIRE) to provide stronger cryptographically verifiable workload identities. SPIFFE (Secure Production Identity Framework for Everyone) is an open standard for establishing trust between workloads in distributed systems.
While OpenShift Service Mesh already supports workload identity creation and management through the SPIFFE protocol, SPIRE extends this with:
- Deep workload attestation - Verifies workload identity based on configurable criteria backed by hardware or cloud environment verification
Trust domain federation - Enables workloads from different trust domains to authenticate and communicate securely
SPIRE is supported as part of the Open Shift Zero Trust Workload Identity Manager. Integration with OpenShift Service Mesh is a Technology Preview feature.
For more information, see SPIRE integration for mesh security.
- Multi-cluster support in Istio ambient mode
Support for ambient mode in multi-primary multi-network topologies continues to be a Technology Preview feature.
For more information, see Installing a multi-primary multi-network mesh in ambient mode.
- Multi-network ingress gateway support in ambient mode
This release adds cross-cluster networking for ingress gateways in multi-network ambient deployments. You can configure two environment variables in the Istio resource under
spec.values.pilot.env:-
AMBIENT_ENABLE_MULTI_NETWORK_INGRESS- Allows ingress gateways to route traffic to remote clusters. This enables load balancing across local and remote pods and ensures requests are served even when local pods are unavailable. AMBIENT_ENABLE_BAGGAGE- Ensures service mesh telemetry metrics include accurate source and destination labels for cross-network traffic.Both variables support ambient mode in multi-primary multi-network topologies and are therefore Technology Preview features.
-
1.3. Red Hat OpenShift Service Mesh version 3.4 fixed issues 링크 복사링크가 클립보드에 복사되었습니다!
This release addresses the following fixed issues:
- Istiod containers include termination message policy for easier debugging
Before this update, istiod containers did not specify a
terminationMessagePolicy. As a consequence, when an istiod container failed, you had to retrieve log information from log storage systems for troubleshooting. This release sets theterminationMessagePolicytoFallbackToLogsOnError. As a result, when a container fails, the last chunk of log output is captured in the pod status and accessible withoc describe pod, making initial debugging easier without requiring log storage access.