Release Notes
OpenShift Service Mesh release notes
Abstract
Chapter 1. OpenShift Service Mesh release notes
Review new features, compatibility updates, fixed issues, and known issues for Red Hat OpenShift Service Mesh to stay informed about changes across different product versions.
1.1. Red Hat OpenShift Service Mesh version 3.3.1
This release of Red Hat OpenShift Service Mesh is included with the Red Hat OpenShift Service Mesh Operator 3.3.1 and is supported on OpenShift Container Platform 4.18-4.21. This release addresses enhancements, fixed issues, and Common Vulnerabilities and Exposures (CVEs).
For supported component versions for 3.3.1, see "Service Mesh version support tables".
1.1.1. Fixed issues
- Smart load balancing issue in OpenShift AI and llm-d resolved
Before this update, a bug in Istio caused a smart load balancing issue in OpenShift AI and llm-d on OpenShift Container Platform 4.20 and possibly 4.21. As a consequence, improper load distribution affected user experience. With this release, the update fixes the smart load balancing issue. As a result, sharing a Gateway now provides greater stability for many models.
- Increased xDS keepalive timeout for FIPS-enabled clusters
Before this update, the proxy in Red Hat OpenShift Service Mesh processed a high volume of clusters with Transport Layer Security (TLS) contexts on a FIPS-enabled cluster. As a consequence, the Envoy main thread missed keepalive signals due to the additional cryptographic checks, which caused the xDS proxy downstream to stop with the following error:
xdsproxy downstream terminated with unexpected error … rpc error: code = Unavailable desc = transport is closingWith this release, the new default configuration extends the keepalive timeout to 2 minutes from 30 seconds. As a result, the proxy maintains a stable connection even during intensive configuration processing in FIPS environments.
1.2. Red Hat OpenShift Service Mesh version 3.3 new features and enhancements
This release makes Red Hat OpenShift Service Mesh 3.3 generally available, adds new features, addresses Common Vulnerabilities and Exposures (CVEs), and is supported on OpenShift Container Platform 4.18 and later.
For a list of supported component versions and support features, see "Service Mesh feature support tables".
When upgrading from OpenShift Service Mesh 2.x, first you must migrate to version 3.0. Then, you can upgrade to version 3.1 and incrementally to version 3.3. For more information see, Migrating from Service Mesh 2 to Service Mesh 3 in the OpenShift Service Mesh 3.0 documentation and Updating in the OpenShift Service Mesh 3.3 documentation.
- Support for post-quantum cryptography (PQC)
With this update, Red Hat OpenShift Service Mesh adds support for post-quantum cryptography (PQC) encryption algorithm
X25519MLKEM768with both Istio gateways and in-mesh traffic (for both sidecar and ambient modes).NoteThe PQC
X25519MLKEM768algorithm is not available in FIPS-enabled clusters.- Support for FIPS 140-2 Compliance for ztunnel in ambient mode
With this release, ztunnel supports FIPS 140-2 compliant clusters in ambient mode. This release adds TLS 1.2 support for secure communications with the existing TLS 1.3 support that enables
ztunnelandIstiodto communicate. As a result, the ambient mode functions correctly on FIPS-enabled clusters, ensuring a secure and compliant environment for end users.- Support for Gateway API 1.4.0 and Gateway API Inference Extensions 1.1
This update introduces support for Gateway API 1.4.0 and Gateway API Inference Extensions 1.1 to provide users with the latest networking standards and advanced traffic management capabilities.
- Health status pre-compute and caching in Kiali
Kiali now features health status pre-compute and caching by default to optimize performance as production mesh sizes grow. This enhancement shifts health status calculations from an on-demand model to a background process that pre-calculates data by using a configurable duration (five minutes by default).
As a result, users experience significantly faster render times and increased responsiveness on the Overview and List pages, where the Duration dropdown selector is now removed. Other pages, such as the Traffic graph and Detail pages continue to calculate health status on-demand, and based on the user’s selected duration.
Kiali introduces a background health status pre-compute and caching mechanism that functions independently of user sessions. The
Kialicustom resource (CR) now includes the following new fields:-
spec.health_config.compute.duration -
spec.health_config.compute.refresh_interval -
spec.health_config.compute.TIMEOUT -
spec.kiali_internal.health_cache.enabled(Keep the health cache enabled as not all the features fall back to on-demand calculation.)
-
- Kiali traffic graph caching
Kiali now introduces traffic graph caching enabled by default to optimize the performance of the Service Mesh visualization. This enhancement allows Kiali to periodically regenerate and cache the traffic graph in the background based on the UI’s refresh interval. As a result, users experience significantly faster re-render times when navigating back to the traffic graph or during automatic refreshes, particularly within large and complex meshes.
The backend resource utilization might get affected, although it does not change significantly. The caching can be disabled in the
KialiCR by setting thespec.kiali_internal.traffic_cache.enabledfield tofalse.
1.3. Red Hat OpenShift Service Mesh version 3.3 Technology Preview features
This release includes some features that are currently in Technology Preview. These experimental features are not intended for production use.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
- Technology Preview for multi-cluster support in Istio ambient mode
Red Hat OpenShift Service Mesh introduces the Technology Preview (TP) of multi-cluster support for Istio’s ambient mode. The multi-cluster support provides the capability to manage and deploy applications across multiple clusters, focusing on multi-primary topologies. It is designed for testing and feedback to help identify potential limitations in experimental settings. Use the feature only in non-production environments. This feature is only available as a Technology Preview.
1.4. Red Hat OpenShift Service Mesh version 3.3 fixed issues
This release addresses the following fixed issues:
- Halting unnecessary OpenShift Service Mesh Console pod redeployments
Before this update, Kiali Operator provided by Red Hat was incorrectly reconciling OpenShift Service Mesh Console every ten hours due to a misconfigured watches setup. As a consequence, Kiali operator triggered unnecessary pod redeployment for OpenShift Service Mesh Console, affecting application stability in production. With this release, the Kiali Operator reconciliation period is changed to zero, halting periodic console pod redeployment. As a result, the Kiali Operator no longer triggers console pod redeployment every 10 hours, improving production environment stability.
- Removed false warnings for unmanaged namespaces in Kiali logs
Before this update, Kiali logged warnings for namespaces without the required sidecar label. As a consequence, users experienced excessive warnings in Kiali logs for namespaces not managed by the Istio control plane due to incorrect
GetRootNamespacedetermination. With this release, the false warnings in Kiali logs for namespaces not managed by the Istio control plane are removed. As a result, user experience is improved by reducing unnecessary log messages.
1.5. Red Hat OpenShift Service Mesh 3.3 known issues
This release has the following known issues:
- Performance issues when applying configuration changes in large FIPS clusters
There is currently a known issue where applying configuration changes takes longer than expected in environments with a large number of services and pods when FIPS mode is enabled. This delay occurs because Envoy performs additional certificate checks to maintain FIPS compliance.
There is currently no workaround for this issue. Wait for the configuration changes to complete; the process eventually succeeds.
- Increased Envoy validation time impacts OSSM proxy readiness
In the Red Hat OpenShift Service Mesh 3.3 FIPS release, a known issue arises due to extended validation time for
ISTIO_MUTUALTLS keys within Envoy, leading to a delay. The issue particularly affects the readiness time of Envoy proxies in Red Hat OpenShift Service Mesh 3.3 FIPS clusters, potentially increasing performance impact on the affected cluster.There is currently no workaround for this issue.
1.6. Additional resources
Chapter 2. Service Mesh version support tables
3.3.1 version support tables offer guidance on latest versions of components in OpenShift Service Mesh 3.
2.1. OpenShift Service Mesh supported versions
See the following table for information about OpenShift Service Mesh 3.3.1 supported versions.
2.1.1. OpenShift Service Mesh 3.3.1 supported versions
| Feature | Supported versions |
|---|---|
| OpenShift Service Mesh 3 Operator | 3.3.1 |
|
OpenShift Service Mesh | 1.28.5 |
| OpenShift Container Platform | 4.18 and later |
| Envoy proxy | 1.36.5 |
|
| 1.28.5 |
|
| 1.28.5 |
| Kiali Operator | 2.22.1 |
| Kiali server | 2.22.1 |
See the following table for information about OpenShift Service Mesh 3.3.0 supported versions.
2.1.2. OpenShift Service Mesh 3.3.0 supported versions
| Feature | Supported versions |
|---|---|
| OpenShift Service Mesh 3 Operator | 3.3.0 |
|
OpenShift Service Mesh | 1.28.4 |
| OpenShift Container Platform | 4.18 and later |
| Envoy proxy | 1.36.4 |
|
| 1.28.4 |
|
| 1.28.4 |
| Kiali Operator | 2.22.1 |
| Kiali server | 2.22.1 |
2.2. Additional resources
Chapter 3. Service Mesh feature support tables
3.3.1 feature support tables offer guidance on feature availability in OpenShift Service Mesh 3.
3.1. Release notes definitions
For Red Hat OpenShift Service Mesh 3, features that are Generally Available (GA) are fully supported and are suitable for production use.
Technology Preview (TP) features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. See the Technology Preview scope of support on the Red Hat Customer Portal for more information about Technology Preview features.
Developer Preview (DP) features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.
Not available (NA) features might not be available with Red Hat OpenShift Service Mesh 3.
3.2. Sail Operator APIs
| Feature | Status |
|---|---|
| Istio | GA |
| IstioRevision | GA |
| IstioCNI | GA |
| IstioRevisionTag | GA |
| ZTunnel | GA |
3.3. Istio deployment and lifecycle
| Feature | Status |
|---|---|
| Installation with the Red Hat OpenShift Service Mesh Operator | GA |
| Istio sidecar mode data plane | GA |
|
| GA |
| The Istio multicluster mesh deployment models | GA |
| The Istio external control plane deployment models | GA |
| Multiple control planes on a single OpenShift Container Platform cluster | GA |
|
| GA |
|
Istio configuration scoping: Sidecar API, | GA |
| IPv6 support | GA |
| Dual stack IPv4/IPv6 | GA [4] |
| Virtual machine (non-OpenShift) workload integration | DP |
| Istioctl for select commands | GA [1] |
| Helm or Istioctl installation | NA [2] |
| ProxyConfig | GA [3] |
- For more information, see "Support for Istioctl".
- Installation is only supported by using the OpenShift Service Mesh 3 Operator, which uses the Istio Helm chart values for managing configuration.
-
The
ProxyConfigAPI is supported with the exception of the image field, which is not supported. - Dual-Stack IPv4/IPv6 is supported on x86 environments only. On non-x86 environments, this feature remains a Technology Preview.
3.4. Istio traffic management
| Feature | Status |
|---|---|
| Protocols: HTTP1.1/HTTP2/HTTPS/gRPC/TCP/TLS | GA |
| Traffic control: label/content based routing, traffic shifting | GA |
|
| GA |
| Resilience features: timeouts, retries, connection pools, outlier detection | GA |
| Gateway: ingress, egress for all supported protocols | GA |
| Gateway injection | GA |
| TLS termination and SNI support in gateways | GA |
| Locality load balancing | GA |
| DNS proxying | GA |
| Kubernetes Multi-Cluster Service (MCS) discovery | DP |
3.5. Kubernetes Gateway API
| Feature | Status |
|---|---|
| Kubernetes Gateway APIs for ingress (Gateway parentRef) | GA |
| Kubernetes Gateway APIs for mesh (Service parentRef) | GA |
| Kubernetes Gateway API custom resource definitions (CRDs) | GA [1] |
| Kubernetes Gateway API manual deployment | NA |
| Gateway network topology configuration | DP |
| Gateway inference extensions | TP |
- The use of Kubernetes Gateway API requires custom resource definitions (CRDs). The CRDs are present by default and generally available on Red Hat OpenShift Service Mesh 4.19 and later releases. Red Hat OpenShift Service Mesh 4.18 and earlier releases do not include or provide support for these CRDs.
3.6. Security features
3.6.1. Encryption and certificate management
| Feature | Status |
|---|---|
| Service-to-service mutual TLS encryption | GA |
| Identity and certificate management for workloads | GA |
| Peer authentication | GA |
| Certificate management for ingress gateway | GA |
| Pluggable key/certificate support for Istio certificate authority (CA) | GA |
| Cert-Manager integration with the cert-manager Operator for Red Hat OpenShift | GA |
| Kubernetes ClusterTrustBundles | DP |
| Post Quantum Cryptography (PQC) with the X25519MLKEM768 key exchange | GA |
3.6.2. Authorization and policy enforcement
| Feature | Status |
|---|---|
| AuthorizationPolicy | GA |
| External authorization | GA |
| End user (JWT) authentication | GA |
| JWT claim based routing | GA |
| Authorization dry run | TP |
| Copy JWT claims to HTTP Headers | DP |
| RequestAuthentication | GA |
3.7. Observability features
OpenShift Service Mesh 3 provides end-to-end support for observability, including logs, metrics, and distributed tracing with Red Hat OpenShift Observability and the Kiali Operator provided by Red Hat.
+Integrations with other community projects (including community Prometheus) and third-party solutions can be configurable through Istio or Observability operators, but those solutions are not supported by Red Hat.
| Feature | Status |
|---|---|
| Integration with Red Hat OpenShift Observability - user workload monitoring | GA |
| Red Hat OpenShift distributed tracing platform (Tempo) | GA |
| Red Hat OpenShift distributed tracing data collection Operator | GA |
| Trace sampling configuration | GA |
| Istio Telemetry API for configuring logs, metrics, and traces | GA |
| Istio preconfigured Grafana dashboards | DP [1] |
| Request classification | NA |
- While Grafana is not included as part of OpenShift Service Mesh, the preconfigured dashboards for Grafana maintained by the Istio community can be use with OpenShift Service Mesh under a Developer Preview scope. These are best used as a starting point for building your own dashboards.
3.8. Consoles and dashboards
| Feature | Status |
|---|---|
| Kiali Operator provided by Red Hat | GA |
| Kiali Server | GA |
| OpenShift Service Mesh Console (OSSMC) plugin | GA |
3.9. Extensibility features
| Feature | Status |
|---|---|
| WebAssembly extension | GA [1] |
|
| DP [2] |
-
The
WasmPluginAPI for extending Istio using Web Assembly extensions is supported, but support is not provided for any Web Assembly extension modules unless explicitly documented. -
The
EnvoyFilterAPI is available for use with Red Hat OpenShift Service Mesh, but is not supported, except where explicitly documented. Due to tight coupling with the underlying Envoy APIs, backward compatibility cannot be maintained. Note thatEnvoyFilterpatches are very sensitive to the format of the Envoy configuration that is generated by Istio. If the configuration generated by Istio changes, it has the potential to break the application of theEnvoyFilterconfiguration. Any configuration provided through this API should be carefully monitored across Istio proxy version upgrades to ensure that deprecated fields are removed and replaced appropriately. If a support case is raised where anEnvoyFilterconfiguration is used, Red Hat might request that the issue be reproduced with theEnvoyFilterconfiguration removed.
3.10. Istio Ambient mode (sidecarless) data plane
| Feature | Status |
|---|---|
| Ztunnel: Core | GA |
| Waypoint: Core | GA |
| Waypoint: Gateway API Stable Channel (HTTPRoute, GRPCRoute) | GA |
| Gateway API Experimental Channel (TLSRoute, TCPRoute) | DP |
| Waypoint: DestinationRule | GA |
| Waypoint: VirtualService | TP |
| Waypoint: Cross-namespace usage | GA |
| Waypoint: WebAssembly extensibility (WasmPlugin) | DP |
| AuthorizationPolicy, PeerAuthentication, RequestAuthentication | GA |
| DNS Proxying | GA |
| Dual-stack and IPv6 single stack | TP |
| Mixing sidecar and ambient namespaces within a single mesh | DP |
| Deploying ambient mode on a cluster with an existing sidecar mesh | NA |
| Multiple “ambient mode” meshes in a single cluster | NA |
| Multi-Cluster - Multi-primary topology | TP |
| Multi-Cluster - Other topologies | NA |
| Upgrades: InPlace | GA |
| Upgrades: RevisionBased | NA |