OpenShift Ambient Mesh Setup
This is a short demonstration of Istio Ambient Mesh on OpenShift 4.19 via the OpenShift Service Mesh operator.
You can install Istio ambient mode on OpenShift Container Platform 4.19 or later and Red Hat OpenShift Service Mesh 3.1.0 or later with the required Gateway API custom resource definitions (CRDs).
This is currently a Technology Preview feature of OpenShift.
Pre-requisites
Before we begin, let's ensure we are logged into our cluster in the terminal and the cluster meets our version requirements.
Verify cluster auth status
oc version && oc whoamiClient Version: 4.19.7 Kustomize Version: v5.5.0 Server Version: 4.19.9 Kubernetes Version: v1.32.7 admin
Upgrade cluster
The Red Hat demo system environment available was not yet running OpenShift 4.19 so I needed to upgrade it before performing any demo preparation steps.
The first step is to acknowledge the k8s api deprecations between 4.18 and 4.19.
oc -n openshift-config patch cm admin-acks --patch '{"data":{"ack-4.18-kube-1.32-api-removals-in-4.19":"true"}}' --type=merge
Once admin acks are in place we can set the upgrade channel to fast-.419.
oc adm upgrade channel fast-4.19Now we're ready to trigger the upgrade.
oc adm upgrade --to 4.19.9Before proceeding with any further steps let's wait for the cluster upgrade to complete.
oc adm wait-for-stable-clusterInstall service mesh operator
Our first step to prepare the demonstration is to install the service mesh operator.
cat << EOF | oc apply --filename -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: servicemeshoperator3
namespace: openshift-operators
spec:
channel: stable
installPlanApproval: Automatic
name: servicemeshoperator3
source: redhat-operators
sourceNamespace: openshift-marketplace
EOFOnce the operator has completed installation we should see new Custom Resources available for use:
oc get crd | grep sail| istiocnis.sailoperator.io | 2025-08-21T00:30:28Z |
| istiorevisions.sailoperator.io | 2025-08-21T00:30:28Z |
| istiorevisiontags.sailoperator.io | 2025-08-21T00:30:29Z |
| istios.sailoperator.io | 2025-08-21T00:30:28Z |
| ztunnels.sailoperator.io | 2025-08-21T00:30:28Z |