Open Service Mesh (OSM) add-on in Azure Kubernetes Service (AKS)

Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows you to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.

OSM runs an Envoy-based control plane on Kubernetes and can be configured with SMI APIs. OSM works by injecting an Envoy proxy as a sidecar container with each instance of your application. The Envoy proxy contains and executes rules around access control policies, implements routing configuration, and captures metrics. The control plane continually configures the Envoy proxies to ensure policies and routing rules are up to date and proxies are healthy.

Microsoft started the OSM project, but it's now governed by the Cloud Native Computing Foundation (CNCF).

Note

With the retirement of Open Service Mesh (OSM) by the Cloud Native Computing Foundation (CNCF), we recommend identifying your OSM configurations and migrating them to an equivalent Istio configuration. For information about migrating from OSM to Istio, see Migration guidance for Open Service Mesh (OSM) configurations to Istio.

Enable the OSM add-on

OSM can be added to your Azure Kubernetes Service (AKS) cluster by enabling the OSM add-on using the Azure CLI or a Bicep template. The OSM add-on provides a fully supported installation of OSM that's integrated with AKS.

Important

Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM.

Kubernetes version	OSM version installed
1.24.0 or greater	1.2.5
Between 1.23.5 and 1.24.0	1.1.3
Below 1.23.5	1.0.0

Older versions of OSM may not be available for install or be actively supported if the corresponding AKS version has reached end of life. You can check the AKS Kubernetes release calendar for information on AKS version support windows.

Capabilities and features

OSM provides the following capabilities and features:

• Secure service-to-service communication by enabling mutual TLS (mTLS).
• Onboard applications onto the OSM mesh using automatic sidecar injection of Envoy proxy.
• Transparently configure traffic shifting on deployments.
• Define and execute fine-grained access control policies for services.
• Monitor and debug services using observability and insights into application metrics.
• Encrypt communications between service endpoints deployed in the cluster.
• Enable traffic authorization of both HTTP/HTTPS and TCP traffic.
• Configure weighted traffic controls between two or more services for A/B testing or canary deployments.
• Collect and view KPIs from application traffic.
• Integrate with external certificate management.
• Integrate with existing ingress solutions such as NGINX, Contour, and Application Routing.

For more information on ingress and OSM, see Using ingress to manage external access to services within the cluster and Integrate OSM with Contour for ingress. For an example of how to integrate OSM with ingress controllers using the networking.k8s.io/v1 API, see Ingress with Kubernetes Nginx ingress controller. For more information on using Application Routing, which automatically integrates with OSM, see Application Routing.

Limitations

The OSM AKS add-on has the following limitations:

• After installation, you must enable Iptables redirection for port IP address and port range exclusion using kubectl patch. For more information, see iptables redirection.
• Any pods that need access to IMDS, Azure DNS, or the Kubernetes API server must have their IP addresses added to the global list of excluded outbound IP ranges using Global outbound IP range exclusions.

• The add-on doesn't work on AKS clusters that are using Istio based service mesh addon for AKS.

• OSM doesn't support Windows Server containers.

Next steps

After enabling the OSM add-on using the Azure CLI or a Bicep template, you can:

• Deploy a sample application
• Onboard an existing application