Open Service Mesh

Open Service Mesh (OSM) is a cloud-native, Envoy-based service mesh (service networking) for Kubernetes that implements traffic management, security, and observability features in a programmable control plane.

  • Envoy-based data plane for managing service-to-service communication (service mesh)
  • Traffic management for HTTP/TCP, including routing, retries, and circuit breaking (traffic management)
  • mTLS for pod-to-pod encryption and service identity using certificates (network security)
  • Policy-driven access control for services and routes (identity and access management)
  • Request metrics, logs, and traces export to external observability systems (observability and monitoring)

More About Open Service Mesh

Open Service Mesh (OSM) is an open-source, lightweight service mesh (service networking) that runs on Kubernetes and uses Envoy proxies as a data plane to manage service-to-service communication. It provides a programmable control plane for configuring traffic routing, security policies, and observability for microservices workloads. OSM is a Cloud Native Computing Foundation (CNCF) sandbox project and follows cloud-native design principles centered around declarative configuration and Kubernetes-native workflows.

The project focuses on simplifying common service mesh capabilities (service networking), including secure communication, fine-grained traffic control, and telemetry collection. OSM manages sidecar Envoy proxies that intercept and control traffic between Kubernetes pods. Using custom resource definitions (CRDs) and configuration APIs, OSM lets platform teams define how traffic is routed, how services authenticate to each other, and which metrics and traces are exported. OSM implements mutual Transport Layer Security (mTLS) (network security) for pod-to-pod communication and uses certificates issued by a pluggable certificate manager, which can integrate with different certificate authorities.

In the area of traffic management (traffic management), OSM supports routing rules for Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP), including features such as traffic splitting for canary or blue-green deployment patterns, retries, timeouts, and circuit breaking. These features enable teams to control rollout strategies for new service versions and manage failure modes in a structured way. OSM aligns with service mesh concepts defined by the Service Mesh Interface (SMI) (service mesh standard), providing compatibility with SMI traffic access, traffic split, and traffic metrics specifications where applicable.

OSM also focuses on observability (observability and monitoring) by configuring Envoy sidecars to emit metrics, logs, and traces. These can integrate with external systems such as metrics backends, log aggregators, and distributed tracing platforms. This telemetry allows operators to monitor request rates, latencies, error rates, and connection statistics for services that participate in the mesh. The configuration model is Kubernetes-native, so mesh configuration can be versioned and managed using existing GitOps and Continuous Integration and Continuous Deployment (CI/CD) processes.

For enterprises, OSM fits into the platform and infrastructure layer as a service mesh (service networking) that supports zero-trust networking approaches through mTLS, policy-driven access control (identity and access management), and controlled east–west traffic in Kubernetes clusters. It interoperates with standard Kubernetes resources and can coexist with other CNCF projects in a cloud-native stack. OSM is suitable for teams that require a service mesh aligned with SMI concepts and Envoy-based sidecars while maintaining a relatively small and focused control plane architecture.