This documentation is for the Latest version of Knative serving, which uses fleets and Anthos Service Mesh. Learn more.

The past version (Cloud Run for Anthos) has been archived but the documentation remains available for existing users.

Available versions

Latest
Archive

Prerequisites for clusters outside Google Cloud

Before you install Knative serving in your cluster outside Google Cloud, you must first ensure that you meet the following requirements:

Review and understand the access permissions of components in Knative serving.
You must ensure that you have adequate permissions in your Google Cloud project to meet the installation requirements for your cluster, fleet, and Anthos Service Mesh:
- If you have the Owner role for the Google Cloud project, then you have more than the necessary permissions to create clusters, install, and then configure Knative serving.
- Your GKE clusters outside of Google Cloud might also require other permissions. See the documentation and requirements for your cluster.
- Note that the Anthos Service Mesh permissions requirements also meet all the permission requirements for installing and configuring Knative serving.
- Using other roles and the minimum requirements:
  
  Depending on your organization, you can also meet the permission requirements through a combination of the following predefined roles:
  - Google Cloud project permissions: Basic Editor role
  - GKE Enterprise fleet permissions: GKE Hub Admin or a role that includes the following permissions:
    - gkehub.features.create
    - gkehub.features.update
  - Cluster permissions: A Kubernetes Engine Admin Role:
    - Kubernetes Engine Admin
    - Kubernetes Engine Cluster Admin
An GKE Enterprise cluster with the following configuration is required:
- A supported Google Distributed Cloud Virtual cluster. For previous installations on Google Distributed Cloud Virtual clusters, you must migrate Knative serving on VMware to a fleet.
  
  Preview: Other GKE clusters environments outside Google Cloud are currently available as a "Preview". Learn more.
- Registered in your GKE Enterprise fleet:
  
  Go to GKE Enterprise clusters
  
  Tip: Workload Identity allows you to authenticate to Google Cloud services and it's also required by Anthos Service Mesh. Enabling fleet Workload Identity Federation in your cluster during fleet registration can reduce the configuration and deployment time.
  
  To learn how to register your cluster and enable Workload Identity in your fleet, see Registering a cluster
- In-cluster Anthos Service Mesh version 1.18 or later is installed. Additionally, note the following prerequisites:
  - The Google-managed Anthos Service Mesh control plane is currently not fully supported by Knative serving. Use the in-cluster control plane instead.
  - Anthos Service Mesh requires that your cluster use a machine type with at least 4 vCPUs, such as e2-standard-4. See the Anthos Service Mesh installation guide for details about requirements. If you need to change your existing cluster's machine type, see Migrating workloads to different machine types.
  - In order to benefit from the automated provisioning of test domains - Anthos Service Mesh uses an ingress gateway and a service named istio-ingress in namespace istio-system. To enable creation of the gateway during the feature installation use --option legacy-default-ingressgateway of asmcli installation script.
The command-line environment must be set up.
The following APIs must be enabled in your Google Cloud project:
- Google Kubernetes Engine API: Build and manage container-based applications.
- Cloud Build API: Create and manage builds.
- Container Registry API: Push and pull images in Container Registry.
Enable the APIs in the Google Cloud console