This is a Preview version of the Cloud Run for Anthos documentation for use with Anthos fleets and Anthos Service Mesh. Learn more.

The current GA version of the Cloud Run for Anthos documentation remains available for existing users. New product evaluations during the free trial should use the Preview installation documentation.

Setting up Cloud Run for Anthos

Learn how to setup and configure your installation of Cloud Run for Anthos.

Before you begin

You must have Cloud Run for Anthos installed on your Anthos cluster. See the installation guide for details about Anthos cluster prerequisites and how to install Cloud Run for Anthos.

Setting up authentication with Workload Identity

You can use Workload Identity to authenticate your Cloud Run for Anthos services to access Google Cloud services. You must set up Workload Identity before you deploy services to your cluster; otherwise, each service that exists on your cluster prior to enabling Workload Identity needs to be migrated. Learn more about using Workload Identity.

Enabling metrics with Workload Identity

To enable metrics, like reporting request count or request latency to Google Cloud's operations suite, you need to manually set write permissions for Cloud Monitoring. For details, see Enabling metrics with Workload Identity.

Configuring HTTPS and custom domains

To enable HTTPS and set a custom domain, see the following pages:

Setting up Anthos Service Mesh

To configure Anthos Service Mesh options for Cloud Run for Anthos, see the Google-managed control plane page.

Also see the other In-cluster control plane options, including how to set up a private, internal network.

Setting up a private, internal network

Deploying services on an internal network is useful for enterprises that provide internal apps to their staff, and for services that are used by clients that run outside the Cloud Run for Anthos cluster. This configuration allows other resources in your network to communicate with the service using a private, internal (RFC 1918) IP address that can't be accessed by the public.

To create your internal network, you configure Anthos Service Mesh to use Internal TCP/UDP Load Balancing instead of a public, external network load balancer. You can then deploy your Cloud Run for Anthos services on an internal IP address within your VPC network.

Before you begin

  • You must have admin permissions on your cluster.
  • If you configured a custom domain, you must disable the managed TLS feature because Managed TLS on Cloud Run for Anthos is currently unsupported by the internal load balancer.
  • Only Cloud SDK versions 310.0 or above are supported. For more details, see Setting up gcloud.

To set up the internal load balancer:

  1. Enable an internal load balancer.

  2. Run the following command to watch updates to your GKE cluster:

    kubectl -n INGRESS_NAMESPACE get svc istio-ingressgateway --watch
    

    Replace INGRESS_NAMESPACE with the namespace of your Anthos Service Mesh ingress service. Specify istio-system if you installed Anthos Service Mesh using its default configuration.

    1. Note the annotation cloud.google.com/load-balancer-type: Internal.
    2. Look for the value of IP in the Ingress load balancer to change to a private IP address.
    3. Press Ctrl+C to stop the updates once you see a private IP address in the IP field.
  3. For private clusters on Google Cloud, you must open ports. For details, see opening ports on your private cluster in the Anthos Service Mesh documentation.

To verify internal connectivity after your changes:

  1. Deploy a service called sample to Cloud Run for Anthos in the default namespace:

    gcloud run deploy sample \
    --image gcr.io/knative-samples/simple-api \
    --namespace default
    
  2. Create a Compute Engine virtual machine (VM) in the same zone as the GKE cluster:

    VM=cloudrun-gke-ilb-tutorial-vm
    
    gcloud compute instances create $VM
    
  3. Store the private IP address of the Istio Ingress Gateway in an environment variable called EXTERNAL_IP and a file called external-ip.txt:

    export EXTERNAL_IP=$(kubectl -n INGRESS_NAMESPACE get svc istio-ingressgateway \
        -o jsonpath='{.status.loadBalancer.ingress[0].ip}' | tee external-ip.txt)
    

    Replace INGRESS_NAMESPACE with the namespace of your Anthos Service Mesh ingress service. Specify istio-system if you installed Anthos Service Mesh using its default configuration.

  4. Copy the file containing the IP address to the VM:

    gcloud compute scp external-ip.txt $VM:~
    
  5. Connect to the VM using SSH:

    gcloud compute ssh $VM
    
  6. While in the SSH session, test the sample service:

    curl -s -w'\n' -H Host:sample.default.example.com $(cat external-ip.txt)
    

    The output is as follows:

    OK
    
  7. Leave the SSH session:

    exit
    
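The watch step above leaves it to you to notice when the ingress IP turns private. The following script, added here as an example and not part of the Cloud Run for Anthos documentation, automates that check: it polls the istio-ingressgateway service until the cloud.google.com/load-balancer-type annotation reads Internal and the address is inside an RFC 1918 range, and only then writes external-ip.txt as in step 3 of the verification. It assumes kubectl is already pointed at the cluster; INGRESS_NAMESPACE defaults to istio-system, the default installation namespace.

```shell
#!/bin/sh
# Added example (not from the docs): block until the ASM ingress gateway is
# behind the internal load balancer, refusing to record a still-public IP.
INGRESS_NAMESPACE="${INGRESS_NAMESPACE:-istio-system}"

# Return 0 if $1 is an IPv4 address in an RFC 1918 range (10/8, 172.16/12,
# 192.168/16); anything else, including a public address, returns 1.
is_rfc1918_ip() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  case "$1" in
    10)  return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    192) [ "$2" -eq 168 ] && return 0 ;;
  esac
  return 1
}

# Return 0 if the service carries cloud.google.com/load-balancer-type: Internal.
ingress_is_internal() {
  kubectl -n "$INGRESS_NAMESPACE" get svc istio-ingressgateway \
    -o jsonpath='{.metadata.annotations.cloud\.google\.com/load-balancer-type}' \
    | grep -qx Internal
}

# Current ingress IP (empty while the load balancer is being re-provisioned).
ingress_ip() {
  kubectl -n "$INGRESS_NAMESPACE" get svc istio-ingressgateway \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
}

# Poll up to $1 seconds (default 300); succeed only when the annotation is
# Internal AND the address is private, then save it like the docs' step 3.
wait_for_internal_ingress() {
  deadline=$(( $(date +%s) + ${1:-300} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    ip=$(ingress_ip)
    if ingress_is_internal && is_rfc1918_ip "$ip"; then
      printf '%s\n' "$ip" | tee external-ip.txt
      return 0
    fi
    sleep 5
  done
  echo "ingress gateway still has no private IP: '${ip:-none}'" >&2
  return 1
}
```

Run `wait_for_internal_ingress 600` after enabling the internal load balancer; a non-zero exit means the gateway is still public (or has no address yet), so the VM-based curl test should not be attempted.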

Setting up a multi-tenant environment

In multi-tenant use cases, you'll need to manage and deploy Cloud Run for Anthos services to a Google Kubernetes Engine cluster that is outside your current project. For more information about GKE multi-tenancy, see Cluster multi-tenancy.

To learn how to configure multi-tenancy for Cloud Run for Anthos, see Cross-project multi-tenancy.

What's next