In-cluster Cloud Service Mesh prerequisites

This page describes the prerequisites and the requirements for installing in-cluster Cloud Service Mesh on GKE, such as GKE Enterprise licensing, cluster requirements, fleet requirements, and general requirements.

Cloud project

Before you begin:

GKE Enterprise licensing

Cloud Service Mesh is available with GKE Enterprise or as a standalone service. Which Google APIs are enabled in your project determines how you are billed. To use Cloud Service Mesh as a standalone service, don't enable the GKE Enterprise API in your project. asmcli enables all of the other required Google APIs for you. For information about Cloud Service Mesh pricing, see Pricing.

  • If you are a GKE Enterprise subscriber, enable the GKE Enterprise API.


  • If you aren't a GKE Enterprise subscriber, you can still install Cloud Service Mesh, but certain UI elements and features in Google Cloud console are only available to GKE Enterprise subscribers. For information about what is available to subscribers and non-subscribers, see GKE Enterprise and Cloud Service Mesh UI differences.

  • If you enabled the GKE Enterprise API, but you want to use Cloud Service Mesh as a standalone service, disable the GKE Enterprise API.

General requirements

  • To be included in the service mesh, service ports must be named, and the name must include the port's protocol in the following syntax: name: protocol[-suffix] where the square brackets indicate an optional suffix that must start with a dash. For more information, see Naming service ports.

  • If you have created a service perimeter in your organization, you might need to add the Cloud Service Mesh certificate authority service to the perimeter. See Adding Cloud Service Mesh certificate authority to a service perimeter for more information.

  • If you want to change the default resource limits for the istio-proxy sidecar container, set the new values above the defaults. Limits below the defaults can cause out-of-memory (OOM) kills of the proxy.

  • A Google Cloud project can only have one mesh associated with it.
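The port-naming rule above is easy to get wrong in a large manifest set, so here is a small checker for it. This is an added example, not code from the Cloud Service Mesh docs or from asmcli; the KNOWN_PROTOCOLS set is an assumption taken from Istio's documented port name prefixes, and the embedded Service manifest is constructed. Confirm the protocol list against Naming service ports for your release.

```python
"""Validate Service port names against the protocol[-suffix] rule.

Added example (not from the Cloud Service Mesh docs or asmcli). The
KNOWN_PROTOCOLS set is an assumption taken from Istio's documented port
name prefixes; confirm it against "Naming service ports" for your release.
"""

# Assumption: Istio's recognised protocol prefixes for port names.
KNOWN_PROTOCOLS = {
    "http", "http2", "https", "grpc", "grpc-web",
    "mongo", "mysql", "redis", "tcp", "tls", "udp",
}

# Longest prefixes first so "grpc-web-api" resolves to grpc-web, not grpc,
# and "https-x" to https, not http.
_BY_LENGTH = sorted(KNOWN_PROTOCOLS, key=len, reverse=True)


def port_protocol(name):
    """Return the protocol a port name declares, or None.

    A valid name is exactly a protocol, or a protocol followed by a
    suffix that starts with a dash (http, http-web, grpc-web-api).
    """
    if not name:
        return None
    for proto in _BY_LENGTH:
        if name == proto or name.startswith(proto + "-"):
            return proto
    return None


def check_service(service):
    """Return human-readable problems for one Service (a dict in
    Kubernetes manifest shape, as kubectl get -o json would print)."""
    problems = []
    meta = service.get("metadata", {})
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    for port in service.get("spec", {}).get("ports", []):
        name = port.get("name")
        number = port.get("port")
        if name is None:
            problems.append(f"{ident}: port {number} is unnamed")
        elif port_protocol(name) is None:
            problems.append(
                f"{ident}: port {number} name {name!r} does not start "
                "with a recognised protocol"
            )
    return problems


# Constructed sample manifest, not from any real cluster.
SAMPLE_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "frontend", "namespace": "shop"},
    "spec": {
        "selector": {"app": "frontend"},
        "ports": [
            {"name": "http", "port": 80, "targetPort": 8080},   # ok
            {"name": "grpc-web-api", "port": 8081},             # ok: grpc-web + suffix
            {"name": "metrics", "port": 9090},                  # no protocol prefix
            {"port": 9091},                                     # unnamed
            {"name": "tcp-admin", "port": 9092},                # ok
        ],
    },
}

if __name__ == "__main__":
    for problem in check_service(SAMPLE_SERVICE):
        print(problem)
```

Run it over `kubectl get svc -A -o json` output by passing each item from the `items` list to `check_service`; ports it flags are the ones the mesh will not classify by protocol.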

Cluster requirements

  • Verify that your cluster version is listed in Supported platforms.

  • Your GKE cluster must meet the following requirements:

    • The GKE cluster must be Standard. Autopilot clusters are only supported with managed Cloud Service Mesh.

    • A machine type that has at least 4 vCPUs, such as e2-standard-4. If the machine type for your cluster doesn't have at least 4 vCPUs, change the machine type as described in Migrating workloads to different machine types.

    • The minimum number of nodes depends on your machine type. Cloud Service Mesh requires at least 8 vCPUs. If the machine type has 4 vCPUs, your cluster must have at least 2 nodes. If the machine type has 8 vCPUs, the cluster only needs 1 node. If you need to add nodes, see Resizing a cluster.

  • GKE Workload Identity is required. We recommend that you enable Workload Identity before installing Cloud Service Mesh. Enabling Workload Identity changes the way calls from your workloads to Google APIs are secured, as described in Workload Identity limitations. Note that you do not need to enable the GKE Metadata Server on existing node pools.

  • Optional but recommended: enroll the cluster in a release channel. We recommend the Regular release channel because other channels might be based on a GKE version that isn't supported with Cloud Service Mesh 1.23.3. For more information, see Supported platforms. If your cluster is on a static GKE version, follow the instructions in Enrolling an existing cluster in a release channel.

  • If you are installing Cloud Service Mesh on a private cluster, you must open port 15017 in the firewall so that the control plane can reach the webhooks used for automatic sidecar injection and configuration validation. Without that rule, injection silently does nothing and invalid configuration is not rejected. For more information, see Opening a port on a private cluster.

  • Ensure that the client machine that you install Cloud Service Mesh from has network connectivity to the API server.

  • For Windows Server workloads, Cloud Service Mesh is not supported. If your cluster has both Linux and Windows Server node pools, you can still install Cloud Service Mesh and use it on your Linux workloads.
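The cluster requirements above can be checked before running asmcli from the JSON that `gcloud container clusters describe CLUSTER --format=json` prints. The script below is an added example, not part of asmcli or the Cloud Service Mesh docs. It assumes the GKE Cluster API field names (autopilot, workloadIdentityConfig.workloadPool, releaseChannel.channel, nodePools[].config.machineType and imageType, privateClusterConfig) and derives vCPU counts from predefined machine type names; the embedded describe output is constructed, not captured from a real cluster.

```python
"""Pre-flight check of the cluster requirements for an in-cluster
Cloud Service Mesh install, run against `gcloud container clusters
describe CLUSTER --format=json` output.

Added example, not part of asmcli or the docs. Field names assume the GKE
Cluster API resource shape; the sample JSON below is constructed.
"""
import json
import re

MIN_VCPUS_PER_NODE = 4   # e.g. e2-standard-4
MIN_VCPUS_TOTAL = 8      # 2 x 4-vCPU nodes or 1 x 8-vCPU node
WEBHOOK_PORT = 15017     # injection and validation webhooks


def machine_vcpus(machine_type):
    """Derive the vCPU count from a predefined machine type name such as
    e2-standard-4 (the trailing number). Returns None for names that do
    not encode it (e2-medium, custom types), which need a manual check."""
    if not machine_type or "custom" in machine_type:
        return None
    m = re.search(r"-(\d+)$", machine_type)
    return int(m.group(1)) if m else None


def check_cluster(cluster):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if cluster.get("autopilot", {}).get("enabled"):
        findings.append("cluster is Autopilot; in-cluster install needs a Standard cluster")
    if not cluster.get("workloadIdentityConfig", {}).get("workloadPool"):
        findings.append("Workload Identity is not enabled on the cluster")
    channel = cluster.get("releaseChannel", {}).get("channel")
    if channel != "REGULAR":
        findings.append(f"release channel is {channel or 'none'}; REGULAR is recommended")

    total_vcpus = 0
    unknown = []
    for pool in cluster.get("nodePools", []):
        name = pool.get("name", "?")
        cfg = pool.get("config", {})
        if str(cfg.get("imageType", "")).startswith("WINDOWS"):
            findings.append(f"node pool {name} is Windows Server; the mesh cannot run on its workloads")
            continue  # Windows nodes do not count toward mesh capacity
        vcpus = machine_vcpus(cfg.get("machineType", ""))
        if vcpus is None:
            unknown.append(name)
            continue
        if vcpus < MIN_VCPUS_PER_NODE:
            findings.append(f"node pool {name}: {vcpus} vCPUs per node, need {MIN_VCPUS_PER_NODE}")
        # initialNodeCount is a floor; for autoscaled pools use the minimum size.
        total_vcpus += vcpus * pool.get("initialNodeCount", 0)
    if total_vcpus < MIN_VCPUS_TOTAL:
        findings.append(f"Linux node pools provide {total_vcpus} vCPUs; at least {MIN_VCPUS_TOTAL} are needed")
    for name in unknown:
        findings.append(f"node pool {name}: vCPUs not derivable from machine type; verify >= {MIN_VCPUS_PER_NODE} by hand")

    private = cluster.get("privateClusterConfig", {})
    if private.get("enablePrivateNodes"):
        cidr = private.get("masterIpv4CidrBlock", "<control-plane CIDR>")
        findings.append(f"private cluster: allow TCP {WEBHOOK_PORT} from {cidr} to the nodes for the webhooks")
    return findings


# Constructed sample describe output, not from a real cluster.
SAMPLE_DESCRIBE = json.loads("""
{
  "name": "mesh-test",
  "autopilot": {},
  "releaseChannel": {"channel": "REGULAR"},
  "workloadIdentityConfig": {"workloadPool": "my-project.svc.id.goog"},
  "privateClusterConfig": {"enablePrivateNodes": true, "masterIpv4CidrBlock": "172.16.0.32/28"},
  "nodePools": [
    {"name": "default-pool", "initialNodeCount": 1,
     "config": {"machineType": "e2-standard-4", "imageType": "COS_CONTAINERD"}},
    {"name": "win-pool", "initialNodeCount": 1,
     "config": {"machineType": "n2-standard-8", "imageType": "WINDOWS_LTSC_CONTAINERD"}}
  ]
}
""")

if __name__ == "__main__":
    for line in check_cluster(SAMPLE_DESCRIBE) or ["all checks passed"]:
        print(line)
```

On the sample the script reports the Windows pool, the 4 vCPUs of Linux capacity (one e2-standard-4 node, short of the 8 required), and the private-cluster firewall rule for port 15017. It does not verify the GKE version against Supported platforms, since that list changes per release; check it separately.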

Fleet requirements

All clusters must be registered to a fleet, and fleet workload identity must be enabled. You can either set up the clusters yourself, or you can let asmcli register the clusters as long as they meet the following requirements:

When you run asmcli install, you specify the project ID of the fleet host project. asmcli registers the cluster if it isn't already registered.

What's next?