% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 167k 100 167k 0 0 701k 0 --:--:-- --:--:-- --:--:-- 701k
让该脚本可执行:
chmod +x asmcli
授予集群管理员权限
确保您已将上下文设置为您的用户集群:
kubectl config use-context CONTEXT
向您的用户账号(您的 Google Cloud 登录邮箱)授予集群管理员权限。您需要这些权限来创建 Cloud Service Mesh 所需的基于角色的访问控制 (RBAC) 规则:
asmcli: Setting up necessary files...
asmcli: Using asm_kubeconfig as the kubeconfig...
asmcli: Checking installation tool dependencies...
asmcli: Fetching/writing GCP credentials to kubeconfig file...
asmcli: Verifying connectivity (10s)...
asmcli: kubeconfig set to asm_kubeconfig
asmcli: using context gke_example-project-12345_us-central1_cluster-2
asmcli: Getting account information...
asmcli: Downloading ASM..
asmcli: Downloading ASM kpt package...
fetching package "/asm" from "https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" to "asm"
asmcli: Checking required APIs...
asmcli: Checking for project example-project-12345...
asmcli: Reading labels for us-central1/cluster-2...
asmcli: Checking for istio-system namespace...
asmcli: Confirming node pool requirements for example-project-12345/us-central1/cluster-2...
asmcli: Checking Istio installations...
asmcli: [WARNING]: There is no way to validate that the meshconfig API has been initialized.
asmcli: [WARNING]: This needs to happen once per GCP project. If the API has not been initialized
asmcli: [WARNING]: for example-project-12345, please re-run this tool with the --enable_gcp_components
asmcli: [WARNING]: flag. Otherwise, installation will succeed but Anthos Service Mesh
asmcli: [WARNING]: will not function correctly.
asmcli: Successfully validated all requirements to install ASM.
如果某一个测试未通过验证,asmcli 将输出错误消息。例如,如果您的项目未启用所有必需的 Google API,您会看到以下错误:
ERROR: One or more APIs are not enabled. Please enable them and retry, or run
`asmcli` with the '--enable_gcp_apis' flag to allow `asmcli` to enable them
on your behalf.
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-04。"],[],[],null,["Install dependent tools and verify cluster **Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information see, [Cloud Service Mesh overview](/service-mesh/docs/overview).\n\nThis page shows you how to prepare your environment and cluster to install\nin-cluster Cloud Service Mesh on GKE.\n\nInstall required tools\n\nYou can run `asmcli` on [Cloud Shell](/shell/docs/launching-cloud-shell)\nor on your local machine running Linux. Cloud Shell pre-installs all\nthe required tools.\n| **Note:** macOS isn't supported.\n\nIf you are running `asmcli` locally, make sure you have the following tools\ninstalled:\n\n- The [Google Cloud CLI](/sdk/docs/install)\n- The standard command-line tools: `awk`, `curl`, `grep`, `sed`, and `tr`\n- [`git`](https://git-scm.com/downloads)\n- [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/)\n- [`jq`](https://stedolan.github.io/jq/)\n- (Optional, in order to test connectivity) netcat (`nc`)\n\nConfigure gcloud\n\nDo the following steps even if you are using Cloud Shell.\n\n1. Authenticate with the Google Cloud CLI:\n\n gcloud auth login --project \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n2. Update the components:\n\n gcloud components update\n\n3. Configure `kubectl` to point to the cluster.\n\n gcloud container clusters get-credentials \u003cvar scope=\"CLUSTER_NAME\" translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e \\\n --location \u003cvar scope=\"CLUSTER_LOCATION\" translate=\"no\"\u003eCLUSTER_LOCATION\u003c/var\u003e \\\n --project \u003cvar scope=\"PROJECT_ID\" translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n| **Note:** You can also use service account impersonation by configuring your `gcloud\n| config` before running the tool. Run the command `gcloud config set auth/impersonate_service_account` \u003cvar translate=\"no\"\u003eSA-NAME\u003c/var\u003e`@`\u003cvar translate=\"no\"\u003eGCP-PROJECT\u003c/var\u003e`.iam.gserviceaccount.com`. To unset the impersonation after you've installed Cloud Service Mesh, run `gcloud config unset auth/impersonate_service_account`. For more information, see [gcloud config](/sdk/gcloud/reference/config/set).\n\nDownload asmcli\n\nThis section describes how to download the `asmcli`.\n\n1. Download the version that installs Cloud Service Mesh 1.26.4 to\n the current working directory:\n\n curl https://storage.googleapis.com/csm-artifacts/asm/asmcli_1.26 \u003e asmcli\n\n | **Note:** We recommend that you always download the latest version of `asmcli` when installing Cloud Service Mesh on a new GKE cluster. The command in the previous step downloads the latest version.\n\n Expected output: \n\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n 100 167k 100 167k 0 0 701k 0 --:--:-- --:--:-- --:--:-- 701k\n\n2. Make the script executable:\n\n chmod +x asmcli\n\nGrant cluster admin permissions\n\n1. Ensure you have set the context to your user cluster:\n\n **Note:** To check existing contexts, run `kubectl config get-contexts`. \n\n ```\n kubectl config use-context CONTEXT\n ```\n2. Grant cluster admin permissions to your user account (your Google Cloud login\n email address). You need these permissions to create the necessary\n [role based access control (RBAC)](/kubernetes-engine/docs/how-to/role-based-access-control)\n rules for Cloud Service Mesh:\n\n ```\n kubectl create clusterrolebinding cluster-admin-binding \\\n --clusterrole=cluster-admin \\\n --user=USER_ACCOUNT\n ```\n\nValidate project and cluster\n\nYou can run `asmcli validate` to make sure that your project and cluster are\nsetup as required to install Cloud Service Mesh. With this option, `asmcli` doesn't\nmake any changes to your project or cluster, and it doesn't install\nCloud Service Mesh.\n\n`asmcli` validates that:\n\n- Your environment has the\n [required tools](#install_required_tools).\n\n- The cluster meets the\n [minimum requirements](/service-mesh/legacy/in-cluster/cloud-service-mesh-prerequisites#cluster_requirements).\n\n- You have the [required permissions](/service-mesh/legacy/in-cluster/install-in-cluster-cloud-service-mesh#roles-required)\n on the specified project.\n\n- The project has all the\n [required Google APIs](/service-mesh/docs/project-cluster-setup#set_up_your_project)\n enabled.\n\nBy default, `asmcli` downloads and extracts the installation file and\ndownloads the\n[`asm`](https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/tree/release-1.25/asm/)\nconfiguration package from GitHub to a temp directory. Before exiting,\n`asmcli` outputs a message that provides the name of the temp directory.\nWe recommend that you specify a directory for the downloads with the\n`--output_dir `\u003cvar translate=\"no\"\u003eDIR_PATH\u003c/var\u003e option. The `--output_dir`\noption makes it convenient for you to use the `istioctl` command-line tool. You\nmight need `istioctl` for\n[troubleshooting configuration issues](/service-mesh/docs/troubleshooting/troubleshoot-intro#use_automated_validation_tools)\nor\n[setting up a multi-cluster mesh on private GKE clusters](/service-mesh/docs/unified-install/gke-install-multi-cluster#private-clusters-endpoint)\nAdditionally, the configuration files to enable optional features using `asmcli`\nare included in the `asm/istio/options` directory.\n\nRun the following command to validate your configuration and download the\ninstallation file and `asm` package to the \u003cvar translate=\"no\"\u003eOUTPUT_DIR\u003c/var\u003e\ndirectory. \n\n ./asmcli validate \\\n --project_id \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --cluster_name \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e \\\n --cluster_location \u003cvar translate=\"no\"\u003eCLUSTER_LOCATION\u003c/var\u003e \\\n --fleet_id \u003cvar translate=\"no\"\u003eFLEET_PROJECT_ID\u003c/var\u003e \\\n --output_dir \u003cvar translate=\"no\"\u003eDIR_PATH\u003c/var\u003e\n\n- `--project_id`, `--cluster_name`, and `--cluster_location` Specify the\n project ID that the cluster is in, the cluster name, and either the\n cluster zone or region.\n\n- `--fleet_id` The project ID of the\n [fleet host project](/anthos/multicluster-management/fleets#fleet-host-project).\n `asmcli validate` checks that the cluster is registered to the specified\n fleet.\n\n- `--output_dir` Include this option to specify a directory\n where `asmcli` downloads the `asm` package and extracts the\n installation file, which contains `istioctl`, samples, and manifests.\n Otherwise `asmcli` downloads the files to a `tmp` directory.\n You can specify either a relative path or a full path. The environment\n variable `$PWD` doesn't work here.\n\nOn success, `asmcli` outputs the following: \n\n```\nasmcli: Setting up necessary files...\nasmcli: Using asm_kubeconfig as the kubeconfig...\nasmcli: Checking installation tool dependencies...\nasmcli: Fetching/writing GCP credentials to kubeconfig file...\nasmcli: Verifying connectivity (10s)...\nasmcli: kubeconfig set to asm_kubeconfig\nasmcli: using context gke_example-project-12345_us-central1_cluster-2\nasmcli: Getting account information...\nasmcli: Downloading ASM..\nasmcli: Downloading ASM kpt package...\nfetching package \"/asm\" from \"https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages\" to \"asm\"\nasmcli: Checking required APIs...\nasmcli: Checking for project example-project-12345...\nasmcli: Reading labels for us-central1/cluster-2...\nasmcli: Checking for istio-system namespace...\nasmcli: Confirming node pool requirements for example-project-12345/us-central1/cluster-2...\nasmcli: Checking Istio installations...\nasmcli: [WARNING]: There is no way to validate that the meshconfig API has been initialized.\nasmcli: [WARNING]: This needs to happen once per GCP project. If the API has not been initialized\nasmcli: [WARNING]: for example-project-12345, please re-run this tool with the --enable_gcp_components\nasmcli: [WARNING]: flag. Otherwise, installation will succeed but Anthos Service Mesh\nasmcli: [WARNING]: will not function correctly.\nasmcli: Successfully validated all requirements to install ASM.\n```\n\nIf one of the tests fails the validation, `asmcli` outputs an error message.\nFor example, if your project doesn't have all of the required Google APIs\nenabled, you see the following error: \n\n```\nERROR: One or more APIs are not enabled. Please enable them and retry, or run\n`asmcli` with the '--enable_gcp_apis' flag to allow `asmcli` to enable them\non your behalf.\n```\n\nIf you got an error message about needing to run `asmcli` with an\n[enablement flag](/service-mesh/docs/asmcli-reference#enablement-flags),\nyou have the following options:\n\n- Include the specific flag from the error message or the `--enable_all`\n flag when running `asmcli` to do the actual installation.\n\n- If you prefer, you can update your project and cluster yourself before\n running `asmcli` as described in\n [Set up your project and GKE cluster yourself](/service-mesh/docs/project-cluster-setup#set_up_your_project).\n\nNote that `asmcli validate` doesn't allow any enablement flags because it only\nvalidates that your project and cluster are ready for installation.\n\nInspect cluster install and upgrade requirements\n\nBefore upgrading you should check that your configuration is compatible with\nthe new version of Cloud Service Mesh.\n\n1. Change to the directory that you specified in `--output_dir`.\n\n2. Run the following command to inspect the Kubernetes cluster for install and\n upgrade requirements. Make sure you use the version of `istioctl` distributed\n with the new Cloud Service Mesh version.\n\n istioctl experimental precheck\n\nWhat's next?\n\n- [Install Cloud Service Mesh](/service-mesh/legacy/in-cluster/install-in-cluster-cloud-service-mesh)\n- [Upgrade Cloud Service Mesh](/service-mesh/docs/upgrade/upgrade)"]]
