Anthos Service Mesh 1.4 has reached end of life and is no longer supported. For more information, see Upgrade path for 1.4.

Supported features

This page describes features that are supported in Anthos Service Mesh 1.4.9.

In the following tables, any feature with a check mark in a Supported column indicates that the feature is fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support.

  • Supported default indicates a feature that is enabled by default when you install Anthos Service Mesh.

  • Supported optional indicates a feature that you can optionally enable when you install Anthos Service Mesh. For information on enabling a Supported optional feature, see Enabling optional features.

  • Not supported indicates that the feature is not supported in Anthos Service Mesh.

Install/upgrade/rollback

Feature Supported default Supported optional Not supported
istioctl install
helm install
Migration from Istio on GKE

Security

Certificate distribution/rotation mechanisms

Feature Supported default Supported optional Not supported
GKE: workload certificate management using Envoy SDS
GKE: external certificate management on ingress gateway using Envoy SDS
GKE on-prem: certificate provisioning using secret volume mount

Certificate authority (CA) support

Feature Supported default Supported optional Not supported
GKE: Anthos Service Mesh certificate authority (Mesh CA)
GKE on-prem: Citadel CA
Integration with custom CAs

Authorization policy

Feature Supported default Supported optional Not supported
Authorization v1beta1 policy
RBAC v1alpha1 policy

Authentication policy

Scope

Feature Supported Not supported
mesh-level policy
namespace-level policy
service-level policy

Transport security

Feature Supported default Supported optional Not supported
PERMISSIVE mTLS mode is enabled at mesh level
mTLS STRICT mode
Auto-mTLS

Request authentication (JWT)

Feature Supported default Supported optional Not supported
Policy with JWT must have origin_is_optional set to true and principal_binding set to USE_ORIGIN

Telemetry

Currently, Cloud Monitoring, Cloud Logging, Cloud Trace, and Anthos Service Mesh in the Google Cloud Console aren't available on GKE on-prem.

Metrics

Feature Supported default Supported optional Not supported
HTTP in-proxy metrics to Cloud Monitoring and Anthos Service Mesh in the Cloud Console
Prometheus as an alternative to Cloud Monitoring
Telemetry V2 using WebAssembly Sandbox
Custom adapters/backends, in or out of process
Arbitrary Telemetry and Logging backends
Telemetry V1 for any metrics
Telemetry Lite for any metrics

Access logging

Feature Supported default Supported optional Not supported
Cloud Logging
Direct Envoy to stdout

Tracing

Feature Supported default Supported optional Not supported
Cloud Trace
Jaeger tracing
Zipkin tracing

Policy

Feature Supported Not supported
Policy checks

Networking

Traffic interception/redirection mechanism

Feature Supported default Supported optional Not supported
Traditional use of iptables using init containers with CAP_NET_ADMIN
Istio Container Network Interface (CNI)
Whitebox sidecar

Protocol support

Feature Supported Not supported
IPv4
HTTP/1.1
HTTP/2
TCP byte streams: Although TCP is a supported protocol, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services on the Anthos Service Mesh pages in the Cloud Console.
gRPC
IPv6
L7 support for protocols like WebSocket, MongoDB, Redis, Kafka (although you may be able to make them work by using TCP byte stream support). If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Istio's routing logic), then we do not support the protocol.

Envoy deployments

Feature Supported default Supported optional Not supported
Sidecars
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways

CRD support

Feature Supported Not supported
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules
custom Envoy filters

Load balancer for the Istio ingress gateway

For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway. Internal load balancers aren't supported for GKE on-prem. For information on configuring GKE on-prem, see Setting up your load balancer for GKE on-prem.

Feature Supported default Supported optional Not supported
Public load balancer
Internal load balancer

Load balancing policies

Feature Supported Not supported
round robin
least connections
random
passthrough
Consistent Hash
locality-weighted

User interface

Currently, Anthos Service Mesh in the Cloud Console isn't available on GKE on-prem.

Feature Supported default Supported optional Not supported
Anthos Service Mesh observability features in the Google Cloud Console with Telemetry V2
Cloud Monitoring and Cloud Logging
Grafana dashboards (optionally installed, customer-managed)
Kiali

As a convenience, the configuration profile for GKE on-prem installs an instance of Grafana, but Cloud Support can't provide help managing this third-party product. See Grafana documentation for help setting up and managing the dashboards.

Managed components

Currently, Anthos Service Mesh certificate authority (Mesh CA) and the Anthos Service Mesh pages in the Cloud Console aren't available on GKE on-prem.

Supported environments

Anthos Service Mesh versions 1.4.1 to 1.7.3-asm.6 are supported with the following GKE and GKE on-prem versions:

GKE

Anthos Service Mesh 1.4 supports the following GKE versions: 1.14 and 1.15.

GKE on-prem

GKE on-prem version 1.2.0-gke.6 and higher, which is included in Anthos 1.2.