This page describes features that are supported in Anthos Service Mesh 1.4.9.
Supported versions
Support for Anthos Service Mesh follows the Anthos Version Support Policy. Google supports the current and previous two (n-2) minor versions of Anthos Service Mesh. The following table shows the supported versions of Anthos Service Mesh and the earliest end-of-life (EOL) date for a version.
| Release version | Release date | Earliest EOL date |
|---|---|---|
| 1.4 | December 20, 2019 | Unsupported (September 18, 2020) |
| 1.5 | May 20, 2020 | Unsupported (February 17, 2021) |
| 1.6 | June 30, 2020 | Unsupported (March 30, 2021) |
| 1.7 | November 3, 2020 | December 10, 2021 |
| 1.8 | December 15, 2020 | September 15, 2021 |
| 1.9 | March 4, 2021 | December 4, 2021 |
| 1.10 | June 24, 2021 | March 24, 2022 |
Anthos Service Mesh 1.6, 1.5, and 1.4 are no longer supported. You must upgrade to Anthos Service Mesh 1.7 or later. For information on how to upgrade, see the following guides:
About the supported features
In the following tables, any feature with a check mark in a Supported column indicates that the feature is fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support.
Supported default indicates a feature that is enabled by default when you install Anthos Service Mesh.
Supported optional indicates a feature that you can optionally enable when you install Anthos Service Mesh. For information on enabling a Supported optional feature, see Enabling optional features.
Not supported indicates that the feature is not supported in Anthos Service Mesh.
Install/upgrade/rollback
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
istioctl install |
|||
helm install |
|||
| Migration from Istio on GKE |
Security
Certificate distribution/rotation mechanisms
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
| GKE: workload certificate management using Envoy SDS | |||
| GKE: external certificate management on ingress gateway using Envoy SDS | |||
| Anthos clusters on VMware: certificate provisioning using secret volume mount |
Certificate authority (CA) support
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
| GKE: Anthos Service Mesh certificate authority (Mesh CA) | |||
| Anthos clusters on VMware: Citadel CA | |||
| Integration with custom CAs |
Authorization policy
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
| Authorization v1beta1 policy | |||
| RBAC v1alpha1 policy |
Authentication policy
Scope
| Feature | Supported | Not supported |
|---|---|---|
| mesh-level policy | ||
| namespace-level policy | ||
| service-level policy |
Transport security
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
| PERMISSIVE mTLS mode is enabled at mesh level | |||
| mTLS STRICT mode | |||
| Auto-mTLS |
Request authentication (JWT)
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
Policy with JWT must have origin_is_optional set to true
and principal_binding set to USE_ORIGIN |
Telemetry
Currently, Cloud Monitoring, Cloud Logging, Cloud Trace, and Anthos Service Mesh in the Google Cloud Console aren't available on Anthos clusters on VMware.
Metrics
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
| HTTP in-proxy metrics to Cloud Monitoring and Anthos Service Mesh in the Cloud Console | |||
| Prometheus as an alternative to Cloud Monitoring | |||
| Telemetry V2 using WebAssembly Sandbox | |||
| Custom adapters/backends, in or out of process | |||
| Arbitrary Telemetry and Logging backends | |||
| Telemetry V1 for any metrics | |||
| Telemetry Lite for any metrics |
Access logging
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
| Cloud Logging | |||
Direct Envoy to stdout |
Tracing
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
| Cloud Trace | |||
| Jaeger tracing | |||
| Zipkin tracing |
Policy
| Feature | Supported | Not supported |
|---|---|---|
| Policy checks |
Networking
Traffic interception/redirection mechanism
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
Traditional use of iptables using init containers
with CAP_NET_ADMIN |
|||
| Istio Container Network Interface (CNI) | |||
| Whitebox sidecar |
Protocol support
| Feature | Supported | Not supported |
|---|---|---|
| IPv4 | ||
| HTTP/1.1 | ||
| HTTP/2 | ||
TCP byte streams Although TCP is a supported protocol, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services on the Anthos Service Mesh pages in the Cloud Console. |
||
| gRPC | ||
| IPv6 | ||
L7 support for protocols like WebSocket, MongoDB, Redis, Kafka (although you may be able to make them work by using TCP byte stream support). If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Istio's routing logic), then we do not support the protocol. |
Envoy deployments
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
| Sidecars | |||
| Ingress gateway | |||
| Egress directly out from sidecars | |||
| Egress using egress gateways |
CRD support
| Feature | Supported | Not supported |
|---|---|---|
| Sidecar resource | ||
| Service entry resource | ||
| Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules | ||
| custom Envoy filters |
Load balancer for the Istio ingress gateway
For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway. Internal load balancers aren't supported for Anthos clusters on VMware. For information on configuring Anthos clusters on VMware, see Setting up your load balancer for Anthos clusters on VMware.
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
| Public load balancer | |||
| Internal load balancer |
Load balancing policies
| Feature | Supported | Not supported |
|---|---|---|
| round robin | ||
| least connections | ||
| random | ||
| passthrough | ||
| Consistent Hash | ||
| locality-weighted |
User interface
Currently, Anthos Service Mesh in the Cloud Console isn't available on Anthos clusters on VMware.
| Feature | Supported default | Supported optional | Not supported |
|---|---|---|---|
| Anthos Service Mesh observability features in the Google Cloud Console with Telemetry V2 | |||
| Cloud Monitoring and Cloud Logging | |||
| Grafana dashboards | Optionally installed, customer-managed | ||
| Kiali |
As a convenience, the configuration profile for Anthos clusters on VMware installs an instance of Grafana, but Cloud Support can't provide help managing this third-party product. See Grafana documentation for help setting up and managing the dashboards.
Managed components
Currently Anthos Service Mesh certificate authority (Mesh CA) and the Anthos Service Mesh pages in the Cloud Console aren't available on Anthos clusters on VMware.
Supported environments
Anthos Service Mesh 1.4 is supported with the following GKE and Anthos clusters on VMware versions. All other environments are unsupported.
GKE
Anthos Service Mesh 1.4 supports the following GKE versions: 1.14 and 1.15.
Anthos clusters on VMware
Anthos clusters on VMware version 1.2.0-gke.6 and higher, which is included in Anthos 1.2.