You are viewing documentation for Anthos Service Mesh 1.5. View the latest documentation.

Enabling optional features

When you install Anthos Service Mesh, you specify the Anthos Service Mesh configuration profile, which enables the Supported default features listed on the Supported features page. The Anthos Service Mesh configuration profiles, asm.yaml and asm-onprem.yaml, are located in the install/kubernetes/operator/profiles subdirectory within the Anthos Service Mesh installation's root directory. The configuration profiles define and configure the features that are installed with Anthos Service Mesh.

You can override the ASM configuration profile and enable Supported optional features by using the IstioOperator API. You specify the IstioOperatorconfiguration in a YAML file and pass the file to the istioctl manifest apply command using the -f command-line option.

Although you can specify the configuration parameters on the command-line by using the --set option, we recommend that you use a YAML file for the configuration so that you can store the file in your version-control system along with your cluster resource configuration files.

The spec section in the YAML configuration corresponds to the --set command-line options. For example, the YAML to enableSTRICT mTLS mode is:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  global:
    mtls:
      enabled: true

The corresponding command-line option is: --set global.mtls.enabled=true

For more information, see Customizing the configuration.

When you enable optional features:

  • Make sure the feature that you enable is supported.

  • Specify the applicable configuration profile for your platform:

    • For Google Kubernetes Engine, use --set profile=asm
    • For GKE on-prem, use --set profile=asm-onprem
  • For GKE, prepare the istio-operator.yaml file as described in Preparing resource configuration files, and specify both the istio-operator.yaml file and your YAML file with the optional features on the command-line when you run istioctl manifest apply.

The following table provides the YAML to enable optional and supported features.

Feature YAML
mTLS STRICT mode
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  global:
    mtls:
      enabled: true
Direct Envoy to stdout
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  global:
    proxy:
      accessLogFile="/dev/stdout"

For more information, see Enable Envoy's access logging.

Cloud Trace
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  addonComponents:
    tracing:
      enabled: true
  values:
    global:
      proxy:
        tracer: "stackdriver"
Egress via egress gateways
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    egressGateways:
      - name: istio-egressgateway
        enabled: true

For more information, see Gateway.

GKE: Istio Container Network Interface (CNI) For GKE:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    cni:
      cniBinDir: /home/kubernetes/bin
      excludeNamespaces:
        - istio-system
        - kube-system

For GKE on-prem, add gke-system to excludeNamespaces and values.cni.cniBinDir is /opt/cni/bin:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    cni:
      cniBinDir: /opt/cni/bin
      excludeNamespaces:
        - istio-system
        - kube-system
        - gke-system

You also need to enable a network policy

.
Enable an internal load balancer

For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway. Internal load balancers aren't supported for GKE on-prem. For information on configuring GKE on-prem, see Setting up your load balancer for GKE on-prem

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: empty
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          serviceAnnotations:
            cloud.google.com/load-balancer-type: "internal"
          service: your_service_name
            ports:
              - name: status-port
                port: 15020
              - name: http2
                port: 80
              - name: https
                port: 443