You are viewing documentation for Anthos Service Mesh 1.5.

Supported features

This page describes features that are supported in Anthos Service Mesh 1.5.10. For the supported features in Anthos Service Mesh 1.4.10, see the Supported features page in the archive documentation.

In the following tables, any feature with the icon in a Supported column indicates that the feature is fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support.

  • Supported default indicates a feature that is either enabled by default or enabled in the configuration profile that you use when you install Anthos Service Mesh.

  • Supported optional indicates a feature that you can optionally enable when you install Anthos Service Mesh. For information on enabling a Supported optional feature, see Enabling optional features.

  • Not supported indicates that the feature is not supported in Anthos Service Mesh.

The supported features differ between Google Kubernetes Engine and GKE on-prem. A configuration profile is provided for each platform to enable the Supported default features when you install Anthos Service Mesh.

Install/upgrade/rollback

Not all of the tools that you use to install Anthos Service Mesh on GKE on-prem are supported.

Feature GKE GKE on-prem
istioctl install
istioctl upgrade and downgrade
Anthos CLI install
Anthos CLI upgrade and downgrade
helm install
Migration from Istio on GKE N/A

Security

Certificate distribution/rotation mechanisms

Feature GKE GKE on-prem
workload certificate management using Envoy SDS
external certificate management on ingress gateway using Envoy SDS
certificate provisioning using secret volume mount

Certificate authority (CA) support

Feature GKE GKE on-prem
Anthos Service Mesh certificate authority (Mesh CA)
Citadel CA
Integration with custom CAs

Authorization policy

Feature Supported default Supported optional Not supported
Authorization v1beta1 policy

Authentication policy

Peer authentication

Feature Supported default Supported optional Not supported
PERMISSIVE mTLS mode is enabled at mesh level
mTLS STRICT mode
Auto-mTLS

Request authentication

Feature Supported default Supported optional Not supported
JWT authentication

Telemetry

Metrics

Feature GKE GKE on-prem
Cloud Monitoring (HTTP in-proxy metrics)
Cloud Monitoring (TCP in-proxy metrics)
Mesh telemetry (in-proxy edge data)
Prometheus metrics export to Grafana
Prometheus metrics export to Kiali
Custom adapters/backends, in or out of process
Arbitrary telemetry and logging backends

Access logging

Feature GKE GKE on-prem
Cloud Logging
Direct Envoy to stdout Supported optional Supported optional

Tracing

Feature GKE GKE on-prem
Cloud Trace Supported optional
Jaeger tracing
Zipkin tracing

Policy

Feature GKE GKE on-prem
Policy checks

Networking

Traffic interception/redirection mechanism

Feature Supported default Supported optional Not supported
Traditional use of iptables using init containers with CAP_NET_ADMIN
Istio Container Network Interface (CNI)
Whitebox sidecar

Protocol support

Feature Supported Not supported
IPv4
HTTP/1.1
HTTP/2
TCP byte streams (Note 1)
gRPC
IPv6
L7 support for WebSocket (Note 2)
L7 support for MongoDB (Note 2)
L7 support for Redis (Note 2)
L7 support for Kafka (Note 2)
L7 support for Cassandra (Note 2)
L7 support for RabbitMQ (Note 2)
L7 support for Cloud SQL (Note 2)

Notes:

  1. Although TCP is a supported protocol for networking, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services in the Cloud Console.
  2. You might be able to make the protocol work by using TCP byte stream support. If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.

Envoy deployments

Feature Supported default Supported optional Not supported
Sidecars
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways

CRD support

Feature Supported Not supported
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules
custom Envoy filters

Load balancer for the Istio ingress gateway

For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway. Internal load balancers aren't supported for GKE on-prem. For information on configuring GKE on-prem, see Setting up your load balancer for GKE on-prem.

Feature Supported default Supported optional Not supported
Public load balancer
Internal load balancer

Load balancing policies

Feature Supported Not supported
round robin
least connections
random
passthrough
Consistent Hash
locality-weighted

User interface

Feature GKE GKE on-prem
Anthos Service Mesh dashboards in the Cloud Console
Cloud Monitoring
Cloud Logging
Grafana dashboards Installed, customer-managed
Kiali Installed, customer-managed

As a convenience, the configuration profile for GKE on-prem installs an instance of Grafana and Kiali, but Cloud Support can't provide help managing these third-party products. See their documentation for help setting up and managing the dashboards.

Managed components

Currently, Anthos Service Mesh certificate authority (Mesh CA) and the Anthos Service Mesh pages in the Cloud Console aren't available on GKE on-prem.

Supported environments

Anthos Service Mesh versions 1.4.1 to 1.5.10-asm.2 are supported with the following GKE and GKE on-prem versions:

GKE

Anthos Service Mesh 1.5 supports the following GKE versions: 1.14, 1.15, and 1.16.

GKE on-prem

GKE on-prem version 1.2.0-gke.6 and higher, which is included in Anthos 1.2.