Provision managed Cloud Service Mesh on a GKE cluster in the Google Cloud console

Cloud Service Mesh is Google's service mesh offering, based on open source Istio. The Cloud Service Mesh feature in the GKE UI allows users to easily provision managed Cloud Service Mesh on a new GKE cluster or an existing GKE cluster. With managed Cloud Service Mesh, Google hosts and manages the control plane and, optionally, the data plane for the mesh, and handles its upgrades, scaling, and security in a backward-compatible manner.

Cloud Service Mesh provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between services, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code. Cloud Service Mesh also provides a set of management capabilities to simplify lifecycle management of the mesh.

You configure Istio access control, routing rules, and other features by using a custom Kubernetes API, either via kubectl or the Istio command-line tool istioctl, which provides extra validation.

For more information, see Cloud Service Mesh.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Kubernetes Engine API.

Provision Cloud Service Mesh

The steps required to provision Cloud Service Mesh depend on whether you are creating a new GKE cluster or provisioning Cloud Service Mesh on an existing GKE cluster.

Create a GKE cluster with Cloud Service Mesh


  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

  2. Click Create.

  3. Click Configure next to either GKE Standard or GKE Autopilot, whichever mode you prefer.

Standard

In the Cluster basics section, complete the following:

  1. Enter the Name for your cluster.
  2. For the Location type, select Regional, and then select the desired region for your cluster.

  3. From the navigation pane, under Cluster, click Features.

  4. In the Cloud Service Mesh section, check the box next to Enable Cloud Service Mesh.

    After you check the box, a screen detailing the requirements appears. The requirements include:

    • Cloud Monitoring is enabled on the cluster.

      • Cloud Service Mesh uses Cloud Monitoring to provide automatic telemetry and logs.
    • Workload Identity is enabled on the cluster.

      • Cloud Service Mesh uses Workload Identity to provide secure access to required Google APIs and resources.
    • In order to secure, monitor, and manage the service mesh, the mesh.googleapis.com API is enabled (if it hasn't been already).

    • The Cluster is registered to the project's Fleet, and the Cloud Service Mesh Fleet feature is enabled.

    • The managed control plane is provisioned and set up to use a revision that matches the GKE channel configured on the cluster.

  5. Click Make changes to automatically enable the requirements.

  6. Click Create.

Autopilot

In the Cluster basics section, complete the following:

  1. Enter the Name for your cluster.
  2. Select the desired Region for your cluster.

  3. Expand the Advanced Options section dropdown.

  4. In the Cloud Service Mesh section, check the box next to Enable Cloud Service Mesh.

    After you check the box, a screen detailing the requirements appears. The requirements include:

    • In order to secure, monitor, and manage the service mesh, the mesh.googleapis.com API is enabled (if it hasn't been already).

    • The Cluster is registered to the project's Fleet, and the Cloud Service Mesh Fleet feature is enabled.

    • The managed control plane is provisioned and set up to use a revision that matches the GKE channel configured on the cluster.

  5. Click Make changes to automatically enable the requirements.

  6. Click Create.

Provision Cloud Service Mesh on an existing GKE cluster

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

  2. Select the cluster that you would like to provision Cloud Service Mesh on.

  3. In the Features section, click the edit button next to Cloud Service Mesh.

    After you click the edit button, a screen detailing the requirements appears. The requirements include:

    • Cloud Monitoring is enabled on the cluster.

      • Cloud Service Mesh uses Cloud Monitoring to provide automatic telemetry and logs.
    • Workload Identity is enabled on the cluster.

      • Cloud Service Mesh uses Workload Identity to provide secure access to required Google APIs and resources.
    • In order to secure, monitor, and manage the service mesh, the mesh.googleapis.com API is enabled (if it hasn't been already).

    • The Cluster is registered to the project's Fleet, and the Cloud Service Mesh Fleet feature is enabled (if it hasn't been already).

    • The managed control plane is provisioned and set up to use a revision that matches the GKE channel configured on the cluster.

  4. Click Make changes to automatically enable the requirements.
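The requirement lists above (for new Standard, new Autopilot, and existing clusters) can be checked before clicking Make changes. The following is an added example, not Google's or the page's own tooling: it evaluates the JSON that `gcloud container clusters describe` and `gcloud services list --enabled` return, using a constructed sample rather than real output. The field names (workloadIdentityConfig.workloadPool, monitoringConfig.componentConfig.enableComponents, releaseChannel.channel, fleet.membership) and the channel-to-revision mapping (asm-managed-rapid, asm-managed, asm-managed-stable) are assumptions to verify against your gcloud version.

```python
"""Preflight check for the managed Cloud Service Mesh requirements listed above.
Added example, not Google's tooling: it evaluates the JSON returned by
`gcloud container clusters describe CLUSTER --location LOCATION --format=json`
and `gcloud services list --enabled --format=json` (field names are assumptions)."""
import json

# Managed control-plane revision expected per GKE release channel (assumed names).
CHANNEL_TO_REVISION = {"RAPID": "asm-managed-rapid", "REGULAR": "asm-managed",
                       "STABLE": "asm-managed-stable"}

def check_mesh_prereqs(cluster, enabled_services):
    """Map each console requirement to True (met) or False (Make changes would enable it)."""
    components = cluster.get("monitoringConfig", {}).get("componentConfig", {})
    pool = cluster.get("workloadIdentityConfig", {}).get("workloadPool", "")
    api_names = {s.get("config", {}).get("name") for s in enabled_services}
    return {
        # Accept either the componentConfig form or the legacy monitoringService field.
        "cloud_monitoring": "SYSTEM_COMPONENTS" in components.get("enableComponents", [])
        or cluster.get("monitoringService") == "monitoring.googleapis.com/kubernetes",
        "workload_identity": pool.endswith(".svc.id.goog"),
        "mesh_api_enabled": "mesh.googleapis.com" in api_names,
        "fleet_registered": bool(cluster.get("fleet", {}).get("membership")),
    }

def expected_revision(cluster):
    """Revision the managed control plane should track, or None if no channel is set."""
    return CHANNEL_TO_REVISION.get(cluster.get("releaseChannel", {}).get("channel"))

def unmet(cluster, enabled_services):
    """Requirements the console's Make changes step would still have to enable."""
    checks = check_mesh_prereqs(cluster, enabled_services)
    return sorted(name for name, ok in checks.items() if not ok)

# Constructed sample: monitoring and Workload Identity on, cluster not yet
# fleet-registered, mesh.googleapis.com not yet enabled. Project id is a placeholder.
SAMPLE_CLUSTER = json.loads("""{
  "name": "demo-cluster",
  "releaseChannel": {"channel": "REGULAR"},
  "monitoringConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS"]}},
  "workloadIdentityConfig": {"workloadPool": "example-project-id.svc.id.goog"}
}""")
SAMPLE_SERVICES = [{"config": {"name": "container.googleapis.com"}}]

if __name__ == "__main__":
    print("unmet requirements:", unmet(SAMPLE_CLUSTER, SAMPLE_SERVICES))
    print("expected revision:", expected_revision(SAMPLE_CLUSTER))
```

Run it against the real describe and services output to see which of the listed requirements the console will change for you, and compare the expected revision with `kubectl get controlplanerevision -n istio-system` after provisioning.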

Next steps

Enabling Cloud Service Mesh on your cluster is only the first step. To fully take advantage of service mesh functionality, complete the following tasks:

  1. (Required) Inject sidecar proxies to enhance network security, reliability and observability.

  2. (Highly recommended) Deploy gateways to manage ingress and egress traffic.

  3. (Highly recommended) Configure transport security to secure your mesh.

  4. (Optional) Enable Managed Data Plane to automatically upgrade the proxies.

Troubleshooting

To address problems when provisioning Cloud Service Mesh, see Resolving issues enabling Cloud Service Mesh through Google Cloud console.

What's next