Provision managed Cloud Service Mesh on a GKE cluster in the Google Cloud console
Cloud Service Mesh is Google's service mesh offering, based on open source Istio. The Cloud Service Mesh feature in the GKE UI allows users to easily provision managed Cloud Service Mesh on a new GKE cluster or an existing GKE cluster. With managed Cloud Service Mesh, Google hosts and manages the control plane and, optionally, the data plane for the mesh, and handles its upgrades, scaling, and security in a backward-compatible manner.
Cloud Service Mesh provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between services, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code. Cloud Service Mesh also provides a set of management capabilities to simplify lifecycle management of the mesh.
You configure Istio access control, routing rules, and other features by using a custom Kubernetes API, either via kubectl or the Istio command-line tool istioctl, which provides extra validation.
For more information, see Cloud Service Mesh.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Kubernetes Engine API.
Provision Cloud Service Mesh
The steps required to provision Cloud Service Mesh depend on whether you are creating a new GKE cluster or provisioning Cloud Service Mesh on an existing GKE cluster.
Create a GKE cluster with Cloud Service Mesh
Go to the Google Kubernetes Engine page in the Google Cloud console.
Click Create.
Click Configure next to your preferred option between GKE Standard and GKE Autopilot.
Standard
In the Cluster basics section, complete the following:
- Enter the Name for your cluster.
- For the Location type, select Regional, and then select the desired region for your cluster.
From the navigation pane, under Cluster, click Features.
In the Cloud Service Mesh section, check the box next to Enable Cloud Service Mesh.
After you check the box, a screen detailing the requirements appears. The requirements include:
- Cloud Monitoring is enabled on the cluster.
  - Cloud Service Mesh uses Cloud Monitoring to provide automatic telemetry and logs.
- Workload Identity is enabled on the cluster.
  - Cloud Service Mesh uses Workload Identity to provide secure access to required Google APIs and resources.
- In order to secure, monitor, and manage the service mesh, the mesh.googleapis.com API is enabled (if it hasn't been already).
- The cluster is registered to the project's Fleet, and the Cloud Service Mesh Fleet feature is enabled.
- The managed control plane is provisioned and set up to use a revision that matches the GKE channel configured on the cluster.
Click Make changes to automatically enable the requirements.
Click Create.
Autopilot
In the Cluster basics section, complete the following:
- Enter the Name for your cluster.
- Select the desired Region for your cluster.
Expand the Advanced Options section dropdown.
In the Cloud Service Mesh section, check the box next to Enable Cloud Service Mesh.
After you check the box, a screen detailing the requirements appears. The requirements include:
- In order to secure, monitor, and manage the service mesh, the mesh.googleapis.com API is enabled (if it hasn't been already).
- The cluster is registered to the project's Fleet, and the Cloud Service Mesh Fleet feature is enabled.
- The managed control plane is provisioned and set up to use a revision that matches the GKE channel configured on the cluster.
Click Make changes to automatically enable the requirements.
Click Create.
Provision Cloud Service Mesh on an existing GKE cluster
Go to the Google Kubernetes Engine page in the Google Cloud console.
Select the cluster that you would like to provision Cloud Service Mesh on.
In the Features section, click the edit button next to Cloud Service Mesh.
After you click the edit button, a screen detailing the requirements appears. The requirements include:
- Cloud Monitoring is enabled on the cluster.
  - Cloud Service Mesh uses Cloud Monitoring to provide automatic telemetry and logs.
- Workload Identity is enabled on the cluster.
  - Cloud Service Mesh uses Workload Identity to provide secure access to required Google APIs and resources.
- In order to secure, monitor, and manage the service mesh, the mesh.googleapis.com API is enabled (if it hasn't been already).
- The cluster is registered to the project's Fleet, and the Cloud Service Mesh Fleet feature is enabled (if it hasn't been already).
- The managed control plane is provisioned and set up to use a revision that matches the GKE channel configured on the cluster.
Click Make changes to automatically enable the requirements.
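Before clicking Make changes, it is useful to know which of the requirements listed above a cluster already meets. The following pre-flight check is an added example, not code from the Google Cloud documentation: it evaluates the cluster description as emitted by `gcloud container clusters describe CLUSTER --format=json` together with the project's enabled services (as from `gcloud services list --enabled`), and maps the cluster's release channel to the managed control plane revision label that matches it. The JSON field names (`monitoringConfig`, `workloadIdentityConfig`, `releaseChannel`, `fleet`) are assumed from the GKE API; the sample cluster below is constructed.

```python
"""Pre-flight check for the managed Cloud Service Mesh requirements.

Added example (not part of the Google Cloud documentation). Assumes the field
layout of `gcloud container clusters describe --format=json`; the enabled-services
list mirrors `gcloud services list --enabled`. The Cloud Service Mesh fleet feature
itself is not checked here.
"""
import json

MESH_API = "mesh.googleapis.com"

# Managed control plane revision (istio.io/rev label) per GKE release channel.
CHANNEL_TO_REVISION = {
    "RAPID": "asm-managed-rapid",
    "REGULAR": "asm-managed",
    "STABLE": "asm-managed-stable",
}


def expected_revision(channel: str) -> str:
    """Revision matching the cluster's channel; assumption: no channel -> regular."""
    return CHANNEL_TO_REVISION.get(channel.upper(), "asm-managed")


def missing_requirements(cluster: dict, enabled_services: list) -> list:
    """Return the listed requirements that the cluster does not yet satisfy."""
    missing = []
    components = (cluster.get("monitoringConfig", {})
                  .get("componentConfig", {}).get("enableComponents", []))
    if "SYSTEM_COMPONENTS" not in components:
        missing.append("Cloud Monitoring (SYSTEM_COMPONENTS) is not enabled on the cluster")
    if not cluster.get("workloadIdentityConfig", {}).get("workloadPool"):
        missing.append("Workload Identity is not enabled on the cluster")
    if MESH_API not in enabled_services:
        missing.append(f"{MESH_API} API is not enabled in the project")
    if not cluster.get("fleet", {}).get("membership"):
        missing.append("cluster is not registered to the project's Fleet")
    return missing


# Constructed sample: a Standard cluster on the REGULAR channel before "Make changes".
SAMPLE_CLUSTER = json.loads("""{
  "name": "example-cluster",
  "releaseChannel": {"channel": "REGULAR"},
  "monitoringConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS"]}},
  "workloadIdentityConfig": {}
}""")
SAMPLE_SERVICES = ["container.googleapis.com", "monitoring.googleapis.com"]

if __name__ == "__main__":
    for item in missing_requirements(SAMPLE_CLUSTER, SAMPLE_SERVICES):
        print("MISSING:", item)
    print("expected revision:", expected_revision(SAMPLE_CLUSTER["releaseChannel"]["channel"]))
```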
Next steps
Enabling Cloud Service Mesh on your cluster is only the first step. To fully take advantage of service mesh functionality, complete the following tasks:
- (Required) Inject sidecar proxies to enhance network security, reliability, and observability.
- (Highly recommended) Deploy gateways to manage ingress and egress traffic.
- (Highly recommended) Configure transport security to secure your mesh.
- (Optional) Enable Managed Data Plane to automatically upgrade the proxies.
Troubleshooting
To address problems when provisioning Cloud Service Mesh, see Resolving issues enabling Cloud Service Mesh through Google Cloud console.
What's next
- To find out more about Managed Cloud Service Mesh, see Provisioning managed Cloud Service Mesh
- For a quick introduction to the gcloud CLI used in this tutorial, see gcloud commands
- To find out how to explore Cloud Service Mesh in the Google Cloud console, see Exploring Cloud Service Mesh in the Google Cloud console
- To explore Cloud Service Mesh optional features, such as Cloud Trace, distroless proxy images, and end user authentication, see Enable optional features on managed Cloud Service Mesh
- To learn more about Security in Cloud Service Mesh, see Cloud Service Mesh Security Overview and Cloud Service Mesh Security Best Practices
- To find out more about Telemetry in Cloud Service Mesh, see Observability Overview