VPC Service Controls for Cloud Service Mesh (Managed)
Cloud Service Mesh (Managed) supports VPC Service Controls as a generally available (GA) feature for new control planes.
To check whether your control plane supports VPC Service Controls GA, look for the VPCSC_GA_SUPPORTED condition in the mesh feature state of your membership:
gcloud container fleet mesh describe --project FLEET_PROJECT_ID
The output is similar to:
(...)
membershipStates:
  projects/FLEET_PROJECT_NUMBER/locations/MEMBERSHIP_LOCATION/memberships/MEMBERSHIP_ID:
    servicemesh:
      conditions:
      - code: VPCSC_GA_SUPPORTED
        details: This control plane supports VPC Service Controls GA.
        documentationLink: http://cloud.google.com/service-mesh/docs/managed/VPC Service Controls
        severity: INFO
(...)
If you have an existing control plane that does not report the VPCSC_GA_SUPPORTED condition and want to rely on VPC Service Controls, contact support.
Before you begin
The VPC Service Controls org-policy and service perimeter are configured at the organization level. Ensure that you have been granted the proper roles for administering VPC Service Controls.
Set up your VPC Service Controls service perimeter
Create or update your service perimeter:
Add your cluster project(s) and fleet project to the service perimeter. Having a service mesh spread across multiple VPC Service Controls perimeters is not supported.
Add restricted services to the service perimeter.
You must add specific services to the allowed and restricted services lists in the service perimeter, so that your Cloud Service Mesh cluster can access them. Access to these services is also restricted within your cluster's Virtual Private Cloud (VPC) network.
Not adding these services may cause the Cloud Service Mesh installation to fail or to not function properly. For example, if you don't add the Mesh Configuration API to the service perimeter, the installation will fail and the workloads won't receive their Envoy configuration from the managed control plane.
Console
1. Follow the steps in Updating a service perimeter to edit the perimeter.
2. Open the Edit VPC Service Perimeter page.
3. Under Restricted Services, Services to protect, click Add Services.
4. In the Specify services to restrict dialog, click Filter services, and enter Mesh Configuration API.
5. Select the service's checkbox.
6. Click Add Mesh Configuration API.
7. Repeat steps 3 - 6 to add:
   - Cloud Service Mesh Certificate Authority API
   - GKE Hub API
   - Cloud IAM API
   - Cloud Monitoring API
   - Cloud Trace API
   - Google Cloud Resource Manager API
   - Google Compute Engine API
   - Google Container Registry API
   - Artifact Registry API
   - Google Cloud Storage API
   - Cloud Logging API
   - Security Token Service API
8. Click Save.
gcloud
To update the list of restricted services, use the update command and specify the services to add as a comma-delimited list:
gcloud access-context-manager perimeters update PERIMETER_NAME \
  --add-restricted-services=meshconfig.googleapis.com,meshca.googleapis.com,gkehub.googleapis.com,iam.googleapis.com,monitoring.googleapis.com,cloudtrace.googleapis.com,cloudresourcemanager.googleapis.com,compute.googleapis.com,containerregistry.googleapis.com,artifactregistry.googleapis.com,storage.googleapis.com,logging.googleapis.com,sts.googleapis.com \
  --policy=POLICY_NAME
Where:
- PERIMETER_NAME is the name of the service perimeter that you want to update.
- POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.
Click VPC Accessible services and set it to 'All restricted services', so that the services restricted in the step above remain reachable from within the VPC Service Controls perimeter.
Unless you are installing Cloud Service Mesh from an in-perimeter network, add an ingress rule that allows the identity running the asmcli command to access the service perimeter. For more information, see Updating a service perimeter.
Install the managed Cloud Service Mesh in a VPC Service Controls perimeter
Follow the steps on the Configure managed Cloud Service Mesh page. Then verify that the control plane has been provisioned successfully and that there are no VPC Service Controls related errors.
Troubleshooting
Cannot create cluster with the latest GKE 1.22 image
There is a known issue preventing the creation of a cluster with the latest 1.22 image in a VPC Service Controls restricted environment. The workaround is to create this cluster first with the default GKE channel image, and then upgrade the image:
gcloud container clusters create CLUSTER \
  --region REGION \
  --release-channel=rapid \
  --workload-pool=PROJECT_ID.svc.id.goog \
  --project PROJECT_ID
gcloud container clusters upgrade CLUSTER \
  --region REGION \
  --master --cluster-version 1.22 \
  --project PROJECT_ID
Containers are not able to download their images.
This may happen if the images are located outside of the service perimeter. Either move the images to a bucket located inside the perimeter, or update the perimeter to add an Egress rule. Typically, the Egress rule may allow selected identities to access the Container Registry API, Artifact Registry API, and Cloud Storage API.
The Status field of the ControlPlaneRevision CRD displays VPC Service Controls errors
Run this command to get more info about the error:
gcloud logging read --project=PROJECT_ID \
  'protoPayload.metadata.@type=type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata'
Where:
- PROJECT_ID is the project ID of the project encountering errors.