Anthos Service Mesh 1.6

Supported features

This page describes features that are supported in Anthos Service Mesh 1.6.8. For the supported features in previous versions of Anthos Service Mesh, see the archive documentation:

When you install Anthos Service Mesh, you use a configuration profile that is suitable for your environment:

  • asm-gcp: Use this profile for installations on Google Kubernetes Engine.

  • asm-gcp-multiproject: Use this profile for installations on Google Kubernetes Engine with clusters in different projects.

  • asm-multicloud: Use this profile for installations on the following environments:

    • GKE on-prem
    • GKE on AWS
    • Amazon Elastic Kubernetes Service (Amazon EKS)
    • Microsoft Azure Kubernetes Service (Microsoft AKS)

The supported features differ between the profiles. In the following tables, any feature with the icon indicates that the feature is either enabled by default or enabled in the profile. Supported optional indicates that you can override the profile and enable the feature, as described in Enabling optional features.

The default and optional features are fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support. Any feature with the icon indicates either the feature isn't available or it isn't supported.

Install/upgrade/rollback

Feature asm-gcp asm-gcp-multiproject asm-multicloud
istioctl install
istioctl upgrade and downgrade
istioctl enable optional features
Anthos CLI install
Migration from Istio on GKE

Security

Certificate distribution/rotation mechanisms

Feature asm-gcp asm-gcp-multiproject asm-multicloud
workload certificate management using Envoy SDS
external certificate management on ingress gateway using Envoy SDS Supported optional Supported optional

Certificate authority (CA) support

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Anthos Service Mesh certificate authority (Mesh CA)
Citadel CA
Integration with custom CAs

Authorization policy

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Authorization v1beta1 policy

Authentication policy

Peer authentication

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Auto-mTLS
mTLS PERMISSIVE mode Supported optional Supported optional Supported optional
mTLS STRICT mode Supported optional Supported optional Supported optional

Request authentication

Feature asm-gcp asm-gcp-multiproject asm-multicloud
JWT authentication

Telemetry

Metrics

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Cloud Monitoring (HTTP in-proxy metrics)
Cloud Monitoring (TCP in-proxy metrics)
Mesh telemetry (in-proxy edge data)
Prometheus metrics export to Grafana and Kiali Supported optional
Custom adapters/backends, in or out of process
Arbitrary telemetry and logging backends

Access logging

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Cloud Logging
Direct Envoy to stdout Supported optional Supported optional Supported optional

Tracing

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Cloud Trace Supported optional Supported optional
Jaeger tracing (allows use of customer-managed Jaeger) Supported optional Supported optional
Zipkin tracing (allows use of customer-managed Zipkin) Supported optional Supported optional

Policy

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Policy checks

Networking

Traffic interception/redirection mechanism

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Traditional use of iptables using init containers with CAP_NET_ADMIN
Istio Container Network Interface (CNI)
Whitebox sidecar

Protocol support

Feature asm-gcp asm-gcp-multiproject asm-multicloud
IPv4
HTTP/1.1
HTTP/2
TCP byte streams (Note 1)
gRPC
IPv6

Notes:

  1. Although TCP is a supported protocol for networking, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services in the Cloud Console.
  2. Services that are configured with Layer 7 capabilities for the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka, Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by using TCP byte stream support. If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.

Envoy deployments

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Sidecars
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways Supported optional Supported optional Supported optional

CRD support

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules
custom Envoy filters

Load balancer for the Istio ingress gateway

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Public load balancer
Google Cloud Internal load balancer Supported optional Supported optional Not supported. See the links below.

For information on configuring load balancers, see the following:

Load balancing policies

Feature asm-gcp asm-gcp-multiproject asm-multicloud
round robin
least connections
random
passthrough
Consistent Hash
locality-weighted

Multi-cluster support

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Single network
Multi-network
Single project
Multi-project
Multi-primary (multiple clusters with control planes)

User interface

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Anthos Service Mesh dashboards in the Cloud Console
Cloud Monitoring
Cloud Logging
Grafana dashboards Optionally installed, customer-managed Installed, customer-managed
Kiali Optionally installed, customer-managed Installed, customer-managed

As a convenience, the asm-multicloud profile installs an instance of Grafana and Kiali, but Cloud Support can't provide help managing these these third-party products. See their documentation for help setting up and managing the dashboards.

Supported environments

Anthos Service Mesh 1.6.8 supports the following environments:

Environment Version
GKE on Google Cloud We recommend that you enroll GKE clusters in a release channel. When enrolling, use the Regular release channel because other channels might be based on a GKE version that isn't supported. Anthos Service Mesh 1.6.8 supports the following GKE versions: 1.15, 1.16, 1.17, and 1.18. Note that GKE version 1.14 is not supported with Anthos Service Mesh 1.6.8.

For more information about the GKE versions included in each release channel see the following:

GKE on-prem Anthos 1.4, Kubernetes version 1.16
GKE on AWS Anthos 1.4, Kubernetes version 1.16
Amazon EKS Kubernetes version 1.16
Microsoft AKS Kubernetes version 1.16