Version 1.7

Supported features

This page describes features that are supported in Anthos Service Mesh 1.7.3. For the supported features in previous versions of Anthos Service Mesh, see the archive documentation:

Supported versions

Support for Anthos Service Mesh follows the Anthos Version Support Policy. Google supports Anthos Service Mesh versions for at least nine months from their original release date.

The following table shows the supported versions of Anthos Service Mesh and the earliest end-of-life (EOL) date for a version.

Release version Release date Earliest EOL date
1.4 December 20, 2019 Unsupported (September 18, 2020)
1.5 May 20, 2020 February 17, 2021
1.6 June 30, 2020 March 30, 2021
1.7 November 3, 2020 August 2, 2021

For more information about our support policies, refer to Getting support.

Upgrade path for 1.4

Anthos Service Mesh 1.4 is no longer supported. You must upgrade to Anthos Service Mesh 1.5 or later. See the following guides for more information to help plan your upgrade:

When you install Anthos Service Mesh, you use a configuration profile that is suitable for your environment:

  • asm-gcp: This profile configures the features for a mesh containing one or more GKE on Google Cloud clusters in the same Google Cloud project.

  • asm-gcp-multiproject beta: This profile configures the features for a mesh with multiple GKE on Google Cloud clusters in different Cloud projects.

  • asm-multicloud: This profile configures the features for a mesh on the following environments:

    • GKE on-prem
    • GKE on AWS
    • Amazon Elastic Kubernetes Service (Amazon EKS)
    • Microsoft Azure Kubernetes Service (Microsoft AKS)

The supported features differ between the profiles. In the following tables, any feature with the icon indicates that the feature is either enabled by default or enabled in the profile. Supported optional indicates that you can override the profile and enable the feature, as described in Enabling optional features.

The default and optional features are fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support. Any feature with the icon indicates either the feature isn't available or it isn't supported.

Install/upgrade/rollback

Using the install_asm script

For more information about the install_asm script, see Installation, migration, and upgrade on GKE on Google Cloud.

Feature asm-gcp asm-gcp-multiproject asm-multicloud
New installations
Upgrades
Migration from Istio and the Istio on GKE add-on
Enabling optional features

Using istioctl install

Feature asm-gcp asm-gcp-multiproject asm-multicloud
New installations
Upgrades
Migration from Istio and the Istio on GKE add-on
Enabling optional features

Note that you use the asm-multicloud when installing or upgrading Anthos Service Mesh on environments that aren't on Google Cloud, as described in the following guides:

Security

Certificate distribution/rotation mechanisms

Feature asm-gcp asm-gcp-multiproject asm-multicloud
workload certificate management using Envoy SDS
external certificate management on ingress gateway using Envoy SDS Supported optional Supported optional

Certificate authority (CA) support

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Anthos Service Mesh certificate authority (Mesh CA)
Citadel CA
Integration with custom CAs

Authorization policy

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Authorization v1beta1 policy

Authentication policy

Peer authentication

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Auto-mTLS
mTLS PERMISSIVE mode Supported optional Supported optional Supported optional
mTLS STRICT mode Supported optional Supported optional Supported optional

Request authentication

Feature asm-gcp asm-gcp-multiproject asm-multicloud
JWT authentication

Telemetry

Metrics

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Cloud Monitoring (HTTP in-proxy metrics)
Cloud Monitoring (TCP in-proxy metrics)
Mesh telemetry (in-proxy edge data)
Prometheus metrics export to Grafana and Kiali Supported optional
Custom adapters/backends, in or out of process
Arbitrary telemetry and logging backends

Access logging

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Cloud Logging
Direct Envoy to stdout Supported optional Supported optional Supported optional

Tracing

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Cloud Trace Supported optional Supported optional
Jaeger tracing (allows use of customer-managed Jaeger) Supported optional Supported optional
Zipkin tracing (allows use of customer-managed Zipkin) Supported optional Supported optional

Policy

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Policy checks

Networking

Traffic interception/redirection mechanism

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Traditional use of iptables using init containers with CAP_NET_ADMIN
Istio Container Network Interface (CNI)
Whitebox sidecar

Protocol support

Feature asm-gcp asm-gcp-multiproject asm-multicloud
IPv4
HTTP/1.1
HTTP/2
TCP byte streams (Note 1)
gRPC
IPv6

Notes:

  1. Although TCP is a supported protocol for networking, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services in the Cloud Console.
  2. Services that are configured with Layer 7 capabilities for the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka, Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by using TCP byte stream support. If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.

Envoy deployments

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Sidecars
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways Supported optional Supported optional Supported optional

CRD support

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules
custom Envoy filters

Load balancer for the Istio ingress gateway

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Public load balancer
Google Cloud Internal load balancer Supported optional Supported optional Not supported. See the links below.

For information on configuring load balancers, see the following:

Load balancing policies

Feature asm-gcp asm-gcp-multiproject asm-multicloud
round robin
least connections
random
passthrough
Consistent Hash
locality-weighted

Multi-cluster support

Anthos Service Mesh supports multi-primary deployments for GKE on Google Cloud clusters in the same Google Cloud project and for GKE on Google Cloud clusters in different Cloud projects (referred to as multi-project in the following table). For multi-project deployments, all the clusters must be in a shared Virtual Private Cloud (VPC).

The profile that you use when installing Anthos Service Mesh on a GKE on Google Cloud cluster for a multi-primary deployment depends on whether the clusters are in the same or different projects:

  • When the clusters are in the same project, you use the asm-gcp profile.
  • When the clusters are in different projects, you use the asm-gcp-multiproject profile.

Platform environment

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Single network
Multi-network
Single project
Multi-project

Deployment model

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Multi-primary
Primary-remote

Notes on terminology

  • A primary cluster is a cluster with a control plane. A single mesh can have more than one primary cluster for high availability or to reduce latency. In the Istio 1.7 documentation, a multi-primary deployment is referred to as a replicated control plane.

  • A remote cluster is a cluster that connects to a control plane residing outside of the cluster. A remote cluster can connect to a control plane running in a primary cluster or to an external control plane.

  • Anthos Service Mesh uses a simplified definition of network based on general connectivity. Workload instances are on the same network if they are able to communicate directly, without a gateway.

User interface

Feature asm-gcp asm-gcp-multiproject asm-multicloud
Anthos Service Mesh dashboards in the Cloud Console
Cloud Monitoring
Cloud Logging
Grafana dashboards Optionally installed, customer-managed Installed, customer-managed
Kiali Optionally installed, customer-managed Installed, customer-managed

As a convenience, the asm-multicloud profile installs an instance of Grafana and Kiali, but Cloud Support can't provide help managing these these third-party products. See their documentation for help setting up and managing the dashboards.

Supported environments

Anthos Service Mesh 1.7.3 supports the following environments:

Environment Version
GKE on Google Cloud We recommend that you enroll GKE clusters in a release channel. When enrolling, use the Regular release channel because other channels might be based on a GKE version that isn't supported. Anthos Service Mesh 1.7.3 supports the following GKE versions: 1.15, 1.16, and 1.17. Note that GKE version 1.14 is not supported with Anthos Service Mesh 1.7.3.

For more information about the GKE versions included in each release channel see the following:

GKE on-prem Anthos 1.5, Kubernetes version 1.17
GKE on AWS Anthos 1.5, Kubernetes version 1.17
Amazon EKS Kubernetes version 1.17
Microsoft AKS Kubernetes version 1.17