Supported features

This page describes features that are supported in Anthos Service Mesh.

In the following tables, a check mark in a Supported column indicates that the feature is fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support.

  • Supported default indicates a feature that is enabled by default when you install Anthos Service Mesh.

  • Supported optional indicates a feature that you can optionally enable when you install Anthos Service Mesh. For information on enabling a Supported optional feature, see Enabling optional features.

  • Not supported indicates that the feature is not supported in Anthos Service Mesh.

Install/upgrade/rollback

Feature Supported default Supported optional Not supported
istioctl install
helm install
Migration from Istio on GKE

Security

Certificate distribution/rotation mechanisms

Feature Supported default Supported optional Not supported
GKE: certificate provisioning using Envoy SDS
Anthos GKE on-prem: certificate provisioning using secret volume mount

Certificate authority (CA) support

Feature Supported default Supported optional Not supported
GKE: Anthos Service Mesh certificate authority (Mesh CA)
Anthos GKE on-prem: Citadel CA
Integration with custom CAs

Authorization policy

Feature Supported default Supported optional Not supported
Authorization v1beta1 policy
RBAC v1alpha1 policy

Authentication policy

Scope

Feature Supported Not supported
mesh-level policy
namespace-level policy
service-level policy

Transport security

Feature Supported default Supported optional Not supported
PERMISSIVE mTLS mode is enabled at mesh level
mTLS STRICT mode
Auto-mTLS

Request authentication (JWT)

Feature Supported default Supported optional Not supported
Policy with JWT must have origin_is_optional set to true and principal_binding set to USE_ORIGIN

Telemetry

Currently, Cloud Monitoring, Cloud Logging, Cloud Trace, and Anthos Service Mesh in the Google Cloud Console aren't available on GKE on-prem.

Metrics

Feature Supported default Supported optional Not supported
HTTP in-proxy metrics to Cloud Monitoring and Anthos Service Mesh in the Cloud Console
Prometheus as an alternative to Cloud Monitoring
Telemetry V2 using WebAssembly Sandbox
Custom adapters/backends, in or out of process
Arbitrary Telemetry and Logging backends
Telemetry V1 for any metrics
Telemetry Lite for any metrics

Access logging

Feature Supported default Supported optional Not supported
Cloud Logging
Direct Envoy to stdout

Tracing

Feature Supported default Supported optional Not supported
Cloud Trace
Jaeger tracing
Zipkin tracing

Policy

Feature Supported Not supported
Policy checks

Networking

Traffic interception/redirection mechanism

Feature Supported default Supported optional Not supported
Traditional use of iptables using init containers with CAP_NET_ADMIN
Istio Container Network Interface (CNI)
Whitebox sidecar

Protocol support

Feature Supported Not supported
IPv4
HTTP/1.1
HTTP/2
TCP byte streams
gRPC
IPv6

L7 support for protocols like WebSocket, MongoDB, Redis, Kafka (although you may be able to make them work by using TCP byte stream support).

If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Istio's routing logic), then we do not support the protocol.

Envoy deployments

Feature Supported default Supported optional Not supported
Sidecars
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways

CRD support

Feature Supported Not supported
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules
custom Envoy filters

Load balancer for the Istio ingress gateway

For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway. Internal load balancers aren't supported for GKE on-prem. For information on configuring GKE on-prem, see Setting up your load balancer for GKE on-prem.

Feature Supported default Supported optional Not supported
Public load balancer
Internal load balancer

Load balancing policies

Feature Supported Not supported
round robin
least connections
random
passthrough
Consistent Hash
locality-weighted

Multi-cluster support

Feature Supported Not supported
Shared control plane + shared Root CA + single network
Multiple federated control planes + independent Root CAs + multiple networks
Mesh expansion for VMs

User interface

Currently, Anthos Service Mesh in the Cloud Console isn't available on GKE on-prem.

Feature Supported default Supported optional Not supported
Anthos Service Mesh observability features in the Google Cloud Console with Telemetry V2
Cloud Monitoring and Cloud Logging
Prometheus/Grafana dashboards
Kiali

Managed components

Currently, the managed components aren't available on GKE on-prem.

Anthos Service Mesh certificate authority (Mesh CA) is generally available for GKE on Google Cloud.

The following Anthos Service Mesh managed components are in beta:

Supported environments

Anthos Service Mesh versions 1.4.1 to 1.4.6 are supported with the following GKE and GKE on-prem versions:

  • GKE:

    • 1.13.11-gke.14+
    • 1.14.8-gke.18+
    • 1.15.4-gke.15+
  • GKE on-prem:

    • GKE on-prem version 1.2.0-gke.6 and higher, which is included in Anthos 1.2.

What's next

If you would like to participate in our beta program and try these features, contact us.