This page describes features that are supported in Anthos Service Mesh 1.8.1. For the supported features in previous versions of Anthos Service Mesh, see the archive documentation:
Support for Anthos Service Mesh follows the Anthos Version Support Policy. Google supports Anthos Service Mesh versions for at least nine months from their original release date.
The following table shows the supported versions of Anthos Service Mesh and the earliest end-of-life (EOL) date for a version.
|Release version||Release date||Earliest EOL date|
|1.4||December 20, 2019||Unsupported (September 18, 2020)|
|1.5||May 20, 2020||February 17, 2021|
|1.6||June 30, 2020||March 30, 2021|
|1.7||November 3, 2020||August 2, 2021|
|1.8||December 15, 2020||September 15, 2021|
For more information about our support policies, refer to Getting support.
Upgrade path for 1.4
Anthos Service Mesh 1.4 is no longer supported. You must upgrade to Anthos Service Mesh 1.5 or later. See the following guides for more information to help plan your upgrade:
Upgrading from 1.4 to 1.5:
Upgrading from 1.5 to 1.6:
Upgrading from 1.6 to 1.7:
Upgrading from 1.7 to 1.8:
When you install Anthos Service Mesh, you use a configuration profile that is suitable for your environment:
asm-gcp: This profile configures the features for a mesh containing one or more GKE clusters in the same Google Cloud project.
asm-gcp-multiprojectbeta: This profile configures the features for a mesh with multiple GKE clusters in different Cloud projects.
asm-multicloud: This profile configures the features for a mesh on the following environments:
- Anthos clusters on VMware
- Anthos clusters on AWS
- Attached clusters:
- Amazon Elastic Kubernetes Service (Amazon EKS)
- Microsoft Azure Kubernetes Service (Microsoft AKS)
The supported features differ between the profiles. In the following tables, any feature with the icon indicates that the feature is either enabled by default or enabled in the profile. Supported optional indicates that you can override the profile and enable the feature, as described in Enabling optional features.
The default and optional features are fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support. Any feature with the icon indicates either the feature isn't available or it isn't supported.
Installations, upgrades, and downgrades of Anthos Service Mesh must be done using
istioctl install. The other methods of
install_asm script calls
istioctl install. For more information about
install_asm script, see
Installation, migration, and upgrade on GKE.
|Migration from Istio|
|Enabling optional features|
|Migration from Istio|
|Enabling optional features|
To migrate from the 1.6 version of the Istio on GKE add-on, follow the Upgrade to Istio 1.6 with Operator to upgrade to Anthos Service Mesh 1.7.
Certificate distribution/rotation mechanisms
|workload certificate management using Envoy SDS|
|external certificate management on ingress gateway using Envoy SDS||Supported optional||Supported optional|
Certificate authority (CA) support
|Anthos Service Mesh certificate authority (Mesh CA)|
|Integration with custom CAs|
|Authorization v1beta1 policy|
|mTLS PERMISSIVE mode||Supported optional||Supported optional||Supported optional|
|mTLS STRICT mode||Supported optional||Supported optional||Supported optional|
|Cloud Monitoring (HTTP in-proxy metrics)|
|Cloud Monitoring (TCP in-proxy metrics)|
|Mesh telemetry (in-proxy edge data)|
|Prometheus metrics export to customer-installed Prometheus, Grafana and Kiali dashboards||Supported optional|
|Custom adapters/backends, in or out of process|
|Arbitrary telemetry and logging backends|
|Direct Envoy to
||Supported optional||Supported optional||Supported optional|
|Cloud Trace||Supported optional||Supported optional|
|Jaeger tracing (allows use of customer-managed Jaeger)||Supported optional||Supported optional|
|Zipkin tracing (allows use of customer-managed Zipkin)||Supported optional||Supported optional|
Traffic interception/redirection mechanism
|Traditional use of
|Istio Container Network Interface (CNI)|
|TCP byte streams (Note 1)|
- Although TCP is a supported protocol for networking, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services in the Cloud Console.
- Services that are configured with Layer 7 capabilities for the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka, Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by using TCP byte stream support. If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.
|Egress directly out from sidecars|
|Egress using egress gateways||Supported optional||Supported optional||Supported optional|
|Service entry resource|
|Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules|
|custom Envoy filters|
Load balancer for the Istio ingress gateway
|Public load balancer|
|Google Cloud Internal load balancer||Supported optional||Supported optional||Not supported. See the links below.|
For information on configuring load balancers, see the following:
- Setting up your load balancer for Anthos clusters on VMware
- Use an internal load balancer with Azure Kubernetes Service (AKS)
- Amazon EKS Load Balancing
Load balancing policies
Anthos Service Mesh supports multi-primary deployments for GKE clusters in the same Google Cloud project and for GKE clusters in different Cloud projects (referred to as multi-project in the following table). For multi-project deployments, all the clusters must be in a shared Virtual Private Cloud (VPC).
The profile that you use when installing Anthos Service Mesh on a GKE cluster for a multi-primary deployment depends on whether the clusters are in the same or different projects:
- When the clusters are in the same project, you use the
- When the clusters are in different projects, you use the
Notes on terminology
A primary cluster is a cluster with a control plane. A single mesh can have more than one primary cluster for high availability or to reduce latency. In the Istio 1.7 documentation, a multi-primary deployment is referred to as a replicated control plane.
A remote cluster is a cluster that connects to a control plane residing outside of the cluster. A remote cluster can connect to a control plane running in a primary cluster or to an external control plane.
Anthos Service Mesh uses a simplified definition of network based on general connectivity. Workload instances are on the same network if they are able to communicate directly, without a gateway.
|Anthos Service Mesh dashboards in the Cloud Console|
The Prometheus, Zipkin, and Kiali addon components were removed from the
profiles because the installation of telemetry addons can no longer be done
istioctl install. As a convenience, the YAML files to install an
instance of Prometheus, Grafana, and Kiali via
kubectl apply are
available in GitHub in the
repository. Note that Cloud Support can't provide help managing these
third-party products. For information on deploying the add-ons, see
Integrating with third-party add-ons.
Only the following environments are supported with Anthos Service Mesh 1.8.1. All other environments are unsupported.
|GKE on Google Cloud||
We recommend that you enroll GKE clusters in a
channel. When enrolling, use the Regular release channel because other
channels might be based on a GKE version that isn't
supported. Anthos Service Mesh 1.8.1 supports the following
GKE versions: 1.15, 1.16, and 1.17.
Note that GKE version 1.14 is not supported with
Anthos Service Mesh 1.8.1.
For more information about the GKE versions included in each release channel see the following:
|Anthos clusters on VMware||Anthos 1.5, Kubernetes version 1.17|
Anthos Service Mesh 1.8.1-asm.5 hasn't been qualified on the following environments:
- Anthos clusters on AWS
- Amazon EKS
- Microsoft AKS.
These environments were qualified and are fully supported on Anthos Service Mesh versions 1.6 and 1.7. If you have Anthos Service Mesh 1.6 or 1.7 installed on these environments, don't upgrade to Anthos Service Mesh 1.8.1-asm.5.
See the following installation guides for details:
- Installing Anthos Service Mesh 1.7 on Anthos clusters on AWS
- Installing Anthos Service Mesh 1.6 on Anthos clusters on AWS
- Installing Anthos Service Mesh 1.7 on Anthos attached clusters
- Installing Anthos Service Mesh 1.6 on Anthos attached clusters