Version 1.11

Prerequisites

This page describes the prerequisites and the requirements for installing Anthos Service Mesh.

Cloud project

Before you begin:

Anthos licensing

GKE

Anthos Service Mesh is available with Anthos or as a standalone service. The Google APIs enabled in your project determine how you are billed. To use Anthos Service Mesh as a standalone service, don't enable the Anthos API in your project; asmcli enables all of the other required Google APIs for you. For information about Anthos Service Mesh pricing, see Pricing.

  • If you are an Anthos subscriber, be sure to enable the Anthos API.

  • If you aren't an Anthos subscriber, you can still install Anthos Service Mesh, but certain UI elements and features in Google Cloud Console are only available to Anthos subscribers. For information about what is available to subscribers and non-subscribers, see Anthos and Anthos Service Mesh UI differences.

  • If you enabled the Anthos API, but you want to use Anthos Service Mesh as a standalone service, disable the Anthos API.

Outside Google Cloud

To install Anthos Service Mesh on-premises, on Anthos clusters on AWS, or on Amazon EKS, you have to be an Anthos customer. Anthos customers are not billed separately for Anthos Service Mesh because it is already included in the Anthos pricing. For more information, see the Anthos Pricing guide.

General requirements

  • To be included in the service mesh, service ports must be named, and the name must include the port's protocol using the syntax name: protocol[-suffix], where the square brackets indicate an optional suffix that must start with a dash. For more information, see Naming service ports.

  • If you have created a service perimeter in your organization, you might need to add the Mesh CA service to the perimeter. See Adding Mesh CA to a service perimeter for more information.

  • If you want to change the default resource limits for the istio-proxy sidecar container, the new values must be greater than the default values to avoid out-of-memory (OOM) events.

  • A Google Cloud project can only have one mesh associated with it.
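The port-naming rule above is easy to get wrong in a way that silently drops a service out of the mesh (an unnamed port, or a name such as httpx where the suffix is not separated by a dash). The following validator is an added example, not code from the Anthos Service Mesh documentation or from asmcli: it checks the ports of a Service manifest (constructed inline as a plain dict, so it runs offline) against the name: protocol[-suffix] syntax. The set of protocol prefixes is an assumption for this example, taken from the prefixes Istio documents; verify it against the release you run.

```python
# Added example: validate Kubernetes Service port names against the
# name: protocol[-suffix] syntax the mesh uses for protocol selection.

# Assumed for this example: protocol prefixes Istio recognises in port names.
# Check the protocol-selection docs for the set supported by your release.
KNOWN_PROTOCOLS = {
    "http", "http2", "https", "grpc", "grpc-web",
    "mongo", "mysql", "redis", "tcp", "tls", "udp",
}


def classify_port_name(name):
    """Return (protocol, suffix) when name follows protocol[-suffix], else None.

    Longest prefixes are tried first so that "grpc-web-ui" resolves to the
    grpc-web protocol rather than to grpc with suffix "web-ui".
    """
    if not name:
        return None
    for proto in sorted(KNOWN_PROTOCOLS, key=len, reverse=True):
        if name == proto:
            return proto, ""
        # A suffix must be separated from the protocol by a dash and be non-empty.
        if name.startswith(proto + "-") and len(name) > len(proto) + 1:
            return proto, name[len(proto) + 1:]
    return None


def check_service_ports(service):
    """Return [(port_number, problem)] for ports the mesh would not classify."""
    problems = []
    for port in service.get("spec", {}).get("ports", []):
        name = port.get("name")
        if name is None:
            problems.append(
                (port["port"], "port is unnamed; the mesh requires name: protocol[-suffix]")
            )
        elif classify_port_name(name) is None:
            problems.append(
                (port["port"], f"name {name!r} does not start with a recognised protocol")
            )
    return problems


# Constructed sample manifest (not from any real deployment).
SAMPLE_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "checkout"},
    "spec": {
        "ports": [
            {"name": "http-web", "port": 80, "targetPort": 8080},   # ok
            {"name": "grpc", "port": 9000},                         # ok, no suffix
            {"name": "grpc-web-ui", "port": 9001},                  # ok, grpc-web
            {"name": "metrics", "port": 9090},                      # no protocol prefix
            {"port": 5432},                                         # unnamed port
            {"name": "httpx", "port": 8081},                        # suffix lacks the dash
        ]
    },
}


if __name__ == "__main__":
    for number, problem in check_service_ports(SAMPLE_SERVICE):
        print(f"port {number}: {problem}")
```

Run it against a manifest exported with kubectl and converted to a dict, and fix every reported port before installing; a port the mesh cannot classify is treated as plain TCP, so the HTTP-level telemetry and policy you expect for that service will be missing.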

Cluster requirements

GKE

  • Verify that your cluster version is listed in Supported environments.

  • Your GKE cluster must meet the following requirements:

    • The GKE cluster must be Standard, because Autopilot clusters have webhook limitations that don't allow the MutatingWebhookConfiguration for the istio-sidecar-injector.

    • A machine type that has at least 4 vCPUs, such as e2-standard-4. If the machine type for your cluster doesn't have at least 4 vCPUs, change the machine type as described in Migrating workloads to different machine types.

    • The minimum number of nodes depends on your machine type. Anthos Service Mesh requires at least 8 vCPUs. If the machine type has 4 vCPUs, your cluster must have at least 2 nodes. If the machine type has 8 vCPUs, the cluster only needs 1 node. If you need to add nodes, see Resizing a cluster.

  • GKE Workload Identity is required. We recommend that you enable Workload Identity before installing Anthos Service Mesh. Enabling Workload Identity changes the way calls from your workloads to Google APIs are secured, as described in Workload Identity limitations.

  • Optional but recommended: enroll the cluster in a release channel. We recommend the Regular release channel, because other channels might be based on a GKE version that isn't supported with Anthos Service Mesh 1.11.2. For more information, see Supported environments. If you have a static GKE version, follow the instructions in Enrolling an existing cluster in a release channel.

  • If you are installing Anthos Service Mesh on a private cluster, you must open port 15017 in the firewall so that the webhooks used for automatic sidecar injection and configuration validation can be reached. For more information, see Opening a port on a private cluster.

  • For Windows Server workloads, Anthos Service Mesh is not supported. If your cluster has both Linux and Windows Server node pools, you can still install Anthos Service Mesh and use it on your Linux workloads.

Outside Google Cloud

  • Make sure that the user cluster that you install Anthos Service Mesh on has at least 4 vCPUs, 15 GB memory, and 4 nodes.

  • Verify that your cluster version is listed in Supported environments.

  • Your user cluster nodes need internet access to complete the Anthos Service Mesh installation successfully. Internet access through an HTTP proxy is not possible.

Fleet requirements

With Anthos Service Mesh 1.11 and later, all clusters must be registered to a fleet, and fleet workload identity must be enabled. You can either set up the clusters yourself or let asmcli register them, as long as they meet the following requirements:

  • GKE: Enable GKE Workload Identity on your Google Kubernetes Engine cluster, if it is not already enabled.

  • Anthos clusters outside Google Cloud: Anthos clusters on VMware, Anthos clusters on bare metal, and Anthos clusters on AWS are automatically registered to your project fleet at cluster creation time. As of Anthos 1.8, all these cluster types automatically enable fleet Workload Identity when registered. Existing registered clusters are updated to use fleet Workload Identity when they are upgraded to Anthos 1.8.

  • Amazon EKS clusters: The cluster must have a public IAM OIDC Identity Provider. Follow the instructions in Create an IAM OIDC provider for your cluster to check if a provider exists, and create a provider if necessary.

When you run asmcli install, you specify the project ID of the fleet host project. asmcli registers the cluster if it isn't already registered.

NOTE: If you have not previously registered a cluster from one project to a fleet hosted in a different project, extra steps are required to configure fleet permissions. For detailed instructions, see Grant permissions for registering a cluster into a different project.

Note the following limitations:

  • All clusters that are in the same project must be registered to the same fleet at all times to use Anthos Service Mesh.

  • Migrating a mesh from one Fleet to another is not supported.

What's next?