This page describes the available arguments to
Identify the cluster
You have the following options to identify the cluster:
- The project ID that the cluster was created in.
- The name of the cluster.
- Either the zone (for single-zone clusters) or region (for regional clusters) that the cluster was created in.
The path to the kubeconfig file
The kubeconfig context to use. If not specified,
asmcli uses the default context.
The certificate authority (CA) to use to manage mutual TLS certificates. Specify either mesh_ca to use Anthos Service Mesh certificate authority (Mesh CA) or citadel to use the Istio CA. Managed Anthos Service Mesh only supports Mesh CA, so you don't need to specify the --ca option when deploying the Google-managed control plane. See the following for additional information:
--channel ANTHOS SERVICE MESH CHANNEL
--channel with a specific Anthos Service Mesh release channel to provision the Control Plane revision associated with that release channel. For example,
--channel regular, and
--custom_overlay with the name of a YAML file (referred to as an overlay file) containing the IstioOperator custom resource to configure the in-cluster control plane. You specify an overlay file to enable a feature that isn't enabled by default. Managed Anthos Service Mesh doesn't support the IstioOperator API, so you can't use --custom_overlay to configure the Google-managed control plane.
asmcli must be able to locate the overlay file, so it either needs to be in the same directory as asmcli, or you can specify a relative path. To add multiple files, specify --co|--custom_overlay and the filename, for example:
--co overlay_file1.yaml --co overlay_file2.yaml --co overlay_file3.yaml
If using attached Amazon EKS clusters, use --hub-registration-extra-flags to register the cluster to the fleet if it isn't already registered.
--network_id to set the topology.istio.io/network label applied to the istio-system namespace. For GKE, --network_id defaults to the network name for the cluster. For other environments, default will be used.
The name of the overlay file (without the
asmcli downloads from the anthos-service-mesh repository to enable an optional feature. You need internet connectivity to use
--custom_overlay options are similar, but they have slightly different behavior:
--custom_overlay when you need to change the settings in the overlay file.
--option to enable a feature that doesn't require changes to the overlay file, for example, to configure audit policies for your services.
To add multiple files, specify -o|--option and the filename, for example:
-o option_file1 -o option_file2 -o option_file3
If not specified, asmcli creates a temporary directory where it downloads files and configurations necessary for installing Anthos Service Mesh. Specify the --output-dir flag to specify a relative path to a directory to use instead. Upon completion, the specified directory contains the
asm directory contains the configuration for the installation. The istio-1.12.0-asm.4 directory contains the extracted contents of the installation file, which contains istioctl, samples, and manifests. If you specify --output-dir and the directory already contains the necessary files, asmcli uses those files instead of downloading them again.
-r|--revision_name REVISION NAME
A revision label is a key-value pair that is set on the control plane. The revision label key is always istio.io/rev. By default, asmcli sets the value for the revision label based on the Anthos Service Mesh version, for example: asm-1120-4. Include this option if you want to override the default value and specify your own. The REVISION NAME argument must be a DNS-1035 label. This means the name must:
- contain at most 63 characters
- contain only lowercase alphanumeric characters or '-'
- start with an alphabetic character
- end with an alphanumeric character
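An added example (not part of asmcli or the original page) that checks a candidate revision name against the four rules above before it is passed to -r|--revision_name. The helper name validate_revision_name is hypothetical; it reports the first rule that fails.

```shell
#!/bin/sh
# Added example: validate a revision name against the DNS-1035 label rules
# listed above. validate_revision_name is a hypothetical helper, not asmcli code.
# The body runs in a subshell so LC_ALL=C (byte-wise a-z ranges) stays local.
validate_revision_name() (
  LC_ALL=C
  name=$1
  # Rule: at most 63 characters (an empty name is rejected as well).
  if [ -z "$name" ] || [ "${#name}" -gt 63 ]; then
    echo "revision name: length must be 1-63 characters" >&2; exit 1
  fi
  # Rule: only lowercase alphanumeric characters or '-'.
  case $name in
    *[!a-z0-9-]*) echo "revision name: only a-z, 0-9 and '-' allowed" >&2; exit 1 ;;
  esac
  # Rule: start with an alphabetic character.
  case $name in
    [a-z]*) ;;
    *) echo "revision name: must start with a letter" >&2; exit 1 ;;
  esac
  # Rule: end with an alphanumeric character.
  case $name in
    *[a-z0-9]) ;;
    *) echo "revision name: must end with a letter or digit" >&2; exit 1 ;;
  esac
  exit 0
)
```

Run it before invoking asmcli, for example `validate_revision_name "$REV" || exit 1`, so a bad label is caught before any project or cluster change is attempted.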
The regex used for validation is:
- The name of a service account used to install Anthos Service Mesh. If not specified, the active user account in the current gcloud configuration is used. If you need to change the active user account, run gcloud auth login.
- The key file for a service account. Omit this option if you aren't using a service account.
Options for Istio CA custom certificate
If you specified
--ca citadel and you are using a custom CA, include the
--ca_cert FILE_PATH: The intermediate certificate
--ca_key FILE_PATH: The key for the intermediate certificate
--root_cert FILE_PATH: The root certificate
--cert_chain FILE_PATH: The certificate chain
For more information, see Plugging in existing CA Certificates.
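An added example, not asmcli's own code, of a preflight for the four files before running asmcli with --ca citadel. It assumes the files are PEM encoded and treats a key file that group or others can access as an error; check_ca_files and its helpers are hypothetical names.

```shell
#!/bin/sh
# Added example (not asmcli code): preflight for the custom CA files.
# Assumptions: PEM-encoded input; key file must be owner-only.

# pem_has FILE LABEL: FILE is readable and has a "-----BEGIN ...LABEL-----" line.
pem_has() {
  [ -r "$1" ] && grep -q -- "^-----BEGIN .*$2-----" "$1"
}

# key_is_private FILE: group and others have no permission bits set.
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_ca_files CA_CERT CA_KEY ROOT_CERT CERT_CHAIN
# Prints the matching asmcli flags on success, the first problem on stderr otherwise.
check_ca_files() {
  ca_cert=$1 ca_key=$2 root_cert=$3 cert_chain=$4
  for f in "$ca_cert" "$root_cert" "$cert_chain"; do
    pem_has "$f" CERTIFICATE || { echo "$f: no PEM certificate found" >&2; return 1; }
  done
  pem_has "$ca_key" "PRIVATE KEY" || { echo "$ca_key: no PEM private key found" >&2; return 1; }
  # A key pasted into a certificate file travels wherever that file is shared.
  for f in "$ca_cert" "$root_cert" "$cert_chain"; do
    if pem_has "$f" "PRIVATE KEY"; then
      echo "$f: contains a private key" >&2; return 1
    fi
  done
  key_is_private "$ca_key" || { echo "$ca_key: accessible by group or others" >&2; return 1; }
  printf '%s\n' "--ca citadel --ca_cert $ca_cert --ca_key $ca_key --root_cert $root_cert --cert_chain $cert_chain"
}
```

The check is structural only: it does not confirm that the key belongs to the intermediate certificate or that the chain validates to the root certificate.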
The flags that start with
asmcli enable the required Google
required Identity and Access Management (IAM) permissions,
and update your cluster. If you prefer, you can
update your project and cluster yourself
asmcli. All of the enablement flags are incompatible with
asmcli validate. If you specify an enablement flag when you run
asmcli validate, the command terminates with an error.
asmcli to perform all of the individual enable actions described below.
asmcli to attempt to bind the GCP user or service account running
cluster-admin role on your cluster.
asmcli determines the user account from the gcloud config get-value core/account command. If you are running asmcli locally with a user account, make sure that you call the gcloud auth login command before running asmcli. If you need to change the user account, run the gcloud config set core/account GCP_EMAIL_ADDRESS command where GCP_EMAIL_ADDRESS is the account that you use to log in to Google Cloud.
asmcli to set required cluster labels.
asmcli to enable the following required Google Cloud managed services and components:
asmcli to enable all required Google APIs.
asmcli to set the required IAM permissions.
asmcli to register the cluster to the project that the cluster is in. If you don't include this flag, follow the steps in Registering a cluster to manually register the cluster. Note that unlike the other enablement flags, --enable_registration is only included in --enable_all when you specify an option (such as --option hub-meshca) that requires cluster registration. Otherwise, you need to specify this flag separately.
- Print commands, but don't execute them.
- Run validation but don't update the project or cluster and don't install Anthos Service Mesh. This flag is incompatible with the
asmcli terminates with an error if you specify --only_validate with any enablement flag.
- Instead of installing Anthos Service Mesh, print all of the compiled YAML to standard output (stdout). All other output is written to standard error (stderr), even if it would normally go to stdout. asmcli skips all validations and setup when you specify this flag.
- By default, asmcli deploys the Canonical Service controller to your cluster. If you don't want asmcli to deploy the controller, specify --disable_canonical_service. For more information, refer to Enabling and disabling the Canonical Service controller.
- Show a help message describing the options and flags and exit.
asmcli runs, it prints the command that it will run next. With the
asmcli prints the command after execution as well.
- Print the version of asmcli and exit. If you don't have the most recent version, you can download the most recent version of
Learn about setting up a multi-cluster mesh:
If your mesh consists entirely of GKE clusters, see Set up a multi-cluster mesh on GKE.
If your mesh consists of clusters outside of Google Cloud, see Set up a multi-cluster mesh outside of Google Cloud.