% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 167k 100 167k 0 0 701k 0 --:--:-- --:--:-- --:--:-- 701k
將指令碼設定為可執行:
chmod +x asmcli
授予叢集管理員權限
請確認您已將背景資訊設為使用者叢集:
kubectl config use-context CONTEXT
將叢集管理員權限授予您的使用者帳戶 ( Google Cloud 登入電子郵件地址)。您需要這些權限來為 Cloud Service Mesh 建立必要的角色型存取控制 (RBAC) 規則:
asmcli: Setting up necessary files...
asmcli: Using asm_kubeconfig as the kubeconfig...
asmcli: Checking installation tool dependencies...
asmcli: Fetching/writing GCP credentials to kubeconfig file...
asmcli: Verifying connectivity (10s)...
asmcli: kubeconfig set to asm_kubeconfig
asmcli: using context gke_example-project-12345_us-central1_cluster-2
asmcli: Getting account information...
asmcli: Downloading ASM..
asmcli: Downloading ASM kpt package...
fetching package "/asm" from "https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages" to "asm"
asmcli: Checking required APIs...
asmcli: Checking for project example-project-12345...
asmcli: Reading labels for us-central1/cluster-2...
asmcli: Checking for istio-system namespace...
asmcli: Confirming node pool requirements for example-project-12345/us-central1/cluster-2...
asmcli: Checking Istio installations...
asmcli: [WARNING]: There is no way to validate that the meshconfig API has been initialized.
asmcli: [WARNING]: This needs to happen once per GCP project. If the API has not been initialized
asmcli: [WARNING]: for example-project-12345, please re-run this tool with the --enable_gcp_components
asmcli: [WARNING]: flag. Otherwise, installation will succeed but Anthos Service Mesh
asmcli: [WARNING]: will not function correctly.
asmcli: Successfully validated all requirements to install ASM.
如果其中一個測試失敗,asmcli 就會輸出錯誤訊息。舉例來說,如果您的專案未啟用所有必要的 Google API,您會看到以下錯誤:
ERROR: One or more APIs are not enabled. Please enable them and retry, or run
`asmcli` with the '--enable_gcp_apis' flag to allow `asmcli` to enable them
on your behalf.
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[],[],null,["Install dependent tools and verify cluster **Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information see, [Cloud Service Mesh overview](/service-mesh/docs/overview).\n\nThis page shows you how to prepare your environment and cluster to install\nin-cluster Cloud Service Mesh on GKE.\n\nInstall required tools\n\nYou can run `asmcli` on [Cloud Shell](/shell/docs/launching-cloud-shell)\nor on your local machine running Linux. Cloud Shell pre-installs all\nthe required tools.\n| **Note:** macOS isn't supported.\n\nIf you are running `asmcli` locally, make sure you have the following tools\ninstalled:\n\n- The [Google Cloud CLI](/sdk/docs/install)\n- The standard command-line tools: `awk`, `curl`, `grep`, `sed`, and `tr`\n- [`git`](https://git-scm.com/downloads)\n- [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/)\n- [`jq`](https://stedolan.github.io/jq/)\n- (Optional, in order to test connectivity) netcat (`nc`)\n\nConfigure gcloud\n\nDo the following steps even if you are using Cloud Shell.\n\n1. Authenticate with the Google Cloud CLI:\n\n gcloud auth login --project \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n2. Update the components:\n\n gcloud components update\n\n3. Configure `kubectl` to point to the cluster.\n\n gcloud container clusters get-credentials \u003cvar scope=\"CLUSTER_NAME\" translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e \\\n --location \u003cvar scope=\"CLUSTER_LOCATION\" translate=\"no\"\u003eCLUSTER_LOCATION\u003c/var\u003e \\\n --project \u003cvar scope=\"PROJECT_ID\" translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n| **Note:** You can also use service account impersonation by configuring your `gcloud\n| config` before running the tool. Run the command `gcloud config set auth/impersonate_service_account` \u003cvar translate=\"no\"\u003eSA-NAME\u003c/var\u003e`@`\u003cvar translate=\"no\"\u003eGCP-PROJECT\u003c/var\u003e`.iam.gserviceaccount.com`. To unset the impersonation after you've installed Cloud Service Mesh, run `gcloud config unset auth/impersonate_service_account`. For more information, see [gcloud config](/sdk/gcloud/reference/config/set).\n\nDownload asmcli\n\nThis section describes how to download the `asmcli`.\n\n1. Download the version that installs Cloud Service Mesh 1.26.4 to\n the current working directory:\n\n curl https://storage.googleapis.com/csm-artifacts/asm/asmcli_1.26 \u003e asmcli\n\n | **Note:** We recommend that you always download the latest version of `asmcli` when installing Cloud Service Mesh on a new GKE cluster. The command in the previous step downloads the latest version.\n\n Expected output: \n\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n 100 167k 100 167k 0 0 701k 0 --:--:-- --:--:-- --:--:-- 701k\n\n2. Make the script executable:\n\n chmod +x asmcli\n\nGrant cluster admin permissions\n\n1. Ensure you have set the context to your user cluster:\n\n **Note:** To check existing contexts, run `kubectl config get-contexts`. \n\n ```\n kubectl config use-context CONTEXT\n ```\n2. Grant cluster admin permissions to your user account (your Google Cloud login\n email address). You need these permissions to create the necessary\n [role based access control (RBAC)](/kubernetes-engine/docs/how-to/role-based-access-control)\n rules for Cloud Service Mesh:\n\n ```\n kubectl create clusterrolebinding cluster-admin-binding \\\n --clusterrole=cluster-admin \\\n --user=USER_ACCOUNT\n ```\n\nValidate project and cluster\n\nYou can run `asmcli validate` to make sure that your project and cluster are\nsetup as required to install Cloud Service Mesh. With this option, `asmcli` doesn't\nmake any changes to your project or cluster, and it doesn't install\nCloud Service Mesh.\n\n`asmcli` validates that:\n\n- Your environment has the\n [required tools](#install_required_tools).\n\n- The cluster meets the\n [minimum requirements](/service-mesh/legacy/in-cluster/cloud-service-mesh-prerequisites#cluster_requirements).\n\n- You have the [required permissions](/service-mesh/legacy/in-cluster/install-in-cluster-cloud-service-mesh#roles-required)\n on the specified project.\n\n- The project has all the\n [required Google APIs](/service-mesh/docs/project-cluster-setup#set_up_your_project)\n enabled.\n\nBy default, `asmcli` downloads and extracts the installation file and\ndownloads the\n[`asm`](https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/tree/release-1.25/asm/)\nconfiguration package from GitHub to a temp directory. Before exiting,\n`asmcli` outputs a message that provides the name of the temp directory.\nWe recommend that you specify a directory for the downloads with the\n`--output_dir `\u003cvar translate=\"no\"\u003eDIR_PATH\u003c/var\u003e option. The `--output_dir`\noption makes it convenient for you to use the `istioctl` command-line tool. You\nmight need `istioctl` for\n[troubleshooting configuration issues](/service-mesh/docs/troubleshooting/troubleshoot-intro#use_automated_validation_tools)\nor\n[setting up a multi-cluster mesh on private GKE clusters](/service-mesh/docs/unified-install/gke-install-multi-cluster#private-clusters-endpoint)\nAdditionally, the configuration files to enable optional features using `asmcli`\nare included in the `asm/istio/options` directory.\n\nRun the following command to validate your configuration and download the\ninstallation file and `asm` package to the \u003cvar translate=\"no\"\u003eOUTPUT_DIR\u003c/var\u003e\ndirectory. \n\n ./asmcli validate \\\n --project_id \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --cluster_name \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e \\\n --cluster_location \u003cvar translate=\"no\"\u003eCLUSTER_LOCATION\u003c/var\u003e \\\n --fleet_id \u003cvar translate=\"no\"\u003eFLEET_PROJECT_ID\u003c/var\u003e \\\n --output_dir \u003cvar translate=\"no\"\u003eDIR_PATH\u003c/var\u003e\n\n- `--project_id`, `--cluster_name`, and `--cluster_location` Specify the\n project ID that the cluster is in, the cluster name, and either the\n cluster zone or region.\n\n- `--fleet_id` The project ID of the\n [fleet host project](/anthos/multicluster-management/fleets#fleet-host-project).\n `asmcli validate` checks that the cluster is registered to the specified\n fleet.\n\n- `--output_dir` Include this option to specify a directory\n where `asmcli` downloads the `asm` package and extracts the\n installation file, which contains `istioctl`, samples, and manifests.\n Otherwise `asmcli` downloads the files to a `tmp` directory.\n You can specify either a relative path or a full path. The environment\n variable `$PWD` doesn't work here.\n\nOn success, `asmcli` outputs the following: \n\n```\nasmcli: Setting up necessary files...\nasmcli: Using asm_kubeconfig as the kubeconfig...\nasmcli: Checking installation tool dependencies...\nasmcli: Fetching/writing GCP credentials to kubeconfig file...\nasmcli: Verifying connectivity (10s)...\nasmcli: kubeconfig set to asm_kubeconfig\nasmcli: using context gke_example-project-12345_us-central1_cluster-2\nasmcli: Getting account information...\nasmcli: Downloading ASM..\nasmcli: Downloading ASM kpt package...\nfetching package \"/asm\" from \"https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages\" to \"asm\"\nasmcli: Checking required APIs...\nasmcli: Checking for project example-project-12345...\nasmcli: Reading labels for us-central1/cluster-2...\nasmcli: Checking for istio-system namespace...\nasmcli: Confirming node pool requirements for example-project-12345/us-central1/cluster-2...\nasmcli: Checking Istio installations...\nasmcli: [WARNING]: There is no way to validate that the meshconfig API has been initialized.\nasmcli: [WARNING]: This needs to happen once per GCP project. If the API has not been initialized\nasmcli: [WARNING]: for example-project-12345, please re-run this tool with the --enable_gcp_components\nasmcli: [WARNING]: flag. Otherwise, installation will succeed but Anthos Service Mesh\nasmcli: [WARNING]: will not function correctly.\nasmcli: Successfully validated all requirements to install ASM.\n```\n\nIf one of the tests fails the validation, `asmcli` outputs an error message.\nFor example, if your project doesn't have all of the required Google APIs\nenabled, you see the following error: \n\n```\nERROR: One or more APIs are not enabled. Please enable them and retry, or run\n`asmcli` with the '--enable_gcp_apis' flag to allow `asmcli` to enable them\non your behalf.\n```\n\nIf you got an error message about needing to run `asmcli` with an\n[enablement flag](/service-mesh/docs/asmcli-reference#enablement-flags),\nyou have the following options:\n\n- Include the specific flag from the error message or the `--enable_all`\n flag when running `asmcli` to do the actual installation.\n\n- If you prefer, you can update your project and cluster yourself before\n running `asmcli` as described in\n [Set up your project and GKE cluster yourself](/service-mesh/docs/project-cluster-setup#set_up_your_project).\n\nNote that `asmcli validate` doesn't allow any enablement flags because it only\nvalidates that your project and cluster are ready for installation.\n\nInspect cluster install and upgrade requirements\n\nBefore upgrading you should check that your configuration is compatible with\nthe new version of Cloud Service Mesh.\n\n1. Change to the directory that you specified in `--output_dir`.\n\n2. Run the following command to inspect the Kubernetes cluster for install and\n upgrade requirements. Make sure you use the version of `istioctl` distributed\n with the new Cloud Service Mesh version.\n\n istioctl experimental precheck\n\nWhat's next?\n\n- [Install Cloud Service Mesh](/service-mesh/legacy/in-cluster/install-in-cluster-cloud-service-mesh)\n- [Upgrade Cloud Service Mesh](/service-mesh/docs/upgrade/upgrade)"]]
