Anthos Service Mesh 1.10 has reached end of life and is no longer supported. See Upgrading from earlier versions.

Set up a GKE cluster

This page explains how to set up an existing GKE cluster with the options required by Anthos Service Mesh. If you want to add clusters from different Cloud projects to Anthos Service Mesh, the clusters must be in a Shared Virtual Private Cloud (VPC). See Setting up clusters with Shared VPC for more information.

If you are upgrading from 1.9 or a 1.10 patch release, the project and cluster requirements haven't changed. To upgrade, see Multi-project upgrade.

Before you begin

Before you start setting up a cluster, make sure that you have:

Setting up an existing cluster

  1. Create the following environment variables:

    • Set the cluster name:


    • Set the CLUSTER_LOCATION to either your cluster zone or cluster region:


    • Set the workload pool:


    • Set the mesh ID:

      export MESH_ID="proj-${FLEET_PROJECT_NUMBER}"

  2. Set the default zone or region for the Google Cloud CLI. If you don't set the default here, be sure to specify either the --zone or --region option in the gcloud container clusters commands on this page.

    • If you have a single-zone cluster, set the default zone:

      gcloud config set compute/zone ${CLUSTER_LOCATION}

    • If you have a regional cluster, set the default region:

      gcloud config set compute/region ${CLUSTER_LOCATION}

    Tip: To make setting up your shell environment easier in the future, you can copy and paste the export statements for each environment variable to a simple shell script that you source when you start a new shell. You can also add the gcloud commands that set default values to the script. Or you can use gcloud init to create and activate a named gcloud configuration.

  3. Set the mesh_id label on the cluster. If your cluster has existing labels that you want to keep, you must include those labels when adding the mesh_id label.

    1. To see if your cluster has existing labels:

      gcloud container clusters describe ${CLUSTER_NAME} \
        --project ${PROJECT_ID}

      Look for the resourceLabels field in the output. Each label is stored on a separate line under the resourceLabels field, for example:

        csm: ''
        env: dev
        release: stable

      If the csm label is in the output, you don't need to preserve it. The mesh_id label replaces the csm label.

      For convenience, you can add the labels to an environment variable. In the following, replace YOUR_EXISTING_LABELS with a comma-separated list of the existing labels on your cluster in the format KEY=VALUE, for example: env=dev,release=stable

    2. Set the mesh_id label:

      • If your cluster has existing labels that you want to keep, update the cluster with the mesh_id and the existing labels:

        gcloud container clusters update ${CLUSTER_NAME} \
          --project ${PROJECT_ID} \

      • If your cluster doesn't have any existing labels, update the cluster with only the mesh_id label:

        gcloud container clusters update ${CLUSTER_NAME} \
          --project=${PROJECT_ID} \

  4. Enable Workload Identity:

    gcloud container clusters update ${CLUSTER_NAME} \
       --project=${PROJECT_ID} \

    Enabling Workload Identity can take up to 10 to 15 minutes.

  5. Enable Cloud Monitoring and Cloud Logging on GKE:

    gcloud container clusters update ${CLUSTER_NAME} \
       --project=${PROJECT_ID} \
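
Step 3 as shell functions, added here as an example and not taken from the Anthos Service Mesh documentation: the resourceLabels listing is turned into the KEY=VALUE list with mesh_id in front and csm left out. The function names, the `--update-labels` and `--format` flags used in `apply_mesh_label`, and the sample project number are assumptions; the character check is a simplified ASCII form of the GCP label rules.

```shell
# build_mesh_labels MESH_ID LABELS_YAML
# Prints "mesh_id=<MESH_ID>" followed by each existing label as KEY=VALUE.
# csm and any old mesh_id are left out; a malformed label returns status 1.
build_mesh_labels() {
  local out="mesh_id=$1" line key value
  while IFS= read -r line; do
    line="${line#"${line%%[! ]*}"}"   # trim the YAML indentation
    case "$line" in
      ""|"{}"|resourceLabels:*) continue ;;
      *:*) ;;
      *) echo "not a label line: $line" >&2; return 1 ;;
    esac
    key="${line%%:*}"
    value="${line#*:}"
    value="${value# }"
    # YAML quotes empty or numeric-looking values, for example csm: ''
    case "$value" in \'*\') value="${value#\'}"; value="${value%\'}" ;; esac
    case "$key" in csm|mesh_id) continue ;; esac
    # Simplified ASCII form of the GCP label rules: refuse anything that could
    # split the flag value into extra KEY=VALUE pairs.
    case "$key" in
      ""|[!a-z]*|*[!a-z0-9_-]*) echo "bad label key: $key" >&2; return 1 ;;
    esac
    case "$value" in
      *[!a-z0-9_-]*) echo "bad label value: $value" >&2; return 1 ;;
    esac
    out="${out},${key}=${value}"
  done <<EOF
$2
EOF
  printf '%s\n' "$out"
}

# apply_mesh_label: reads CLUSTER_NAME, PROJECT_ID and MESH_ID from the
# environment. Assumes --update-labels is the flag the step intends.
apply_mesh_label() {
  local current labels
  current="$(gcloud container clusters describe "${CLUSTER_NAME}" \
    --project "${PROJECT_ID}" --format='yaml(resourceLabels)')" || return 1
  labels="$(build_mesh_labels "${MESH_ID}" "${current}")" || return 1
  gcloud container clusters update "${CLUSTER_NAME}" \
    --project "${PROJECT_ID}" --update-labels "${labels}"
}

# Offline demo on the label listing shown in step 3 (project number constructed).
SAMPLE_LABELS="csm: ''
env: dev
release: stable"
build_mesh_labels "proj-123456789" "${SAMPLE_LABELS}"
```

Sourcing the file only defines the functions and prints the demo line; `apply_mesh_label` contacts the cluster only when called explicitly.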
