Stay organized with collections
Save and categorize content based on your preferences.
Supported features using Istio APIs (managed control plane)
This page describes the supported features and limitations for
Cloud Service Mesh using TRAFFIC_DIRECTOR or ISTIOD as the control plane and the
differences between each implementation. Note that these are not options you can
choose. The ISTIOD implementation is only available for existing users.
New installations use the TRAFFIC_DIRECTOR implementation when possible.
Migrations and upgrades are supported only from in-cluster Cloud Service Mesh
versions 1.9+ installed with Mesh CA. Installations with Istio CA (previously
known as Citadel) must first
migrate to Mesh CA.
Scale is limited to 1000 services and 5000 workloads per cluster.
Only multi-primary deployment option for multi-cluster is supported:
primary-remote deployment option for multi-cluster is not.
istioctl ps is not supported. Instead you can use the
gcloud beta container fleet mesh debug commands as described in
Troubleshooting.
Unsupported APIs:
EnvoyFilter API
WasmPlugin API
IstioOperator API
Kubernetes Ingress API
You can use the managed control plane without a GKE Enterprise subscription,
but certain UI elements and features in Google Cloud console are only available
to GKE Enterprise subscribers. For information about what is available
to subscribers and non-subscribers, see
GKE Enterprise and Cloud Service Mesh UI differences.
During the provisioning process for a managed control plane,
Istio CRDs corresponding to the selected channel are installed in the
specified cluster. If there are existing Istio CRDs in the cluster, they will
be overwritten.
Managed Cloud Service Mesh only supports the default DNS domain .cluster.local.
New installations of managed Cloud Service Mesh fetch JWKS only using
Envoys, unless the fleet contains other clusters for which that behavior is
not enabled. This is equivalent to the PILOT_JWT_ENABLE_REMOTE_JWKS=envoy
Istio option. Compared to installations that don't have VPCSC_GA_SUPPORTED
condition (see below), you might need extra configuration for ServiceEntry
and DestinationRule configurations. For an example, see
requestauthn-with-se.yaml.tmpl.
You can determine whether the current mode of operation is equivalent to
PILOT_JWT_ENABLE_REMOTE_JWKS=envoy by determining whether VPC Service
Controls are supported for the control
plane (ie. the VPCSC_GA_SUPPORTED condition is displayed).
Control plane differences
There are differences in supported features between the ISTIOD and TRAFFIC_DIRECTOR
control plane implementations. To check which implementation you are using, see
Identify control plane implementation.
– indicates the feature is available and
enabled by default.
† - indicates that feature APIs may
have differences between various platforms.
* – indicates the feature is supported for
the platform and can be enabled, as described in
Enable optional features
or the feature guide linked in the feature table.
§ – indicates that the feature is
supported by allowlist. Previous users of managed Anthos Service Mesh are
automatically allowlisted at the organization level.
Contact Google Cloud Support to request access
or to check your allowlist status.
– indicates either the feature isn't
available or it isn't supported.
The default and optional features are fully supported by Google Cloud
Support. Features not explicitly listed in the tables receive best-effort
support.
What determines control plane implementation
When you provision managed Cloud Service Mesh the first time in a fleet, we
determine which control plane implementation to use. The same implementation is
used for all clusters that provision managed Cloud Service Mesh in that fleet.
New fleets that onboard to managed Cloud Service Mesh receive the
TRAFFIC_DIRECTOR control plane implementation, with certain exceptions:
If you are an existing managed Cloud Service Mesh user, you receive the ISTIOD
control plane implementation when you onboard a new fleet in the same Google Cloud
Organization to managed Cloud Service Mesh, until at least June 30, 2024.
If you are one of these users, you can contact Support to fine-tune this behavior.
Users whose existing usage is not compatible with the TRAFFIC_DIRECTOR
implementation without changes will continue to receive the ISTIOD
implementation until September 8, 2024. (These users received a Service
Announcement.)
If any cluster in your fleet uses Certificate Authority Service when you provision managed
Cloud Service Mesh, you receive the ISTIOD control plane implementation.
If any GKE on Google Cloud cluster in your fleet contains an in-cluster Cloud Service Mesh
control plane when you provision managed Cloud Service Mesh, you will
receive the ISTIOD control plane implementation.
If any cluster in your fleet uses
GKE Sandbox,
when you provision managed Cloud Service Mesh, you receive the ISTIOD
control plane implementation.
Managed control plane supported features
Install, upgrade, and rollback
Feature
Managed (TD)
Managed (istiod)
Installation on GKE clusters using fleet feature API
Upgrades from ASM 1.9 versions that use Mesh CA
Direct (skip-level) upgrades from Cloud Service Mesh versions prior to 1.9 (see notes for indirect upgrades)
Direct (skip-level) upgrades from Istio OSS (see notes for indirect upgrades)
Direct (skip-level) upgrades from Istio-on-GKE add-on (see notes for indirect upgrades)
Environments outside of Google Cloud (GKE Enterprise on-premises,
GKE Enterprise on other public clouds, Amazon EKS, Microsoft AKS,
or other Kubernetes clusters)
A multi-primary configuration means that the configuration must be replicated
in all clusters.
A primary-remote configuration means that a single cluster contains the
configuration and is considered the source of truth.
Cloud Service Mesh uses a simplified definition of network based on general
connectivity. Workload instances are on the same network if they are able to
communicate directly, without a gateway.
† Cloud Service Mesh with a managed (TD) control plane only supports
the distroless image type. You cannot change it.
Note that distroless images have minimal binaries, so you cannot exec the usual
commands like bash or curl because they are not present in the distroless image.
However, you can use ephemeral containers to attach to a running workload Pod to
be able to inspect it and run custom commands. For example, see
Collecting Cloud Service Mesh logs.
† The TRAFFIC_DIRECTOR control plane supports a subset of Istio telemetry API
used to configure access logs and
trace. The TRAFFIC_DIRECTOR
control plane does not support configuring the trace sampling rate.
Although TCP is a supported protocol for networking and TCP
metrics are collected, they are not reported. Metrics are displayed only for
HTTP services in the Google Cloud console.
Services that are configured with Layer 7 capabilities for
the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka,
Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by
using TCP byte stream support. If TCP byte stream cannot support the protocol
(for example, Kafka sends a redirect address in a protocol-specific reply and
this redirect is incompatible with Cloud Service Mesh's routing logic), then
the protocol isn't supported.
† IPv6 is available as a preview dual-stack networking feature. In
proxyless gRPC, dualstack features are supported only in gRPC 1.66.1 or newer
in C++ and Python or gRPC Node.js v1.12. If you try to configure dual-stack features with a version of
gRPC that doesn't support dual-stack, the clients will use only the first
address sent by Traffic Director.
Envoy deployments
Feature
Managed (TD)
Managed (istiod)
Sidecars
Ingress gateway
Egress directly out from sidecars
Egress using egress gateways
*
*
CRD support
Feature
Managed (TD)
Managed (istiod)
Sidecar resource
Service entry resource
Percentage, fault injection, path matching, redirects, retries, rewriting,
timeout, retry, mirroring, header manipulation, and CORS routing rules
† The TRAFFIC_DIRECTOR control plane implementation does not support following
fields and values in fields:
workloadSelector field
endpoints[].network field
endpoints[].locality field
endpoints[].weight field
endpoints[].serviceAccount field
DNS_ROUND_ROBIN value in resolution field
MESH_INTERNAL value in location field
Unix domain socket address in endpoints[].address field
subjectAltNames field
Destination rule
Feature
Managed (TD)
Managed (istiod)
DestinationRule v1beta1
†
† The TRAFFIC_DIRECTOR control plane implementation does not support following fields.
trafficPolicy.loadBalancer.localityLbSetting field
trafficPolicy.tunnel field
trafficPolicy.tls.credentialName field
trafficPolicy.portLevelSettings[].tls.credentialName field
Additionally, the TRAFFIC_DIRECTOR control plane implementation requires that the
destination rule defining subsets is in the same namespace and cluster with
the Kubernetes service or ServiceEntry.
Sidecar
Feature
Managed (TD)
Managed (istiod)
Sidecar v1beta1
†
† The TRAFFIC_DIRECTOR control plane implementation does not support following
fields and values in fields:
ingress field
egress.port field
egress.bind field
egress.captureMode field
inboundConnectionPool field
MeshConfig
Feature
Managed (TD)
Managed (istiod)
LocalityLB
§
ExtensionProviders
§
CACert
ImageType - distroless
§
OutboundTrafficPolicy
§
defaultProviders.accessLogging
defaultProviders.tracing
defaultConfig.tracing.stackdriver
§
accessLogFile
§
ProxyConfig
Feature
Managed (TD)
Managed (istiod)
DNS proxy (ISTIO_META_DNS_CAPTURE, ISTIO_META_DNS_AUTO_ALLOCATE)
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-01-17 UTC."],[],[]]