In-cluster Cloud Service Mesh prerequisites

**Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see [Cloud Service Mesh overview](/service-mesh/v1.24/docs/overview).

This page describes the prerequisites and the requirements for installing in-cluster Cloud Service Mesh for Kubernetes workloads off Google Cloud, such as GKE Enterprise licensing, cluster requirements, fleet requirements, and general requirements.

Cloud project

Before you begin:

- [Select or create a Google Cloud project](https://console.cloud.google.com/projectselector2).
- [Verify that billing is enabled](https://cloud.google.com/billing/docs/how-to/modify-project) for your project.
GKE Enterprise licensing

To install Cloud Service Mesh on-premises, on GKE on AWS, on Amazon EKS, on GKE on Azure, or on Microsoft AKS, you have to be a GKE Enterprise customer. GKE Enterprise customers are not billed separately for Cloud Service Mesh because it is already included in the GKE Enterprise pricing. For more information, see the [GKE Enterprise pricing guide](/kubernetes-engine/pricing).
General requirements

- To be included in the service mesh, service ports must be named, and the name must include the port's protocol in the following syntax:
  `name: protocol[-suffix]`
  where the square brackets indicate an optional suffix that must start with a dash. For more information, see [Naming service ports](/service-mesh/v1.24/docs/naming-service-ports).
- If you have created a [service perimeter](/vpc-service-controls/docs/service-perimeters) in your organization, you might need to add the Cloud Service Mesh certificate authority service to the perimeter. See [Adding Cloud Service Mesh certificate authority to a service perimeter](/service-mesh/v1.24/docs/set-service-perimeter) for more information.
- If you want to change the default [resource limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits) for the `istio-proxy` sidecar container, the new values must be greater than the default values to [avoid out-of-memory (OOM) events](/service-mesh/v1.24/docs/troubleshooting/troubleshoot-sidecar-proxies).
- A Google Cloud project can only have one mesh associated with it.
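The port-naming rule above is easy to get wrong in a large manifest set (an unnamed port, a name with no protocol prefix, an underscore instead of a dash), and a port that breaks it silently falls outside the mesh. The following is an added example, not code from the Cloud Service Mesh documentation or tooling: it reads a Service object in the JSON shape that `kubectl get svc -o json` prints and reports every port whose name does not follow `protocol[-suffix]`. The `KNOWN_PROTOCOLS` tuple is the set of protocol prefixes assumed here; adjust it to what your mesh version recognises. The sample Service is constructed for the example.

```python
"""Check that Kubernetes Service ports are named protocol[-suffix].

Added example; not part of the Cloud Service Mesh documentation or tooling.
KNOWN_PROTOCOLS is the set of protocol prefixes assumed here (an assumption);
adjust it to what your mesh version actually recognises.
"""
import json

# Assumed set of protocol prefixes (assumption, see module docstring).
KNOWN_PROTOCOLS = (
    "http", "http2", "https", "grpc", "grpc-web",
    "mongo", "mysql", "redis", "tcp", "tls", "udp",
)


def classify_port_name(name):
    """Split a port name into (protocol, suffix).

    Returns (None, None) when the name is empty, does not start with a
    known protocol, or ends in a dash with nothing after it.
    """
    if not name:
        return None, None
    # Longest prefix first so "grpc-web-ui" is grpc-web, not grpc + "web-ui".
    for proto in sorted(KNOWN_PROTOCOLS, key=len, reverse=True):
        if name == proto:
            return proto, None
        if name.startswith(proto + "-") and len(name) > len(proto) + 1:
            return proto, name[len(proto) + 1:]
    return None, None


def check_service(service):
    """Return a list of findings for one Service object (empty list = all ports OK)."""
    findings = []
    svc_name = service.get("metadata", {}).get("name", "<unnamed>")
    for entry in service.get("spec", {}).get("ports", []):
        port = entry.get("port")
        port_name = entry.get("name")
        if not port_name:
            findings.append(
                f"{svc_name}: port {port} has no name; it will not be included in the mesh")
            continue
        proto, _suffix = classify_port_name(port_name)
        if proto is None:
            findings.append(
                f"{svc_name}: port {port} is named {port_name!r}, which does not "
                f"start with a known protocol (expected protocol[-suffix])")
    return findings


# Constructed sample Service in the shape `kubectl get svc -o json` prints.
SAMPLE_SERVICE = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Service",
  "metadata": {"name": "reviews"},
  "spec": {
    "ports": [
      {"name": "http-web", "port": 80, "targetPort": 8080},
      {"name": "grpc", "port": 9090},
      {"port": 3306},
      {"name": "web", "port": 8081},
      {"name": "tcp_db", "port": 5432}
    ]
  }
}
""")

if __name__ == "__main__":
    # Three of the five sample ports are reported: the unnamed one, "web", "tcp_db".
    for finding in check_service(SAMPLE_SERVICE):
        print(finding)
```

Run it against a real cluster by piping each Service from `kubectl get svc -A -o json` into `check_service`; an empty findings list for every Service means the mesh will see all ports with the protocol you intended.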
Cluster requirements

- Ensure that the user cluster that you install Cloud Service Mesh on has at least 4 vCPUs, 15 GB memory, and 4 nodes.
- Verify that your cluster version is listed in [Supported platforms](/service-mesh/v1.24/docs/supported-platforms).
- Ensure that the client machine that you install Cloud Service Mesh from has network connectivity to the API server.
- If you are deploying sidecars in application pods where direct connectivity to CA services (such as `meshca.googleapis.com` and `privateca.googleapis.com`) is not available, you must [configure an explicit `CONNECT`-based HTTPS proxy](/service-mesh/v1.24/docs/unified-install/options/configure-ca-through-proxy).
- For public clusters with egress firewall rules set that are blocking [implied rules](/vpc/docs/firewalls#default_firewall_rules), ensure you have configured HTTP/HTTPS and DNS rules to reach public Google APIs.
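The size minimums above (4 vCPUs, 15 GB memory, 4 nodes) are the kind of thing worth checking before running `asmcli`, since Kubernetes reports node resources as quantities such as `1500m` and `3900Mi` that need converting before they can be summed. The following is an added example, not part of the Cloud Service Mesh documentation or of `asmcli`: it parses the NodeList JSON that `kubectl get nodes -o json` prints, totals allocatable CPU and memory, and lists any unmet minimum. Two assumptions are built in and labelled in the code: the minimums are read as cluster-wide totals of node allocatable resources, and "15 GB" is checked as 15 GiB, the stricter reading. The two sample node lists are constructed for the example.

```python
"""Preflight check of cluster size against the in-cluster Cloud Service Mesh minimums.

Added example; not part of the Cloud Service Mesh documentation or asmcli.
Assumptions: the 4 vCPU / 15 GB / 4 node figures are read as cluster-wide
totals of node allocatable resources, and "15 GB" is checked as 15 GiB
(the stricter reading). Feed it `kubectl get nodes -o json` on stdin.
"""
import json
import sys

MIN_NODES = 4
MIN_CPU_CORES = 4.0
MIN_MEMORY_BYTES = 15 * 1024 ** 3  # assumption: 15 GB read as 15 GiB

# Kubernetes quantity suffixes: binary (Ki, Mi, ...) and decimal (k, M, ...).
_BINARY = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
_DECIMAL = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}


def parse_memory_bytes(quantity):
    """Convert a Kubernetes memory quantity ("4Gi", "3900Mi", "15G", "1024") to bytes."""
    q = str(quantity).strip()
    # Binary suffixes are tested first so "Gi" is not mistaken for "G".
    for suffix, mult in list(_BINARY.items()) + list(_DECIMAL.items()):
        if q.endswith(suffix):
            return int(float(q[:-len(suffix)]) * mult)
    return int(float(q))  # plain number of bytes


def parse_cpu_cores(quantity):
    """Convert a Kubernetes CPU quantity ("2", "1500m", "0.5") to cores."""
    q = str(quantity).strip()
    if q.endswith("m"):
        return float(q[:-1]) / 1000.0
    return float(q)


def preflight(node_list):
    """Summarise a NodeList (the JSON kubectl prints) and list any unmet minimums."""
    nodes = node_list.get("items", [])
    cpu = 0.0
    memory = 0
    for node in nodes:
        # Allocatable, not capacity: it is what pods can actually be scheduled on.
        alloc = node.get("status", {}).get("allocatable", {})
        cpu += parse_cpu_cores(alloc.get("cpu", "0"))
        memory += parse_memory_bytes(alloc.get("memory", "0"))
    problems = []
    if len(nodes) < MIN_NODES:
        problems.append(f"only {len(nodes)} nodes, need at least {MIN_NODES}")
    if cpu < MIN_CPU_CORES:
        problems.append(f"only {cpu:g} allocatable vCPUs, need at least {MIN_CPU_CORES:g}")
    if memory < MIN_MEMORY_BYTES:
        problems.append(
            f"only {memory / 1024 ** 3:.1f} GiB allocatable memory, "
            f"need at least {MIN_MEMORY_BYTES / 1024 ** 3:.0f} GiB")
    return {"nodes": len(nodes), "cpu_cores": cpu, "memory_bytes": memory, "problems": problems}


def _node(name, cpu, memory):
    """Build one constructed Node object with just the fields preflight() reads."""
    return {"metadata": {"name": name}, "status": {"allocatable": {"cpu": cpu, "memory": memory}}}


# Constructed samples in the shape of `kubectl get nodes -o json`.
SAMPLE_OK = {"kind": "NodeList", "items": [
    _node("node-a", "2", "4Gi"), _node("node-b", "1500m", "3900Mi"),
    _node("node-c", "2", "4Gi"), _node("node-d", "1", "4Gi"),
]}
# Same cluster minus one node: fails on node count and on memory.
SAMPLE_TOO_SMALL = {"kind": "NodeList", "items": SAMPLE_OK["items"][:3]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_OK
    summary = preflight(data)
    print(json.dumps(summary, indent=2))
    sys.exit(1 if summary["problems"] else 0)
```

Usage: `kubectl get nodes -o json | python3 preflight.py` exits non-zero and prints the unmet minimums; run with no stdin it evaluates the constructed `SAMPLE_OK` list. Note that this checks size only; the supported-version check and the connectivity checks in the list above still have to be done separately.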
Fleet requirements

All clusters must be registered to a [fleet](/kubernetes-engine/docs/fleets-overview), and [fleet workload identity](/kubernetes-engine/fleet-management/docs/use-workload-identity) must be enabled. You can either [set up the clusters](/kubernetes-engine/fleet-management/docs/use-workload-identity#cluster_setup) yourself, or you can let `asmcli` register the clusters as long as they meet the following requirements:

**Caution:** All Cloud Service Mesh clusters for one mesh must be registered to the same fleet at all times to use Cloud Service Mesh. Other clusters in the project of a Cloud Service Mesh cluster must not be registered to a different fleet.

- **GKE clusters outside Google Cloud** (applies to in-cluster Cloud Service Mesh): [Google Distributed Cloud (software only) for VMware](/anthos/clusters/docs/on-prem), [Google Distributed Cloud (software only) for bare metal](/kubernetes-engine/distributed-cloud/bare-metal/docs), [GKE on AWS](/anthos/clusters/docs/aws), and [GKE on Azure](/anthos/clusters/docs/multi-cloud/azure) are automatically registered to your project fleet at cluster creation time. As of GKE Enterprise 1.8, all these cluster types automatically enable fleet Workload Identity when registered. Existing registered clusters are updated to use fleet Workload Identity when they are upgraded to GKE Enterprise 1.8.
- **Amazon EKS clusters** (applies to in-cluster Cloud Service Mesh): The cluster must have a public IAM OIDC identity provider. Follow the instructions in [Create an IAM OIDC provider for your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) to check whether a provider exists, and create one if necessary.

When you run `asmcli install`, you specify the project ID of the [fleet host project](/kubernetes-engine/fleet-management/docs/fleet-concepts#fleet-host-project). `asmcli` registers the cluster if it isn't already registered.

**Note:** If you have not registered a cluster from a project to a fleet hosted in a different project before, there are extra steps required to configure fleet permissions. For detailed instructions, see [Grant permissions for registering a cluster into a different project](/anthos/fleet-management/docs/before-you-begin#gke-cross-project).

What's next?

- [Plan a new installation](/service-mesh/v1.24/docs/onboarding/kubernetes-off-gcp/install/plan-install)
- [Plan an upgrade](/service-mesh/v1.24/docs/upgrade/plan-upgrade)
Last updated 2025-09-04 UTC.