# Set up your project and cluster yourself

When you install Cloud Service Mesh using [`asmcli`](/service-mesh/v1.25/docs/asmcli-reference), it can configure your project and your cluster for you if you include the `--enable_all` flag or the more granular [enablement flags](/service-mesh/v1.25/docs/asmcli-reference#enablement_flags). If you prefer to do the setup yourself rather than having `asmcli` make the changes, follow the steps on this page.

If you already have a previous version of Cloud Service Mesh installed, you don't need to make any changes to your project or cluster before using [`asmcli` to upgrade](/service-mesh/v1.25/docs/upgrade/upgrade) to the latest Cloud Service Mesh version.

By default, `asmcli` doesn't install the `istio-ingressgateway`. We recommend that you deploy and manage the control plane and gateways separately. Cloud Service Mesh supports auto-injection for gateway deployments, which makes Cloud Service Mesh upgrades easier. After upgrading Cloud Service Mesh, restart the gateways just like your services so that they pick up the new control plane configuration. For more information, see [Installing and upgrading gateways](/service-mesh/v1.25/docs/operate-and-maintain/gateways).

**Warning:** On upgrades, `asmcli` removes the default `istio-ingressgateway` from the `istio-system` namespace. If you need the default `istio-ingressgateway` installed with the in-cluster control plane, include the `--option legacy-default-ingressgateway` argument.

Before you begin
----------------

- Review the prerequisites and requirements ([outside Google Cloud](/service-mesh/v1.25/docs/onboarding/kubernetes-off-gcp/install/cloud-service-mesh-prerequisites), [GKE](/service-mesh/v1.25/docs/../legacy/in-cluster/cloud-service-mesh-prerequisites))
- Plan the installation ([outside Google Cloud](/service-mesh/v1.25/docs/onboarding/kubernetes-off-gcp/install/plan-install), [GKE](/service-mesh/v1.25/docs/../legacy/in-cluster/plan-install)) or the [upgrade](/service-mesh/v1.25/docs/unified-install/plan-upgrade)
- Install the required tools ([outside Google Cloud](/service-mesh/v1.25/docs/onboarding/kubernetes-off-gcp/install/install-dependent-tools), [GKE](/service-mesh/v1.25/docs/../legacy/in-cluster/install-dependent-tools))

Set up your project
-------------------

1. Get the project ID for the project that the cluster was created in.

   ### gcloud

   Run the following command:

   ```
   gcloud projects list
   ```

   ### Console

   1. Go to the [**Dashboard** page](https://console.cloud.google.com/home) in the Google Cloud console.
   2. Click the project drop-down list at the top of the page. In the **Select from** window that appears, select your project.

      The project ID is displayed on the project Dashboard **Project info** card.
2. Create an environment variable for the workload pool using the project ID:

   ```
   export WORKLOAD_POOL=PROJECT_ID.svc.id.goog
   ```
3. Set the required Identity and Access Management (IAM) roles. If you are a *Project Owner*, you have all the permissions needed to complete the installation. If you aren't a *Project Owner*, you need someone who is to grant you the following specific IAM roles. In the following command, replace PROJECT_ID with the project ID from the previous step and GCP_EMAIL_ADDRESS with the account that you use to sign in to Google Cloud.

   ```
   ROLES=(
     'roles/servicemanagement.admin' \
     'roles/serviceusage.serviceUsageAdmin' \
     'roles/meshconfig.admin' \
     'roles/compute.admin' \
     'roles/container.admin' \
     'roles/resourcemanager.projectIamAdmin' \
     'roles/iam.serviceAccountAdmin' \
     'roles/iam.serviceAccountKeyAdmin' \
     'roles/gkehub.admin')
   for role in "${ROLES[@]}"
   do
     gcloud projects add-iam-policy-binding PROJECT_ID \
       --member "user:GCP_EMAIL_ADDRESS" \
       --role="$role"
   done
   ```

   If you include the `--enable_all` or `--enable_gcp_iam_roles` flag when you run `asmcli`, it sets the required IAM roles for you.
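The loop above grants every role unconditionally. Before handing the list to someone who is a Project Owner, and again after the installation, it is worth checking what the installer account actually holds against the nine roles the page names. The script below is an added example, not part of the Cloud Service Mesh documentation or of `asmcli`; it reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints (the `SAMPLE_POLICY` here is constructed, with hypothetical accounts), reports which required roles are missing and which extra roles the account carries, skips conditional bindings because they may not apply at install time, and renders the page's `gcloud` command only for the roles still missing. Treating `roles/owner` as sufficient follows the page's own statement about Project Owners.

```python
"""Audit the IAM roles an installer account holds before running asmcli.

Added example for this page; it is not part of the Cloud Service Mesh docs or
of asmcli. Input is the JSON that `gcloud projects get-iam-policy PROJECT_ID
--format=json` prints; SAMPLE_POLICY below is a constructed stand-in for that
output, not captured from a real project.
"""
import json

# The nine project-level roles listed in step 3 of this page.
REQUIRED_ROLES = frozenset({
    "roles/servicemanagement.admin",
    "roles/serviceusage.serviceUsageAdmin",
    "roles/meshconfig.admin",
    "roles/compute.admin",
    "roles/container.admin",
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/gkehub.admin",
})

# Constructed sample policy (hypothetical project and accounts). The installer
# account lacks roles/gkehub.admin (its only binding for that role is
# conditional) and carries an unrelated extra role.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/servicemanagement.admin", "members": ["user:installer@example.com"]},
        {"role": "roles/serviceusage.serviceUsageAdmin", "members": ["user:installer@example.com"]},
        {"role": "roles/meshconfig.admin", "members": ["user:installer@example.com"]},
        {"role": "roles/compute.admin", "members": ["user:installer@example.com"]},
        {"role": "roles/container.admin", "members": ["user:installer@example.com"]},
        {"role": "roles/resourcemanager.projectIamAdmin", "members": ["user:installer@example.com"]},
        {"role": "roles/iam.serviceAccountAdmin", "members": ["user:installer@example.com"]},
        {"role": "roles/iam.serviceAccountKeyAdmin", "members": ["user:installer@example.com"]},
        {"role": "roles/storage.admin", "members": ["user:installer@example.com"]},
        {"role": "roles/gkehub.admin",
         "members": ["user:installer@example.com"],
         "condition": {"title": "expired",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
})


def roles_for_member(policy_json, member):
    """Return the roles bound unconditionally to `member` at the project level.

    Conditional bindings are skipped: whether they apply depends on request
    attributes, so they cannot be relied on during the installation.
    """
    policy = json.loads(policy_json)
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def audit_member(policy_json, member):
    """Compare the member's roles with REQUIRED_ROLES.

    A Project Owner needs nothing further, as the page states. For anyone else,
    report the required roles still missing and the roles held beyond the
    required set, which is what a least-privilege review looks at afterwards.
    """
    granted = roles_for_member(policy_json, member)
    if "roles/owner" in granted:
        return {"owner": True, "missing": [], "extra": [], "ready": True}
    missing = sorted(REQUIRED_ROLES - granted)
    extra = sorted(granted - REQUIRED_ROLES)
    return {"owner": False, "missing": missing, "extra": extra, "ready": not missing}


def grant_commands(project_id, member, missing):
    """Render the page's gcloud command for just the roles that are missing."""
    return [
        f'gcloud projects add-iam-policy-binding {project_id} --member "{member}" --role={role}'
        for role in missing
    ]


if __name__ == "__main__":
    report = audit_member(SAMPLE_POLICY, "user:installer@example.com")
    print(report)
    for cmd in grant_commands("PROJECT_ID", "user:installer@example.com", report["missing"]):
        print(cmd)
```

Run it against real output by piping `gcloud projects get-iam-policy PROJECT_ID --format=json` into `audit_member` in place of `SAMPLE_POLICY`. The `extra` list is the part to revisit once `asmcli` has finished: the page's roles are only needed for the installation, and an account that keeps `roles/iam.serviceAccountKeyAdmin` or `roles/resourcemanager.projectIamAdmin` permanently is a far larger target than the mesh itself.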
4. Enable the required Google APIs:

   ```
   gcloud services enable \
     --project=PROJECT_ID \
     mesh.googleapis.com
   ```

   In addition to `mesh.googleapis.com`, this command also enables further APIs. Among them:

   - `meshconfig.googleapis.com` (Mesh Configuration API): Cloud Service Mesh uses it to relay configuration data from your mesh to Google Cloud. Enabling it also lets you access the Cloud Service Mesh pages in the Google Cloud console and use the Cloud Service Mesh certificate authority. Can be disabled: No.
   - `meshca.googleapis.com`: related to the Cloud Service Mesh certificate authority used by managed Cloud Service Mesh.

   **Note:** Some required APIs have transitive dependencies on other APIs.

   **Warning:** Disabling `connectgateway.googleapis.com`, `trafficdirector.googleapis.com`, `networkservices.googleapis.com`, and/or `networksecurity.googleapis.com` causes the managed Cloud Service Mesh control plane to stop working. If the fleet does not use managed Cloud Service Mesh on any cluster, these APIs can be disabled.

   Enabling the APIs can take a minute or more to complete. When the APIs are enabled, you see output similar to the following:

   ```
   Operation "operations/acf.601db672-88e6-4f98-8ceb-aa3b5725533c" finished
   successfully.
   ```

   If you include the `--enable_all` or `--enable_apis` flag when you run `asmcli`, it enables the required APIs for you.
Set up your cluster
-------------------

If you include the `--enable_all` flag, or one of the more granular [enablement flags](/service-mesh/v1.25/docs/unified-install/reference#enablement_flags), `asmcli` sets up your cluster for you.

1. [Register the cluster to the fleet](/anthos/fleet-management/docs/fleet-creation).

2. Initialize your project to ready it for installation. Among other things, this command creates a service account that lets data plane components, such as the sidecar proxy, securely access your project's data and resources. In the following command, replace FLEET_PROJECT_ID with the [fleet host project](/anthos/multicluster-management/fleets#fleet-host-project):

   **Warning:** If your `FLEET_PROJECT_ID` is the same as your `PROJECT_ID`, remove `"FLEET_PROJECT_ID.hub.id.goog",` from the following command. Otherwise, the request fails with an `INVALID_ARGUMENT` error.

   ```
   curl --request POST \
     --header "Authorization: Bearer $(gcloud auth print-access-token)" \
     --header "Content-Type: application/json" \
     --data '{"workloadIdentityPools":["FLEET_PROJECT_ID.hub.id.goog","FLEET_PROJECT_ID.svc.id.goog","PROJECT_ID.svc.id.goog"]}' \
     "https://meshconfig.googleapis.com/v1alpha1/projects/PROJECT_ID:initialize"
   ```

   The command responds with empty curly braces: `{}`
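The `curl` call above is easy to get wrong by hand: the workload pool names are derived from two project IDs, and the warning's special case (fleet host project equal to the cluster project) changes the body. The script below is an added example, not part of the Cloud Service Mesh documentation or of any Google tool. It validates the project IDs against the Google Cloud project ID format, derives the `WORKLOAD_POOL` value from step 2 and the `workloadIdentityPools` list for the `:initialize` request, and leaves out the `hub.id.goog` pool when the two projects are the same, exactly as the warning says. Dropping the then-identical second `svc.id.goog` entry is this example's own choice, not something the page states. The project IDs used are constructed; the bearer token is intentionally left to the caller.

```python
"""Build the project-initialize request from this page with its edge case handled.

Added example for this page; it is not part of the Cloud Service Mesh docs or
of any Google tool. Project IDs below are constructed.
"""
import json
import re

# Google Cloud project ID rules: 6-30 characters, lowercase letters, digits
# and hyphens, must start with a letter and must not end with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

MESHCONFIG_ENDPOINT = "https://meshconfig.googleapis.com/v1alpha1"


def validate_project_id(project_id):
    """Reject values that cannot be a project ID before they reach a command line."""
    if not isinstance(project_id, str) or not PROJECT_ID_RE.match(project_id):
        raise ValueError(f"not a valid Google Cloud project ID: {project_id!r}")
    return project_id


def workload_pool(project_id):
    """The WORKLOAD_POOL value from step 2: PROJECT_ID.svc.id.goog."""
    return f"{validate_project_id(project_id)}.svc.id.goog"


def workload_identity_pools(project_id, fleet_project_id):
    """The workloadIdentityPools list for the initialize request."""
    validate_project_id(project_id)
    validate_project_id(fleet_project_id)
    pools = []
    if fleet_project_id != project_id:
        # Only a separate fleet host project contributes a hub pool; with the
        # same project the page says the API answers INVALID_ARGUMENT.
        pools.append(f"{fleet_project_id}.hub.id.goog")
    pools.append(workload_pool(fleet_project_id))
    cluster_pool = workload_pool(project_id)
    # This example's own choice: when both projects match, the cluster pool is
    # the same string as the fleet pool, so it is not repeated.
    if cluster_pool not in pools:
        pools.append(cluster_pool)
    return pools


def initialize_request(project_id, fleet_project_id):
    """Method, URL, headers and JSON body equivalent to the curl call above.

    The Authorization header is deliberately not built here; the caller adds
    "Bearer" plus a short-lived token from `gcloud auth print-access-token`
    so that no credential is ever stored in the request template.
    """
    body = {"workloadIdentityPools": workload_identity_pools(project_id, fleet_project_id)}
    return {
        "method": "POST",
        "url": f"{MESHCONFIG_ENDPOINT}/projects/{project_id}:initialize",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body, separators=(",", ":")),
    }


if __name__ == "__main__":
    for fleet in ("fleet-host-proj", "my-mesh-proj"):
        req = initialize_request("my-mesh-proj", fleet)
        print(req["url"])
        print(req["body"])
```

The `body` string is what goes into `--data`; comparing it with what you typed is a quick way to catch a stray pool entry before the request is sent with a live access token.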
3. For GKE on Google Cloud clusters, set the default zone or region for the Google Cloud CLI. If you don't set the default here, be sure to specify either the `--zone` or `--region` option in the `gcloud container clusters` commands on this page.

   - If you have a single-zone cluster, set the default zone:

     ```
     gcloud config set compute/zone CLUSTER_LOCATION
     ```

   - If you have a regional cluster, set the default region:

     ```
     gcloud config set compute/region CLUSTER_LOCATION
     ```
4. For GKE on Google Cloud clusters, enable [Workload Identity](/kubernetes-engine/docs/how-to/workload-identity):

   ```
   gcloud container clusters update CLUSTER_NAME \
     --project=PROJECT_ID \
     --workload-pool=${WORKLOAD_POOL}
   ```

   Enabling Workload Identity can take 10 to 15 minutes.

5. For GKE on Google Cloud clusters, enable [Cloud Monitoring and Cloud Logging on GKE](/monitoring/kubernetes-engine):

   ```
   gcloud container clusters update CLUSTER_NAME \
     --project=PROJECT_ID \
     --enable-stackdriver-kubernetes
   ```

Your project and cluster are now ready for a new installation using `asmcli`.

What's next
-----------

- [Install dependent tools and validate cluster outside Google Cloud](/service-mesh/v1.25/docs/onboarding/kubernetes-off-gcp/install/install-dependent-tools)
- [Install dependent tools and validate cluster on GKE](/service-mesh/v1.25/docs/../legacy/in-cluster/install-dependent-tools)
Last updated: 2025-09-04 (UTC)