If you have created a service perimeter in your organization, you must add the Anthos Service Mesh certificate authority (Mesh CA) service to the perimeter, in the following cases:
- The cluster on which you have installed Anthos Service Mesh is in a project that is included in a service perimeter.
- The cluster on which you have installed Anthos Service Mesh is a service project in a Shared VPC network.
If you don't add Mesh CA to the service perimeter, it can't issue workload certificates properly. After you add Mesh CA to the service perimeter, issuance of workload identity certificates is restricted to within your cluster's Virtual Private Cloud (VPC) network.
Before you begin
The setup for the VPC Service Controls service perimeter is at the organization level. Ensure that you have been granted the proper roles for administering VPC Service Controls.
Adding Mesh CA to an existing service perimeter
Console
- Follow the steps in Updating a service perimeter to edit the perimeter.
- On the Edit VPC Service Perimeter page, under Services to protect, click Add Services.
- On the Specify services to restrict dialog, click Filter services, and enter Cloud Service Mesh Certificate Authority API.
- Select the service's checkbox.
- Click Add Cloud Service Mesh Certificate Authority API.
- Click Save.
gcloud
To update the list of restricted services, use the update command and specify the services to add as a comma-delimited list:
gcloud access-context-manager perimeters update PERIMETER_NAME \
    --add-restricted-services=meshca.googleapis.com[,OTHER_SERVICES] \
    --policy=POLICY_NAME
Where:
- PERIMETER_NAME is the name of the service perimeter that you want to update.
- OTHER_SERVICES is an optional comma-separated list of one or more services to include in the perimeter in addition to meshca.googleapis.com. For example: meshca.googleapis.com,storage.googleapis.com or meshca.googleapis.com,storage.googleapis.com,bigquery.googleapis.com.
- POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.
Refer to Updating a service perimeter for additional information.
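As an added example (not code from the Google Cloud documentation), the following shell script wraps the update command above: it builds the comma-delimited service list so that meshca.googleapis.com is always present exactly once, runs the update, and then checks the perimeter with `gcloud access-context-manager perimeters describe` to confirm that Mesh CA is actually listed under the enforced restricted services. PERIMETER_NAME and POLICY_NAME are the page's placeholders; the parsing assumes the YAML layout gcloud prints (a `status:` block containing `restrictedServices:`).

```shell
#!/usr/bin/env bash
# Added example, not from the Google Cloud docs. Assumes gcloud is installed
# and authenticated, and that the caller holds a VPC Service Controls admin role.
set -eu

MESH_CA_SERVICE="meshca.googleapis.com"

# Build a comma-delimited service list that always contains Mesh CA exactly once.
# Usage: build_service_list [extra-service ...]
build_service_list() {
  local list="$MESH_CA_SERVICE" svc
  for svc in "$@"; do
    [ "$svc" = "$MESH_CA_SERVICE" ] && continue
    case ",$list," in *",$svc,"*) continue ;; esac   # skip duplicates
    list="$list,$svc"
  done
  printf '%s\n' "$list"
}

# Return 0 if the 'perimeters describe' YAML read on stdin lists Mesh CA under
# status.restrictedServices (the enforced configuration), 1 otherwise.
perimeter_restricts_mesh_ca() {
  awk -v svc="$MESH_CA_SERVICE" '
    /^status:/ { in_status = 1; next }
    in_status && /^[^ ]/ { in_status = 0 }
    in_status && /^ *restrictedServices:/ { in_list = 1; next }
    in_status && in_list && /^ *- / { if ($2 == svc) found = 1; next }
    in_status && in_list { in_list = 0 }
    END { exit found ? 0 : 1 }'
}

# Apply the update with the same arguments the page documents, then verify.
# Usage: add_mesh_ca_to_perimeter PERIMETER_NAME POLICY_NAME [extra-service ...]
add_mesh_ca_to_perimeter() {
  local perimeter="$1" policy="$2"; shift 2
  gcloud access-context-manager perimeters update "$perimeter" \
    --add-restricted-services="$(build_service_list "$@")" \
    --policy="$policy"
  gcloud access-context-manager perimeters describe "$perimeter" \
    --policy="$policy" | perimeter_restricts_mesh_ca \
    || { echo "Mesh CA is not restricted in perimeter $perimeter" >&2; return 1; }
}
```

Run it as `add_mesh_ca_to_perimeter PERIMETER_NAME POLICY_NAME storage.googleapis.com`; a non-zero exit means the describe output did not show meshca.googleapis.com as restricted and the cluster's certificate issuance should be treated as unprotected until that is resolved.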
Last updated 2023-05-26 UTC.