Adding Mesh CA to a service perimeter

If you have created a service perimeter in your organization, you must add the Anthos Service Mesh certificate authority (Mesh CA) service to the perimeter, in the following cases:

  • The cluster on which you have installed Anthos Service Mesh is in a project that is included in a service perimeter.
  • The cluster on which you have installed Anthos Service Mesh is a service project in a Shared VPC network.

If you don't add Mesh CA to the service perimeter, it can't issue workload certificates properly. After you add Mesh CA to the service perimeter, issuance of workload identity certificates is restricted to within your cluster's Virtual Private Cloud (VPC) network.

Before you begin

The setup for the VPC Service Controls service perimeter is at the organization level. Ensure that you have been granted the proper roles for administering VPC Service Controls.

Adding Mesh CA to an existing service perimeter

Console

  1. Follow the steps in Updating a service perimeter to edit the perimeter.
  2. On the Edit VPC Service Perimeter page, under Services to protect, click Add Services.
  3. On the Specify services to restrict dialog, click Filter services, and enter Cloud Service Mesh Certificate Authority API.
  4. Select the service's checkbox.
  5. Click Add Cloud Service Mesh Certificate Authority API.
  6. Click Save.

gcloud

To update the list of restricted services, use the update command and specify the services to add as a comma-delimited list:

gcloud access-context-manager perimeters update PERIMETER_NAME \
  --add-restricted-services=meshca.googleapis.com[,OTHER_SERVICES \
  --policy=POLICY_NAME

Where:

  • PERIMETER_NAME is the name of the service perimeter that you want to update.

  • OTHER_SERVICES is an optional comma-separated list of one or more services to include in the perimeter in addition to meshca.googleapis.com. For example: meshca.googleapis.com,storage.googleapis.com or meshca.googleapis.com,storage.googleapis.com,bigquery.googleapis.com.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

Refer to Updating a service perimeter for additional information.