When you install Anthos Service Mesh, you specify the Anthos Service Mesh configuration profile, which enables the supported default features listed on the Supported features page. The Anthos Service Mesh configuration profiles, asm.yaml and asm-onprem.yaml, are located in the install/kubernetes/operator/profiles subdirectory within the Anthos Service Mesh installation's root directory. The configuration profiles define and configure the features that are installed with Anthos Service Mesh.
You can override the ASM configuration profile and enable supported optional features by using the IstioOperator API. You specify the IstioOperator configuration in a YAML file and pass the file to the istioctl manifest apply command using the -f command-line option.
Although you can specify the configuration parameters on the command line by using the --set option, we recommend that you use a YAML file for the configuration so that you can store the file in your version-control system along with your cluster resource configuration files.
The spec section in the YAML configuration corresponds to the --set command-line options. Helm-style settings such as global.mtls go under spec.values, which is where the IstioOperator API expects them. For example, the YAML to enable STRICT mTLS mode is:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      mtls:
        enabled: true
```

The corresponding command-line option is:

```
--set values.global.mtls.enabled=true
```
For more information, see Customizing the configuration.
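Because the spec section mirrors the --set options, the same settings can be kept as a YAML overlay in version control rather than typed on the command line. The following added example (not from the page or from istioctl) merges a list of --set key=value options into the equivalent IstioOperator overlay and emits it as YAML; the value typing it applies (true/false to booleans, digits to integers, quoted or other text to strings) and the mapping-only emitter are assumptions, and it handles dotted paths only, not list entries.

```python
from typing import Any, Dict, List


def parse_set_value(raw: str) -> Any:
    """Type a --set value: true/false -> bool, digits -> int, else string.
    How istioctl types values is assumed here, not taken from the page."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.lstrip("-").isdigit():
        return int(raw)
    # Surrounding quotes, as in accessLogFile="/dev/stdout", are stripped.
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw


def set_to_overlay(set_options: List[str]) -> Dict[str, Any]:
    """Merge dotted --set paths (values.global.mtls.enabled=true) into one
    IstioOperator overlay whose spec mirrors the paths."""
    spec: Dict[str, Any] = {}
    for option in set_options:
        path, sep, raw = option.partition("=")
        if not path or not sep:
            raise ValueError(f"expected key=value, got {option!r}")
        node = spec
        keys = path.split(".")
        for key in keys[:-1]:
            node = node.setdefault(key, {})
            if not isinstance(node, dict):
                raise ValueError(f"{path}: {key} already holds a scalar")
        node[keys[-1]] = parse_set_value(raw)
    return {"apiVersion": "install.istio.io/v1alpha1",
            "kind": "IstioOperator", "spec": spec}


def to_yaml(node: Dict[str, Any], indent: int = 0) -> str:
    """Emit YAML for mapping/scalar overlays such as the mTLS example."""
    pad = "  " * indent
    lines = []
    for key, value in node.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.append(to_yaml(value, indent + 1))
        elif isinstance(value, bool):
            lines.append(f"{pad}{key}: {str(value).lower()}")
        elif isinstance(value, int):
            lines.append(f"{pad}{key}: {value}")
        else:
            lines.append(f'{pad}{key}: "{value}"')
    return "\n".join(lines)
```

Running `to_yaml(set_to_overlay(["profile=asm", "values.global.mtls.enabled=true"]))` gives the profile and mTLS overlay ready to be committed and passed to istioctl manifest apply with -f.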
When you enable optional features:

- Make sure the feature that you enable is supported.
- Specify the applicable configuration profile for your platform:
  - For Google Kubernetes Engine, use --set profile=asm
  - For GKE on VMware, use --set profile=asm-onprem
- For GKE, prepare the istio-operator.yaml file as described in Preparing resource configuration files, and specify both the istio-operator.yaml file and your YAML file with the optional features on the command line when you run istioctl manifest apply.
The following YAML enables each optional, supported feature.

mTLS STRICT mode:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      mtls:
        enabled: true
```

Direct Envoy access logs to stdout:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      proxy:
        accessLogFile: "/dev/stdout"
```

For more information, see Enable Envoy's access logging.

Cloud Trace:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  addonComponents:
    tracing:
      enabled: true
  values:
    global:
      proxy:
        tracer: "stackdriver"
```

Egress via egress gateways:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
```

For more information, see Gateway.

Istio Container Network Interface (CNI). For GKE:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    cni:
      cniBinDir: /home/kubernetes/bin
      excludeNamespaces:
      - istio-system
      - kube-system
```

For GKE on VMware, add:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    cni:
      cniBinDir: /opt/cni/bin
      excludeNamespaces:
      - istio-system
      - kube-system
      - gke-system
```

You also need to enable a network policy.

Enable an internal load balancer. For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway. Internal load balancers aren't supported for GKE on VMware. For information on configuring GKE on VMware, see Setting up your load balancer for GKE on VMware.

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: empty
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        serviceAnnotations:
          cloud.google.com/load-balancer-type: "internal"
        service:
          ports:
          - name: status-port
            port: 15020
          - name: http2
            port: 80
          - name: https
            port: 443
```