You are viewing documentation for Anthos Service Mesh 1.9. View the latest documentation or select another available version:

Configuring the Google-managed control plane


Anthos Service Mesh Google-managed control plane is a Google Cloud managed service that you only need to configure, while Google handles its reliability, upgrades, scaling and security for you in a backward-compatible manner. This guide explains how to set up or migrate applications to Google-managed control plane in a single or multi-cluster configuration.

You can use a single Google-managed control plane for multiple GKE clusters in a single Google Cloud project.

To learn about the supported features and limitations of Anthos Service Mesh managed control plane, see Anthos Service Mesh Google-managed control plane supported features.


This guide assumes that you have:

If Workload Identity isn't enabled, you can enable it by using the following command:

gcloud container clusters update CLUSTER_NAME \
    --zone LOCATION \

Download the installation script

  1. Download the latest version of the script that installs Anthos Service Mesh 1.9.8 to the current working directory:

    curl > install_asm
  2. Download the SHA-256 of the file to the current working directory:

    curl > install_asm.sha256
  3. With both files in the same directory, verify the download:

    sha256sum -c --ignore-missing install_asm.sha256

    If the verification is successful, the command outputs: install_asm: OK

    For compatibility, the install_asm.sha256 file includes the checksum twice to allow any version of the script to be renamed to install_asm. If you get an error that --ignore-missing does not exist, rerun the previous command without the --ignore-missing flag.

  4. Make the script executable:

    chmod +x install_asm

Configure each cluster

Use the following steps to configure the Google-managed control plane for each cluster in your mesh.

Get cluster credentials

Retrieve the appropriate credentials. The following command will also point the kubectl context to the target cluster.

gcloud container clusters get-credentials  CLUSTER_NAME \
    --zone LOCATION \
    --project PROJECT_ID

Apply the Google-managed control plane

Run the installation script for each cluster that will use the Google-managed control plane:

If you do not require Istio Container Network Interface (CNI), omit the --option cni-managed flag on the install_asm command shown in the following example. CNI is an option for Google-managed control plane to configure Istio interception and low level networking using the CNCF CNI interface instead of using high-privilege init container.

./install_asm --mode install --managed \
    -p PROJECT_ID \
    -l LOCATION \
    --verbose \
    --output_dir CLUSTER_NAME \
    --enable-all \
    --option cni-managed

The script will download to the specified --output_dir all the files for configuring the managed control plane, installing an Istio Gateway, along with the istioctl tool and sample applications.

Install Istio Gateways (optional)

Optionally, you can install one or more Istio Gateways in your cluster to handle typical ingress traffic, by using the following steps:

  1. Choose one of these two options to set up the namespace where you will deploy the gateway in later steps.

    • Enable the namespace for injection:
      kubectl label namespace GATEWAY_NAMESPACE istio-injection- --overwrite


    • Enable injection only for the gateway pod, but not all pods in the namespace. This command removes all injection labels and later you will enable injection on the pod itself:
      kubectl label namespace GATEWAY_NAMESPACE istio-injection-
  2. Create a Deployment and Service for the gateway, by using the following minimal example:

    kubectl apply -f - << EOF
    apiVersion: v1
    kind: Service
      name: istio-ingressgateway
      namespace: GATEWAY_NAMESPACE
      type: LoadBalancer
        istio: ingressgateway
      - port: 80
        name: http
      - port: 443
        name: https
    apiVersion: apps/v1
    kind: Deployment
      name: istio-ingressgateway
      namespace: GATEWAY_NAMESPACE
          istio: ingressgateway
            # This is required to tell Anthos Service Mesh to inject the gateway with the
            # required configuration.
            istio: ingressgateway
   asm-managed # This is required only if the namespace is not labeled.
          - name: istio-proxy
            image: auto # The image will automatically update each time the pod starts.
    kind: Role
      name: istio-ingressgateway-sds
      namespace: GATEWAY_NAMESPACE
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get", "watch", "list"]
    kind: RoleBinding
      name: istio-ingressgateway-sds
      namespace: GATEWAY_NAMESPACE
      kind: Role
      name: istio-ingressgateway-sds
    - kind: ServiceAccount
      name: default
  3. After you create the deployment, verify that the new services are working correctly:

    kubectl get pod,service -n GATEWAY_NAMESPACE

    Verify the output similar to the following:

    NAME                                      READY   STATUS    RESTARTS   AGE
    pod/istio-ingressgateway-856b7c77-bdb77   1/1     Running   0          3s
    NAME                           TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)        AGE
    service/istio-ingressgateway   LoadBalancer      80:31904/TCP   3s

Configure endpoint discovery (only for multi-cluster installations)

Anthos Service Mesh managed control plane supports a single-project, single-network, multi-primary configuration, with the difference that the control plane is not installed in the cluster. A multi-primary configuration means that each cluster is configured with secrets to all other clusters, which allows each cluster to discover endpoints from all the other clusters.

Before you continue, you should have already run the install script on each cluster as described in the previous steps. There is no need to indicate that a cluster is a primary cluster, this is the default behavior.

For every cluster, enable endpoints discovery by running the following commands once for every other cluster i=1..N in the mesh:

  1. For every cluster, ensure the kubectl config context points to the current cluster:

  2. Enable endpoints discovery by running the following commands once for every other cluster i=1..N in the mesh:

    ./bin/istioctl x create-remote-secret --context=${CTX_i} --name=CLUSTER_NAME_i | \
      kubectl apply -f - --context=${CTX}
  3. Verify the secret has been created by running the command:

    kubectl get secret istio-remote-secret-CLUSTER_NAME_i -n istio-system

    Verify the expected output:

    NAME                                   TYPE     DATA   AGE
    istio-remote-secret-CLUSTER_NAME_i   Opaque   1      44s
  4. If the current cluster is added to an existing multi-cluster mesh, let all the other clusters discover its endpoints by creating a secret corresponding to the current cluster in all the other clusters:

    ./bin/istioctl x create-remote-secret --context=${CTX} --name=CLUSTER_NAME | \
      kubectl apply -f - --context=${CTX_i}
  5. In addition, you can verify the secret for the other cluster also:

    kubectl get secret istio-remote-secret-CLUSTER_NAME -n istio-system --context ${CTX_i}

    Verify the expected output:

    NAME                            TYPE     DATA   AGE
    istio-remote-secret-CLUSTER_NAME   Opaque   1      44s

For more details and an example with two clusters, see enable endpoint discovery.

Deploy applications

Before you deploy applications, remove any previous istio-injection labels from their namespaces, and set the label instead:

kubectl label namespace NAMESPACE istio-injection- --overwrite

At this point, you have successfully configured Anthos Service Mesh managed control plane. You are now ready to deploy your applications or you can deploy the Bookinfo sample application.

If you deploy an application in a multi-cluster setup, replicate the Kubernetes and control plane configuration in all clusters, unless you plan to limit that particular config to a subset of clusters. The configuration applied to a particular cluster is the source of truth for that cluster. In addition, if the cluster also runs Anthos Service Mesh 1.7, 1.8 or higher with Mesh CA in other namespaces, verify the application can communicate with the other applications controlled by the in-cluster control plane.

Verify control plane metrics

To verify that your configuration works correctly:

  1. In the Cloud Console, view the control plane metrics:

    Go to Metrics Explorer

  2. Choose your workspace and add a custom query using the following parameters:

    • Resource type: Kubernetes Container
    • Metric: Proxy Clients
    • Filter: container_name="cr-asm-managed"
    • Group By: revision label and proxy_version label
    • Aggregator sum
    • Period: 1 minute

    When you run Anthos Service Mesh with both a Google-managed and an in-cluster control plane, you can tell the metrics apart by their container name. For example, managed metrics have container_name="cr-asm-managed", while unmanaged metrics have container_name="discovery". To display metrics from both, remove the Filter on container_name="cr-asm-managed".

  3. Verify the control plane version and proxy version by inspecting the following fields in Metrics Explorer:

    • The revision field indicates the control plane version.
    • The proxy_version field indicates the proxy_version.
    • The value field indicates the number of connected proxies.

Migrate applications to Google-managed control plane

The Anthos Service Mesh Google-managed control plane only supports migration from Anthos Service Mesh 1.9 that uses Mesh CA.

To migrate to Google-managed control plane, perform the following steps:

  1. Run the script as indicated in the Install the control plane section.

  2. Replace the current namespace label with the label:

    kubectl label namespace NAMESPACE istio-injection- \
  3. Perform a rolling upgrade of deployments in the namespace:

    kubectl rollout restart deployment -n NAMESPACE
  4. Test your application to verify that the workloads function correctly.

  5. If you have workloads in other namespaces, repeat the previous steps for each namespace.

  6. If you deployed the application in a multi-cluster setup, replicate the Kubernetes and Istio configuration in all clusters, unless there is a desire to limit that configuration to a subset of clusters only. The configuration applied to a particular cluster is the source of truth for that cluster.

  7. Check that the metrics appear as expected by following the steps in Verify control plane metrics.

A cluster can have a mix of revisions, for example Anthos Service Mesh 1.7 and 1.8, and in-cluster control plane together. You can mix namespaces using different Anthos Service Mesh control plane revisions indefinitely.

If you are satisfied that your application works as expected, you can remove the in-cluster istiod after you switch all namespaces to the in-cluster control plane, or keep them as a backup - istiod will automatically scale down to use fewer resources. To remove, skip to Delete old control plane.

If you encounter problems, you can identify and resolve them by using the information in Resolving managed control plane issues and if necessary, roll back to the previous version.

Delete old control plane

After you install and confirm that all namespaces use the Google-managed control plane, you can delete the old control plane.

kubectl delete Service,Deployment,HorizontalPodAutoscaler,PodDisruptionBudget istiod -n istio-system --ignore-not-found=true

If you used istioctl kube-inject instead of automatic injection, or if you installed additional gateways, check the metrics for the control plane, and verify that the number of connected endpoints is zero.

Roll back

Perform the following steps if you need to roll back to the previous control plane version:

  1. Update workloads to be injected with the previous version of the control plane. In the following command, the revision value asm-191-1 is used only as an example. Replace the example value with the revision label of your previous control plane.

    kubectl label namespace NAMESPACE istio-injection- --overwrite
  2. Restart the Pods to trigger re-injection so the proxies have the previous version:

    kubectl rollout restart deployment -n NAMESPACE

The managed control plane will automatically scale to zero and not use any resource when not in use. The mutating webhooks and provisioning will remain and do not affect cluster behavior.

The gateway is now set to the asm-managed revision. To roll back, re-run the Anthos Service Mesh install command, which will re-deploy gateway pointing back to your in-cluster control plane:

kubectl -n istio-system rollout undo deploy istio-ingressgateway

Expect this output on success:

deployment.apps/istio-ingressgateway rolled back

Migrate a gateway to Google-managed control plane

  1. Create a Kubernetes deployment for the new version of the gateway by using the documentation. You must configure the existing Kubernetes Gateway service to select both the old and the new version, by using the selector field in the service configuration.

  2. Using these kubectl scale, command, gradually scale up the new deployment, while you also scale down the old deployment and check for signs of any service interruption/downtime. If the migration is successful, you should reach zero old instances while experiencing no service interruption.


Google-managed control plane will auto-scale to zero when no namespaces are using it, therefore no uninstallation is required.


To identify and resolve problems when using managed control plane, see Resolving managed control plane issues.

What's next?