This page describes features that are supported in Anthos Service Mesh 1.9.8 with an in-cluster control plane. To see the supported features for Anthos Service Mesh 1.9.8 with a Google-managed control plane instead, see Google-managed control plane.
For the supported features in previous versions of Anthos Service Mesh, see the archive documentation:
- 1.8 Supported features
- 1.7 Supported features
- 1.6 Supported features
- 1.5 Supported features
- 1.4 Supported features
Supported versions
Support for Anthos Service Mesh follows the Anthos Version Support Policy. Google supports the current and previous two (n-2) minor versions of Anthos Service Mesh. The following table shows the supported versions of Anthos Service Mesh and the earliest end-of-life (EOL) date for a version.
Release version | Release date | Earliest EOL date |
---|---|---|
1.14 | July 20, 2022 | April 20, 2023 |
1.13 | March 30, 2022 | December 30, 2022 |
1.12 | December 9, 2021 | September 9, 2022 |
If you are on an unsupported version of Anthos Service Mesh, then you must upgrade to Anthos Service Mesh v1.12 or later. For information on how to upgrade, see Upgrade Anthos Service Mesh.
The following table shows the unsupported versions of Anthos Service Mesh and their end-of-life (EOL) date.
Release version | Release date | EOL date |
---|---|---|
1.11 | October 6, 2021 | Unsupported (July 20, 2022) |
1.10 | June 24, 2021 | Unsupported (March 30, 2022) |
1.9 | March 4, 2021 | Unsupported (December 14, 2021) |
1.8 | December 15, 2020 | Unsupported (December 14, 2021) |
1.7 | November 3, 2020 | Unsupported (December 14, 2021) |
1.6 | June 30, 2020 | Unsupported (March 30, 2021) |
1.5 | May 20, 2020 | Unsupported (February 17, 2021) |
1.4 | December 20, 2019 | Unsupported (September 18, 2020) |
For more information about our support policies, refer to Getting support.
Platform differences
The supported features differ between the supported platforms and whether the GKE on Google Cloud clusters are in the same project or in different projects. In the following tables, any feature with the icon indicates that the feature is enabled by default. Supported optional indicates that the feature is supported for the platform and can be enabled, as described in Enabling optional features.
The default and optional features are fully supported by Google Cloud Support. Features not explicitly listed in the tables receive best-effort support. Any feature with the icon indicates either the feature isn't available or it isn't supported. The Other Anthos clusters columns refer to clusters that are not GKE clusters on Google Cloud, for example Anthos clusters on VMware, bare metal, etc.
For information on installing Anthos Service Mesh on Anthos on bare metal, contact Cloud Support.
Install/upgrade/downgrades
Installations, upgrades, and downgrades of Anthos Service Mesh must be done using istioctl install. The other methods of installing Istio are unsupported.
Using the install_asm script
The install_asm script calls istioctl install. For more information about the install_asm script, see Installation, migration, and upgrade on GKE.
Feature | GKE clusters on Google Cloud same project | GKE clusters on Google Cloud different projects | Other Anthos clusters |
---|---|---|---|
New installations | |||
Upgrades | |||
Migration from Istio | |||
Enabling optional features |
Using istioctl install
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
New installations | ||
Upgrades | ||
Migration from Istio | ||
Enabling optional features |
To migrate from the 1.6 version of the Istio on GKE add-on, follow the steps in Upgrade to Istio 1.6 with Operator to upgrade to Anthos Service Mesh 1.7.
Security
Certificate distribution/rotation mechanisms
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
workload certificate management using Envoy SDS | ||
external certificate management on ingress gateway using Envoy SDS | Supported optional |
Certificate authority (CA) support
Feature | GKE clusters on Google Cloud same project | GKE clusters on Google Cloud different projects | Other Anthos clusters |
---|---|---|---|
Anthos Service Mesh certificate authority (Mesh CA) | |||
Certificate Authority Service (preview) | |||
Istio CA (previously known as Citadel) | |||
Integration with custom CAs |
Authorization policy
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
Authorization v1beta1 policy |
Authentication policy
Peer authentication
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
Auto-mTLS | ||
mTLS PERMISSIVE mode | ||
mTLS STRICT mode | Supported optional | Supported optional |
Request authentication
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
JWT authentication |
Telemetry
Metrics
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
Cloud Monitoring (HTTP in-proxy metrics) | ||
Cloud Monitoring (TCP in-proxy metrics) | ||
Mesh telemetry (in-proxy edge data) | ||
Prometheus metrics export to customer-installed Prometheus, Grafana, and Kiali dashboards | Compatible | Compatible |
Custom adapters/backends, in or out of process | ||
Arbitrary telemetry and logging backends |
The integration between Anthos Service Mesh and the third-party telemetry products is supported.
Access logging
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
Cloud Logging | ||
Direct Envoy to stdout | Supported optional | Supported optional |
Tracing
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
Cloud Trace | Supported optional | |
Jaeger tracing (allows use of customer-managed Jaeger) | Compatible | Compatible |
Zipkin tracing (allows use of customer-managed Zipkin) | Compatible | Compatible |
The integration between Anthos Service Mesh and the third-party telemetry products is supported.
Policy
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
Policy checks |
Networking
Traffic interception/redirection mechanism
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
Traditional use of iptables using init containers with CAP_NET_ADMIN | ||
Istio Container Network Interface (CNI) | Supported optional | Supported optional |
Whitebox sidecar |
Protocol support
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
IPv4 | ||
HTTP/1.1 | ||
HTTP/2 | ||
TCP byte streams (Note 1) | ||
gRPC | ||
IPv6 |
Notes:
- Although TCP is a supported protocol for networking, TCP metrics aren't collected or reported. Metrics are displayed only for HTTP services in the console.
- Services that are configured with Layer 7 capabilities for the following protocols are not supported: WebSocket, MongoDB, Redis, Kafka, Cassandra, RabbitMQ, Cloud SQL. You might be able to make the protocol work by using TCP byte stream support. If TCP byte stream cannot support the protocol (for example, Kafka sends a redirect address in a protocol-specific reply and this redirect is incompatible with Anthos Service Mesh's routing logic), then the protocol isn't supported.
Envoy deployments
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
Sidecars | ||
Ingress gateway | ||
Egress directly out from sidecars | ||
Egress using egress gateways | Supported optional | Supported optional |
CRD support
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
Sidecar resource | ||
Service entry resource | ||
Percentage, fault injection, path matching, redirects, retries, rewriting, timeout, retry, mirroring, header manipulation, and CORS routing rules | ||
custom Envoy filters |
Load balancer for the Istio ingress gateway
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
Public load balancer | ||
Google Cloud Internal load balancer | Supported optional | Not supported. See the links below. |
For information on configuring load balancers, see the following:
- Setting up your load balancer for Anthos clusters on VMware
- Anthos clusters on AWS: Creating a load balancer
Load balancing policies
Feature | GKE clusters on Google Cloud | Other Anthos clusters |
---|---|---|
round robin | ||
least connections | ||
random | ||
passthrough | ||
Consistent Hash | ||
locality-weighted |
Multi-cluster support
For multi-primary deployments of GKE clusters in different projects, all the clusters must be in a shared Virtual Private Cloud (VPC).
Network
Feature | GKE clusters on Google Cloud | Anthos clusters on-premises | Other Anthos clusters |
---|---|---|---|
Single network | |||
Multi-network |
Deployment model
Feature | GKE clusters on Google Cloud | Anthos clusters on-premises | Other Anthos clusters |
---|---|---|---|
Multi-primary | |||
Primary-remote |
Notes on terminology
A primary cluster is a cluster with a control plane. A single mesh can have more than one primary cluster for high availability or to reduce latency. In the Istio 1.7 documentation, a multi-primary deployment is referred to as a replicated control plane.
A remote cluster is a cluster that connects to a control plane residing outside of the cluster. A remote cluster can connect to a control plane running in a primary cluster or to an external control plane.
Anthos Service Mesh uses a simplified definition of network based on general connectivity. Workload instances are on the same network if they are able to communicate directly, without a gateway.
User interface
Feature | GKE clusters on Google Cloud same project | GKE clusters on Google Cloud different projects | Other Anthos clusters |
---|---|---|---|
Anthos Service Mesh dashboards in the console | |||
Cloud Monitoring | |||
Cloud Logging | |||
Cloud Trace |
Installation of the Zipkin and Kiali addon components can no longer be done using istioctl install. If you enable metrics export to Prometheus, you can install your own instance of Grafana and Kiali. The integration between Anthos Service Mesh and the third-party telemetry add-ons is supported.
Supported platforms
Only the following environments are supported with Anthos Service Mesh 1.9.8. All other environments are unsupported.
Platform | Version |
---|---|
GKE on Google Cloud | We recommend that you enroll GKE clusters on Google Cloud in a release channel. When enrolling, use the Regular release channel because other channels might be based on a GKE version that isn't supported. Anthos Service Mesh 1.9.8 supports the following GKE versions: 1.15, 1.16, 1.17, and 1.18. Note that GKE version 1.14 is not supported with Anthos Service Mesh 1.9.8. For more information about the GKE versions included in each release channel see the following: The GKE cluster must be Standard, because Autopilot clusters have Webhooks limitations that don't allow the |
Anthos clusters on VMware 1.7 | Kubernetes version 1.19 |
Anthos on bare metal 1.7 | Kubernetes version 1.19 |
Anthos clusters on AWS 1.7 | Kubernetes version 1.19 |
Anthos attached clusters | Anthos Service Mesh 1.9.8-asm.6 hasn't been qualified on Anthos attached clusters (Amazon EKS and Microsoft AKS) and is unsupported. These platforms were qualified and are fully supported on Anthos Service Mesh 1.7 with Kubernetes 1.17. If you have Anthos Service Mesh 1.7 installed on these platforms, don't upgrade to Anthos Service Mesh 1.9.8-asm.6. See Installing Anthos Service Mesh 1.7 on Anthos attached clusters for details. |