Using Anthos Service Mesh

You are currently viewing version 1.8 of the Apigee hybrid documentation. This version is end of life. You should upgrade to a newer version. For more information, see Supported versions.

Starting with Apigee hybrid version 1.8, Apigee hybrid uses Apigee ingress gateway to provide an ingress gateway for your hybrid installation. If you prefer to use Anthos Service Mesh for ingress, follow these steps to install Anthos Service Mesh in your cluster.

Supported Anthos Service Mesh versions

See Apigee hybrid: supported platforms for the Anthos Service Mesh versions supported in hybrid version 1.8.

If you are upgrading your hybrid installation, follow the instructions in Upgrade Anthos Service Mesh.

Install Anthos Service Mesh

Perform these steps on a fresh Apigee hybrid installation only if you are not using Apigee ingress gateway.

Perform the procedures using the Anthos Service Mesh documentation appropriate for your platform:

The instructions to install and configure Anthos Service Mesh are different depending on your platform. The platforms are divided into the following categories:

  • GKE: Google Kubernetes Engine clusters running on Google Cloud.
  • Outside Google Cloud: Anthos clusters running on:
    • Anthos clusters on VMware (GKE on-prem)
    • Anthos on bare metal
    • Anthos clusters on AWS
    • Amazon EKS
  • Other Kubernetes Platforms: Conformant clusters created and running on:
    • AKS
    • EKS
    • OpenShift

GKE

The sequence for installing Anthos Service Mesh is as follows:

  1. Prepare for the installation.
  2. Install the new version of Anthos Service Mesh.

Prepare to install Anthos Service Mesh

  1. Review the requirements in Upgrade Anthos Service Mesh, but do not perform the upgrade yet.
  2. Create a new overlay.yaml file or verify that your existing overlay.yaml contains the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      components:
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            nodeSelector:
              # default node selector, if different or not using node selectors, change accordingly.
              cloud.google.com/gke-nodepool: apigee-runtime
            resources:
              requests:
                cpu: 1000m
            service:
              type: LoadBalancer
              loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
              ports:
              - name: http-status-port
                port: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
      meshConfig:
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
  3. Follow the instructions in the following sections in the Anthos Service Mesh documentation:
    Important: Make sure to follow the instructions to upgrade Anthos Service Mesh with optional features, and to include your overlay.yaml.
    1. Download asmcli
    2. Grant cluster admin permissions
    3. Validate project and cluster
    4. Upgrade with optional features. Stop before starting the "Upgrade Gateways" section.

Outside Google Cloud

These instructions cover upgrading Anthos Service Mesh on:

  • Anthos clusters on VMware (GKE on-prem)
  • Anthos on bare metal
  • Anthos clusters on AWS
  • Amazon EKS

The sequence for installing Anthos Service Mesh is as follows:

  1. Prepare for the installation.
  2. Install the new version of Anthos Service Mesh.

Prepare to install Anthos Service Mesh

  1. Review the requirements in Upgrade Anthos Service Mesh, but do not perform the upgrade yet.
  2. Create a new overlay.yaml file or verify that your existing overlay.yaml contains the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      components:
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            nodeSelector:
              # default node selector, if different or not using node selectors, change accordingly.
              cloud.google.com/gke-nodepool: apigee-runtime
            resources:
              requests:
                cpu: 1000m
            service:
              type: LoadBalancer
              loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
              ports:
              - name: http-status-port
                port: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
      values:
        gateways:
          istio-ingressgateway:
            runAsRoot: true
      meshConfig:
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
  3. Follow the instructions in the following sections in the Anthos Service Mesh documentation:
    Important: Make sure to follow the instructions to upgrade Anthos Service Mesh with optional features, and to include your overlay.yaml.
    1. Download asmcli
    2. Grant cluster admin permissions
    3. Validate project and cluster
    4. Upgrade with optional features. Stop before starting the "Upgrade Gateways" section.

AKS / EKS

Preparing to install Anthos Service Mesh

    Linux

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-linux-amd64.tar.gz
  2. Download the signature file and use OpenSSL to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature 1.17.8-asm.4-distroless-linux-amd64.tar.gz.1.sig 1.17.8-asm.4-distroless-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf 1.17.8-asm.4-distroless-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd 1.17.8-asm.4-distroless
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH

    Mac OS

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-osx.tar.gz
  2. Download the signature file and use OpenSSL to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature 1.17.8-asm.4-distroless-osx.tar.gz.1.sig 1.17.8-asm.4-distroless-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf 1.17.8-asm.4-distroless-osx.tar.gz

    The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd 1.17.8-asm.4-distroless
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH

    Windows

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-win.zip
  2. Download the signature file and use OpenSSL to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-win.zip.1.sig
    openssl dgst -verify - -signature 1.17.8-asm.4-distroless-win.zip.1.sig 1.17.8-asm.4-distroless-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf 1.17.8-asm.4-distroless-win.zip

    The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd 1.17.8-asm.4-distroless
  5. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin;%PATH%

  6. Now that Anthos Service Mesh Istio is installed, check the version of istioctl:
    istioctl version
  7. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system

Installing Anthos Service Mesh

  1. Edit your overlay.yaml file or create a new one with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      meshConfig:
        accessLogFile: /dev/stdout
        enableTracing: true
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
      components:
        ingressGateways:
        - name: istio-ingressgateway
          enabled: true
          k8s:
            service:
              type: LoadBalancer
              ports:
              - name: status-port
                port: 15021
                targetPort: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443
  2. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-1178-1" \
        --filename overlay.yaml

    Your output should look something like:

    kubectl get pods -n istio-system
    NAME                                   READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
    istiod-asm-1178-1-798ffb964-2ls88      1/1     Running   0          3m21s
    istiod-asm-1178-1-798ffb964-fnj8c      1/1     Running   1          3m21s

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1178-1 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  3. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1178-1      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
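
The accessLogFormat in overlay.yaml writes one JSON-shaped line per request to /dev/stdout. The following added example (not part of the Apigee or Anthos Service Mesh documentation) reviews such lines using the format's own field names; the trusted proxy range, the finding names and every sample line are constructed assumptions.

```python
import ipaddress
import json

# Assumption: address ranges of proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
WEAK_TLS = {"TLSv1", "TLSv1.1"}
UNSET = "-"  # placeholder Envoy writes when a field has no value


def host_only(value):
    """Strip an optional :port from a hostname, IPv4 or [IPv6] value."""
    if value.startswith("["):
        return value[1:value.find("]")]
    if value.count(":") == 1:
        return value.rsplit(":", 1)[0]
    return value


def review_line(line):
    """Return the list of finding names for one access-log line."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable"]  # report it, never drop it silently
    if not isinstance(rec, dict):
        return ["unparseable"]

    def field(name):
        return str(rec.get(name, UNSET))

    findings = []
    tls, sni = field("tls_protocol"), field("sni_host").lower()
    if tls in WEAK_TLS:
        findings.append("weak_tls")
    # sni_host comes from the TLS handshake, host from the HTTP :authority.
    if tls != UNSET and sni != UNSET and sni != host_only(field("host")).lower():
        findings.append("sni_host_mismatch")
    # remote_address is the direct TCP peer; x_forwarded_for is a request header.
    if field("x_forwarded_for") != UNSET:
        try:
            peer = ipaddress.ip_address(host_only(field("remote_address")))
        except ValueError:
            findings.append("bad_remote_address")
        else:
            if not any(peer in net for net in TRUSTED_PROXIES):
                findings.append("xff_from_untrusted_peer")
    return findings


def review(lines):
    """Map 1-based line number -> findings, for lines that have any."""
    report = {}
    for number, line in enumerate(lines, start=1):
        findings = review_line(line)
        if findings:
            report[number] = findings
    return report


def sample(**overrides):
    """Build one constructed log line using field names from the format."""
    record = {
        "remote_address": "10.1.2.3:40112", "host": "api.example.com",
        "status": "200", "x_forwarded_for": UNSET, "tls_protocol": "TLSv1.3",
        "request_id": "constructed-id", "sni_host": "api.example.com",
        "user_agent": "curl/8.0",
    }
    record.update(overrides)
    return json.dumps(record)


# Constructed sample input, not captured traffic.
SAMPLE_LINES = [
    sample(),
    sample(tls_protocol="TLSv1.1"),
    sample(host="internal.example.com:443"),
    sample(remote_address="203.0.113.7:51234", x_forwarded_for="198.51.100.9"),
    sample(x_forwarded_for="198.51.100.9"),
    '{"user_agent":"agent "with" quotes","status":"200"}',
]

if __name__ == "__main__":
    for number, findings in review(SAMPLE_LINES).items():
        print(number, findings)
```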

OpenShift

Preparing to install Anthos Service Mesh

  1. Before installing the new version, determine the current revision. You will need this information to delete the validating webhook and mutating webhook from your current Anthos Service Mesh installation. Use the following command to store the current istiod revision to an environment variable:
    export DELETE_REV=$(kubectl get deploy -n istio-system -l app=istiod -o jsonpath={.items[*].metadata.labels.'istio\.io\/rev'}'{"\n"}')
    echo $DELETE_REV

    Your output should look something like 1.16

    Note: If the command returns multiple values, set the value of DELETE_REV to the oldest version and follow the procedure to delete the oldest version, then repeat the process until you have deleted all versions.
    Linux

  2. Grant the anyuid security context constraint (SCC) to the istio-system service accounts with the following OpenShift CLI (oc) command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  3. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-linux-amd64.tar.gz
  4. Download the signature file and use OpenSSL to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature 1.17.8-asm.4-distroless-linux-amd64.tar.gz.1.sig 1.17.8-asm.4-distroless-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  5. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf 1.17.8-asm.4-distroless-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  6. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd 1.17.8-asm.4-distroless
  7. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH

    Mac OS

  2. Grant the anyuid security context constraint (SCC) to the istio-system service accounts with the following OpenShift CLI (oc) command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  3. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-osx.tar.gz
  4. Download the signature file and use OpenSSL to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature 1.17.8-asm.4-distroless-osx.tar.gz.1.sig 1.17.8-asm.4-distroless-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  5. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf 1.17.8-asm.4-distroless-osx.tar.gz

    The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  6. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd 1.17.8-asm.4-distroless
  7. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH

    Windows

  2. Grant the anyuid security context constraint (SCC) to the istio-system service accounts with the following OpenShift CLI (oc) command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  3. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-win.zip
  4. Download the signature file and use OpenSSL to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/1.17.8-asm.4-distroless-win.zip.1.sig
    openssl dgst -verify - -signature 1.17.8-asm.4-distroless-win.zip.1.sig 1.17.8-asm.4-distroless-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
  5. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf 1.17.8-asm.4-distroless-win.zip

    The command creates an installation directory in your current working directory named 1.17.8-asm.4-distroless that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  6. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd 1.17.8-asm.4-distroless
  7. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin;%PATH%

  8. Now that Anthos Service Mesh Istio is installed, check the version of istioctl:
    istioctl version
  9. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system

Configure the validating webhook

When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.

  1. Create a file called istiod-service.yaml with the following contents:
    apiVersion: v1
    kind: Service
    metadata:
      name: istiod
      namespace: istio-system
      labels:
        istio.io/rev: asm-1178-1
        app: istiod
        istio: pilot
        release: istio
    spec:
      ports:
        - port: 15010
          name: grpc-xds # plaintext
          protocol: TCP
        - port: 15012
          name: https-dns # mTLS with k8s-signed cert
          protocol: TCP
        - port: 443
          name: https-webhook # validation and injection
          targetPort: 15017
          protocol: TCP
        - port: 15014
          name: http-monitoring # prometheus stats
          protocol: TCP
      selector:
        app: istiod
        istio.io/rev: asm-1178-1
    meshConfig:
      accessLogFormat:
        '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
  2. Use kubectl to apply the validating webhook configuration:
    kubectl apply -f istiod-service.yaml
  3. Verify that the configuration was applied:
    kubectl get svc -n istio-system

    The response should look similar to:

    NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
    istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s

Installing Anthos Service Mesh

  1. Edit your overlay.yaml file or create a new one with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      meshConfig:
        accessLogFile: /dev/stdout
        enableTracing: true
        accessLogFormat:
          '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              service:
                type: LoadBalancer
                ports:
                - name: status-port
                  port: 15021
                  targetPort: 15021
                - name: http2
                  port: 80
                  targetPort: 8080
                - name: https
                  port: 443
                  targetPort: 8443
  2. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-1178-1" \
        --filename overlay.yaml

    Your output should look something like:

    kubectl get pods -n istio-system
    NAME                                   READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
    istiod-asm-1178-1-798ffb964-2ls88      1/1     Running   0          3m21s
    istiod-asm-1178-1-798ffb964-fnj8c      1/1     Running   1          3m21s

    The --set revision argument adds a revision label in the format istio.io/rev=asm-1178-1 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  3. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-1178-1      ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
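
Sidecar injection depends on each namespace carrying the same istio.io/rev value as a running istiod, as described for --set revision in both install procedures above. This added example (not from the Apigee or Anthos Service Mesh documentation) classifies namespaces from the JSON that kubectl get ... -o json returns; the function names are hypothetical and the namespace names and JSON documents are constructed.

```python
REV_LABEL = "istio.io/rev"
LEGACY_LABEL = "istio-injection"
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease", "istio-system"}


def istiod_revisions(deploy_list):
    """Revision labels found on istiod Deployments.

    Input: parsed `kubectl get deploy -n istio-system -l app=istiod -o json`.
    """
    revisions = set()
    for item in deploy_list.get("items", []):
        rev = (item["metadata"].get("labels") or {}).get(REV_LABEL)
        if rev:
            revisions.add(rev)
    return revisions


def classify_namespaces(deploy_list, namespace_list):
    """Map namespace name -> injection state.

    Input: the istiod Deployment list above and parsed
    `kubectl get namespaces -o json`.
    """
    revisions = istiod_revisions(deploy_list)
    states = {}
    for item in namespace_list.get("items", []):
        name = item["metadata"]["name"]
        if name in SYSTEM_NAMESPACES:
            continue
        labels = item["metadata"].get("labels") or {}
        rev = labels.get(REV_LABEL)
        if rev is None:
            states[name] = "unlabeled"           # no revision label at all
        elif LEGACY_LABEL in labels:
            # Istio gives istio-injection precedence over istio.io/rev.
            states[name] = "conflicting-labels"
        elif rev in revisions:
            states[name] = "ok"
        else:
            states[name] = "no-matching-istiod"  # label names a revision that is not deployed
    return states


def needs_attention(states):
    """Namespaces whose workloads may be running without the expected sidecar."""
    return sorted(name for name, state in states.items() if state != "ok")


# Constructed sample input, shaped like kubectl's JSON list output.
SAMPLE_DEPLOYS = {"items": [
    {"metadata": {"name": "istiod-asm-1178-1",
                  "labels": {"app": "istiod", REV_LABEL: "asm-1178-1"}}},
]}
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "istio-system"}},
    {"metadata": {"name": "orders", "labels": {REV_LABEL: "asm-1178-1"}}},
    {"metadata": {"name": "payments", "labels": {REV_LABEL: "1.16"}}},
    {"metadata": {"name": "reports",
                  "labels": {REV_LABEL: "asm-1178-1", LEGACY_LABEL: "enabled"}}},
    {"metadata": {"name": "default"}},
]}

if __name__ == "__main__":
    result = classify_namespaces(SAMPLE_DEPLOYS, SAMPLE_NAMESPACES)
    for name in needs_attention(result):
        print(name, result[name])
```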

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.