Enable optional features on an in-cluster control plane
This page describes how to enable optional features on Cloud Service Mesh with an in-cluster control plane.
When you install in-cluster Cloud Service Mesh, the features that are enabled by default differ by platform. You can override the default configuration and enable an optional feature by including an overlay file when you install (or upgrade) Cloud Service Mesh. An overlay file is a YAML file containing an IstioOperator custom resource (CR) that you use to configure the control plane. Specify one feature per overlay file. You can layer on more overlays, and each overlay file overrides the configuration on the previous layers.
asmcli install overwrites the existing control plane configuration. When you enable optional features on an existing installation, make sure to specify all files that you want to keep from the original configuration, as well as the overlay files for the features that you want to enable. We recommend that you store the overlay files that you use for installation in source control so that you can apply the same configurations to your control plane with upgrades or when enabling additional optional features. This ensures no downtime when enabling optional features.

About the overlay files
The overlay files on this page are in the anthos-service-mesh package in GitHub. These files contain common customizations to the default configuration. You can use these files as they are, or you can make additional changes to them as needed.
When you install Cloud Service Mesh using the asmcli script, you can specify one or more overlay files with the --option or the --custom_overlay options. If you don't need to make any changes to the files in the anthos-service-mesh repository, you can use --option, and the script fetches the file from GitHub for you. Otherwise, you can make changes to the overlay file, and then use the --custom_overlay option to pass it to asmcli.
Include only one IstioOperator CR in an overlay file, because istioctl install only applies the first CR that it finds in the file. Don't include multiple CRs in one overlay file; create separate overlay files for each CR.
How to enable optional features
The following examples are simplified to show only using the custom overlays to enable optional features. Replace OTHER_FLAGS with the required installation flags.
The asmcli install command provides two ways to enable an optional feature. The method that you use depends on whether you need to make changes to the overlay file.
Use --option when you don't need to make any changes to the overlay file. With --option, asmcli fetches the file from the GitHub repository for you, so you must have an internet connection.

```bash
./asmcli install \
  OTHER_FLAGS \
  --option OPTION_NAME
```

Replace OPTION_NAME with the option you want to enable. Be sure to omit the .yaml extension and only include the name of the overlay file, such as iap-operator and attached-cluster. For a list of options, refer to the anthos-service-mesh package.

Use --custom_overlay when you need to customize the overlay file.

```bash
./asmcli install \
  OTHER_FLAGS \
  --custom_overlay PATH_TO_FILE
```

Replace PATH_TO_FILE with the path to the overlay file you want to use.
YAML for optional features
The following sections provide the YAML to enable optional and supported features.
mTLS STRICT mode
The global.mtls.enabled configuration was removed from the IstioOperator CR to avoid issues with upgrades and to provide a more flexible installation. To enable STRICT mTLS, configure a peer authentication policy instead.
Distroless proxy image
As a best practice, you should restrict the contents of a container runtime to only the necessary packages. This approach improves security and the signal-to-noise ratio of Common Vulnerabilities and Exposures (CVE) scanners. Istio provides proxy images based on distroless base images.
The following configuration enables distroless images for the entire Cloud Service Mesh. An image type change requires each pod to restart and get re-injected to take effect.

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      image:
        imageType: distroless
```

The distroless image does not contain any binaries other than the proxy. It is therefore not possible to exec a shell or use curl, ping, or other debug utilities inside the container.
If you run a curl command, you see the following error:

```
error: Internal error occurred: error executing command in container: failed to exec in container: failed to start exec "<container-id>"OCI runtime exec failed: exec failed: unable to start container process: exec: "curl": executable file not found in $PATH: unknown
```

If you run a shell command, you see the following error:

```
error: Internal error occurred: error executing command in container: failed to exec in container: failed to start exec "<container-id>"OCI runtime exec failed: exec failed: container_linux.go:380: starting container process caused: exec: "sh": executable file not found in $PATH: unknown
```

If you need access to these tools for specific pods, you can override the imageType by using the following pod annotation.

```yaml
sidecar.istio.io/proxyImageType: debug
```

After changing the image type of a deployment via the annotation, restart the deployment.

```bash
kubectl rollout restart deployment -n NAMESPACE DEPLOYMENT_NAME
```

For most types of proxy debugging, use istioctl proxy-cmd, which does not require a debug base image.
Use a custom overlay for custom registry
You can use a custom overlay for custom registries, such as if you need to install Cloud Service Mesh from a custom container registry. For example:

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  hub: {private_registry_url}
```

The following is a list of images for Cloud Service Mesh that you need to mirror to the custom container registry:
- Install-cni - gke.gcr.io/asm/install-cni:1.28.2-asm.4
- Managed Data Plane - gke.gcr.io/asm/mdp:1.28.2-asm.4
- Pilot - gke.gcr.io/asm/pilot:1.28.2-asm.4
- Proxyv2 - gke.gcr.io/asm/proxyv2:1.28.2-asm.4
If you use the canonical service, also mirror gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 and gke.gcr.io/asm/canonical-service-controller:1.10.3-asm.16.

Add images to a private registry
To push Cloud Service Mesh images to a private registry, complete the following steps.

Note: Use a client from which you can pull from gcr.io and push to your private registry.

- Pull the Cloud Service Mesh images:

  ```bash
  docker pull gke.gcr.io/asm/install-cni:1.28.2-asm.4
  docker pull gke.gcr.io/asm/mdp:1.28.2-asm.4
  docker pull gke.gcr.io/asm/pilot:1.28.2-asm.4
  docker pull gke.gcr.io/asm/proxyv2:1.28.2-asm.4
  ```

- Create a variable for your private registry URL:

  ```bash
  export PRIVATE_REGISTRY_URL=PRIVATE_REGISTRY_URL
  ```

  Replace PRIVATE_REGISTRY_URL with your private registry URL.

- Tag the images with your private registry URL:

  ```bash
  docker tag gke.gcr.io/asm/install-cni:1.28.2-asm.4 \
    ${PRIVATE_REGISTRY_URL}/gke.gcr.io/asm/install-cni:1.28.2-asm.4
  docker tag gke.gcr.io/asm/mdp:1.28.2-asm.4 \
    ${PRIVATE_REGISTRY_URL}/gke.gcr.io/asm/mdp:1.28.2-asm.4
  docker tag gke.gcr.io/asm/pilot:1.28.2-asm.4 \
    ${PRIVATE_REGISTRY_URL}/gke.gcr.io/asm/pilot:1.28.2-asm.4
  docker tag gke.gcr.io/asm/proxyv2:1.28.2-asm.4 \
    ${PRIVATE_REGISTRY_URL}/gke.gcr.io/asm/proxyv2:1.28.2-asm.4
  ```

- Push the tagged images to your private registry:

  ```bash
  docker push ${PRIVATE_REGISTRY_URL}/gke.gcr.io/asm/install-cni:1.28.2-asm.4
  docker push ${PRIVATE_REGISTRY_URL}/gke.gcr.io/asm/mdp:1.28.2-asm.4
  docker push ${PRIVATE_REGISTRY_URL}/gke.gcr.io/asm/pilot:1.28.2-asm.4
  docker push ${PRIVATE_REGISTRY_URL}/gke.gcr.io/asm/proxyv2:1.28.2-asm.4
  ```

- (Optional) If you use a canonical service, then add the canonical service images to your private registry.

  - Pull the Cloud Service Mesh canonical service images:

    ```bash
    docker pull gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
    docker pull gke.gcr.io/asm/canonical-service-controller:1.10.3-asm.16
    ```

  - Tag the images with your private registry URL:

    ```bash
    docker tag gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1 \
      ${PRIVATE_REGISTRY_URL}/gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
    docker tag gke.gcr.io/asm/canonical-service-controller:1.10.3-asm.16 \
      ${PRIVATE_REGISTRY_URL}/gke.gcr.io/asm/canonical-service-controller:1.10.3-asm.16
    ```

  - Push the tagged images to your private registry:

    ```bash
    docker push ${PRIVATE_REGISTRY_URL}/gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
    docker push ${PRIVATE_REGISTRY_URL}/gke.gcr.io/asm/canonical-service-controller:1.10.3-asm.16
    ```

If you can pull the tagged images from your private registry, then the procedure was successful.
Increase termination drain duration
By default, Envoy waits five seconds (5s) for existing connections to complete when a pod is terminating.
The Pod terminationGracePeriodSeconds value must be greater than the terminationDrainDuration value.
For more information, see Global Mesh Options.

```yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      terminationDrainDuration: 30s
```

Enable Access logs

```yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: "/dev/stdout"
```

For more information, see Enable Envoy's access logging.
Cloud Trace
Cloud Trace is available with Cloud Service Mesh installations on the following platforms:
- GKE on Google Cloud
- GKE Enterprise clusters on-premises if you install with Cloud Service Mesh certificate authority

```yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    enableTracing: true
  values:
    global:
      proxy:
        tracer: stackdriver
```

For more information, see Accessing traces.
Egress via egress gateways
We recommend that you install an injected gateway as described in Install and upgrade gateways. Injection, or auto-injection, refers to the use of mutating webhooks to modify Pod specifications at creation time. You use injection to add the Envoy proxy sidecar configuration for your mesh services or to configure the Envoy proxy of gateways.
Istio Container Network Interface
How you enable the Istio Container Network Interface (CNI) depends on the environment that Cloud Service Mesh is installed on.
Choose the overlay file that matches your platform.
Enable CNI on GKE
```yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    cni:
      cniBinDir: /home/kubernetes/bin
      excludeNamespaces:
        - istio-system
        - kube-system
```

Enable CNI on-premises

```yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: kube-system
  values:
    cni:
      cniBinDir: /opt/cni/bin
      excludeNamespaces:
        - istio-system
        - kube-system
        - gke-system
```

Enable Traffic logs for off-Google Cloud
Installing Cloud Service Mesh with Istio CA outside of Google Cloud reports metrics to Prometheus by default. Use this option to enable reporting Traffic logs instead, or both Prometheus and Stackdriver, so you can use the Cloud Service Mesh dashboards.
Only Stackdriver
```yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    telemetry:
      enabled: true
      v2:
        enabled: true
        prometheus:
          enabled: false
        stackdriver:
          enabled: true
```

Stackdriver and Prometheus

```yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    telemetry:
      enabled: true
      v2:
        enabled: true
        prometheus:
          enabled: true
        stackdriver:
          enabled: true
```

Enable an internal load balancer
We recommend that you install an injected gateway as described in Install and upgrade gateways to set up an internal load balancer on GKE. When configuring the gateway Service, you include the annotation:

```yaml
networking.gke.io/load-balancer-type: "Internal"
```
External certificate management on the ingress gateway
For information on enabling external certificate management on the ingress gateway using Envoy SDS, see Secure Gateways.
Last updated 2026-02-19 UTC.

