Plan an installation

Note: This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see Cloud Service Mesh overview.

This page provides information to help you plan a new installation of in-cluster Cloud Service Mesh on GKE.

Note: If you need to install Cloud Service Mesh from a private or custom container registry, see Install Cloud Service Mesh from a custom container registry.

Customize the control plane

The features that Cloud Service Mesh supports differ between platforms. We recommend that you review the Supported features to learn which features are supported on your platform. Some features are enabled by default, and others you can optionally enable by creating an IstioOperator overlay file. When you run asmcli install, you can customize the control plane by specifying the --custom_overlay option with the overlay file. As a best practice, we recommend that you keep the overlay files in your version control system.

The anthos-service-mesh package in GitHub contains many overlay files. These files contain common customizations to the default configuration. You can use these files as they are, or you can make additional changes to them as needed. Some of the files are required to enable optional Cloud Service Mesh features. The anthos-service-mesh package is downloaded when you run asmcli to validate your project and cluster.

When you install Cloud Service Mesh using asmcli install, you can specify one or more overlay files with the --option or --custom_overlay option. If you don't need to make any changes to the files in the anthos-service-mesh repository, you can use --option, and the script fetches the file from GitHub for you. Otherwise, make your changes to the overlay file, and then use the --custom_overlay option to pass it to asmcli.

Choose a Certificate Authority

Depending on your use case and platform, you can choose one of the following as the certificate authority (CA) for issuing mutual TLS (mTLS) certificates:

This section provides high-level information about each of these CA options andtheir use cases.

Mesh CA

Unless you require a custom CA, we recommend that you use Cloud Service Mesh certificate authority for the following reasons:

  • Cloud Service Mesh certificate authority is a highly reliable and scalable service that is optimized for dynamically scaled workloads.
  • With Cloud Service Mesh certificate authority, Google manages the security and availability of the CA backend.
  • Cloud Service Mesh certificate authority lets you rely on a single root of trust across clusters.

Certificates from Cloud Service Mesh certificate authority include the following data about your application's services:

  • The Google Cloud project ID
  • The GKE namespace
  • The GKE service account name

Important: The certificates issued by Cloud Service Mesh certificate authority should only be used to enable secure service-to-service communication within your service mesh, and not be used for any other purpose. These certificates are sent whenever services attempt to communicate with each other using mutual TLS. Make sure that you don't inadvertently expose confidential information by using these certificates when communicating outside your service mesh.
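The three fields listed above are what a peer actually sees when a workload presents its mesh certificate. As an added example (not code from Google or the Cloud Service Mesh project), the following parses that identity from the certificate's SPIFFE URI SAN and enforces that a caller belongs to this mesh's own project and to an allowlisted namespace and service account. It assumes the Mesh CA trust-domain format `PROJECT_ID.svc.id.goog`; the project, namespace and service-account names in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Mesh CA encodes the workload identity as a SPIFFE URI SAN of the form
#   spiffe://<project-id>.svc.id.goog/ns/<namespace>/sa/<service-account>
# Assumption: this is the trust-domain format used by Cloud Service Mesh certificate authority.
# Project IDs are 6-30 lowercase letters, digits or hyphens and start with a letter;
# Kubernetes namespace and service-account names are DNS-label style.
SPIFFE_RE = re.compile(
    r"^spiffe://(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])\.svc\.id\.goog"
    r"/ns/(?P<namespace>[a-z0-9](?:[-a-z0-9]*[a-z0-9])?)"
    r"/sa/(?P<service_account>[a-z0-9](?:[-a-z0-9]*[a-z0-9])?)$"
)


@dataclass(frozen=True)
class MeshIdentity:
    project: str          # Google Cloud project ID (the trust domain)
    namespace: str        # GKE namespace
    service_account: str  # GKE service account name


def parse_mesh_identity(uri_san: str) -> MeshIdentity:
    """Parse the identity Mesh CA places in a workload certificate; raise ValueError otherwise."""
    match = SPIFFE_RE.match(uri_san)
    if not match:
        raise ValueError(f"not a Cloud Service Mesh workload identity: {uri_san!r}")
    return MeshIdentity(match["project"], match["namespace"], match["service_account"])


def is_allowed_caller(uri_san: str, expected_project: str, allowed: set) -> bool:
    """True only if the peer is in this mesh's project AND its (namespace, service account) is allowlisted.

    A certificate from a different trust domain is not part of this mesh and is rejected
    even if the namespace and service account names happen to match.
    """
    try:
        identity = parse_mesh_identity(uri_san)
    except ValueError:
        return False
    if identity.project != expected_project:
        return False
    return (identity.namespace, identity.service_account) in allowed


# Constructed sample: the checkout service in the payments namespace calls this workload.
SAMPLE_SAN = "spiffe://my-project.svc.id.goog/ns/payments/sa/checkout"
ALLOWED_CALLERS = {("payments", "checkout")}
```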

CA Service

Platform note: CA Service is only supported on the following platforms: GKE clusters on Google Cloud, Google Distributed Cloud (software only) for VMware, and Distributed Cloud. If you run asmcli install and specify --ca gcp_cas on other platforms, the installation appears successful, but your workloads will fail to start.

In addition to Cloud Service Mesh certificate authority, you can configure Cloud Service Mesh to use Certificate Authority Service. This guide lets you integrate with CA Service, which is recommended for the following use cases:

  • If you need different certificate authorities to sign workload certificates on different clusters.
  • If you need to back your signing keys with a Cloud HSM.
  • If you are in a highly regulated industry and are subject to compliance requirements.
  • If you want to chain your Cloud Service Mesh CA up to a custom enterprise root certificate to sign workload certificates.

The cost of Cloud Service Mesh certificate authority is included in the Cloud Service Mesh pricing. CA Service isn't included in the base Cloud Service Mesh price and is charged separately. Additionally, CA Service comes with an explicit SLA, but the Cloud Service Mesh certificate authority does not.

Istio CA

We recommend that you use Istio CA if you meet the following criteria:

  • Your mesh already uses Istio CA and you do not require the benefits enabled by Cloud Service Mesh certificate authority or CA Service.
  • You require a custom root CA.
  • You have off-Google Cloud workloads where a Google Cloud-managed CA service is not acceptable.

Prepare gateway configuration

Cloud Service Mesh gives you the option to deploy and manage gateways as part of your service mesh. A gateway describes a load balancer operating at the edge of the mesh that receives incoming or outgoing HTTP/TCP connections. Gateways are Envoy proxies that provide you with fine-grained control over traffic entering and leaving the mesh.

asmcli doesn't install the istio-ingressgateway. We recommend that you deploy and manage the control plane and gateways separately. For more information, see Installing and upgrading gateways.

What's next?

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.