VPC Service Controls for Cloud Service Mesh (Managed)

Note: This guide applies only to Cloud Service Mesh with Istio APIs and does not cover Cloud Service Mesh with Google Cloud APIs. For more information, see Cloud Service Mesh overview.

Cloud Service Mesh (Managed) supports VPC Service Controls as a generally available (GA) feature for new control planes.

To check whether your control plane supports VPC Service Controls GA, inspect the mesh feature state of your membership for the VPCSC_GA_SUPPORTED condition:

gcloud container fleet mesh describe --project FLEET_PROJECT_ID

The output is similar to:

(...)
membershipStates:
  projects/FLEET_PROJECT_NUMBER/locations/MEMBERSHIP_LOCATION/memberships/MEMBERSHIP_ID:
    servicemesh:
      conditions:
      - code: VPCSC_GA_SUPPORTED
        details: This control plane supports VPC Service Controls GA.
        documentationLink: http://cloud.google.com/service-mesh/v1.27/docs/managed/VPCServiceControls
        severity: INFO
(...)

If you have an existing control plane that does not report the VPCSC_GA_SUPPORTED condition and you want to rely on VPC Service Controls, contact support.
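The condition check above is easy to script for a fleet with many memberships. The following is an added example, not code from the page or from Google; it parses the YAML that `gcloud container fleet mesh describe` prints (the sample embedded below is constructed in that shape, with two memberships, and is not real describe output) and reports which memberships do not advertise VPCSC_GA_SUPPORTED.

```shell
#!/bin/sh
# Added example: list fleet memberships whose managed control plane does or
# does not report the VPCSC_GA_SUPPORTED condition. Input is the YAML printed
# by `gcloud container fleet mesh describe --project FLEET_PROJECT_ID`.

# Constructed sample in the shape of that output (not real describe output):
# cluster-a reports the condition, cluster-b does not.
SAMPLE_DESCRIBE='membershipStates:
  projects/123456789012/locations/us-central1/memberships/cluster-a:
    servicemesh:
      conditions:
      - code: VPCSC_GA_SUPPORTED
        details: This control plane supports VPC Service Controls GA.
        severity: INFO
  projects/123456789012/locations/us-central1/memberships/cluster-b:
    servicemesh:
      controlPlaneManagement:
        state: ACTIVE
name: projects/123456789012/locations/global/features/servicemesh'

# Usage: memberships_by_vpcsc_support yes|no < describe-output
# A membership key is a two-space-indented "projects/.../memberships/NAME:" line;
# every condition line that follows belongs to the most recent key.
memberships_by_vpcsc_support() {
  awk -v want="$1" '
    /^  projects\// { m = $1; sub(/:$/, "", m); seen[m] = "no" }
    /^ *- code: VPCSC_GA_SUPPORTED$/ { seen[m] = "yes" }
    END { for (m in seen) if (seen[m] == want) print m }
  ' | sort
}

# Usage: all_memberships_support_vpcsc < describe-output
# Exit 0 only if no membership lacks the condition.
all_memberships_support_vpcsc() {
  [ -z "$(memberships_by_vpcsc_support no)" ]
}

# Against a live fleet:
#   gcloud container fleet mesh describe --project FLEET_PROJECT_ID | memberships_by_vpcsc_support no
printf '%s\n' "$SAMPLE_DESCRIBE" | all_memberships_support_vpcsc \
  || printf 'Contact support before relying on VPC Service Controls for: %s\n' \
       "$(printf '%s\n' "$SAMPLE_DESCRIBE" | memberships_by_vpcsc_support no)"
```

Run `all_memberships_support_vpcsc` as a gate in the pipeline that enables the perimeter: a membership that appears in the "no" list is exactly the case the paragraph above sends to support.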

Before you begin

The VPC Service Controls org-policy and service perimeter are configured at the organization level. Ensure that you have been granted the proper roles for administering VPC Service Controls.

Set up your VPC Service Controls service perimeter

Create or update your service perimeter:

  1. Add your cluster project(s) and fleet project to the service perimeter. Having a service mesh spread across multiple VPC Service Controls perimeters is not supported.

  2. Add restricted services to the service perimeter.

    You must add specific services to the allowed and restricted services lists in the service perimeter, so that your Cloud Service Mesh cluster can access them. Access to these services is also restricted within your cluster's Virtual Private Cloud (VPC) network.

    Not adding these services may cause the Cloud Service Mesh installation to fail or to not function properly. For example, if you don't add the Mesh Configuration API to the service perimeter, the installation will fail and the workloads won't receive their Envoy configuration from the managed control plane.

    Console

    1. Follow the steps in Updating a service perimeter to edit the perimeter.
    2. Click the Edit VPC Service Perimeter page.
    3. Under Restricted Services, Services to protect, click Add Services.
    4. On the Specify services to restrict dialog, click Filter services, and enter Mesh Configuration API.
    5. Select the service's checkbox.
    6. Click Add Mesh Configuration API.
    7. Repeat steps 3 to 6 to add:
      • Cloud Service Mesh Certificate Authority API
      • GKE Hub API
      • Cloud IAM API
      • Cloud Monitoring API
      • Cloud Trace API
      • Google Cloud Resource Manager API
      • Google Compute Engine API
      • Google Container Registry API
      • Artifact Registry API
      • Google Cloud Storage API
      • Cloud Logging API
      • Security Token Service API
    8. Click Save.

    gcloud

    To update the list of restricted services, use the update command and specify the services to add as a comma-delimited list:

    gcloud access-context-manager perimeters update PERIMETER_NAME \
        --add-restricted-services=meshconfig.googleapis.com,meshca.googleapis.com,gkehub.googleapis.com,iam.googleapis.com,monitoring.googleapis.com,cloudtrace.googleapis.com,cloudresourcemanager.googleapis.com,compute.googleapis.com,containerregistry.googleapis.com,artifactregistry.googleapis.com,storage.googleapis.com,logging.googleapis.com,sts.googleapis.com \
        --policy=POLICY_NAME

    Where:

    • PERIMETER_NAME is the name of the service perimeter that you want to update.

    • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

  3. Under VPC Accessible Services, set the allowed services to 'All restricted services', so that the services restricted in the step above remain reachable from inside the VPC Service Controls perimeter.

  4. Unless you are installing Cloud Service Mesh from a network inside the perimeter, add an ingress rule that allows the identity running the asmcli command to access the service perimeter.

    For more information, see Updating a service perimeter.
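Steps 2 to 4 above are usually applied to a perimeter that already exists and already restricts some services. The following is an added example, not code from the page or from Google, that audits such a perimeter from the YAML that `gcloud access-context-manager perimeters describe` prints (the embedded sample is constructed in that shape and is not a real perimeter), emits only the update commands the perimeter still needs, and generates an ingress policy for the identity that runs asmcli, limited to the services the page lists. The gcloud flags `--enable-vpc-accessible-services`, `--vpc-allowed-services=RESTRICTED-SERVICES` and `--set-ingress-policies` are the documented gcloud equivalents of steps 3 and 4; the ingress YAML shape is an assumption to verify against the VPC Service Controls reference before you apply it.

```shell
#!/bin/sh
# Added example: audit an existing perimeter for the services Cloud Service
# Mesh (Managed) needs, emit the gcloud updates it still requires, and generate
# the ingress policy for the identity that runs asmcli. Input is the YAML
# printed by `gcloud access-context-manager perimeters describe PERIMETER_NAME --policy=POLICY_NAME`.

# The services the page lists (one entry per service).
CSM_REQUIRED_SERVICES="meshconfig.googleapis.com meshca.googleapis.com gkehub.googleapis.com iam.googleapis.com monitoring.googleapis.com cloudtrace.googleapis.com cloudresourcemanager.googleapis.com compute.googleapis.com containerregistry.googleapis.com artifactregistry.googleapis.com storage.googleapis.com logging.googleapis.com sts.googleapis.com"

# Constructed sample in the shape of describe output (not a real perimeter):
# only three services are restricted, and VPC accessible services is enabled
# but not set to RESTRICTED-SERVICES.
SAMPLE_PERIMETER='name: accessPolicies/330193482019/servicePerimeters/csm_perimeter
status:
  resources:
  - projects/123456789012
  restrictedServices:
  - storage.googleapis.com
  - monitoring.googleapis.com
  - logging.googleapis.com
  vpcAccessibleServices:
    allowedServices:
    - storage.googleapis.com
    enableRestriction: true
title: csm_perimeter'

# Print the restrictedServices entries of the perimeter on stdin, one per line.
perimeter_restricted_services() {
  awk '
    /^  restrictedServices:/ { in_list = 1; next }
    in_list && /^  - /       { sub(/^  - /, ""); print; next }
    in_list                  { in_list = 0 }
  '
}

# Print the required services that the perimeter on stdin does not restrict yet (sorted).
missing_restricted_services() {
  have=$(perimeter_restricted_services)
  for svc in $CSM_REQUIRED_SERVICES; do
    printf '%s\n' "$have" | grep -qx "$svc" || printf '%s\n' "$svc"
  done | sort
}

# Exit 0 only if VPC accessible services is enabled and set to RESTRICTED-SERVICES
# (the gcloud spelling of the console's "All restricted services").
vpc_accessible_ok() {
  awk '
    /^  vpcAccessibleServices:/                  { in_block = 1; next }
    in_block && /^    - RESTRICTED-SERVICES$/    { ok = 1 }
    in_block && /^    enableRestriction: true$/  { enabled = 1 }
    in_block && /^[^ ]/                          { in_block = 0 }
    END { exit !(ok && enabled) }
  '
}

# Usage: perimeter_update_commands PERIMETER_NAME POLICY_NAME < describe-output
# Prints the update commands the perimeter still needs (echoed, never executed here).
perimeter_update_commands() {
  spec=$(cat)
  missing=$(printf '%s\n' "$spec" | missing_restricted_services | paste -s -d , -)
  [ -z "$missing" ] || printf 'gcloud access-context-manager perimeters update %s --add-restricted-services=%s --policy=%s\n' "$1" "$missing" "$2"
  printf '%s\n' "$spec" | vpc_accessible_ok \
    || printf 'gcloud access-context-manager perimeters update %s --enable-vpc-accessible-services --vpc-allowed-services=RESTRICTED-SERVICES --policy=%s\n' "$1" "$2"
}

# Usage: asmcli_ingress_policy IDENTITY   (user:alice@example.com or serviceAccount:...)
# Emits an ingress policy limited to the required services, for --set-ingress-policies=FILE.
# Assumption: this is the ingressPolicies YAML shape gcloud accepts; verify it before use.
asmcli_ingress_policy() {
  printf '%s\n' "- ingressFrom:" "    identities:" "    - $1" "    sources:" "    - accessLevel: '*'" \
                "  ingressTo:" "    operations:"
  for svc in $CSM_REQUIRED_SERVICES; do
    printf '%s\n' "    - serviceName: $svc" "      methodSelectors:" "      - method: '*'"
  done
  printf '%s\n' "    resources:" "    - '*'"
}

printf '%s\n' "$SAMPLE_PERIMETER" | perimeter_update_commands csm_perimeter 330193482019
asmcli_ingress_policy "user:alice@example.com"
```

Two points of design: the audit adds only the services that are missing, so re-running it is harmless, and the ingress policy names the required services explicitly instead of `serviceName: '*'`, which would open every restricted service in the perimeter to that identity. Note that `--set-ingress-policies` replaces the perimeter's existing ingress policies, so merge the generated policy into the current list before applying it.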

Install the managed Cloud Service Mesh in a VPC Service Controls perimeter

Follow the steps in the Configure managed Cloud Service Mesh page. Then, verify that the control plane has been successfully provisioned and that there are no VPC Service Controls related errors.

Troubleshooting

Cannot create cluster with the latest GKE 1.22 image

There is a known issue preventing the creation of a cluster with the latest 1.22 image in a VPC Service Controls restricted environment. The workaround is to create the cluster first with the release channel's default image, and then upgrade the control plane:

gcloud container clusters create CLUSTER \
    --region REGION \
    --release-channel=rapid \
    --workload-pool=PROJECT_ID.svc.id.goog \
    --project PROJECT_ID
gcloud container clusters upgrade CLUSTER \
    --region REGION \
    --master \
    --cluster-version 1.22 \
    --project PROJECT_ID

Containers are not able to download their images.

This may happen if the images are located outside of the service perimeter. Either move the images to a bucket located inside the perimeter, or update the perimeter to add an egress rule. Typically, the egress rule allows selected identities to access the Container Registry API, Artifact Registry API, and Cloud Storage API.
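An egress rule for image pulls is the common fix when the registry project cannot be moved into the perimeter. The following is an added example, not code from the page or from Google: it generates an egress policy for a node identity, scoped to the three services named above and to one registry project, and refuses a resource that is not given as a project number. The identity, project number and the egress YAML shape are assumptions to check against the VPC Service Controls reference; `--set-egress-policies` is the documented gcloud flag that applies such a file.

```shell
#!/bin/sh
# Added example: generate the egress policy that lets a cluster's node identity
# pull images from a registry project outside the perimeter, scoped to the three
# services named in the troubleshooting entry above.

# Assumption (verify against the VPC Service Controls reference): egress policy
# "resources" take projects/PROJECT_NUMBER, so a project ID is refused here
# before it ever reaches the API.
is_project_number_resource() {
  printf '%s' "$1" | grep -qxE 'projects/[0-9]+'
}

# Usage: image_pull_egress_policy IDENTITY projects/PROJECT_NUMBER
# IDENTITY is the principal that pulls the image (for GKE, the node service account).
image_pull_egress_policy() {
  identity="$1"; resource="$2"
  if ! is_project_number_resource "$resource"; then
    printf 'egress resources must be projects/PROJECT_NUMBER, got %s\n' "$resource" >&2
    return 1
  fi
  printf '%s\n' "- egressFrom:" "    identities:" "    - $identity" "  egressTo:" "    operations:"
  for svc in containerregistry.googleapis.com artifactregistry.googleapis.com storage.googleapis.com; do
    printf '%s\n' "    - serviceName: $svc" "      methodSelectors:" "      - method: '*'"
  done
  printf '%s\n' "    resources:" "    - $resource"
}

# Constructed values. Write the output to a file and apply it with
#   gcloud access-context-manager perimeters update PERIMETER_NAME --set-egress-policies=FILE --policy=POLICY_NAME
# (--set-egress-policies replaces the perimeter's existing egress policies, so merge first).
image_pull_egress_policy "serviceAccount:gke-nodes@my-cluster-project.iam.gserviceaccount.com" projects/987654321098
```

Keep the identity list to the node service account (or whichever principal actually pulls images) and the resource list to the registry project; an egress rule with `'*'` in either position lets any principal in the perimeter read any bucket or repository outside it, which defeats the perimeter for data exfiltration.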

The Status field of the ControlPlaneRevision CRD displays VPC Service Controls errors

Run this command to get more info about the error:

gcloud logging read --project=PROJECT_ID \
    'protoPayload.metadata.@type=type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata'

Where:

  • PROJECT_ID is the project ID of the project encountering errors.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.