Cloud Run API reference
Preview
This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.
Note: This guide only supports Cloud Service Mesh with Istio APIs and doesnot support Google Cloud APIs. For more information see,Cloud Service Mesh overview.This page provides a reference for the APIs that are used to configureCloud Service Mesh for Cloud Run workloads.
Cloud Run API
v1 API
Cloud Service Mesh is enabled using aRevision level annotation.The value of this annotation is the backing mesh name of theCloud Service Mesh Istio cluster.
| Annotation | Value |
|---|---|
| run.googleapis.com/mesh | projects/PROJECT/locations/global/meshes/MESH |
v2 API
Cloud Service Mesh is enabled using theserviceMesh field in theService resource
Cloud Service Mesh Istio API
VirtualService API
| Field Name | Type | Field Description |
|---|---|---|
| gateways | String [] | If the gateways include an "external-mesh" then the virtual service applies to only non-GKE workloads. If "mesh" is specified along with "external-mesh", the virtual service will apply to both non-GKE and GKE workloads. |
| exportTo | string | Considering that non-GKE workloads have no concept of a namespace, "external-mesh" virtual services will ignore the exportTo field. However, they will continue to work for virtual services that have "mesh" or gateways will continue to work as expected for GKE workloads. |
| httpRoute.HTTPMatchRequest.SourceLabels | map | Will be ignored for "external-mesh" virtual services. However, they will continue to work for virtual services that have "mesh" or gateways will continue to work as expected for GKE workloads. |
| httpRoute.HTTPMatchRequest.SourceNamespace | string | Will be ignored for "external-mesh" virtual services. However, they will continue to work for virtual services that have "mesh" or gateways will continue to work as expected for GKE workloads. |
| httpRoute.HTTPMatchRequest.Gateways | string[] | Will be ignored for "external-mesh" virtual services. However, they will continue to work for virtual services that have "mesh" or gateways will continue to work as expected for GKE workloads. |
| tls | tlsRoute[] | Will be ignored for "external-mesh" virtual services. However, they will continue to work for virtual services that have "mesh" or gateways will continue to work as expected for GKE workloads. |
| tcp | tcpRoute[] | Will be ignored for external-mesh virtual service. However, they will continue to work for virtual services that have "mesh" or gateways will continue to work as expected for GKE workloads. |
Istio Auto MTLS and Secure Naming
Currently, Cloud Service Mesh supports Automatic Istio MutualTLS and SecureNaming for requests between GKE Services.
For Preview, non-GKE workloads communicating withGKE workloads/services will not use Istio Auto MTLS nor SecureNaming. The traffic will be in plain text. Make sure that GKEServices have a permissive MTLS policy (which is the Istio API default) whichaccepts MTLS traffic from GKE workloads and plain text fromnon-GKE workloads.
Use the following command to check if PeerAuthentication is in permissive mode:
# list PeerAuthentication resources in a namespace# If no PeerAuthentication resource exists in the namespace,# then it's PERMISSIVE mode (Istio API default)kubectlgetPeerAuthentication-n$NAMESPACE# for each of the above run the following commandkubectlgetPeerAuthentication$PEER-AUTHN-n$NAMESPACE# Expected Output is as follows:# MTLS Mode must be PERMISSIVE.# If the output says STRICT, then please update the policy to PERMISSIVE.apiVersion:security.istio.io/v1kind:PeerAuthenticationmetadata:name:$PEER-AUTHNnamespace:$NAMESPACEspec:mtls:mode:PERMISSIVEMeshConfig Telemetry
Cloud Service Mesh supports MeshConfig telemetry API to enable and disableCloud Logging and Cloud Monitoring for GKE workloads.This will work similarly for non-GKE workloads as well.
Destination Rule
For Preview,DestinationRule targeting the "external-mesh" virtual serviceswill be supported except following fields:trafficPolicy.tls
Sidecar API
Sidecar API will not be applicable to non-GKE workloads.Non-GKE workloads will be able to see all the virtual servicesscoped to "external-mesh" without being filtered by any Sidecar visibility rules.
Security API - Authorization Policy, Request Authentication Policy
These will not apply to non-GKE workloads which act as Clientssending outbound traffic. They will continue to apply GKEworkloads that receive inbound traffic.
GCPBackend API
Note: This is a Kubernetes Custom Resource.| Field Name | Type | Field Description |
|---|---|---|
| GCPBackend | struct | Schema for the GCPBackend resource. |
| TypeMeta | metav1.TypeMeta | Embedded struct for storing metadata information like kind and API version. |
| ObjectMeta | metav1.ObjectMeta | Embedded struct for storing metadata information like name, namespace, labels, annotations, etc. |
| Spec | GCPBackendSpec | Specification for the GCPBackend resource, defining its desired state. |
| GCPBackendSpec | struct | Defines the desired state of the GRPCRoute. |
| CloudRun | *CloudRunBackend | Defines a backend running in CloudRun (optional). |
| CloudRunBackend | struct | Identifies a service running on Cloud Run. |
| Service | string | CloudRun service name. Must be between 1 and 49 characters, follow a specific pattern, and consist only of lowercase letters, hyphens, and numbers. |
| Regions | []Region | Regions of the CloudRun service. Exactly one region must be provided. |
| Project | string | Project ID of the CloudRun service. Defaults to the same project as the GKE cluster. Must be between 6 and 30 characters and follow a specific pattern. Currently, Cloud Run Service and the GKE Cluster must be in the same project. |
| GCPBackendList | struct | Contains a list of GCPBackends. |
| Items | []*GCPBackend | Array of GCPBackend pointers representing the list of GCPBackend resources. |
| ListMeta | metav1.ListMeta | Embedded struct for storing list metadata information like resource version and continue token for pagination. |
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.