Enable optional features on managed control plane

Note: This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see Cloud Service Mesh overview.

This page describes how to enable optional features on managed Cloud Service Mesh. For information on the in-cluster control plane, see Enabling optional features on the in-cluster control plane.

Caution: There is a known issue with the TRAFFIC_DIRECTOR control plane implementation. If you are using that implementation, then you must make changes in the istio-asm-managed-rapid configmap, even if you are using a channel other than rapid.

When you provision managed Cloud Service Mesh, the supported features differ based on the control plane implementation, and certain features are only available via allowlist. See supported features for details. If you are using an IstioOperator based configuration today, the Migrate from IstioOperator tool can help convert it to the configuration supported by the managed control plane.

Distroless proxy image

  • If you directly onboarded to Cloud Service Mesh with a managed TRAFFIC_DIRECTOR control plane implementation, then only the distroless image type is supported. You cannot change it.

  • If your fleet originally used the ISTIOD control plane implementation and was migrated to the TRAFFIC_DIRECTOR implementation, your image type was left unchanged during migration, and you can change the image type to distroless yourself.

As a best practice, you should restrict the contents of a container runtime to only the necessary packages. This approach improves security, because an attacker who gains code execution in the sidecar finds no shell or network tooling to live off, and it improves the signal-to-noise ratio of Common Vulnerabilities and Exposures (CVE) scanners, which stop reporting findings in packages the proxy never uses. Istio provides proxy images based on distroless base images.

The distroless proxy image does not contain any binaries other than the proxy. It is therefore not possible to exec a shell or use curl, ping, or other debug utilities inside the container. However, you can use ephemeral containers to attach to a running workload Pod to inspect it and run custom commands. For example, see Collecting Cloud Service Mesh logs.

The following configuration enables distroless images for the entire Cloud Service Mesh. An image type change requires each pod to restart and get re-injected to take effect.

apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-release-channel
  namespace: istio-system
data:
  mesh: |-
    defaultConfig:
      image:
        imageType: distroless

You can override the imageType for a single workload by using the following pod annotation (for example, to get a debug image on one Deployment while the mesh default stays distroless):

sidecar.istio.io/proxyImageType: debug

After changing the image type of a deployment using the annotation, thedeployment should be restarted.

kubectl rollout restart deployment -n NAMESPACE DEPLOYMENT_NAME

Most proxy debugging does not require a debug base image, so prefer gcloud beta container fleet mesh debug proxy-status and gcloud beta container fleet mesh debug proxy-config (see details) over switching a workload to the debug image.

Outbound Traffic Policy

By default, outboundTrafficPolicy is set to ALLOW_ANY. In this mode, the sidecar passes all traffic to any external service. To control and restrict traffic to only the external services for which service entries are defined, change the default from ALLOW_ANY to REGISTRY_ONLY; the mesh then blocks egress to any host that is not in the service registry, which limits where a compromised workload can reach.

Warning: This step can overwrite your own changes. If you already have an existing config map, you must include all previous customization settings within the mesh: section to preserve your changes.
  1. The following configuration sets outboundTrafficPolicy to REGISTRY_ONLY:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: istio-release-channel
      namespace: istio-system
    data:
      mesh: |-
        outboundTrafficPolicy:
          mode: REGISTRY_ONLY

    where release-channel is your release channel (asm-managed, asm-managed-stable, or asm-managed-rapid).

  2. You can make the preceding config changes in the configmap using the following command:

    kubectl edit configmap istio-release-channel -n istio-system -o yaml
  3. Run the following command to view the configmap:

    kubectl get configmap istio-release-channel -n istio-system -o yaml
  4. To verify that outboundTrafficPolicy is set to REGISTRY_ONLY, ensure the following lines appear in the mesh: section.

    ...
    apiVersion: v1
    data:
      mesh: |
        outboundTrafficPolicy:
          mode: REGISTRY_ONLY
    ...

End user authentication

You can configure managed Cloud Service Mesh user authentication for browser-based end-user authentication and access control to your deployed workloads. For more information, see Configuring Cloud Service Mesh user authentication.

Configure the minimum TLS version for your workloads

If you directly onboarded to Cloud Service Mesh with a managed TRAFFIC_DIRECTOR control plane implementation, then you cannot change this setting.

You can use the minProtocolVersion field to specify the minimum TLS version for the TLS connections among your workloads. For more information on setting the minimum TLS version and checking the TLS configuration of your workloads, see Istio Workload Minimum TLS Version Configuration.

Warning: The Istio guide linked in the preceding paragraph uses IstioOperator, which is not supported by managed Cloud Service Mesh. You must convert the IstioOperator to an equivalent ConfigMap, such as the following example.

The following example shows aConfigMap setting the minimum TLS version forworkloads to 1.3:

apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-release-channel
  namespace: istio-system
data:
  mesh: |-
    meshMTLS:
      minProtocolVersion: TLSV1_3
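The distroless image type, the REGISTRY_ONLY outbound policy, and the minimum TLS version above are all edits to the mesh: key of the same istio-release-channel ConfigMap, and the warning in the outbound traffic section is the way this goes wrong in practice: writing a ConfigMap that contains only the new setting silently drops the settings that were already there. The following script is an added example, not part of the Cloud Service Mesh documentation or the product's tooling. It replaces one top-level block of an existing mesh: text, leaves every other block as it is, reads values back to verify, and patches only data.mesh when run with --apply. The function names (mesh_set, mesh_get, hardened_mesh, mesh_apply), the sample mesh text, and the CONFIGMAP default are assumptions made for the example; the kubectl patch and jsonpath forms are standard kubectl.

```shell
#!/bin/sh
# Added example, not from the Cloud Service Mesh docs or tooling.
# Assumes a POSIX shell with awk and sed; kubectl is needed only for --apply.
set -eu

# Assumption: the page says that with the TRAFFIC_DIRECTOR implementation you edit
# istio-asm-managed-rapid whatever channel you run, so that is the default here.
# Override CONFIGMAP=istio-asm-managed (or -stable) for an ISTIOD fleet.
CONFIGMAP="${CONFIGMAP:-istio-asm-managed-rapid}"
NAMESPACE="${NAMESPACE:-istio-system}"

# mesh_set MESH_TEXT KEY BLOCK
# Print MESH_TEXT with the top-level block KEY (the line "KEY:" plus every
# indented line after it) removed and BLOCK appended, so all other top-level
# settings survive. Caveat: the whole block is replaced, so to change
# defaultConfig.image.imageType pass the complete defaultConfig you want to keep.
mesh_set() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[^ \t#]/ { skip = ($0 ~ ("^" key ":")) }   # top-level line: start/stop skipping
    !skip      { print }
  '
  printf '%s\n' "$3"
}

# mesh_get MESH_TEXT KEY FIELD
# Print the scalar value of FIELD found anywhere inside the top-level block KEY,
# or nothing if it is not set. Used to verify the result before and after apply.
mesh_get() {
  printf '%s\n' "$1" | awk -v key="$2" -v field="$3" '
    /^[^ \t#]/ { inblock = ($0 ~ ("^" key ":")); next }
    inblock && $1 == (field ":") { print $2; exit }
  '
}

# hardened_mesh MESH_TEXT
# Apply the two restrictive settings from this page on top of whatever is there:
# default-deny egress (REGISTRY_ONLY) and a TLS 1.3 floor for workload mTLS.
hardened_mesh() {
  m="$(mesh_set "$1" outboundTrafficPolicy 'outboundTrafficPolicy:
  mode: REGISTRY_ONLY')"
  mesh_set "$m" meshMTLS 'meshMTLS:
  minProtocolVersion: TLSV1_3'
}

# mesh_apply MESH_TEXT
# Patch only data.mesh of the ConfigMap. kubectl patch accepts a YAML patch, so
# the literal block scalar goes through unchanged and other data keys are untouched.
mesh_apply() {
  kubectl patch configmap "$CONFIGMAP" -n "$NAMESPACE" --type merge \
    -p "$(printf 'data:\n  mesh: |-\n%s\n' "$(printf '%s\n' "$1" | sed 's/^/    /')")"
}

# Constructed sample of an existing mesh: section (not captured from a cluster).
SAMPLE_MESH='defaultConfig:
  image:
    imageType: distroless
outboundTrafficPolicy:
  mode: ALLOW_ANY'

if [ "${1:-}" = "--apply" ]; then
  # Read the live mesh: text first so existing customizations are preserved.
  live="$(kubectl get configmap "$CONFIGMAP" -n "$NAMESPACE" \
            -o jsonpath='{.data.mesh}' --ignore-not-found)"
  mesh_apply "$(hardened_mesh "$live")"
  # Read back, as step 4 of the outbound traffic procedure does.
  kubectl get configmap "$CONFIGMAP" -n "$NAMESPACE" -o jsonpath='{.data.mesh}'
else
  hardened_mesh "$SAMPLE_MESH"
fi
```

Without arguments the script only prints what it would write for the sample, which is the place to confirm that defaultConfig survived and ALLOW_ANY is gone before touching the cluster. Pods still have to be restarted after the patch for an image type change, as the distroless section states.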

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.