Adding Cloud Service Mesh (In-cluster) services to the service perimeters

If you have created a service perimeter in your organization, you must add the Certificate Authority (Cloud Service Mesh certificate authority or Certificate Authority Service), Mesh Configuration, Stackdriver logging, Cloud Monitoring, and Cloud Trace services to the perimeter, in the following cases:

  • The cluster on which you have installed Cloud Service Mesh is in a project that is included in a service perimeter.
  • The cluster on which you have installed Cloud Service Mesh is a service project in a Shared VPC network.

By adding these services to the service perimeter, your Cloud Service Mesh cluster can access these services. Access to the services is also restricted within your cluster's Virtual Private Cloud (VPC) network.

Not adding the aforementioned services may cause the Cloud Service Mesh installation to fail or cause functions to be missing. For example, if you don't add Cloud Service Mesh certificate authority to the service perimeter, the workloads can not get certificates from the Cloud Service Mesh certificate authority.

Before you begin

The setup for the VPC Service Controls service perimeter is at the organization level. Ensure that you have been granted the proper roles for administering VPC Service Controls. If you have multiple projects, you can apply the service perimeter to all of the projects by adding each project to the service perimeter.

Adding Cloud Service Mesh services to an existing service perimeter

Console

  1. Follow the steps in Updating a service perimeter to edit the perimeter.
  2. On the Edit VPC Service Perimeter page, under Services to protect, click Add Services.
  3. On the Specify services to restrict dialog, click Filter services. Depending on your Certificate Authority (CA), enter either Cloud Service Mesh Certificate Authority API or Certificate Authority Service API.
  4. Select the service's checkbox.
  5. Click Add Cloud Service Mesh Certificate Authority API.
  6. Repeat steps 2 - 5, to add:
    • Mesh Configuration API
    • Cloud Monitoring API
    • Cloud Trace API
  7. Click Save.

gcloud

To update the list of restricted services, use the update command and specify the services to add as a comma-delimited list:

gcloud access-context-manager perimeters update PERIMETER_NAME \
  --add-restricted-services=meshconfig.googleapis.com,meshca.googleapis.com,monitoring.googleapis.com,cloudtrace.googleapis.com,OTHER_SERVICES \
  --policy=POLICY_NAME

Where:

  • PERIMETER_NAME is the name of the service perimeter that you want to update.

  • OTHER_SERVICES is an optional comma-separated list of one or more services to include in the perimeter in addition to the services populated in the preceding command. For example: storage.googleapis.com,bigquery.googleapis.com.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

Refer to Updating a service perimeter for additional information.