Understanding Feature State Conditions
Note: Canonical Services are supported automatically in Cloud Service Mesh version 1.6.8 and higher.
This page describes how to interpret and act upon Conditions reported on your Cloud Service Mesh cluster or fleet.
To check for conditions, run this command:
gcloud container fleet mesh describe --project FLEET_PROJECT
The output may include conditions in membershipStates for a cluster, like:
...
membershipStates:
  projects/test-project/locations/us-central1/memberships/my-membership:
    servicemesh:
      conditions:
      - code: <CONDITION_CODE>
        details: ...
        documentationLink: ....
        severity: ...
Values of code are described in more detail on this page.
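A small triage script, added here as an example (it is not code from the Cloud Service Mesh documentation or product), that reads the same describe output in JSON form (gcloud container fleet mesh describe --project FLEET_PROJECT --format=json) and lists every condition across all memberships in the fleet, ERROR first, together with the memberships whose managed control plane is not ACTIVE. The embedded sample output is constructed to mirror the YAML above; the second, healthy membership is assumed for contrast.

```python
import json

# Constructed sample (not captured from a real fleet) in the shape of
#   gcloud container fleet mesh describe --project FLEET_PROJECT --format=json
# The first membership and its condition mirror the YAML shown on this page;
# the second, healthy membership is added for contrast.
SAMPLE_DESCRIBE_JSON = """
{
  "membershipStates": {
    "projects/test-project/locations/us-central1/memberships/my-membership": {
      "servicemesh": {
        "conditions": [
          {
            "code": "NODEPOOL_WORKLOAD_IDENTITY_FEDERATION_REQUIRED",
            "details": "One or more node pools have workload identity federation disabled.",
            "documentationLink": "https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity",
            "severity": "ERROR"
          }
        ],
        "controlPlaneManagement": {
          "details": [
            {
              "code": "REVISION_FAILED_PRECONDITION",
              "details": "Required in-cluster components are not ready. This will be retried within 15 minutes."
            }
          ],
          "implementation": "TRAFFIC_DIRECTOR",
          "state": "FAILED_PRECONDITION"
        }
      }
    },
    "projects/test-project/locations/us-central1/memberships/healthy-membership": {
      "servicemesh": {
        "conditions": [],
        "controlPlaneManagement": {"implementation": "TRAFFIC_DIRECTOR", "state": "ACTIVE"}
      }
    }
  }
}
"""

# Sort order for triage: fix ERROR conditions first. Unknown severities sort last.
SEVERITY_RANK = {"ERROR": 0, "WARNING": 1, "INFO": 2}


def list_conditions(describe_json: str):
    """Flatten every servicemesh condition across all memberships.

    Returns (membership_id, severity, code, documentationLink) tuples,
    ordered by severity so the first rows are the ones that block the mesh.
    """
    doc = json.loads(describe_json)
    rows = []
    for full_name, state in doc.get("membershipStates", {}).items():
        membership_id = full_name.rsplit("/", 1)[-1]
        mesh = state.get("servicemesh", {})
        for cond in mesh.get("conditions", []):
            rows.append((
                membership_id,
                cond.get("severity", "UNKNOWN"),
                cond["code"],
                cond.get("documentationLink", ""),
            ))
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r[1], 99), r[0], r[2]))
    return rows


def memberships_needing_action(describe_json: str):
    """Memberships that carry an ERROR condition or whose managed control plane
    is in any state other than ACTIVE (for example FAILED_PRECONDITION).
    Transient states are included too, so re-run after the retry window the
    condition text mentions before escalating."""
    doc = json.loads(describe_json)
    flagged = set()
    for full_name, state in doc.get("membershipStates", {}).items():
        membership_id = full_name.rsplit("/", 1)[-1]
        mesh = state.get("servicemesh", {})
        if any(c.get("severity") == "ERROR" for c in mesh.get("conditions", [])):
            flagged.add(membership_id)
        cp_state = mesh.get("controlPlaneManagement", {}).get("state")
        if cp_state is not None and cp_state != "ACTIVE":
            flagged.add(membership_id)
    return sorted(flagged)


if __name__ == "__main__":
    # For a real fleet, replace SAMPLE_DESCRIBE_JSON with the file written by
    #   gcloud container fleet mesh describe --project FLEET_PROJECT --format=json > mesh.json
    for membership_id, severity, code, link in list_conditions(SAMPLE_DESCRIBE_JSON):
        print(f"{severity:8} {membership_id:20} {code}  {link}")
    print("needs action:", memberships_needing_action(SAMPLE_DESCRIBE_JSON))
```

Each condition code maps to one of the sections below; the documentationLink field in the output points at the same remediation the section describes.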
NODEPOOL_WORKLOAD_IDENTITY_FEDERATION_REQUIRED
You may see the NODEPOOL_WORKLOAD_IDENTITY_FEDERATION_REQUIRED error code in the conditions field of your membership:
membershipStates:
  projects/test-project/locations/us-central1/memberships/my-membership:
    servicemesh:
      conditions:
      - code: NODEPOOL_WORKLOAD_IDENTITY_FEDERATION_REQUIRED
        details: One or more node pools have workload identity federation disabled.
        documentationLink: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
        severity: ERROR
      controlPlaneManagement:
        details:
        - code: REVISION_FAILED_PRECONDITION
          details: Required in-cluster components are not ready. This will be retried
            within 15 minutes.
        implementation: TRAFFIC_DIRECTOR
        state: FAILED_PRECONDITION
This error is shown when the GKE cluster does not have Workload Identity Federation for GKE enabled on all of its node pools; that is a prerequisite for installing Cloud Service Mesh, because the mesh components rely on it to obtain their identities.
To resolve it, follow the instructions to enable Workload Identity Federation on all node pools. The exact steps vary with your cluster configuration (for example, whether it is enabled at the cluster level already and whether existing node pools have to be updated or recreated).
After enablement, the condition should be cleared automatically and your cluster should return to the ACTIVE state. If the issue persists and you need additional assistance, see Getting support.
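To confirm the prerequisite before and after enabling it, the following script, an added example that is not taken from the Cloud Service Mesh or GKE documentation, checks the JSON returned by gcloud container clusters describe and gcloud container node-pools list for the cluster-level workload pool and for each node pool's workloadMetadataConfig.mode, and builds the gcloud update commands for whatever is missing. The sample cluster and node pool JSON, and the names my-cluster, test-project, legacy-pool and old-pool, are constructed for illustration.

```python
import json

# Constructed samples (not taken from a real cluster), shaped like the JSON that
#   gcloud container clusters describe CLUSTER --location LOCATION --format=json
#   gcloud container node-pools list --cluster CLUSTER --location LOCATION --format=json
# return. Only the fields this check reads are included.
SAMPLE_CLUSTER_JSON = """
{
  "name": "my-cluster",
  "location": "us-central1",
  "workloadIdentityConfig": {"workloadPool": "test-project.svc.id.goog"}
}
"""

SAMPLE_NODE_POOLS_JSON = """
[
  {"name": "default-pool", "config": {"workloadMetadataConfig": {"mode": "GKE_METADATA"}}},
  {"name": "legacy-pool",  "config": {"workloadMetadataConfig": {"mode": "GCE_METADATA"}}},
  {"name": "old-pool",     "config": {}}
]
"""

# Workload Identity Federation on a node pool means its metadata server runs in
# GKE_METADATA mode. GCE_METADATA (or no setting at all) lets pods reach the
# node's Compute Engine service account credentials and is what the condition flags.
WIF_MODE = "GKE_METADATA"


def cluster_workload_pool(cluster_json: str):
    """Return the cluster-level workload pool (PROJECT_ID.svc.id.goog), or None
    when Workload Identity Federation is not enabled on the cluster at all."""
    cluster = json.loads(cluster_json)
    return cluster.get("workloadIdentityConfig", {}).get("workloadPool")


def node_pools_without_wif(node_pools_json: str):
    """Names of node pools whose workloadMetadataConfig.mode is not GKE_METADATA,
    in the order gcloud listed them. An absent config counts as not enabled."""
    missing = []
    for pool in json.loads(node_pools_json):
        mode = pool.get("config", {}).get("workloadMetadataConfig", {}).get("mode")
        if mode != WIF_MODE:
            missing.append(pool["name"])
    return missing


def remediation_commands(cluster_json: str, node_pools_json: str, project_id: str):
    """Build the gcloud commands that clear the condition: enable the workload pool
    on the cluster first (if missing), then switch each non-compliant node pool.
    Nothing is executed here; review the commands and run them yourself."""
    cluster = json.loads(cluster_json)
    name, location = cluster["name"], cluster["location"]
    cmds = []
    if cluster_workload_pool(cluster_json) is None:
        cmds.append(
            f"gcloud container clusters update {name} --location {location} "
            f"--workload-pool={project_id}.svc.id.goog"
        )
    for pool in node_pools_without_wif(node_pools_json):
        cmds.append(
            f"gcloud container node-pools update {pool} --cluster {name} "
            f"--location {location} --workload-metadata={WIF_MODE}"
        )
    return cmds


if __name__ == "__main__":
    print("workload pool:", cluster_workload_pool(SAMPLE_CLUSTER_JSON))
    print("node pools without WIF:", node_pools_without_wif(SAMPLE_NODE_POOLS_JSON))
    for cmd in remediation_commands(SAMPLE_CLUSTER_JSON, SAMPLE_NODE_POOLS_JSON, "test-project"):
        print(cmd)
```

The cluster-level command must succeed before the node pool commands, since a node pool cannot be switched to GKE_METADATA on a cluster without a workload pool. Updating a node pool's workload metadata setting recreates its nodes, so run it during a maintenance window and expect the condition to clear once the mesh's in-cluster components are retried.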
MESH_IAM_PERMISSION_DENIED
This error indicates that the Cloud Service Mesh service agent (service-FLEET_PROJECT_NUMBER@gcp-sa-servicemesh.iam.gserviceaccount.com) does not have enough permission in your fleet project. To troubleshoot:
Verify that the service agent has been granted the Anthos Service Mesh Service Agent role (roles/anthosservicemesh.serviceAgent) in the fleet project. For details on how to verify the IAM permission and add it, see Revision(s) reporting as unhealthy error and use the same steps there. If the permission is in place and the issue persists, contact Google customer support for further assistance.
MESH_IAM_CROSS_PROJECT_PERMISSION_DENIED
This error indicates that the fleet project's service agent does not have enough permission in a different project (the cluster project or the network project).
For Shared VPC, grant each fleet project's service agent the Anthos Service Mesh Service Agent role in the Shared VPC network (host) project.
When the fleet project and the cluster project are different projects, grant the fleet project's service agent the Anthos Service Mesh Service Agent role in the cluster project.
Example troubleshooting command:
Verify that the fleet project's service agent has been granted the Anthos Service Mesh Service Agent role in the network project or cluster project. If not, run:
gcloud projects add-iam-policy-binding NETWORK_OR_CLUSTER_PROJECT_ID \
  --member "serviceAccount:service-FLEET_PROJECT_NUMBER@gcp-sa-servicemesh.iam.gserviceaccount.com" \
  --role roles/anthosservicemesh.serviceAgent
In addition, confirm that you don't have automation (for example, a tool that sets the project's IAM policy authoritatively) that would remove this binding again.
If the permission is verified and the issue persists, contact Google customer support for further assistance.
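The following script, an added example rather than code from this page or from the product, performs the verification step for both MESH_IAM_PERMISSION_DENIED (check the fleet project's own policy) and MESH_IAM_CROSS_PROJECT_PERMISSION_DENIED (check the network or cluster project's policy) on the JSON returned by gcloud projects get-iam-policy PROJECT_ID --format=json. It also distinguishes the case where the role is granted only through a conditional binding, which grants nothing while its condition evaluates to false and which the add-iam-policy-binding command above (run without --condition) does not create. The sample policies, the project number 123456789012 standing in for FLEET_PROJECT_NUMBER, and the user alice@example.com are constructed.

```python
import json

ROLE = "roles/anthosservicemesh.serviceAgent"


def service_agent_member(fleet_project_number: str) -> str:
    """IAM member string of the Cloud Service Mesh service agent for a fleet
    project; the same identity the add-iam-policy-binding command grants."""
    return (f"serviceAccount:service-{fleet_project_number}"
            "@gcp-sa-servicemesh.iam.gserviceaccount.com")


# Constructed IAM policies (not fetched from real projects), shaped like
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# 123456789012 stands in for FLEET_PROJECT_NUMBER.
POLICY_GRANTED = json.dumps({
    "version": 1,
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": ROLE, "members": [service_agent_member("123456789012")]},
    ],
})

# Same role, but only through a conditional binding: the grant applies only
# while the CEL expression is true, so it can silently stop satisfying the mesh.
POLICY_CONDITIONAL = json.dumps({
    "version": 3,
    "bindings": [
        {"role": ROLE,
         "members": [service_agent_member("123456789012")],
         "condition": {"title": "temporary",
                       "expression": 'request.time < timestamp("2024-01-01T00:00:00Z")'}},
    ],
})

POLICY_MISSING = json.dumps({
    "version": 1,
    "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}],
})


def check_service_agent_binding(policy_json: str, fleet_project_number: str) -> str:
    """Classify how the target project's policy grants ROLE to the fleet project's
    service agent: GRANTED (an unconditional binding is present), CONDITIONAL_ONLY
    (only bindings carrying a condition) or MISSING."""
    member = service_agent_member(fleet_project_number)
    unconditional = conditional = False
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") != ROLE or member not in binding.get("members", []):
            continue
        if binding.get("condition"):
            conditional = True
        else:
            unconditional = True
    if unconditional:
        return "GRANTED"
    if conditional:
        return "CONDITIONAL_ONLY"
    return "MISSING"


def remediation_command(target_project_id: str, fleet_project_number: str) -> str:
    """The command from this page, filled in for the project whose policy was checked."""
    return (f"gcloud projects add-iam-policy-binding {target_project_id} "
            f'--member "{service_agent_member(fleet_project_number)}" --role {ROLE}')


if __name__ == "__main__":
    # For a real project, load the output of
    #   gcloud projects get-iam-policy PROJECT_ID --format=json
    # and pass it instead of the constructed samples.
    for label, policy in [("granted", POLICY_GRANTED),
                          ("conditional", POLICY_CONDITIONAL),
                          ("missing", POLICY_MISSING)]:
        status = check_service_agent_binding(policy, "123456789012")
        print(f"{label:12} -> {status}")
        if status != "GRANTED":
            print("   ", remediation_command("network-or-cluster-project", "123456789012"))
```

gcloud projects get-iam-policy returns only the bindings set on the project itself, so a grant inherited from a folder or organization would be reported as MISSING here even though it satisfies the service agent; check the ancestor policies before adding a duplicate binding. For MESH_IAM_PERMISSION_DENIED, run the same check against the fleet project's own policy.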