Understand Cloud Service Mesh API Resources
When you use the Gateway API or the Istio API to configure your service mesh on GKE, the KRM-based API resources you manage on GKE are automatically translated into a set of Google Cloud API resources:
- They don't incur any additional billing to you.
- They are managed exclusively by the managed Cloud Service Mesh infrastructure (based on the API resources you create in your GKE clusters). You won't be able to modify or delete these Google Cloud API resources. Changes to the KRM API resources trigger an update or removal of the corresponding Google Cloud API resources, and the Google Cloud API resources are automatically removed when you deprovision your Cloud Service Mesh service mesh.
- They are functionally equivalent to the API resources you manage on GKE. The Cloud Service Mesh infrastructure programs the dataplane in your GKE clusters based on these Google Cloud API resources.
- They are subject to the standard Google Cloud API quota control. You can view the current quota usage in your Google Cloud project. Config propagation to the dataplane stalls when a Google Cloud resource quota is exceeded. Note that Google Cloud enforces resource quota at the project level, so these Google Cloud API resources share quota with Google Cloud API resources of the same type that you manage yourself.
The following is a high-level overview of how API resources on GKE are mapped to Google Cloud API resources. In most cases, understanding the API mapping is not a requirement to use your service mesh on GKE, as you will be managing your service mesh on GKE using Gateway API or Istio API. On the other hand, having a high level understanding of the API mapping helps you plan and manage your Google Cloud API quota more efficiently as your service mesh scales.
Istio API with Managed Cloud Service Mesh
The API resources you manage on GKE will be mapped to a set of Google Cloud API resources that control different aspects of the behaviors of the traffic in the dataplane. We recommend that you set up quota alerts for these resources.
Item | Istio API Resources | Google Cloud API Resources | Scope | Quotas and Limits | Upper Bound |
---|---|---|---|---|---|
Traffic routing | VirtualService | HTTPRoute, TCPRoute, TLSRoute | Global | HTTPRoute Quota, TCPRoute Quota, TLSRoute Quota | 1 per service port, for each of the HTTPRoute, TCPRoute, and TLSRoute resources derived from an Istio VirtualService. |
Service representation (for route / policy attachment) | Service, ServiceEntry | BackendService | Global | BackendService Quota | 1 per service port (including Istio ServiceEntry). |
Workload properties (such as IP:port, locality) | Service, ServiceEntry | NetworkEndpointGroup | Zonal | NetworkEndpointGroup Quota | 1 per (service port, zone). In a regional GKE cluster, a NetworkEndpointGroup is created for a given service port in every zone where the cluster has at least one node. |
Workload health monitoring | Service | HealthCheck | Zonal | HealthCheck Quota | 1 per GKE cluster. |
Workload policy attachment point | PeerAuthentication, AuthorizationPolicy, RequestAuthentication, EnvoyFilter | EndpointPolicy | Global | EndpointPolicy Quota | 1 per service port, for each of the workload policies. |
Authentication | PeerAuthentication | ClientTlsPolicy, ServerTlsPolicy | Global | ClientTlsPolicy Quota, ServerTlsPolicy Quota | 1 ClientTlsPolicy per service port; 1 ServerTlsPolicy for every TLS Gateway. |
Authorization | AuthorizationPolicy | HttpFilter | Global | HttpFilter Quota | 1 per Istio AuthorizationPolicy. |
Gateway | Gateway | Gateway | Global | Gateway Quota | 1 per Istio Gateway server port. |
Traffic distribution policy | GCPTrafficDistributionPolicy¹ | ServiceLbPolicy | Global | ServiceLbPolicy Quota | 1 per GCPTrafficDistributionPolicy. |
If your service mesh spans across multiple clusters in different projects, all Google Cloud resources will be created in the fleet project.
¹ GCPTrafficDistributionPolicy is not an Istio API. It enhances the Istio API to provide advanced traffic management.
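The table's Upper Bound column is what you need for quota planning: because the mesh-managed resources share project-level quota with the resources you manage yourself, exceeding a quota stalls config propagation. The following estimator is an added example, not code from the Cloud Service Mesh documentation; the inventory and quota limits are constructed sample values, and the counting rules (for example, EndpointPolicy as service ports times workload policies) are one reading of the Upper Bound column, which you should confirm against your own project's quota usage.

```python
from dataclasses import dataclass, field

@dataclass
class MeshInventory:
    """Constructed inventory of Istio API objects in one GKE cluster (sample values)."""
    service_ports: int                    # distinct (Service or ServiceEntry, port) pairs
    node_zones: int                       # zones where the regional cluster has a node
    routed_ports: dict = field(default_factory=dict)  # route kind -> service ports routed
    workload_policies: int = 0            # PeerAuth + AuthorizationPolicy + RequestAuth + EnvoyFilter
    authorization_policies: int = 0
    tls_gateways: int = 0
    gateway_server_ports: int = 0
    traffic_distribution_policies: int = 0

def estimate_gcp_resources(inv: MeshInventory) -> dict:
    """Upper-bound count of each Google Cloud API resource type the managed mesh creates,
    following the mapping table (my reading of the Upper Bound column, an assumption)."""
    return {
        "HTTPRoute": inv.routed_ports.get("http", 0),                # 1 per routed service port
        "TCPRoute": inv.routed_ports.get("tcp", 0),
        "TLSRoute": inv.routed_ports.get("tls", 0),
        "BackendService": inv.service_ports,                         # 1 per service port
        "NetworkEndpointGroup": inv.service_ports * inv.node_zones,  # 1 per (port, zone)
        "HealthCheck": 1,                                            # 1 per GKE cluster
        "EndpointPolicy": inv.service_ports * inv.workload_policies, # per port, per policy
        "ClientTlsPolicy": inv.service_ports,                        # 1 per service port
        "ServerTlsPolicy": inv.tls_gateways,                         # 1 per TLS Gateway
        "HttpFilter": inv.authorization_policies,                    # 1 per AuthorizationPolicy
        "Gateway": inv.gateway_server_ports,                         # 1 per Gateway server port
        "ServiceLbPolicy": inv.traffic_distribution_policies,
    }

def quota_shortfalls(inv: MeshInventory, quota_limits: dict, self_managed: dict = None) -> dict:
    """Resource types whose project quota would be exceeded -> (total needed, limit).
    Self-managed resources count too, since they share the project quota; propagation
    stalls on these, so they are the ones to put quota alerts on."""
    self_managed = self_managed or {}
    needed = estimate_gcp_resources(inv)
    totals = {k: v + self_managed.get(k, 0) for k, v in needed.items()}
    return {k: (totals[k], quota_limits[k])
            for k in totals if k in quota_limits and totals[k] > quota_limits[k]}

if __name__ == "__main__":
    # Constructed sample: 40 mesh service ports in a 3-zone regional cluster.
    sample = MeshInventory(service_ports=40, node_zones=3,
                           routed_ports={"http": 25, "tcp": 5},
                           workload_policies=2, authorization_policies=3)
    limits = {"NetworkEndpointGroup": 100, "BackendService": 75, "HTTPRoute": 50}  # placeholders
    print(estimate_gcp_resources(sample))
    print(quota_shortfalls(sample, limits, self_managed={"BackendService": 40}))
```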