GCP: determining whether ASM is installed via asmcli or gcloud fleet

Anthos Service Mesh for GKE can be installed in the following modes:

• In-cluster ASM using the asmcli utility
• Managed ASM using the asmcli utility
• Managed ASM using the ‘gcloud container fleet’ command
• Managed ASM using the Terraform asm submodule

If you need to determine the installation mode used on your GKE cluster, you can examine the Controlplanerevision CRD object located in the istio-system namespace.

kubectl get controlplanerevision -n istio-system --show-labels

If the controlplanerevision object:

• Throws an error because the CRD type does not exist, then ASM is not installed or the install failed
• Does not error but has no results, then it is an In-Cluster ASM deployment, installed using asmcli
• Has the label “app.kubernetes.io/created-by=asmcli-x.yy.z-asm.z.config1” it is Managed ASM, installed using asmcli
• Has the label “app.kubernetes.io/created-by=mesh.googleapis.com” it is Managed ASM, installed using ‘gcloud container fleet’
• Has the label “app.kubernetes.io/created-by=terraform-module” it is Managed ASM using the Terraform “asm” submodule

Below are other supporting objects and labels you will find in each installation type if you want to dig further.

In-cluster ASM with asmcli installer

# will be empty
kubectl get controlplanerevision -n istio-system --show-labels

$ kubectl get deployment -n istio-system -l=app=istiod --show-labels
NAME                READY   UP-TO-DATE   AVAILABLE   AGE   LABELS
istiod-asm-1172-8   2/2     2            2           20s   app=istiod,install.operator.istio.io/owning-resource-namespace=istio-system,install.operator.istio.io/owning-resource=unknown,istio.io/rev=asm-1172-8,istio=pilot,operator.istio.io/component=Pilot,operator.istio.io/managed=Reconcile,operator.istio.io/version=1.17.2-asm.8,release=istio

# show version in use
$ kubectl get deployment -n istio-system -l=app=istiod --output=json | grep -Po '"image":\K.*'
 "gcr.io/gke-release/asm/pilot:1.17.2-asm.8",

# will be empty
kubectl get ds istio-cni-node -n kube-system

Managed ASM with asmcli installer

# label 'app.kubernetes.io/created-by' shows asmcli version used
$ kubectl get controlplanerevision -n istio-system --show-labels
NAME                RECONCILED   STALLED   AGE   LABELS
asm-managed-rapid   False        False     24s   app.kubernetes.io/created-by=asmcli-1.17.2-asm.8.config1,mesh.cloud.google.com/managed-cni-enabled=true

# daemonset will exist
$ kubectl get ds istio-cni-node -n kube-system --show-labels
NAME             DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE   LABELS
istio-cni-node   5         5         4       5            4           kubernetes.io/os=linux   57s   istio.io/owned-by=mesh.googleapis.com,k8s-app=istio-cni-node

Managed ASM with gcloud fleet install

# label 'app.kubernetes.io/created-by=mesh.googleapis.com' indicates gcloud fleet install
$ kubectl get controlplanerevision -n istio-system --show-labels
NAME          RECONCILED   STALLED   AGE   LABELS
asm-managed   True         False     16m   app.kubernetes.io/created-by=mesh.googleapis.com,istio.io/owned-by=mesh.googleapis.com,mesh.cloud.google.com/managed-cni-enabled=true

# daemonset will exist
$ kubectl get ds istio-cni-node -n kube-system --show-labels
NAME             DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE   LABELS
istio-cni-node   1         1         1       1            1           kubernetes.io/os=linux   17m   istio.io/owned-by=mesh.googleapis.com,k8s-app=istio-cni-node

Managed ASM with Terraform asm submodule

# label 'app.kubernetes.io/created-by=terraform-module' indicates Terraform asm submodule
$ kubectl get controlplanerevision -n istio-system --show-labels
NAME          RECONCILED   STALLED   AGE   LABELS
asm-managed   True         False     16m   app.kubernetes.io/created-by=terraform-module,mesh.googleapis.com,mesh.cloud.google.com/managed-cni-enabled=true

# daemonset will exist
$ kubectl get ds istio-cni-node -n kube-system --show-labels
NAME             DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE   LABELS
istio-cni-node   1         1         1       1            1           kubernetes.io/os=linux   17m   istio.io/owned-by=mesh.googleapis.com,k8s-app=istio-cni-node

REFERENCES

google ref, In-Cluster ASM with asmcli

google ref, Managed ASM with gcloud container fleet

google ref, Managed ASM with asmcli

google ref, download asmcli

google ref, asmcli reference

Hil Liao, installing ASM on GKE Autopilot

Terraform asm submodule

Github source, terraform asm submodule

 

NOTES

For managed ASM on GKE AutoPilot, need to delete the below validating webhook to get virtualservices installed.

validatingwebhookconfiguration.admissionregistration.k8s.io \”istiod-istio-system-mcp\” deleted