Resolving configuration issues
This section explains common Cloud Service Mesh problems and how to resolve them. If you need additional assistance, see Getting support.
Checking MembershipState
At any time you can check the most recent status of the mesh by running the following command:
 gcloud container fleet mesh describe 
 
The output is similar to:
 ...
membershipSpecs:
  projects/project_id/locations/global/memberships/cluster:
    mesh:
      management: MANAGEMENT_AUTOMATIC
membershipStates:
  projects/project_id/locations/global/memberships/cluster:
    servicemesh:
      ...
      conditions:
        - code: CONFIG_VALIDATION_WARNING
          documentationLink: https://cloud.google.com/...
          details: Application of one or more configs has failed. Error details are shown on individual config resources. See documentation link for more detail.
          severity: WARNING
... 
 
MembershipState Error Codes
If Cloud Service Mesh reports conditions to the MembershipState for a cluster, it could mean Mesh configurations (such as Istio Custom Resources) were not able to be applied. The following error code descriptions give more information on how to address them.
| Error Code | Cause | Resolution | 
|---|---|---|
| CONFIG_APPLY_INTERNAL_ERROR | One or more configs failed to be applied due to an internal error. | Contact customer support. | 
| QUOTA_EXCEEDED_* | One or more configs failed to be applied due to resources reaching a quota limit. | See Quotas for information on the specific quotas and how to raise them. | 
| CONFIG_VALIDATION_ERROR | One or more configs failed to be applied due to invalid configuration. | Specific errors are written to the configs that caused them. More information on how to diagnose these is described in the section: Configuration Validation errors. | 
| CONFIG_VALIDATION_WARNING | We encountered potential problems in one or more configs. These may not have been applied, and if they have been applied, there may be unintended behavior. | More information on how to diagnose these is described in the section: Configuration Validation errors. | 
| MULTICLUSTER_SECRET_WARNING | The cluster is using a manually created Istio multi-cluster secret instead of using the declarative multi-cluster API for endpoint discovery. | Move multi-cluster endpoint discovery setup to the declarative implementation. More information can be seen in the Multi-cluster Secrets page. | 
| WORKLOAD_IDENTITY_REQUIRED | Workload identity is not enabled for the cluster or at least one of the node pools. | Enable workload identity at cluster and nodepool level. For instructions, see Enable workload identity page. | 
| MANAGED_CNI_NOT_ENABLED | Managed CNI is not enabled for this cluster. | Enable Managed CNI to maintain best practices within your mesh. More information can be seen in the Enable managed CNI page. | 
| NON_STANDARD_SIDECAR_BINARY_USAGE | One or more commands within Istio containers are using binaries other than `envoy`, `pilot_agent`, or `iptables`. | Remove dependency on unsupported binaries. More information can be seen in the Unsupported binary usage page. | 
| UNSUPPORTED_GATEWAY_CLASS_USAGE | The cluster is configured with gateway classes (Istio and Anthos Service Mesh) that require migration to the Istio Ingress Gateway to align with best practices. | Refer to the documentation for the detailed instructions. | 
| UNSUPPORTED_MULTIPLE_CONTROL_PLANES | The cluster has provisioned multiple control plane channels. Cloud Service Mesh only supports one channel per cluster. | For more information, see Fix multiple control planes. | 
Configuration Validation Errors
`CONFIG_VALIDATION_WARNING` and `CONFIG_VALIDATION_ERROR` codes indicate problems were found on mesh configs (Istio or Kubernetes Custom Resources) and that a subset of configs may not have been properly applied.
Many per-resource error details are written to the applicable resource. The following command can be used to locate the invalid configs and view the specific error messages. (Note: these are specifically for Istio resources, and not all validation errors may be displayed here).
 for resource in serviceentries destinationrules virtualservices gateways peerauthentications authorizationpolicies requestauthentications sidecars telemetries envoyfilters; do
   kubectl get $resource --all-namespaces --output=json | \
     jq '.items[] | select(.status.conditions != null and any(.status.conditions[]; .type=="Accepted" and .status=="False")) | {"name": .metadata.name, "namespace": .metadata.namespace, "kind": .kind, "conditions": .status.conditions}'
 done
 
 
The output is similar to:
 {
   "name": "demo-envoy-filter",
   "namespace": "default",
   "kind": "EnvoyFilter",
   "conditions": [
     {
       "lastTransitionTime": "2024-04-04T21:10:18.046975988Z",
       "message": "This API is not supported",
       "reason": "Invalid",
       "status": "False",
       "type": "Accepted"
     }
   ]
 }
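The two checks above can be joined into one triage step. The following is an added example, not code from the Cloud Service Mesh documentation: it assumes the fleet output is requested as JSON (`--format=json`) with the same keys as the YAML shown earlier, and the function names and sample data are constructed for illustration.

```python
import json

# Constructed sample with the keys of the `gcloud container fleet mesh describe`
# output shown above, assumed to be requested as JSON with --format=json.
FLEET_JSON = json.dumps({"membershipStates": {
    "projects/project_id/locations/global/memberships/cluster": {"servicemesh": {
        "conditions": [{"code": "CONFIG_VALIDATION_WARNING", "severity": "WARNING"}]}}}})

# Constructed sample of one `kubectl get ... --output=json` list: a rejected
# resource, an accepted one, and one that has no status yet.
LIST_JSON = json.dumps({"items": [
    {"kind": "EnvoyFilter",
     "metadata": {"name": "demo-envoy-filter", "namespace": "default"},
     "status": {"conditions": [{"type": "Accepted", "status": "False",
                                "reason": "Invalid",
                                "message": "This API is not supported"}]}},
    {"kind": "VirtualService",
     "metadata": {"name": "ok-route", "namespace": "default"},
     "status": {"conditions": [{"type": "Accepted", "status": "True"}]}},
    {"kind": "Sidecar", "metadata": {"name": "new", "namespace": "default"}},
]})

VALIDATION_CODES = {"CONFIG_VALIDATION_WARNING", "CONFIG_VALIDATION_ERROR"}

def validation_memberships(fleet_json):
    """Memberships whose MembershipState carries a CONFIG_VALIDATION_* code."""
    states = json.loads(fleet_json).get("membershipStates") or {}
    return sorted(
        name for name, state in states.items()
        if any(c.get("code") in VALIDATION_CODES
               for c in (state.get("servicemesh") or {}).get("conditions") or []))

def rejected_configs(list_json):
    """Same selection as the jq filter (Accepted == "False"), but returns only
    the failing condition and tolerates resources without status."""
    rejected = []
    for item in json.loads(list_json).get("items") or []:
        for cond in (item.get("status") or {}).get("conditions") or []:
            if cond.get("type") == "Accepted" and cond.get("status") == "False":
                meta = item.get("metadata") or {}
                rejected.append((item.get("kind"), meta.get("namespace"),
                                 meta.get("name"), cond.get("reason"),
                                 cond.get("message")))
    return rejected

if __name__ == "__main__":
    for membership in validation_memberships(FLEET_JSON):
        print("validation condition on", membership)
    for row in rejected_configs(LIST_JSON):
        print(*row, sep="\t")
```
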
 
 

