[7] feat: configure cloud service mesh for the federated learning use case #87

ferrarimarco · 2025-01-08T13:19:13Z

Configure Cloud Service Mesh for the federated learning use case:

Enable the core platform gke_enterprise/servicemesh service
Move Policy Controller constraints definitions in their own directory under common
Create Cloud Service Mesh configuration files in common/servicemesh
- Configure mesh-wide defaults
- Configure service entries for Private Google Access and the GKE Metadata server
- Configure the egress gateway
Configure tenant-specific authorization policies to only allow traffic within the tenant namespace

Core platform enhancements:

Configure the mesh block in google_gke_hub_feature_membership.cluster_servicemesh to match the fleet_default_member_config.mesh block in google_gke_hub_feature.servicemesh to avoid unnecessary diffs.

Notes:

Destroy doesn't complete because of dangling NEGs and related resources left over by Cloud Service Mesh. The current workaround is to open a support ticket as explained at the bottom of this page: https://cloud.google.com/service-mesh/docs/uninstall
Gateway pods aren't schedulable until GKE Core platform updates and enhancements #82 is merged.

ferrarimarco changed the base branch from main to namespace-configuration January 8, 2025 13:19

ferrarimarco self-assigned this Jan 8, 2025

ferrarimarco force-pushed the feature-fl-cloud-service-mesh branch from bdd84ae to 3565181 Compare January 9, 2025 09:43

ferrarimarco marked this pull request as ready for review January 9, 2025 14:39

ferrarimarco requested a review from arueth January 9, 2025 14:39

Base automatically changed from namespace-configuration to feature-fl-policy-controller January 10, 2025 07:38

Base automatically changed from feature-fl-policy-controller to feature-fl-node-pool January 10, 2025 07:40

Base automatically changed from feature-fl-node-pool to feature-fl-iam January 10, 2025 07:41

Base automatically changed from feature-fl-iam to fl-firewall January 10, 2025 07:42

ferrarimarco force-pushed the fl-firewall branch 2 times, most recently from 052b3bf to 4d73609 Compare January 10, 2025 08:15

ferrarimarco force-pushed the feature-fl-cloud-service-mesh branch from 3565181 to 2cbb14c Compare January 10, 2025 08:31

ferrarimarco force-pushed the fl-firewall branch 2 times, most recently from c68a80e to 8bdcb96 Compare January 13, 2025 17:13

ferrarimarco force-pushed the feature-fl-cloud-service-mesh branch from 2cbb14c to 0e679ba Compare January 13, 2025 17:14

ferrarimarco force-pushed the fl-firewall branch from 8bdcb96 to 1c2f4a0 Compare January 14, 2025 09:58

Base automatically changed from fl-firewall to int-federated-learning January 14, 2025 16:37

arueth force-pushed the int-federated-learning branch from 2bac60b to 9588c0b Compare January 14, 2025 16:42

ferrarimarco force-pushed the feature-fl-cloud-service-mesh branch from 0e679ba to 4ab5acd Compare January 14, 2025 16:44

feat: configure service mesh for the fl use case

92558bf

ferrarimarco force-pushed the feature-fl-cloud-service-mesh branch from 4ab5acd to 92558bf Compare January 14, 2025 16:47

Provide feedback