Istio Compatibility

The Cloud Storage FUSE CSI driver works with Istio service mesh. Istio is not a supported Google product. We recommend running managed Cloud Service Mesh instead. You can also follow the documentation "Secure Kubernetes Services with Istio" to install unmanaged Istio on a GKE cluster.

To use the Cloud Storage FUSE CSI driver with Istio, you'll need to adjust the following settings.

  1. Pod annotations

    Add the following Pod-level annotations.

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        sidecar.istio.io/inject: "true"
      annotations:
        gke-gcsfuse/volumes: "true"
        proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'
        traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
      name: gcsfuse-istio-test
    spec:
    ...

  2. Istio ServiceEntry

    When the outboundTrafficPolicy mode is configured to REGISTRY_ONLY, you need to create a ServiceEntry to communicate with the Storage Google API. Below is an example.

    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      name: googleapi
    spec:
      hosts:
      - storage.googleapis.com
      location: MESH_EXTERNAL
      ports:
      - name: https
        number: 443
        protocol: TLS
      resolution: DNS
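
The following preflight check is an added example, not part of the driver's documentation or code: it verifies the Pod settings from step 1 and the ServiceEntry from step 2 on objects parsed from their JSON form. The function names and `SAMPLE_POD` are constructed for illustration, and the check accepts any excluded CIDR range that covers 169.254.169.254, which generalizes the single /32 shown above.

```python
import ipaddress
import json

METADATA_IP = ipaddress.ip_address("169.254.169.254")  # address excluded in step 1
STORAGE_HOST = "storage.googleapis.com"                 # host allowed in step 2


def check_pod(pod):
    """Return findings for one Pod object (a dict parsed from its JSON form)."""
    meta = pod.get("metadata", {})
    labels, ann = meta.get("labels") or {}, meta.get("annotations") or {}
    findings = []
    if labels.get("sidecar.istio.io/inject") != "true":
        findings.append("label sidecar.istio.io/inject is not 'true'")
    if ann.get("gke-gcsfuse/volumes") != "true":
        findings.append("annotation gke-gcsfuse/volumes is not 'true'")
    # Assumption: proxy.istio.io/config uses the JSON form shown in step 1.
    try:
        cfg = json.loads(ann.get("proxy.istio.io/config", "{}"))
    except json.JSONDecodeError:
        cfg = {}
    if not (isinstance(cfg, dict) and cfg.get("holdApplicationUntilProxyStarts") is True):
        findings.append("holdApplicationUntilProxyStarts is not true")
    # The value is treated as a comma-separated CIDR list; any covering range counts.
    covered = False
    for cidr in ann.get("traffic.sidecar.istio.io/excludeOutboundIPRanges", "").split(","):
        try:
            covered = covered or METADATA_IP in ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError:
            continue  # empty or malformed entry
    if not covered:
        findings.append("169.254.169.254/32 is not in excludeOutboundIPRanges")
    return findings


def check_service_entries(entries, outbound_mode):
    """Under REGISTRY_ONLY, require a ServiceEntry with the storage host on port 443."""
    ok = outbound_mode != "REGISTRY_ONLY" or any(
        STORAGE_HOST in e.get("spec", {}).get("hosts", [])  # exact host match only
        and 443 in {p.get("number") for p in e.get("spec", {}).get("ports", [])}
        for e in entries)
    return [] if ok else ["no ServiceEntry for storage.googleapis.com:443"]


# Constructed sample Pod: the exclusion annotation lists an unrelated range only.
SAMPLE_POD = {"metadata": {"labels": {"sidecar.istio.io/inject": "true"}, "annotations": {
    "gke-gcsfuse/volumes": "true",
    "proxy.istio.io/config": '{ "holdApplicationUntilProxyStarts": true }',
    "traffic.sidecar.istio.io/excludeOutboundIPRanges": "10.0.0.0/8"}}}
```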