我的书签
添加书签
移除书签Installing the Sidecar
Injection
In order to take advantage of all of Istio’s features, pods in the mesh must be running an Istio sidecar proxy.
The following sections describe two ways of injecting the Istio sidecar into a pod: manually using the istioctl command or by enabling automatic Istio sidecar injection in the pod’s namespace.
Manual injection directly modifies configuration, like deployments, and injects the proxy configuration into it.
When enabled in a pod’s namespace, automatic injection injects the proxy configuration at pod creation time using an admission controller.
Injection occurs by applying a template defined in the istio-sidecar-injector ConfigMap.
Manual sidecar injection
To manually inject a deployment, use istioctl kube-inject:
$ istioctl kube-inject -f @samples/sleep/sleep.yaml@ | kubectl apply -f -
By default, this will use the in-cluster configuration. Alternatively, injection can be done using local copies of the configuration.
$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath='{.data.config}' > inject-config.yaml$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath='{.data.values}' > inject-values.yaml$ kubectl -n istio-system get configmap istio -o=jsonpath='{.data.mesh}' > mesh-config.yaml
Run kube-inject over the input file and deploy.
$ istioctl kube-inject \--injectConfigFile inject-config.yaml \--meshConfigFile mesh-config.yaml \--valuesFile inject-values.yaml \--filename @samples/sleep/sleep.yaml@ \| kubectl apply -f -
Verify that the sidecar has been injected into the sleep pod with 2/2 under the READY column.
$ kubectl get pod -l app=sleepNAME READY STATUS RESTARTS AGEsleep-64c6f57bc8-f5n4x 2/2 Running 0 24s
Automatic sidecar injection
Sidecars can be automatically added to applicable Kubernetes pods using a mutating webhook admission controller provided by Istio.
While admission controllers are enabled by default, some Kubernetes distributions may disable them. If this is the case, follow the instructions to turn on admission controllers.
When you set the istio-injection=enabled label on a namespace and the injection webhook is enabled, any new pods that are created in that namespace will automatically have a sidecar added to them.
Note that unlike manual injection, automatic injection occurs at the pod-level. You won’t see any change to the deployment itself. Instead you’ll want to check individual pods (via kubectl describe) to see the injected proxy.
Deploying an app
Deploy sleep app. Verify both deployment and pod have a single container.
$ kubectl apply -f @samples/sleep/sleep.yaml@$ kubectl get deployment -o wideNAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTORsleep 1/1 1 1 12s sleep governmentpaas/curl-ssl app=sleep
$ kubectl get podNAME READY STATUS RESTARTS AGEsleep-8f795f47d-hdcgs 1/1 Running 0 42s
Label the default namespace with istio-injection=enabled
$ kubectl label namespace default istio-injection=enabled$ kubectl get namespace -L istio-injectionNAME STATUS AGE ISTIO-INJECTIONdefault Active 5m9s enabledistio-system Active 4m58s disabledkube-node-lease Active 5m10skube-public Active 5m10skube-system Active 5m10slocal-path-storage Active 5m7s
Injection occurs at pod creation time. Kill the running pod and verify a new pod is created with the injected sidecar. The original pod has 1/1 READY containers and the pod with injected sidecar has 2/2 READY containers.
$ kubectl delete pod -l app=sleep$ kubectl get pod -l app=sleeppod "sleep-776b7bcdcd-7hpnk" deletedNAME READY STATUS RESTARTS AGEsleep-776b7bcdcd-7hpnk 1/1 Terminating 0 1msleep-776b7bcdcd-bhn9m 2/2 Running 0 7s
View detailed state of the injected pod. You should see the injected istio-proxy container and corresponding volumes. Be sure to substitute the correct name for the Running pod below.
$ kubectl describe pod -l app=sleep
Disable injection for the default namespace and verify new pods are created without the sidecar.
$ kubectl label namespace default istio-injection-$ kubectl delete pod -l app=sleep$ kubectl get podnamespace/default labeledpod "sleep-776b7bcdcd-bhn9m" deletedNAME READY STATUS RESTARTS AGEsleep-776b7bcdcd-bhn9m 2/2 Terminating 0 2msleep-776b7bcdcd-gmvnr 1/1 Running 0 2s
Understanding what happened
When Kubernetes invokes the webhook, the admissionregistration.k8s.io/v1beta1#MutatingWebhookConfiguration configuration is applied. The default configuration injects the sidecar into pods in any namespace with the istio-injection=enabled label. The istio-sidecar-injector configuration map specifies the configuration for the injected sidecar. To change how namespaces are selected for injection, you can edit the MutatingWebhookConfiguration with the following command:
$ kubectl edit mutatingwebhookconfiguration istio-sidecar-injector
You should restart the sidecar injector pod(s) after modifying the MutatingWebhookConfiguration.
For example, you can modify the MutatingWebhookConfiguration to always inject the sidecar into every namespace, unless a label is set. Editing this configuration is an advanced operation. Refer to the Kubernetes documentation for the MutatingWebhookConfiguration API for more information.
policy
disabled - The sidecar injector will not inject the sidecar into pods by default. Add the sidecar.istio.io/inject annotation with value true to the pod template spec to override the default and enable injection.
enabled - The sidecar injector will inject the sidecar into pods by default. Add the sidecar.istio.io/inject annotation with value false to the pod template spec to override the default and disable injection.
The following example uses the sidecar.istio.io/inject annotation to disable sidecar injection.
$ kubectl apply -f - <<EOFapiVersion: apps/v1kind: Deploymentmetadata:name: ignoredlabels:app: ignoredspec:selector:matchLabels:app: ignoredtemplate:metadata:labels:app: ignoredannotations:sidecar.istio.io/inject: "false"spec:containers:- name: ignoredimage: governmentpaas/curl-sslcommand: ["/bin/sleep","infinity"]EOF
template
The sidecar injection template uses https://golang.org/pkg/text/template which, when parsed and executed, is decoded to the following struct containing the list of containers and volumes to inject into the pod.
type SidecarInjectionSpec struct {RewriteAppHTTPProbe bool `yaml:"rewriteAppHTTPProbe"`InitContainers []corev1.Container `yaml:"initContainers"`Containers []corev1.Container `yaml:"containers"`Volumes []corev1.Volume `yaml:"volumes"`DNSConfig *corev1.PodDNSConfig `yaml:"dnsConfig"`ImagePullSecrets []corev1.LocalObjectReference `yaml:"imagePullSecrets"`}
The template is applied to the following data structure at runtime.
type SidecarTemplateData struct {DeploymentMeta *metav1.ObjectMetaObjectMeta *metav1.ObjectMetaSpec *corev1.PodSpecProxyConfig *meshconfig.ProxyConfig // Defined by https://istio.io/docs/reference/config/service-mesh.html#proxyconfigMeshConfig *meshconfig.MeshConfig // Defined by https://istio.io/docs/reference/config/service-mesh.html#meshconfig}
ObjectMeta and Spec are from the pod. ProxyConfig and MeshConfig are from the istio ConfigMap in the istio-system namespace. Templates can conditionally define injected containers and volumes with this data.
For example, the following template
containers:- name: istio-proxyimage: istio.io/proxy:0.5.0args:- proxy- sidecar- --configPath- {{ .ProxyConfig.ConfigPath }}- --binaryPath- {{ .ProxyConfig.BinaryPath }}- --serviceCluster{{ if ne "" (index .ObjectMeta.Labels "app") -}}- {{ index .ObjectMeta.Labels "app" }}{{ else -}}- "istio-proxy"{{ end -}}
expands to
containers:- name: istio-proxyimage: istio.io/proxy:0.5.0args:- proxy- sidecar- --configPath- /etc/istio/proxy- --binaryPath- /usr/local/bin/envoy- --serviceCluster- sleep
when applied over a pod defined by the pod template spec in samples/sleep/sleep.yaml
More control: adding exceptions
There are cases where users do not have control of the pod creation, for instance, when they are created by someone else. Therefore they are unable to add the annotation sidecar.istio.io/inject in the pod, to explicitly instruct Istio whether to install the sidecar or not.
Think of auxiliary pods that might be created as an intermediate step while deploying an application. OpenShift Source to Image Builds, for example, creates such pods for building the source code of an application. Once the binary artifact is built, the application pod is ready to run and the auxiliary pods are discarded. Those intermediate pods should not get an Istio sidecar, even if the policy is set to enabled and the namespace is properly labeled to get automatic injection.
For such cases you can instruct Istio to not inject the sidecar on those pods, based on labels that are present in those pods. You can do this by editing the istio-sidecar-injector ConfigMap and adding the entry neverInjectSelector. It is an array of Kubernetes label selectors. They are OR'd, stopping at the first match. See an example:
apiVersion: v1kind: ConfigMapmetadata:name: istio-sidecar-injectordata:config: |-policy: enabledneverInjectSelector:- matchExpressions:- {key: openshift.io/build.name, operator: Exists}- matchExpressions:- {key: openshift.io/deployer-pod-for.name, operator: Exists}template: |-initContainers:...
The above statement means: Never inject on pods that have the label openshift.io/build.name or openshift.io/deployer-pod-for.name – the values of the labels don’t matter, we are just checking if the keys exist. With this rule added, the OpenShift Builds use case illustrated above is covered, meaning auxiliary pods will not have sidecars injected (because source-to-image auxiliary pods do contain those labels).
For completeness, you can also use a field called alwaysInjectSelector, with similar syntax, which will always inject the sidecar on pods that match that label selector, regardless of the global policy.
The label selector approach gives a lot of flexibility on how to express those exceptions. Take a look at these docs to see what you can do with them!
It’s worth noting that annotations in the pods have higher precedence than the label selectors. If a pod is annotated with sidecar.istio.io/inject: "true/false" then it will be honored. So, the order of evaluation is:
Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy
Uninstalling the automatic sidecar injector
$ kubectl delete mutatingwebhookconfiguration istio-sidecar-injector
The above command will not remove the injected sidecars from Pods. A rolling update or simply deleting the pods and forcing the deployment to create them is required.
Optionally, it may also be desirable to clean-up other resources that were modified in this task.
$ kubectl label namespace default istio-injection-
See also
Requirements of applications deployed in an Istio-enabled cluster.
Demystifying Istio’s Sidecar Injection Model
De-mystify how Istio manages to plugin its data-plane components into an existing deployment.
Install Istio with the Istio CNI plugin
Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege.
Expanding into New Frontiers - Smart DNS Proxying in Istio
Workload Local DNS resolution to simplify VM integration, multicluster, and more.
Using MOSN with Istio: an alternative data plane
An alternative sidecar proxy for Istio.
Provision a certificate and key for an application without sidecars
A mechanism to acquire and share an application certificate and key through mounted files.
