我的书签
添加书签
移除书签Installing the Sidecar
Injection
In order to take advantage of all of Istio’s features, pods in the mesh must be running an Istio sidecar proxy.
The following sections describe twoways of injecting the Istio sidecar into a pod: manually using the istioctlcommand or automatically using the Istio sidecar injector.
Manual injection directly modifies configuration, like deployments, and injects the proxy configuration into it.
Automatic injection injects at pod creation time using an admission controller.
Injection occurs by applying a template defined in the istio-sidecar-injector ConfigMap.
Manual sidecar injection
To manually inject a deployment, use istioctl kube-inject:
$ istioctl kube-inject -f @samples/sleep/sleep.yaml@ | kubectl apply -f -
By default, this will use the in-cluster configuration. Alternatively, injection can be done using local copies of the configuration.
$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath='{.data.config}' > inject-config.yaml$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath='{.data.values}' > inject-values.yaml$ kubectl -n istio-system get configmap istio -o=jsonpath='{.data.mesh}' > mesh-config.yaml
Run kube-inject over the input file and deploy.
$ istioctl kube-inject \--injectConfigFile inject-config.yaml \--meshConfigFile mesh-config.yaml \--valuesFile inject-values.yaml \--filename @samples/sleep/sleep.yaml@ \| kubectl apply -f -
Verify that the sidecar has been injected into the sleep pod with 2/2 under the READY column.
$ kubectl get pod -l app=sleepNAME READY STATUS RESTARTS AGEsleep-64c6f57bc8-f5n4x 2/2 Running 0 24s
Automatic sidecar injection
Sidecars can be automatically added to applicable Kubernetes pods using amutating webhook admission controller provided by Istio.
While admission controllers are enabled by default, some Kubernetes distributions may disable them. If this is the case, follow the instructions to turn on admission controllers.
When the injection webhook is enabled, any new pods that are created will automatically have a sidecar added to them.
Note that unlike manual injection, automatic injection occurs at the pod-level. You won’t see any change to the deployment itself. Instead you’ll want to check individual pods (via kubectl describe) to see the injected proxy.
Disabling or updating the webhook
The sidecar injecting webhook is enabled by default. If you wish to disable the webhook, you canuse Helm to set option sidecarInjectorWebhook.enabled to false.
There are also a variety of other options that can be configured.
Deploying an app
Deploy sleep app. Verify both deployment and pod have a single container.
$ kubectl apply -f @samples/sleep/sleep.yaml@$ kubectl get deployment -o wideNAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTORsleep 1 1 1 1 12m sleep tutum/curl app=sleep
$ kubectl get podNAME READY STATUS RESTARTS AGEsleep-776b7bcdcd-7hpnk 1/1 Running 0 4
Label the default namespace with istio-injection=enabled
$ kubectl label namespace default istio-injection=enabled$ kubectl get namespace -L istio-injectionNAME STATUS AGE ISTIO-INJECTIONdefault Active 1h enabledistio-system Active 1hkube-public Active 1hkube-system Active 1h
Injection occurs at pod creation time. Kill the running pod and verify a new pod is created with the injected sidecar. The original pod has 1/1 READY containers and the pod with injected sidecar has 2/2 READY containers.
$ kubectl delete pod -l app=sleep$ kubectl get pod -l app=sleepNAME READY STATUS RESTARTS AGEsleep-776b7bcdcd-7hpnk 1/1 Terminating 0 1msleep-776b7bcdcd-bhn9m 2/2 Running 0 7s
View detailed state of the injected pod. You should see the injected istio-proxy container and corresponding volumes. Be sure to substitute the correct name for the Running pod below.
$ kubectl describe pod -l app=sleep
Disable injection for the default namespace and verify new pods are created without the sidecar.
$ kubectl label namespace default istio-injection-$ kubectl delete pod -l app=sleep$ kubectl get podNAME READY STATUS RESTARTS AGEsleep-776b7bcdcd-bhn9m 2/2 Terminating 0 2msleep-776b7bcdcd-gmvnr 1/1 Running 0 2s
Understanding what happened
When Kubernetes invokes the webhook, the admissionregistration.k8s.io/v1beta1#MutatingWebhookConfigurationconfiguration is applied. The default configuration injects the sidecar intopods in any namespace with the istio-injection=enabled label. Theistio-sidecar-injector configuration map specifies the configuration for theinjected sidecar. To change how namespaces are selected for injection, you canedit the MutatingWebhookConfiguration with the following command:
$ kubectl edit mutatingwebhookconfiguration istio-sidecar-injector
You should restart the sidecar injector pod(s) after modifyingthe MutatingWebhookConfiguration.
For example, you can modify the MutatingWebhookConfiguration to always injectthe sidecar into every namespace, unless a label is set. Editing thisconfiguration is an advanced operation. Refer to the Kubernetes documentationfor the MutatingWebhookConfiguration APIfor more information.
policy
disabled - The sidecar injector will not inject the sidecar intopods by default. Add the sidecar.istio.io/inject annotation withvalue true to the pod template spec to override the default and enable injection.
enabled - The sidecar injector will inject the sidecar into pods bydefault. Add the sidecar.istio.io/inject annotation withvalue false to the pod template spec to override the default and disable injection.
The following example uses the sidecar.istio.io/inject annotation to disable sidecar injection.
apiVersion: apps/v1kind: Deploymentmetadata:name: ignoredspec:template:metadata:annotations:sidecar.istio.io/inject: "false"spec:containers:- name: ignoredimage: tutum/curlcommand: ["/bin/sleep","infinity"]
template
The sidecar injection template uses https://golang.org/pkg/text/template which,when parsed and executed, is decoded to the followingstruct containing the list of containers and volumes to inject into the pod.
type SidecarInjectionSpec struct {RewriteAppHTTPProbe bool `yaml:"rewriteAppHTTPProbe"`InitContainers []corev1.Container `yaml:"initContainers"`Containers []corev1.Container `yaml:"containers"`Volumes []corev1.Volume `yaml:"volumes"`DNSConfig *corev1.PodDNSConfig `yaml:"dnsConfig"`ImagePullSecrets []corev1.LocalObjectReference `yaml:"imagePullSecrets"`}
The template is applied to the following data structure at runtime.
type SidecarTemplateData struct {DeploymentMeta *metav1.ObjectMetaObjectMeta *metav1.ObjectMetaSpec *corev1.PodSpecProxyConfig *meshconfig.ProxyConfig // Defined by https://istio.io/docs/reference/config/service-mesh.html#proxyconfigMeshConfig *meshconfig.MeshConfig // Defined by https://istio.io/docs/reference/config/service-mesh.html#meshconfig}
ObjectMeta and Spec are from the pod. ProxyConfig and MeshConfigare from the istio ConfigMap in the istio-system namespace. Templates can conditionallydefine injected containers and volumes with this data.
For example, the following template
containers:- name: istio-proxyimage: istio.io/proxy:0.5.0args:- proxy- sidecar- --configPath- {{ .ProxyConfig.ConfigPath }}- --binaryPath- {{ .ProxyConfig.BinaryPath }}- --serviceCluster{{ if ne "" (index .ObjectMeta.Labels "app") -}}- {{ index .ObjectMeta.Labels "app" }}{{ else -}}- "istio-proxy"{{ end -}}
expands to
containers:- name: istio-proxyimage: istio.io/proxy:0.5.0args:- proxy- sidecar- --configPath- /etc/istio/proxy- --binaryPath- /usr/local/bin/envoy- --serviceCluster- sleep
when applied over a pod defined by the pod template spec in samples/sleep/sleep.yaml
More control: adding exceptions
There are cases where users do not have control of the pod creation, for instance, when they are created by someone else. Therefore they are unable to add the annotation sidecar.istio.io/inject in the pod, to explicitly instruct Istio whether to install the sidecar or not.
Think of auxiliary pods that might be created as an intermediate step while deploying an application. OpenShift Builds, for example, creates such pods for building the source code of an application. Once the binary artifact is built, the application pod is ready to run and the auxiliary pods are discarded. Those intermediate pods should not get an Istio sidecar, even if the policy is set to enabled and the namespace is properly labeled to get automatic injection.
For such cases you can instruct Istio to not inject the sidecar on those pods, based on labels that are present in those pods. You can do this by editing the istio-sidecar-injector ConfigMap and adding the entry neverInjectSelector. It is an array of Kubernetes label selectors. They are OR'd, stopping at the first match. See an example:
apiVersion: v1kind: ConfigMapmetadata:name: istio-sidecar-injectordata:config: |-policy: enabledneverInjectSelector:- matchExpressions:- {key: openshift.io/build.name, operator: Exists}- matchExpressions:- {key: openshift.io/deployer-pod-for.name, operator: Exists}template: |-initContainers:...
The above statement means: Never inject on pods that have the label openshift.io/build.name or openshift.io/deployer-pod-for.name – the values of the labels don’t matter, we are just checking if the keys exist. With this rule added, the OpenShift Builds use case illustrated above is covered, meaning auxiliary pods will not have sidecars injected (because source-to-image auxiliary pods do contain those labels).
For completeness, you can also use a field called alwaysInjectSelector, with similar syntax, which will always inject the sidecar on pods that match that label selector, regardless of the global policy.
The label selector approach gives a lot of flexibility on how to express those exceptions. Take a look at these docs to see what you can do with them!
It’s worth noting that annotations in the pods have higher precedence than the label selectors. If a pod is annotated with sidecar.istio.io/inject: "true/false" then it will be honored. So, the order of evaluation is:
Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy
Uninstalling the automatic sidecar injector
$ kubectl delete mutatingwebhookconfiguration istio-sidecar-injector$ kubectl -n istio-system delete service istio-sidecar-injector$ kubectl -n istio-system delete deployment istio-sidecar-injector$ kubectl -n istio-system delete serviceaccount istio-sidecar-injector-service-account$ kubectl delete clusterrole istio-sidecar-injector-istio-system$ kubectl delete clusterrolebinding istio-sidecar-injector-admin-role-binding-istio-system
The above command will not remove the injected sidecars from Pods. Arolling update or simply deleting the pods and forcing the deploymentto create them is required.
Optionally, it may also be desirable to clean-up other resources thatwere modified in this task.
$ kubectl label namespace default istio-injection-
See also
Prepare your Kubernetes pods and services to run in an Istio-enabled cluster.
Demystifying Istio's Sidecar Injection Model
De-mystify how Istio manages to plugin its data-plane components into an existing deployment.
Install Istio with the Istio CNI plugin
Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege.
Provision and manage DNS certificates in Istio.
A more secure way to manage Istio webhooks.
Customizable Install with Helm
Install and configure Istio for in-depth evaluation or production use.
