Istio: can't do automatic proxy injection with sidecar.istio.io/inject=true
Expected behaviour
- When
istio-sidecar-injectoris deployed - When
istio-injection=disabledis set as a Namespace Label - When deploying a Pod or Deployment manifest with
sidecar.istio.io/inject: "true"annotation
I should have a Pod created with an Istio Proxy Sidecar
This is based on the documentation at https://istio.io/docs/setup/kubernetes/sidecar-injection#understanding-what-happened that states :
disabled - The sidecar injector will not inject the sidecar into pods by default. Add the sidecar.istio.io/inject annotation with value true to the pod template spec to enable injection.
Current behaviour
- When
istio-sidecar-injectoris deployed - When
istio-injection=disabledis set as a Namespace Label - When deploying a Pod or Deployment manifest with
sidecar.istio.io/inject: "true"annotation
I don't have an Istio Proxy Sidecar
What I do
My Namespace is NOT Labeled or is labeled with istio-injection=disabled (testing on default and dev namespace) :
kubectl get namespace -L istio-injection
NAME STATUS AGE ISTIO-INJECTION
default Active 195d
dev Active 195d disabled
I use a Deployment with sidecar.istio.io/inject: "true" in a namespace like :
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: sleep
spec:
replicas: 1
template:
metadata:
labels:
app: sleep
annotations:
sidecar.istio.io/inject: "true"
spec:
containers:
- name: sleep
image: tutum/curl
command: ["/bin/sleep","infinity"]
imagePullPolicy: IfNotPresent
The Deployment/Pod is created without a Sidecar
Discussion
In fact, looking at the Injector logs, it is not triggered if the namespace does NOT have the istio-injection=enabled Label.
That leads to EVERY pod to be added the Proxy, except if you explicitly set the sidecar.istio.io/inject: "false" Annotation on the Pod.
This is a little bit annoying as I have to go through all my templates, all my Helm charts... etc
Also, this behaviour does not comply with what I understand from the doc.
Is there another solution to configure the Injector to add the sidecar in any Namespace ONLY if I set the sidecar.istio.io/inject: "true" annotation ?
prune998
All 3 comments
Is there another solution to configure the Injector to add the sidecar in any Namespace ONLY if I set the sidecar.istio.io/inject: "true" annotation ?
The following should work:
- Change the default policy in the
istio-injectConfigMap to "disabled`. See https://istio.io/docs/setup/kubernetes/sidecar-injection#understanding-what-happened - Change the NamespaceSelector in your MutatingWebhookConfiguration to select _all_ namespaces that aren't explicitly labeled, e.g.
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: NotIn
values:
- disabled
- _IMPORTANT_: label all of the namespaces where you don't sidecars injected. For starters, label
kube-system,kube-public, andistio-systemwithistio-injection=disabled.
ayj
on 16 Mar 2018
Thanks for the answer @ayj. I'm testing your proposal right now.
What I understant is that the policy, which I thought was the label on the Namespace, is in fact the policy field in the Istio-Inject configmap !
If this is true (will confirm that soon), maybe I did not fully understood the doc, of it could be improved to clearly state that. If it's that simple, I'll try to PR to make it more strait-forward.
prune998
on 19 Mar 2018
BIG thanks @ayj, it's working as you stated. Will try to PR the doc to make it clear
prune998
on 19 Mar 2018
Related issues
vadimeisenbergibm
路
4Comments
hillbun
路
3Comments
starizard
路
3Comments
2dev2
路
3Comments
iroller
路
3Comments
Most helpful comment
The following should work:
istio-injectConfigMap to "disabled`. See https://istio.io/docs/setup/kubernetes/sidecar-injection#understanding-what-happenedkube-system,kube-public, andistio-systemwithistio-injection=disabled.