Describe the bug
The sidecar.istio.io/inject: "true" annotation does not seem to work: the created pod has only one container and no sidecar is injected.
Expected behavior
The sidecar is injected when a pod is created with the annotation sidecar.istio.io/inject: "true" set in its metadata
Steps to reproduce the bug
commit 0a432c2722b20c169ff5dd80256cd4b52a4fe420 (HEAD -> master, origin/master, origin/HEAD)
Author: Tyler Berry <[email protected]>
Date: Tue Jul 24 11:46:03 2018 -0700
Run dep ensure (#7370)
# Installs the Istio chart with automatic sidecar injection turned off
# (global.proxy.autoInject=disabled; the injector ConfigMap dumped later in
# this report shows the resulting "policy: disabled").
# Per this report, a pod annotated sidecar.istio.io/inject: "true" was only
# injected once its namespace also carried the istio-injection=enabled label.
# NOTE(review): {{ istio.dest }} looks like a template placeholder, presumably
# the chart path filled in before the command runs; confirm with the reporter.
helm install {{ istio.dest }} --name istio --namespace istio-system \
--set gateways.istio-ingressgateway.type=NodePort \
--set global.proxy.autoInject=disabled
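# Repro manifest from the report, with the nesting restored (the page had lost
# all indentation, so the manifest could not be applied as shown).
# Service exposing the sleep pod on port 80.
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
# Single-replica Deployment that asks for sidecar injection per pod.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: sleep
      annotations:
        # Per-pod opt-in. In this report the annotation alone had no effect:
        # injection only happened once the namespace was also labelled
        # istio-injection=enabled. A pod admitted without the proxy sits
        # outside anything the mesh enforces at the sidecar, so confirm the
        # container count after rollout (READY 2/2) instead of relying on the
        # annotation being present.
        sidecar.istio.io/inject: "true"
    spec:
      containers:
      - name: sleep
        # No tag, so this resolves to :latest; with IfNotPresent each node
        # keeps whatever it pulled first. Pin a tag or digest for a
        # repeatable repro.
        image: tutum/curl
        command: ["/bin/sleep","infinity"]
        imagePullPolicy: IfNotPresent
---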
Version
root@node1:/home/arkan# k version -o yaml
clientVersion:
buildDate: 2018-07-17T18:53:20Z
compiler: gc
gitCommit: b1b29978270dc22fecc592ac55d903350454310a
gitTreeState: clean
gitVersion: v1.11.1
goVersion: go1.10.3
major: "1"
minor: "11"
platform: linux/amd64
serverVersion:
buildDate: 2018-06-27T20:08:34Z
compiler: gc
gitCommit: 91e7b4fd31fcd3d5f436da26c980becec37ceefe
gitTreeState: clean
gitVersion: v1.11.0
goVersion: go1.10.2
major: "1"
minor: "11"
platform: linux/amd64
Is Istio Auth enabled or not?
No auth
Environment
6 nodes running in VirtualBox on a laptop.
root@node1:/home/arkan# uname -a
Linux node1 4.4.0-130-generic #156-Ubuntu SMP Thu Jun 14 08:53:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
root@node1:/home/arkan# cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
root@node1:/home/arkan# k get all
NAME READY STATUS RESTARTS AGE
pod/sleep-9b989c67c-w64dw 1/1 Running 0 9m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 8d
service/sleep ClusterIP 10.99.24.175 <none> 80/TCP 9m
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
deployment.apps/sleep 1 1 1 1 9m
NAME DESIRED CURRENT READY AGE
replicaset.apps/sleep-9b989c67c 1 1 1 9m
root@node1:/home/arkan# k get ns --show-labels
NAME STATUS AGE LABELS
default Active 23d <none>
istio-system Active 2h <none>
kube-public Active 23d <none>
kube-system Active 23d <none>
root@node1:/home/arkan# k -n istio-system get cm/istio-sidecar-injector -o yaml
apiVersion: v1
data:
config: "policy: disabled\ntemplate: |-\n initContainers:\n - name: istio-init\n
\ image: \"gcr.io/istio-release/proxy_init:release-1.0-latest-daily\"\n args:\n
\ - \"-p\"\n - [[ .MeshConfig.ProxyListenPort ]]\n - \"-u\"\n - 1337\n
\ - \"-m\"\n - [[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\")
.ProxyConfig.InterceptionMode.String ]]\n - \"-i\"\n [[ if (isset .ObjectMeta.Annotations
\"traffic.sidecar.istio.io/includeOutboundIPRanges\") -]]\n - \"[[ index .ObjectMeta.Annotations
\"traffic.sidecar.istio.io/includeOutboundIPRanges\" ]]\"\n [[ else -]]\n
\ - \"*\"\n [[ end -]]\n - \"-x\"\n [[ if (isset .ObjectMeta.Annotations
\"traffic.sidecar.istio.io/excludeOutboundIPRanges\") -]]\n - \"[[ index .ObjectMeta.Annotations
\"traffic.sidecar.istio.io/excludeOutboundIPRanges\" ]]\"\n [[ else -]]\n
\ - \"\"\n [[ end -]]\n - \"-b\"\n [[ if (isset .ObjectMeta.Annotations
\"traffic.sidecar.istio.io/includeInboundPorts\") -]]\n - \"[[ index .ObjectMeta.Annotations
\"traffic.sidecar.istio.io/includeInboundPorts\" ]]\"\n [[ else -]]\n -
[[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end
-]][[ end -]][[ end]]\n - \"-d\"\n [[ if (isset .ObjectMeta.Annotations
\"traffic.sidecar.istio.io/excludeInboundPorts\") -]]\n - \"[[ index .ObjectMeta.Annotations
\"traffic.sidecar.istio.io/excludeInboundPorts\" ]]\"\n [[ else -]]\n -
\"\"\n [[ end -]]\n imagePullPolicy: IfNotPresent\n securityContext:\n
\ capabilities:\n add:\n - NET_ADMIN\n privileged: true\n
\ restartPolicy: Always\n \n containers:\n - name: istio-proxy\n image:
[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\") -]]\n \"[[
index .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\" ]]\"\n [[ else
-]]\n gcr.io/istio-release/proxyv2:release-1.0-latest-daily\n [[ end -]]\n
\ args:\n - proxy\n - sidecar\n - --configPath\n - [[ .ProxyConfig.ConfigPath
]]\n - --binaryPath\n - [[ .ProxyConfig.BinaryPath ]]\n - --serviceCluster\n
\ [[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]\n - [[ index .ObjectMeta.Labels
\"app\" ]]\n [[ else -]]\n - \"istio-proxy\"\n [[ end -]]\n - --drainDuration\n
\ - [[ formatDuration .ProxyConfig.DrainDuration ]]\n - --parentShutdownDuration\n
\ - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]\n - --discoveryAddress\n
\ - [[ .ProxyConfig.DiscoveryAddress ]]\n - --discoveryRefreshDelay\n -
[[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]\n - --zipkinAddress\n
\ - [[ .ProxyConfig.ZipkinAddress ]]\n - --connectTimeout\n - [[ formatDuration
.ProxyConfig.ConnectTimeout ]]\n - --statsdUdpAddress\n - [[ .ProxyConfig.StatsdUdpAddress
]]\n - --proxyAdminPort\n - [[ .ProxyConfig.ProxyAdminPort ]]\n - --controlPlaneAuthPolicy\n
\ - [[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/controlPlaneAuthPolicy\")
.ProxyConfig.ControlPlaneAuthPolicy ]]\n env:\n - name: POD_NAME\n valueFrom:\n
\ fieldRef:\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n
\ valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n
\ - name: INSTANCE_IP\n valueFrom:\n fieldRef:\n fieldPath:
status.podIP\n - name: ISTIO_META_POD_NAME\n valueFrom:\n fieldRef:\n
\ fieldPath: metadata.name\n - name: ISTIO_META_INTERCEPTION_MODE\n
\ value: [[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\")
.ProxyConfig.InterceptionMode.String ]]\n imagePullPolicy: IfNotPresent\n securityContext:\n
\ privileged: false\n readOnlyRootFilesystem: true\n [[ if eq (or
(index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String)
\"TPROXY\" -]]\n capabilities:\n add:\n - NET_ADMIN\n runAsGroup:
1337\n [[ else -]]\n runAsUser: 1337\n [[ end -]]\n restartPolicy:
Always\n resources:\n [[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\")
-]]\n requests:\n cpu: \"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\"
]]\"\n memory: \"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyMemory\"
]]\"\n [[ else -]]\n requests:\n cpu: 10m\n \n [[ end -]]\n
\ volumeMounts:\n - mountPath: /etc/istio/proxy\n name: istio-envoy\n
\ - mountPath: /etc/certs/\n name: istio-certs\n readOnly: true\n
\ volumes:\n - emptyDir:\n medium: Memory\n name: istio-envoy\n - name:
istio-certs\n secret:\n optional: true\n [[ if eq .Spec.ServiceAccountName
\"\" -]]\n secretName: istio.default\n [[ else -]]\n secretName:
[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]\n [[ end -]]"
kind: ConfigMap
metadata:
creationTimestamp: 2018-07-26T05:36:58Z
labels:
app: istio
chart: istio-1.0.0
heritage: Tiller
istio: sidecar-injector
release: istio
name: istio-sidecar-injector
namespace: istio-system
resourceVersion: "2657356"
selfLink: /api/v1/namespaces/istio-system/configmaps/istio-sidecar-injector
uid: e9c3b148-9095-11e8-8c3f-0800278459e6
When the namespace has the label 'istio-injection=enabled', injection works.
My question is: how can I put other charts' apps (not my apps, e.g. elasticsearch, redis, etc.) into the same namespace as my own charts' apps (which I need injected with Istio), so that my apps (injected with Istio sidecars) can communicate with the elasticsearch and redis instances in that namespace?
I need to use the annotation only in my own charts' apps so that Istio injects just those.
Hi,
I found the solution after reading the other issues
Thanks to @tcnghia because he provided a table that helped me to solve the issue at #6476
I used the table mentioned by him and it solved the issue.
Please make the documentation clearer in the section Installing the istio sidecar - Deploying an app
In the example there, it is not clear whether the policy is turned on or off, nor whether sidecarInjectorWebhook.enabled is true or false.
It should also be mentioned that defining the namespace with the policy disabled will not inject the sidecar; the documentation at Installing the istio sidecar - policy does not mention this.
This is what causes confusion for users of this platform.