Sidecar Proxy
Istio requires to run a sidecar proxy next to every instance of your containers that needs to participate in the service mesh. There are 2 ways of adding the sidecar proxy:
- 1.Automatic sidecar injection
- 2.Manual sidecar injection
You can inject the Istio sidecar automatically for every pod that's deployed into a specific namespace. You can enable automatic injection by annotating the namespace you want to use the service mesh.
kubectl label namespace default istio-injection=enabled
kubectl apply -f k8s/deployment.yaml
Verify that the Helloworld pod has 2 containers rather than only 1:
kubectl get pods
Each container within a pod is named. Now that the pod has multiple containers, you can specify a container within the pod using
-c containername parameter:POD_NAME=$(kubectl get pods -lapp=helloworld -o jsonpath='{.items[0].metadata.name}')
kubectl logs ${POD_NAME} -c helloworld
kubectl logs ${POD_NAME} -c istio-proxy
If, for some reason, a workload do not want to participate in the mesh, then you can explicitly turn off automatic sidecar injection using annotation:
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld
...
spec:
template:
metadata:
labels:
...
annotations:
# Explicitly turn off automatic sidecar injection
sidecar.istio.io/inject: "false"
spec:
...
You can use
istioctl to filter your existing Kubernetes deployment file and it'll produce the enhanced deployment manifest.istioctl kube-inject -f k8s/deployment.yaml
In addition to your original manifest, the enhanced manifest now has an additional
istio-proxycontainer.You can save the enhanced manifest into a file for future deployments. Or, you can filter and apply in one command:
istioctl kube-inject -f k8s/deployment.yaml| kubectl apply -f
In most cases, Automatic Sidecar Injection is what you need.
Last modified 2yr ago