Injecting a sidecar proxy into workloads in your cluster enhances network security, reliability, and observability for service calls. This document describes how to configure sidecar proxy settings—such as resources, lifecycle, traffic interception, and observability.
Sidecar proxy configuration levels
Different sidecar proxy configuration levels have different scopes and priorities. More specific configurations take precedence over less specific ones. The configuration levels, from lowest to highest priority, are: global, namespace, workload, and Pod.
You can define sidecar proxy settings at multiple levels. When ASM injects a sidecar proxy, it applies the settings from the highest-priority level to determine the final configuration. For example, if you define settings at both the global level and for the default namespace, new workloads in the default namespace use the namespace-level settings, which take precedence over the global settings.
|
Configuration level
|
Description
|
|
Global
|
This setting applies globally to any Pod with an injected sidecar proxy.
|
|
Namespace
|
This setting applies to all Pods within a specified namespace. To configure at this level, you must select a namespace.
|
|
Workload
|
This setting applies to workloads that match a specified label selector. To configure at this level, you must specify a label selector.
|
|
Pod
|
While you cannot configure settings at this level in the ASM console, you can apply them by adding an annotation to the Pod. For more information, see Configure a sidecar proxy by adding resource annotations.
|
Procedure
This section explains how to configure a sidecar proxy at different levels. To apply the new configuration, you must redeploy the workload's Pods. For more information, see Redeploy a workload.
Global level
-
Log on to the ASM console. In the left-side navigation pane, choose .
-
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
-
On the Configure the agent parameters of the injected Sidecar page, click the global tab, configure the sidecar proxy as needed, and then click Update Settings.
For more information about the configuration items, see Sidecar proxy configuration items.
-
Verify that the configuration has taken effect.
-
In the left-side navigation pane, choose .
-
In the Basic Information section, check the Status of the mesh.
A Status of Running indicates that the global-level sidecar proxy configuration has taken effect.
Namespace level
-
Log on to the ASM console. In the left-side navigation pane, choose .
-
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
-
On the Configure the agent parameters of the injected Sidecar page, click the Namespace tab, select the Namespace where the configuration will apply, click the target sidecar configuration, select and configure the required items, and then click Update Settings.
Configuration items at the namespace level inherit their default values from the global level. After you click Update Settings, the namespace-level configuration takes effect immediately. For more information about the configuration items, see Sidecar proxy configuration items.
Workload level
In the same namespace, you can create multiple workload-level sidecar proxy configurations for different workloads.
-
Log on to the ASM console. In the left-side navigation pane, choose .
-
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
-
On the Configure the agent parameters of the injected Sidecar page, click the workload tab, and then click Create.
-
On the workload tab, select the Namespace where the configuration will apply, enter a Name for the configuration, use the match labels section to create a Match Label for the target workload, click the target sidecar configuration, select and configure the required items, and then click Create.
Configuration items at the workload level inherit their default values from the global level. After you click Create, the workload-level sidecar proxy configuration is created immediately. For more information about the configuration items, see Sidecar proxy configuration items.
After a configuration is created, you can also update or delete it.
-
To update a workload-level sidecar proxy configuration: On the workload tab, find the target configuration and click Update in the Actions column. Modify the Match Label and sidecar proxy settings, and then click Update.
-
To delete a workload-level sidecar proxy configuration: On the workload tab, find the target configuration and click Delete in the Actions column. In the Confirm dialog box, click OK.
(Optional) Redeploy workloads
Because Pod specifications are immutable, changes to the sidecar proxy configuration do not take effect until you redeploy the Pods. Redeploying a Pod applies the new configuration to its injected sidecar proxy.
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click .
-
On the Deployments page, redeploy one or more workloads by using one of the following methods:
|
Scenario
|
Actions
|
|
Single workload
|
In the Actions column, click for the target workload, and then in the Redeploy dialog box, click OK.
|
|
Multiple workloads
|
In the Name column, select multiple target workloads. At the bottom of the page, click Batch Redeploy. In the Confirm dialog box, click OK.
|
Sidecar proxy parameter version support
The features available in ASM may vary by version. Newer ASM versions typically offer more features and configuration options for sidecar proxies. If you cannot find a specific sidecar proxy configuration item, consult the table below to determine whether you need to upgrade your ASM instance. For instructions, see Upgrade an ASM instance.
Click the links in the Parameter column to view descriptions and configuration examples for each item.
Important
If your ASM instance is version 1.22 or later and your data plane cluster is version 1.30 or later, sidecar proxies are deployed as native sidecar containers. In this case, the Kubernetes cluster directly manages the lifecycle of the sidecar proxy container, overriding all of its lifecycle management configurations.
Sidecar proxy parameters
This topic describes how to configure the sidecar proxy's resource usage, traffic interception policy, DNS proxy, and lifecycle, and provides examples.
Resource settings for injected Istio proxies
Description and configuration example
Parameters
This setting specifies the minimum required CPU and memory (resource requests) and the maximum allowed CPU and memory (resource limits) for the sidecar proxy container.
|
Parameter
|
Description
|
|
Limits on Resources
|
The maximum CPU and memory the sidecar proxy container can use. The unit for CPU is cores, and the unit for memory is MiB.
|
|
Required Resources
|
The minimum CPU and memory the sidecar proxy container needs to run. The unit for CPU is cores, and the unit for memory is MiB.
|
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Resource Settings.
-
(Optional) In the Resource Settings area, select Configure Resources for Injected Sidecar Proxy.
This step is required on the Namespace and workload tabs, but is optional on the global tab.
-
For Limits on Resources, set CPU to 2 cores and Memory to 1025 MiB. For Required Resources, set CPU to 0.1 cores and Memory to 128 MiB. Then, at the bottom of the page, click Update Settings.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Verify the configured resources for the Istio proxy.
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
containers:
- args:
- proxy
...
name: istio-proxy
...
resources:
limits:
cpu: '2'
memory: 1025Mi
requests:
cpu: 100m
memory: 128Mi
...
The istio-proxy container is the sidecar proxy container. The resources field for the container named istio-proxy is now set to the values you configured. This confirms that the Configure Resources for Injected Sidecar Proxy have been applied.
Scale sidecar resources proportionally
Description and examples
Description
This setting automatically calculates sidecar resources based on the resources of the application containers. When enabled, this setting overrides the Injected Istio proxy resource settings. This feature lets you dynamically adjust sidecar resources for different Pods by allocating resources based on the maximum resources configured for the application containers. The following calculation strategies are supported:
-
Maximum container resources: Uses the highest resource values from all containers in the Pod as the calculation baseline.
-
Specified container name: Uses the resources of a specific container within the Pod as the calculation baseline. When using this strategy, you must specify a container as the baseline. If the specified container is not found in the Pod, the system falls back to using the sidecar resources configured in the Injected Istio Proxy Resource Settings. If the Pod has the scaled-resource.inject.istio.alibabacloud.com/container-ref annotation, the container specified in the annotation takes precedence as the calculation baseline.
Important
Regardless of which strategy you choose:
-
If the baseline container has no limits configured, the system assumes the sidecar's resources are unbounded and does not configure limits for the sidecar.
-
If the baseline container has no configured requests, the system assigns minimum feasible resources to the sidecar to ensure it operates properly. The minimum for CPU requests is 100m, and the minimum for memory requests is 128Mi.
-
Minimum required resources for the sidecar: Both CPU requests and limits must be at least 100m, and memory must be at least 128Mi. If the calculated resources fall below these minimums, the sidecar resources are set to these minimum values.
Configuration examples
The following examples demonstrate how proportional scaling works. They are based on the sample container configurations shown below.
Standard configuration
resources:
requests:
cpu: 300m
memory: 512Mi
limits:
cpu: 500m
memory: 1Gi
requests not configured
resources:
limits:
cpu: 500m
memory: 1Gi
limits not configured
resources:
requests:
cpu: 300m
memory: 512Mi
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Resource Settings.
-
In the Resource Settings section, select Configure sidecar resources by ratio.
-
Configure the Proportion of Resources, select a Computing Policy (optional), and then click Update Settings.
Select either the Maximum Resource Capacity or Specify a container name. calculation strategy.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Verify the configured resources for the Istio proxy.
kubectl get pod -n <namespace> <pod-name> -o yaml
Expected output:
Standard configuration
|
Standard configuration
If the resource ratio is set to 50 (meaning the sidecar gets 50% of the application container's resources), the final sidecar allocation is as follows: ...
resources:
requests:
cpu: 150m
memory: 256Mi
limits:
cpu: 250m
memory: 512Mi
|
Minimum configuration
If the resource ratio is set to 20 (meaning the sidecar gets 20% of the application container's resources), the final sidecar allocation is as follows: ...
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 100m
memory: 204Mi
|
requests not configured
If the resource ratio is set to 50 (meaning the sidecar gets 50% of the application container's resources), the final sidecar allocation is as follows:
...
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 250m
memory: 512Mi
limits not configured
If the resource ratio is set to 50 (meaning the sidecar gets 50% of the application container's resources), the final sidecar allocation is as follows:
...
resources:
requests:
cpu: 150m
memory: 256Mi
Istio-init container resource settings
Description and configuration example
Description
Use this setting to configure resource requests (minimum CPU and memory) and resource limits (maximum CPU and memory) for the istio-init container in pods with an injected sidecar proxy. The istio-init container is an init container that runs at pod startup to set traffic interception rules for the sidecar proxy.
|
Parameter
|
Description
|
|
Limits on Resources
|
The maximum CPU and memory that the istio-init container can use. The unit for CPU is core, and the unit for memory is MiB.
|
|
Required Resources
|
The minimum CPU and memory required for the istio-init container to run. The unit for CPU is core, and the unit for memory is MiB.
|
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, click the target configuration tab, and then click Resource Settings.
-
In the Resource Settings section, select Configure Resources for istio-init Container.
This step is required on the Namespace and workload tabs, but not on the global tab.
-
Under Limits on Resources, set CPU to 1 core and Memory to 512 MiB. Under Required Resources, set CPU to 0.1 core and Memory to 128 MiB. At the bottom of the page, click Update Settings.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Verify the configured resources for the istio-init container.
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
...
initContainers:
- args:
...
name: istio-init
resources:
limits:
cpu: '1'
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
...
The resources field of the istio-init init container in the Pod is set to the target resource value, which indicates that the Configure Resources for istio-init Container configuration has taken effect.
Configure ACK dynamic overcommitment for a sidecar
Description and configuration example
Description
This setting allocates ACK dynamic overcommitment resources to the injected Istio proxy and the istio-init init container. For more information about dynamic overcommitment resources, see Enable dynamic resource overcommitment.
The configuration method is the same as for Resource settings for an injected Istio proxy and Resource settings for an istio-init init container. After you apply this configuration, Pods with the ACK dynamic overcommitment label koordinator.sh/qosClass use ACK dynamic overcommitment resources for their Istio proxy and istio-init init containers instead of standard Kubernetes CPU and memory resources.
Note
When you configure ACK dynamic overcommitment resources for a sidecar, the unit for CPU resources is millicores.
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the desired configuration level, click Resource Settings, select Set ACK Resources That Can Be Dynamically Overcommitted for Sidecar Proxy, configure the parameters as described in the following table, and then click Update Settings at the bottom of the page.
|
Parameter
|
Subparameter
|
Description
|
|
Configure Resources for Injected Sidecar Proxy (ACK Dynamically Overcommitted Resources)
|
Limits on Resources
|
Set CPU to 2000 millicores and Memory to 2048 MiB.
|
|
Required Resources
|
Set CPU to 200 millicores and Memory to 256 MiB.
|
|
istio-init container resource (ACK dynamic oversold resource)
|
Limits on Resources
|
Set CPU to 1000 millicores and Memory to 1024 MiB.
|
|
Required Resources
|
Set CPU to 100 millicores and Memory to 128 MiB.
|
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to check the configured resources:
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
metadata:
...
labels:
koordinator.sh/qosClass: BE
spec:
containers:
- args:
...
name: istio-proxy
...
resources:
limits:
kubernetes.io/batch-cpu: 2k
kubernetes.io/batch-memory: 2Gi
requests:
kubernetes.io/batch-cpu: '200'
kubernetes.io/batch-memory: 256Mi
...
initContainers:
- args:
...
name: istio-init
resources:
limits:
kubernetes.io/batch-cpu: 1k
kubernetes.io/batch-memory: 1Gi
requests:
kubernetes.io/batch-cpu: '100'
kubernetes.io/batch-memory: 128Mi
...
The output shows that both the istio-proxy container and the istio-init init container have a resources field with the specified values. This confirms that the Set ACK Resources That Can Be Dynamically Overcommitted for Sidecar Proxy settings have taken effect.
Istio-Proxy concurrency
Description and configuration example
Description
This setting specifies the number of worker threads for the sidecar proxy container. You must set this to a non-negative integer. If you set the value to 0, the system automatically determines the number of worker threads based on the CPU requests or limits of the sidecar proxy container. Limits take precedence over requests.
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, click the desired configuration level tab, and then click Resource Settings.
-
(Optional) In the Resource Settings area, select Number of Sidecar Proxy Threads.
This step is required for the Namespace and workload tabs. You can skip this step for the global tab.
-
Set Number of Sidecar Proxy Threads to 3, and then click Update Settings at the bottom of the page.
This configures the sidecar proxy container to run with 3 worker threads.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to check the configured Istio-Proxy concurrency.
kubectl get pod -n <namespace> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
...
- args:
- proxy
- sidecar
- '--domain'
- $(POD_NAMESPACE).svc.cluster.local
- '--proxyLogLevel=warning'
- '--proxyComponentLogLevel=misc:error'
- '--log_output_level=default:info'
- '--concurrency'
- '3'
...
name: istio-proxy
...
The istio-proxy container's --concurrency argument is set to 3, confirming that the Number of Sidecar Proxy Threads setting has been applied.
Outbound traffic interception IP ranges
Description and examples for outbound traffic interception IP ranges
Parameter
Specify a comma-separated list of IP address ranges in CIDR notation. When a workload with an injected sidecar proxy accesses other services, the sidecar proxy container intercepts only requests to destination IP addresses within these ranges. All other requests bypass the sidecar proxy and go directly to their destination. By default, this setting is *, which means the sidecar proxy container intercepts all outbound traffic from the workload.
Example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Enable/Disable Sidecar Proxy by Ports or IP Addresses.
-
In the Enable/Disable Sidecar Proxy by Ports or IP Addresses section, select Addresses to Which External Access Is Redirected to Sidecar Proxy.
This step is required for the Namespace and workload tabs but is optional for the global tab.
-
Set Addresses to Which External Access Is Redirected to Sidecar Proxy to 192.168.0.0/16,10.1.0.0/24, and then at the bottom of the page, click Update Settings.
This configures the sidecar proxy container to intercept requests to IP addresses in the 192.168.0.0/16 and 10.1.0.0/24 CIDR blocks.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to check the configured outbound traffic interception IP ranges.
kubectl get pod -n <namespace> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
...
initContainers:
- args:
- istio-iptables
- '-p'
- '15001'
- '-z'
- '15006'
- '-u'
- '1337'
- '-m'
- REDIRECT
- '-i'
- '192.168.0.0/16,10.1.0.0/24'
- '-x'
- 192.168.0.1/32
- '-b'
- '*'
- '-d'
- '15090,15021,15081,9191,15020'
- '--log_output_level=default:info'
...
name: istio-init
...
The istio-init container confirms that the -i 192.168.0.0/16,10.1.0.0/24 argument for the Addresses to Which External Access Is Redirected to Sidecar Proxy configuration is in effect.
Exclude outbound IP ranges
Description and example
Description
Specify a comma-separated list of IP address ranges in CIDR notation. When a workload initiates outbound traffic, any request destined for an IP address in these ranges bypasses the sidecar proxy container.
Important
If Exclude Outbound IP Ranges includes an address that is also specified in Addresses to Which External Access Is Redirected to Sidecar Proxy, the exclusion rule takes precedence, and the sidecar proxy will not intercept requests to that address. For more information, see Include Outbound IP Ranges.
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the desired configuration level, and then click Enable/Disable Sidecar Proxy by Ports or IP Addresses.
-
(Optional) In the Enable/Disable Sidecar Proxy by Ports or IP Addresses section, select Addresses to Which External Access Is Not Redirected to Sidecar Proxy.
This step is required for the Namespace and workload tabs. You can skip this step for the global tab.
-
Set Addresses to Which External Access Is Not Redirected to Sidecar Proxy to 10.1.0.0/24, and then at the bottom of the page, click Update Settings.
This configuration ensures that the sidecar proxy container will not intercept requests destined for IP addresses within the 10.1.0.0/24 CIDR block.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to verify the outbound IP range exclusion:
kubectl get pod -n <namespace> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
...
initContainers:
- args:
- istio-iptables
- '-p'
- '15001'
- '-z'
- '15006'
- '-u'
- '1337'
- '-m'
- REDIRECT
- '-i'
- '*'
- '-x'
- '192.168.0.1/32,10.1.0.0/24'
- '-b'
- '*'
- '-d'
- '15090,15021,15081,9191,15020'
- '--log_output_level=default:info'
...
name: istio-init
...
The arguments for the istio-init container now include -x 192.168.0.1/32,10.1.0.0/24. The 192.168.0.1/32 is the default host address CIDR. The presence of 10.1.0.0/24 confirms that the Addresses to Which External Access Is Not Redirected to Sidecar Proxy setting is in effect.
Configure inbound interception ports
Description and example
Description
Specify a comma-separated list of port numbers. The sidecar proxy container intercepts traffic destined for a port in this list. By default, this is set to *, which means the sidecar proxy container intercepts all inbound traffic to the workload.
Example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Enable/Disable Sidecar Proxy by Ports or IP Addresses.
-
(Optional) In the Enable/Disable Sidecar Proxy by Ports or IP Addresses section, select Ports on Which Inbound Traffic Redirected to Sidecar Proxy.
This step applies to the Namespace and workload tabs. You can skip this step on the global tab.
-
Set Ports on Which Inbound Traffic Redirected to Sidecar Proxy to 80,443, and then click Update Settings.
This setting means the sidecar proxy container intercepts only requests sent to ports 80 and 443 of this workload.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to check the configured inbound interception ports:
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
...
initContainers:
- args:
- istio-iptables
- '-p'
- '15001'
- '-z'
- '15006'
- '-u'
- '1337'
- '-m'
- REDIRECT
- '-i'
- '*'
- '-x'
- 192.168.0.1/32
- '-b'
- '80,443'
- '-d'
- '15090,15021,15081,9191,15020'
- '--log_output_level=default:info'
...
name: istio-init
...
The arguments for the istio-init container now include -b 80,443, which matches the inbound ports you configured. This confirms that the Ports on Which Inbound Traffic Redirected to Sidecar Proxy setting is in effect.
Intercept outbound traffic on specific ports
Parameter
Specify a comma-separated list of destination port numbers. The sidecar proxy container intercepts all outbound traffic to services on these ports.
Important
If you configure this option with Addresses to Which External Access Is Not Redirected to Sidecar Proxy or Ports on Which Outbound Traffic Not Redirected to Sidecar Proxy, exclusion rules take precedence. The sidecar proxy does not intercept requests if the destination IP address is in an excluded CIDR range or the destination port is in an excluded port list, even if that port is also listed for interception. For more information, see IP ranges to exclude from interception and Exclude ports from Sidecar proxy interception.
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Enable/Disable Sidecar Proxy by Ports or IP Addresses.
-
(Optional) In the Enable/Disable Sidecar Proxy by Ports or IP Addresses section, select Ports on Which Outbound Traffic Redirected to Sidecar Proxy.
This step is required for the Namespace and workload tabs. You can skip this step for the global tab.
-
Set Ports on Which Outbound Traffic Redirected to Sidecar Proxy to 80,443, and then at the bottom of the page, click Update Settings.
This configuration directs the sidecar proxy container to intercept requests sent to services on ports 80 and 443.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to verify the configured interception ports.
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
...
initContainers:
- args:
- istio-iptables
- '-p'
- '15001'
- '-z'
- '15006'
- '-u'
- '1337'
- '-m'
- REDIRECT
- '-i'
- '*'
- '-x'
- 192.168.0.1/32
- '-b'
- '*'
- '-d'
- '15090,15021,15081,9191,15020'
- '--log_output_level=default:info'
- '-q'
- '80,443'
- '--log_output_level=default:info'
...
name: istio-init
...
The arguments for the istio-init container now include -q 80,443, which matches the outbound ports you configured. This confirms that the Ports on Which Outbound Traffic Redirected to Sidecar Proxy setting has taken effect.
Exclude inbound ports from interception
Description and example
Parameter
Specify a comma-separated list of port numbers. Traffic to the ports in this list bypasses the sidecar proxy container.
Important
This configuration option takes effect only when Ports on Which Inbound Traffic Redirected to Sidecar Proxy is set to *, which means the sidecar proxy container intercepts all inbound traffic by default.
Example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Enable/Disable Sidecar Proxy by Ports or IP Addresses.
-
(Optional) In the Enable/Disable Sidecar Proxy by Ports or IP Addresses section, select Ports on Which Inbound Traffic Not Redirected to Sidecar Proxy.
Perform this step on the Namespace and workload tabs. You can skip this step for the global tab.
-
Set Ports on Which Inbound Traffic Not Redirected to Sidecar Proxy to 8000, and then at the bottom of the page, click Update Settings.
This setting prevents the sidecar proxy container from intercepting requests sent to port 8000 of this workload.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to check the inbound ports excluded from interception:
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
...
initContainers:
- args:
- istio-iptables
- '-p'
- '15001'
- '-z'
- '15006'
- '-u'
- '1337'
- '-m'
- REDIRECT
- '-i'
- '*'
- '-x'
- 192.168.0.1/32
- '-b'
- '*'
- '-d'
- '15090,15021,15081,9191,15020,8000'
- '--log_output_level=default:info'
...
name: istio-init
...
The arguments for the istio-init container now include -d 15090,15021,15081,9191,15020,8000. Ports 15090,15021,15081,9191,15020 are application ports for the sidecar proxy and are excluded from interception by default. The presence of port 8000 confirms that the Ports on Which Inbound Traffic Not Redirected to Sidecar Proxy setting has taken effect.
Exclude outbound ports from interception
Description and example
Description
Specify a comma-separated list of destination port numbers for all outbound traffic. The sidecar proxy container will not intercept requests to any port in this list. This exclusion applies regardless of whether the destination service's IP address or port is included in any interception rules.
Example
-
On the Configure the agent parameters of the injected Sidecar page, click the target sidecar proxy configuration level tab, and then click Enable/Disable Sidecar Proxy by Ports or IP Addresses.
-
(Optional) In the Enable/Disable Sidecar Proxy by Ports or IP Addresses section, select Ports on Which Outbound Traffic Not Redirected to Sidecar Proxy.
This step is required on the Namespace and workload tabs. You can skip it on the global tab.
-
Set Ports on Which Outbound Traffic Not Redirected to Sidecar Proxy to 8000, and then click Update Configurations.
This configuration prevents the sidecar proxy container from intercepting requests to services on port 8000.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to check the configured outbound ports that are excluded from interception:
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
...
initContainers:
- args:
- istio-iptables
- '-p'
- '15001'
- '-z'
- '15006'
- '-u'
- '1337'
- '-m'
- REDIRECT
- '-i'
- '*'
- '-x'
- 192.168.0.1/32
- '-b'
- '*'
- '-d'
- '15090,15021,15081,9191,15020'
- '--log_output_level=default:info'
- '-o'
- '8000'
...
name: istio-init
...
The arguments for the istio-init container include -o 8000, matching the outbound port you configured. This confirms the Ports on Which Outbound Traffic Not Redirected to Sidecar Proxy setting is active.
Enable DNS proxy
Description and example
Description
You can enable or disable the DNS proxy for the sidecar proxy. When enabled, the sidecar proxy intercepts DNS requests from the workload to improve Service Mesh performance and availability. All DNS requests from the workload are redirected to the sidecar proxy. The sidecar proxy stores a local map of IP addresses to domain names, allowing it to return DNS responses directly to the workload without querying upstream DNS servers. If the sidecar proxy cannot resolve a DNS request, it forwards the request. For more information, see Use DNS Proxy in ASM.
Important
Due to network permission issues, the DNS proxy is not supported for sidecar proxies in ACK Serverless clusters or in ACK clusters that run ECI pods.
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click DNS Proxy.
-
In the DNS Proxy section, turn on the Enable DNS Proxy switch, and then click Update Settings.
This step is required on the Namespace and workload tabs but is optional on the global tab. Turning on the switch enables the DNS proxy for the sidecar proxy.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to check the DNS proxy settings:
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
spec:
containers:
- args:
- proxy
- sidecar
- '--domain'
- $(POD_NAMESPACE).svc.cluster.local
- '--proxyLogLevel=warning'
- '--proxyComponentLogLevel=misc:error'
- '--log_output_level=default:info'
- '--concurrency'
- '3'
env:
...
- name: ISTIO_META_DNS_AUTO_ALLOCATE
value: 'true'
- name: ISTIO_META_DNS_CAPTURE
value: 'true'
...
name: istio-proxy
The ISTIO_META_DNS_AUTO_ALLOCATE and ISTIO_META_DNS_CAPTURE environment variables for the istio-proxy container are set to true. This confirms that the DNS Proxy configuration is active.
Sidecar proxy environment variables
Expand to view the description and configuration examples for Sidecar Proxy Environment Variable Management.
Parameters
This setting adds environment variables to the sidecar proxy container.
|
Parameter
|
Description
|
|
Sidecar Graceful Shutdown (EXIT_ON_ZERO_ACTIVE_CONNECTIONS)
|
Enabling this option adds the environment variable EXIT_ON_ZERO_ACTIVE_CONNECTIONS: "true" to the sidecar proxy container. This variable alters the shutdown behavior as follows:
By default, when a sidecar proxy container stops, the pilot-agent process stops Envoy from listening for new inbound traffic. It then waits for the period specified by the sidecar proxy termination wait time setting before stopping the Envoy process.
When EXIT_ON_ZERO_ACTIVE_CONNECTIONS is set, the pilot-agent process stops the Envoy proxy from listening for inbound traffic and waits for a default of 5 seconds. It then polls Envoy's active connections and stops the Envoy proxy process only when the number of active connections drops to zero. In common scenarios, setting EXIT_ON_ZERO_ACTIVE_CONNECTIONS improves the graceful termination process by minimizing shutdown time while reducing dropped in-flight requests.
Important
When you configure this option, the Sidecar Proxy Drain Duration at Pod Termination setting is ignored. For more information, see sidecar proxy termination wait time.
|
Example configuration
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Manage Environment Variables for Sidecar Proxy.
-
(Optional) In the Manage Environment Variables for Sidecar Proxy section, select Sidecar Graceful Shutdown (EXIT_ON_ZERO_ACTIVE_CONNECTIONS).
This step is required for the Namespace and workload tabs. You can skip this step for the global tab.
-
Enable the Sidecar Graceful Shutdown (EXIT_ON_ZERO_ACTIVE_CONNECTIONS) option, and then click Update Configurations.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to verify the configured environment variables for the sidecar proxy.
kubectl get pod -n <namespace> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
containers:
- args:
...
env:
- name: EXIT_ON_ZERO_ACTIVE_CONNECTIONS
value: 'true'
name: istio-proxy
...
The EXIT_ON_ZERO_ACTIVE_CONNECTIONS environment variable is added to the istio-proxy container in the Pod. This confirms that the Manage Environment Variables for Sidecar Proxy configuration is in effect.
Sidecar graceful start (HoldApplicationUntilProxyStarts)
Description and configuration example
Description
HoldApplicationUntilProxyStarts is a lifecycle setting for the sidecar proxy. Enabled by default, it ensures that in pods with an injected sidecar, the sidecar proxy container starts successfully before the application containers. This prevents traffic loss that can occur if an application container starts before its sidecar proxy is ready.
If this option is disabled, the sidecar proxy container and application containers start concurrently. When deploying a large number of pods in a cluster, the sidecar proxy container might start slowly if the API server is under heavy load. You can disable the HoldApplicationUntilProxyStarts setting to improve deployment speed.
Configuration example
The following example shows how to disable HoldApplicationUntilProxyStarts on the global tab.
-
On the Configure the agent parameters of the injected Sidecar page, click the global tab, and then click Lifecycle Management.
-
Turn off the switch for Sidecar Graceful Startup (HoldApplicationUntilProxyStarts), and then click Update Settings.
This disables the HoldApplicationUntilProxyStarts feature.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to verify the HoldApplicationUntilProxyStarts setting.
kubectl get pod -n <namespace> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
containers:
- command:
...
name: sleep
...
env:
- name: PROXY_CONFIG
value: >-
{..."holdApplicationUntilProxyStarts":false,...}
...
name: istio-proxy
...
When the holdApplicationUntilProxyStarts feature is disabled, the istio-proxy container is no longer required to be declared before the application container, and the default lifecycle field is no longer declared. In this case, the Service Mesh no longer ensures that the sidecar proxy container starts successfully before the application container starts.
Termination drain duration for sidecar proxy
Description and example
Description
Termination drain duration is a lifecycle management setting for the sidecar proxy. After you inject a sidecar proxy into a Pod, the sidecar proxy container intercepts traffic to the application Pod.
When a Pod starts to terminate, the corresponding Service stops forwarding traffic to the Pod. After the sidecar proxy container receives a termination signal, it waits for a period of time. This period is called the termination drain duration. During this time, the proxy stops accepting new inbound traffic but continues to process existing inbound traffic. Outbound traffic is not affected and can be initiated normally. The default termination drain duration for the sidecar proxy container is 5s. You can configure this value in seconds by using the unit s, for example, 10s.
If your application handles long-running requests that exceed the termination drain duration, existing inbound and outbound connections might be terminated before they are complete, resulting in dropped requests. In such cases, you can extend the termination drain duration to allow these connections to finish processing.
The termination drain duration must be configured in seconds, for example, 10s.
Example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Lifecycle Management.
-
(Optional) In the Lifecycle Management section, select Sidecar Proxy Drain Duration at Pod Termination.
Perform this step on the Namespace and workload tabs. You can skip this step for the global tab.
-
Set Sidecar Proxy Drain Duration at Pod Termination to 10s, and then click Update Settings.
This configures the sidecar proxy to wait for 10 seconds to process in-flight connections during termination.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to verify the configured termination drain duration:
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
containers:
- args:
...
env:
- name: TERMINATION_DRAIN_DURATION_SECONDS
value: '10'
...
- name: PROXY_CONFIG
value: >-
{..."terminationDrainDuration":"10s"}
...
name: istio-proxy
...
The istio-proxy container in the Pod is configured with the TERMINATION_DRAIN_DURATION_SECONDS environment variable set to 10, and the PROXY_CONFIG environment variable shows a terminationDrainDuration of 10s. This confirms that the Sidecar Proxy Drain Duration at Pod Termination setting has been applied.
Sidecar proxy lifecycle
Description and example
Description
The Sidecar proxy lifecycle setting lets you customize the container lifecycle hooks for the sidecar proxy container. The lifecycle field accepts a JSON object that overrides the default container lifecycle hook configuration. For more information, see Container lifecycle hooks.
Example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Lifecycle Management.
-
(Optional) In the Lifecycle Management section, select Lifecycle of Sidecar Proxy.
This step is required for the Namespace and workload tabs but can be skipped for the global tab.
-
Under Lifecycle of Sidecar Proxy, enter the following JSON and click Update Settings.
This JSON configures the postStart and preStop hook handlers.
{
"postStart": {
"exec": {
"command": [
"pilot-agent",
"wait"
]
}
},
"preStop": {
"exec": {
"command": [
"/bin/sh",
"-c",
"sleep 13"
]
}
}
}
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to check the configured sidecar proxy lifecycle:
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
containers:
- args:
...
...
lifecycle:
postStart:
exec:
command:
- pilot-agent
- wait
preStop:
exec:
command:
- /bin/sh
- -c
- sleep 13
name: istio-proxy
...
The change to the lifecycle field of the istio-proxy container in the Pod confirms that the Lifecycle of Sidecar Proxy configuration was applied.
External service access policy
Description and example
Parameters
This setting configures the policy for the sidecar proxy to access external services. An external service is any service that is not registered in the Service Mesh. By default, all services within a Kubernetes cluster managed by the Service Mesh are registered services. You can also manually add services to the mesh registry by creating a Service Mesh resource. Any service not in the registry is an external service.
The following policies are supported:
-
ALLOW_ANY: The default external service access policy. The sidecar proxy allows requests to any external service and forwards them as-is.
-
REGISTRY_ONLY: The sidecar proxy blocks requests to external services, preventing the workload from establishing connections to them.
Note
This is a global setting and can only be configured at the global level. To set the external service access policy at the namespace or workload level, log on to the ASM console and navigate to the page.
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, on the global tab, click Outbound Traffic Policy. To the right of Outbound Traffic Policy, click REGISTRY_ONLY, and then click Update Settings.
This configuration restricts services in the mesh from accessing external services.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Create a file named sleep.yaml with the following content.
apiVersion: v1
kind: ServiceAccount
metadata:
name: sleep
---
apiVersion: v1
kind: Service
metadata:
name: sleep
labels:
app: sleep
service: sleep
spec:
ports:
- port: 80
name: http
selector:
app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sleep
spec:
replicas: 1
selector:
matchLabels:
app: sleep
template:
metadata:
labels:
app: sleep
spec:
terminationGracePeriodSeconds: 0
serviceAccountName: sleep
containers:
- name: sleep
image: curlimages/curl
command: ["/bin/sleep", "3650d"]
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /etc/sleep/tls
name: secret-volume
volumes:
- name: secret-volume
secret:
secretName: sleep-secret
optional: true
---
-
Run the following command to deploy the sleep application:
kubectl apply -f sleep.yaml -n default
-
Run the following command to access an external service from the sleep application:
kubectl exec -it <sleep-pod-name> -c sleep -- curl www.aliyun.com -v
Expected output:
* Trying *********...
* Connected to www.aliyun.com (********) port 80 (#0)
> GET / HTTP/1.1
> Host: www.aliyun.com
> User-Agent: curl/7.87.0-DEV
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 502 Bad Gateway
< date: Mon,********* 03:25:00 GMT
< server: envoy
< content-length: 0
<
* Connection #0 to host www.aliyun.com left intact
The 502 response confirms that the sleep application, with its injected sidecar proxy, is blocked from accessing the external service www.aliyun.com. This verifies that the Outbound Traffic Policy has taken effect.
Sidecar inbound traffic interception policy
This topic describes the sidecar inbound traffic interception policy and provides a configuration example.
Description
This setting controls how the sidecar proxy intercepts inbound traffic. By default, the sidecar proxy uses an iptables redirect policy to intercept inbound traffic to the application workload. When traffic is redirected, the application sees the sidecar proxy's IP as the request's source IP, not the original client IP.
Changing the inbound traffic interception policy to the transparent proxy policy (TPROXY) enables the Service Mesh sidecar proxy to use the TPROXY mode of iptables for inbound traffic. This configuration lets the application see the original client IP. For more information, see How server-side applications obtain client source IPs in a service mesh.
Important
The transparent proxy policy is not supported on nodes running the CentOS operating system. If your pod is scheduled on a CentOS node, use the redirect policy.
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, select the tab for the desired configuration level, and then click Sidecar Traffic Interception Mode.
-
(Optional) In the Sidecar Traffic Interception Mode area, enable the Sidecar Traffic Interception Mode option.
This step is required for the Namespace and workload tabs but can be skipped for the global tab.
-
For Sidecar Traffic Interception Mode, select TPROXY, and then click Update Settings.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
To verify the configured sidecar inbound traffic interception policy, run the following command.
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
containers:
- args:
...
- name: PROXY_CONFIG
value: >-
{..."interceptionMode":"TPROXY",...}
- name: ISTIO_META_POD_PORTS
value: |-
[
]
...
name: istio-proxy
...
initContainers:
- args:
- istio-iptables
- '-p'
- '15001'
- '-z'
- '15006'
- '-u'
- '1337'
- '-m'
- TPROXY
...
name: istio-init
...
The PROXY_CONFIG environment variable for the istio-proxy container in the pod includes "interceptionMode":"TPROXY", and the istio-init container uses the TPROXY parameter during initialization. These settings confirm that the Sidecar Traffic Interception Mode is in effect.
Log level
Description and configuration example
Description
This setting configures the log level for the sidecar proxy container. By default, the sidecar proxy uses the info log level. To control log verbosity, set the log level to one of the following values: info, debug, trace, warning, error, critical, or off.
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Monitoring Statistics.
-
(Optional) In the Monitoring Statistics area, select Log Level.
This step is required for the Namespace and workload tabs but can be skipped for the global tab.
-
Next to Log Level, select error, and then click Update Settings.
This configuration sets the sidecar proxy to output logs at the error level. Only logs at the error level or higher are logged.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to check the configured sidecar proxy log level.
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
containers:
- args:
- proxy
- sidecar
- '--domain'
- $(POD_NAMESPACE).svc.cluster.local
- '--proxyLogLevel=error'
...
name: istio-proxy
...
The runtime arguments for the istio-proxy container now include --proxyLogLevel=error, which confirms that the Log Level configuration has taken effect.
proxyStatsMatcher
Description and configuration example
Parameter
The Sidecar proxy, implemented with Envoy, can report a wide range of metrics. By default, the Service Mesh enables only a subset of these metrics to reduce performance overhead. Use this parameter to specify additional metrics to report, using prefix match, suffix match, or regex match.
Example
-
On the Configure the agent parameters of the injected Sidecar page, select the target configuration level tab, and then click Monitoring Statistics.
-
In the Monitoring Statistics area, for proxyStatsMatcher, select Regular Expression Match and set the value to .*outlier_detection.*.
This configuration enables circuit breaking metrics for the Sidecar proxy.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to verify the custom metrics configured for the Sidecar proxy.
kubectl get pod -n <namespace-name> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
containers:
- args:
...
- name: PROXY_CONFIG
value: >-
{..."proxyStatsMatcher":{"inclusionRegexps":[".*outlier_detection.*"]},...}
...
The PROXY_CONFIG environment variable for the istio-proxy container in the Pod is updated with the custom metrics configuration. This confirms that the proxyStatsMatcher configuration has taken effect.
Envoy runtime parameters
Envoy runtime parameters: description and configuration example
Parameters
Use this setting to configure the following runtime parameter for the Envoy process in the sidecar proxy container.
|
Parameter
|
Description
|
|
Downstream connection limit
|
By default, the sidecar proxy does not limit downstream connections, leaving it vulnerable to malicious attacks. For more information, see security bulletin 2020-007. You can limit the number of downstream connections that the sidecar proxy accepts.
|
Configuration example
-
On the Configure the agent parameters of the injected Sidecar page, click the tab for the target configuration level, and then click Manage Environment Variables for Sidecar Proxy.
-
(Optional) In the Envoy Runtime Parameters section, enter 5000 in the input box next to Limits on Downstream Connections, and then click Update Configurations.
-
Redeploy the workload to apply the sidecar proxy configuration.
-
Run the following command to check the sidecar proxy's environment variables.
kubectl get pod -n <namespace> <pod-name> -o yaml
Expected output:
apiVersion: v1
kind: Pod
...
spec:
containers:
- args:
...
env:
- name: PROXY_CONFIG
value: >-
{"concurrency":2,"configPath":"/etc/istio/proxy","discoveryAddress":"istiod-1-22-6.istio-system.svc:15012","holdApplicationUntilProxyStarts":true,"interceptionMode":"REDIRECT","proxyMetadata":{"BOOTSTRAP_XDS_AGENT":"false","DNS_AGENT":"","EXIT_ON_ZERO_ACTIVE_CONNECTIONS":"true"},"runtimeValues":{"overload.global_downstream_max_connections":"5000"},"terminationDrainDuration":"5s","tracing":{"zipkin":{"address":"zipkin.istio-system:9411"}}}
name: istio-proxy
...
The "runtimeValues":{"overload.global_downstream_max_connections":"5000"} field in the PROXY_CONFIG environment variable for the Pod's istio-proxy container confirms that the Envoy runtime parameters configuration has taken effect.