ASM includes a sidecar injector that automatically adds a sidecar proxy to new pods. You can configure injection policies to control which pods receive a sidecar, to use resources more efficiently and simplify management. You can also adjust the injector's resource configuration to match your cluster's size and load.
Prerequisites
You have added a cluster to an ASM instance.
Configure automatic injection policies
You can use namespace labels, or pod labels and annotations, to control which pods receive a sidecar.
1. Log on to the ASM console. In the left-side navigation pane, choose .
2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
3. On the Sidecar Proxy injection page, in the Injection strategy configuration management section, configure the automatic injection policy.
   A sidecar is automatically injected into a pod only when the pod satisfies both matching conditions: the namespace condition (The labels of the pod's namespace must meet the conditions) and the pod condition (The pod's own labels/annotations must meet the conditions).

   Matching condition: The labels of the pod's namespace must meet the conditions.
   Description: The condition for the labels of the pod's namespace. Select one of the following:
   - Include istio-injection: enabled: When the namespace of a pod contains the istio-injection: enabled label, the pod is eligible for automatic injection.
   - Not include istio-injection: disabled: A sidecar is injected if the pod's namespace does not have the istio-injection: disabled label.

   Matching condition: The pod's own labels/annotations must meet the conditions.
   Description: The condition for the pod's labels or annotations. Select one of the following:
   - Not Include sidecar.istio.io/inject: "false" or Selected by NeverInjectSelector: A sidecar is injected if the pod does not have the sidecar.istio.io/inject: "false" label or annotation and is not matched by the NeverInjectSelector.
   - Include sidecar.istio.io/inject: "true" or Selected by AlwaysInjectSelector: When a pod contains the sidecar.istio.io/inject: "true" label or annotation, or is matched by the AlwaysInjectSelector, the pod meets the criteria for automatic injection.

   Note:
   - For ASM instances earlier than v1.12, automatic injection is supported only by matching pod annotations.
   - For ASM instances v1.12 and later, automatic injection is supported by matching both pod labels and pod annotations. Labels take precedence over annotations. For example, if a pod has both the sidecar.istio.io/inject: "true" label and the sidecar.istio.io/inject: "false" annotation, the pod is treated as having the sidecar.istio.io/inject: "true" label.
   - If you configure the policy to inject unless a namespace has the istio-injection: disabled label or a pod has the sidecar.istio.io/inject: "false" label, ASM automatically adds the istio-injection: disabled label to the kube-system namespace to protect system components.
4. (Optional) Below the Injection strategy configuration management section, click Show Advanced Settings to configure advanced options.

   Parameter: The label selector which selector pods to be injected istio-proxy (AlwaysInjectSelector)
   Description: A configurable pod label selector. Pods that match this selector are always injected, as if they had the sidecar.istio.io/inject: "true" label or annotation.

   Parameter: The label selector which selector pods which will never be injected (NeverInjectSelector)
   Description: A configurable pod label selector. Pods that match this selector are never injected, as if they had the sidecar.istio.io/inject: "false" label or annotation.

   Note: Both AlwaysInjectSelector and NeverInjectSelector are pod label selectors and are configured in the same way. Each selector can have multiple label selection expressions, one per line. A pod is selected if its labels match any of the expressions.

   Each label selection expression consists of three parts:
   - Key: The key of the pod label to match.
   - Operator: The matching operator. The following four operators are available:
     - In: Matches if the pod's label value is in the specified set of values.
     - NotIn: Matches if the pod's label value is not in the specified set of values.
     - Exists: Matches if the pod has a label with the specified key.
     - DoesNotExist: Matches if the pod does not have a label with the specified key.
   - Value: The set of values to match against when using the In or NotIn operator.

5. At the bottom of the page, click Update Settings.
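The two matching conditions, the label-over-annotation precedence and the AlwaysInjectSelector / NeverInjectSelector expressions described above combine into one decision per pod. The following is an added example written for this page, not ASM's injector or Istio's webhook code: it models that decision over plain-dict Kubernetes objects so that a policy can be reasoned about before it is applied. The Policy class, its field names (namespace_requires_enabled, pod_requires_true, labels_supported) and the helper names are assumptions introduced here; the label keys and values are the ones on this page. It goes slightly beyond the page in one respect: the NotIn operator follows Kubernetes label-selector semantics, under which a pod that lacks the key also matches. The scenarios in demo() cover both policy shapes used in Example 1 and Example 2 further down, plus the pre-v1.12 annotation-only behaviour.

```python
# Added example for this page: a model of the ASM automatic-injection decision.
# Not ASM's injector or Istio's webhook code; Policy and field names are assumptions
# mirroring the console options, and Kubernetes objects are plain dicts.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INJECT_KEY = "sidecar.istio.io/inject"   # pod label or annotation
NS_KEY = "istio-injection"               # namespace label


@dataclass(frozen=True)
class Requirement:
    """One label selection expression (one console line): key, operator, values."""
    key: str
    operator: str                        # In | NotIn | Exists | DoesNotExist
    values: frozenset = frozenset()

    def matches(self, labels: Dict[str, str]) -> bool:
        present = self.key in labels
        if self.operator == "Exists":
            return present
        if self.operator == "DoesNotExist":
            return not present
        if self.operator == "In":
            return present and labels[self.key] in self.values
        if self.operator == "NotIn":
            # Kubernetes selector semantics: a pod lacking the key also satisfies NotIn.
            return not present or labels[self.key] not in self.values
        raise ValueError(f"unknown operator {self.operator!r}")


def selector_matches(expressions: List[Requirement], labels: Dict[str, str]) -> bool:
    """A pod is selected if its labels match ANY expression of the selector."""
    return any(e.matches(labels) for e in expressions)


@dataclass
class Policy:
    # Namespace condition: True = namespace must carry istio-injection: enabled;
    # False = inject unless the namespace carries istio-injection: disabled.
    namespace_requires_enabled: bool
    # Pod condition: True = pod must carry inject: "true" or match AlwaysInjectSelector;
    # False = inject unless the pod carries inject: "false" or matches NeverInjectSelector.
    pod_requires_true: bool
    always_inject: List[Requirement] = field(default_factory=list)
    never_inject: List[Requirement] = field(default_factory=list)
    labels_supported: bool = True        # False models ASM < v1.12 (annotations only)


def effective_inject_value(pod: dict, policy: Policy) -> Optional[str]:
    """The pod's sidecar.istio.io/inject value; a label takes precedence over an annotation."""
    meta = pod.get("metadata", {})
    labels, annotations = meta.get("labels") or {}, meta.get("annotations") or {}
    if policy.labels_supported and INJECT_KEY in labels:
        return str(labels[INJECT_KEY]).lower()
    if INJECT_KEY in annotations:
        return str(annotations[INJECT_KEY]).lower()
    return None


def should_inject(pod: dict, namespace: dict, policy: Policy) -> bool:
    """Inject only when both the namespace condition and the pod condition hold."""
    ns_labels = namespace.get("metadata", {}).get("labels") or {}
    if policy.namespace_requires_enabled:
        namespace_ok = ns_labels.get(NS_KEY) == "enabled"
    else:
        namespace_ok = ns_labels.get(NS_KEY) != "disabled"
    if not namespace_ok:
        return False
    pod_labels = pod.get("metadata", {}).get("labels") or {}
    value = effective_inject_value(pod, policy)
    if policy.pod_requires_true:
        return value == "true" or selector_matches(policy.always_inject, pod_labels)
    return not (value == "false" or selector_matches(policy.never_inject, pod_labels))


def obj(labels=None, annotations=None) -> dict:
    """Minimal constructed pod or namespace object (metadata only)."""
    return {"metadata": {"labels": labels or {}, "annotations": annotations or {}}}


def demo() -> Dict[str, bool]:
    """Constructed scenarios for the two policy shapes used in Example 1 and Example 2."""
    opt_out = Policy(True, False, never_inject=[Requirement("app", "In", frozenset({"legacy-batch"}))])
    opt_in = Policy(False, True, always_inject=[Requirement("mesh-tier", "Exists")])
    pre_112 = Policy(True, False, labels_supported=False)
    enabled_ns, plain_ns = obj({NS_KEY: "enabled"}), obj()
    kube_system = obj({NS_KEY: "disabled"})                 # label ASM adds to protect system components
    both = obj({INJECT_KEY: "true"}, {INJECT_KEY: "false"})   # label true, annotation false
    return {
        "opt_out: plain pod, enabled ns": should_inject(obj(), enabled_ns, opt_out),
        "opt_out: pod labelled false": should_inject(obj({INJECT_KEY: "false"}), enabled_ns, opt_out),
        "opt_out: NeverInjectSelector match": should_inject(obj({"app": "legacy-batch"}), enabled_ns, opt_out),
        "opt_out: plain pod, unlabelled ns": should_inject(obj(), plain_ns, opt_out),
        "opt_out: label true beats annotation false": should_inject(both, enabled_ns, opt_out),
        "pre-1.12: annotation false honoured": should_inject(both, enabled_ns, pre_112),
        "opt_in: pod labelled true, unlabelled ns": should_inject(obj({INJECT_KEY: "true"}), plain_ns, opt_in),
        "opt_in: plain pod, unlabelled ns": should_inject(obj(), plain_ns, opt_in),
        "opt_in: AlwaysInjectSelector match": should_inject(obj({"mesh-tier": "web"}), plain_ns, opt_in),
        "opt_in: labelled true in kube-system": should_inject(obj({INJECT_KEY: "true"}), kube_system, opt_in),
    }
```

Run demo() to see each scenario's decision. The kube-system scenario shows why ASM labels that namespace istio-injection: disabled when the opt-in policy is chosen: without the label, any system pod carrying sidecar.istio.io/inject: "true" would be injected.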
Configure the sidecar injector
The sidecar injector is an admission webhook service deployed in the data plane Kubernetes cluster. It automatically injects sidecar proxies and is not a sidecar proxy itself. The services and workloads of the sidecar injector are deployed in the istio-system namespace of the Kubernetes cluster, and their names start with istio-sidecar-injector. You can adjust the resource settings and number of replicas for the sidecar injector components to ensure availability when injecting a large number of pods simultaneously. Configure metric monitoring and alert rules for the sidecar injector's admission webhook service by referring to Container Service alert management and kube-apiserver component monitoring metrics.
1. Log on to the ASM console. In the left-side navigation pane, choose .
2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
3. On the Sidecar Proxy injection page, in the Injection service section, configure the sidecar injector and click Update Settings at the bottom of the page.

   Parameter: Resource Settings for Sidecar Injection
   Description: Configure the Limits on Resources and Required Resources for the sidecar injector container.
   - Limits on Resources: Configure the CPU and memory resource limits for the sidecar injector container. The unit for CPU resource limits is cores, and the unit for memory resource limits is MiB.
   - Required Resources: Configure the CPU and memory resource requests for the sidecar injector container. The unit for CPU resource requests is cores, and the unit for memory resource requests is MiB.

   Parameter: pod replicas
   Description: The number of replicas for the sidecar injector.
   Note: Increasing the number of sidecar injector replicas improves the availability of the sidecar injection service when injecting a large number of pods simultaneously. For high availability, set the number of replicas to 2 or more.

   Parameter: Rewrite App Probe
   Description: Specifies whether to rewrite the health checks for the pod during injection. To determine whether you need to enable health check rewriting, see Enable health check redirection for applications in a service mesh.

   Parameter: Sidecar-injector NodeSelector
   Description: Specifies node labels to control where sidecar injector pods are deployed. Click Add Match Label and enter the Name and Value of a node label in the data plane cluster to specify the deployment nodes.
Example 1: Disable injection for specific pods
1. Configure the automatic injection policy.
   a. Log on to the ASM console. In the left-side navigation pane, choose .
   b. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
   c. On the Sidecar Proxy injection page, in the Injection strategy configuration management section, configure the settings.
      The following configuration automatically injects a sidecar into all pods within a namespace that has the istio-injection: enabled label, unless a pod has the sidecar.istio.io/inject: "false" label or annotation.

      Parameter: The labels of the pod's namespace must meet the conditions.
      Description: Select Include istio-injection: enabled.

      Parameter: The pod's own labels/annotations must meet the conditions.
      Description: Select Not Include sidecar.istio.io/inject: "false" or Selected by NeverInjectSelector.

2. Create a global namespace and enable automatic injection for it.
   a. On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create.
   b. In the Create Namespace panel, enter a Name for the namespace (for example, test1). Click Add next to Tag, set the Name to istio-injection and the Value to enabled, and click OK.
   c. At the top of the page, click Sync Automatic Sidecar Injection to Kubernetes Cluster to sync the global namespace to the data plane Kubernetes cluster.

3. Create an application.
   a. Deploy the details application in the test1 namespace of the ACK cluster on the data plane. For more information, see Deploy an application in a cluster associated with an ASM instance.
   b. Verify whether a sidecar proxy is injected into the application's pod.
      i. Log on to the ACK console. In the left navigation pane, click Clusters.
      ii. On the Clusters page, click the name of your cluster. In the left navigation pane, click .
      iii. At the top of the Deployments page, set the Namespace to test1 and click the name of the details application.
      iv. On the Pods tab, you can see that the details-v1 pod contains two images: the Istio sidecar proxy image (proxyv2) and the application image (examples-bookinfo-details-v1). The status is Running, which indicates that the sidecar has been successfully injected.

4. Add a label to the pod to disable automatic injection.
   a. Log on to the ACK console. In the left navigation pane, click Clusters.
   b. On the Clusters page, click the name of your cluster. In the left navigation pane, click .
   c. On the Deployments page, in the test1 namespace, find the details application and click More > View YAML in the Actions column.
   d. In the Edit dialog box, modify the YAML configuration and click Update.
      - For ASM versions 1.12.4 and later: in the labels parameter, add a label with the Key sidecar.istio.io/inject and the Value "false", specified as sidecar.istio.io/inject: 'false'.

        spec:
          progressDeadlineSeconds: 600
          replicas: 1
          revisionHistoryLimit: 10
          selector:
            matchLabels:
              app: details
              version: v1
          strategy:
            rollingUpdate:
              maxSurge: 25%
              maxUnavailable: 25%
            type: RollingUpdate
          template:
            metadata:
              labels:
                sidecar.istio.io/inject: "false"
                app: details
                version: v1

      - For ASM versions earlier than 1.12.4: in the annotations parameter, add an annotation with the Key sidecar.istio.io/inject and the Value "false", which is sidecar.istio.io/inject: "false".

5. Verify that automatic injection is disabled for the details service pod while it remains enabled for the test1 namespace.
   a. Log on to the ACK console. In the left navigation pane, click Clusters.
   b. On the Clusters page, click the name of your cluster. In the left navigation pane, click .
   c. At the top of the Deployments page, set the Namespace to test1 and click the name of the details application.
   d. On the Pods tab, you can see that the details-v1 pod is in the Running state and contains only the docker.io/istio/examples-bookinfo-details-v1:1.16.2 image. This confirms that the Istio sidecar was not injected into this pod.
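The check performed by hand on the Pods tab above (is the proxyv2 image present next to the application image, and is the pod Running?) is worth automating across a namespace, because a pod without a sidecar is outside the mesh's traffic policy and mTLS. The following is an added example written for this page, not ASM's or ACK's tooling: it classifies pods of one namespace under the Example 1 policy (namespace labelled istio-injection: enabled, pods opt out with sidecar.istio.io/inject: "false"). The pod and namespace objects are constructed dicts in the shape the Kubernetes API returns; the pod names, the ratings-v1 pod and the proxy image without a tag are constructed sample values, and the istio-proxy container name is Istio's convention, not something shown on this page.

```python
# Added example for this page (not ASM's or ACK's tooling): audit a namespace's pods
# for sidecar presence, mirroring the console check in Example 1.
from typing import Dict, List

PROXY_IMAGE = "proxyv2"            # sidecar image name shown on the Pods tab
PROXY_CONTAINER = "istio-proxy"    # container name Istio gives the injected sidecar
INJECT_KEY = "sidecar.istio.io/inject"


def has_sidecar(pod: dict) -> bool:
    """True when an istio-proxy container or a proxyv2 image is in the pod spec."""
    return any(c.get("name") == PROXY_CONTAINER or PROXY_IMAGE in c.get("image", "")
               for c in pod.get("spec", {}).get("containers", []))


def opted_out(pod: dict) -> bool:
    """Explicit sidecar.istio.io/inject: "false" on the pod; the label wins over the annotation."""
    meta = pod.get("metadata", {})
    for source in (meta.get("labels") or {}, meta.get("annotations") or {}):
        if INJECT_KEY in source:
            return str(source[INJECT_KEY]).lower() == "false"
    return False


def audit(pods: List[dict], namespace: dict) -> Dict[str, List[str]]:
    """Classify pods under the Example 1 policy: the namespace must carry istio-injection: enabled."""
    ns_labels = namespace.get("metadata", {}).get("labels") or {}
    ns_enabled = ns_labels.get("istio-injection") == "enabled"
    report: Dict[str, List[str]] = {"injected": [], "opted_out": [], "missing": [], "not_running": []}
    for pod in pods:
        name = pod["metadata"]["name"]
        if pod.get("status", {}).get("phase") != "Running":
            report["not_running"].append(name)   # cannot judge yet; re-check once the pod is Running
        elif has_sidecar(pod):
            report["injected"].append(name)
        elif opted_out(pod) or not ns_enabled:
            report["opted_out"].append(name)     # absence of a sidecar is expected here
        else:
            report["missing"].append(name)       # e.g. a pod created before the policy; restart it
    return report


def make_pod(name: str, images: List[str], labels=None, phase: str = "Running") -> dict:
    """Constructed pod object with one container per image."""
    return {"metadata": {"name": name, "labels": labels or {}},
            "spec": {"containers": [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]},
            "status": {"phase": phase}}


# Constructed sample: the test1 namespace from Example 1 with three pods.
TEST1_NS = {"metadata": {"name": "test1", "labels": {"istio-injection": "enabled"}}}
SAMPLE_PODS = [
    make_pod("details-v1-aaaa", ["docker.io/istio/examples-bookinfo-details-v1:1.16.2",
                                 "docker.io/istio/proxyv2"]),                          # injected
    make_pod("details-v1-bbbb", ["docker.io/istio/examples-bookinfo-details-v1:1.16.2"],
             {INJECT_KEY: "false"}),                                                    # opted out
    make_pod("ratings-v1-cccc", ["docker.io/istio/examples-bookinfo-ratings-v1:1.16.2"]),  # constructed: predates the policy
]

if __name__ == "__main__":
    print(audit(SAMPLE_PODS, TEST1_NS))
```

In a real cluster the pods list would come from the Kubernetes API for the namespace; the "missing" bucket is the one to act on, since, as the Related documents below state, injection only applies to newly created pods and running pods must be restarted.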
Example 2: Configure per-pod injection
You can set an injection policy for an individual pod instead of for an entire namespace.
1. Configure the automatic injection policy.
   a. Log on to the ASM console. In the left-side navigation pane, choose .
   b. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
   c. On the Sidecar Proxy injection page, configure the settings in the Injection strategy configuration management section and click Update Settings at the bottom of the page.
      The following configuration automatically injects a sidecar into pods that have the sidecar.istio.io/inject: "true" label in any namespace, except for pods in namespaces with the istio-injection: disabled label.

      Parameter: The labels of the pod's namespace must meet the conditions.
      Description: Select Not include istio-injection: disabled.

      Parameter: The pod's own labels/annotations must meet the conditions.
      Description: Select Include sidecar.istio.io/inject: "true" or Selected by AlwaysInjectSelector.

2. In the ACK cluster, create a namespace named test2 without any labels. For more information, see Manage namespaces and quotas.

3. In the test2 namespace of the ACK cluster, create the reviews application. For more information, see Deploy an application in a cluster associated with an ASM instance.

4. Add a label to the pod to enable automatic injection.
   a. Log on to the ACK console. In the left navigation pane, click Clusters.
   b. On the Clusters page, click the name of your cluster. In the left navigation pane, click .
   c. At the top of the Deployments page, set the Namespace to test2. In the row for the reviews service, click More > View YAML in the Actions column.
   d. In the Edit YAML dialog box, under the labels parameter, add the sidecar.istio.io/inject: "true" label, and then click Update.
      Note: To configure automatic pod injection by using labels, the Service Mesh ASM version must be 1.12.4 or later. For more information about how to upgrade an instance, see Upgrade an ASM instance.

        spec:
          progressDeadlineSeconds: 600
          replicas: 1
          revisionHistoryLimit: 10
          selector:
            matchLabels:
              app: reviews
              version: v1
          strategy:
            rollingUpdate:
              maxSurge: 25%
              maxUnavailable: 25%
            type: RollingUpdate
          template:
            metadata:
              labels:
                app: reviews
                sidecar.istio.io/inject: 'true'
                version: v1

5. Verify that the automatic injection policy for the pod was successfully configured.
   a. Log on to the ACK console. In the left navigation pane, click Clusters.
   b. On the Clusters page, click the name of your cluster. In the left navigation pane, click .
   c. At the top of the Deployments page, set the Namespace to test2 and click the name of the reviews application.
   d. On the Pods tab, the image list for the reviews-v1 pod contains both the Istio sidecar proxy image (proxyv2) and the application container image (examples-bookinfo-reviews-v1). The status is Running, which indicates that the sidecar has been successfully injected.
Related documents
- Injection policies only apply to newly created pods. You must restart running pods for the policy to take effect. For more information, see Restart a pod.
- If your Istio-enabled applications are still using an older version of the sidecar proxy after a control plane upgrade, see Upgrade sidecar proxies to upgrade them.
- You can configure the resource consumption, traffic interception policy, DNS proxy, and lifecycle of a sidecar proxy at different levels, such as global, namespace, workload, and pod. For more information, see Configure a sidecar proxy.