Istio sidecar injection - Site Reliability Engineer Blog

There are several ways to inject istio sidecar configuration into Pods. For example: automated injection, YAML/JSON deployment update, using Helm or Kustomize and update of existing live deployment. We will look into each of them.

Automatic Sidecar injection

Istio uses ValidatingAdmissionWebhooks for validating Istio configuration and MutatingAdmissionWebhooks for automatically injecting the sidecar proxy into user pods.

For automatic side car injection to work admissionregistration.k8s.io/v1beta1 should be enabled:

$ kubectl api-versions | grep admissionregistration.k8s.io/v1beta1
admissionregistration.k8s.io/v1beta1

Step two is to verify MutatingAdmissionWebhook and ValidatingAdmissionWebhook plugins are listed in the kube-apiserver –enable-admission-plugins. That can be done by cluster administrators.

When the injection webhook is enabled, any new pods that are created will automatically have a sidecar added to them.

To enable namespace for sidecar injection label the namespace with istio-injection=enabled

$ kubectl label namespace default istio-injection=enabled
$ kubectl get namespace -L istio-injection
NAME           STATUS    AGE       ISTIO-INJECTION
default        Active    1h        enabled
istio-system   Active    1h
kube-public    Active    1h
kube-system    Active    1h

Sidecar injection with istioctl on YAML file

To manually inject side into deployment, use istioctl kube-inject

$ istioctl kube-inject -f deployment.yaml | kubectl apply -f -

Sidecar injection into existing deployment

$ kubectl get deployment -o yaml | istioctl kube-inject -f - | kubectl apply -f -

Sidecar injection with istioctl and helm

Sidecar injection into helm release could be done in two steps. We will use helm install and helm template to inject sidecar. As down side some features as rollback of helm release wouldn’t work, only rolling forward would be possible.

First. Using helm install we install the package:

$ helm install nginx stable/nginx

Step two update the deployment with sidecar using helm template:

$ helm template stable/nginx | istioctl kube-inject -f - | kubectl apply -f -

Sidecar injection with kustomize

Deployment file:

resources:
- deployments.yaml

To inject istio sidecar into deployment Kustomize patch should be used

patches:
- path: sidcar.yaml
  target:
    kind: Deployment

Where sidecar.yaml is istio sidecar deployment.

Conclusions

There are many ways to install istio sidecar or any sidecar into deployment. The main idea is to render deployment file and wrap it up with istioctl for manual injection or setup automatic injection with Admission webhook.