mirror of https://github.com/istio/istio.io.git
Injection caveats docs (#4255)
* Remove 'things' in favor of more specific terms

  Explicitly spelling out that these are bits of configuration is more explicit.

* Add clarification on namespace and host network limitations

  This adds clarifications on the limitations on sidecar injection for particular namespaces and for pods with host networking. The clarifications are in two spots because without either of them, the information provided is incomplete. Saying that whether the sidecar is injected or not is only dependent on three bits of config isn't really accurate. And including the troubleshooting steps without mentioning these hard limits isn't accurate either.

* Remove whitespace and fix spelling error

* Remove misplaced 'is'

* Fix typo

* Replace 'limitation' language with 'security rules'

  This emphasises that these restrictions are by design, and are intended to provide security to users.

* Clarify the outcome of annotating pods that violate security rules

  This clarifies that pods on the host network or in system namespaces will be ignored by the sidecar injector, as opposed to other failures or errors.

* Update lists to use correct Hugo format

* Indent paragraph to fix formatting and numbering

  This indentation should fix the formatting of this paragraph so that it appears correctly under the second element of the ordered list. It should also ensure that the ordered list continues at 3 with the next item.

* Add whitespace to ensure correct formatting of lists
This commit is contained in:
parent
2d5d6bf819
commit
94e9d95a59
@ -11,14 +11,21 @@ time. Injection can be scoped to particular sets of namespaces using
the webhooks `namespaceSelector` mechanism. Injection can also be
enabled and disabled per-pod with an annotation.
Whether or not a sidecar is injected is depends on three things:
Whether or not a sidecar is injected depends on three pieces of configuration and two security rules:
* webhooks `namespaceSelector`
* default `policy`
* per-pod override annotation
Configuration:
- webhooks `namespaceSelector`
- default `policy`
- per-pod override annotation
Security rules:
- sidecars cannot be injected in the `kube-system` or `kube-public` namespaces
- sidecars cannot be injected into pods that use the host network
The following truth table shows the final injection status based on
these three variables.
the three configuration items. The security rules above cannot be overridden.
| `namespaceSelector` match | default `policy` | Pod override annotation `sidecar.istio.io/inject` | Sidecar injected? |
|---------------------------|------------------|---------------------------------------------------|-----------|
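Review bot: the intro now says injection depends on three configuration items and two security rules, but the sentence introducing the truth table ("based on the three configuration items. The security rules above cannot be overridden.") leaves implicit that the table only applies to pods that pass both rules; consider saying so directly, e.g. "For pods not excluded by the security rules, the following truth table shows the final injection status based on the three configuration items." Since the `kube-system`/`kube-public` exclusion is independent of the webhook's `namespaceSelector`, a reader could otherwise expect to re-enable injection there by widening the selector, so the "cannot be overridden" statement would also be worth repeating directly under the "Security rules:" list.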
@ -40,6 +47,16 @@ these three variables.
This includes an injected sidecar when it wasn't expected and a lack
of injected sidecar when it was.
1. Ensure your pod is not in the `kube-system` or `kube-public` namespace.
Automatic sidecar injection will be ignored for pods in these namespaces.
1. Ensure your pod does not have `hostNetwork: true` in its pod spec.
Automatic sidecar injection will be ignored for pods that are on the host network.
The sidecar model assumes that the iptables changes required for Envoy to intercept
traffic are within the pod. For pods on the host network this assumption is violated,
and this can lead to routing failures at the host level.
1. Check the webhook's `namespaceSelector` to determine whether the
webhook is scoped to opt-in or opt-out for the target namespace.
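Review bot: the two new troubleshooting steps are asymmetric: the `hostNetwork: true` step is followed by a rationale paragraph (iptables interception is assumed to happen inside the pod, so host-network pods risk host-level routing failures), while the `kube-system`/`kube-public` step gives none, which makes the namespace exclusion look like an arbitrary gap rather than a deliberate rule. Consider a parallel one-line rationale for the namespace rule, and since these are troubleshooting steps, give the reader a command for each check instead of a bare "ensure", e.g. `kubectl get pod <pod> -n <namespace> -o jsonpath='{.spec.hostNetwork}'` for the host network condition.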