istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v0.8/docs/setup/kubernetes/sidecar-injection/index.html

8102 lines
131 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" itemscope itemtype="https://schema.org/WebPage">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="theme-color" content="#466BB0"/>
<meta name="title" content="Installing the Istio Sidecar">
<meta name="description" content="Instructions for installing the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI.">
<meta name="og:title" content="Installing the Istio Sidecar">
<meta name="og:description" content="Instructions for installing the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI.">
<meta name="og:url" content="/v0.8/docs/setup/kubernetes/sidecar-injection/">
<meta name="og.site_name" content="Istio">
<title>Istioldie 0.8 / Installing the Istio Sidecar</title>
<script>
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-98480406-2', 'auto');
ga('send', 'pageview');
</script>
<script async src='https://www.google-analytics.com/analytics.js'></script>
<script>
var branchName = "release-0.8";
</script>
<link rel="alternate" type="application/rss+xml" title="Istio Blog" href="/v0.8/feed.xml">
<link rel="shortcut icon" href="/v0.8/favicons/favicon.ico" >
<link rel="apple-touch-icon" href="/v0.8/favicons/apple-touch-icon-180x180.png" sizes="180x180">
<link rel="icon" type="image/png" href="/v0.8/favicons/favicon-16x16.png" sizes="16x16">
<link rel="icon" type="image/png" href="/v0.8/favicons/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-36x36.png" sizes="36x36">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-48x48.png" sizes="48x48">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-72x72.png" sizes="72x72">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-96x196.png" sizes="96x196">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-144x144.png" sizes="144x144">
<link rel="icon" type="image/png" href="/v0.8/favicons/android-192x192.png" sizes="192x192">
<link rel="manifest" href="/v0.8/manifest.json">
<meta name="apple-mobile-web-app-title" content="Istio">
<meta name="application-name" content="Istio">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.6/css/all.css">
<link rel="stylesheet" href="/v0.8/css/light_theme_archive.css" title="light">
<link rel="alternate stylesheet" href="/v0.8/css/dark_theme_archive.css" title="dark">
<script src="/v0.8/js/styleSwitcher.min.js"></script>
</head>
<body class="language-unknown">
<header>
<nav class="navbar navbar-expand-md navbar-dark fixed-top bg-dark justify-content-between">
<a class="navbar-brand" href="/v0.8/">
<span class="logo"><svg viewBox="0 0 300 300">
<circle cx="150" cy="150" r="150" stroke-width="2" />
<polygon points="65,240 225,240 125,270"/>
<polygon points="65,230 125,220 125,110"/>
<polygon points="135,220 225,230 135,30"/>
</svg>
</span>
<span class="brand-name">Istioldie 0.8</span>
</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse justify-content-end" id="navbarCollapse">
<ul id="navbar-links" class="navbar-nav active">
<li class="nav-item">
<a class="nav-link active" href="/v0.8/docs/">Docs</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/blog/2018/egress-monitoring-access-control/">Blog</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/help/">Help</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/community/">Community</a>
</li>
<li class="nav-item">
<a class="nav-link " href="/v0.8/about/">About</a>
</li>
<li class="nav-item dropdown" id="gearDropdown" style="white-space: nowrap">
<a href="" class="nav-link" data-toggle="dropdown" aria-label="Tools" aria-haspopup="true" aria-expanded="false">
<i style="width: 1em" class='fa fa-lg fa-cog'></i>
</a>
<div class="dropdown-menu dropdown-menu-right" aria-labelledby="gearDropdown">
<a class="dropdown-item" id="light-theme-item" href="" onclick="setActiveStyleSheet('light');return false;">Light Theme</a>
<a class="dropdown-item" id="dark-theme-item" href="" onclick="setActiveStyleSheet('dark');return false;">Dark Theme</a>
<div class="dropdown-divider"></div>
<h6 class="dropdown-header">Other versions of this site</h6>
<a href="https://istio.io" class="dropdown-item">Current Release</a>
<a href="https://preliminary.istio.io" class="dropdown-item">Next Release</a>
<a href="https://archive.istio.io" class="dropdown-item">Older Releases</a>
</div>
</li>
<li class="nav-item">
<a id="search_show" class="nav-link" href="" aria-label="Search"><i style="width: 1em" class="fa fa-lg fa-search"></i></a>
</li>
</ul>
<form name="cse" id="search_form" class="form-inline mr-sm-2" role="search">
<input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" />
<input type="hidden" name="ie" value="utf-8" />
<input type="hidden" name="hl" value="en" />
<input type="hidden" id="search_page_url" value="/v0.8/search.html" />
<input id="search_textbox" class="form-control" name="q" type="text" aria-label="Search this site"/>
<button id="search_close" type="reset" aria-label="Cancel Search"><i class="far fa-lg fa-times-circle"></i></button>
</form>
</div>
</nav>
</header>
<div class="container-fluid">
<div class="row row-offcanvas">
<div class="col-0 col-md-3 col-xl-2 sidebar-offcanvas">
<nav class="sidebar d-print-none">
<div class="spacer"></div>
<div class="directory" role="tablist">
<div class="card">
<div class="card-header" role="tab" id="header7">
<a data-toggle="collapse" href="#collapse7" title="Concepts help you learn about the different parts of the Istio system and the abstractions it uses." role="button" aria-controls="collapse7">
<div>
Concepts
</div>
</a>
</div>
<div id="collapse7" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header7">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="A broad overview of the Istio system." href="/v0.8/docs/concepts/what-is-istio/">What is Istio? </a>
</label>
<ul class="tree collapse">
<li>
<a title="Provides a conceptual introduction to Istio, including the problems it solves and its high-level architecture." href="/v0.8/docs/concepts/what-is-istio/overview/">Overview</a>
</li>
<li>
<a title="Describes the core principles that Istio&#39;s design adheres to." href="/v0.8/docs/concepts/what-is-istio/goals/">Design Goals</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes the various Istio features focused on traffic routing and control." href="/v0.8/docs/concepts/traffic-management/">Traffic Management </a>
</label>
<ul class="tree collapse">
<li>
<a title="Provides a conceptual overview of traffic management in Istio and the features it enables." href="/v0.8/docs/concepts/traffic-management/overview/">Overview</a>
</li>
<li>
<a title="Introduces Pilot, the component responsible for managing a distributed deployment of Envoy proxies in the service mesh." href="/v0.8/docs/concepts/traffic-management/pilot/">Pilot</a>
</li>
<li>
<a title="Describes how requests are routed between services in an Istio service mesh." href="/v0.8/docs/concepts/traffic-management/request-routing/">Request Routing</a>
</li>
<li>
<a title="Describes how traffic is load balanced across instances of a service in the mesh." href="/v0.8/docs/concepts/traffic-management/load-balancing/">Discovery &amp; Load Balancing</a>
</li>
<li>
<a title="An overview of failure recovery capabilities in Envoy that can be leveraged by unmodified applications to improve robustness and prevent cascading failures." href="/v0.8/docs/concepts/traffic-management/handling-failures/">Handling Failures</a>
</li>
<li>
<a title="Introduces the idea of systematic fault injection that can be used to uncover conflicting failure recovery policies across services." href="/v0.8/docs/concepts/traffic-management/fault-injection/">Fault Injection</a>
</li>
<li>
<a title="Provides a high-level overview of the configuration model used by Istio to configure traffic management rules in the service mesh." href="/v0.8/docs/concepts/traffic-management/rules-configuration/">Rules Configuration</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes Istio&#39;s authorization and authentication functionality." href="/v0.8/docs/concepts/security/">Security </a>
</label>
<ul class="tree collapse">
<li>
<a title="Describes Istio&#39;s authentication policy" href="/v0.8/docs/concepts/security/authn-policy/">Authentication Policy</a>
</li>
<li>
<a title="Describes Istio&#39;s mutual TLS authentication architecture which provides a strong service identity and secure communication channels between services." href="/v0.8/docs/concepts/security/mutual-tls/">Mutual TLS Authentication</a>
</li>
<li>
<a title="Describes Istio RBAC which provides access control for services in Istio Mesh." href="/v0.8/docs/concepts/security/rbac/">Istio Role-Based Access Control (RBAC)</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Introduces the policy control snd telemetry collection mechanisms." href="/v0.8/docs/concepts/policies-and-telemetry/">Policies and Telemetry </a>
</label>
<ul class="tree collapse">
<li>
<a title="Describes the design of the policy and telemetry mechanisms." href="/v0.8/docs/concepts/policies-and-telemetry/overview/">Overview</a>
</li>
<li>
<a title="An overview of the key concepts used to configure Istio&#39;s policy enforcement and telemetry collection features." href="/v0.8/docs/concepts/policies-and-telemetry/config/">Configuration</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header22">
<a data-toggle="collapse" href="#collapse22" title="Setup contains instructions for installing the Istio control plane in various environments (e.g., Kubernetes, Consul, etc.), as well as instructions for installing the sidecar in the application deployment." role="button" aria-controls="collapse22">
<div>
Setup
</div>
</a>
</div>
<div id="collapse22" class="collapse show" data-parent="#sidebar" role="tabpanel" aria-labelledby="header22">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-down'></i>
<a title="Instructions for installing the Istio control plane on Kubernetes and adding VMs into the mesh." href="/v0.8/docs/setup/kubernetes/">Kubernetes </a>
</label>
<ul class="tree">
<li>
<a title="Quick start instructions to setup the Istio service mesh in a Kubernetes cluster." href="/v0.8/docs/setup/kubernetes/quick-start/">Quick Start</a>
</li>
<li>
<a title="Quick Start instructions to setup the Istio service using Google Kubernetes Engine (GKE)" href="/v0.8/docs/setup/kubernetes/quick-start-gke-dm/">Quick Start with Google Kubernetes Engine</a>
</li>
<li>
<a title="Install Istio with the included Helm chart." href="/v0.8/docs/setup/kubernetes/helm-install/">Installation with Helm</a>
</li>
<li>
<a title="Install Istio with the included Ansible playbook." href="/v0.8/docs/setup/kubernetes/ansible-install/">Installation with Ansible</a>
</li>
<li>
<span class="current" title="Instructions for installing the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI.">Installing the Istio Sidecar</span>
</li>
<li>
<a title="Instructions for integrating VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href="/v0.8/docs/setup/kubernetes/mesh-expansion/">Mesh Expansion</a>
</li>
<li>
<a title="Install Istio with multicluster support." href="/v0.8/docs/setup/kubernetes/multicluster-install/">Istio Multicluster</a>
</li>
<li>
<a title="This guide demonstrates how to upgrade the Istio control plane and data plane independently." href="/v0.8/docs/setup/kubernetes/upgrading-istio/">Upgrading Istio</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href="/v0.8/docs/setup/consul/">Nomad &amp; Consul </a>
</label>
<ul class="tree collapse">
<li>
<a title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href="/v0.8/docs/setup/consul/quick-start/">Quick Start on Docker</a>
</li>
<li>
<a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href="/v0.8/docs/setup/consul/install/">Installation</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Instructions for installing the Istio control plane in a Eureka based environment." href="/v0.8/docs/setup/eureka/">Eureka </a>
</label>
<ul class="tree collapse">
<li>
<a title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href="/v0.8/docs/setup/eureka/quick-start/">Quick Start on Docker</a>
</li>
<li>
<a title="Instructions for installing the Istio control plane in an Eureka based environment." href="/v0.8/docs/setup/eureka/install/">Installation</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header37">
<a data-toggle="collapse" href="#collapse37" title="Tasks show you how to do a single specific targeted activity with the Istio system." role="button" aria-controls="collapse37">
<div>
Tasks
</div>
</a>
</div>
<div id="collapse37" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header37">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes tasks that demonstrate traffic routing features of Istio service mesh." href="/v0.8/docs/tasks/traffic-management/">Traffic Management </a>
</label>
<ul class="tree collapse">
<li>
<a title="This task shows you how to configure dynamic request routing based on weights and HTTP headers." href="/v0.8/docs/tasks/traffic-management/request-routing/">Configuring Request Routing</a>
</li>
<li>
<a title="This task shows how to inject delays and test the resiliency of your application." href="/v0.8/docs/tasks/traffic-management/fault-injection/">Fault Injection</a>
</li>
<li>
<a title="Shows you how to migrate traffic from an old to new version of a service." href="/v0.8/docs/tasks/traffic-management/traffic-shifting/">Traffic Shifting</a>
</li>
<li>
<a title="This task shows you how to setup request timeouts in Envoy using Istio." href="/v0.8/docs/tasks/traffic-management/request-timeouts/">Setting Request Timeouts</a>
</li>
<li>
<a title="Describes how to configure Istio to expose a service outside of the service mesh." href="/v0.8/docs/tasks/traffic-management/ingress/">Control Ingress Traffic</a>
</li>
<li>
<a title="Describes how to configure Istio to expose a service outside of the service mesh, over TLS or Mutual TLS." href="/v0.8/docs/tasks/traffic-management/secure-ingress/">Securing Gateways with HTTPS</a>
</li>
<li>
<a title="Describes how to configure Istio to route traffic from services in the mesh to external services." href="/v0.8/docs/tasks/traffic-management/egress/">Control Egress Traffic</a>
</li>
<li>
<a title="Describes how to configure Istio to perform TLS origination for traffic to external services" href="/v0.8/docs/tasks/traffic-management/egress-tls-origination/">TLS Origination for Egress Traffic</a>
</li>
<li>
<a title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway service" href="/v0.8/docs/tasks/traffic-management/egress-gateway/">Configure an Egress Gateway</a>
</li>
<li>
<a title="This task demonstrates the circuit-breaking capability for resilient applications" href="/v0.8/docs/tasks/traffic-management/circuit-breaking/">Circuit Breaking</a>
</li>
<li>
<a title="This task demonstrates the traffic shadowing/mirroring capabilities of Istio" href="/v0.8/docs/tasks/traffic-management/mirroring/">Mirroring</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Demonstrates how to secure the mesh." href="/v0.8/docs/tasks/security/">Security </a>
</label>
<ul class="tree collapse">
<li>
<a title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href="/v0.8/docs/tasks/security/authn-policy/">Basic Authentication Policy</a>
</li>
<li>
<a title="Shows you how to verify and test Istio&#39;s automatic mutual TLS authentication." href="/v0.8/docs/tasks/security/mutual-tls/">Testing Mutual TLS</a>
</li>
<li>
<a title="Shows how to control access to a service using the Kubernetes labels." href="/v0.8/docs/tasks/security/basic-access-control/">Basic Access Control</a>
</li>
<li>
<a title="Shows how to securely control access to a service using service accounts." href="/v0.8/docs/tasks/security/secure-access-control/">Secure Access Control</a>
</li>
<li>
<a title="Shows how to set up role-based access control for services in Istio mesh." href="/v0.8/docs/tasks/security/role-based-access-control/">Role-Based Access Control</a>
</li>
<li>
<a title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href="/v0.8/docs/tasks/security/plugin-ca-cert/">Plugging in external CA key and certificate</a>
</li>
<li>
<a title="Shows how to enable Citadel health checking with Kubernetes." href="/v0.8/docs/tasks/security/health-check/">Citadel health checking</a>
</li>
<li>
<a title="Shows how to enable mutual TLS on HTTPS services." href="/v0.8/docs/tasks/security/https-overlay/">Mutual TLS over HTTPS</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Demonstrates policy enforcement features." href="/v0.8/docs/tasks/policy-enforcement/">Policies </a>
</label>
<ul class="tree collapse">
<li>
<a title="This task shows you how to use Istio to dynamically limit the traffic to a service." href="/v0.8/docs/tasks/policy-enforcement/rate-limiting/">Enabling Rate Limits</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Demonstrates how to collect telemetry information from the mesh." href="/v0.8/docs/tasks/telemetry/">Telemetry </a>
</label>
<ul class="tree collapse">
<li>
<a title="How to configure the proxies to send tracing requests to Zipkin or Jaeger" href="/v0.8/docs/tasks/telemetry/distributed-tracing/">Distributed Tracing</a>
</li>
<li>
<a title="This task shows you how to configure Istio to collect metrics and logs." href="/v0.8/docs/tasks/telemetry/metrics-logs/">Collecting Metrics and Logs</a>
</li>
<li>
<a title="This task shows you how to configure Istio to collect metrics for TCP services." href="/v0.8/docs/tasks/telemetry/tcp-metrics/">Collecting Metrics for TCP services</a>
</li>
<li>
<a title="This task shows you how to query for Istio Metrics using Prometheus." href="/v0.8/docs/tasks/telemetry/querying-metrics/">Querying Metrics from Prometheus</a>
</li>
<li>
<a title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href="/v0.8/docs/tasks/telemetry/using-istio-dashboard/">Visualizing Metrics with Grafana</a>
</li>
<li>
<a title="This task shows you how to generate a graph of services within an Istio mesh." href="/v0.8/docs/tasks/telemetry/servicegraph/">Generating a Service Graph</a>
</li>
<li>
<a title="This task shows you how to configure Istio to log to a Fluentd daemon" href="/v0.8/docs/tasks/telemetry/fluentd/">Logging with Fluentd</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header48">
<a data-toggle="collapse" href="#collapse48" title="Guides include a variety of fully working example uses for Istio that you can experiment with." role="button" aria-controls="collapse48">
<div>
Guides
</div>
</a>
</div>
<div id="collapse48" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header48">
<div class="card-body">
<ul class="tree">
<li>
<a title="This guide deploys a sample application composed of four separate microservices which will be used to demonstrate various features of the Istio service mesh." href="/v0.8/docs/guides/bookinfo/">Bookinfo Sample Application</a>
</li>
<li>
<a title="This guide demonstrates how to use various traffic management capabilities of an Istio service mesh." href="/v0.8/docs/guides/intelligent-routing/">Intelligent Routing</a>
</li>
<li>
<a title="This sample demonstrates how to obtain uniform metrics, logs, traces across different services using Istio Mixer and Istio sidecar." href="/v0.8/docs/guides/telemetry/">In-Depth Telemetry</a>
</li>
<li>
<a title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href="/v0.8/docs/guides/endpoints/">Install Istio for Google Cloud Endpoints Services</a>
</li>
<li>
<a title="This sample deploys the Bookinfo services across Kubernetes and a set of virtual machines, and illustrates how to use the Istio service mesh to control this infrastructure as a single mesh." href="/v0.8/docs/guides/integrating-vms/">Integrating Virtual Machines</a>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header77">
<a data-toggle="collapse" href="#collapse77" title="Introduces Performance and Scalability methodology, results and best practices for Istio components." role="button" aria-controls="collapse77">
<div>
Performance and Scalability
</div>
</a>
</div>
<div id="collapse77" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header77">
<div class="card-body">
<ul class="tree">
<li>
<a title="Provides a conceptual introduction to Istio&#39;s Performance and Scalability" href="/v0.8/docs/performance-and-scalability/overview/">Overview</a>
</li>
<li>
<a title="Performance measurement through code level micro-benchmarks." href="/v0.8/docs/performance-and-scalability/microbenchmarks/">Micro Benchmarks</a>
</li>
<li>
<a title="The different scenarios we are tracking for performance and scalability." href="/v0.8/docs/performance-and-scalability/scenarios/">Testing scenarios</a>
</li>
<li>
<a title="Fortio is our simple synthetic http and grpc benchmarking tool." href="/v0.8/docs/performance-and-scalability/synthetic-benchmarks/">Synthetic End to End benchmarks</a>
</li>
<li>
<a title="Performance measurement through realistic micro service application tests." href="/v0.8/docs/performance-and-scalability/realistic-app-benchmark/">Realistic Application Benchmark</a>
</li>
<li>
<a title="How we ensure performance is tracked and improves or does not regress across releases." href="/v0.8/docs/performance-and-scalability/performance-testing-automation/">Automation</a>
</li>
<li>
<a title="Setup of Istio components to scale horizontally. High availability. Sizing guide." href="/v0.8/docs/performance-and-scalability/scalability/">Scalability and Sizing Guide</a>
</li>
</ul>
</div>
</div>
</div>
<div class="card">
<div class="card-header" role="tab" id="header85">
<a data-toggle="collapse" href="#collapse85" title="The Reference section contains detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." role="button" aria-controls="collapse85">
<div>
Reference
</div>
</a>
</div>
<div id="collapse85" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header85">
<div class="card-body">
<ul class="tree">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Detailed information on configuration options." href="/v0.8/docs/reference/config/">Configuration </a>
</label>
<ul class="tree collapse">
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes how to configure Istio&#39;s policy and telemetry features." href="/v0.8/docs/reference/config/policy-and-telemetry/">Policies and Telemetry </a>
</label>
<ul class="tree collapse">
<li>
<a title="Describes the base attribute vocabulary used for policy and control." href="/v0.8/docs/reference/config/policy-and-telemetry/attribute-vocabulary/">Attribute Vocabulary</a>
</li>
<li>
<a title="Mixer config expression language reference." href="/v0.8/docs/reference/config/policy-and-telemetry/expression-language/">Expression Language</a>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/">Adapters </a>
</label>
<ul class="tree collapse">
<li>
<a title="Adapter for circonus.com&#39;s monitoring solution." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/circonus/">Circonus</a>
</li>
<li>
<a title="Adapter for cloudwatch metrics." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/">CloudWatch</a>
</li>
<li>
<a title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/datadog/">Datadog</a>
</li>
<li>
<a title="Adapter that always returns a precondition denial." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/denier/">Denier</a>
</li>
<li>
<a title="Adapter that delivers logs to a fluentd daemon." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/fluentd/">Fluentd</a>
</li>
<li>
<a title="Adapter that extracts information from a Kubernetes environment." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/">Kubernetes Env</a>
</li>
<li>
<a title="Adapter that performs whitelist or blacklist checks" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/list/">List</a>
</li>
<li>
<a title="Adapter for a simple in-memory quota management system." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/memquota/">Memory quota</a>
</li>
<li>
<a title="Adapter that implements an Open Policy Agent engine" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/opa/">OPA</a>
</li>
<li>
<a title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/prometheus/">Prometheus</a>
</li>
<li>
<a title="Adapter that exposes Istio&#39;s Role-Based Access Control model." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/rbac/">RBAC</a>
</li>
<li>
<a title="Adapter for a Redis-based quota management system." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/redisquota/">Redis Quota</a>
</li>
<li>
<a title="Adapter that delivers logs and metrics to Google Service Control" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/servicecontrol/">Service Control</a>
</li>
<li>
<a title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/solarwinds/">SolarWinds</a>
</li>
<li>
<a title="Adapter to deliver logs and metrics to Stackdriver" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/stackdriver/">Stackdriver</a>
</li>
<li>
<a title="Adapter to deliver metrics to a StatsD backend" href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/statsd/">StatsD</a>
</li>
<li>
<a title="Adapter for outputting logs and metrics locally." href="/v0.8/docs/reference/config/policy-and-telemetry/adapters/stdio/">Stdio</a>
</li>
</ul>
</li>
<li>
<a title="Default Metrics exported from Istio through Mixer." href="/v0.8/docs/reference/config/policy-and-telemetry/metrics/">Default Metrics</a>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Mixer templates are used to send data to individual adapters." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/">Templates </a>
</label>
<ul class="tree collapse">
<li>
<a title="A template that represents a single API key." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/apikey/">API Key</a>
</li>
<li>
<a title="A template used to represent an access control query." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/authorization/">Authorization</a>
</li>
<li>
<a title="A template that carries no data, useful for testing." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/checknothing/">Check Nothing</a>
</li>
<li>
<a title="A template that is used to control the production of Kubernetes-specific attributes." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/kubernetes/">Kubernetes</a>
</li>
<li>
<a title="A template designed to let you perform list checking operations." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/listentry/">List Entry</a>
</li>
<li>
<a title="A template that represents a single runtime log entry." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/logentry/">Log Entry</a>
</li>
<li>
<a title="A template that represents a single runtime metric." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/metric/">Metric</a>
</li>
<li>
<a title="A template that represents a quota allocation request" href="/v0.8/docs/reference/config/policy-and-telemetry/templates/quota/">Quota</a>
</li>
<li>
<a title="A template that carries no data, useful for testing." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/reportnothing/">Report Nothing</a>
</li>
<li>
<a title="A template used by the Google Service Control adapter." href="/v0.8/docs/reference/config/policy-and-telemetry/templates/servicecontrolreport/">Service Control Report</a>
</li>
</ul>
</li>
<li>
<a title="Describes the rules used to configure Mixer&#39;s policy and telemetry features." href="/v0.8/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/">Rules</a>
</li>
</ul>
</li>
<li>
<a title="Configuration for Role Based Access Control" href="/v0.8/docs/reference/config/istio.rbac.v1alpha1/">RBAC</a>
</li>
<li>
<a title="Configuration affecting traffic routing" href="/v0.8/docs/reference/config/istio.routing.v1alpha1/">Route Rules v1alpha1 (deprecated)</a>
</li>
<li>
<a title="Configuration affecting traffic routing" href="/v0.8/docs/reference/config/istio.networking.v1alpha3/">Route Rules v1alpha3</a>
</li>
</ul>
</li>
<li class="sublist">
<label class='tree-toggle'>
<i class='fa fa-lg fa-caret-right'></i>
<a title="Describes usage and options of the Istio commands and utilities." href="/v0.8/docs/reference/commands/">Commands </a>
</label>
<ul class="tree collapse">
<li>
<a title="Istio Certificate Authority (CA)" href="/v0.8/docs/reference/commands/istio_ca/">istio_ca</a>
</li>
<li>
<a title="Istio control interface" href="/v0.8/docs/reference/commands/istioctl/">istioctl</a>
</li>
<li>
<a title="Utility to trigger direct calls to Mixer&amp;#39;s API." href="/v0.8/docs/reference/commands/mixc/">mixc</a>
</li>
<li>
<a title="Mixer is Istio&amp;#39;s abstraction on top of infrastructure backends." href="/v0.8/docs/reference/commands/mixs/">mixs</a>
</li>
<li>
<a title="Istio security per-node agent" href="/v0.8/docs/reference/commands/node_agent/">node_agent</a>
</li>
<li>
<a title="Istio Pilot agent" href="/v0.8/docs/reference/commands/pilot-agent/">pilot-agent</a>
</li>
<li>
<a title="Istio Pilot" href="/v0.8/docs/reference/commands/pilot-discovery/">pilot-discovery</a>
</li>
<li>
<a title="Kubernetes webhook for automatic Istio sidecar injection" href="/v0.8/docs/reference/commands/sidecar-injector/">sidecar-injector</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</div>
</div>
</nav>
</div>
<div class="col-12 col-md-9 col-xl-8">
<p class="d-md-none">
<label class="sidebar-toggler" data-toggle="offcanvas">
<i class="fa fa-sign-out-alt"></i>
</label>
</p>
<main aria-labelledby="title">
<h1 id="title">Installing the Istio Sidecar</h1>
<nav class="toc-inlined d-xl-none d-print-none" >
<div class="directory" role="directory">
<nav id="InlinedTableOfContents">
<ul>
<li><a href="#pod-spec-requirements">Pod spec requirements</a></li>
<li><a href="#injection">Injection</a>
<ul>
<li><a href="#manual-sidecar-injection">Manual sidecar injection</a></li>
<li><a href="#automatic-sidecar-injection">Automatic sidecar injection</a></li>
</ul>
</li>
</ul>
</nav>
</div>
</nav>
<blockquote>
<p>The following requires Istio 0.5 or greater. See
<a href="https://archive.istio.io/v0.4/docs/setup/kubernetes/sidecar-injection">https://archive.istio.io/v0.4/docs/setup/kubernetes/sidecar-injection</a>
for Istio 0.4 or prior.</p>
<p>In previous releases, the Kubernetes initializer feature was used for automatic proxy injection. This was an Alpha feature, subject to change/removal,
and not enabled by default in Kubernetes. Starting in Kubernetes 1.9 it was replaced by a beta feature called
<a href="https://kubernetes.io/docs/admin/admission-controllers/#mutatingadmissionwebhook-beta-in-19">mutating webhooks</a>, which is now enabled by default in
Kubernetes 1.9 and beyond. Starting with Istio 0.5.0 the automatic proxy injection uses mutating webhooks, and support for injection by initializer has been
removed. Users who cannot upgrade to Kubernetes 1.9 should use manual injection.</p>
</blockquote>
<h2 id="pod-spec-requirements">Pod spec requirements</h2>
<p>In order to be a part of the service mesh, each pod in the Kubernetes
cluster must satisfy the following requirements:</p>
<ol>
<li>
<p><em><strong>Service association</strong>:</em> The pod must belong to a <em>single</em>
<a href="https://kubernetes.io/docs/concepts/services-networking/service/">Kubernetes Service</a>
(pods that belong to multiple services are not supported as of now).</p>
</li>
<li>
<p><em><strong>Named ports</strong>:</em> Service ports must be named. The port names must be of
the form <code>&lt;protocol&gt;[-&lt;suffix&gt;]</code> with <em>http</em>, <em>http2</em>, <em>grpc</em>, <em>mongo</em>, or <em>redis</em>
as the <code>&lt;protocol&gt;</code> in order to take advantage of Istio's routing features.
For example, <code>name: http2-foo</code> or <code>name: http</code> are valid port names, but
<code>name: http2foo</code> is not. If the port name does not begin with a recognized
prefix or if the port is unnamed, traffic on the port will be treated as
plain TCP traffic (unless the port explicitly uses <code>Protocol: UDP</code> to
signify a UDP port).</p>
</li>
<li>
<p><em><strong>Deployments with app label</strong>:</em> It is recommended that Pods deployed using
the Kubernetes <code>Deployment</code> have an explicit <code>app</code> label in the
Deployment specification. Each deployment specification should have a
distinct <code>app</code> label with a value indicating something meaningful. The
<code>app</code> label is used to add contextual information in distributed
tracing.</p>
</li>
<li>
<p><em><strong>Sidecar in every pod in mesh</strong>:</em> Finally, each pod in the mesh must be
running an Istio compatible sidecar. The following sections describe two
ways of injecting the Istio sidecar into a pod: manually using <code>istioctl</code>
CLI tool or automatically using the Istio Initializer. Note that the
sidecar is not involved in traffic between containers in the same pod.</p>
</li>
</ol>
<h2 id="injection">Injection</h2>
<p>Manual injection modifies the controller configuration, e.g. deployment. It
does this by modifying the pod template spec such that <em>all</em> pods for that
deployment are created with the injected sidecar. Adding/Updating/Removing
the sidecar requires modifying the entire deployment.</p>
<p>Automatic injection injects at pod creation time. The controller resource is
unmodified. Sidecars can be updated selectively by manually deleting a pods or
systematically with a deployment rolling update.</p>
<p>Manual and automatic injection use the same templated configuration. Automatic
injection loads the configuration from the <code>istio-sidecar-injector</code> ConfigMap in the
<code>istio-system</code> namespace. Manual injection can load from a local file or from
the ConfigMap.</p>
<h3 id="manual-sidecar-injection">Manual sidecar injection</h3>
<p>Use the built-in defaults template and dynamically fetch the mesh
configuration from the <code>istio</code> ConfigMap. Additional parameter overrides
are available via flags (see <code>istioctl kube-inject --help</code>).</p>
<pre><code class="language-command" data-lang="command">$ kubectl apply -f &lt;(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
</code></pre><p><code>kube-inject</code> can also be run without access to a running Kubernetes
cluster. Create local copies of the injection and mesh configmap.</p>
<blockquote>
<p>The <code>istioctl kube-inject</code> operation may not be repeated on the output
from a previous <code>kube-inject</code>. The <code>kube-inject</code> operation is not idempotent.
For upgrade purposes, if using manual injection, it is recommended to keep
the original non-injected <code>yaml</code> file so that the dataplane sidecars may be
updated.</p>
</blockquote>
<pre><code class="language-command" data-lang="command">$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath='{.data.config}' &gt; inject-config.yaml
$ kubectl -n istio-system get configmap istio -o=jsonpath='{.data.mesh}' &gt; mesh-config.yaml
</code></pre><p>Run <code>kube-inject</code> over the input file.</p>
<pre><code class="language-command" data-lang="command">$ istioctl kube-inject \
--injectConfigFile inject-config.yaml \
--meshConfigFile mesh-config.yaml \
--filename @samples/sleep/sleep.yaml@ \
--output sleep-injected.yaml
</code></pre><p>Deploy the injected YAML file.</p>
<pre><code class="language-command" data-lang="command">$ kubectl apply -f sleep-injected.yaml
</code></pre><p>Verify that the sidecar has been injected into the deployment.</p>
<pre><code class="language-command" data-lang="command">$ kubectl get deployment sleep -o wide
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
sleep 1 1 1 1 2h sleep,istio-proxy tutum/curl,unknown/proxy:unknown app=sleep
</code></pre><h3 id="automatic-sidecar-injection">Automatic sidecar injection</h3>
<p>Sidecars can be automatically added to applicable Kubernetes pods using a
<a href="https://kubernetes.io/docs/admin/admission-controllers/#validatingadmissionwebhook-alpha-in-18-beta-in-19">mutating webhook admission controller</a>. This feature requires Kubernetes 1.9 or later. Verify that the kube-apiserver process has the <code>admission-control</code> flag set with the <code>MutatingAdmissionWebhook</code> and <code>ValidatingAdmissionWebhook</code> admission controllers added and listed in the correct order and the admissionregistration API is enabled.</p>
<pre><code class="language-command" data-lang="command">$ kubectl api-versions | grep admissionregistration
admissionregistration.k8s.io/v1alpha1
admissionregistration.k8s.io/v1beta1
</code></pre><p>See the Kubernetes <a href="/v0.8/docs/setup/kubernetes/quick-start/">quick start</a> guide for instructions on installing Kubernetes version &gt;= 1.9.</p>
<p>Note that unlike manual injection, automatic injection occurs at the pod-level. You won't see any change to the deployment itself. Instead you'll want to check individual pods (via <code>kubectl describe</code>) to see the injected proxy.</p>
<h4 id="disabling-or-updating-the-webhook">Disabling or updating the webhook</h4>
<p>The sidecar injecting webhook is enabled by default. If you wish to disable the webhook, you can
use <a href="/v0.8/docs/setup/kubernetes/helm-install/">Helm</a> to generate an updated istio.yaml
with the option <code>sidecarInjectorWebhook.enabled</code> set to <code>false</code>. E.g.</p>
<pre><code class="language-command" data-lang="command">$ helm template --namespace=istio-system --set sidecarInjectorWebhook.enabled=false @install/kubernetes/helm/istio@ &gt; istio.yaml
$ kubectl create ns istio-system
$ kubectl apply -n istio-system -f istio.yaml
</code></pre><p>In addition, there are some other configuration parameters defined for the sidecar injector webhook
service in <code>values.yaml</code>. You can override the default values to customize the installation.</p>
<h4 id="deploying-an-app">Deploying an app</h4>
<p>Deploy sleep app. Verify both deployment and pod have a single container.</p>
<pre><code class="language-command" data-lang="command">$ kubectl apply -f @samples/sleep/sleep.yaml@
$ kubectl get deployment -o wide
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
sleep 1 1 1 1 12m sleep tutum/curl app=sleep
</code></pre><pre><code class="language-command" data-lang="command">$ kubectl get pod
NAME READY STATUS RESTARTS AGE
sleep-776b7bcdcd-7hpnk 1/1 Running 0 4
</code></pre><p>Label the <code>default</code> namespace with <code>istio-injection=enabled</code></p>
<pre><code class="language-command" data-lang="command">$ kubectl label namespace default istio-injection=enabled
$ kubectl get namespace -L istio-injection
NAME STATUS AGE ISTIO-INJECTION
default Active 1h enabled
istio-system Active 1h
kube-public Active 1h
kube-system Active 1h
</code></pre><p>Injection occurs at pod creation time. Kill the running pod and verify a new pod is created with the injected sidecar. The original pod has 1/1 READY containers and the pod with injected sidecar has 2/2 READY containers.</p>
<pre><code class="language-command" data-lang="command">$ kubectl delete pod sleep-776b7bcdcd-7hpnk
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
sleep-776b7bcdcd-7hpnk 1/1 Terminating 0 1m
sleep-776b7bcdcd-bhn9m 2/2 Running 0 7s
</code></pre><p>View detailed state of the injected pod. You should see the injected <code>istio-proxy</code> container and corresponding volumes. Be sure to substitute the correct name for the <code>Running</code> pod below.</p>
<pre><code class="language-command" data-lang="command">$ kubectl describe pod sleep-776b7bcdcd-bhn9m
</code></pre><p>Disable injection for the <code>default</code> namespace and verify new pods are created without the sidecar.</p>
<pre><code class="language-command" data-lang="command">$ kubectl label namespace default istio-injection-
$ kubectl delete pod sleep-776b7bcdcd-bhn9m
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
sleep-776b7bcdcd-bhn9m 2/2 Terminating 0 2m
sleep-776b7bcdcd-gmvnr 1/1 Running 0 2s
</code></pre><h4 id="understanding-what-happened">Understanding what happened</h4>
<p><a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#mutatingwebhookconfiguration-v1beta1-admissionregistration">admissionregistration.k8s.io/v1beta1#MutatingWebhookConfiguration</a>
configures when the webhook is invoked by Kubernetes. The default
supplied with Istio selects pods in namespaces with label <code>istio-injection=enabled</code>.
This can be changed by modifying the MutatingWebhookConfiguration in
<code>install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml</code>.</p>
<p>The <code>istio-sidecar-injector</code> ConfigMap in the <code>istio-system</code> namespace has the default
injection policy and sidecar injection template.</p>
<h5 id="-policy-"><em><strong>policy</strong></em></h5>
<p><code>disabled</code> - The sidecar injector will not inject the sidecar into
pods by default. Add the <code>sidecar.istio.io/inject</code> annotation with
value <code>true</code> to the pod template spec to enable injection.</p>
<p><code>enabled</code> - The sidecar injector will inject the sidecar into pods by
default. Add the <code>sidecar.istio.io/inject</code> annotation with
value <code>false</code> to the pod template spec to disable injection.</p>
<p>The following example uses the <code>sidecar.istio.io/inject</code> annotation to disable sidecar injection.</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: ignored
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: <span style="color:#e6db74">&#34;false&#34;</span>
spec:
containers:
- name: ignored
image: tutum/curl
command: [<span style="color:#e6db74">&#34;/bin/sleep&#34;</span>,<span style="color:#e6db74">&#34;infinity&#34;</span>]
</code></pre></div><h5 id="-template-"><em><strong>template</strong></em></h5>
<p>The sidecar injection template uses <a href="https://golang.org/pkg/text/template">https://golang.org/pkg/text/template</a> which,
when parsed and executed, is decoded to the following
struct containing the list of containers and volumes to inject into the pod.</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-go" data-lang="go"><span style="color:#66d9ef">type</span> <span style="color:#a6e22e">SidecarInjectionSpec</span> <span style="color:#66d9ef">struct</span> {
<span style="color:#a6e22e">InitContainers</span> []<span style="color:#a6e22e">v1</span>.<span style="color:#a6e22e">Container</span> <span style="color:#e6db74">`</span><span style="color:#e6db74">yaml:&#34;initContainers&#34;</span><span style="color:#e6db74">`</span>
<span style="color:#a6e22e">Containers</span> []<span style="color:#a6e22e">v1</span>.<span style="color:#a6e22e">Container</span> <span style="color:#e6db74">`</span><span style="color:#e6db74">yaml:&#34;containers&#34;</span><span style="color:#e6db74">`</span>
<span style="color:#a6e22e">Volumes</span> []<span style="color:#a6e22e">v1</span>.<span style="color:#a6e22e">Volume</span> <span style="color:#e6db74">`</span><span style="color:#e6db74">yaml:&#34;volumes&#34;</span><span style="color:#e6db74">`</span>
}
</code></pre></div><p>The template is applied to the following data structure at runtime.</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-go" data-lang="go"><span style="color:#66d9ef">type</span> <span style="color:#a6e22e">SidecarTemplateData</span> <span style="color:#66d9ef">struct</span> {
<span style="color:#a6e22e">ObjectMeta</span> <span style="color:#f92672">*</span><span style="color:#a6e22e">metav1</span>.<span style="color:#a6e22e">ObjectMeta</span>
<span style="color:#a6e22e">Spec</span> <span style="color:#f92672">*</span><span style="color:#a6e22e">v1</span>.<span style="color:#a6e22e">PodSpec</span>
<span style="color:#a6e22e">ProxyConfig</span> <span style="color:#f92672">*</span><span style="color:#a6e22e">meshconfig</span>.<span style="color:#a6e22e">ProxyConfig</span> <span style="color:#75715e">// Defined by https://istio.io/docs/reference/config/service-mesh.html#proxyconfig
</span><span style="color:#75715e"></span> <span style="color:#a6e22e">MeshConfig</span> <span style="color:#f92672">*</span><span style="color:#a6e22e">meshconfig</span>.<span style="color:#a6e22e">MeshConfig</span> <span style="color:#75715e">// Defined by https://istio.io/docs/reference/config/service-mesh.html#meshconfig
</span><span style="color:#75715e"></span>}
</code></pre></div><p><code>ObjectMeta</code> and <code>Spec</code> are from the pod. <code>ProxyConfig</code> and <code>MeshConfig</code>
are from the <code>istio</code> ConfigMap in the <code>istio-system</code> namespace. Templates can conditional
define injected containers and volumes with this data.</p>
<p>For example, the following template snippet from <code>install/kubernetes/istio-sidecar-injector-configmap-release.yaml</code></p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-plain" data-lang="plain">containers:
- name: istio-proxy
image: istio.io/proxy:0.5.0
args:
- proxy
- sidecar
- --configPath
- {{ .ProxyConfig.ConfigPath }}
- --binaryPath
- {{ .ProxyConfig.BinaryPath }}
- --serviceCluster
{{ if ne &#34;&#34; (index .ObjectMeta.Labels &#34;app&#34;) -}}
- {{ index .ObjectMeta.Labels &#34;app&#34; }}
{{ else -}}
- &#34;istio-proxy&#34;
{{ end -}}
</code></pre></div><p>expands to</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">containers:
- name: istio-proxy
image: istio.io/proxy:<span style="color:#ae81ff">0.5</span><span style="color:#ae81ff">.0</span>
args:
- proxy
- sidecar
- --configPath
- /etc/istio/proxy
- --binaryPath
- /usr/local/bin/envoy
- --serviceCluster
- sleep
</code></pre></div><p>when applied over a pod defined by the pod template spec in <a href="https://raw.githubusercontent.com/istio/istio/release-0.8/samples/sleep/sleep.yaml">samples/sleep/sleep.yaml</a>.</p>
<h4 id="uninstalling-the-webhook">Uninstalling the webhook</h4>
<pre><code class="language-command" data-lang="command">$ kubectl delete -f @install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml@
</code></pre><p>The above command will not remove the injected sidecars from
Pods. A rolling update or simply deleting the pods and forcing
the deployment to create them is required.</p>
<p>Optionally, if may be also be desirable to clean-up other resources that were created in this task. This includes the secret holding the cert/key and CSR used to sign them, as well as any namespace that was labeled for injection.</p>
<pre><code class="language-command" data-lang="command">$ kubectl -n istio-system delete secret sidecar-injector-certs
$ kubectl delete csr istio-sidecar-injector.istio-system
$ kubectl label namespace default istio-injection-
</code></pre>
</main>
<div class="container-fluid d-print-none">
<br/><hr/><br/>
<div class="row">
<div class="col-6">
<a title="Install Istio with the included Ansible playbook." href="/v0.8/docs/setup/kubernetes/ansible-install/"><i class="fa fa-arrow-left"></i> Installation with Ansible</a>
</div>
<div class="col-6" style="text-align: right">
<a title="Instructions for integrating VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href="/v0.8/docs/setup/kubernetes/mesh-expansion/">Mesh Expansion <i class="fa fa-arrow-right"></i></a>
</div>
</div>
</div>
<div class="d-none d-print-block" aria-hidden="true">
<h2>Links</h2>
<ol id="endnotes"></ol>
</div>
</div>
<div class="col-12 col-md-2 d-none d-xl-block d-print-none">
<nav class="toc">
<div class="spacer"></div>
<div id="toc" class="directory" role="directory">
<nav id="TableOfContents">
<ul>
<li><a href="#pod-spec-requirements">Pod spec requirements</a></li>
<li><a href="#injection">Injection</a>
<ul>
<li><a href="#manual-sidecar-injection">Manual sidecar injection</a></li>
<li><a href="#automatic-sidecar-injection">Automatic sidecar injection</a></li>
</ul>
</li>
</ul>
</nav>
</div>
</nav>
</div>
</div>
</div>
<footer class="d-print-none container-fluid">
<div class="row">
<div class="col-6 col-lg-4" role="navigation">
<div class="container-fluid">
<div class="row">
<div class="icon">
<span>istio-users@</span>
<a title="Join the istio-users@ mailing list to participate in discussions and get help troubleshooting problems"
href="https://groups.google.com/forum/#!forum/istio-users" aria-label="istio-users mailing list">
<svg viewBox="0 0 490 490">
<path d="M480,410.248H10c-5.523,0-10-4.477-10-10V89.752c0-5.523,4.477-10,10-10h470c5.522,0,10,4.477,10,10v310.495
C490,405.771,485.522,410.248,480,410.248z M20,390.248h450V99.752H20V390.248z"/>
<path d="M245,286.131c-2.083,0-4.167-0.649-5.931-1.948L48.64,143.929c-4.446-3.275-5.396-9.535-2.121-13.982
c3.275-4.447,9.535-5.396,13.982-2.121L245,263.712l184.5-135.886c4.447-3.274,10.709-2.326,13.982,2.121
c3.275,4.447,2.325,10.707-2.121,13.982L250.931,284.183C249.167,285.482,247.083,286.131,245,286.131z"/>
</svg>
</a>
</div>
<div class="icon">
<span>twitter</span>
<a title="Follow us on Twitter to get the latest news"
href="https://twitter.com/IstioMesh" aria-label="Twitter">
<svg viewBox="0 0 310 310">
<path d="M302.973,57.388c-4.87,2.16-9.877,3.983-14.993,5.463c6.057-6.85,10.675-14.91,13.494-23.73
c0.632-1.977-0.023-4.141-1.648-5.434c-1.623-1.294-3.878-1.449-5.665-0.39c-10.865,6.444-22.587,11.075-34.878,13.783
c-12.381-12.098-29.197-18.983-46.581-18.983c-36.695,0-66.549,29.853-66.549,66.547c0,2.89,0.183,5.764,0.545,8.598
C101.163,99.244,58.83,76.863,29.76,41.204c-1.036-1.271-2.632-1.956-4.266-1.825c-1.635,0.128-3.104,1.05-3.93,2.467
c-5.896,10.117-9.013,21.688-9.013,33.461c0,16.035,5.725,31.249,15.838,43.137c-3.075-1.065-6.059-2.396-8.907-3.977
c-1.529-0.851-3.395-0.838-4.914,0.033c-1.52,0.871-2.473,2.473-2.513,4.224c-0.007,0.295-0.007,0.59-0.007,0.889
c0,23.935,12.882,45.484,32.577,57.229c-1.692-0.169-3.383-0.414-5.063-0.735c-1.732-0.331-3.513,0.276-4.681,1.597
c-1.17,1.32-1.557,3.16-1.018,4.84c7.29,22.76,26.059,39.501,48.749,44.605c-18.819,11.787-40.34,17.961-62.932,17.961
c-4.714,0-9.455-0.277-14.095-0.826c-2.305-0.274-4.509,1.087-5.294,3.279c-0.785,2.193,0.047,4.638,2.008,5.895
c29.023,18.609,62.582,28.445,97.047,28.445c67.754,0,110.139-31.95,133.764-58.753c29.46-33.421,46.356-77.658,46.356-121.367
c0-1.826-0.028-3.67-0.084-5.508c11.623-8.757,21.63-19.355,29.773-31.536c1.237-1.85,1.103-4.295-0.33-5.998
C307.394,57.037,305.009,56.486,302.973,57.388z"/>
</svg>
</a>
</div>
<div class="icon">
<span>stack overflow</span>
<a title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio"
href="https://stackoverflow.com/questions/tagged/istio" aria-label="Stack Overflow">
<svg viewBox="0 0 120 120">
<polygon points="84.4,93.8 84.4,70.6 92.1,70.6 92.1,101.5 22.6,101.5 22.6,70.6 30.3,70.6 30.3,93.8 "/>
<path d="M38.8,68.4l37.8,7.9l1.6-7.6l-37.8-7.9L38.8,68.4z M43.8,50.4l35,16.3l3.2-7l-35-16.4L43.8,50.4z M53.5,33.2
l29.7,24.7l4.9-5.9L58.4,27.3L53.5,33.2z M72.7,14.9l-6.2,4.6l23,31l6.2-4.6L72.7,14.9z M38,86h38.6v-7.7H38V86z"/>
</svg>
</a>
</div>
<div class="icon">
<span>rocket chat</span>
<a title="Interactively chat with members of the Istio community."
href="https://istio.rocket.chat" aria-label="Rocket Chat">
<svg viewBox="0 0 512 512">
<path d="M496.293,255.338c0-24.103-7.21-47.215-21.437-68.699c-12.771-19.288-30.666-36.362-53.184-50.745
c-43.474-27.771-100.612-43.065-160.885-43.065c-20.131,0-39.974,1.702-59.222,5.072c-11.942-11.176-25.919-21.233-40.712-29.187
c-79.026-38.298-144.561-0.9-144.561-0.9s60.931,50.053,51.023,93.93c-27.259,27.041-42.033,59.646-42.033,93.594
c0,0.108,0.005,0.216,0.006,0.324c-0.001,0.108-0.006,0.216-0.006,0.324c0,33.949,14.774,66.554,42.033,93.595
c9.907,43.874-51.023,93.93-51.023,93.93s65.535,37.397,144.561-0.901c14.792-7.953,28.77-18.01,40.712-29.188
c19.249,3.372,39.091,5.072,59.222,5.072c60.272,0,117.411-15.294,160.885-43.064c22.518-14.383,40.412-31.457,53.184-50.742
c14.227-21.487,21.437-44.599,21.437-68.702c0-0.107-0.006-0.216-0.006-0.324C496.287,255.554,496.293,255.446,496.293,255.338z
M260.882,387.763c-25.367,0-49.66-2.932-72.107-8.282c-22.81,27.443-72.993,65.596-121.742,53.26
c15.857-17.031,39.352-45.81,34.32-93.207c-29.218-22.738-46.759-51.832-46.759-83.541c0-72.776,92.36-131.769,206.288-131.769
c113.928,0,206.288,58.993,206.288,131.769C467.17,328.765,374.81,387.763,260.882,387.763z M288.283,255.991
c0,15.133-12.27,27.403-27.4,27.403c-15.134,0-27.402-12.271-27.402-27.403s12.268-27.401,27.402-27.401
C276.014,228.59,288.283,240.858,288.283,255.991z M356.163,228.59c-15.133,0-27.4,12.268-27.4,27.401s12.268,27.403,27.4,27.403
c15.134,0,27.399-12.271,27.399-27.403S371.297,228.59,356.163,228.59z M165.601,228.59c-15.133,0-27.4,12.268-27.4,27.401
s12.268,27.403,27.4,27.403c15.134,0,27.401-12.271,27.401-27.403S180.735,228.59,165.601,228.59z"/>
</svg>
</a>
</div>
</div>
<div class="tag row d-none d-lg-flex">
for users
</div>
</div>
</div>
<div class="col-6 col-lg-4">
<p class="text-center copyright" role="contentinfo">
Istio
Archive
0.8<br>&copy; 2018 Istio Authors, <a href="https://policies.google.com/privacy">Privacy Policy</a><br>
Archived on July 31, 2018
</p>
</div>
<div class="col-6 col-lg-4 d-none d-lg-flex" role="navigation">
<div class="container-fluid">
<div class="row justify-content-end">
<div class="icon">
<span>istio-dev@</span>
<a title="Join the istio-dev@ mailing list to discuss development issues around the Istio project"
href="https://groups.google.com/forum/#!forum/istio-dev" aria-label="istio-dev mailing list">
<svg viewBox="0 0 490 490">
<path d="M480,410.248H10c-5.523,0-10-4.477-10-10V89.752c0-5.523,4.477-10,10-10h470c5.522,0,10,4.477,10,10v310.495
C490,405.771,485.522,410.248,480,410.248z M20,390.248h450V99.752H20V390.248z"/>
<path d="M245,286.131c-2.083,0-4.167-0.649-5.931-1.948L48.64,143.929c-4.446-3.275-5.396-9.535-2.121-13.982
c3.275-4.447,9.535-5.396,13.982-2.121L245,263.712l184.5-135.886c4.447-3.274,10.709-2.326,13.982,2.121
c3.275,4.447,2.325,10.707-2.121,13.982L250.931,284.183C249.167,285.482,247.083,286.131,245,286.131z"/>
</svg>
</a>
</div>
<div class="icon">
<span>github</span>
<a title="GitHub is where development takes place on Istio code"
href="https://github.com/istio/community" aria-label="GitHub">
<svg viewBox="0 0 478.165 478.165">
<path d="M349.22,55.768c6.136,14.046,10.241,37.556,4.224,54.69
c24.426,20.999,33.073,71.904,21.079,113.704c35.006,2.73,76.666-1.235,103.642,9.484c-25.183-3.248-59.651-9.563-91.987-7.431
c-6.136,0.458-15.361-0.239-14.903,8.408c37.735,3.008,75.092,6.117,105.894,15.779c-30.702-4.981-67.74-12.552-105.894-13.668
c-15.54,30.921-47.239,46.262-90.991,49.49c4.682,10.261,13.847,14.066,15.879,30.702c3.267,24.406-4.881,60.328,3.208,76.686
c4.064,7.89,10.579,8.009,14.863,14.604c-10.699,12.871-37.257-1.395-40.186-14.604c-5.14-22.852,7.89-58.256-6.415-73.737
c0.996,24.865-5.718,59.85,0.996,82.145c2.789,8.806,10.659,12.113,8.647,20.063c-49.809,5.08-28.989-64.373-37.177-105.356
c-7.471,0.697-4.204,11.197-4.224,15.76c-0.199,40.106,8.189,94.836-34.846,89.556c-1.315-8.348,5.838-11.217,8.467-19.007
c7.91-22.434-1.454-56.045,2.112-83.161c-16.417,12.512,1.793,55.666-8.428,77.961c-5.838,12.671-24.785,18.27-39.19,12.651
c1.873-9.464,11.695-7.989,15.879-16.875c5.818-12.452,0.02-30.244,2.092-48.494c-30.423,6.097-53.993-0.877-65.608-20.023
c-5.12-8.507-6.356-18.708-12.632-26.219c-6.117-7.551-16.098-8.507-19.087-18.808c37.755-9.185,39.17,38.771,73.06,39.807
c10.44,0.418,15.799-2.909,25.402-5.16c2.749-12.113,8.428-21.039,16.875-27.494c-42.078-5.658-76.865-18.788-93.023-50.466
c-38.293,1.893-73.339,7.013-105.894,14.843c29.547-10.679,65.807-14.604,104.778-15.819c-2.351-13.807-22.434-10.022-34.866-9.543
C47.677,227.17,18.449,230.138,0,233.645c26.817-9.543,64.233-8.348,100.454-8.428c-11.038-34.767-7.232-90.014,17.015-110.615
c-6.854-17.254-4.722-45.346,4.184-58.834c27.036,1.175,43.374,12.891,60.388,24.247c21.019-6.017,43.035-9.045,71.904-7.451
c12.133,0.677,24.705,6.097,33.731,5.32c8.906-0.877,18.728-10.898,27.534-14.843C326.507,58.099,336.17,56.206,349.22,55.768z"/>
</svg>
</a>
</div>
<div class="icon">
<span>drive</span>
<a title="Access our team drive if you'd like to take a look at the Istio technical design documents"
href="https://groups.google.com/forum/#!forum/istio-team-drive-access" aria-label="team drive">
<svg viewBox="0 0 207.027 207.027">
<path d="M69.866,15.557L0,138.919l28.732,52.552l143.288-0.029l35.008-59.588L136.39,15.735L69.866,15.557z M17.166,139.046
L74.268,38.205L91.21,67.783L33.24,168.447L17.166,139.046z M99.841,82.851l23.805,41.558l-47.732-0.006L99.841,82.851z
M163.434,176.443l-117.332,0.024l21.53-37.065l64.606,0.008l0.067,0.119l52.865-0.085L163.434,176.443z M140.932,124.411
L90.157,35.767l-2.966-5.178l40.751,0.121l57.003,93.706L140.932,124.411z"/>
</svg>
</a>
</div>
<div class="icon">
<span>working groups</span>
<a title="If you'd like to contribute to the Istio project, consider participating in our working groups"
href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md" aria-label="working groups">
<svg viewBox="0 -45 439.833 439.833">
<polygon points="246.048,195.833 299.966,235.085 319.497,227.296 276.278,195.833"/>
<polygon points="193.786,195.833 163.556,195.833 120.33,227.3 139.862,235.089"/>
<path d="M219.927,11.558c-23.854,0-37.057,12.362-36.814,36.182c0.348,32.623,14.211,52.414,36.814,52.068
c0,0,36.802,1.492,36.802-52.068C256.729,23.918,244.294,11.558,219.927,11.558z"/>
<path d="M285.017,124.567l-36.77-14.659l-8.608-7.256c-2.274-1.922-5.636-1.78-7.741,0.317l-11.973,11.904l-12.008-11.907
c-2.109-2.094-5.465-2.229-7.736-0.313l-8.611,7.256l-36.77,14.661c-11.842,4.715-11.83,46.647-12.848,50.497h155.93
C296.866,171.228,296.862,129.28,285.017,124.567z"/>
<path d="M77.976,228.568c0,0,36.801,1.492,36.801-52.068c0-23.82-12.434-36.182-36.801-36.182
c-23.854,0-37.057,12.362-36.814,36.182C41.509,209.124,55.372,228.915,77.976,228.568z"/>
<path d="M143.065,253.329l-36.77-14.658l-8.609-7.256c-2.275-1.923-5.635-1.781-7.742,0.315l-11.971,11.904l-12.008-11.908
c-2.109-2.094-5.465-2.229-7.736-0.312l-8.611,7.256l-36.77,14.66C1.006,258.045,1.018,299.977,0,303.827h155.93
C154.915,299.988,154.911,258.042,143.065,253.329z"/>
<path d="M361.878,228.568c0,0,36.801,1.492,36.801-52.068c0-23.82-12.434-36.182-36.801-36.182
c-23.854,0-37.057,12.362-36.812,36.182C325.411,209.124,339.274,228.915,361.878,228.568z"/>
<path d="M426.968,253.329l-36.77-14.658l-8.609-7.256c-2.273-1.923-5.635-1.781-7.742,0.315l-11.971,11.904l-12.008-11.908
c-2.109-2.094-5.465-2.229-7.736-0.312l-8.61,7.256l-36.771,14.66c-11.842,4.715-11.83,46.646-12.848,50.497h155.93
C438.817,299.988,438.812,258.042,426.968,253.329z"/>
</svg>
</a>
</div>
<div class="icon">
<span>slack</span>
<a title="Interactively discuss development issues with the Istio community on Slack (invitation-only)"
href="https://istio.slack.com" aria-label="slack">
<svg viewBox="0 0 31.444 31.443">
<path d="M31.202,16.369c-0.62-1.388-2.249-2.011-3.637-1.391l-1.325,0.594l-3.396-7.591l1.325-0.592
c1.388-0.622,2.01-2.25,1.389-3.637c-0.62-1.389-2.248-2.012-3.637-1.39l-1.324,0.593l-0.593-1.326
c-0.621-1.388-2.249-2.009-3.637-1.388c-1.388,0.62-2.009,2.247-1.389,3.637l0.593,1.325L7.98,8.598L7.388,7.273
c-0.621-1.39-2.249-2.009-3.637-1.39C2.363,6.504,1.742,8.132,2.362,9.52l0.592,1.324L1.63,11.438
c-1.388,0.621-2.01,2.247-1.389,3.636c0.62,1.388,2.249,2.01,3.637,1.39l1.325-0.594l3.394,7.592l-1.325,0.592
c-1.388,0.621-2.009,2.25-1.389,3.637c0.621,1.389,2.249,2.011,3.637,1.391l1.324-0.593l0.593,1.325
c0.621,1.389,2.249,2.01,3.637,1.389c1.387-0.62,2.009-2.248,1.388-3.636l-0.591-1.326l7.591-3.394l0.592,1.321
c0.621,1.391,2.248,2.013,3.637,1.392c1.388-0.619,2.01-2.248,1.389-3.637l-0.592-1.324l1.323-0.594
C31.201,19.384,31.823,17.757,31.202,16.369z M13.623,21.215l-3.395-7.593l7.591-3.394l3.395,7.591L13.623,21.215z"/>
</svg>
</a>
</div>
</div>
<div class="tag row justify-content-end text-right">
for developers
</div>
</div>
</div>
</div>
</footer>
<div class="d-xl-none d-print-none">
<button id="scroll-to-top" aria-hidden="true" onclick="scrollToTop()" title="Back to top"><i class="fa fa-lg fa-arrow-up"></i></button>
</div>
<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script>
<script src="https://www.google.com/cse/brand?form=search_form"></script>
<script src="/v0.8/js/all.min.js" data-manual></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink