
Alibaba Cloud Service Mesh: Configure sidecar proxy injection policies

Last Updated: Jan 24, 2024

Service Mesh (ASM) provides a sidecar injector that automatically injects sidecar proxies into new pods. You can configure policies for the sidecar injector and use namespace labels, pod labels, and pod annotations to select exactly the pods that receive a sidecar proxy, which keeps resource usage down and management simple. Based on the size and load of a cluster, you can also adjust the resource settings and replica count of the sidecar injector itself so that it stays available when many pods are created at once.

Prerequisites

A cluster is added to your ASM instance. For more information, see Add a cluster to an ASM instance.

Configure automatic sidecar proxy injection policies

You can select pods into which you want to inject sidecar proxies by using the labels of the namespaces to which the pods belong, the labels of the pods, or the annotations of the pods.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy injection.

  3. In the Injection strategy configuration management section of the Sidecar Proxy injection page, configure an automatic injection policy.

    A sidecar proxy is automatically injected into a pod only if the pod meets both the conditions selected under the Pod namespace label should meet condition and Pod label/annotation should meet condition parameters.

    Condition

    Description

    Pod namespace label should meet condition

    The condition that must be met by the label of the namespace to which the pod belongs so that a sidecar proxy can be automatically injected.

    • Include istio-injection: enabled: If the namespace to which the pod belongs contains the istio-injection: enabled label, a sidecar proxy can be automatically injected into the pod.

    • Not include istio-injection: disabled: If the namespace to which the pod belongs does not contain the istio-injection: disabled label, a sidecar proxy can be automatically injected into the pod.

    Pod label/annotation should meet condition

    The pod label or pod annotation requirement that must be met by the pod so that a sidecar proxy can be automatically injected.

    • Not include sidecar.istio.io/inject: "false": If the pod does not contain the sidecar.istio.io/inject: "false" label or annotation, a sidecar proxy can be automatically injected into the pod.

    • Include sidecar.istio.io/inject: "true": If the pod contains the sidecar.istio.io/inject: "true" label or annotation, a sidecar proxy can be automatically injected into the pod.

      Note
      • For ASM instances of versions earlier than 1.12, only pod annotations can be used for determining whether a sidecar proxy can be automatically injected.

      • For ASM instances of version 1.12 and later, pod labels or pod annotations can be used for determining whether a sidecar proxy can be automatically injected.

        A pod label takes precedence over a pod annotation when automatic sidecar proxy injection is determined. For example, if a pod carries both the sidecar.istio.io/inject: "true" label and the sidecar.istio.io/inject: "false" annotation, the label wins: the pod is treated as sidecar.istio.io/inject: "true" and the annotation is ignored.

  4. (Optional) In the lower part of the Injection strategy configuration management section, click Show Advanced Settings to configure parameters as required.

    Parameter

    Description

    Label selector for pods that are always injected (AlwaysInjectSelector)

    AlwaysInjectSelector is a configurable pod label selector. Pods selected by AlwaysInjectSelector are considered to contain the sidecar.istio.io/inject: "true" label or annotation.

    Label selector for pods that are never injected (NeverInjectSelector)

    NeverInjectSelector is a configurable pod label selector. Pods selected by NeverInjectSelector are considered to contain the sidecar.istio.io/inject: "false" label or annotation.

    Note

    Both AlwaysInjectSelector and NeverInjectSelector are pod label selectors. They are configured in the same way and can contain multiple lines. Each line describes a label selection expression. A pod is selected by a pod label selector if a label of the pod matches one of the label selection expressions.

    Each label selection expression contains the following three parts:

    • Key: the label key that the expression looks up in the pod's labels.

    • Operator: the test that the expression applies to that key. Valid values:

      • In: the pod matches if it has the key and the label value is one of the specified values.

      • NotIn: the pod matches if it does not have the key, or has it with a value that is none of the specified values.

      • Exists: the pod matches if it has the key, whatever the value.

      • DoesNotExist: the pod matches if it does not have the key.

    • Values: the list of values compared when Operator is In or NotIn. Ignored for Exists and DoesNotExist.

    NotIn and DoesNotExist also match pods that carry no such label at all (standard Kubernetes matchExpressions semantics). A NeverInjectSelector written as key NotIn [value] therefore excludes every pod that lacks the label, not only pods that set it to a different value; use In or Exists when you want to exclude only pods that opt in explicitly.

  5. In the lower part of the page, click Update Settings.
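The decision rules in the two tables above, written out as runnable code. This is an added example, not ASM or Istio code: it implements the rules the page states (both conditions must hold; a pod label outranks a pod annotation on ASM 1.12 and later, while earlier instances read only the annotation; a pod matched by AlwaysInjectSelector or NeverInjectSelector is treated as carrying sidecar.istio.io/inject "true" or "false"; selector lines are OR-ed). The page does not say how an explicit pod label or annotation is weighed against the two selectors; the order used here (explicit value first, then NeverInjectSelector, then AlwaysInjectSelector) is upstream Istio's and is an assumption for ASM. The Policy class, its field names, and the condition strings are this example's own, not console or API identifiers.

```python
"""Model of ASM's automatic sidecar injection decision (added example, not ASM code)."""
from dataclasses import dataclass, field

INJECT_KEY = "sidecar.istio.io/inject"
NS_KEY = "istio-injection"


def match_expression(labels: dict, key: str, operator: str, values=()) -> bool:
    """One label selection expression, with Kubernetes matchExpressions semantics:
    NotIn and DoesNotExist also match a pod that lacks the key entirely."""
    if operator == "In":
        return key in labels and labels[key] in values
    if operator == "NotIn":
        return key not in labels or labels[key] not in values
    if operator == "Exists":
        return key in labels
    if operator == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {operator!r}")


def selected(labels: dict, selector: list) -> bool:
    """A selector is a list of expressions (one per console line); the page says a
    pod is selected when any one of them matches."""
    return any(match_expression(labels, e["key"], e["operator"], e.get("values", ()))
               for e in selector)


@dataclass
class Policy:
    namespace_condition: str            # "include_enabled" or "not_include_disabled"
    pod_condition: str                  # "not_include_false" or "include_true"
    always_inject: list = field(default_factory=list)   # AlwaysInjectSelector expressions
    never_inject: list = field(default_factory=list)    # NeverInjectSelector expressions
    labels_supported: bool = True       # False models an ASM instance earlier than 1.12


def namespace_allows(policy: Policy, ns_labels: dict) -> bool:
    """The 'Pod namespace label should meet condition' parameter."""
    if policy.namespace_condition == "include_enabled":
        return ns_labels.get(NS_KEY) == "enabled"
    if policy.namespace_condition == "not_include_disabled":
        return ns_labels.get(NS_KEY) != "disabled"
    raise ValueError(policy.namespace_condition)


def effective_inject_value(policy: Policy, pod_labels: dict, pod_annotations: dict):
    """Return "true", "false" or None for the pod. Label beats annotation (1.12+);
    selectors apply only when the pod states nothing (assumption, see lead-in)."""
    value = None
    if policy.labels_supported and pod_labels.get(INJECT_KEY) in ("true", "false"):
        value = pod_labels[INJECT_KEY]
    elif pod_annotations.get(INJECT_KEY) in ("true", "false"):
        value = pod_annotations[INJECT_KEY]
    if value is None and selected(pod_labels, policy.never_inject):
        value = "false"
    if value is None and selected(pod_labels, policy.always_inject):
        value = "true"
    return value


def pod_allows(policy: Policy, pod_labels: dict, pod_annotations: dict) -> bool:
    """The 'Pod label/annotation should meet condition' parameter."""
    value = effective_inject_value(policy, pod_labels, pod_annotations)
    if policy.pod_condition == "not_include_false":
        return value != "false"
    if policy.pod_condition == "include_true":
        return value == "true"
    raise ValueError(policy.pod_condition)


def will_inject(policy: Policy, ns_labels: dict, pod_labels: dict,
                pod_annotations: dict = None) -> bool:
    """A sidecar is injected only when BOTH the namespace and the pod condition hold."""
    return namespace_allows(policy, ns_labels) and pod_allows(policy, pod_labels, pod_annotations or {})


# The two policies used in Example 1 and Example 2 of this page.
EXAMPLE1 = Policy("include_enabled", "not_include_false")   # namespace opt-in, pod opt-out
EXAMPLE2 = Policy("not_include_disabled", "include_true")   # pod opt-in, namespace may veto

if __name__ == "__main__":
    ns = {NS_KEY: "enabled"}
    print(will_inject(EXAMPLE1, ns, {"app": "details"}))                         # True
    print(will_inject(EXAMPLE1, ns, {"app": "details", INJECT_KEY: "false"}))    # False
    print(will_inject(EXAMPLE2, {}, {"app": "reviews", INJECT_KEY: "true"}))     # True
    # Label outranks annotation on 1.12+, but not on an older instance.
    print(will_inject(EXAMPLE1, ns, {INJECT_KEY: "true"}, {INJECT_KEY: "false"}))   # True
    old = Policy("include_enabled", "not_include_false", labels_supported=False)
    print(will_inject(old, ns, {INJECT_KEY: "true"}, {INJECT_KEY: "false"}))        # False
```

Use this to dry-run a policy change before clicking Update Settings: feed it the labels of the namespaces and workloads you care about and confirm which pods would gain or lose a sidecar, remembering that the real injector only acts when a pod is created.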

Configure the sidecar injector of the ASM instance

A sidecar injector is an admission webhook service deployed in the Kubernetes cluster on the data plane. The sidecar injector is not a sidecar proxy; it is the component that injects sidecar proxies into pods as they are created. Its service and workloads are deployed in the istio-system namespace of the Kubernetes cluster, and their names start with istio-sidecar-injector. You can adjust the resource settings and the number of replicas of the sidecar injector so that it remains available when a large number of pods are created at the same time. Availability matters for security as well: because injection happens when the API server admits a pod, a pod created while the injector cannot be reached is either rejected or admitted without a sidecar, depending on the failurePolicy (Fail or Ignore) of the injector's MutatingWebhookConfiguration, which is standard Kubernetes admission-webhook behavior. We recommend that you configure metric monitoring and alert rules for the admission webhook service of the sidecar injector by referring to Alert management and Monitor kube-apiserver.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy injection.

  3. In the Sidecar Injector Setting section of the Sidecar Proxy injection page, configure the sidecar injector. Then, click Update Settings in the lower part of the page.

    Parameter

    Description

    Resource Settings for Sidecar Injector

    Configure the Resource Limits and Required Resources parameters for the sidecar injector.

    • Resource Limits: the maximum CPU and memory that a sidecar injector container may use (Kubernetes limits). The unit of CPU is Core and the unit of memory is MiB.

    • Required Resources: the CPU and memory reserved for a sidecar injector container when it is scheduled (Kubernetes requests). The unit of CPU is Core and the unit of memory is MiB.

    Pod replicas

    Configure the number of pods in which the sidecar injector is deployed.

    Note

    Increasing the number of pods can improve the availability of the sidecar proxy injection service when a large number of sidecar proxies need to be injected into pods at the same time. We recommend that you set the number of pods to two or more.

    Rewrite App Probe

    Specifies whether to enable redirection of health check requests for applications. For more information, see Configure redirection of HTTP or TCP health check requests for applications in an ASM instance.

    Sidecar-injector NodeSelector

    Select the nodes for the pods of a sidecar injector by matching labels.

    Click Add Matching Label. Enter the name and value of the label of a cluster node on the data plane under the Name and Value parameters to match a specific node.

Example 1: Disable automatic sidecar proxy injection for the specified pods in a namespace and enable automatic sidecar proxy injection for other pods

  1. Configure an automatic sidecar proxy injection policy.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy injection.

    3. In the Injection strategy configuration management section of the Sidecar Proxy injection page, configure the parameters as required.

      The following configuration means: if a namespace carries the istio-injection: enabled label, sidecar proxies are automatically injected into the pods in that namespace, except pods that carry the sidecar.istio.io/inject: "false" label or annotation.

      Parameter

      Description

      Pod namespace label should meet condition

      Select Include istio-injection: enabled.

      Pod label/annotation should meet condition

      Select Not include sidecar.istio.io/inject: "false".

  2. Create a global namespace and enable automatic sidecar proxy injection for the namespace.

    1. On the details page of the ASM instance, choose ASM Instance > Global Namespace in the left-side navigation pane. On the page that appears, click Create.

    2. In the Create Namespace panel, enter a name for the namespace. In this example, the name is test1. Click Add next to Labels. Set Name to istio-injection, Value to enabled. Then, click OK.

    3. In the upper part of the page, click Sync Automatic Sidecar Injection to Kubernetes Cluster to synchronize the global namespace to the Kubernetes cluster on the data plane.

  3. Create an application.

    1. Create an application named details in the test1 namespace of the ACK cluster on the data plane. For more information, see Deploy an application in an ASM instance.

    2. Check whether automatic sidecar proxy injection is enabled for the pod of the details application.

      1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

      2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Deployments in the left-side navigation pane.

      3. In the upper part of the Deployments page, select test1 from the Namespace drop-down list. Then, click the name of the details application.

        The Pods tab shows that the pod of the details application has a proxy image. This indicates that automatic sidecar proxy injection is enabled for this pod.

  4. Add a label to the pod to disable automatic sidecar proxy injection.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Deployments in the left-side navigation pane.

    3. On the Deployments page, choose test1 from the namespace drop-down list. Find the details application and choose More > View in YAML in the Actions column.

    4. In the Edit YAML dialog box, modify the configuration and click Update. Add the key under the pod template of the Deployment (spec.template.metadata), not under the Deployment's own metadata: the injector evaluates the pod, so a label or annotation set only on the Deployment object has no effect.

      • If the version of your ASM instance is 1.12.4 or later, add the sidecar.istio.io/inject: "false" label under spec.template.metadata.labels by setting the key to sidecar.istio.io/inject and the value to "false".

      • If the version of your ASM instance is earlier than 1.12.4, add the sidecar.istio.io/inject: "false" annotation under spec.template.metadata.annotations by setting the key to sidecar.istio.io/inject and the value to "false".

  5. Check whether automatic sidecar proxy injection is disabled for the pod of the details application even if automatic sidecar proxy injection is enabled for the test1 namespace.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Deployments in the left-side navigation pane.

    3. In the upper part of the Deployments page, select test1 from the Namespace drop-down list. Then, click the name of the details application.

      The Pods tab shows that the pod of the details application does not have a proxy image. This indicates that automatic sidecar proxy injection is disabled for the pod of the details application even though automatic sidecar proxy injection is enabled for the test1 namespace.

Example 2: Configure automatic injection policies at the pod level

If you do not want to configure automatic injection policies at the namespace level, you can configure automatic injection policies at the pod level by performing the following steps:

  1. Enable automatic sidecar proxy injection for a namespace.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy injection.

    3. In the Injection strategy configuration management section of the Sidecar Proxy injection page, configure the parameters as required. Then, click Update Settings in the lower part of the page.

      The following configuration means: sidecar proxies are automatically injected into every pod that carries the sidecar.istio.io/inject: "true" label or annotation, unless the namespace of the pod carries the istio-injection: disabled label. Pods that do not opt in explicitly are left without a sidecar, even in namespaces labeled istio-injection: enabled.

      Parameter

      Description

      Pod namespace label should meet condition

      Select Not include istio-injection: disabled.

      Pod label/annotation should meet condition

      Select Include sidecar.istio.io/inject: "true".

  2. Create a namespace named test2 in the ACK cluster without an istio-injection label. For more information, see Manage namespaces and resource quotas.

  3. Create an application named reviews in the test2 namespace of the ACK cluster. For more information, see Deploy an application in an ASM instance.

  4. Add a label to the pod of the reviews application to enable automatic sidecar proxy injection for the pod.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Deployments in the left-side navigation pane.

    3. In the upper part of the Deployments page, set Namespace to test2. Find the reviews application and choose More > View in YAML in the Actions column.

    4. In the Edit YAML dialog box that appears, add the sidecar.istio.io/inject: "true" label under spec.template.metadata.labels (the pod template, not the Deployment's own labels) and click Update.

      Note

      To configure automatic sidecar proxy injection for a pod by using a label, the version of your Service Mesh instance must be 1.12.4 or later. You can update your ASM instance by referring to Update an ASM instance.


  5. Check whether automatic sidecar proxy injection is enabled for the pod of the reviews application.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Deployments in the left-side navigation pane.

    3. In the upper part of the Deployments page, select test2 from the Namespace drop-down list. Then, click the name of the reviews application.

      The Pods tab shows that the pod of the reviews application has a proxy image. This indicates that automatic sidecar proxy injection is enabled for this pod.
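Both examples end with the same manual check: open the workload in the ACK console and look for the proxy image. The following audit does that check across a whole cluster and adds the one the console does not show: whether the injector webhook would silently let pods through if the injector were down. It is an added example, not an ASM tool. It consumes the JSON shape returned by `kubectl get namespaces -o json`, `kubectl get pods -A -o json` and `kubectl get mutatingwebhookconfigurations -o json` (the `items` arrays); the objects embedded below are constructed for this example, not captured from a cluster. Two points are assumptions modeled on upstream Istio rather than stated on this page: the injected container is named istio-proxy, and the MutatingWebhookConfiguration name starts with istio-sidecar-injector like the injector's other objects. The audit models Example 1's namespace-opt-in policy; with Example 2's pod-opt-in policy you would key on the pod label instead.

```python
"""Audit a data-plane cluster for pods that lack a sidecar (added example, not ASM code)."""
import json

INJECT_KEY = "sidecar.istio.io/inject"
NS_KEY = "istio-injection"
PROXY_CONTAINER = "istio-proxy"            # upstream Istio's container name; assumption for ASM
WEBHOOK_PREFIX = "istio-sidecar-injector"  # page: injector objects carry this prefix; assumption for the webhook config


def has_sidecar(pod: dict) -> bool:
    """The page's console check ("the pod has a proxy image"), done on the pod spec."""
    return any(c["name"] == PROXY_CONTAINER for c in pod["spec"].get("containers", []))


def opted_out(pod: dict) -> bool:
    """Explicit sidecar.istio.io/inject: "false"; a label outranks an annotation (ASM 1.12+)."""
    md = pod["metadata"]
    label = md.get("labels", {}).get(INJECT_KEY)
    ann = md.get("annotations", {}).get(INJECT_KEY)
    return (label if label in ("true", "false") else ann) == "false"


def audit_pods(namespaces: list, pods: list) -> list:
    """Return (namespace, pod, verdict) for every sidecar-less pod in an
    istio-injection=enabled namespace (Example 1's policy)."""
    enabled = {ns["metadata"]["name"] for ns in namespaces
               if ns["metadata"].get("labels", {}).get(NS_KEY) == "enabled"}
    findings = []
    for pod in pods:
        md = pod["metadata"]
        if md["namespace"] not in enabled or has_sidecar(pod):
            continue
        # A sidecar-less pod in a mesh-enabled namespace is either a deliberate opt-out or a
        # gap: created before the policy applied and never restarted, or admitted while the
        # injector webhook was unreachable. Only the first is acceptable.
        findings.append((md["namespace"], md["name"], "opted-out" if opted_out(pod) else "MISSING"))
    return findings


def audit_webhooks(configs: list) -> list:
    """Flag injector webhooks with failurePolicy Ignore. With that setting the API server admits
    pods WITHOUT a sidecar whenever the injector cannot be reached; the Kubernetes default is Fail."""
    findings = []
    for cfg in configs:
        if not cfg["metadata"]["name"].startswith(WEBHOOK_PREFIX):
            continue
        for wh in cfg.get("webhooks", []):
            if wh.get("failurePolicy", "Fail") == "Ignore":
                findings.append((cfg["metadata"]["name"], wh["name"], "failurePolicy=Ignore"))
    return findings


# Constructed sample objects in kubectl -o json shape (not taken from a real cluster).
NAMESPACES = json.loads("""[
 {"metadata": {"name": "test1", "labels": {"istio-injection": "enabled"}}},
 {"metadata": {"name": "test2", "labels": {}}}
]""")

PODS = json.loads("""[
 {"metadata": {"namespace": "test1", "name": "details-1", "labels": {"app": "details"}},
  "spec": {"containers": [{"name": "details"}, {"name": "istio-proxy"}]}},
 {"metadata": {"namespace": "test1", "name": "details-2",
               "labels": {"app": "details", "sidecar.istio.io/inject": "false"}},
  "spec": {"containers": [{"name": "details"}]}},
 {"metadata": {"namespace": "test1", "name": "details-pre-policy", "labels": {"app": "details"}},
  "spec": {"containers": [{"name": "details"}]}},
 {"metadata": {"namespace": "test2", "name": "reviews-1", "labels": {"app": "reviews"}},
  "spec": {"containers": [{"name": "reviews"}]}}
]""")

WEBHOOKS = json.loads("""[
 {"metadata": {"name": "istio-sidecar-injector"},
  "webhooks": [{"name": "sidecar-injector.istio.io", "failurePolicy": "Ignore"}]}
]""")

if __name__ == "__main__":
    for finding in audit_pods(NAMESPACES, PODS) + audit_webhooks(WEBHOOKS):
        print(*finding)
```

Run it against real output by replacing the three constants with the `items` arrays from the kubectl commands above. A MISSING verdict on a pod that is meant to be in the mesh means its traffic is bypassing the mesh's mTLS and authorization policies; restart the workload so the injector sees it, and if the webhook reports failurePolicy=Ignore, treat any injector outage as a window in which unprotected pods may have been admitted.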

References

  • Sidecar proxies are injected only when a pod is created, so changing the injection policy does not affect pods that are already running. Restart (recreate) those pods for the new policy to take effect. For more information, see Restart the pod.

  • If sidecar proxies of an earlier version are still used by applications after you upgrade the control plane, you can upgrade the sidecar proxies by following the procedure described in Upgrade sidecar proxies.

  • You can configure the resource usage, traffic interception mode, DNS proxy, and lifecycle of the sidecar proxies at different levels, such as global, namespace, workload, and pod. For more information, see Configure sidecar proxies.