Alibaba Cloud Service Mesh (ASM) allows you to add a Container Service for Kubernetes (ACK) cluster to an ASM instance. To make full use of ASM, you must inject a sidecar proxy into the pod of an application that is deployed in the ACK cluster. ASM supports both manual and automatic sidecar injection. We recommend that you enable automatic sidecar injection because it requires simpler operations than manual sidecar injection. This topic describes the methods that can be used to enable automatic sidecar injection.

Background information

ASM provides a webhook controller for each cluster on the data plane to automatically inject sidecar proxies into the pods of applications. For more information about sidecar proxies, see Installing the Sidecar.
Note: Make sure that the Istio version of the ASM instance for which you want to enable automatic sidecar injection is 1.6.8.17 or later.

Configure automatic sidecar injection

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the details page of the ASM instance, click Sidecar Injection in the left-side navigation pane. On the Sidecar Injection page, select one or more options to configure automatic sidecar injection and click Update Settings.
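    The following table describes the operations that you can perform to configure automatic sidecar injection. Each entry lists the options that you select (Operation), followed by how to enable or disable injection with that selection (Description).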
    Select only Enable Automatic Sidecar Injection for All Namespaces.

    After you select this option, you can enable or disable automatic sidecar injection based on your business requirements.

    • Enable automatic sidecar injection

      In a namespace that is not labeled with istio-injection:disabled, add the sidecar.istio.io/inject="true" annotation to a pod. This way, automatic sidecar injection is enabled for the pod.

    • Disable automatic sidecar injection
      • Label a namespace with istio-injection:disabled. This way, automatic sidecar injection is disabled for the pods in the namespace.
      • Remove the sidecar.istio.io/inject="true" annotation from a pod. This way, automatic sidecar injection is disabled for the pod.
    Select Enable Automatic Sidecar Injection for All Namespaces and Other Configurations of Automatic Sidecar Injection.
    After you select the options, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Set the alwaysInjectSelector parameter in the code editor that appears after you select Other Configurations of Automatic Sidecar Injection. In a namespace that is not labeled with istio-injection:disabled, add the key label in the alwaysInjectSelector parameter to a pod. This way, automatic sidecar injection is enabled for the pod.

    • Disable automatic sidecar injection
      • Label a namespace with istio-injection:disabled. This way, automatic sidecar injection is disabled for the pods in the namespace.
      • Remove the sidecar.istio.io/inject="true" annotation from a pod. This way, automatic sidecar injection is disabled for the pod.
    Select only Use the Pod Annotation to Enable Automatic Sidecar Injection.
    After you select this option, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Label a namespace with istio-injection:enabled. This way, automatic sidecar injection is enabled for the pods in the namespace.

    • Disable automatic sidecar injection
      • Remove the istio-injection:enabled label from a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.
      • Add the sidecar.istio.io/inject="false" annotation to a pod. This way, automatic sidecar injection is disabled for the pod.
    Select Use the Pod Annotation to Enable Automatic Sidecar Injection and Other Configurations of Automatic Sidecar Injection.
    After you select the options, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Label a namespace with istio-injection:enabled. This way, automatic sidecar injection is enabled for the pods in the namespace.

    • Disable automatic sidecar injection

      Remove the istio-injection:enabled label from a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.

    • Disable automatic sidecar injection for a pod in a namespace that is labeled with istio-injection:enabled

      Set the neverInjectSelector parameter in the code editor that appears after you select Other Configurations of Automatic Sidecar Injection. Add the key label in the neverInjectSelector parameter to a pod in a namespace that is labeled with istio-injection:enabled. This way, automatic sidecar injection is disabled for the pod.

    Select Enable Automatic Sidecar Injection for All Namespaces and Use the Pod Annotation to Enable Automatic Sidecar Injection.

    After you select the options, you can enable or disable automatic sidecar injection based on your business requirements.

    • Enable automatic sidecar injection

      Remove the istio-injection:disabled label from a namespace. This way, automatic sidecar injection is enabled for the pods in the namespace.

    • Disable automatic sidecar injection

      Label a namespace with istio-injection:disabled. This way, automatic sidecar injection is disabled for the pods in the namespace.

    Select Enable Automatic Sidecar Injection for All Namespaces, Use the Pod Annotation to Enable Automatic Sidecar Injection, and Other Configurations of Automatic Sidecar Injection.
    After you select the options, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Remove the istio-injection:disabled label from a namespace. This way, automatic sidecar injection is enabled for the pods in the namespace.

    • Disable automatic sidecar injection

      Label a namespace with istio-injection:disabled. This way, automatic sidecar injection is disabled for the pods in the namespace.

    • Disable automatic sidecar injection for a pod in a namespace that is not labeled with istio-injection:disabled

      Set the neverInjectSelector parameter in the code editor that appears after you select Other Configurations of Automatic Sidecar Injection. Add the key label in the neverInjectSelector parameter to a pod in a namespace that is not labeled with istio-injection:disabled. This way, automatic sidecar injection is disabled for the pod.

    Select only Other Configurations of Automatic Sidecar Injection.
    After you select this option, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Label a namespace with istio-injection:enabled, set the alwaysInjectSelector parameter in the code editor that appears after you select Other Configurations of Automatic Sidecar Injection, and then add the key label in the alwaysInjectSelector parameter to a pod in the namespace. This way, automatic sidecar injection is enabled for the pod.

    • Disable automatic sidecar injection
      • Remove the istio-injection:enabled label from a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.
      • Remove the sidecar.istio.io/inject="true" annotation from a pod in a namespace that is labeled with istio-injection:enabled. This way, automatic sidecar injection is disabled for the pod.
    Select no option.
    In this case, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Label a namespace with istio-injection:enabled and add the sidecar.istio.io/inject="true" annotation to a pod in the namespace. This way, automatic sidecar injection is enabled for the pod.

    • Disable automatic sidecar injection
      • Remove the istio-injection:enabled label from a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.
      • Remove the sidecar.istio.io/inject="true" annotation from a pod in a namespace that is labeled with istio-injection:enabled. This way, automatic sidecar injection is disabled for the pod.
    In addition to configuring automatic sidecar injection, you can configure proxy resources.
    • Resource Settings for Sidecar Injection: ASM provides a webhook controller for each cluster on the data plane to automatically inject sidecar proxies into the pods of applications. The specified resource settings are used to limit the size of the webhook controller.
    • Resource Settings for Injected Proxies: A sidecar proxy provides the proxy service for an application. After a sidecar proxy is automatically injected into the pod of an application, the sidecar proxy runs in the same pod as the container of the application. The specified resource settings are used to limit the size of the sidecar proxy.

Other automatic sidecar injection configurations

You can set labels in other automatic sidecar injection configurations to control whether to inject a sidecar proxy into a pod based on label matching.
  • Set the alwaysInjectSelector parameter to inject sidecar proxies into the pods that are matched by label. This setting takes priority over global settings.
    {
      "alwaysInjectSelector": [
        {
          "matchExpressions": [
            {
              "key": "key1",
              "operator": "Exists"
            }
          ]
        },
        {
          "matchExpressions": [
            {
              "key": "key2",
              "operator": "Exists"
            }
          ]
        }
      ]
    }
  • Set the neverInjectSelector parameter to prevent sidecar proxies from being injected into the pods that are matched by label. This setting takes priority over global settings.
    {
      "neverInjectSelector": [
        {
          "matchExpressions": [
            {
              "key": "key3",
              "operator": "Exists"
            }
          ]
        },
        {
          "matchExpressions": [
            {
              "key": "key4",
              "operator": "Exists"
            }
          ]
        }
      ]
    }    
  • Set other parameters.
    {
      "replicaCount": 2,
      "injectedAnnotations": {
        "test/istio-init": "runtime/default",
        "test/istio-proxy": "runtime/default"
      },
      "nodeSelector": {
        "beta.kubernetes.io/os": "linux"
      }
    }
    • replicaCount: the number of replicas that are deployed for a sidecar injector.
    • injectedAnnotations: other injected annotations.
    • nodeSelector: the nodes on which sidecar injectors run. In this example, the beta.kubernetes.io/os parameter is set to linux, which indicates that sidecar injectors run only on the nodes that carry the label beta.kubernetes.io/os: linux.

Scenario 1: Disable automatic sidecar injection for specific pods in a namespace for which automatic sidecar injection is enabled

To disable automatic sidecar injection for specific pods in a namespace for which automatic sidecar injection is enabled, perform the following steps:

Use other automatic sidecar injection configurations to disable automatic sidecar injection for specific pods in a namespace for which automatic sidecar injection is enabled

  1. Enable automatic injection for an ASM instance.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
    4. On the details page of the ASM instance, click Sidecar Injection in the left-side navigation pane.
    5. On the Sidecar Injection page, select Use the Pod Annotation to Enable Automatic Sidecar Injection and Other Configurations of Automatic Sidecar Injection in the Enable Automatic Sidecar Injection section. In the code editor that appears, add the following content and click Update Settings.
      {
        "neverInjectSelector": [
          {
            "matchExpressions": [
              {
                "key": "notinjectapp",
                "operator": "Exists"
              }
            ]
          }
        ]
      }
  2. Create a namespace.
    1. On the details page of the ASM instance, click Namespace in the left-side navigation pane. On the Namespace page, click Create.
    2. In the Create Namespace panel, specify a name for the namespace, click Add next to Labels, add a label with the name of istio-injection and the value of enabled, and then click OK. In this example, the namespace is named test1.
  3. Create an application.
    1. Create an application in the test1 namespace of the ACK cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance. In this example, the details application is deployed.
    2. Check whether automatic sidecar injection is enabled for the pod of the details application.
      1. Log on to the ACK console.
      2. In the left-side navigation pane of the ACK console, click Clusters.
      3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column.
      4. On the details page of the ACK cluster, choose Workloads > Deployments.
      5. At the top of the Deployments page, select test1 from the Namespace drop-down list. Then, click the name of the details application.
        The Pods tab displays a proxy image. This indicates that automatic sidecar injection is enabled for the pod of the details application.
  4. Add a label to the pod to disable automatic sidecar injection.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
    5. At the top of the Deployments page, select test1 from the Namespace drop-down list. Then, find the details application and choose More > View in YAML in the Actions column.
    6. In the labels parameter, add a label with the key of notinjectapp and a custom value. Then, click Update.
    7. At the top of the Deployments page, select test1 from the Namespace drop-down list. Then, find the details application and choose More > Redeploy in the Actions column.
    8. In the Redeploy message, click Confirm.
  5. Check whether automatic sidecar injection is disabled for the pod of the details application even if automatic sidecar injection is enabled for the test1 namespace.
    On the Deployments page, click the name of the details application. The Pods tab displays no proxy image. This indicates that automatic sidecar injection is disabled for the pod of the details application even if automatic sidecar injection is enabled for the test1 namespace.

Use annotations to disable automatic sidecar injection for specific pods in a namespace for which automatic sidecar injection is enabled

  1. Enable automatic injection for an ASM instance.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
    4. On the details page of the ASM instance, click Sidecar Injection in the left-side navigation pane.
    5. On the Sidecar Injection page, select Use the Pod Annotation to Enable Automatic Sidecar Injection in the Enable Automatic Sidecar Injection section and click Update Settings.
  2. Create a namespace.
    1. On the details page of the ASM instance, click Namespace in the left-side navigation pane. On the Namespace page, click Create.
    2. In the Create Namespace panel, specify a name for the namespace, click Add next to Labels, add a label with the name of istio-injection and the value of enabled, and then click OK. In this example, the namespace is named test1.
  3. Create an application.
    1. Create an application in the test1 namespace of the ACK cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance. In this example, the details application is deployed.
    2. Check whether automatic sidecar injection is enabled for the pod of the details application.
      1. Log on to the ACK console.
      2. In the left-side navigation pane of the ACK console, click Clusters.
      3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column.
      4. On the details page of the ACK cluster, choose Workloads > Deployments.
      5. At the top of the Deployments page, select test1 from the Namespace drop-down list. Then, click the name of the details application.
        The Pods tab displays a proxy image. This indicates that automatic sidecar injection is enabled for the pod of the details application.
  4. Add an annotation to the pod to disable automatic sidecar injection.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
    5. At the top of the Deployments page, select test1 from the Namespace drop-down list. Then, find the details application and choose More > View in YAML in the Actions column.
    6. In the annotations parameter, add the sidecar.istio.io/inject: "false" annotation and click Update.
    7. At the top of the Deployments page, select test1 from the Namespace drop-down list. Then, find the details application and choose More > Redeploy in the Actions column.
    8. In the Redeploy message, click Confirm.
  5. Check whether automatic sidecar injection is disabled for the pod of the details application even if automatic sidecar injection is enabled for the test1 namespace.
    On the Deployments page, click the name of the details application. The Pods tab displays no proxy image. This indicates that automatic sidecar injection is disabled for the pod of the details application even if automatic sidecar injection is enabled for the test1 namespace.
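
The Pods tab check in Scenario 1 covers one application at a time. The following added example (not part of the original topic or of ASM) runs the same check across an inventory: it evaluates neverInjectSelector entries like those under Other automatic sidecar injection configurations and lists each pod that has no proxy in a namespace labeled istio-injection: enabled, with the reason. The pod inventory is constructed; istio-proxy as the sidecar container name and ORing of selector entries are assumptions.

```python
import json

# Constructed setting, shaped like the neverInjectSelector value used in Scenario 1.
NEVER_INJECT = json.loads("""
{"neverInjectSelector": [
  {"matchExpressions": [{"key": "notinjectapp", "operator": "Exists"}]}
]}""")["neverInjectSelector"]

# Constructed inventory (hypothetical pods), trimmed to the fields the audit needs.
NAMESPACES = {"test1": {"istio-injection": "enabled"},
              "test2": {"istio-injection": "enabled"}, "legacy": {}}
# (namespace, pod name, labels, annotations, container names)
PODS = [
    ("test1", "details-v1", {"notinjectapp": "yes"}, {}, ["details"]),
    ("test1", "ratings-v1", {}, {"sidecar.istio.io/inject": "false"}, ["ratings"]),
    ("test1", "productpage-v1", {}, {}, ["productpage", "istio-proxy"]),
    ("test2", "reviews-v1", {}, {}, ["reviews"]),
    ("legacy", "batch-1", {}, {}, ["batch"]),
]
PROXY_CONTAINER = "istio-proxy"  # assumption: Istio's default sidecar container name

def expr_matches(expr, labels):
    """Evaluate one Kubernetes matchExpressions entry against pod labels."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    if op == "In":
        return labels.get(key) in values
    if op == "NotIn":  # also matches when the key is absent
        return labels.get(key) not in values
    raise ValueError(f"unsupported operator: {op}")

def first_match(selectors, labels):
    """Entries are ORed (assumption); expressions inside one entry are ANDed."""
    for entry in selectors:
        exprs = entry.get("matchExpressions", [])
        if exprs and all(expr_matches(e, labels) for e in exprs):
            return entry
    return None

def audit(pods, namespaces, never_selectors):
    """List pods without a proxy in namespaces labeled istio-injection=enabled."""
    findings = []
    for ns, name, labels, annotations, containers in pods:
        if namespaces.get(ns, {}).get("istio-injection") != "enabled":
            continue  # namespace is not opted in, so no proxy is expected
        if PROXY_CONTAINER in containers:
            continue  # sidecar present
        entry = first_match(never_selectors, labels)
        if annotations.get("sidecar.istio.io/inject") == "false":
            reason = "annotation"
        elif entry:
            reason = "neverInjectSelector:" + ",".join(
                e["key"] for e in entry["matchExpressions"])
        else:
            reason = "no-opt-out"  # e.g. not redeployed since injection was enabled
        findings.append((ns, name, reason))
    return findings

if __name__ == "__main__":
    for ns, name, reason in audit(PODS, NAMESPACES, NEVER_INJECT):
        print(f"{ns}/{name}: no sidecar ({reason})")
```

A pod reported as no-opt-out carries neither the opt-out label nor the annotation, so it is the one to redeploy or investigate.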

Scenario 2: Configure automatic sidecar injection for a pod

In addition to configuring automatic sidecar injection at the granularity of namespaces, you can configure automatic sidecar injection at the granularity of pods.

  1. Enable automatic sidecar injection for a namespace.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
    4. On the details page of the ASM instance, click Namespace in the left-side navigation pane.
    5. Find the namespace for which you want to enable automatic sidecar injection and click Enable Automatic Sidecar Injection in the Automatic Sidecar Injection column. In the Submit message, click OK. In this example, the test2 namespace is used.
  2. Create an application in the test2 namespace of the ACK cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance. In this example, the reviews application is deployed.
  3. Add an annotation to the pod of the reviews application to enable automatic sidecar injection for the pod.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
    5. At the top of the Deployments page, select test2 from the Namespace drop-down list. Then, find the reviews application and choose More > View in YAML in the Actions column.
    6. In the annotations parameter, add the sidecar.istio.io/inject: "true" annotation and click Update.
    7. At the top of the Deployments page, select test2 from the Namespace drop-down list. Then, find the reviews application and choose More > Redeploy in the Actions column.
    8. In the Redeploy message, click Confirm.
  4. Check whether automatic sidecar injection is enabled for the pod of the reviews application.
    On the Deployments page, click the name of the reviews application. The Pods tab displays a proxy image. This indicates that automatic sidecar injection is enabled for the pod of the reviews application.