In an Alibaba Cloud Service Mesh (ASM) instance, the sidecars on the data plane manage the traffic of all applications in the clusters that are managed by the ASM instance. To upgrade the data plane, you must restart sidecar containers, which may result in failed requests and application service interruption. ASM allows you to upgrade the data plane without interrupting services or affecting applications.

This topic shows you how to upgrade the data plane of an ASM instance without service interruption. An ASM instance that runs Istio 1.6.x is used as an example. An NGINX application is deployed on the ASM instance, and the HTTP stress testing tool go-stress-testing is used to continuously access the NGINX application. During this process, the data plane is upgraded without service interruption.

Prerequisites

Precautions

To upgrade the data plane of an ASM instance without service interruption, you must use an OpenKruise SidecarSet (SidecarSet), which can be used to switch sidecar containers. If an application requires no service interruption during data plane upgrade, you must use a SidecarSet to inject sidecars into the pods of the application. In this case, the sidecars must be injected when you create a deployment for the application.
Note: We recommend that you inject sidecars when you deploy your application. If automatic sidecar injection is enabled for your application, you can change the injection mode and recreate the related pods. However, the pods are unavailable for a moment, which may cause service interruption.
You can use the following two methods to inject sidecars:
  • Deploy deployments and pods that require no service interruption during data plane upgrade in an independent namespace.

    This way, you can use a SidecarSet to inject sidecars in this namespace and enable automatic sidecar injection for other namespaces.

  • Disable automatic sidecar injection for specific pods and use a SidecarSet to inject sidecars into these pods.

    If automatic sidecar injection is enabled for the namespace of a pod, you can disable the feature by using pod annotations. Then, you can use the matching policy of the SidecarSet to match the pod for sidecar injection.

Step 1: Install OpenKruise in a cluster on the data plane

ASM does not automatically install OpenKruise in a cluster on the data plane. You must manually install OpenKruise by using Helm.

  1. Install the Helm plug-in of Alibaba Cloud. For more information, see Helm Chart.
  2. Add the Helm repository address of OpenKruise to Helm.
    helm repo add acr-openkruise-asm acr://openkruise-chart.cn-hangzhou.cr.aliyuncs.com/openkruise/kruise-asm
  3. Install OpenKruise in the cluster.
    helm install kruise acr-openkruise-asm/kruise-asm --version 0.1.0

Step 2: Deploy a ConfigMap

When you configure a SidecarSet, you must specify the ID of the cluster on the data plane. To avoid manually specifying the cluster ID for each SidecarSet, you can deploy a ConfigMap.

  1. Create a file named configmap.yaml.
    apiVersion: v1
    data:
      clusterid: $$$CLUSTER-ID$$$
    kind: ConfigMap
    metadata:
      name: ack-cluster-profile
      namespace: default

    Replace $$$CLUSTER-ID$$$ with the ID of the cluster on the data plane.

  2. Deploy a ConfigMap.
    kubectl apply -f configmap.yaml

Step 3: Deploy a SidecarSet

The sidecar injection configuration of an application includes parameters that cannot all be set once for every application. Therefore, you must deploy an independent SidecarSet for each deployment to configure sidecar injection.

  1. Create a file named nginx-sidecarset.json.
    In the following code, the template in the References section is modified to apply to the SidecarSet in this example. For more information about how to customize a SidecarSet, see References.
    {
        "apiVersion": "apps.kruise.io/v1alpha1",
        "kind": "SidecarSet",
        "metadata": {
            "name": "sidecarset-example"
        },
        "spec": {
            "containers": [
                {
                    "args": [
                        "proxy",
                        "sidecar",
                        "--domain",
                        "$(POD_NAMESPACE).svc.cluster.local",
                        "--serviceCluster",
                        "$(ISTIO_META_WORKLOAD_NAME).$(POD_NAMESPACE)",
                        "--drainDuration",
                        "45s",
                        "--parentShutdownDuration",
                        "1m0s",
                        "--discoveryAddress",
                        "istiod.istio-system.svc:15012",
                        "--zipkinAddress",
                        "zipkin.istio-system:9411",
                        "--proxyLogLevel=warning",
                        "--proxyComponentLogLevel=misc:error",
                        "--proxyAdminPort",
                        "15000",
                        "--concurrency",
                        "2",
                        "--controlPlaneAuthPolicy",
                        "NONE",
                        "--dnsRefreshRate",
                        "300s",
                        "--statusPort",
                        "15021",
                        "--trust-domain=cluster.local",
                        "--controlPlaneBootstrap=false"
                    ],
                    "env": [
                        {
                            "name": "JWT_POLICY",
                            "value": "first-party-jwt"
                        },
                        {
                            "name": "PILOT_CERT_PROVIDER",
                            "value": "istiod"
                        },
                        {
                            "name": "CA_ADDR",
                            "value": "istiod.istio-system.svc:15012"
                        },
                        {
                            "name": "POD_NAME",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.name"
                                }
                            }
                        },
                        {
                            "name": "POD_NAMESPACE",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.namespace"
                                }
                            }
                        },
                        {
                            "name": "INSTANCE_IP",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "status.podIP"
                                }
                            }
                        },
                        {
                            "name": "SERVICE_ACCOUNT",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "spec.serviceAccountName"
                                }
                            }
                        },
                        {
                            "name": "CANONICAL_SERVICE",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.labels['service.istio.io/canonical-name']"
                                }
                            }
                        },
                        {
                            "name": "CANONICAL_REVISION",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.labels['service.istio.io/canonical-revision']"
                                }
                            }
                        },
                        {
                            "name": "PROXY_CONFIG",
                            "value": "{\"configPath\":\"/etc/istio/proxy\",\"proxyMetadata\":{\"DNS_AGENT\":\"\"}}\n"
                        },
                        {
                            "name": "ISTIO_META_POD_PORTS",
                            "value": "[\n]"
                        },
                        {
                            "name": "ISTIO_META_CLUSTER_ID",
                            "valueFrom": {
                                "configMapKeyRef": {
                                    "name": "ack-cluster-profile",
                                    "key": "clusterid"
                                }
                            }
                        },
                        {
                            "name": "ISTIO_META_POD_NAME",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.name"
                                }
                            }
                        },
                        {
                            "name": "ISTIO_META_CONFIG_NAMESPACE",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.namespace"
                                }
                            }
                        },
                        {
                            "name": "ISTIO_META_INTERCEPTION_MODE",
                            "value": "REDIRECT"
                        },
                        {
                            "name": "ISTIO_METAJSON_ANNOTATIONS",
                            "value": "{\"kubernetes.io/psp\":\"ack.privileged\"}\n"
                        },
                        {
                            "name": "ISTIO_META_WORKLOAD_NAME",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.labels['app']"
                                }
                            }
                        },
                        {
                            "name": "ISTIO_META_MESH_ID",
                            "value": "cluster.local"
                        },
                        {
                            "name": "DNS_AGENT"
                        },
                        {
                            "name": "TERMINATION_DRAIN_DURATION_SECONDS",
                            "value": "5"
                        }
                    ],
                    "image": "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1531",
                    "imagePullPolicy": "IfNotPresent",
                    "name": "istio-proxy",
                    "podInjectPolicy": "BeforeAppContainer",
                    "lifecycle": {
                        "postStart": {
                            "exec": {
                                "command": ["/bin/sh", "-c", "/usr/local/bin/pilot-agent wait"]
                            }
                        }
                    },
                    "ports": [
                        {
                            "containerPort": 15090,
                            "name": "http-envoy-prom",
                            "protocol": "TCP"
                        }
                    ],
                    "resources": {
                        "limits": {
                            "cpu": "2",
                            "memory": "1Gi"
                        },
                        "requests": {
                            "cpu": "100m",
                            "memory": "128Mi"
                        }
                    },
                    "securityContext": {
                        "allowPrivilegeEscalation": false,
                        "capabilities": {
                            "drop": [
                                "ALL"
                            ]
                        },
                        "privileged": false,
                        "readOnlyRootFilesystem": true,
                        "runAsGroup": 1337,
                        "runAsNonRoot": true,
                        "runAsUser": 1337
                    },
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File",
                    "upgradeStrategy": {
                        "upgradeType": "HotUpgrade",
                        "hotUpgradeEmptyImage": "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy-empty:feature-1.6.x-511e4bb6e85be2c753a46d620efb1973251c1778"
                    },
                    "volumeMounts": [
                        {
                            "mountPath": "/var/run/secrets/istio",
                            "name": "istiod-ca-cert"
                        },
                        {
                            "mountPath": "/var/lib/istio/data",
                            "name": "istio-data"
                        },
                        {
                            "mountPath": "/etc/istio/proxy",
                            "name": "istio-envoy"
                        },
                        {
                            "mountPath": "/etc/istio/pod",
                            "name": "istio-podinfo"
                        },
                        {
                            "mountPath": "/etc/asm/uds/",
                            "name": "asm-hotupgrade-data"
                        }
                    ]
                }
            ],
            "initContainers": [
                {
                    "args": [
                        "istio-iptables",
                        "-p",
                        "15001",
                        "-z",
                        "15006",
                        "-u",
                        "1337",
                        "-m",
                        "REDIRECT",
                        "-i",
                        "*",
                        "-x",
                        "172.23.0.1/32",
                        "-b",
                        "*",
                        "-d",
                        "15090,15021,15021"
                    ],
                    "env": [
                        {
                            "name": "DNS_AGENT"
                        }
                    ],
                    "image": "registry-vpc.cn-zhangjiakou.aliyuncs.com/acs/proxyv2:1.6.8",
                    "imagePullPolicy": "IfNotPresent",
                    "name": "istio-init",
                    "resources": {
                        "limits": {
                            "cpu": "100m",
                            "memory": "50Mi"
                        },
                        "requests": {
                            "cpu": "10m",
                            "memory": "10Mi"
                        }
                    },
                    "securityContext": {
                        "allowPrivilegeEscalation": false,
                        "capabilities": {
                            "add": [
                                "NET_ADMIN",
                                "NET_RAW"
                            ],
                            "drop": [
                                "ALL"
                            ]
                        },
                        "privileged": false,
                        "readOnlyRootFilesystem": false,
                        "runAsGroup": 0,
                        "runAsNonRoot": false,
                        "runAsUser": 0
                    },
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File",
                    "upgradeStrategy": {}
                }
            ],
            "selector": {
                "matchExpressions": [
                    {
                        "key": "app",
                        "operator": "In",
                        "values": [
                            "nginx"
                        ]
                    },
                    {
                        "key": "sidecarset-injected",
                        "operator": "In",
                        "values": [
                            "true"
                        ]
                    }
                ]
            },
            "strategy": {
                "type": "RollingUpdate",
                "partition": 0,
                "maxUnavailable": 1
            },
            "volumes": [
                {
                    "emptyDir": {},
                    "name": "asm-hotupgrade-data"
                },
                {
                    "emptyDir": {
                        "medium": "Memory"
                    },
                    "name": "istio-envoy"
                },
                {
                    "emptyDir": {},
                    "name": "istio-data"
                },
                {
                    "downwardAPI": {
                        "defaultMode": 420,
                        "items": [
                            {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.labels"
                                },
                                "path": "labels"
                            },
                            {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.annotations"
                                },
                                "path": "annotations"
                            }
                        ]
                    },
                    "name": "istio-podinfo"
                },
                {
                    "configMap": {
                        "defaultMode": 420,
                        "name": "istio-ca-root-cert"
                    },
                    "name": "istiod-ca-cert"
                }
            ]
        }
    }
  2. Apply the nginx-sidecarset.json file to the cluster on the data plane.
    kubectl apply -f nginx-sidecarset.json
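
Added example (not part of the original topic, and not ASM or OpenKruise tooling): a SidecarSet injects its containers into every pod that its selector matches, so the manifest is worth checking before you run kubectl apply in this step and again before you save the image change in Step 6. The following Python script lints the fields this page relies on; the function names, the finding messages, and the GOOD and BAD samples are assumptions constructed for illustration.

```python
import copy
import json

ALLOWED_INIT_CAPS = {"NET_ADMIN", "NET_RAW"}  # what istio-init adds on this page

def image_problems(image):
    """Findings for one image reference (tag or digest must be fixed)."""
    if not image or "$$$" in image:
        return ["image missing or placeholder not replaced"]
    if "@sha256:" in image:
        return []  # digest-pinned
    last = image.rsplit("/", 1)[-1]  # drop registry[:port]/repo path
    if ":" not in last or last.endswith(":latest"):
        return ["image has no fixed tag"]
    return []

def lint_sidecarset(doc):
    """Return sorted findings; an empty list means every check passed."""
    out = []
    spec = doc.get("spec", {})
    sel = spec.get("selector", {})
    # An empty Kubernetes label selector matches every object.
    if not sel.get("matchLabels") and not sel.get("matchExpressions"):
        out.append("selector: empty, would match all pods")
    volumes = {v["name"] for v in spec.get("volumes", [])}

    for c in spec.get("containers", []):
        name = c.get("name", "?")
        out += [f"{name}: {p}" for p in image_problems(c.get("image"))]
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged", False):
            out.append(f"{name}: privileged")
        if sc.get("allowPrivilegeEscalation", True):
            out.append(f"{name}: allowPrivilegeEscalation not false")
        if not sc.get("runAsNonRoot", False):
            out.append(f"{name}: may run as root")
        if "ALL" not in caps.get("drop", []) or caps.get("add"):
            out.append(f"{name}: capabilities not fully dropped")
        up = c.get("upgradeStrategy", {})
        if up.get("upgradeType") == "HotUpgrade":
            empty = up.get("hotUpgradeEmptyImage")
            out += [f"{name}: hotUpgradeEmptyImage: {p}"
                    for p in image_problems(empty)]
        for m in c.get("volumeMounts", []):
            if m["name"] not in volumes:
                out.append(f"{name}: volumeMount {m['name']} has no volume")

    for c in spec.get("initContainers", []):
        name = c.get("name", "?")
        out += [f"{name}: {p}" for p in image_problems(c.get("image"))]
        sc = c.get("securityContext", {})
        if sc.get("privileged", False):
            out.append(f"{name}: privileged")
        extra = set(sc.get("capabilities", {}).get("add", [])) - ALLOWED_INIT_CAPS
        if extra:
            out.append(f"{name}: unexpected capabilities {sorted(extra)}")
    return sorted(out)

def lint_file(path):
    """Lint a manifest on disk, e.g. nginx-sidecarset.json from Step 3."""
    with open(path) as f:
        return lint_sidecarset(json.load(f))

# Constructed sample: a trimmed subset of the fields in this page's manifest.
GOOD = {"spec": {
    "containers": [{
        "name": "istio-proxy",
        "image": "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:"
                 "feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1531",
        "securityContext": {
            "allowPrivilegeEscalation": False, "privileged": False,
            "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}},
        "upgradeStrategy": {
            "upgradeType": "HotUpgrade",
            "hotUpgradeEmptyImage":
                "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy-empty:"
                "feature-1.6.x-511e4bb6e85be2c753a46d620efb1973251c1778"},
        "volumeMounts": [{"name": "asm-hotupgrade-data"}]}],
    "initContainers": [{
        "name": "istio-init",
        "image": "registry-vpc.cn-zhangjiakou.aliyuncs.com/acs/proxyv2:1.6.8",
        "securityContext": {"privileged": False, "capabilities": {
            "add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]}}}],
    "selector": {"matchExpressions": [
        {"key": "app", "operator": "In", "values": ["nginx"]},
        {"key": "sidecarset-injected", "operator": "In", "values": ["true"]}]},
    "volumes": [{"emptyDir": {}, "name": "asm-hotupgrade-data"}]}}

# Constructed failing variant of the sample above.
BAD = copy.deepcopy(GOOD)
BAD["spec"].update(selector={}, volumes=[])
BAD["spec"]["containers"][0]["image"] = "$$$IMAGE$$$"
BAD["spec"]["initContainers"][0]["securityContext"]["capabilities"]["add"] = [
    "NET_ADMIN", "SYS_ADMIN"]

if __name__ == "__main__":
    print(lint_sidecarset(GOOD) or "GOOD: ok", lint_sidecarset(BAD), sep="\n")
```

To check the file from this step, call lint_file("nginx-sidecarset.json"); an empty list means that all checks passed.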

Step 4: Deploy an NGINX application

  1. Deploy an NGINX application.
    1. Create a file named nginx.yaml.
      apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
      kind: Deployment
      metadata:
        name: nginx-deployment
      spec:
        selector:
          matchLabels:
            app: nginx
        replicas: 1
        template:
          metadata:
            labels:
              app: nginx
              sidecarset-injected: "true"
          spec:
            containers:
            - name: nginx
              image: nginx:1.14.2
              ports:
              - containerPort: 80
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: nginx
      spec:
        ports:
          - name: http
            port: 80
            protocol: TCP
            targetPort: 80
        selector:
          app: nginx
        type: ClusterIP
    2. Deploy an NGINX application.
      kubectl apply -f nginx.yaml
  2. Expose the service port of the NGINX application to the ingress gateway and create a routing rule.
    1. Create a file named nginx-gateway.yaml.
      apiVersion: networking.istio.io/v1beta1
      kind: Gateway
      metadata:
        name: nginx-gateway
        namespace: default
      spec:
        selector:
          istio: ingressgateway
        servers:
        - hosts:
          - '*'
          port:
            name: http
            number: 8080
            protocol: HTTP
      ---
      apiVersion: networking.istio.io/v1beta1
      kind: VirtualService
      metadata:
        name: nginx
        namespace: default
      spec:
        gateways:
        - nginx-gateway
        hosts:
        - '*'
        http:
        - match:
          - uri:
              exact: /
          route:
          - destination:
              host: nginx
              port:
                number: 80
    2. Apply the nginx-gateway.yaml file.
      kubectl apply -f nginx-gateway.yaml
  3. Verify whether the NGINX application is deployed.
    1. Check whether the pod is started.
      kubectl get pod

      The following output is expected:

      NAME                                READY   STATUS             RESTARTS   AGE
      nginx-deployment-6c9b9677d4-rlvsn   3/3     Running            0          1m

      If Running is displayed in the STATUS column, the pod is started.

    2. Access port 8080 of the IP address of the ingress gateway to check whether NGINX is running as expected.
      If the following page is displayed, the NGINX application is deployed.

Step 5: Use go-stress-testing to access the NGINX application

The go-stress-testing tool is an HTTP stress testing tool that is developed in Go. This tool is compatible with multiple platforms. In this example, this tool is used to continuously access the NGINX application. During the continuous access, the data plane is upgraded without service interruption. This tool counts the numbers of successful and failed requests.

  1. Download go-stress-testing. To download go-stress-testing, visit go-stress-testing.
  2. Start to access the NGINX application.

    Four concurrent processes are started to access the server. Each process sends a total of 100,000 requests.

    go-stress-testing-mac -c 4 -n 100000 -u http://<IP address of ingress gateway>:8080
    After the access starts, the statistics about the return codes of the requests are returned.

Step 6: Upgrade the data plane without service interruption

  1. Edit the SidecarSet.
    kubectl edit sidecarset sidecarset-example
  2. Modify the value of the image parameter of the sidecar to the URL of the image of the new SidecarSet. Then, save the modification and exit.
    registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1546
  3. Check whether services are interrupted when the data plane is upgraded.
    1. Query the upgrade status.
      kubectl describe pod nginx-deployment-76f4578864-js5hc |grep Image:

      The following output is expected:

          Image:         registry-vpc.cn-zhangjiakou.aliyuncs.com/acs/proxyv2:1.6.8
          Image:         registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy-empty:feature-1.6.x-511e4bb6e85be2c753a46d620efb1973251c1778
          Image:         registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1546
          Image:          nginx:1.14.2

      When containers in the pod are changed to the asm-istio-proxy-empty, asm-istio-proxy, and nginx images, the upgrade is completed.

    2. After the upgrade is completed, view the output of the go-stress-testing-mac command, which is described in Step 5: Use go-stress-testing to access the NGINX application. The following figure shows that the return code of all requests is 200. This indicates that no request failed during the upgrade.
      Result of upgrade

References

Customize a SidecarSet

To customize a SidecarSet to configure sidecar injection, you must use the template file that corresponds to your Istio version. The following code provides an example in which Istio 1.6.x is used. When you use the template file, you must replace the parameters in the template file based on the following requirements:
{
    "apiVersion": "apps.kruise.io/v1alpha1",
    "kind": "SidecarSet",
    "metadata": {
        "name": "sidecarset-example"
    },
    "spec": {
        "containers": [
            {
                "args": [
                    "proxy",
                    "sidecar",
                    "--domain",
                    "$(POD_NAMESPACE).svc.cluster.local",
                    "--serviceCluster",
                    "$(ISTIO_META_WORKLOAD_NAME).$(POD_NAMESPACE)",
                    "--drainDuration",
                    "45s",
                    "--parentShutdownDuration",
                    "1m0s",
                    "--discoveryAddress",
                    "istiod.istio-system.svc:15012",
                    "--zipkinAddress",
                    "zipkin.istio-system:9411",
                    "--proxyLogLevel=warning",
                    "--proxyComponentLogLevel=misc:error",
                    "--proxyAdminPort",
                    "15000",
                    "--concurrency",
                    "2",
                    "--controlPlaneAuthPolicy",
                    "NONE",
                    "--dnsRefreshRate",
                    "300s",
                    "--statusPort",
                    "15021",
                    "--trust-domain=cluster.local",
                    "--controlPlaneBootstrap=false"
                ],
                "env": [
                    {
                        "name": "JWT_POLICY",
                        "value": "first-party-jwt"
                    },
                    {
                        "name": "PILOT_CERT_PROVIDER",
                        "value": "istiod"
                    },
                    {
                        "name": "CA_ADDR",
                        "value": "istiod.istio-system.svc:15012"
                    },
                    {
                        "name": "POD_NAME",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.name"
                            }
                        }
                    },
                    {
                        "name": "POD_NAMESPACE",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.namespace"
                            }
                        }
                    },
                    {
                        "name": "INSTANCE_IP",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "status.podIP"
                            }
                        }
                    },
                    {
                        "name": "SERVICE_ACCOUNT",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "spec.serviceAccountName"
                            }
                        }
                    },
                    {
                        "name": "CANONICAL_SERVICE",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.labels['service.istio.io/canonical-name']"
                            }
                        }
                    },
                    {
                        "name": "CANONICAL_REVISION",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.labels['service.istio.io/canonical-revision']"
                            }
                        }
                    },
                    {
                        "name": "PROXY_CONFIG",
                        "value": "{\"configPath\":\"/etc/istio/proxy\",\"proxyMetadata\":{\"DNS_AGENT\":\"\"}}\n"
                    },
                    {
                        "name": "ISTIO_META_POD_PORTS",
                        "value": "[\n]"
                    },
                    {
                        "name": "ISTIO_META_CLUSTER_ID",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "name": "ack-cluster-profile",
                                "key": "clusterid"
                            }
                        }
                    },
                    {
                        "name": "ISTIO_META_POD_NAME",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.name"
                            }
                        }
                    },
                    {
                        "name": "ISTIO_META_CONFIG_NAMESPACE",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.namespace"
                            }
                        }
                    },
                    {
                        "name": "ISTIO_META_INTERCEPTION_MODE",
                        "value": "REDIRECT"
                    },
                    {
                        "name": "ISTIO_METAJSON_ANNOTATIONS",
                        "value": "{\"kubernetes.io/psp\":\"ack.privileged\"}\n"
                    },
                    {
                        "name": "ISTIO_META_WORKLOAD_NAME",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.labels['app']"
                            }
                        }
                    },
                    {
                        "name": "ISTIO_META_MESH_ID",
                        "value": "cluster.local"
                    },
                    {
                        "name": "DNS_AGENT"
                    },
                    {
                        "name": "TERMINATION_DRAIN_DURATION_SECONDS",
                        "value": "5"
                    }
                ],
                "image": "$$$IMAGE$$$",
                "imagePullPolicy": "IfNotPresent",
                "name": "istio-proxy",
                "podInjectPolicy": "BeforeAppContainer",
                "lifecycle": {
                    "postStart": {
                        "exec": {
                            "command": ["/bin/sh", "-c", "/usr/local/bin/pilot-agent wait"]
                        }
                    }
                },
                "ports": [
                    {
                        "containerPort": 15090,
                        "name": "http-envoy-prom",
                        "protocol": "TCP"
                    }
                ],
                "resources": {
                    "limits": {
                        "cpu": "2",
                        "memory": "1Gi"
                    },
                    "requests": {
                        "cpu": "100m",
                        "memory": "128Mi"
                    }
                },
                "securityContext": {
                    "allowPrivilegeEscalation": false,
                    "capabilities": {
                        "drop": [
                            "ALL"
                        ]
                    },
                    "privileged": false,
                    "readOnlyRootFilesystem": true,
                    "runAsGroup": 1337,
                    "runAsNonRoot": true,
                    "runAsUser": 1337
                },
                "terminationMessagePath": "/dev/termination-log",
                "terminationMessagePolicy": "File",
                "upgradeStrategy": {
                    "upgradeType": "HotUpgrade",
                    "hotUpgradeEmptyImage": "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy-empty:feature-1.6.x-511e4bb6e85be2c753a46d620efb1973251c1778"
                },
                "volumeMounts": [
                    {
                        "mountPath": "/var/run/secrets/istio",
                        "name": "istiod-ca-cert"
                    },
                    {
                        "mountPath": "/var/lib/istio/data",
                        "name": "istio-data"
                    },
                    {
                        "mountPath": "/etc/istio/proxy",
                        "name": "istio-envoy"
                    },
                    {
                        "mountPath": "/etc/istio/pod",
                        "name": "istio-podinfo"
                    },
                    {
                        "mountPath": "/etc/asm/uds/",
                        "name": "asm-hotupgrade-data"
                    }
                ]
            }
        ],
        "initContainers": [
            {
                "args": [
                    "istio-iptables",
                    "-p",
                    "15001",
                    "-z",
                    "15006",
                    "-u",
                    "1337",
                    "-m",
                    "REDIRECT",
                    "-i",
                    "*",
                    "-x",
                    "172.23.0.1/32",
                    "-b",
                    "*",
                    "-d",
                    "15090,15021,15021"
                ],
                "env": [
                    {
                        "name": "DNS_AGENT"
                    }
                ],
                "image": "registry-vpc.cn-zhangjiakou.aliyuncs.com/acs/proxyv2:1.6.8",
                "imagePullPolicy": "IfNotPresent",
                "name": "istio-init",
                "resources": {
                    "limits": {
                        "cpu": "100m",
                        "memory": "50Mi"
                    },
                    "requests": {
                        "cpu": "10m",
                        "memory": "10Mi"
                    }
                },
                "securityContext": {
                    "allowPrivilegeEscalation": false,
                    "capabilities": {
                        "add": [
                            "NET_ADMIN",
                            "NET_RAW"
                        ],
                        "drop": [
                            "ALL"
                        ]
                    },
                    "privileged": false,
                    "readOnlyRootFilesystem": false,
                    "runAsGroup": 0,
                    "runAsNonRoot": false,
                    "runAsUser": 0
                },
                "terminationMessagePath": "/dev/termination-log",
                "terminationMessagePolicy": "File",
                "upgradeStrategy": {}
            }
        ],
        "selector": {
            "matchExpressions": [
                ...
            ]
        },
        "strategy": {
            "type": "RollingUpdate",
            "partition": 0,
            "maxUnavailable": 1
        },
        "volumes": [
            {
                "emptyDir": {},
                "name": "asm-hotupgrade-data"
            },
            {
                "emptyDir": {
                    "medium": "Memory"
                },
                "name": "istio-envoy"
            },
            {
                "emptyDir": {},
                "name": "istio-data"
            },
            {
                "downwardAPI": {
                    "defaultMode": 420,
                    "items": [
                        {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.labels"
                            },
                            "path": "labels"
                        },
                        {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.annotations"
                            },
                            "path": "annotations"
                        }
                    ]
                },
                "name": "istio-podinfo"
            },
            {
                "configMap": {
                    "defaultMode": 420,
                    "name": "istio-ca-root-cert"
                },
                "name": "istiod-ca-cert"
            }
        ]
    }
}
  • Replace $$$IMAGE$$$ with the URL of the sidecar image.
  • Set the matchExpressions parameter of the selector so that it matches the pods into which you want to inject sidecars. For more information, see Labels and Selectors.
URLs of Istio 1.6.x images
  • Istio 1.6.x-1: registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1531
  • Istio 1.6.x-2: registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1546
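A pre-apply check for the two template edits described above, as an added example that is not part of the original topic: it fills in the image and the selector, then confirms that the placeholder is gone, the selector is usable, and the istio-proxy container keeps the hardened securityContext shown in the template. The trimmed template, the `spec` nesting, the `app=nginx` selector and the function names are assumptions made for illustration.

```python
import copy
import json

PLACEHOLDER = "$$$IMAGE$$$"
REGISTRY = "registry.cn-hangzhou.aliyuncs.com/acs"  # registry of the images listed in this topic

# Constructed, trimmed template: only the fields the checks read ("spec" nesting is assumed).
TEMPLATE = {"spec": {
    "containers": [{
        "name": "istio-proxy",
        "image": PLACEHOLDER,
        "securityContext": {"allowPrivilegeEscalation": False, "privileged": False,
                            "capabilities": {"drop": ["ALL"]},
                            "runAsNonRoot": True, "runAsUser": 1337},
    }],
    "selector": {"matchExpressions": []},
}}

def render(template, image, match_expressions):
    """Return a copy with the image placeholder and the selector filled in."""
    doc = copy.deepcopy(template)
    for c in doc["spec"]["containers"]:
        if c.get("image") == PLACEHOLDER:
            c["image"] = image
    doc["spec"]["selector"] = {"matchExpressions": match_expressions}
    return doc

def check(doc, registry=REGISTRY):
    """Return a list of problems; an empty list means the manifest passes."""
    problems = []
    if PLACEHOLDER in json.dumps(doc):
        problems.append("image placeholder not replaced")
    exprs = doc["spec"].get("selector", {}).get("matchExpressions") or []
    if not exprs:
        problems.append("selector.matchExpressions is empty")
    for e in exprs:  # Kubernetes label selectors require values for In/NotIn
        if e.get("operator") in ("In", "NotIn") and not e.get("values"):
            problems.append(f"selector key {e.get('key')!r} has no values")
    # Only sidecar containers are checked; istio-init legitimately runs as root.
    for c in doc["spec"]["containers"]:
        sc = c.get("securityContext", {})
        if not c.get("image", "").startswith(registry + "/"):
            problems.append(f"{c['name']}: image outside {registry}")
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation", True):
            problems.append(f"{c['name']}: privileged or escalation allowed")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f"{c['name']}: capabilities not dropped")
        if not sc.get("runAsNonRoot") or sc.get("runAsUser") == 0:
            problems.append(f"{c['name']}: may run as root")
    return problems
```

Load the full SidecarSet JSON with `json.load` and pass it to `check` before applying it; an empty list means all checks passed.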