
Alibaba Cloud Service Mesh:Configure a sidecar proxy by adding resource annotations

Last Updated:Jun 05, 2023

Service Mesh (ASM) allows you to modify a sidecar proxy by adding resource annotations. This topic describes how to configure a sidecar proxy by adding resource annotations and setting ProxyConfig fields.

Prerequisites

Add resource annotations

ASM allows you to add annotations to pods to modify a sidecar proxy. This section describes how to modify the memory of a sidecar proxy. For more information about resource annotations, see Appendix 1: Istio resource annotations.

  1. Enable automatic sidecar injection.

    1. Log on to the ASM console.

    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

    4. On the details page of the ASM instance, choose ASM Instance > Global Namespace in the left-side navigation pane.

    5. On the Global Namespace page, find the default namespace and click Enable Automatic Sidecar Injection in the Automatic Sidecar Injection column.

    6. In the message that appears, click OK.

  2. Deploy an application in the default namespace. For more information, see Deploy an application in an ASM instance.

  3. Modify the minimum memory of the sidecar proxy.

    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
    5. On the Deployments page, find the application that you want to modify and click Details in the Actions column.

    6. In the upper-right corner of the application details page, click View YAML.

    7. In the Edit YAML dialog box, add the following content under the template parameter. Then, click Update.

      annotations:
        sidecar.istio.io/proxyMemory: 14Mi
  4. Check whether the memory of the sidecar proxy has been modified.

    1. In the left-side navigation pane of the details page, choose Workloads > Pods.
    2. On the Pods page, find the pod that you want to view and click View Details in the Actions column.

    3. On the Container tab, click istio-proxy.

      You can see that the required memory for the istio-proxy is 14 MiB.

Set ProxyConfig fields

ASM allows you to configure a sidecar proxy by modifying ProxyConfig fields. For more information about ProxyConfig fields, see Appendix 2: ProxyConfig fields.

Note

The value of the proxy.istio.io/config annotation is in the YAML format or JSON format.

The procedure for setting ProxyConfig fields is similar to that for adding resource annotations. For more information, see the steps described in the "Add resource annotations" section. In this example, common ProxyConfig fields are used.

Example 1: Set the termination drain duration

You can modify the termination drain duration by setting the terminationDrainDuration field. The termination drain duration is the amount of time that the istio-proxy waits before it is killed or shut down after the application container is terminated.

Add the following content to the YAML file of the application. When the application container is terminated, the istio-proxy waits for 3 seconds.

annotations:
  proxy.istio.io/config: |
    terminationDrainDuration: 3s

On the Pods page, find the pod that you want to view and click View Details in the Actions column. On the Container tab, click istio-proxy. You can see that the termination drain duration is 3 seconds.

Example 2: Set the start sequence of the istio-proxy

By default, the holdApplicationUntilProxyStarts field is set to true globally in ASM to ensure that the istio-proxy has been started before the pod is started. If the istio-proxy is not started when the pod is started, the pod fails to receive traffic.

If you do not need to limit the start sequence of the istio-proxy, you can add the following content to the YAML file of the application. Then, the istio-proxy starts after the pod is started.

annotations:
  proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": false }'

On the Pods page, find the pod that you want to view and click View Details in the Actions column. Click the Events tab. You can see that the istio-proxy is started after the pod is started.
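
Both examples above set the proxy.istio.io/config annotation, once as YAML and once as JSON, and Appendix 1 lists further annotations that change what the sidecar sees. The following Python audit is an added example (not Alibaba Cloud or Istio code): it parses proxy.istio.io/config in the two formats used on this page and flags the annotations that take traffic out of the sidecar, disable injection, or turn off holdApplicationUntilProxyStarts. The flat key: value parser is a simplification of YAML, and SAMPLE_TEMPLATE is a constructed pod template mirroring Example 2.

```python
import json
import re

# Added example for this page, not Alibaba Cloud or Istio code: audits the
# Istio sidecar annotations on a pod template before the manifest is applied.
DURATION_RE = re.compile(r"^(\d+(\.\d+)?(ms|s|m|h))+$")  # e.g. 3s, 1m30s

def parse_proxy_config(text):
    """Parse proxy.istio.io/config: JSON, or the flat 'key: value' YAML used on
    this page (a simplification; nested YAML would need a real YAML parser)."""
    text = text.strip()
    if text.startswith("{"):
        return json.loads(text)
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            raise ValueError(f"unparseable ProxyConfig line: {line!r}")
        key, _, value = line.partition(":")
        value = value.strip()
        cfg[key.strip()] = {"true": True, "false": False}.get(value, value)
    return cfg

def audit_pod_template(template):
    """Return findings about sidecar coverage and ProxyConfig validity."""
    ann = template.get("metadata", {}).get("annotations", {})
    findings = []
    if str(ann.get("sidecar.istio.io/inject", "true")).lower() == "false":
        findings.append("sidecar injection disabled: pod runs outside mesh mTLS and policy")
    for key in ("traffic.sidecar.istio.io/excludeInboundPorts",
                "traffic.sidecar.istio.io/excludeOutboundPorts",
                "traffic.sidecar.istio.io/excludeOutboundIPRanges"):
        if key in ann:  # excluded ports/ranges are not seen by the sidecar at all
            findings.append(f"{key}={ann[key]}: this traffic bypasses the sidecar")
    if "proxy.istio.io/config" in ann:
        try:
            cfg = parse_proxy_config(ann["proxy.istio.io/config"])
        except ValueError as exc:
            return findings + [f"invalid proxy.istio.io/config: {exc}"]
        if cfg.get("holdApplicationUntilProxyStarts") is False:
            findings.append("holdApplicationUntilProxyStarts=false: application may "
                            "start before the sidecar is ready (startup race)")
        drain = cfg.get("terminationDrainDuration")
        if drain is not None and not DURATION_RE.match(str(drain)):
            findings.append(f"terminationDrainDuration={drain!r} is not a duration such as 3s")
    return findings

# Constructed pod template mirroring Example 2 on this page.
SAMPLE_TEMPLATE = {"metadata": {"annotations": {
    "sidecar.istio.io/proxyMemory": "14Mi",
    "proxy.istio.io/config": '{ "holdApplicationUntilProxyStarts": false }'}}}
```

Run audit_pod_template on the spec.template of each Deployment before you click Update; a non-empty result is the list of annotations to justify or remove.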

Appendix 1: Istio resource annotations

Annotation | Description
--- | ---
proxy.istio.io/config | Overwrites the proxy configuration.
readiness.status.sidecar.istio.io/applicationPorts | The list of ports exposed by the application container. This annotation is used by the sidecar proxy readiness probe to determine whether the sidecar proxy is configured and ready to receive traffic.
readiness.status.sidecar.istio.io/failureThreshold | The failure threshold for the sidecar proxy readiness probe.
readiness.status.sidecar.istio.io/initialDelaySeconds | The initial delay for the sidecar proxy readiness probe. Unit: seconds.
readiness.status.sidecar.istio.io/periodSeconds | The detection period for the sidecar proxy readiness probe. Unit: seconds.
sidecar.istio.io/componentLogLevel | The component log level for the sidecar proxy.
sidecar.istio.io/enableCoreDump | Specifies whether to enable core dump for the sidecar proxy.
sidecar.istio.io/extraStatTags | The list of additional tags extracted from the in-proxy Istio telemetry. Each additional tag must be present in this list.
sidecar.istio.io/inject | Specifies whether to enable automatic sidecar injection.
sidecar.istio.io/interceptionMode | The mode (REDIRECT or TPROXY) used to redirect inbound traffic to Envoy.
sidecar.istio.io/logLevel | The log level for the sidecar proxy.
sidecar.istio.io/proxyCPU | The requested CPU setting for the sidecar proxy.
sidecar.istio.io/proxyCPULimit | The CPU limit for the sidecar proxy.
sidecar.istio.io/proxyMemory | The requested memory setting for the sidecar proxy.
sidecar.istio.io/proxyMemoryLimit | The memory limit for the sidecar proxy.
sidecar.istio.io/rewriteAppHTTPProbers | Rewrites HTTP readiness and liveness probes so that they are redirected to the sidecar proxy.
status.sidecar.istio.io/port | The HTTP status port of the sidecar proxy. If the port number is 0, the sidecar proxy does not provide status.
traffic.sidecar.istio.io/excludeInboundPorts | The comma-separated list of inbound ports to be excluded from traffic redirection to the sidecar proxy. This annotation is valid only when all inbound traffic is redirected to the sidecar proxy. The wildcard (*) indicates any inbound port.
traffic.sidecar.istio.io/excludeOutboundIPRanges | The comma-separated list of CIDR blocks to be excluded from outbound traffic redirection to the sidecar proxy. This annotation is valid only when all outbound traffic is redirected to the sidecar proxy. The wildcard (*) indicates any CIDR block.
traffic.sidecar.istio.io/excludeOutboundPorts | The comma-separated list of outbound ports to be excluded from traffic redirection to the sidecar proxy.
traffic.sidecar.istio.io/includeInboundPorts | The comma-separated list of inbound ports for which traffic is to be redirected to the sidecar proxy. The wildcard (*) indicates any inbound port. An empty list disables the redirection of all inbound traffic to the sidecar proxy.
traffic.sidecar.istio.io/includeOutboundIPRanges | The comma-separated list of CIDR blocks for which outbound traffic is to be redirected to the sidecar proxy. The wildcard (*) indicates any CIDR block. An empty list disables the redirection of all outbound traffic to the sidecar proxy.
traffic.sidecar.istio.io/includeOutboundPorts | The comma-separated list of outbound ports for which traffic is to be redirected to the sidecar proxy.
traffic.sidecar.istio.io/kubevirtInterfaces | The comma-separated list of virtual interfaces whose inbound traffic, such as that from VMs, is treated as outbound traffic.

Appendix 2: ProxyConfig fields

Field | Type | Description
--- | --- | ---
configPath | String | The path to the directory of the configuration file. The proxy agent generates the actual configuration and stores it in this directory.
statsdUdpAddress | String | The IP address and port of a StatsD UDP listener.
proxyAdminPort | Int32 | The port on which Envoy listens for administrative commands. The default port is port 15000.
controlPlaneAuthPolicy | AuthenticationPolicy | The policy that is used to authenticate the sidecar proxy when it connects to the control plane. The default value is MUTUAL_TLS.
concurrency | Int32Value | The number of worker threads to run. If this field is not specified, the number is determined automatically from the requested CPU setting and limits. If this field is set to 0, all cores on the machine are used. The default value is 2.
interceptionMode | InboundInterceptionMode | The mode in which inbound traffic is redirected to the sidecar proxy.
tracing | Tracing | The tracing configuration of the sidecar proxy.
sds | SDS | The secret discovery service (SDS) configuration of the sidecar proxy.
proxyMetadata | Map<string, string> | The additional environment variables for the sidecar proxy. Variables whose names start with ISTIO_META_ are included in the generated bootstrap and sent to the XDS server.
statusPort | Map<string, string> | The port on which the sidecar proxy listens for administrative commands such as readiness probes. The default port is port 15020.
terminationDrainDuration | Duration | The amount of time allowed for connections to complete on proxy shutdown. After SIGTERM or SIGINT is received, the istio-agent tells the active Envoy to start draining, which prevents new connections and allows existing connections to complete. The istio-agent then sleeps for the termination drain duration and kills the remaining active Envoy processes. The default value is 5. Unit: seconds.
holdApplicationUntilProxyStarts | BoolValue | Specifies whether to enable or disable the holdApplicationUntilProxyStarts behavior. This feature adds hooks that delay application startup until the pod proxy is ready to accept traffic, which mitigates some startup race conditions.