Alibaba Cloud Service Mesh (ASM) allows you to add a Container Service for Kubernetes (ACK) cluster to an ASM instance. To make full use of ASM, you must inject a sidecar proxy into the pod of an application that is deployed in the ACK cluster. ASM supports both manual and automatic sidecar injection. We recommend that you enable automatic sidecar injection because it requires simpler operations than manual sidecar injection. This topic describes the methods that can be used to enable automatic sidecar injection.

Background information

By default, ASM provides a webhook controller to automatically inject sidecar proxies into the pods of applications. For more information about sidecar proxies, see Installing the Sidecar.
Note: Make sure that the Istio version of the ASM instance for which you want to enable automatic sidecar injection is 1.6.8.17 or later.

Enable automatic sidecar injection

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
  4. On the details page of the ASM instance, choose Sidecar Management(Data Plane) > Sidecar Proxy injection in the left-side navigation pane.
  5. On the Sidecar Proxy injection page, click Injection strategy configuration management, configure settings for automatic sidecar injection, and then click Update Settings.
    The following table describes the operations that you can perform to configure automatic sidecar injection.
    Operation Description
    Select only Enable Automatic Sidecar Injection for All Namespaces.

    After you select this option, you can enable or disable automatic sidecar injection based on your business requirements.

    • Enable automatic sidecar injection

      In a namespace to which the istio-injection:disabled label is added, add the sidecar.istio.io/inject="true" annotation to a pod. This way, automatic sidecar injection is enabled for the pod.

    • Disable automatic sidecar injection
      • Add the istio-injection:disabled label to a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.
      • Remove the sidecar.istio.io/inject="true" annotation from a pod. This way, automatic sidecar injection is disabled for the pod.
    Select Enable Automatic Sidecar Injection for All Namespaces and Other Configurations of Automatic Sidecar Injection.
    After you select this option, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Set the alwaysInjectSelector parameter in the code editor that appears after you select Other Configurations of Automatic Sidecar Injection. In a namespace without the istio-injection:disabled label, add the key label in the alwaysInjectSelector parameter to a pod. This way, automatic sidecar injection is enabled for the pod.

    • Disable automatic sidecar injection
      • Add the istio-injection:disabled label to a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.
      • Remove the sidecar.istio.io/inject="true" annotation from a pod. This way, automatic sidecar injection is disabled for the pod.
    Select only Use the Pod Annotation to Enable Automatic Sidecar Injection.
    After you select this option, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Add the istio-injection:enabled label to a namespace. This way, automatic sidecar injection is enabled for the pods in the namespace.

    • Disable automatic sidecar injection
      • Remove the istio-injection:enabled label from a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.
      • Add the sidecar.istio.io/inject="false" annotation to a pod. This way, automatic sidecar injection is disabled for the pod.
    Select Use the Pod Annotation to Enable Automatic Sidecar Injection and Other Configurations of Automatic Sidecar Injection.
    After you select this option, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Add the istio-injection:enabled label to a namespace. This way, automatic sidecar injection is enabled for the pods in the namespace.

    • Disable automatic sidecar injection

      Remove the istio-injection:enabled label from a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.

    • Disable automatic sidecar injection for a pod in a namespace to which the istio-injection:enabled label is added.

      Set the neverInjectSelector parameter in the code editor that appears after you select Other Configurations of Automatic Sidecar Injection. Add the key label in the neverInjectSelector parameter to a pod in a namespace with the istio-injection:enabled label. This way, automatic sidecar injection is disabled for the pod.

    Select Enable Automatic Sidecar Injection for All Namespaces and Use the Pod Annotation to Enable Automatic Sidecar Injection.

    After you select this option, you can enable or disable automatic sidecar injection based on your business requirements.

    • Enable automatic sidecar injection

      Remove the istio-injection:disabled label from a namespace. This way, automatic sidecar injection is enabled for the pods in the namespace.

    • Disable automatic sidecar injection

      Add the istio-injection:disabled label to a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.

    Select Enable Automatic Sidecar Injection for All Namespaces, Use the Pod Annotation to Enable Automatic Sidecar Injection, and Other Configurations of Automatic Sidecar Injection.
    After you select this option, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Remove the istio-injection:disabled label from a namespace. This way, automatic sidecar injection is enabled for the pods in the namespace.

    • Disable automatic sidecar injection

      Add the istio-injection:disabled label to a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.

    • Disable automatic sidecar injection for a pod in a namespace without the istio-injection:disabled label.

      Set the neverInjectSelector parameter in the code editor that appears after you select Other Configurations of Automatic Sidecar Injection. Add the key label in the neverInjectSelector parameter to a pod in a namespace without the istio-injection:disabled label. This way, automatic sidecar injection is disabled for the pod.

    Select only Other Configurations of Automatic Sidecar Injection.
    After you select this option, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Add the istio-injection:enabled label to a namespace, set the alwaysInjectSelector parameter in the code editor that appears after you select Other Configurations of Automatic Sidecar Injection, and then add the key label in the alwaysInjectSelector parameter to a pod in the namespace. This way, automatic sidecar injection is enabled for the pod.

    • Disable automatic sidecar injection
      • Remove the istio-injection:enabled label from a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.
      • Remove the sidecar.istio.io/inject="true" annotation from a pod in a namespace to which the istio-injection:enabled label is added. This way, automatic sidecar injection is disabled for the pod.
    Select no option.
    In this case, you can enable or disable automatic sidecar injection based on your business requirements.
    • Enable automatic sidecar injection

      Add the istio-injection:enabled label to a namespace and add the sidecar.istio.io/inject="true" annotation to a pod in the namespace. This way, automatic sidecar injection is enabled for the pod.

    • Disable automatic sidecar injection
      • Remove the istio-injection:enabled label from a namespace. This way, automatic sidecar injection is disabled for the pods in the namespace.
      • Remove the sidecar.istio.io/inject="true" annotation from a pod in a namespace to which the istio-injection:enabled label is added. This way, automatic sidecar injection is disabled for the pod.
  6. Optional: On the Sidecar Proxy injection page, click Sidecar Injector Setting. Configure the resources for the sidecar proxy and click Update Settings. The parameters are described as follows.
    • Resource Settings for Sidecar Injector: By default, ASM provides a webhook controller for each cluster on the data plane to automatically inject sidecar proxies into the pods of applications. The specified resource settings are used to limit the size of the webhook controller.
    • pod replicas: Specifies the number of pod replicas for the sidecar proxy.
    • Pod NodeSelector: Schedules the pod for which the automatic sidecar proxy is enabled to a specific node based on labels.

Other settings of automatic sidecar injection

You can configure labels in other automatic sidecar injection settings to specify whether to inject a sidecar proxy into a pod based on label matching.
  • Set the alwaysInjectSelector parameter to inject sidecar proxies into the pods that are matched by label. This setting takes priority over global settings.
    {
      "alwaysInjectSelector": [
        {
          "matchExpressions": [
            {
              "key": "key1",
              "operator": "Exists"
            }
          ]
        },
        {
          "matchExpressions": [
            {
              "key": "key2",
              "operator": "Exists"
            }
          ]
        }
      ]
    }
  • Set the neverInjectSelector parameter to prevent sidecar proxies from being injected into the pods that are matched by label. This setting takes priority over global settings.
    {
      "neverInjectSelector": [
        {
          "matchExpressions": [
            {
              "key": "key3",
              "operator": "Exists"
            }
          ]
        },
        {
          "matchExpressions": [
            {
              "key": "key4",
              "operator": "Exists"
            }
          ]
        }
      ]
    }    
  • Set other parameters.
    {
      "replicaCount": 2,
      "injectedAnnotations": {
        "test/istio-init": "runtime/default",
        "test/istio-proxy": "runtime/default"
      },
      "nodeSelector": {
         "beta.kubernetes.io/os": "linux"
      }   
    }  
    • replicaCount: the number of replicas that are deployed for a sidecar injector.
    • injectedAnnotations: other injected annotations.
    • nodeSelector: the nodes on which sidecar injectors run. In this example, the beta.kubernetes.io/os label is set to linux, which indicates that sidecar injectors run only on nodes that carry the beta.kubernetes.io/os label with the value linux.

Scenario 1: Disable automatic sidecar injection for specific pods in a namespace for which automatic sidecar injection is enabled

To disable automatic sidecar injection for specific pods in a namespace for which automatic sidecar injection is enabled, perform the following operations:

Use other automatic sidecar injection configurations to disable automatic sidecar injection for specific pods in a namespace for which automatic sidecar injection is enabled

  1. Enable automatic injection for an ASM instance.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
    4. On the details page of the ASM instance, choose Sidecar Management(Data Plane) > Sidecar Proxy injection in the left-side navigation pane.
    5. On the Sidecar Proxy injection page, click Injection strategy configuration management. In the Enable Automatic Sidecar Injection section, select Use the Pod Annotation to Enable Automatic Sidecar Injection and Other Configurations of Automatic Sidecar Injection. In the code editor that appears, add the following content and click Update Settings.
      {
        "neverInjectSelector": [
          {
            "matchExpressions": [
              {
                "key": "notinjectapp",
                "operator": "Exists"
              }
            ]
          }
        ]
      }
  2. Create a namespace.
    1. On the details page of the ASM instance, choose ASM Instance > Global Namespace in the left-side navigation pane. On the Global Namespace page, click Create.
    2. In the Create Namespace panel, specify a name for the namespace, click Add next to Labels to add a label with the name of istio-injection and the value of enabled, and then click OK. In this example, the namespace is named test1.
  3. Create an application.
    1. Create an application in the test1 namespace of the ACK cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance. In this example, the details application is deployed.
    2. Check whether automatic sidecar injection is enabled for the pod of the details application.
      1. Log on to the ACK console.
      2. In the left-side navigation pane of the ACK console, click Clusters.
      3. On the Clusters page, find the cluster that you want to manage. Then, click the name of the cluster or click Details in the Actions column.
      4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
      5. In the upper part of the Deployments page, select test1 from the Namespace drop-down list. Then, click the name of the details application.
        The Pods tab shows a proxy image. This indicates that automatic sidecar injection is enabled for the pod of the details application.
  4. Add a label to the pod to disable automatic sidecar injection.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
    5. In the upper part of the Deployments page, select test1 from the Namespace drop-down list. Then, find the details application and choose More > View in YAML in the Actions column.
    6. In the labels parameter, add a label with the key of notinjectapp and a custom value. Then, click Update.
    7. In the upper part of the Deployments page, select test1 from the Namespace drop-down list. Then, find the details application and choose More > Redeploy in the Actions column.
    8. In the message that appears, click Confirm.
  5. Check whether automatic sidecar injection is disabled for the pod of the details application even if automatic sidecar injection is enabled for the test1 namespace.
    On the Deployments page, click the name of the details application. The Pods tab shows no proxy image. This indicates that automatic sidecar injection is disabled for the pod of the details application even if automatic sidecar injection is enabled for the test1 namespace.

Use annotations to disable automatic sidecar injection for specific pods in a namespace for which automatic sidecar injection is enabled

  1. Enable automatic injection for an ASM instance.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
    4. On the details page of the ASM instance, choose Sidecar Management(Data Plane) > Sidecar Proxy injection in the left-side navigation pane.
    5. On the Sidecar Proxy injection page, click Injection strategy configuration management. In the Enable Automatic Sidecar Injection section, select Use the Pod Annotation to Enable Automatic Sidecar Injection, and click Update Settings.
  2. Create a namespace.
    1. On the details page of the ASM instance, choose ASM Instance > Global Namespace in the left-side navigation pane. On the Global Namespace page, click Create.
    2. In the Create Namespace panel, specify a name for the namespace, click Add next to Labels, add a label with the name of istio-injection and the value of enabled, and then click OK. In this example, the namespace is named test1.
  3. Create an application.
    1. Create an application in the test1 namespace of the ACK cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance. In this example, the details application is deployed.
    2. Check whether automatic sidecar injection is enabled for the pod of the details application.
      1. Log on to the ACK console.
      2. In the left-side navigation pane of the ACK console, click Clusters.
      3. On the Clusters page, find the cluster that you want to manage. Then, click the name of the cluster or click Details in the Actions column.
      4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
      5. In the upper part of the Deployments page, select test1 from the Namespace drop-down list. Then, click the name of the details application.
        The Pods tab shows a proxy image. This indicates that automatic sidecar injection is enabled for the pod of the details application.
  4. Add an annotation to the pod to disable automatic sidecar injection.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
    5. In the upper part of the Deployments page, select test1 from the Namespace drop-down list. Then, find the details application and choose More > View in YAML in the Actions column.
    6. Add sidecar.istio.io/inject: "false" to annotations, and click Update.
    7. In the upper part of the Deployments page, select test1 from the Namespace drop-down list. Then, find the details application and choose More > Redeploy in the Actions column.
    8. In the message that appears, click Confirm.
  5. Check whether automatic sidecar injection is disabled for the pod of the details application even if automatic sidecar injection is enabled for the test1 namespace.
    On the Deployments page, click the name of the details application. The Pods tab shows no proxy image. This indicates that automatic sidecar injection is disabled for the pod of the details application even if automatic sidecar injection is enabled for the test1 namespace.
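
Both methods in Scenario 1 leave a pod without a sidecar inside a namespace labeled istio-injection:enabled, so it is worth listing which pods opt out and why. The following is an added example, not part of the original topic or of ASM itself: it evaluates the neverInjectSelector from Scenario 1 with standard Kubernetes matchExpressions semantics and also checks the sidecar.istio.io/inject: "false" annotation. The pod inventory, the ratings and productpage workloads, and all function names are constructed for illustration.

```python
import json

# neverInjectSelector exactly as entered in the ASM code editor in Scenario 1.
INJECTOR_CONFIG = json.loads("""
{"neverInjectSelector": [
  {"matchExpressions": [{"key": "notinjectapp", "operator": "Exists"}]}
]}
""")

# Constructed sample inventory (not real cluster output).
NAMESPACES = {"test1": {"istio-injection": "enabled"}, "test2": {}}
PODS = [
    {"namespace": "test1", "name": "details-v1",
     "labels": {"app": "details", "notinjectapp": "true"}},
    {"namespace": "test1", "name": "ratings-v1", "labels": {"app": "ratings"},
     "annotations": {"sidecar.istio.io/inject": "false"}},
    {"namespace": "test1", "name": "productpage-v1", "labels": {"app": "productpage"}},
    {"namespace": "test2", "name": "reviews-v1",
     "labels": {"app": "reviews", "notinjectapp": "true"}},
]


def expression_matches(expr, labels):
    """Evaluate one Kubernetes label-selector requirement against pod labels."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    if op == "In":
        return labels.get(key) in values
    if op == "NotIn":
        return labels.get(key) not in values
    raise ValueError(f"unsupported operator: {op!r}")


def selector_matches(selector, labels):
    """Requirements inside one selector are ANDed; list entries are ORed by the caller."""
    exprs = selector.get("matchExpressions", [])
    # Choice made in this example: an entry with no requirements matches nothing.
    return bool(exprs) and all(expression_matches(e, labels) for e in exprs)


def opt_out_reason(pod, namespace_labels, config):
    """Return why a pod in an injection-enabled namespace gets no sidecar, else None."""
    if namespace_labels.get("istio-injection") != "enabled":
        return None  # namespace is not labeled for injection: outside this audit
    if pod.get("annotations", {}).get("sidecar.istio.io/inject") == "false":
        return "annotation sidecar.istio.io/inject=false"
    for selector in config.get("neverInjectSelector", []):
        if selector_matches(selector, pod.get("labels", {})):
            keys = ",".join(e["key"] for e in selector["matchExpressions"])
            return f"neverInjectSelector match on key(s): {keys}"
    return None


def audit(pods, namespaces, config):
    """List (namespace, pod, reason) for every pod that opts out of injection."""
    findings = []
    for pod in pods:
        reason = opt_out_reason(pod, namespaces.get(pod["namespace"], {}), config)
        if reason:
            findings.append((pod["namespace"], pod["name"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(PODS, NAMESPACES, INJECTOR_CONFIG):
        print(*finding, sep="\t")
```

To run the check against a real cluster, replace the constructed NAMESPACES and PODS with the labels and annotations exported from that cluster, and INJECTOR_CONFIG with the content of the ASM code editor.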

Scenario 2: Configure automatic sidecar injection for a pod

If you do not want to configure automatic sidecar injection by namespace, you can configure automatic sidecar injection by pod.

  1. Enable automatic sidecar injection for a namespace.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
    4. On the details page of the ASM instance, choose Sidecar Management(Data Plane) > Sidecar Proxy injection in the left-side navigation pane.
    5. On the Sidecar Proxy injection page, click Injection strategy configuration management. In the Enable Automatic Sidecar Injection section, select Enable Automatic Sidecar Injection for All Namespaces, and click Update Settings.
  2. Create an application in the test2 namespace of the ACK cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance. In this example, the reviews application is deployed.
  3. Add an annotation to the pod of the reviews application to enable automatic sidecar injection for the pod.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Deployments.
    5. In the upper part of the Deployments page, select test2 from the Namespace drop-down list. Then, find the reviews application and choose More > View in YAML in the Actions column.
    6. Add sidecar.istio.io/inject: "true" to annotations, and click Update.
    7. In the upper part of the Deployments page, select test2 from the Namespace drop-down list. Then, find the reviews application and choose More > Redeploy in the Actions column.
    8. In the message that appears, click OK.
  4. Check whether automatic sidecar injection is enabled for the pod of the reviews application.
    On the Deployments page, click the name of the reviews application. The Pods tab shows a proxy image. This indicates that automatic sidecar injection is enabled for the pod of the reviews application.