Alibaba Cloud Service Mesh:Enable automatic sidecar proxy injection

Last Updated:Jul 20, 2023

To fully leverage all the features of Service Mesh (ASM), you must inject sidecar proxies into the pods of an application that is deployed in a Container Service for Kubernetes (ACK) cluster. ASM supports both manual and automatic sidecar proxy injection. We recommend that you enable automatic sidecar proxy injection because it requires simpler operations than manual sidecar proxy injection. This topic describes how to enable automatic sidecar proxy injection.

Features

By default, ASM provides a webhook controller that functions as a sidecar injector: it automatically injects sidecar proxies into the pods of applications when the pods are created in a cluster. You can configure the injection policies that the sidecar injector applies, as well as the resources and the number of pods allocated to the sidecar injector itself. For more information about how to install a sidecar proxy, see Install a sidecar proxy.

Prerequisites

A cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.

Manage automatic injection policies

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy injection.
  3. In the Injection strategy configuration management section of the Sidecar Proxy injection page, configure an automatic injection policy.

    A sidecar proxy is automatically injected into a pod only if the pod meets both the conditions selected under the Pod namespace label should meet condition and Pod label/annotation should meet condition parameters.

    Condition

    Description

    Pod namespace label should meet condition

    The condition that must be met by the label of the namespace to which the pod belongs so that a sidecar proxy can be automatically injected.

    • Include istio-injection: enabled: If the namespace to which the pod belongs contains the istio-injection: enabled label, a sidecar proxy can be automatically injected into the pod.

    • Not include istio-injection: disabled: If the namespace to which the pod belongs does not contain the istio-injection: disabled label, a sidecar proxy can be automatically injected into the pod.

    Pod label/annotation should meet condition

    The pod label or pod annotation requirement that must be met by the pod so that a sidecar proxy can be automatically injected.

    • Not include sidecar.istio.io/inject: "false": If the pod does not contain the sidecar.istio.io/inject: "false" label or annotation, a sidecar proxy can be automatically injected into the pod.

    • Include sidecar.istio.io/inject: "true": If the pod contains the sidecar.istio.io/inject: "true" label or annotation, a sidecar proxy can be automatically injected into the pod.

      Note
      • In ASM instances whose version is earlier than 1.12, only pod annotations can be used for determining whether a sidecar proxy can be automatically injected.

      • In ASM instances of version 1.12 and later, pod labels or pod annotations can be used for determining whether a sidecar proxy can be automatically injected.

        A pod label takes precedence over a pod annotation when automatic sidecar proxy injection is determined. For example, if a pod contains both the sidecar.istio.io/inject: "true" label and the sidecar.istio.io/inject: "false" annotation, the label wins: the pod is treated as having sidecar.istio.io/inject: "true", and the sidecar.istio.io/inject: "false" annotation is ignored.

  4. (Optional) In the lower part of the Injection strategy configuration management section, click Show Advanced Settings to configure parameters as required.

    Parameter

    Description

    The label selector that selects pods into which istio-proxy is always injected (AlwaysInjectSelector)

    AlwaysInjectSelector is a configurable pod label selector. Pods selected by AlwaysInjectSelector are considered to contain the sidecar.istio.io/inject: "true" label or annotation.

    The label selector that selects pods into which istio-proxy is never injected (NeverInjectSelector)

    NeverInjectSelector is a configurable pod label selector. Pods selected by NeverInjectSelector are considered to contain the sidecar.istio.io/inject: "false" label or annotation.

    Note

    Both AlwaysInjectSelector and NeverInjectSelector are pod label selectors. They are configured in the same way and can contain multiple lines. Each line describes a label selection expression. A pod is selected by a pod label selector if a label of the pod matches one of the label selection expressions.

    Each label selection expression contains the following three parts:

    • Key: The label key that the expression compares against the keys of the pod's labels.

    • Operator: The comparison that the expression applies to the pod label with the specified key. Valid values:

      • In: The pod matches if the value of the label is one of the specified values.

      • NotIn: The pod matches if the value of the label is not one of the specified values.

      • Exists: The pod matches if it has a label with the specified key, regardless of the value.

      • DoesNotExist: The pod matches if it has no label with the specified key.

    • Values: The values that the label value is compared against when the Operator parameter is set to In or NotIn. You can specify multiple values.

  5. In the lower part of the page, click Update Settings.

Manage sidecar injector settings

A sidecar injector is a component that is responsible for automatically injecting sidecar proxies. A sidecar injector is not a sidecar proxy. You can adjust the resource settings and the number of pods for a sidecar injector to improve the availability of the sidecar proxy injection service when a large number of sidecar proxies need to be injected into pods at the same time.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy injection.
  3. In the Sidecar Injector Setting section of the Sidecar Proxy injection page, configure a sidecar injector.

    Parameter

    Description

    Resource Settings for Sidecar Injector

    Configure the Resource Limits and Required Resources parameters for the sidecar injector.

    • Resource Limits: specifies the maximum CPU and memory resources that a sidecar injector container can use. The unit of CPU resources is Core. The unit of memory resources is MiB.

    • Required Resources: specifies the minimum CPU and memory resources that a sidecar injector container needs to use at runtime. The unit of CPU resources is Core. The unit of memory resources is MiB.

    pod replicas

    Configure the number of pods in which the sidecar injector is deployed.

    Note

    Increasing the number of pods can improve the availability of the sidecar proxy injection service when a large number of sidecar proxies need to be injected into pods at the same time. We recommend that you set the number of pods to two or more.

    Rewrite App Probe

    Specifies whether to enable redirection of health check requests for applications. For more information, see Configure redirection of HTTP or TCP health check requests for applications in an ASM instance.

    Sidecar-injector NodeSelector

    Select the nodes for the pods of a sidecar injector by matching labels.

    Click Add Matching Label. Enter the name and value of the label of a cluster node on the data plane under the Name and Value parameters to match a specific node.

  4. In the lower part of the page, click Update Settings.

Example 1: Disable automatic sidecar proxy injection for the specified pods in a namespace and enable automatic sidecar proxy injection for other pods

  1. Configure an automatic sidecar proxy injection policy.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy injection.
    3. In the Injection strategy configuration management section of the Sidecar Proxy injection page, configure the parameters as required.

      The following configurations indicate that if a namespace has the istio-injection: enabled label, sidecar proxies are automatically injected into the pods running in this namespace, except for the pods that have the sidecar.istio.io/inject: "false" label or annotation.

      Parameter

      Description

      Pod namespace label should meet condition

      Select Include istio-injection: enabled.

      Pod label/annotation should meet condition

      Select Not include sidecar.istio.io/inject: "false".

  2. Create a global namespace and enable automatic sidecar proxy injection for the namespace.

    1. On the details page of the ASM instance, choose ASM Instance > Global Namespace in the left-side navigation pane. On the page that appears, click Create.

    2. In the Create Namespace panel, enter a name for the namespace. In this example, the name is test1. Click Add next to Labels. Set Name to istio-injection, Value to enabled. Then, click OK.

    3. In the upper part of the page, click Sync Automatic Sidecar Injection to Kubernetes Cluster to synchronize the global namespace to the Kubernetes cluster on the data plane.

  3. Create an application.

    1. Create an application named details in the test1 namespace of the ACK cluster on the data plane. For more information, see Deploy an application in an ASM instance.

    2. Check whether automatic sidecar proxy injection is enabled for the pod of the details application.

      1. Log on to the ACK console and click Clusters in the left-side navigation pane.

      2. On the Clusters page, click the name of a cluster and choose Workloads > Deployments in the left-side navigation pane.

      3. In the upper part of the Deployments page, select test1 from the Namespace drop-down list. Then, click the name of the details application.

        The Pods tab shows that the pod of the details application has a proxy image. This indicates that automatic sidecar proxy injection is enabled for this pod.

  4. Add a label to the pod to disable automatic sidecar proxy injection.

    1. Log on to the ACK console and click Clusters in the left-side navigation pane.

    2. On the Clusters page, click the name of a cluster and choose Workloads > Deployments in the left-side navigation pane.

    3. On the Deployments page, choose test1 from the namespace drop-down list. Find the details application and choose More > View in YAML in the Actions column.

    4. In the Edit YAML dialog box, modify the configurations and click Update.

      • If the version of your ASM instance is 1.12.4 or later, add the sidecar.istio.io/inject: "false" label under the labels parameter by setting the key to sidecar.istio.io/inject and the value to "false".

      • If the version of your ASM instance is earlier than 1.12.4, add the sidecar.istio.io/inject: "false" annotation under the annotations parameter by setting the key to sidecar.istio.io/inject and the value to "false".

  5. Check whether automatic sidecar proxy injection is disabled for the pod of the details application even though automatic sidecar proxy injection is enabled for the test1 namespace.

    1. Log on to the ACK console and click Clusters in the left-side navigation pane.

    2. On the Clusters page, click the name of a cluster and choose Workloads > Deployments in the left-side navigation pane.

    3. In the upper part of the Deployments page, select test1 from the Namespace drop-down list. Then, click the name of the details application.

      The Pods tab shows that the pod of the details application does not have a proxy image. This indicates that automatic sidecar proxy injection is disabled for the pod of the details application even though automatic sidecar proxy injection is enabled for the test1 namespace.

Example 2: Configure automatic injection policies at the pod level

If you do not want to configure automatic injection policies at the namespace level, you can configure automatic injection policies at the pod level by performing the following steps:

  1. Enable automatic sidecar proxy injection for a namespace.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy injection.
    3. In the Injection strategy configuration management section of the Sidecar Proxy injection page, configure the parameters as required.

      The following configurations indicate that sidecar proxies are automatically injected into all pods that have the sidecar.istio.io/inject: "true" label, except for pods in namespaces that have the istio-injection: disabled label.

      Parameter

      Description

      Pod namespace label should meet condition

      Select Not include istio-injection: disabled.

      Pod label/annotation should meet condition

      Select Include sidecar.istio.io/inject: "true".

  2. Create a namespace named test2 that does not contain labels in the ACK cluster. For more information, see Manage namespaces and resource quotas.

  3. Create an application named reviews in the test2 namespace of the ACK cluster. For more information, see Deploy an application in an ASM instance.

  4. Add a label to the pod of the reviews application to enable automatic sidecar proxy injection for the pod.

    1. Log on to the ACK console and click Clusters in the left-side navigation pane.

    2. On the Clusters page, click the name of a cluster and choose Workloads > Deployments in the left-side navigation pane.

    3. In the upper part of the Deployments page, set Namespace to test2. Find the reviews application and choose More > View in YAML in the Actions column.

    4. In the Edit YAML dialog box that appears, add the sidecar.istio.io/inject: "true" label under the labels parameter and click Update.

      Note

      To configure automatic sidecar proxy injection for a pod by using a label, the version of your ASM instance must be 1.12.4 or later. You can update your ASM instance by referring to Update an ASM instance.


  5. Check whether automatic sidecar proxy injection is enabled for the pod of the reviews application.

    1. Log on to the ACK console and click Clusters in the left-side navigation pane.

    2. On the Clusters page, click the name of a cluster and choose Workloads > Deployments in the left-side navigation pane.

    3. In the upper part of the Deployments page, select test2 from the Namespace drop-down list. Then, click the name of the reviews application.

      The Pods tab shows that the pod of the reviews application has a proxy image. This indicates that automatic sidecar proxy injection is enabled for this pod.
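The following Python model is an added example, not code from ASM or Istio. It implements the injection decision described under Manage automatic injection policies (namespace condition AND pod condition, label precedence over annotation from version 1.12, AlwaysInjectSelector and NeverInjectSelector) and replays the policies of Example 1 and Example 2 on constructed namespace and pod labels. The order in which an explicit label or annotation, NeverInjectSelector and AlwaysInjectSelector are consulted is an assumption, because this topic does not state it.

```python
INJECT = "sidecar.istio.io/inject"

def selector_matches(selector, labels):
    """selector: list of (key, operator, values) lines; a pod matches if any line matches."""
    for key, op, values in selector:
        if op == "In" and labels.get(key) in values:
            return True
        if op == "NotIn" and labels.get(key) not in values:
            return True
        if op == "Exists" and key in labels:
            return True
        if op == "DoesNotExist" and key not in labels:
            return True
    return False

def pod_inject_value(labels, annotations, always=(), never=(), version=(1, 12)):
    """Effective sidecar.istio.io/inject value of a pod ("true", "false" or None)."""
    # From ASM 1.12 the label is checked first; earlier versions only look at annotations.
    explicit = labels.get(INJECT) if version >= (1, 12) else None
    if explicit is None:
        explicit = annotations.get(INJECT)
    if explicit is not None:
        return explicit
    if selector_matches(never, labels):    # assumed order: explicit value, then Never, then Always
        return "false"
    if selector_matches(always, labels):
        return "true"
    return None

def should_inject(ns_labels, labels, annotations, ns_rule, pod_rule, **kw):
    """ns_rule: 'include_enabled' | 'not_include_disabled'; pod_rule: 'include_true' | 'not_include_false'."""
    ns_value = ns_labels.get("istio-injection")
    ns_ok = ns_value == "enabled" if ns_rule == "include_enabled" else ns_value != "disabled"
    value = pod_inject_value(labels, annotations, **kw)
    pod_ok = value == "true" if pod_rule == "include_true" else value != "false"
    return ns_ok and pod_ok   # both conditions must hold

def example_1():
    # Namespace test1 carries istio-injection: enabled; a pod opts out with the "false" label.
    ns = {"istio-injection": "enabled"}
    plain = should_inject(ns, {"app": "details"}, {}, "include_enabled", "not_include_false")
    opted_out = should_inject(ns, {"app": "details", INJECT: "false"}, {}, "include_enabled", "not_include_false")
    return plain, opted_out

def example_2():
    # Namespace test2 has no labels; only pods with the "true" label are injected.
    ns = {}
    plain = should_inject(ns, {"app": "reviews"}, {}, "not_include_disabled", "include_true")
    opted_in = should_inject(ns, {"app": "reviews", INJECT: "true"}, {}, "not_include_disabled", "include_true")
    return plain, opted_in
```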