In Alibaba Cloud Service Mesh (ASM), you can install an Envoy sidecar proxy in the pod of each service in your application to improve the security, reliability, and observability of inter-service communication. This topic describes how to install sidecar proxies.

Background information

If you install a sidecar proxy in the pod of an application, an independent container is created in the pod to provide the features of the sidecar proxy. To make full use of these features, each service in your application requires an Envoy sidecar proxy running in the pod of that service. The Envoy proxy intercepts all inbound and outbound HTTP traffic to the service and communicates with the Pilot component on the Istio control plane of the corresponding ASM instance.

Step 1: Enable sidecar injection

By default, automatic sidecar injection is disabled for all namespaces. You can inject a sidecar proxy manually by updating the Kubernetes configuration of the target pod. Alternatively, you can use the automatic sidecar injection feature of Istio, which is based on webhooks. Run the following command to enable automatic sidecar injection:
    kubectl label namespace {namespace} istio-injection=enabled --overwrite
Note: In the preceding command, the namespace parameter specifies the namespace of the target application. If you do not specify this parameter, the default namespace is used.

Step 2: Restart the pod

Sidecar proxies are injected when pods are created. Therefore, you must restart the pods to make sidecar injection take effect.
Notice: We recommend that you restart the pods in the test environment multiple times to ensure that your service will not be affected by any traffic interruptions.
  1. Run the following command to restart a pod:
    kubectl get pod {podname} -n {namespace} -o yaml | kubectl replace --force -f -
  2. Check whether a sidecar proxy is injected into every pod in the namespace. After a sidecar proxy is injected into a pod, each workload is supported by a main container and a sidecar proxy container.
    kubectl get pod -n {namespace}
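
The check in step 2 can be scripted. The following is an added example, not part of the original documentation: it lists the pods in a namespace that have no sidecar container, which are the pods whose traffic is not passing through the mesh. It assumes the injected container is named istio-proxy (the Istio default; this page does not name it), and the pod names in sample_pods are constructed.

```shell
#!/bin/sh
# Added example: report pods that were not injected with a sidecar proxy.
# Assumption: the sidecar container is named "istio-proxy" (Istio default).
SIDECAR_NAME="${SIDECAR_NAME:-istio-proxy}"

# Reads lines of "<pod name><TAB><container names separated by spaces>"
# on stdin and prints the name of every pod that has no container whose
# name is exactly $SIDECAR_NAME.
pods_missing_sidecar() {
  awk -F '\t' -v sidecar="$SIDECAR_NAME" '
    NF >= 1 && $1 != "" {
      n = split($2, names, " ")
      found = 0
      for (i = 1; i <= n; i++) if (names[i] == sidecar) found = 1
      if (!found) print $1
    }'
}

# Produces that input from a live cluster (requires kubectl access).
# $1 is the namespace of the target application.
list_pod_containers() {
  kubectl get pods -n "$1" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Constructed sample input, in the same format list_pod_containers emits.
sample_pods() {
  printf 'productpage-v1-abc\tproductpage istio-proxy\n'
  printf 'reviews-v1-def\treviews\n'
  printf 'ratings-v1-ghi\tratings istio-proxy\n'
}

# Offline demonstration on the constructed sample.
# Against a cluster: list_pod_containers {namespace} | pods_missing_sidecar
sample_pods | pods_missing_sidecar
```

Any pod this prints was created before the namespace was labeled, or has injection disabled, and must be restarted as in step 2 before it is covered by the mesh.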