In Service Mesh (ASM), you can install an Envoy sidecar proxy in the pod of each service in your application to improve the security, reliability, and observability of inter-service communication. This topic describes how to install sidecar proxies.
Background information
If you install a sidecar proxy in the pod of an application, an independent container is created in the pod to provide the features of the sidecar proxy. To make full use of these features, each service in your application requires an Envoy sidecar proxy that runs in the pod of that service. The Envoy proxy intercepts all inbound and outbound HTTP traffic to the service and communicates with the Pilot component on the Istio control plane of the corresponding ASM instance.
Step 1: Enable sidecar injection
By default, automatic sidecar injection is disabled for all namespaces. You can manually inject a sidecar proxy by updating the Kubernetes configuration of the pod. Alternatively, you can use the automatic sidecar injection feature of Istio, which is based on webhooks. Run the following command to enable automatic sidecar injection:
kubectl label namespace {namespace} istio-injection=enabled --overwrite
In the preceding command, the namespace parameter specifies the namespace of the application. If you do not specify this parameter, the default namespace is used.
Step 2: Restart the pod
Sidecar proxies are injected when pods are created. Therefore, you must restart the pods to make sidecar injection take effect.
We recommend that you restart the pods in the test environment multiple times to ensure that your service will not be affected by any traffic interruptions.
Run the following command to restart a pod:
kubectl get pod {podname} -n {namespace} -o yaml | kubectl replace --force -f -
Check whether a sidecar proxy is injected into every pod in the namespace. After a sidecar proxy is injected into a pod, each workload is supported by a main container and a sidecar proxy container.
kubectl get pod -n {namespace}
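The check in Step 2 can be scripted so that a pod that was created before the label was applied and never restarted is not missed. The following is an added example, not part of the original documentation: it lists pods that have no sidecar container. It assumes the sidecar uses Istio's default container name istio-proxy; the function names and the pod names in sample_pods are constructed for illustration.

```shell
#!/bin/sh
# Assumption: the injected sidecar keeps Istio's default container name.
SIDECAR_NAME="istio-proxy"

# Reads lines of "<pod-name><TAB><space-separated container names>" on stdin
# and prints the name of every pod that has no sidecar container.
pods_missing_sidecar() {
    awk -F '\t' -v sidecar="$SIDECAR_NAME" '
        $1 != "" {
            n = split($2, names, " ")
            found = 0
            for (i = 1; i <= n; i++) if (names[i] == sidecar) found = 1
            if (!found) print $1
        }'
}

# Live query: one line per pod in the namespace, in the format above.
# Init containers are included because a sidecar may also run as one.
list_pod_containers() {
    kubectl get pods -n "$1" \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{" "}{.spec.initContainers[*].name}{"\n"}{end}'
}

# Constructed sample (not from a real cluster): two injected pods and one
# pod that was never restarted after injection was enabled.
sample_pods() {
    printf 'productpage-v1-6b746f74dc-9rlmh\tproductpage istio-proxy\n'
    printf 'reviews-v1-7f99cc4496-xk2tz\treviews\n'
    printf 'ratings-v1-5f9699cfdf-4wq8d\tistio-proxy ratings\n'
}

# Against a cluster: list_pod_containers {namespace} | pods_missing_sidecar
sample_pods | pods_missing_sidecar
```

An empty result means every pod in the namespace carries the sidecar container; any pod name printed still needs the restart from Step 2.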