Alibaba Cloud Service Mesh (ASM) supports both sidecar and sidecarless modes for deploying mesh proxies. In sidecar mode, a mesh proxy container shares the pod and network namespace with the application container, transparently intercepting inbound and outbound traffic to provide load balancing, service discovery, traffic control, security, and observability.
Native sidecar mode uses the Kubernetes built-in sidecar container feature (available since Kubernetes 1.29) to tie the mesh proxy lifecycle to the application container. This eliminates the startup, shutdown, and Job-completion issues that affect traditional sidecar deployments.
Why native sidecar mode
In a traditional sidecar deployment, Kubernetes treats the mesh proxy and the application as independent containers with separate lifecycles. This mismatch causes several operational issues:
Startup race condition -- If the application container starts before the
istio-proxysidecar is ready, the application cannot reach the network. Sidecar Graceful Startup mitigates this, but the issue persists when the sidecar starts slowly.Shutdown ordering -- If the
istio-proxysidecar shuts down before the application container, the application loses network access. Sidecar Graceful Shutdown mitigates this but may extend pod termination time.Zombie pods from Jobs -- When an application container in a Job exits after the job completes, the sidecar proxy keeps running and prevents the pod from terminating.
No network for init containers -- Init containers that run before the sidecar proxy starts cannot access the network. One workaround is to exclude specific ports from sidecar traffic redirection.
Native sidecar mode solves all four issues. The mesh proxy is defined as a native sidecar container (an init container with restartPolicy: Always), so Kubernetes guarantees that it:
Starts before regular containers and remains running throughout the pod lifecycle.
Shuts down only after all regular containers have terminated.
Exits automatically when the last regular container exits, preventing zombie pods.
Runs before other init containers, giving them network access through the mesh proxy.
Traditional sidecar vs. native sidecar
| Attribute | Traditional sidecar | Native sidecar |
|---|---|---|
| Kubernetes version | Community: 1.4 to 1.28. ACK, ACK Serverless, or ACS clusters: 1.30 and earlier | Community: 1.29 and later. ACK, ACK Serverless, or ACS clusters: 1.30 and later |
| ASM version | ASM 1.22 and earlier | When you add ACK, ACK Serverless, or ACS clusters of version 1.30 and earlier to ASM instances of version 1.22 and earlier, mesh proxies are deployed in native sidecar mode by default |
| Pod spec placement | istio-proxy appears in the containers field alongside the application container | istio-proxy appears in the initContainers field with restartPolicy: Always |
| Lifecycle management | Independent of the main container; requires manual configuration for startup and shutdown ordering | Syncs with the main container automatically; no additional configuration needed |
Verify the deployment mode
To determine which sidecar mode a pod uses, inspect its spec for two indicators: the location of the istio-proxy container and the presence of restartPolicy: Always.
kubectl get pod <pod-name> -o yamlReplace <pod-name> with the actual pod name.
Native sidecar mode -- The output includes istio-proxy in the initContainers section:
apiVersion: v1
kind: Pod
metadata:
name: sleep-xxxxxxxx-xxxxx
namespace: default
spec:
containers:
...
- image: 'registry.cn-hangzhou.aliyuncs.com/acs/curl:8.1.2'
imagePullPolicy: IfNotPresent
name: sleep
...
initContainers:
...
- image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun
imagePullPolicy: IfNotPresent
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
restartPolicy: Always # Confirms native sidecar mode
...Traditional sidecar mode -- The istio-proxy container appears in the containers field instead of initContainers, and no restartPolicy: Always is set.
In native sidecar mode, lifecycle-related sidecar proxy configurations (such as graceful startup and graceful shutdown) are not required and have no effect. For the full list of sidecar proxy settings, see Configure sidecar proxies.
Switch to traditional sidecar mode
Some third-party MutatingWebhook components configured on Kubernetes of version 8 or earlier can modify the pod definition in ways that conflict with native sidecar containers. For example, KubeSphere's logsidecar-injector can remove the native sidecar definition and cause pod creation failures. If you encounter similar issues, switch to traditional sidecar mode.
Mutating webhooks can modify pods based on various conditions. Before you switch modes, check whether any admission webhooks in your cluster interfere with native sidecar containers.
Prerequisites
Before you begin, make sure that you have:
Access to the ASM instance with
kubectl. For details, see Use kubectl on the control plane to access Istio resources
Steps
Disable native sidecar mode by patching the
asmmeshconfigresource:kubectl patch asmmeshconfig default --type=merge --patch='{"spec":{"enableNativeSidecar":false}}'Expected output:
asmmeshconfig.istio.alibabacloud.com/default patchedRestart the affected pods to apply the change. For details, see Redeploy workloads.
Verify that the pod now uses traditional sidecar mode:
kubectl get pod <pod-name> -o yamlIn the output, confirm that
istio-proxyappears in thecontainersfield (not ininitContainers):apiVersion: v1 kind: Pod metadata: name: sleep-xxxxxxxx-xxxxx namespace: default spec: containers: ... - image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP ... - image: 'registry.cn-hangzhou.aliyuncs.com/acs/curl:8.1.2' imagePullPolicy: IfNotPresent name: sleep ...The
istio-proxycontainer is no longer ininitContainersand does not haverestartPolicy: Always, confirming the switch to traditional sidecar mode.