When a Container Service for Kubernetes (ACK) cluster joins a Service Mesh (ASM) instance, each pod needs a sidecar proxy to participate in the mesh. However, automatic sidecar injection is not enabled by default at the namespace level. Without enforcement, pods can deploy without a sidecar, leaving gaps in traffic management and security coverage.
The ASMSidecarInjectionEnforced policy closes this gap. It blocks pod creation, or raises an alert, when a pod is created in a namespace that does not have automatic sidecar injection enabled, so that every workload in the mesh runs a sidecar proxy.
How the policy works
ACK uses OPA Gatekeeper as an admission controller for policy governance. After Kubernetes deprecated Pod Security Policy (PSP) in version 1.21, ACK replaced PSP-based controls with Gatekeeper-based policies. These policies add status monitoring, log collection, and log retrieval.
ACK organizes policies into four categories:
| Category | Purpose |
|---|---|
| Infra | Enforce security controls on infrastructure resources |
| Compliance | Meet Kubernetes compliance standards such as Alibaba Cloud Kubernetes Security Hardening |
| PSP | Replace deprecated PSP resources |
| K8s-general | Apply Alibaba Cloud security best practices to Kubernetes resources |
The ASMSidecarInjectionEnforced policy belongs to the Infra category. When enabled, it checks whether automatic sidecar injection is active for the target namespace before allowing pod creation.
Enforcement modes
The policy supports two enforcement modes:
| Mode | Behavior | Use case |
|---|---|---|
| Block | Rejects pod creation in non-injected namespaces | Production enforcement after injection is fully configured |
| Alert | Allows pod creation but generates an alert | Audit phase to identify namespaces that still need injection |
Sidecar injection overview
A sidecar proxy runs as an additional container (istio-proxy) in each pod. It intercepts the pod's inbound and outbound network traffic (not only HTTP) and communicates with the Pilot component on the ASM Istio control plane. Automatic injection is performed by the mesh's mutating admission webhook, which adds the sidecar to pods created in namespaces that have injection enabled; this is why both injection and the enforcement policy are configured per namespace.
After a cluster joins an ASM instance, namespace-level automatic injection is not enabled by default. Enable injection for each namespace before you enable the enforcement policy, and restart workloads that were already running, because injection only happens when a pod is created.
If you enable the enforcement policy before enabling automatic injection for a namespace, every pod creation in that namespace is rejected (Block mode) or generates an alert (Alert mode). In Block mode this includes pods that Deployments, ReplicaSets and DaemonSets try to create, so rollouts in that namespace stall. The check is made at namespace level; confirm separately that pods in an enabled namespace actually start with the istio-proxy container.
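To make the mechanism concrete, the following is an added example, not ACK's own policy source: an OPA Gatekeeper ConstraintTemplate and two Constraints that reproduce the behaviour described above. It assumes injection is signalled by the standard Istio namespace label `istio-injection=enabled` (or a revision label `istio.io/rev`), that Gatekeeper is configured to sync Namespace objects into `data.inventory`, that Gatekeeper runs in the `gatekeeper-system` namespace, and that ACK's Block and Alert actions correspond to Gatekeeper's `deny` and `dryrun` enforcement actions. The kind name `K8sSidecarInjectionRequired` and the namespace `mesh-test-no-injection` are hypothetical.

```yaml
# Added example (not ACK's own policy source). Assumes Gatekeeper syncs Namespaces
# into data.inventory (Config below) and that injection is signalled by the
# standard Istio namespace labels.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system      # assumption: the namespace Gatekeeper runs in
spec:
  sync:
    syncOnly:
      - group: ""
        version: v1
        kind: Namespace
---
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8ssidecarinjectionrequired   # hypothetical name
spec:
  crd:
    spec:
      names:
        kind: K8sSidecarInjectionRequired
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8ssidecarinjectionrequired

        # Flag any Pod whose namespace has not enabled automatic injection.
        # enforcementAction on the Constraint decides whether this denies or only audits.
        violation[{"msg": msg}] {
          ns := input.review.namespace
          not injection_enabled(ns)
          msg := sprintf(
            "namespace %q has not enabled automatic sidecar injection (label istio-injection=enabled or istio.io/rev)",
            [ns])
        }

        # Namespace-wide injection label.
        injection_enabled(ns) {
          data.inventory.cluster["v1"]["Namespace"][ns].metadata.labels["istio-injection"] == "enabled"
        }

        # Revision-based injection: any istio.io/rev value selects a control-plane revision.
        injection_enabled(ns) {
          data.inventory.cluster["v1"]["Namespace"][ns].metadata.labels["istio.io/rev"]
        }
---
# Block mode: reject non-compliant pods in the scoped namespace.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sSidecarInjectionRequired
metadata:
  name: sidecar-injection-enforced-block
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["mesh-test-no-injection"]   # hypothetical; keep the scope narrow
---
# Alert mode: admit the pod but record the violation in the constraint's audit status.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sSidecarInjectionRequired
metadata:
  name: sidecar-injection-enforced-alert
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["mesh-test-no-injection"]
```

Apply only one of the two Constraints at a time; switching from the `dryrun` one to the `deny` one is the manifest equivalent of editing the policy's Action from Alert to Block in the console. Without the Config that syncs Namespaces, `data.inventory` is empty, `injection_enabled` never succeeds, and every pod in scope is reported as a violation, which is the same failure mode as enabling the ACK policy before enabling injection.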
Prerequisites
Before you begin, make sure you have:
An ACK cluster running Kubernetes 1.16 or later. To upgrade, see Manually update ACK clusters
The cluster added to an ASM instance
If you manage security policies as a Resource Access Management (RAM) user, grant the following permissions:
| Permission | Description |
|---|---|
| cs:DescribePolicies | Query policies |
| cs:DescribePoliceDetails | Query policy details |
| cs:DescribePolicyGovernanceInCluster | Query policies in a cluster |
| cs:DescribePolicyInstances | Query policy instances deployed in a cluster |
| cs:DescribePolicyInstancesStatus | Query policy instance status in a cluster |
| cs:DeployPolicyInstance | Deploy a policy instance in a cluster |
| cs:DeletePolicyInstance | Delete policy instances in a cluster |
| cs:ModifyPolicyInstance | Modify a policy instance in a cluster |
For details, see Create a custom RAM policy.
Enable the policy
The following diagram shows the configuration flow:
Two methods are available. Choose the one that fits your workflow.
Option 1: Enable from the security policy list
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the target cluster and click its name. In the left-side pane, choose Security > Policy Governance.
On the Policy Governance page, install or upgrade the component if prompted.
Click the My Policies tab.
Find ASMSidecarInjectionEnforced in the Policy Name column and click Enable in the Actions column.
Configure the following parameters, then click Create:
| Parameter | Description |
|---|---|
| Action | Block: reject pod creation that does not comply with the policy. Alert: allow pod creation but generate an alert. |
| Applicable Scope | Select the namespaces to apply the policy to. Selecting all namespaces is not recommended: system namespaces such as kube-system and the mesh control-plane namespace do not run sidecars, and a cluster-wide Block would prevent their pods from being recreated. |
| Parameters | Leave blank. |
Option 2: Create a policy instance
On the Policy Governance page, click the My Policies tab, then click Create Policy Instance.
In the Create Policy Instance dialog box, configure the following parameters:
| Parameter | Description |
|---|---|
| Policy Type | Select infra. For details, see Predefined security policies of ACK. |
| Policy Name | Select ASMSidecarInjectionEnforced. |
| Action | Block: reject pod creation that does not comply with the policy. Alert: allow pod creation but generate an alert. |
| Applicable Scope | Select the namespaces to apply the policy to. Selecting all namespaces is not recommended: system namespaces such as kube-system and the mesh control-plane namespace do not run sidecars, and a cluster-wide Block would prevent their pods from being recreated. |
| Parameters | Leave blank. |
Verify the policy
After you enable the policy, test it with a sample application to confirm it behaves as expected.
Test Block mode
This test uses the default namespace, which does not have automatic sidecar injection enabled, with Action set to Block.
Deploy the HTTPBin application to the default namespace.
Check the workload status. The pod fails to create because the namespace does not have automatic injection enabled.
Click the Overview tab. In the Actions within Last 7 Days section, a blocking record appears.
Test Alert mode
Edit the policy and change Action to Alert.
Redeploy the HTTPBin application.
Check the workload status. The application deploys successfully, but an alert is generated.
Click the Overview tab. In the Actions within Last 7 Days section, an alerting record appears.
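The following manifests are added test fixtures constructed for this page, not part of the original; they assume two hypothetical namespaces, `mesh-test-no-injection` and `mesh-test-injected`, and the public `kennethreitz/httpbin` image. Applying the same Deployment to both namespaces reproduces the Block and Alert tests above from the command line and adds a check the console steps do not make explicit: the Deployment object itself is always accepted, because the policy acts on Pods, so a denial appears as an event on the ReplicaSet rather than as an error from kubectl apply.

```yaml
# Constructed test fixtures (not from the original page).
apiVersion: v1
kind: Namespace
metadata:
  name: mesh-test-no-injection   # no injection label: pods here violate the policy
---
apiVersion: v1
kind: Namespace
metadata:
  name: mesh-test-injected
  labels:
    istio-injection: enabled     # injection enabled: pods here get an istio-proxy sidecar
---
# Minimal HTTPBin Deployment with no namespace field; apply it with -n <namespace>
# so the same manifest serves both namespaces.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
        - name: httpbin
          image: docker.io/kennethreitz/httpbin   # assumption: public image reachable from the cluster
          ports:
            - containerPort: 80
```

Save the two Namespace documents and the Deployment in separate files. Create the namespaces once, scope the policy to mesh-test-no-injection, then run kubectl apply -n mesh-test-no-injection -f httpbin.yaml and again with -n mesh-test-injected. In Block mode the Deployment in mesh-test-no-injection stays at 0/1 ready and kubectl -n mesh-test-no-injection describe rs -l app=httpbin shows a FailedCreate event quoting the admission denial; in Alert mode the pod starts with a single container and the violation is recorded instead. In mesh-test-injected, kubectl -n mesh-test-injected get pod -l app=httpbin -o jsonpath='{.items[0].spec.containers[*].name}' prints httpbin istio-proxy, which confirms the sidecar was actually injected rather than merely permitted.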