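In a cluster managed by ASM, the data plane (Sidecar) proxies all application traffic. Upgrading the data plane requires restarting the Sidecar container, and the restart causes some requests to fail and interrupts the application service. ASM provides hot upgrade for the data plane: the service is not interrupted during the upgrade, so the data plane is upgraded without the application noticing. This topic uses Istio 1.6.x on ASM as the demonstration environment, deploys an Nginx application, uses the HTTP stress-testing tool go-stress-testing to send continuous requests to Nginx, and hot-upgrades the data plane while those requests are running.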

Prerequisites

Usage notes

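ASM data plane hot upgrade relies on OpenKruise SidecarSet (SidecarSet for short) to replace the Sidecar container. For any Deployment that may need hot upgrade, you must therefore use SidecarSet to inject the Sidecar into the Deployment's Pods at deployment time, so that hot upgrade is possible later. You can inject the Sidecar in either of the following two ways:
Note: We recommend that you complete Sidecar injection when you deploy the application. If default injection is already enabled for your application, you can change the injection method and recreate the Pods, but the Pods will be briefly unavailable, which is a business risk.
  • Deploy the Deployments or Pods that need hot upgrade in a separate Namespace.

    Deploy the Deployments or Pods that need hot upgrade in a separate Namespace. The other Namespaces can then keep the default injection scheme, while this Namespace uses SidecarSet injection.

  • Disable default injection for specific Pods and use SidecarSet injection for them.

    If default automatic injection is enabled for the Pod's namespace, you can disable default injection for the Pod with a per-Pod annotation, and then use the SidecarSet matching policy to match the Pod for injection.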

Step 1: Deploy OpenKruise in the data plane cluster

ASM does not currently install OpenKruise in your data plane cluster. You need to install OpenKruise manually with Helm.

  1. Install the Alibaba Cloud Helm plug-in. For more information, see Helm Chart.
  2. Add the OpenKruise Helm repository.
    helm repo add acr-openkruise-asm acr://openkruise-chart.cn-hangzhou.cr.aliyuncs.com/openkruise/kruise-asm
  3. Install OpenKruise in the cluster.
    helm install kruise acr-openkruise-asm/kruise-asm --version 0.1.0

Step 2: Deploy the ConfigMap

The SidecarSet configuration references the data plane cluster ID. Deploying a ConfigMap avoids repeating that ID in every SidecarSet.

  1. Create configmap.yaml.
    apiVersion: v1
    data:
      clusterid: $$$CLUSTER-ID$$$
    kind: ConfigMap
    metadata:
      name: ack-cluster-profile
      namespace: default

    Replace $$$CLUSTER-ID$$$ with the ID of your data plane cluster.

  2. Deploy the ConfigMap.
    kubectl apply -f configmap.yaml

Step 3: Deploy the SidecarSet

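Some fields in the injection configuration are specific to each application and cannot be configured once for all applications. You need to deploy a separate SidecarSet for each Deployment to define its injection configuration.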

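  1. Create nginx-sidecarset.json.
    In this example, the template file has already been modified into a SidecarSet that fits this example. For how to customize a SidecarSet, see Related information.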
    {
        "apiVersion": "apps.kruise.io/v1alpha1",
        "kind": "SidecarSet",
        "metadata": {
            "name": "sidecarset-example"
        },
        "spec": {
            "containers": [
                {
                    "args": [
                        "proxy",
                        "sidecar",
                        "--domain",
                        "$(POD_NAMESPACE).svc.cluster.local",
                        "--serviceCluster",
                        "$(ISTIO_META_WORKLOAD_NAME).$(POD_NAMESPACE)",
                        "--drainDuration",
                        "45s",
                        "--parentShutdownDuration",
                        "1m0s",
                        "--discoveryAddress",
                        "istiod.istio-system.svc:15012",
                        "--zipkinAddress",
                        "zipkin.istio-system:9411",
                        "--proxyLogLevel=warning",
                        "--proxyComponentLogLevel=misc:error",
                        "--proxyAdminPort",
                        "15000",
                        "--concurrency",
                        "2",
                        "--controlPlaneAuthPolicy",
                        "NONE",
                        "--dnsRefreshRate",
                        "300s",
                        "--statusPort",
                        "15021",
                        "--trust-domain=cluster.local",
                        "--controlPlaneBootstrap=false"
                    ],
                    "env": [
                        {
                            "name": "JWT_POLICY",
                            "value": "first-party-jwt"
                        },
                        {
                            "name": "PILOT_CERT_PROVIDER",
                            "value": "istiod"
                        },
                        {
                            "name": "CA_ADDR",
                            "value": "istiod.istio-system.svc:15012"
                        },
                        {
                            "name": "POD_NAME",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.name"
                                }
                            }
                        },
                        {
                            "name": "POD_NAMESPACE",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.namespace"
                                }
                            }
                        },
                        {
                            "name": "INSTANCE_IP",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "status.podIP"
                                }
                            }
                        },
                        {
                            "name": "SERVICE_ACCOUNT",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "spec.serviceAccountName"
                                }
                            }
                        },
                        {
                            "name": "CANONICAL_SERVICE",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.labels['service.istio.io/canonical-name']"
                                }
                            }
                        },
                        {
                            "name": "CANONICAL_REVISION",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.labels['service.istio.io/canonical-revision']"
                                }
                            }
                        },
                        {
                            "name": "PROXY_CONFIG",
                            "value": "{\"configPath\":\"/etc/istio/proxy\",\"proxyMetadata\":{\"DNS_AGENT\":\"\"}}\n"
                        },
                        {
                            "name": "ISTIO_META_POD_PORTS",
                            "value": "[\n]"
                        },
                        {
                            "name": "ISTIO_META_CLUSTER_ID",
                            "valueFrom": {
                                "configMapKeyRef": {
                                    "name": "ack-cluster-profile",
                                    "key": "clusterid"
                                }
                            }
                        },
                        {
                            "name": "ISTIO_META_POD_NAME",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.name"
                                }
                            }
                        },
                        {
                            "name": "ISTIO_META_CONFIG_NAMESPACE",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.namespace"
                                }
                            }
                        },
                        {
                            "name": "ISTIO_META_INTERCEPTION_MODE",
                            "value": "REDIRECT"
                        },
                        {
                            "name": "ISTIO_METAJSON_ANNOTATIONS",
                            "value": "{\"kubernetes.io/psp\":\"ack.privileged\"}\n"
                        },
                        {
                            "name": "ISTIO_META_WORKLOAD_NAME",
                            "valueFrom": {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.labels['app']"
                                }
                            }
                        },
                        {
                            "name": "ISTIO_META_MESH_ID",
                            "value": "cluster.local"
                        },
                        {
                            "name": "DNS_AGENT"
                        },
                        {
                            "name": "TERMINATION_DRAIN_DURATION_SECONDS",
                            "value": "5"
                        }
                    ],
                    "image": "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1531",
                    "imagePullPolicy": "IfNotPresent",
                    "name": "istio-proxy",
                    "podInjectPolicy": "BeforeAppContainer",
                    "lifecycle": {
                        "postStart": {
                            "exec": {
                                "command": ["/bin/sh", "-c", "/usr/local/bin/pilot-agent wait"]
                            }
                        }
                    },
                    "ports": [
                        {
                            "containerPort": 15090,
                            "name": "http-envoy-prom",
                            "protocol": "TCP"
                        }
                    ],
                    "resources": {
                        "limits": {
                            "cpu": "2",
                            "memory": "1Gi"
                        },
                        "requests": {
                            "cpu": "100m",
                            "memory": "128Mi"
                        }
                    },
                    "securityContext": {
                        "allowPrivilegeEscalation": false,
                        "capabilities": {
                            "drop": [
                                "ALL"
                            ]
                        },
                        "privileged": false,
                        "readOnlyRootFilesystem": true,
                        "runAsGroup": 1337,
                        "runAsNonRoot": true,
                        "runAsUser": 1337
                    },
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File",
                    "upgradeStrategy": {
                        "upgradeType": "HotUpgrade",
                        "hotUpgradeEmptyImage": "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy-empty:feature-1.6.x-511e4bb6e85be2c753a46d620efb1973251c1778"
                    },
                    "volumeMounts": [
                        {
                            "mountPath": "/var/run/secrets/istio",
                            "name": "istiod-ca-cert"
                        },
                        {
                            "mountPath": "/var/lib/istio/data",
                            "name": "istio-data"
                        },
                        {
                            "mountPath": "/etc/istio/proxy",
                            "name": "istio-envoy"
                        },
                        {
                            "mountPath": "/etc/istio/pod",
                            "name": "istio-podinfo"
                        },
                        {
                            "mountPath": "/etc/asm/uds/",
                            "name": "asm-hotupgrade-data"
                        }
                    ]
                }
            ],
            "initContainers": [
                {
                    "args": [
                        "istio-iptables",
                        "-p",
                        "15001",
                        "-z",
                        "15006",
                        "-u",
                        "1337",
                        "-m",
                        "REDIRECT",
                        "-i",
                        "*",
                        "-x",
                        "172.23.0.1/32",
                        "-b",
                        "*",
                        "-d",
                        "15090,15021,15021"
                    ],
                    "env": [
                        {
                            "name": "DNS_AGENT"
                        }
                    ],
                    "image": "registry-vpc.cn-zhangjiakou.aliyuncs.com/acs/proxyv2:1.6.8",
                    "imagePullPolicy": "IfNotPresent",
                    "name": "istio-init",
                    "resources": {
                        "limits": {
                            "cpu": "100m",
                            "memory": "50Mi"
                        },
                        "requests": {
                            "cpu": "10m",
                            "memory": "10Mi"
                        }
                    },
                    "securityContext": {
                        "allowPrivilegeEscalation": false,
                        "capabilities": {
                            "add": [
                                "NET_ADMIN",
                                "NET_RAW"
                            ],
                            "drop": [
                                "ALL"
                            ]
                        },
                        "privileged": false,
                        "readOnlyRootFilesystem": false,
                        "runAsGroup": 0,
                        "runAsNonRoot": false,
                        "runAsUser": 0
                    },
                    "terminationMessagePath": "/dev/termination-log",
                    "terminationMessagePolicy": "File",
                    "upgradeStrategy": {}
                }
            ],
            "selector": {
                "matchExpressions": [
                    {
                        "key": "app",
                        "operator": "In",
                        "values": [
                            "nginx"
                        ]
                    },
                    {
                        "key": "sidecarset-injected",
                        "operator": "In",
                        "values": [
                            "true"
                        ]
                    }
                ]
            },
            "strategy": {
                "type": "RollingUpdate",
                "partition": 0,
                "maxUnavailable": 1
            },
            "volumes": [
                {
                    "emptyDir": {},
                    "name": "asm-hotupgrade-data"
                },
                {
                    "emptyDir": {
                        "medium": "Memory"
                    },
                    "name": "istio-envoy"
                },
                {
                    "emptyDir": {},
                    "name": "istio-data"
                },
                {
                    "downwardAPI": {
                        "defaultMode": 420,
                        "items": [
                            {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.labels"
                                },
                                "path": "labels"
                            },
                            {
                                "fieldRef": {
                                    "apiVersion": "v1",
                                    "fieldPath": "metadata.annotations"
                                },
                                "path": "annotations"
                            }
                        ]
                    },
                    "name": "istio-podinfo"
                },
                {
                    "configMap": {
                        "defaultMode": 420,
                        "name": "istio-ca-root-cert"
                    },
                    "name": "istiod-ca-cert"
                }
            ]
        }
    }
  2. Apply nginx-sidecarset.json to the data plane cluster.
    kubectl apply -f nginx-sidecarset.json

Step 4: Deploy the Nginx application

  1. Deploy the Nginx application.
    1. Create nginx.yaml.
      apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
      kind: Deployment
      metadata:
        name: nginx-deployment
      spec:
        selector:
          matchLabels:
            app: nginx
        replicas: 1
        template:
          metadata:
            labels:
              app: nginx
              sidecarset-injected: "true"
          spec:
            containers:
            - name: nginx
              image: nginx:1.14.2
              ports:
              - containerPort: 80
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: nginx
      spec:
        ports:
          - name: http
            port: 80
            protocol: TCP
            targetPort: 80
        selector:
          app: nginx
        type: ClusterIP
    2. Deploy the Nginx application.
      kubectl apply -f nginx.yaml
  2. Expose the Nginx service port on the Istio Ingress Gateway and create the routing rule.
    1. Create nginx-gateway.yaml.
      apiVersion: networking.istio.io/v1beta1
      kind: Gateway
      metadata:
        name: nginx-gateway
        namespace: default
      spec:
        selector:
          istio: ingressgateway
        servers:
        - hosts:
          - '*'
          port:
            name: http
            number: 8080
            protocol: HTTP
      ---
      apiVersion: networking.istio.io/v1beta1
      kind: VirtualService
      metadata:
        name: nginx
        namespace: default
      spec:
        gateways:
        - nginx-gateway
        hosts:
        - '*'
        http:
        - match:
          - uri:
              exact: /
          route:
          - destination:
              host: nginx
              port:
                number: 80
    2. Apply nginx-gateway.yaml.
      kubectl apply -f nginx-gateway.yaml
  3. Verify that the Nginx application is deployed successfully.
    1. Check that the Pod started normally.
      kubectl get pod

      Expected output:

      NAME                                READY   STATUS             RESTARTS   AGE
      nginx-deployment-6c9b9677d4-rlvsn   3/3     Running            0          1m

      STATUS shows Running in the output, which means that the Pod started normally.

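    2. Access port 8080 of the ingress gateway address and check that Nginx serves requests normally.
      If the Nginx page is returned, Nginx has been deployed successfully.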

Step 5: Use go-stress-testing to send requests to Nginx

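go-stress-testing is a multi-platform HTTP stress-testing tool written in Go. In this example the tool sends continuous requests to the Nginx application, and the hot upgrade is performed while those requests are running. The tool counts how many requests succeed and how many fail.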

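  1. Download go-stress-testing. For the download address, see go-stress-testing.
  2. Start sending requests to Nginx.

    The following command starts 4 concurrent clients against the server, and each client sends a total of 100,000 requests.

    go-stress-testing-mac -c 4 -n 100000 -u http://<ingress-gateway-address>:8080
    After it starts, you can see the return code statistics that the command prints while it runs.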

Step 6: Hot-upgrade the data plane

  1. Edit the SidecarSet.
    kubectl edit sidecarset sidecarset-example
  2. Replace the Sidecar's image field with the image address of the new SidecarSet version, then save and exit.
    registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1546
  3. Verify whether hot-upgrading the data plane interrupts the service.
    1. Check the hot upgrade status.
      kubectl describe pod nginx-deployment-76f4578864-js5hc |grep Image:

      Expected output:

          Image:         registry-vpc.cn-zhangjiakou.aliyuncs.com/acs/proxyv2:1.6.8
          Image:         registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy-empty:feature-1.6.x-511e4bb6e85be2c753a46d620efb1973251c1778
          Image:         registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1546
          Image:          nginx:1.14.2

      When the Pod's containers show the three images asm-istio-proxy-empty, asm-istio-proxy, and nginx, the hot upgrade of the Pod is complete.

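    2. After the hot upgrade is complete, check the output of go-stress-testing-mac from Step 5: Use go-stress-testing to send requests to Nginx. The output shows that every request returned 200 and that no request failed during the upgrade.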
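
The image check in step 6 can be scripted. The following is an added example, not part of the original ASM documentation: it parses the `Image:` lines of `kubectl describe pod`, classifies the hot upgrade state, and reports any image outside the Sidecar that changed between two snapshots. The "before" snapshot is constructed, and the "in-progress" state (old and new Sidecar images both present) is an assumption about what the Pod shows mid-upgrade.

```python
from collections import Counter

# Image references copied from this page.
PROXY = "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy"
TAG = "feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04"
OLD, NEW = f"{PROXY}:{TAG}-1531", f"{PROXY}:{TAG}-1546"
EMPTY = f"{PROXY}-empty:feature-1.6.x-511e4bb6e85be2c753a46d620efb1973251c1778"
INIT = "registry-vpc.cn-zhangjiakou.aliyuncs.com/acs/proxyv2:1.6.8"

# Constructed snapshot of the Pod before the SidecarSet image was edited.
BEFORE = f"""\
    Image:         {INIT}
    Image:         {OLD}
    Image:         {EMPTY}
    Image:          nginx:1.14.2
    Image ID:      docker-pullable://nginx@sha256:<constructed-placeholder>
"""

# Expected output shown in step 6 of this page.
AFTER = f"""\
    Image:         {INIT}
    Image:         {EMPTY}
    Image:         {NEW}
    Image:          nginx:1.14.2
"""


def parse_images(describe_text):
    """Return the image references from `Image:` lines, in order."""
    images = []
    for line in describe_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "Image":  # skips `Image ID:` and unrelated lines
            images.append(value.strip())
    return images


def upgrade_state(images, old, new, empty):
    """Classify the Pod from the Sidecar images it currently runs."""
    has_old, has_new, has_empty = old in images, new in images, empty in images
    if has_new and has_empty and not has_old:
        return "complete"      # the state this page describes as finished
    if has_old and has_new:
        return "in-progress"   # assumption: both versions run during the switch
    if has_old and has_empty:
        return "not-started"
    return "unknown"


def unexpected_changes(before, after, old, new, empty):
    """Images other than the Sidecar ones that were removed or added."""
    sidecar = {old, new, empty}
    b = Counter(i for i in before if i not in sidecar)
    a = Counter(i for i in after if i not in sidecar)
    return sorted((b - a).elements()), sorted((a - b).elements())


if __name__ == "__main__":
    before, after = parse_images(BEFORE), parse_images(AFTER)
    print(upgrade_state(after, OLD, NEW, EMPTY))
    print(unexpected_changes(before, after, OLD, NEW, EMPTY))
```

In practice, feed the functions the text captured from `kubectl describe pod <pod-name>` before and after editing the SidecarSet.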

Related information

Customize a SidecarSet

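If you want to customize your own SidecarSet injection configuration, use the template file for the corresponding version. The following uses Istio 1.6.x as an example. Replace the fields in the template as described in the list that follows it: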
{
    "apiVersion": "apps.kruise.io/v1alpha1",
    "kind": "SidecarSet",
    "metadata": {
        "name": "sidecarset-example"
    },
    "spec": {
        "containers": [
            {
                "args": [
                    "proxy",
                    "sidecar",
                    "--domain",
                    "$(POD_NAMESPACE).svc.cluster.local",
                    "--serviceCluster",
                    "$(ISTIO_META_WORKLOAD_NAME).$(POD_NAMESPACE)",
                    "--drainDuration",
                    "45s",
                    "--parentShutdownDuration",
                    "1m0s",
                    "--discoveryAddress",
                    "istiod.istio-system.svc:15012",
                    "--zipkinAddress",
                    "zipkin.istio-system:9411",
                    "--proxyLogLevel=warning",
                    "--proxyComponentLogLevel=misc:error",
                    "--proxyAdminPort",
                    "15000",
                    "--concurrency",
                    "2",
                    "--controlPlaneAuthPolicy",
                    "NONE",
                    "--dnsRefreshRate",
                    "300s",
                    "--statusPort",
                    "15021",
                    "--trust-domain=cluster.local",
                    "--controlPlaneBootstrap=false"
                ],
                "env": [
                    {
                        "name": "JWT_POLICY",
                        "value": "first-party-jwt"
                    },
                    {
                        "name": "PILOT_CERT_PROVIDER",
                        "value": "istiod"
                    },
                    {
                        "name": "CA_ADDR",
                        "value": "istiod.istio-system.svc:15012"
                    },
                    {
                        "name": "POD_NAME",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.name"
                            }
                        }
                    },
                    {
                        "name": "POD_NAMESPACE",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.namespace"
                            }
                        }
                    },
                    {
                        "name": "INSTANCE_IP",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "status.podIP"
                            }
                        }
                    },
                    {
                        "name": "SERVICE_ACCOUNT",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "spec.serviceAccountName"
                            }
                        }
                    },
                    {
                        "name": "CANONICAL_SERVICE",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.labels['service.istio.io/canonical-name']"
                            }
                        }
                    },
                    {
                        "name": "CANONICAL_REVISION",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.labels['service.istio.io/canonical-revision']"
                            }
                        }
                    },
                    {
                        "name": "PROXY_CONFIG",
                        "value": "{\"configPath\":\"/etc/istio/proxy\",\"proxyMetadata\":{\"DNS_AGENT\":\"\"}}\n"
                    },
                    {
                        "name": "ISTIO_META_POD_PORTS",
                        "value": "[\n]"
                    },
                    {
                        "name": "ISTIO_META_CLUSTER_ID",
                        "valueFrom": {
                            "configMapKeyRef": {
                                "name": "ack-cluster-profile",
                                "key": "clusterid"
                            }
                        }
                    },
                    {
                        "name": "ISTIO_META_POD_NAME",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.name"
                            }
                        }
                    },
                    {
                        "name": "ISTIO_META_CONFIG_NAMESPACE",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.namespace"
                            }
                        }
                    },
                    {
                        "name": "ISTIO_META_INTERCEPTION_MODE",
                        "value": "REDIRECT"
                    },
                    {
                        "name": "ISTIO_METAJSON_ANNOTATIONS",
                        "value": "{\"kubernetes.io/psp\":\"ack.privileged\"}\n"
                    },
                    {
                        "name": "ISTIO_META_WORKLOAD_NAME",
                        "valueFrom": {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.labels['app']"
                            }
                        }
                    },
                    {
                        "name": "ISTIO_META_MESH_ID",
                        "value": "cluster.local"
                    },
                    {
                        "name": "DNS_AGENT"
                    },
                    {
                        "name": "TERMINATION_DRAIN_DURATION_SECONDS",
                        "value": "5"
                    }
                ],
                "image": "$$$IMAGE$$$",
                "imagePullPolicy": "IfNotPresent",
                "name": "istio-proxy",
                "podInjectPolicy": "BeforeAppContainer",
                "lifecycle": {
                    "postStart": {
                        "exec": {
                            "command": ["/bin/sh", "-c", "/usr/local/bin/pilot-agent wait"]
                        }
                    }
                },
                "ports": [
                    {
                        "containerPort": 15090,
                        "name": "http-envoy-prom",
                        "protocol": "TCP"
                    }
                ],
                "resources": {
                    "limits": {
                        "cpu": "2",
                        "memory": "1Gi"
                    },
                    "requests": {
                        "cpu": "100m",
                        "memory": "128Mi"
                    }
                },
                "securityContext": {
                    "allowPrivilegeEscalation": false,
                    "capabilities": {
                        "drop": [
                            "ALL"
                        ]
                    },
                    "privileged": false,
                    "readOnlyRootFilesystem": true,
                    "runAsGroup": 1337,
                    "runAsNonRoot": true,
                    "runAsUser": 1337
                },
                "terminationMessagePath": "/dev/termination-log",
                "terminationMessagePolicy": "File",
                "upgradeStrategy": {
                    "upgradeType": "HotUpgrade",
                    "hotUpgradeEmptyImage": "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy-empty:feature-1.6.x-511e4bb6e85be2c753a46d620efb1973251c1778"
                },
                "volumeMounts": [
                    {
                        "mountPath": "/var/run/secrets/istio",
                        "name": "istiod-ca-cert"
                    },
                    {
                        "mountPath": "/var/lib/istio/data",
                        "name": "istio-data"
                    },
                    {
                        "mountPath": "/etc/istio/proxy",
                        "name": "istio-envoy"
                    },
                    {
                        "mountPath": "/etc/istio/pod",
                        "name": "istio-podinfo"
                    },
                    {
                        "mountPath": "/etc/asm/uds/",
                        "name": "asm-hotupgrade-data"
                    }
                ]
            }
        ],
        "initContainers": [
            {
                "args": [
                    "istio-iptables",
                    "-p",
                    "15001",
                    "-z",
                    "15006",
                    "-u",
                    "1337",
                    "-m",
                    "REDIRECT",
                    "-i",
                    "*",
                    "-x",
                    "172.23.0.1/32",
                    "-b",
                    "*",
                    "-d",
                    "15090,15021,15021"
                ],
                "env": [
                    {
                        "name": "DNS_AGENT"
                    }
                ],
                "image": "registry-vpc.cn-zhangjiakou.aliyuncs.com/acs/proxyv2:1.6.8",
                "imagePullPolicy": "IfNotPresent",
                "name": "istio-init",
                "resources": {
                    "limits": {
                        "cpu": "100m",
                        "memory": "50Mi"
                    },
                    "requests": {
                        "cpu": "10m",
                        "memory": "10Mi"
                    }
                },
                "securityContext": {
                    "allowPrivilegeEscalation": false,
                    "capabilities": {
                        "add": [
                            "NET_ADMIN",
                            "NET_RAW"
                        ],
                        "drop": [
                            "ALL"
                        ]
                    },
                    "privileged": false,
                    "readOnlyRootFilesystem": false,
                    "runAsGroup": 0,
                    "runAsNonRoot": false,
                    "runAsUser": 0
                },
                "terminationMessagePath": "/dev/termination-log",
                "terminationMessagePolicy": "File",
                "upgradeStrategy": {}
            }
        ],
        "selector": {
            "matchExpressions": [
                ...
            ]
        },
        "strategy": {
            "type": "RollingUpdate",
            "partition": 0,
            "maxUnavailable": 1
        },
        "volumes": [
            {
                "emptyDir": {},
                "name": "asm-hotupgrade-data"
            },
            {
                "emptyDir": {
                    "medium": "Memory"
                },
                "name": "istio-envoy"
            },
            {
                "emptyDir": {},
                "name": "istio-data"
            },
            {
                "downwardAPI": {
                    "defaultMode": 420,
                    "items": [
                        {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.labels"
                            },
                            "path": "labels"
                        },
                        {
                            "fieldRef": {
                                "apiVersion": "v1",
                                "fieldPath": "metadata.annotations"
                            },
                            "path": "annotations"
                        }
                    ]
                },
                "name": "istio-podinfo"
            },
            {
                "configMap": {
                    "defaultMode": 420,
                    "name": "istio-ca-root-cert"
                },
                "name": "istiod-ca-cert"
            }
        ]
    }
}
  • Replace $$$IMAGE$$$ with the Sidecar image address.
  • Configure the selector's matchExpressions so that it matches the Pods you want to inject. For more information, see Labels and Selectors.
Istio 1.6.x image addresses
  • Istio 1.6.x-1 : registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1531
  • Istio 1.6.x-2 : registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1546
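
A customized SidecarSet can be checked before `kubectl apply`. The following is an added example, not part of the original ASM documentation: it flags unreplaced `$$$...$$$` placeholders, a selector that does not match the target Pod's labels, a Sidecar image outside the two addresses listed above, a missing hot upgrade setting, and a Sidecar securityContext weaker than the one in this page's template. The sample SidecarSet is the page's nginx-sidecarset.json trimmed to the fields the checks read; the function names and finding texts are illustrative.

```python
import json
import re

# Sidecar image addresses listed on this page for Istio 1.6.x.
REPO = "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy"
TAG = "feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04"
ALLOWED_IMAGES = {f"{REPO}:{TAG}-1531", f"{REPO}:{TAG}-1546"}
PLACEHOLDER = re.compile(r"\$\$\$[A-Z-]+\$\$\$")  # e.g. $$$IMAGE$$$

# Constructed sample: nginx-sidecarset.json from this page, trimmed.
EXAMPLE = {
    "kind": "SidecarSet",
    "spec": {
        "containers": [{
            "name": "istio-proxy",
            "image": f"{REPO}:{TAG}-1531",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "privileged": False,
                "runAsNonRoot": True,
            },
            "upgradeStrategy": {
                "upgradeType": "HotUpgrade",
                "hotUpgradeEmptyImage": f"{REPO}-empty:feature-1.6.x-"
                "511e4bb6e85be2c753a46d620efb1973251c1778",
            },
        }],
        "selector": {"matchExpressions": [
            {"key": "app", "operator": "In", "values": ["nginx"]},
            {"key": "sidecarset-injected", "operator": "In", "values": ["true"]},
        ]},
    },
}
# Pod template labels from nginx.yaml on this page.
NGINX_POD_LABELS = {"app": "nginx", "sidecarset-injected": "true"}


def matches(selector, labels):
    """Kubernetes label-selector semantics for matchLabels/matchExpressions."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In":
            ok = labels.get(key) in values
        elif op == "NotIn":
            ok = labels.get(key) not in values  # an absent key satisfies NotIn
        elif op == "Exists":
            ok = key in labels
        elif op == "DoesNotExist":
            ok = key not in labels
        else:
            raise ValueError(f"unknown operator {op!r}")
        if not ok:
            return False
    return True


def lint_sidecarset(doc, pod_labels):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"unreplaced placeholder {p}"
                for p in sorted(set(PLACEHOLDER.findall(json.dumps(doc))))]
    spec = doc.get("spec", {})
    selector = spec.get("selector", {})
    if not selector.get("matchLabels") and not selector.get("matchExpressions"):
        findings.append("selector has no requirements")
    elif not matches(selector, pod_labels):
        findings.append("selector does not match the Pod labels")
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        if c.get("image") not in ALLOWED_IMAGES:
            findings.append(f"{name}: image is not on the allow-list")
        strategy = c.get("upgradeStrategy", {})
        if strategy.get("upgradeType") != "HotUpgrade":
            findings.append(f"{name}: upgradeType is not HotUpgrade")
        elif not strategy.get("hotUpgradeEmptyImage"):
            findings.append(f"{name}: hotUpgradeEmptyImage is missing")
        sc = c.get("securityContext", {})
        drops = sc.get("capabilities", {}).get("drop", [])
        if (sc.get("privileged") or sc.get("allowPrivilegeEscalation") is not False
                or not sc.get("runAsNonRoot") or "ALL" not in drops):
            findings.append(f"{name}: securityContext is weaker than the template's")
    return findings


if __name__ == "__main__":
    print(lint_sidecarset(EXAMPLE, NGINX_POD_LABELS))
```

To check a real file, pass `json.load(open("nginx-sidecarset.json"))` together with the labels from the Deployment's Pod template.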