I have a scenario where I need to inject the istio-sidecar into the workload without labelling the namespace. The reason I can't label the namespace is that in my cluster the namespaces are created via an automated process, and currently I can't change that process for security reasons. Hence I want to understand if there is a way to automatically inject the Istio sidecar into the workload without labelling the namespace.
Resources I have already tried and tested:
Using the sidecar.istio.io/inject="true" annotation in the deployment/pod definition. Note: the annotation will only work if the namespace is labelled, and for this reason I really don't know why we even have this annotation. For more information please visit: https://github.com/istio/istio/issues/6476#issuecomment-1023817004
Manual injection works, but it has way too much operational overhead and hence is not a preferred method.
The DiscoverySelector construct, as it only works on namespaces, not on deployment/pod objects inside Kubernetes.
Istio Version
client version: 1.12.2
control plane version: 1.12.1
The issue described above is resolved.
The way to achieve the above is to use sidecar.istio.io/inject="true" as a label in the pod/deployment definition, not as an annotation.
The correct definition should look like this:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: labeled-true
  namespace: policy-disabled
  labels:
    sidecar.istio.io/inject: "true"
spec:
  containers:
  - image: docker.io/citizenstig/httpbin
    imagePullPolicy: IfNotPresent
    name: httpbin
```
Not like this:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: labeled-true
  namespace: policy-disabled
  annotations:
    sidecar.istio.io/inject: "true"
spec:
  containers:
  - image: docker.io/citizenstig/httpbin
    imagePullPolicy: IfNotPresent
    name: httpbin
```
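A check for the mistake described in the answer, as an added example that is not part of the original post: it scans workload objects (the `items` of `kubectl get pods,deployments -A -o json`) and reports any that set `sidecar.istio.io/inject` as an annotation instead of a label. It goes slightly beyond the post by also checking Deployments, where the label has to sit on the pod template because injection acts on the Pod being created; the object names `annotated-true` and `httpbin` in the sample are constructed.

```python
INJECT_KEY = "sidecar.istio.io/inject"

def pod_metadata(obj):
    """Metadata the injector evaluates: the Pod's own, or the workload's pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("metadata", {})
    return obj.get("spec", {}).get("template", {}).get("metadata", {})

def audit(items):
    """Return (kind, namespace/name, finding) for each misplaced inject setting."""
    findings = []
    for obj in items:
        top = obj.get("metadata", {})
        ref = f'{top.get("namespace", "default")}/{top.get("name")}'
        meta = pod_metadata(obj)
        labels = meta.get("labels") or {}
        annotations = meta.get("annotations") or {}
        if labels.get(INJECT_KEY) == "true":
            continue  # label form, the one the answer reports as working
        if annotations.get(INJECT_KEY) == "true":
            findings.append((obj.get("kind"), ref, "inject set as annotation, not label"))
        elif obj.get("kind") != "Pod" and (top.get("labels") or {}).get(INJECT_KEY) == "true":
            findings.append((obj.get("kind"), ref, "label on workload metadata, not pod template"))
    return findings

# Constructed sample objects, trimmed to the fields the audit reads.
SAMPLE_ITEMS = [
    {"kind": "Pod",
     "metadata": {"name": "labeled-true", "namespace": "policy-disabled",
                  "labels": {INJECT_KEY: "true"}}},
    {"kind": "Pod",
     "metadata": {"name": "annotated-true", "namespace": "policy-disabled",
                  "annotations": {INJECT_KEY: "true"}}},
    {"kind": "Deployment",
     "metadata": {"name": "httpbin", "namespace": "policy-disabled",
                  "labels": {INJECT_KEY: "true"}},
     "spec": {"template": {"metadata": {"labels": {"app": "httpbin"}}}}},
]

if __name__ == "__main__":
    for kind, ref, finding in audit(SAMPLE_ITEMS):
        print(f"{kind} {ref}: {finding}")
```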