Enabled Istio sidecar injection automatically without labelling the namespace

Question

I have scenario where I need to inject istio-side into the workload without labelling the namespace. Reason I can't label the namespace is because in my cluster the namespace are created via an automated process and currently I can't change that process due to security reason. Hence want to understand if there is a way to automatically inject the istio sidecar into the workload without labelling the namespace.

Resources I have already tried and tested.

1. Using the sidecar.istio.io/inject="true" annotation on the in the deployment/pod definition. Note: the annotation will only work with if the namespace is labelled and for this reason I really don't why do we even have this annotation. For more information please visit: https://github.com/istio/istio/issues/6476#issuecomment-1023817004

2. Manual injection works but it has way too much operational overhead and hence is not a preferred method.

3. DiscoverySelector construct as only works on namespaces not on deployment/pods object inside kube.netes.

Istio Version

client version: 1.12.2
control plane version: 1.12.1

Answer 1

The issue described above is resolved.

The way to achieve the above is to use sidecar.istio.io/inject="true" as label in pod/deployment definition, not as a annotation .

The correct definition of should look like this

apiVersion: v1
kind: Pod
metadata:
  name: labeled-true
  namespace: policy-disabled
  labels:
    sidecar.istio.io/inject: "true"
spec:
  containers:
  - image: docker.io/citizenstig/httpbin
    imagePullPolicy: IfNotPresent
    name: httpbin

Not like this

apiVersion: v1
kind: Pod
metadata:
  name: labeled-true
  namespace: policy-disabled
  annotations:
    sidecar.istio.io/inject: "true"
spec:
  containers:
  - image: docker.io/citizenstig/httpbin
    imagePullPolicy: IfNotPresent
    name: httpbin