Istio version used in this article: 1.4.2
View the default sidecar injection configuration
kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml | grep "namespaceSelector:" -A5
  namespaceSelector:
    matchLabels:
      istio-injection: enabled
  objectSelector: {}
  reinvocationPolicy: Never
  rules:
As the output shows, Istio's default injection rule is that a sidecar is injected only into namespaces carrying the label istio-injection: enabled.
Check which namespaces are configured for injection:
[root@k8s-master istio-1.4.2]# kubectl get namespace -L istio-injection
NAME              STATUS   AGE   ISTIO-INJECTION
default           Active   70d
ingress-nginx     Active   69d
istio-system      Active   19h
kube-node-lease   Active   70d
kube-public       Active   70d
kube-system       Active   70d
naftis            Active   19h
test-deri         Active   47d
Label a namespace so that sidecars are injected into it:
kubectl label namespace default istio-injection=enabled --overwrite
By default the label is not set on any namespace.
Configure a namespace to not inject sidecars
Some Kubernetes system-component namespaces, such as kube-system, should not have sidecars injected. An alternative webhook configuration that selects every namespace except those labeled istio-injection: disabled looks like this:
kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml | grep "namespaceSelector:" -A5
  namespaceSelector:
    matchExpressions:
    - key: istio-injection
      operator: NotIn
      values:
      - disabled
  rules:
  - apiGroups:
    - ""
Label a namespace so that sidecars are not injected into it:
kubectl label namespace istio-system istio-injection=disabled --overwrite
kubectl get namespace -L istio-injection
NAME           STATUS   AGE   ISTIO-INJECTION
default        Active   18d
istio-system   Active   3d    disabled
kube-public    Active   18d   disabled
kube-system    Active   18d   disabled
View the sidecar injection policy
The sidecar configuration is stored in the istio-sidecar-injector ConfigMap; further options are documented in install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/values.yaml.
The main setting is the default policy:
kubectl -n istio-system get configmap istio-sidecar-injector -o jsonpath='{.data.config}' | grep policy:
The allowed values are disabled and enabled. The default policy is applied only when the webhook's namespaceSelector matches the target namespace. An unrecognized policy value causes injection to be disabled entirely.
Note: (1) if the policy is disabled but you want a sidecar injected into a pod, add the annotation sidecar.istio.io/inject: "true"; (2) if the policy is enabled but you do not want a sidecar injected into a pod, add the annotation sidecar.istio.io/inject: "false".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ignored
spec:
  selector:            # apps/v1 requires a selector that matches the template labels
    matchLabels:
      app: ignored
  template:
    metadata:
      labels:
        app: ignored
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - name: ignored
        image: tutum/curl
        command: ["/bin/sleep","infinity"]
Manually inject the sidecar
To manually inject the sidecar into an existing YAML file, use istioctl kube-inject:
istioctl kube-inject -f samples/sleep/sleep.yaml | kubectl apply -f -
By default this uses the in-cluster configuration. Alternatively, injection can be performed with a local copy of the configuration. The following commands export the default configuration to files:
kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath='{.data.config}' > inject-config.yaml
kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath='{.data.values}' > inject-values.yaml
kubectl -n istio-system get configmap istio -o=jsonpath='{.data.mesh}' > mesh-config.yaml
Then inject the configuration from those files into the existing YAML and apply it:
istioctl kube-inject \
    --injectConfigFile inject-config.yaml \
    --meshConfigFile mesh-config.yaml \
    --valuesFile inject-values.yaml \
    --filename samples/sleep/sleep.yaml \
    | kubectl apply -f -
This has the same effect as the first command. Verify that the sidecar was injected (READY shows 2/2, the application container plus the proxy):
kubectl get pod -l app=sleep
NAME                     READY   STATUS    RESTARTS   AGE
sleep-64c6f57bc8-f5n4x   2/2     Running   0          24s
Other options: neverInjectSelector/alwaysInjectSelector; see the official documentation.
Example:
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-sidecar-injector
data:
  config: |-
    policy: enabled
    neverInjectSelector:
      - matchExpressions:
        - {key: openshift.io/build.name, operator: Exists}
      - matchExpressions:
        - {key: openshift.io/deployer-pod-for.name, operator: Exists}
    template: |-
      initContainers:
      ...
Configuration precedence
If a pod carries the annotation, neverInjectSelector/alwaysInjectSelector are configured, and a default policy is also set, the precedence between them is as follows:
Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy
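To make the precedence chain concrete, here is an added Python model of the injection decision. It is not part of the original post and not Istio's own code: it evaluates the namespaceSelector step shown in the first two sections (the opt-in matchLabels variant and the opt-out NotIn variant) and then the pod-level chain of annotation, neverInjectSelector, alwaysInjectSelector and default policy. The selector evaluator handles matchLabels and the matchExpressions operators In, NotIn, Exists and DoesNotExist; all webhook selectors, injector configs, namespaces and pods in the block are constructed sample data, and the function names are this example's own.

```python
# Added example, not from the original post and not Istio's code: a model of
# the sidecar-injection decision using the precedence stated above
# (pod annotation -> neverInjectSelector -> alwaysInjectSelector -> default
# policy) plus the webhook namespaceSelector step shown earlier.
# All selectors, configs, namespaces and pods below are constructed samples.

INJECT_ANNOTATION = "sidecar.istio.io/inject"


def selector_matches(selector, labels):
    """Evaluate a LabelSelector dict (matchLabels + matchExpressions) against
    a label map. Every clause must hold, so an empty selector {} matches all."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        present = key in labels
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
        if op == "In" and (not present or labels[key] not in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
    return True


def is_empty_selector(selector):
    """Empty never/always selectors are skipped rather than matching everything."""
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def inject_required(config, pod_labels, pod_annotations):
    """Return True if the injector would add a sidecar to this pod, given the
    injector ConfigMap's policy and never/alwaysInjectSelector lists."""
    value = pod_annotations.get(INJECT_ANNOTATION, "").lower()
    if value in ("true", "yes", "y", "on"):
        return True                  # explicit opt-in beats every selector and policy
    if value:
        return False                 # any other explicit value, e.g. "false", opts out
    for sel in config.get("neverInjectSelector", []):
        if not is_empty_selector(sel) and selector_matches(sel, pod_labels):
            return False
    for sel in config.get("alwaysInjectSelector", []):
        if not is_empty_selector(sel) and selector_matches(sel, pod_labels):
            return True
    # Default policy: anything other than "enabled" (including typos) disables injection
    return config.get("policy") == "enabled"


def sidecar_injected(namespace_selector, ns_labels, config, pod_labels, pod_annotations):
    """Full path: the API server calls the webhook only when namespaceSelector
    matches the pod's namespace; only then does the injector logic run."""
    if not selector_matches(namespace_selector, ns_labels):
        return False
    return inject_required(config, pod_labels, pod_annotations)


# Constructed sample data mirroring the two webhook variants shown above.
OPT_IN_SELECTOR = {"matchLabels": {"istio-injection": "enabled"}}
OPT_OUT_SELECTOR = {"matchExpressions": [
    {"key": "istio-injection", "operator": "NotIn", "values": ["disabled"]}]}
INJECTOR_CONFIG = {
    "policy": "enabled",
    "neverInjectSelector": [
        {"matchExpressions": [{"key": "openshift.io/build.name", "operator": "Exists"}]},
    ],
}

if __name__ == "__main__":
    # An unlabeled namespace is skipped by the opt-in webhook but injected by the opt-out one.
    for ns in ({}, {"istio-injection": "enabled"}, {"istio-injection": "disabled"}):
        print("opt-in ", ns, sidecar_injected(OPT_IN_SELECTOR, ns, INJECTOR_CONFIG, {}, {}))
        print("opt-out", ns, sidecar_injected(OPT_OUT_SELECTOR, ns, INJECTOR_CONFIG, {}, {}))
```

Two things the model makes visible: with the NotIn selector, a namespace nobody labeled is inside the mesh by default, so new namespaces need a deliberate disabled label if they should stay out; and because the pod annotation sits at the top of the chain, any workload owner can set sidecar.istio.io/inject: "false" and run outside the proxy, so mesh-level mTLS and authorization do not cover such pods and they are worth auditing (for example with kubectl get pods -A -o jsonpath on that annotation).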
Uninstall automatic sidecar injection
- Remove the sidecar injector components from Istio
kubectl delete mutatingwebhookconfiguration istio-sidecar-injector
kubectl -n istio-system delete service istio-sidecar-injector
kubectl -n istio-system delete deployment istio-sidecar-injector
kubectl -n istio-system delete serviceaccount istio-sidecar-injector-service-account
kubectl delete clusterrole istio-sidecar-injector-istio-system
kubectl delete clusterrolebinding istio-sidecar-injector-admin-role-binding-istio-system
- Remove automatic injection from a single namespace (the trailing "-" removes the label)
kubectl label namespace default istio-injection-
Sidecar injection problems
For more details, see the official documentation.