Sidecar Injection
Services participating in the service mesh communicate via sidecar proxies installed on pods backing the services. The following sections describe the sidecar injection workflow in OSM.
Automatic Sidecar Injection
Automatic sidecar injection is currently the only way to inject sidecars into the service mesh. Sidecars can be automatically injected into applicable Kubernetes pods using a mutating webhook admission controller provided by OSM.
Automatic sidecar injection can be configured per namespace as a part of enrolling a namespace into the mesh, or later using the Kubernetes API. Automatic sidecar injection can be enabled either on a per namespace or per pod basis by annotating the namespace or pod resource with the sidecar injection annotation. Individual pods and namespaces can be explicitly configured to either enable or disable automatic sidecar injection, giving users the flexibility to control sidecar injection on pods and namespaces.
Enabling Automatic Sidecar Injection
Prerequisites:
- The namespace to which the pods belong must be a monitored namespace that is added to the mesh using the
osm namespace add
command. - The namespace to which the pods belong must not be set to be ignored using the
osm namespace ignore
command. - The namespace to which the pods belong must not have a label with key
name
and value corresponding to the OSM control plane namespace. For example, a namespace with a labelname: osm-system
whereosm-system
is the control plane namespace cannot have sidecar injection enabled for pods in this namespace. - The pod must not have
hostNetwork: true
in the pod spec. Pods withhostNetwork: true
are not injected with a sidecar since doing so can result in routing failures in the host network.
Automatic Sidecar injection can be enabled in the following ways:
-
While enrolling a namespace into the mesh using
osm
cli:osm namespace add <namespace>
: Automatic sidecar injection is enabled by default with this command. -
Using
kubectl
to annotate individual namespaces and pods to enable sidecar injection:# Enable sidecar injection on a namespace $ kubectl annotate namespace <namespace> openservicemesh.io/sidecar-injection=enabled
# Enable sidecar injection on a pod $ kubectl annotate pod <pod> openservicemesh.io/sidecar-injection=enabled
-
Setting the sidecar injection annotation to
enabled
in the Kubernetes resource spec for a namespace or pod:metadata: name: test annotations: 'openservicemesh.io/sidecar-injection': 'enabled'
Pods will be injected with a sidecar only if the following conditions are met:
- The namespace to which the pod belongs is a monitored namespace.
- The pod is explicitly enabled for the sidecar injection, OR the namespace to which the pod belongs is enabled for the sidecar injection and the pod is not explicitly disabled for sidecar injection.
Explicitly Disabling Automatic Sidecar Injection on Namespaces
Namespaces can be disabled for automatic sidecar injection in the following ways:
-
While enrolling a namespace into the mesh using
osm
cli:osm namespace add <namespace> --disable-sidecar-injection
: If the namespace was previously enabled for sidecar injection, it will be disabled after running this command. -
Using
kubectl
to annotate individual namespaces to disable sidecar injection:# Disable sidecar injection on a namespace $ kubectl annotate namespace <namespace> openservicemesh.io/sidecar-injection=disabled
Explicitly Disabling Automatic Sidecar Injection on Pods
Individual pods can be explicitly disabled for sidecar injection. This is useful when a namespace is enabled for sidecar injection but specific pods should not be injected with sidecars.
-
Using
kubectl
to annotate individual pods to disable sidecar injection:# Disable sidecar injection on a pod $ kubectl annotate pod <pod> openservicemesh.io/sidecar-injection=disabled
-
Setting the sidecar injection annotation to
disabled
in the Kubernetes resource spec for the pod:metadata: name: test annotations: 'openservicemesh.io/sidecar-injection': 'disabled'
Automatic sidecar injection is implicitly disabled for a namespace when it is removed from the mesh using the osm namespace remove
command.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.