Istio implements automatic SIDecAR injection

Sidecars mode

In a Sidecar deployment, you deploy a companion container for each application container. For the Service Mesh, the Sidecar takes over all network traffic going in and out of the application container.

Sidecar is good for job audits, especially in security-related areas.

The principle of analytic

Schematic diagram

Automatic injection is implemented through kube-Apiserver access control. Simply put, the IStio-Sidecar-Injector service provides a webService that provides the auto-injection service (this service uses istio-Sidecar-Injector ConfigMap as the injection configuration). Istio-sidecar – Injector MutatingAdmissionWebhook defines when kube-Apiserver needs to send a request to istio-Sidecar – Injector service for injection.

Check the configuration

View the existing (default) MutatingAdmissionWebhook configuration for IStio-Sidecar-Injector

kubectl describe mutatingwebhookconfiguration istio-sidecar-injector
Copy the code

By default, only the POD in the namespace that contains the ISTIo-Injection =enabled tag can be used for automatic injection when it is created.

Set automatic injection for a single namespace

Specify the Demo namespace to set automatic injection

kubectl label namespace demo istio-injection=enabled
Copy the code

View injection Results

kubectl get namespace -L istio-injection
Copy the code

All namespaces are set for automatic injection

Modify the configuration

kubectl edit mutatingwebhookconfiguration istio-sidecar-injector
Copy the code

If a namespace does not want automatic injection, add istio-injection=disabled.

Test auto injection

Create a simple Deployment

vim nginx.yaml

--- apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: '1' k8s.kuboard.cn/displayName: nginx k8s.kuboard.cn/workload: nginx generation: 1 labels: k8s.kuboard.cn/layer: '' k8s.kuboard.cn/name: nginx name: nginx namespace: demo spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: k8s.kuboard.cn/layer: '' k8s.kuboard.cn/name: nginx template: metadata: labels: k8s.kuboard.cn/layer: '' k8s.kuboard.cn/name: nginx spec: containers: - image: Nginx :1.19.10- Alpine imagePullPolicy: IfNotPresent Name: nginxCopy the code

Create a pod

kubectl apply -f nginx.yaml
Copy the code

A POD generates two containers, one for nginx itself and the other for the Sidecar proxy.

Viewing POD Details

kubectl describe po nginx-5bbcd878cf-q2l5s -n demo
Copy the code

It can also be viewed in kuboard

mo4tech.com (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.

Istio implements automatic SIDecAR injection

Sidecars mode

The principle of analytic

Check the configuration

Set automatic injection for a single namespace

All namespaces are set for automatic injection

Test auto injection

The automatic injection configuration succeeded. Procedure

Istio implements automatic SIDecAR injection

Sidecars mode

The principle of analytic

Check the configuration

Set automatic injection for a single namespace

All namespaces are set for automatic injection

Test auto injection

The automatic injection configuration succeeded. Procedure

Related Posts

L1-009 items Go language primer 150 】 【 N number sum compare size (20 points) L1-010 (10) the Go | Golang

Concurrent container for multi-threaded high concurrency learning

Nginx is configured with a single page application

L1-009 items Go language primer 150 】【 N number sum compare size (20 points) L1-010 (10) the Go | Golang