Istio implements non-intrusive service governance by injecting a sidecar into each pod in the service mesh. Sidecar injection is therefore an important part of how its capabilities are implemented (this article mainly covers injection in a Kubernetes cluster).

There are two ways to inject the sidecar: create a webhook resource and use the Kubernetes webhook capability to inject pods automatically, or inject YAML files manually with the istioctl tool. Both methods are briefly introduced here.

Webhook automatic injection:

Preparation conditions:

  • Kubernetes 1.9 or higher is required for automatic injection;
  • Kubernetes environment needs to support MutatingAdmissionWebhook;
$ kubectl api-versions | grep admissionregistration
admissionregistration.k8s.io/v1beta1
  • It needs to be added to the kube-apiserver startup parameters;
  • Ensure that the communication between the master and the node container is normal.

Automatic injection control:

  • Automatic injection can be switched on or off through the policy field in the istio-sidecar-injector ConfigMap (policy: disabled turns it off).
$ kubectl get cm istio-sidecar-injector -nistio-system -o yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
data:
  config: |-
    policy: enabled   # enabled turns injection on, disabled turns it off
  • Label the namespace that should be injected automatically with istio-injection: enabled (this is the namespace-level control for automatic injection).
$ kubectl get namespace -L istio-injection
NAME           STATUS    AGE       ISTIO-INJECTION
default        Active    1h
istio-system   Active    1h
kube-public    Active    1h
kube-system    Active    1h
$ kubectl label namespace default istio-injection=enabled
namespace "default" labeled
$ kubectl get namespace -L istio-injection
NAME           STATUS    AGE       ISTIO-INJECTION
default        Active    1h        enabled
istio-system   Active    1h
kube-public    Active    1h
kube-system    Active    1h
  • Automatic injection can also be controlled at the pod level by setting the annotation sidecar.istio.io/inject in the Deployment.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: test
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true"   # "true" enables automatic injection, "false" turns it off
  • Define the webhook in a MutatingWebhookConfiguration file, in the following format (found in the sidecarInject helm package).

The semantics are as follows: in namespaces that carry the label istio-injection: enabled, when the action listed under rules (CREATE on pods) occurs, the service (the /inject endpoint of istio-sidecar-injector.istio-system) is called.

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    app: istio-sidecar-injector
webhooks:
  - name: sidecar-injector.istio.io
    clientConfig:
      service:
        name: istio-sidecar-injector
        namespace: {{ .Release.Namespace }}
        path: "/inject"
      caBundle: ""
    rules:
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: Fail
    namespaceSelector:
      matchLabels:
        istio-injection: enabled
  • [Figure: webhook workflow flowchart]

The prerequisites and the principle of automatic injection have been introduced above. Finally, the result of automatic injection can be tested:

  • First, install the Istio control plane and ensure that the sidecar injector is installed.
$ kubectl get po -nistio-system | grep sidecar-injector
istio-sidecar-injector-5fb5999bf8-59k79          1/1       Running   0          1d
  • Deploy a simple test Deployment. Here we use Nginx as an example.
$ kubectl get po | grep nginx
nginx-v1-74c674fbd5-fl9bh         1/1       Running   0          22s
  • Label the default namespace for automatic injection as described above, delete the pod, and observe the pod status. The number of containers in the pod changes from 1 to 2.
$ kubectl get po | grep nginx
nginx-v1-54fbccf6fd-ff4k2         2/2       Running       0          4s
nginx-v1-74c674fbd5-fl9bh         1/1       Terminating   0          5m
  • You can see that the sidecar container has been injected successfully. The pod description shows what automatic injection did: it inserted an init container, istio-init, and a sidecar container, istio-proxy, into the pod (see the istio-sidecar-injector ConfigMap for the details of the injected content).
$ kubectl describe po nginx-v1-54fbccf6fd-ff4k2
Name:         nginx-v1-54fbccf6fd-ff4k2
Namespace:    default
Status:       Running
...
Init Containers:
  istio-init:
    Container ID:  docker://96951306e214594d0c1e550f732a81781287f79f0e5a3262455f38535d42d61f
    Image:         istio/proxy_init:0.8.0
    ...
Containers:
  container-0:
    Container ID:  docker://237781c7ce1e8c1f49f68047142ce1738822bafbe504f836f51873cbb1ac1f5d
    Image:         nginx:1.12-alpine-perl
    Port:          80/TCP
    State:         Running
    ...
  istio-proxy:
    Container ID:  docker://7208d32552918a5853fd56171bdbab3de3ae734242d23b140f6e5c2a1a4bce64
    Image:         istio/proxyv2:0.8.0
    Args:
      proxy
      sidecar
      --configPath
      /etc/istio/proxy
      --binaryPath
      /usr/local/bin/envoy
      --serviceCluster
      nginx
      ...
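
The following Python model is an added example, not Istio's code and not part of the original article. It walks through the two decisions described above: when the API server calls the webhook (rules plus namespaceSelector) and what the injector sends back (a JSONPatch that adds istio-init and istio-proxy). The container stubs, the sample request and the simplified annotation handling are assumptions.

```python
import base64
import json

# Constructed stand-ins for the injector template; the image tags are the
# ones visible in the pod description on this page.
INIT = {"name": "istio-init", "image": "istio/proxy_init:0.8.0"}
PROXY = {"name": "istio-proxy", "image": "istio/proxyv2:0.8.0"}
ANNOTATION = "sidecar.istio.io/inject"

def webhook_called(operation, resource, ns_labels):
    """API-server side: rules plus namespaceSelector from the webhook config."""
    return (operation == "CREATE" and resource == "pods"
            and ns_labels.get("istio-injection") == "enabled")

def should_inject(policy, pod):
    """Injector side: ConfigMap policy is the default, the annotation overrides it."""
    value = pod.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    if value in ("true", "false"):  # simplified: only these two values are modelled
        return value == "true"
    return policy == "enabled"

def build_patch(pod):
    """JSONPatch that adds the init container and the proxy container."""
    spec = pod["spec"]
    if "initContainers" in spec:
        init_op = {"op": "add", "path": "/spec/initContainers/-", "value": INIT}
    else:  # the array does not exist yet, so the patch has to create it
        init_op = {"op": "add", "path": "/spec/initContainers", "value": [INIT]}
    return [init_op, {"op": "add", "path": "/spec/containers/-", "value": PROXY}]

def review(request, ns_labels, policy):
    """Return the AdmissionReview response, or None if the webhook is never called."""
    resource = request["resource"]["resource"]
    if not webhook_called(request["operation"], resource, ns_labels):
        return None
    response = {"uid": request["uid"], "allowed": True}
    if should_inject(policy, request["object"]):
        patch = json.dumps(build_patch(request["object"])).encode()
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(patch).decode()
    return {"apiVersion": "admission.k8s.io/v1beta1",
            "kind": "AdmissionReview", "response": response}

# Constructed request for a one-container pod like the nginx test pod above.
SAMPLE = {"uid": "constructed-uid", "operation": "CREATE",
          "resource": {"group": "", "version": "v1", "resource": "pods"},
          "object": {"metadata": {"name": "nginx-v1"},
                     "spec": {"containers": [{"name": "container-0"}]}}}
```

Because the response carries an arbitrary patch against the pod spec, the injector service and its ConfigMap decide which containers run in every labeled namespace and should be access-controlled accordingly.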

Istioctl Manual injection:

  • Download the istioctl tool from https://github.com/istio/istio/releases/ and copy it to the environment
  • Copy the istioctl binary to the /usr/local/bin directory
mv -f istioctl /usr/local/bin
  • Confirm that the istio-sidecar-injector ConfigMap exists
$ kubectl get cm -n istio-system | grep istio-sidecar-injector
istio-sidecar-injector                  1         15h
  • Prepare the file test.yaml that you want to inject
  • Running istioctl adds the sidecar configuration to the original content and prints the result to the console.
$ istioctl kube-inject -f test.yaml
  • Deploy the istioctl processed content to Kubernetes
$ kubectl apply -f <(istioctl kube-inject -f test.yaml)
  • You can view pod details with the k8s command
$ kubectl describe pod test-c9f4b55c7-np4cf

Conclusion:

Automatic injection is the recommended way to inject the sidecar. Injection can be controlled by adding the corresponding annotation key to the Deployment. The implementation logic of automatic injection is not complicated: it relies on the Kubernetes webhook mechanism and injects the corresponding container resources into the Deployment through templates.