I want to add envoy proxy to an existing Kubernetes deployment as a sidecar. I tried following multiple blog posts and that did not seem to help. I was wondering if anyone has done it, and if so, how to?
Thank you!
You must restart the deployment.
From the Istio manual:
If you are using manual sidecar injection, use the following command:
$ kubectl apply -f <(istioctl kube-inject -f bookinfo.yaml)
The istioctl kube-inject command is used to manually modify the bookinfo.yaml file before creating the deployments as documented here.
If you are using a cluster with automatic sidecar injection enabled, label the default namespace with istio-injection=enabled
$ kubectl label namespace default istio-injection=enabled
Then simply deploy the services using kubectl
$ kubectl apply -f bookinfo.yaml
To add to Kun Li's answer: if your Kubernetes cluster already has many services running, it is safer to set the autoInjection policy as disabled by default, and let the service owner state explicitly that it wants to use the Istio sidecar.
To do that, you have to:
--global.proxy.autoInject=disabled --sidecarInjectorWebhook.enabled=true
kubectl label namespace bar istio-injection=enabled
The --sidecarInjectorWebhook.enabled=true option and labeling your namespace mean that the Istio sidecar injector webhook is activated for your namespace. But then, since you specify global.proxy.autoInject=disabled, it won't inject any pods. So, the service owner has to define the pod's annotation explicitly (in your deployment YAML file) like below:
template:
  metadata:
    annotations:
      sidecar.istio.io/inject: "true"
To check your Istio sidecar injection policy:
kubectl get cm istio-sidecar-injector -n istio-system -o yaml
Take a look at the data.config value; it should contain policy: disable or policy: enabled.
Reference:
- https://istio.io/docs/setup/kubernetes/sidecar-injection/#policy
- personal hands on (I've tried it)
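The opt-in and opt-out rules described in this answer, written out as an added example that is not part of the original post or of Istio's own code. The function names and the sample ConfigMap are constructed for illustration, and the sketch assumes only the namespace label, the injector policy and the pod annotation influence the decision.

```shell
#!/bin/sh
# Added example. Assumption: only the namespace label, the injector policy
# and the pod annotation are modelled; other injector settings are ignored.

# Constructed sample of the istio-sidecar-injector ConfigMap (not real output).
SAMPLE_CM='apiVersion: v1
kind: ConfigMap
data:
  config: |-
    policy: disabled
    template: |-
      initContainers: []'

# extract_policy: print the first "policy:" value found on stdin.
# Live use: kubectl -n istio-system get cm istio-sidecar-injector \
#             -o jsonpath='{.data.config}' | extract_policy
extract_policy() {
    sed -n 's/^[[:space:]]*policy:[[:space:]]*\([A-Za-z]*\).*$/\1/p' | head -n 1
}

# would_inject NS_LABEL POLICY ANNOTATION -> prints inject | skip | unknown
would_inject() {
    ns_label=$1; policy=$2; annotation=$3
    # The webhook only acts on namespaces labeled istio-injection=enabled.
    if [ "$ns_label" != "enabled" ]; then echo skip; return 0; fi
    case "$policy" in
        enabled)   # opt-out: inject unless the pod says "false"
            if [ "$annotation" = "false" ]; then echo skip; else echo inject; fi ;;
        disabled)  # opt-in: inject only if the pod says "true"
            if [ "$annotation" = "true" ]; then echo inject; else echo skip; fi ;;
        *)  echo unknown; return 2 ;;
    esac
}

# Print the decision for each annotation value under the sample policy.
policy=$(printf '%s\n' "$SAMPLE_CM" | extract_policy)
for ann in true false ""; do
    printf 'policy=%s annotation=%-5s -> %s\n' \
        "$policy" "${ann:-unset}" "$(would_inject enabled "$policy" "$ann")"
done
```

An "unknown" result means the policy string was neither enabled nor disabled, which is worth checking before relying on sidecars being present in a namespace.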