I have a Kubernetes 1.9.3 cluster and deployed Istio 1.0.12 on it. I created a namespace with istio-injection=enabled and created a deployment in that namespace. I don't see the Envoy proxy getting automatically injected into the pods created by deployments.
Istio calls kube-apiserver to inject envoy proxy into the pods. Two plugins need to be enabled in kube-apiserver for proxy injection to work.
kube-apiserver runs as a static pod and the pod manifest is available at /etc/kubernetes/manifests/kube-apiserver.yaml. Update the line as shown below to include MutatingAdmissionWebhook and ValidatingAdmissionWebhook plugins (available since Kubernetes 1.9).
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
The kubelet will detect the changes and re-create kube-apiserver pod automatically.
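A check for the change described above, as an added example that is not part of the original answer: it reads a kube-apiserver manifest and reports which of the two webhook plugins are absent from the admission flag. The function names and the sample manifest fragment are constructed for illustration, and the script also accepts `--enable-admission-plugins`, the flag that replaced `--admission-control` from Kubernetes 1.10, which goes beyond the 1.9 case on this page.

```shell
#!/bin/sh
# Added example (not from the original answer): verify that a kube-apiserver
# static pod manifest enables both admission webhook plugins.

REQUIRED="MutatingAdmissionWebhook ValidatingAdmissionWebhook"

# Print the comma-separated plugin list from the first active (uncommented)
# --admission-control or --enable-admission-plugins argument in the manifest.
admission_plugins() {
    sed -n -E 's/^[[:space:]]*-[[:space:]]*--(admission-control|enable-admission-plugins)=([^[:space:]]*).*$/\2/p' "$1" | head -n 1
}

# Print one missing plugin per line; return 0 only when nothing is missing.
missing_webhook_plugins() {
    plugins=$(admission_plugins "$1")
    missing=""
    for p in $REQUIRED; do
        # Match whole plugin names only, so a partial name never counts.
        case ",$plugins," in
            *",$p,"*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' $missing
    return 1
}

# Constructed sample: a manifest fragment as it looks before the edit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota
EOF

if missing_webhook_plugins "$sample" > /dev/null; then
    echo "webhook admission plugins enabled"
else
    echo "missing: $(missing_webhook_plugins "$sample" | tr '\n' ' ')"
fi
rm -f "$sample"
```

On a control-plane node, call `missing_webhook_plugins /etc/kubernetes/manifests/kube-apiserver.yaml` after the kubelet has restarted the pod; a non-zero exit status means sidecar injection still cannot work.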