I have an OpenShift deployment with two containers: a main Java app and a custom sidecar that does JMX monitoring of the main app. When I don't inject the Istio sidecar (with the annotation sidecar.istio.io/inject: 'false'), everything works as I expect and the JMX sidecar can establish a connection. But when I inject the Istio sidecar, I have connection problems.
There are annotations like:
but they don't seem to work, at least in my case and I couldn't find much information about them.
Here is my deployment YAML with the relevant information; it works with the 'false' and doesn't with the 'true' Istio sidecar inject option:

    apiVersion: apps/v1beta1
    kind: Deployment
    spec:
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: 'true'
        spec:
          containers:
          - image: mainjavaappsource
            ports:
            - containerPort: 9090
          - image: jmxsidecarsource
          dnsPolicy: ClusterFirst

So the question is - how can I exclude connections between containers in the same deployment from being intercepted by Istio sidecar?
Preventing the proxy from intercepting the traffic basically means excluding that service from the mesh. Simply don't inject the sidecar (so, keep that service outside the mesh), and create a ServiceEntry.
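A sketch of the setup this answer describes, added here as an example and not taken from the original post: the pod opts out of injection and a ServiceEntry registers it for workloads that remain in the mesh. The resource name, the host name and the port name are placeholders; port 9090 is the containerPort from the question.

```yaml
# Deployment fragment: keep the pod outside the mesh (annotation from the question).
apiVersion: apps/v1beta1
kind: Deployment
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: 'false'
---
# ServiceEntry: lets in-mesh workloads address the out-of-mesh service.
# Traffic to this workload is not handled by a sidecar on its side, so it
# gets no mesh mTLS or sidecar-enforced policy there; restrict access with
# a NetworkPolicy or equivalent if the port is sensitive.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mainjavaapp-outside-mesh          # placeholder name
spec:
  hosts:
  - mainjavaapp.example.internal          # placeholder host, replace with the real DNS name
  location: MESH_EXTERNAL                 # the endpoint has no sidecar
  resolution: DNS
  ports:
  - number: 9090                          # containerPort from the question
    name: tcp-app                         # placeholder port name
    protocol: TCP
```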