Automatic Sidecar Injection
Automatic sidecar injection adds the sidecar proxy into user-created pods. It uses a MutatingWebhook to append the sidecar’s containers and volumes to each pod’s template spec during creation time. Injection can be scoped to particular sets of namespaces using the webhooks namespaceSelector mechanism. Injection can also be enabled and disabled per-pod with an annotation.
Whether or not a sidecar is injected depends on three pieces of configuration and two security rules:
Configuration:
- webhooks namespaceSelector
- default policy
- per-pod override annotation

Security rules:
- sidecars cannot be injected in the kube-system or kube-public namespaces
- sidecars cannot be injected into pods that use the host network
The following truth table shows the final injection status based on the three configuration items. The security rules above cannot be overridden.
namespaceSelector match | default policy | Pod override annotation sidecar.istio.io/inject | Sidecar injected? |
---|---|---|---|
yes | enabled | true (default) | yes |
yes | enabled | false | no |
yes | disabled | true | yes |
yes | disabled | false (default) | no |
no | enabled | true (default) | no |
no | enabled | false | no |
no | disabled | true | no |
no | disabled | false (default) | no |
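
The truth table and the two security rules can be combined into one decision function, which is handy for auditing which pods end up without a sidecar. This is an added example, not Istio's own code: the Pod type, ShouldInject and the sample pods are constructed for illustration, and it assumes only the literal annotation values "true" and "false" act as an override.

```go
package main

import "fmt"

const injectAnnotation = "sidecar.istio.io/inject"

// Pod carries only the fields the decision depends on (constructed type, not Istio's own).
type Pod struct {
	Name, Namespace string
	HostNetwork     bool
	Annotations     map[string]string
}

// ShouldInject returns the injection decision and the rule that produced it.
// selectorMatch: the webhooks namespaceSelector matches the pod's namespace.
// defaultEnabled: the default policy.
func ShouldInject(p Pod, selectorMatch, defaultEnabled bool) (bool, string) {
	// Security rules are checked first; no configuration can override them.
	if p.Namespace == "kube-system" || p.Namespace == "kube-public" {
		return false, "security rule: protected namespace"
	}
	if p.HostNetwork {
		return false, "security rule: host network"
	}
	if !selectorMatch {
		return false, "namespaceSelector does not match"
	}
	// Assumption: only the literal values "true" and "false" count as an override.
	switch p.Annotations[injectAnnotation] {
	case "true":
		return true, "pod annotation"
	case "false":
		return false, "pod annotation"
	}
	return defaultEnabled, "default policy"
}

func main() {
	// Constructed sample pods, audited under a matching selector and an enabled policy.
	pods := []Pod{
		{Name: "web", Namespace: "shop"},
		{Name: "batch", Namespace: "shop", Annotations: map[string]string{injectAnnotation: "false"}},
		{Name: "node-agent", Namespace: "shop", HostNetwork: true},
		{Name: "dns", Namespace: "kube-system", Annotations: map[string]string{injectAnnotation: "true"}},
	}
	for _, p := range pods {
		ok, why := ShouldInject(p, true, true)
		fmt.Printf("%s/%s injected=%v (%s)\n", p.Namespace, p.Name, ok, why)
	}
}
```

The returned reason separates pods that opted out by annotation from pods excluded by a security rule, which is the distinction to look for when reviewing workloads that run without the proxy.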