istio-operator

the workload is not injected with sidecar, is that the namespace with istio-injection=enabled label, the workload will be injected

Open 13567436138 opened this issue 2 years ago • 3 comments

Describe the bug
A clear and concise description of what the bug is.
the workload is not injected with sidecar, is that the namespace with istio-injection=enabled label, the workload will be injected

Steps to reproduce the issue:
Please describe the steps to reproduce the issue.
I installed istio-operator and istio, everything seems ok, but the workload was not injected with sidecar

Expected behavior
A clear and concise description of what you expected to happen.
the workload injected sidecar

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem like release number version, branch, etc.

13567436138 • Mar 30 '22 08:03

Hi,

The istio.io/rev=<YOUR_ICP_NAME>.istio-system label should be used on the namespace and not istio-injection=enabled.

Laci21 • Mar 30 '22 09:03

Hey @Laci21, I got the same result when using the pod annotations for the granular sidecar injection. I've annotated the pod with combinations of istio.io/rev: "istio-base.istio-system" and sidecar.istio.io/inject: "true" but had no success. I have this webhook created:

webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    service:
      name: istiod-istio-base
      namespace: istio-system
      path: /inject
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: rev.namespace.sidecar-injector.istio.io
  namespaceSelector:
    matchExpressions:
    - key: istio.io/rev
      operator: In
      values:
      - istio-base.istio-system
    - key: istio-injection
      operator: DoesNotExist
  objectSelector:
    matchExpressions:
    - key: sidecar.istio.io/inject
      operator: NotIn
      values:
      - "false"
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    service:
      name: istiod-istio-base
      namespace: istio-system
      path: /inject
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: rev.object.sidecar-injector.istio.io
  namespaceSelector:
    matchExpressions:
    - key: istio.io/rev
      operator: DoesNotExist
    - key: istio-injection
      operator: DoesNotExist
  objectSelector:
    matchExpressions:
    - key: sidecar.istio.io/inject
      operator: NotIn
      values:
      - "false"
    - key: istio.io/rev
      operator: In
      values:
      - istio-base.istio-system
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10

dshmatov • May 15 '22 10:05

@dshmatov istio.io/rev: "istio-base.istio-system" should be a label, not an annotation. Do you still have this issue?

Laci21 • May 24 '22 09:05

Please reopen, if you still think there is an issue here.

Laci21 • Sep 02 '22 21:09