Sidecar injection

Service Mesh Manager allows you to configure automatic sidecar injection on the namespace level.

For details on configuring the sidecar proxies, see Restrict Outbound Traffic of Workloads.

Set sidecar injection using the UI

To set automatic sidecar injection using the web interface, complete the following steps.

  1. Navigate to MENU > TOPOLOGY.

  2. Click the name of the namespace you want to modify, for example, SMM-DEMO. A sidebar opens.

    Enable automatic sidecar injection Enable automatic sidecar injection

  3. Click DISABLE or ENABLE to disable or enable automatic sidecar injection.

    Note: Automatic sidecar injection happens when the pod is created. Changing this setting does not affect existing pods. To update existing pods, delete them manually, or update all deployments of the namespace by running kubectl rollout restart deployment -n <name-of-namespace>

Set sidecar injection from the command line

To enable automatic sidecar injection on a namespace, run the following command:

smm sidecar-proxy auto-inject on <name-of-namespace>

Expected output:

INFO[0006] auto sidecar injection successfully set to namespace

Note: Automatic sidecar injection happens when the pod is created. Changing this setting does not affect existing pods. To update existing pods, delete them manually, or update all deployments of the namespace by running kubectl rollout restart deployment -n <name-of-namespace>

CAUTION:

Adding the istio-injection label to the namespace does not trigger sidecar injection, because Service Mesh Manager uses versioned control planes. We recommend using the smm sidecar-proxy auto-inject command. Alternatively, you can set the istio.io/rev=cp-v115x.istio-system label manually by running:

kubectl label ns <namespace-to-label> istio.io/rev=cp-v115x.istio-system

To disable automatic sidecar injection on a namespace, run the following command:

smm sidecar-proxy auto-inject off <name-of-namespace>

Expected output:

INFO[0006] auto sidecar injection removed from to namespace

OpenShift

To invoke the istio-cni plugin on an OpenShift cluster, a NetworkAttachmentDefinition object must be present in the namespace which has sidecar-proxy enabled. The Calisti UI and the smm sidecar-proxy command automatically deploys a NetworkAttachmentDefinition instance to the namespace where you configure automatic sidecar injection.

To verify that the NetworkAttachmentDefinition object has been successfully deployed, run:

kubectl get network-attachment-definition -n <name-of-namespace>