
Alibaba Cloud Service Mesh:Control the injection scope of OPA sidecar proxies

Last Updated:Mar 11, 2026

By default, the Open Policy Agent (OPA) plug-in in Service Mesh (ASM) injects OPA sidecar proxies into all pods across the cluster. When you only need OPA access control in specific namespaces -- for example, to enforce policies in production while leaving development namespaces unrestricted -- enable injection scope control. ASM then injects OPA sidecar proxies only into pods in namespaces labeled with opa-istio-injection=enabled.

How it works

After you enable OPA injection scope control, ASM checks the opa-istio-injection label on a pod's namespace when the pod is created:

Namespace label                   Injection behavior
opa-istio-injection=enabled       OPA sidecar proxy (opa-istio) is injected into the pod
Label absent                      No OPA sidecar proxy is injected

Note: The label is evaluated only at pod creation time. To apply label changes to existing pods, delete and recreate them.

Prerequisites

Before you begin, ensure that you have:

  • A Container Service for Kubernetes (ACK) cluster added to an ASM instance of version 1.12.4.19 or later. For more information, see Add a cluster to an ASM instance.

  • Two namespaces, default and develop, created in the ACK cluster. For more information, see Manage namespaces and resource quotas.

  • An NGINX application deployed in the default namespace and a sleep application deployed in the develop namespace. For more information, see Create a stateless application by using a Deployment.

    Sample YAML files for the NGINX and sleep applications

    1. Create an nginx.yaml file and a sleep.yaml file with the corresponding code shown in the following code blocks:

      nginx.yaml

      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: nginx-deployment
      spec:
        selector:
          matchLabels:
            app: nginx
        replicas: 1
        template:
          metadata:
            labels:
              app: nginx
              sidecarset-injected: "true"
          spec:
            containers:
            - name: nginx
              image: nginx:1.14.2
              ports:
              - containerPort: 80
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: nginx
      spec:
        ports:
          - name: http
            port: 80
            protocol: TCP
            targetPort: 80
        selector:
          app: nginx
        type: ClusterIP

      sleep.yaml

      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: sleep
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: sleep
        labels:
          app: sleep
          service: sleep
      spec:
        ports:
        - port: 80
          name: http
        selector:
          app: sleep
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: sleep
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: sleep
        template:
          metadata:
            labels:
              app: sleep
          spec:
            terminationGracePeriodSeconds: 0
            serviceAccountName: sleep
            containers:
            - name: sleep
              image: curlimages/curl
              command: ["/bin/sleep", "infinity"]
              imagePullPolicy: IfNotPresent
              volumeMounts:
              - mountPath: /etc/sleep/tls
                name: secret-volume
            volumes:
            - name: secret-volume
              secret:
                secretName: sleep-secret
                optional: true
    2. Deploy the applications:

      kubectl apply -f nginx.yaml -n default
      kubectl apply -f sleep.yaml -n develop

Step 1: Enable OPA and injection scope control

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance.

  3. In the left-side navigation pane, choose Mesh Security Center > OPA Policy.

  4. On the OPA Policy page, select Enable Open Policy Agent (OPA) Plug-in and Enable OPA Injection Range Control, then click Enable OPA.

  5. In the Note dialog box, click OK.

Step 2: Label the target namespaces

Add the opa-istio-injection=enabled label to each namespace where OPA sidecar proxies should be injected. In this example, only the default namespace is labeled, so OPA sidecar proxies are injected into pods in default but not in develop.

Option A: kubectl (recommended)

For more information about how to connect to a cluster, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

kubectl label namespace default opa-istio-injection=enabled --overwrite

Verify the label:

kubectl get namespace default --show-labels

Option B: ACK console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage, then click Namespaces and Quotas in the left-side navigation pane.

  3. On the Namespace page, click Edit in the Actions column of the default namespace.

  4. In the Edit Namespace dialog box, set the label name to opa-istio-injection and the label value to enabled, click Add, and then click OK.

Step 3: Restart the applications to trigger injection

Delete the existing pods so that ASM re-evaluates injection when replacement pods start.

Note: If the application has multiple pods, delete all of them to restart the application. A pod has been restarted once its status returns to Running.

Option A: kubectl

kubectl delete pod -l app=nginx -n default
kubectl delete pod -l app=sleep -n develop

Wait until the new pods reach Running status:

kubectl get pod -l app=nginx -n default
kubectl get pod -l app=sleep -n develop

Option B: ACK console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage, then choose Workloads > Pods in the left-side navigation pane.

  3. In the upper part of the Pods page, set Namespace to default and choose More > Delete in the Actions column of the pod on which the NGINX application is deployed. In the Note dialog box, click OK.

  4. Repeat the preceding operations to restart the pod of the sleep application in the develop namespace.

Step 4: Verify the injection scope

After the pods restart, confirm that OPA sidecar proxies are injected only into the labeled namespace.

Option A: kubectl

Check the READY column to compare the number of containers in each pod:

kubectl get pod -l app=nginx -n default

Expected output -- 2/2 indicates that the OPA sidecar proxy (opa-istio) runs alongside the application container:

NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-xxxx-yyyy          2/2     Running   0          30s

kubectl get pod -l app=sleep -n develop

Expected output -- 1/1 confirms no OPA sidecar proxy was injected:

NAME                     READY   STATUS    RESTARTS   AGE
sleep-xxxx-yyyy          1/1     Running   0          30s
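Reading the READY column works for two pods, but it does not scale across a cluster, and the note under How it works means a namespace can carry the label while pods created before the label was added still run without the sidecar. The following Python script is an added example, not part of ASM or this page, that audits the output of `kubectl get namespaces -o json` and `kubectl get pods -A -o json`: for every pod it compares the presence of an opa-istio container with the namespace's opa-istio-injection label and lists the pods that must be deleted so their controller recreates them. The label and container names come from this page; the sample JSON, the file names namespaces.json and pods.json, the staging namespace and the api pod are constructed for illustration.

```python
import json
import sys
from pathlib import Path

OPA_LABEL = "opa-istio-injection"   # namespace label checked by ASM at pod creation
OPA_SIDECAR = "opa-istio"           # container name of the injected OPA sidecar

# Constructed sample data, shaped like `kubectl get namespaces -o json` and
# `kubectl get pods -A -o json` but trimmed to the fields the audit reads.
# It mirrors this page's cluster after Step 3 (default labeled, develop not)
# plus a hypothetical "staging" namespace whose pod predates its label.
SAMPLE_NAMESPACES = json.dumps({"items": [
    {"metadata": {"name": "default", "labels": {OPA_LABEL: "enabled"}}},
    {"metadata": {"name": "develop", "labels": {}}},
    {"metadata": {"name": "staging", "labels": {OPA_LABEL: "enabled"}}},
]})

SAMPLE_PODS = json.dumps({"items": [
    # default is labeled and the pod carries the sidecar: READY 2/2, consistent
    {"metadata": {"name": "nginx-deployment-xxxx-yyyy", "namespace": "default"},
     "spec": {"containers": [{"name": "nginx"}, {"name": OPA_SIDECAR}]}},
    # develop is unlabeled and the pod has no sidecar: READY 1/1, consistent
    {"metadata": {"name": "sleep-xxxx-yyyy", "namespace": "develop"},
     "spec": {"containers": [{"name": "sleep"}]}},
    # staging is labeled, but this pod was created before the label was added,
    # so it never received the sidecar and must be deleted and recreated
    {"metadata": {"name": "api-aaaa-bbbb", "namespace": "staging"},
     "spec": {"containers": [{"name": "api"}]}},
]})


def injection_enabled_namespaces(namespaces_json):
    """Return the set of namespace names labeled opa-istio-injection=enabled."""
    enabled = set()
    for ns in json.loads(namespaces_json)["items"]:
        labels = ns["metadata"].get("labels") or {}
        if labels.get(OPA_LABEL) == "enabled":
            enabled.add(ns["metadata"]["name"])
    return enabled


def audit_injection(namespaces_json, pods_json):
    """Compare each pod's actual OPA sidecar presence with what its namespace
    label says it should have. Returns one record per pod."""
    enabled = injection_enabled_namespaces(namespaces_json)
    report = []
    for pod in json.loads(pods_json)["items"]:
        ns = pod["metadata"]["namespace"]
        names = [c["name"] for c in pod["spec"].get("containers", [])]
        expected = ns in enabled
        actual = OPA_SIDECAR in names
        report.append({
            "namespace": ns,
            "pod": pod["metadata"]["name"],
            "expected_sidecar": expected,
            "has_sidecar": actual,
            "consistent": expected == actual,
        })
    return report


def pods_needing_restart(namespaces_json, pods_json):
    """(namespace, pod) pairs whose sidecar state disagrees with the label.
    The label is evaluated only at pod creation, so these pods have to be
    deleted so that their controller recreates them."""
    return [(r["namespace"], r["pod"])
            for r in audit_injection(namespaces_json, pods_json)
            if not r["consistent"]]


def main(argv):
    # Usage: python opa_scope_audit.py namespaces.json pods.json
    # The two files are the saved output of the kubectl commands named above;
    # with no arguments the constructed sample is audited instead.
    if len(argv) == 3:
        ns_json = Path(argv[1]).read_text()
        pods_json = Path(argv[2]).read_text()
    else:
        ns_json, pods_json = SAMPLE_NAMESPACES, SAMPLE_PODS
    for r in audit_injection(ns_json, pods_json):
        state = "OK      " if r["consistent"] else "MISMATCH"
        print(f"{state} {r['namespace']}/{r['pod']}: label expects sidecar="
              f"{r['expected_sidecar']}, pod has sidecar={r['has_sidecar']}")
    stale = pods_needing_restart(ns_json, pods_json)
    for ns, pod in stale:
        # Printed, not executed: review the list before deleting anything
        print(f"kubectl delete pod {pod} -n {ns}")
    return 1 if stale else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script only reads the two JSON files and prints the kubectl delete commands it would take to reconcile the cluster; a non-zero exit status makes it usable as a check after Step 2 or after removing a label, so that a namespace whose policy changed cannot silently keep running pods in the old state.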

Option B: ACK console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage, then choose Workloads > Pods in the left-side navigation pane.

  3. On the Pods page, set Namespace to default and click the pod name of the NGINX application. On the Container tab, opa-istio is displayed, which confirms the OPA sidecar proxy is injected.

    OPA sidecar proxy injected into the NGINX application

  4. Set Namespace to develop and click the pod name of the sleep application. On the Container tab, opa-istio is not displayed, which confirms no OPA sidecar proxy is injected.

    No OPA sidecar proxy in the sleep application

Disable injection for a namespace

To stop injecting OPA sidecar proxies into a namespace, remove the label and restart the pods:

kubectl label namespace default opa-istio-injection-
kubectl delete pod -l app=nginx -n default

After the pods restart, verify that the READY column shows 1/1, confirming the OPA sidecar proxy is no longer injected.