Deploying mesh proxy by using native sidecar - Alibaba Cloud Service Mesh

To deploy a mesh proxy for applications in a cluster using the native sidecar approach in Service Mesh (ASM), you can leverage both the sidecar and sidecarless modes. This allows you to manage underlying network functions, such as load balancing, service discovery, traffic control, enhanced security, and traffic observability. In the sidecar mode, a mesh proxy container and an application container can be deployed in the same pod. In this case, the two containers share a network namespace, and the mesh proxy can transparently intercept and process inbound and outbound traffic for the application container. This topic describes how to deploy a mesh proxy using native sidecar mode in ASM.

Traditional sidecar vs. Native sidecar

Comparison item	Traditional sidecar	Native sidecar
Supported K8s version	Version 1.2 to 1.28.	Version 1.28 and later.
Supported ASM version	ASM instances of 1.22 and earlier.	When adding Kubernetes clusters (ACK, ACK Serverless, or ACS clusters) of version 1.30 and earlier to ASM instances of version 1.22 and earlier, mesh proxies are deployed by default using native sidecar mode.
Deployment mode	Both sidecar container and the main container are configured in the `containers` field.	The sidecar container is configured in the `initContainers` field and contains the `restartPolicy: Always` field.
Lifecycle	Cannot sync with the main container, requires separate management.	Syncs with the main container, no additional configuration needed.

The mesh proxy configured in the traditional sidecar mode is deployed as a normal container in the pod along with an application container, each having its own lifecycle. This may cause the following issues:

If the application container starts faster than the sidecar proxy container, the application container cannot access the Internet. To solve this issue, you can configure Sidecar Graceful Startup. This issue persists if the sidecar proxy container starts slowly. For more information, see Sidecar Graceful Startup.
If the sidecar proxy container shuts down before the application container, the application container cannot access the Internet. To solve this issue, you can configure Sidecar Graceful Shutdown. In this case, the pod termination time may be extended. For more information, see Sidecar Graceful Shutdown.
If you use a Job to create an application container and the container exits immediately after a job stops running, the sidecar proxy container still runs as normal to ensure that the pod keeps running in the environment.
The initContainers running before the sidecar proxy container cannot access the Internet. In this case, you can provide a port on which outbound traffic is not redirected to sidecar proxies. For more information, see Addresses to which external access is not redirected to sidecar proxy.

How can I confirm whether a mesh proxy is deployed using native sidecar mode?

If a istio-proxy container is included in the initContainers field of a pod and the restartPolicy: Always field is included in the container configurations, the mesh proxy is deployed using the native sidecar mode. For example:

apiVersion: v1
kind: Pod
metadata:
  name: sleep-xxxxxxxx-xxxxx
  namespace: default
spec:
  containers:
...
      image: 'registry.cn-hangzhou.aliyuncs.com/acs/curl:8.1.2'
      imagePullPolicy: IfNotPresent
      name: sleep
...
  initContainers:
...  
      image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun
      imagePullPolicy: IfNotPresent
      name: istio-proxy
      ports:
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
      restartPolicy: Always  # The presence of this field indicates taht mesh proxies are deployed using native sidecar mode
...

In native sidecar mode, the configurations for all sidecar proxies that are related to sidecar proxy lifecycle are invalid. These configurations are not required for native sidecar proxies. For more information, see Configure sidecar proxies.

How can I switch from native sidecar mode to traditional sidecar mode?

The MutatingWebhook components deployed in the cluster that are configured on Kubernetes of version 8 or eralier can modify the pod definition, for example, kubesphere's logsidecar-injector may remove the native sidecar definition, causing creation failures. To ensure compatibility, you may need to switch from native sidecar mode back to the traditional sidecar mode.

Perform the following steps:

Access an ASM instance by using kubectl. For more information, see Use kubectl on the control plane to access Istio resources.

Run the following command to add configuration for the asmmeshconfig resource.

kubectl patch asmmeshconfig default --type=merge --patch='{"spec":{"enableNativeSidecar":false}}'

Expected output:

asmmeshconfig.istio.alibabacloud.com/default patched

Restart the pod. For more information, see Redeploy workloads.

Run the following command to view the pod.

kubectl get pod sleep-xxxxxxxx-xxxxx -o yaml

Expected output:

apiVersion: v1
kind: Pod
metadata:
  name: sleep-xxxxxxxx-xxxxx
  namespace: default
spec:
  containers:
...  
      image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/proxyv2:v1.22.2.35-ge64ec8af-aliyun      
      name: istio-proxy
      ports:
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
...
      image: 'registry.cn-hangzhou.aliyuncs.com/acs/curl:8.1.2'
      imagePullPolicy: IfNotPresent
      name: sleep
...

The result shows that the sidecar proxy container istio-proxy is not included in the initContainers field, but is configured in the containers field along with the main container.