A sidecar proxy is a dedicated transparent network proxy, such as Envoy, that intercepts and handles the inbound and outbound traffic of the associated application container. It abstracts and manages underlying network features, such as load balancing, service discovery, traffic control, retry, and timeout handling. Sidecar proxies communicate with control-plane components. The control plane is responsible for centrally managing policies and rules and issuing them to sidecar proxies. Sidecar proxies adjust their routing behavior and service governance policies based on the configurations dynamically issued by the control plane. This topic describes how to install sidecar proxies.
Background information
If you install a sidecar proxy in the pod of an application, an independent container is created in the pod to provide the features of the sidecar proxy. To make full use of these features, each service in your application requires a sidecar proxy to run in the pod of the service. The sidecar proxy intercepts all inbound and outbound HTTP traffic of the service and communicates with the Pilot component on the Istio control plane of the corresponding Service Mesh (ASM) instance.
Step 1: Enable sidecar proxy injection
By default, automatic sidecar proxy injection is disabled for all namespaces. You can manually inject a sidecar proxy by updating the Kubernetes configuration of the corresponding pod. Alternatively, you can use the automatic sidecar proxy injection feature of Istio, which is based on webhooks. Run the following command to enable automatic sidecar proxy injection:
kubectl label namespace {namespace} istio-injection=enabled --overwrite
In the preceding command, the {namespace} parameter specifies the namespace of the application. If you do not specify this parameter, the namespace named default is used.
Step 2: Restart the corresponding pods
Sidecar proxies are injected when pods are created. Therefore, you must restart the pods to make sidecar proxy injection take effect.
We recommend that you rehearse the restart multiple times in a test environment first, to confirm that your service tolerates the traffic interruption caused by recreating its pods.
Run the following command to restart a specific pod:
kubectl get pod {podname} -n {namespace} -o yaml | kubectl replace --force -f -
Run the following command to check whether a sidecar proxy is injected into every pod in the namespace. After a sidecar proxy is injected into a pod, each workload is supported by a main container and a sidecar proxy container, so the READY column of the output shows 2/2 for each pod:
kubectl get pod -n {namespace}
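The following script is an added example and is not part of the ASM documentation or the product. It ties Step 1 and Step 2 together and adds the check a practitioner wants afterwards: parsing the READY column of the pod listing to report any pod that still runs without a sidecar container. The function names, the SAMPLE_POD_LIST listing, and the SIDECAR_MIN_CONTAINERS threshold are our own assumptions; the kubectl commands are the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the ASM documentation: enable injection for a
# namespace, recreate its pods, and verify from `kubectl get pod` output that
# every pod now runs a sidecar. Function names and sample data are ours.

# Minimum READY denominator once a sidecar is present: the main container
# plus istio-proxy. Pods with more containers show a larger denominator and
# still pass; only pods below this value are reported.
SIDECAR_MIN_CONTAINERS=2

# Step 1: enable automatic injection for the namespace (command from the page).
enable_injection() {
  kubectl label namespace "$1" istio-injection=enabled --overwrite
}

# Step 2: recreate every pod so the injection webhook runs for each of them.
restart_pods() {
  ns="$1"
  for pod in $(kubectl get pod -n "$ns" -o jsonpath='{.items[*].metadata.name}'); do
    kubectl get pod "$pod" -n "$ns" -o yaml | kubectl replace --force -f -
  done
}

# Verification: reads `kubectl get pod -n <ns>` output on stdin and prints
# the name of each pod whose READY denominator is below
# SIDECAR_MIN_CONTAINERS, one per line. Prints nothing when all pods pass.
pods_missing_sidecar() {
  awk -v want="$SIDECAR_MIN_CONTAINERS" '
    NR == 1 { next }                        # skip the header row
    {
      split($2, ready, "/")                 # READY looks like 2/2
      if (ready[2] + 0 < want) print $1
    }'
}

# Succeeds (exit 0) only if no pod in the listing on stdin lacks a sidecar.
all_pods_have_sidecar() {
  [ -z "$(pods_missing_sidecar)" ]
}

# Constructed sample listing in the shape `kubectl get pod -n <ns>` prints,
# so the check can be exercised without a cluster. The details-v1 pod was
# created before injection was enabled and therefore has no sidecar.
SAMPLE_POD_LIST='NAME                              READY   STATUS    RESTARTS   AGE
productpage-v1-6b7c5d9f8-abcde   2/2     Running   0          5m
details-v1-5f4c8b7d6-fghij       1/1     Running   0          5m
ratings-v1-7d8e9f0a1-klmno       2/2     Running   0          5m'

# Run the end-to-end procedure against a real cluster only when invoked as:
#   sh install-sidecars.sh run <namespace>
case "${1:-}" in
  run)
    ns="${2:-default}"
    enable_injection "$ns"
    restart_pods "$ns"
    if kubectl get pod -n "$ns" | all_pods_have_sidecar; then
      echo "every pod in $ns has a sidecar"
    else
      echo "pods without a sidecar in $ns:"
      kubectl get pod -n "$ns" | pods_missing_sidecar
      exit 1
    fi
    ;;
esac
```

The check only looks at the READY denominator, so a pod that is still starting (1/2) passes the "sidecar present" test while the STATUS column tells you whether it is healthy; treat the two columns separately. For pods owned by a Deployment, `kubectl rollout restart deployment/<name> -n <ns>` is an alternative to recreating pods one by one and lets the controller pace the replacement.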
References
You can inject sidecar proxies into a namespace in the ASM console. For more information, see Manage global namespaces.
ASM provides a sidecar injector that can automatically inject sidecar proxies into new pods. You can configure policies for the sidecar injector to meet specific requirements and use labels to select pods into which sidecar proxies need to be injected. This allows you to use resources more efficiently and simplify management. Based on the size and load of a cluster, you can also adjust the resource configuration of the sidecar injector to ensure that sufficient resources are provided to run the sidecar injector. For more information, see Configure sidecar proxy injection policies.
You can use the ASM console to flexibly configure parameters such as those related to the resources, lifecycle, traffic interception mode, and observability for sidecar proxies based on your business requirements. For more information, see Configure sidecar proxies.
You can use annotations to modify the resources and configurations of a sidecar proxy. For example, you can modify the termination drain duration and the start sequence of the istio-proxy container. For more information, see Configure a sidecar proxy by adding resource annotations.
In scenarios where traffic is not required to pass through sidecar proxies, you can configure settings by using different methods to allow traffic to bypass sidecar proxies. For more information, see Configure settings to allow traffic to bypass sidecar proxies.