Deeper into sidecar injection
The following exercise explores sidecar injection.
- Start with a pod yaml:

  ```shell
  kubectl run mywebserver --image nginx \
    --dry-run=client -oyaml > nginx-pod.yaml
  ```
- Generate the full sidecar-injected manifest:

  ```shell
  istioctl kube-inject -f ./nginx-pod.yaml > injected.yaml
  ```
- Review the `injected.yaml` init-container `args` field:

  ```
  istio-iptables -p "15001" -z "15006" -u "1337" -m REDIRECT -i '*' -x "" -b '*' -d 15090,15021,15020
  ```
- Pull the container image and inspect it:

  ```shell
  docker pull docker.io/istio/proxyv2:{{istio.version}}
  docker inspect istio/proxyv2:{{istio.version}} | grep Entrypoint -A 1
  ```

  ```
  "Entrypoint": [
      "/usr/local/bin/pilot-agent"
  ```

  We learn that `istio-iptables` is a `pilot-agent` subcommand.

- Create a separate namespace that is not labeled for automatic injection.

  ```shell
  kubectl create ns myns
  ```
- Apply the injected yaml.

  ```shell
  kubectl apply -f injected.yaml -n myns
  ```
- Study the `pilot-agent istio-iptables` command's flag descriptions:

  ```shell
  kubectl exec mywebserver -n myns \
    -c istio-proxy -it \
    -- pilot-agent istio-iptables --help
  ```
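
The `args` line reviewed above decides which traffic the init container redirects into the proxy. The Python sketch below is an added example, not part of the original exercise or of Istio: it parses that line, covering only the eight short flags shown on this page, and lists any traffic that would bypass the sidecar. The function names and the second sample line are constructed for illustration.

```python
import shlex

# Short flags as listed by `pilot-agent istio-iptables --help`.
FLAGS = {"-p": "outbound_capture_port", "-z": "inbound_capture_port",
         "-u": "proxy_uid", "-m": "inbound_mode",
         "-i": "outbound_include_cidrs", "-x": "outbound_exclude_cidrs",
         "-b": "inbound_include_ports", "-d": "inbound_exclude_ports"}

# The sidecar's own telemetry and health ports; excluding them is the default.
PROXY_OWN_PORTS = {"15090", "15021", "15020"}

def parse_iptables_args(line):
    """Turn the init container's args into a dict keyed by flag meaning."""
    tokens = shlex.split(line)
    if tokens and tokens[0] == "istio-iptables":
        tokens = tokens[1:]
    if len(tokens) % 2:
        raise ValueError("expected flag/value pairs")
    cfg = {}
    for flag, value in zip(tokens[::2], tokens[1::2]):
        if flag not in FLAGS:
            raise ValueError(f"flag not covered by this example: {flag}")
        cfg[FLAGS[flag]] = value
    return cfg

def bypass_findings(cfg):
    """List traffic that would NOT be redirected through the proxy."""
    findings = []
    if cfg.get("outbound_include_cidrs", "") != "*":
        findings.append("outbound capture limited to: " + cfg.get("outbound_include_cidrs", ""))
    if cfg.get("outbound_exclude_cidrs"):
        findings.append("outbound CIDRs excluded: " + cfg["outbound_exclude_cidrs"])
    if cfg.get("inbound_include_ports", "") != "*":
        findings.append("inbound capture limited to: " + cfg.get("inbound_include_ports", ""))
    excluded = {p for p in cfg.get("inbound_exclude_ports", "").split(",") if p}
    extra = sorted(excluded - PROXY_OWN_PORTS)
    if extra:
        findings.append("inbound ports excluded: " + ",".join(extra))
    return findings

# The args line exactly as it appears in injected.yaml on this page.
PAGE_ARGS = """istio-iptables -p "15001" -z "15006" -u "1337" -m REDIRECT -i '*' -x "" -b '*' -d 15090,15021,15020"""
# Constructed sample: same args with an egress range and an app port carved out.
WIDENED = PAGE_ARGS.replace('-x ""', '-x "10.0.0.0/8"') + ",8080"

if __name__ == "__main__":
    for name, line in (("page", PAGE_ARGS), ("constructed", WIDENED)):
        print(name, bypass_findings(parse_iptables_args(line)) or "no bypass")
```

The `-u` value is the UID whose traffic is exempt from redirection, so a workload container running under that UID is not captured either.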