Skip to content

Deeper into sidecar injection📜

The following exercise explores sidecar injection.

  1. Start with a pod yaml:

    kubectl run mywebserver --image nginx \
  --dry-run=client -oyaml > nginx-pod.yaml

  2. Generate the full sidecar-injected manifest:

    istioctl kube-inject -f ./nginx-pod.yaml > injected.yaml

  3. Review the injected.yaml init-container args field:

    istio-iptables
    -p "15001"
    -z "15006"
    -u "1337"
    -m REDIRECT
    -i '*'
    -x ""
    -b '*'
    -d 15090,15021,15020

  4. Pull the container image and inspect it:

    docker pull docker.io/istio/proxyv2:{{istio.version}}
docker inspect istio/proxyv2:{{istio.version}} | grep Entrypoint -A 1

    "Entrypoint": [
    "/usr/local/bin/pilot-agent"

    We learn that istio-iptables is a pilot-agent subcommand.

  5. Create a separate namespace that is not labeled for automatic injection.

    kubectl create ns myns

  6. Apply the injected yaml.

    kubectl apply -f injected.yaml -n myns

  7. Study the pilot-agent istio-iptables command’s flag descriptions:

    kubectl exec mywebserver -n myns \
  -c istio-proxy -it \
  -- pilot-agent istio-iptables --help