Skip to content

Deeper into sidecar injection📜

The following exercise explores sidecar injection.

  1. Start with a pod yaml:

    kubectl run mywebserver --image nginx \
      --dry-run=client -oyaml > nginx-pod.yaml
  2. Generate the full sidecar-injected manifest:

    istioctl kube-inject -f ./nginx-pod.yaml > injected.yaml
  3. Review the injected.yaml init-container args field:

        -p "15001"
        -z "15006"
        -u "1337"
        -m REDIRECT
        -i '*'
        -x ""
        -b '*'
        -d 15090,15021,15020
  4. Pull the container image and inspect it:

    docker pull{{istio.version}}
    docker inspect istio/proxyv2:{{istio.version}} | grep Entrypoint -A 1
    "Entrypoint": [

    We learn that istio-iptables is a pilot-agent subcommand.

  5. Create a separate namespace that is not labeled for automatic injection.

    kubectl create ns myns
  6. Apply the injected yaml.

    kubectl apply -f injected.yaml -n myns
  7. Study the pilot-agent istio-iptables command’s flag descriptions:

    kubectl exec mywebserver -n myns \
      -c istio-proxy -it \
      -- pilot-agent istio-iptables --help