istio side car is not created

Question

we have istio installed without the side car enabled gloablly , and I want to enable it to specific service in a new namespace

I’ve added to my deployment the following:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: gow
  labels:
    app: gowspec:
  replicas: 2
  template:
    metadata:
      labels:
        app: gow
        tier: service
      annotations:
        sidecar.istio.io/inject: "true"

while running

get namespace -L istio-injection I don’t see anything enabled , everything is empty…

How can I verify that the side car is created ? I dont see anything new ...

Answer 1

You can use istioctl kube-inject to make that

kubectl create namespace asdd
istioctl kube-inject -f nginx.yaml | kubectl apply -f - 

---

nginx.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: asdd
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "True"
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80

Result:

nginx-deployment-55b6fb474b-77788   2/2     Running   0          5m36s
nginx-deployment-55b6fb474b-jrkqk   2/2     Running   0          5m36s

Let me know if You have any more questions.

Answer 2

You can describe your pod to see list of containers and one of those should be sidecar container. Look for something called istio-proxy.

kubectl describe pod pod name

It should look something like below

$ kubectl describe pod demo-red-pod-8b5df99cc-pgnl7
SNIPPET from the output:

Name:               demo-red-pod-8b5df99cc-pgnl7
Namespace:          default
.....
Labels:             app=demo-red
                    pod-template-hash=8b5df99cc
                    version=version-red
Annotations:        sidecar.istio.io/status={"version":"3c0b8d11844e85232bc77ad85365487638ee3134c91edda28def191c086dc23e","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs...
Status:             Running
IP:                 10.32.0.6
Controlled By:      ReplicaSet/demo-red-pod-8b5df99cc
Init Containers:
  istio-init:
    Container ID:  docker://bef731eae1eb3b6c9d926cacb497bb39a7d9796db49cd14a63014fc1a177d95b
    Image:         docker.io/istio/proxy_init:1.0.2
    Image ID:      docker-pullable://docker.io/istio/proxy_init@sha256:e16a0746f46cd45a9f63c27b9e09daff5432e33a2d80c8cc0956d7d63e2f9185
    .....
    State:          Terminated
      Reason:       Completed
    .....
    Ready:          True
Containers:
  demo-red:
    Container ID:   docker://8cd9957955ff7e534376eb6f28b56462099af6dfb8b9bc37aaf06e516175495e
    Image:          chugtum/blue-green-image:v3
    Image ID:       docker-pullable://docker.io/chugtum/blue-green-image@sha256:274756dbc215a6b2bd089c10de24fcece296f4c940067ac1a9b4aea67cf815db
    State:          Running
      Started:      Sun, 09 Dec 2018 18:12:31 -0800
    Ready:          True
  istio-proxy:
    Container ID:  docker://ca5d690be8cd6557419cc19ec4e76163c14aed2336eaad7ebf17dd46ca188b4a
    Image:         docker.io/istio/proxyv2:1.0.2
    Image ID:      docker-pullable://docker.io/istio/proxyv2@sha256:54e206530ba6ca9b3820254454e01b7592e9f986d27a5640b6c03704b3b68332
    Args:
      proxy
      sidecar
      .....
    State:          Running
      Started:      Sun, 09 Dec 2018 18:12:31 -0800
    Ready:          True
    .....

You need to have the admission webhook for automatic sidecar injection.

kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml | grep "namespaceSelector:" -A5

There may be many reasons for sidecar injection failures as described here

Here is a table which shows final injection status based on different scenarios.

Based on above table its mandatory to label the namespace with a label istio-injection=enabled

kubectl label namespace default istio-injection=enabled --overwrite