banzaicloud / istio-operator

An operator that manages Istio deployments on Kubernetes
Apache License 2.0
535 stars 94 forks

the workload is not injected with sidecar, is that the namespace with istio-injection=enabled label, the workload will be injected #843

Closed 13567436138 closed 2 years ago

13567436138 commented 2 years ago

Describe the bug: the workload is not injected with sidecar, is that the namespace with istio-injection=enabled label, the workload will be injected

Steps to reproduce the issue: I installed istio-operator and istio, everything seems OK, but the workload was not injected with sidecar

Expected behavior: the workload injected sidecar


Laci21 commented 2 years ago

Hi,

The istio.io/rev=<YOUR_ICP_NAME>.istio-system label should be used on the namespace and not istio-injection=enabled.

dshmatov commented 2 years ago

Hey @Laci21, got the same result when using the pod annotations for the granular sidecar injection. I've annotated pod with combinations of istio.io/rev: "istio-base.istio-system" and sidecar.istio.io/inject: "true" but didn't get success. Have this webhook created:

webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    service:
      name: istiod-istio-base
      namespace: istio-system
      path: /inject
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: rev.namespace.sidecar-injector.istio.io
  namespaceSelector:
    matchExpressions:
    - key: istio.io/rev
      operator: In
      values:
      - istio-base.istio-system
    - key: istio-injection
      operator: DoesNotExist
  objectSelector:
    matchExpressions:
    - key: sidecar.istio.io/inject
      operator: NotIn
      values:
      - "false"
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    service:
      name: istiod-istio-base
      namespace: istio-system
      path: /inject
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: rev.object.sidecar-injector.istio.io
  namespaceSelector:
    matchExpressions:
    - key: istio.io/rev
      operator: DoesNotExist
    - key: istio-injection
      operator: DoesNotExist
  objectSelector:
    matchExpressions:
    - key: sidecar.istio.io/inject
      operator: NotIn
      values:
      - "false"
    - key: istio.io/rev
      operator: In
      values:
      - istio-base.istio-system
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
Laci21 commented 2 years ago

@dshmatov istio.io/rev: "istio-base.istio-system" should be a label, not an annotation. Do you still have this issue?

Laci21 commented 2 years ago

Please reopen, if you still think there is an issue here.
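
The selector behaviour discussed in this thread, as an added example that is not part of the issue or of istio-operator's code: it evaluates the two webhooks' `namespaceSelector` and `objectSelector` from the configuration posted above against constructed namespace and pod labels. It models only whether the API server would call the webhook; the injector's own decision is out of scope, and the function names are hypothetical.

```python
# Added example: selector matching for the two webhooks posted in the thread.
# Label sets passed in are constructed; this is not Kubernetes or Istio code.
REV = "istio-base.istio-system"
NOT_DISABLED = {"key": "sidecar.istio.io/inject", "operator": "NotIn", "values": ["false"]}

# Selectors copied from the MutatingWebhookConfiguration in the thread.
WEBHOOKS = {
    "rev.namespace.sidecar-injector.istio.io": {
        "namespaceSelector": [
            {"key": "istio.io/rev", "operator": "In", "values": [REV]},
            {"key": "istio-injection", "operator": "DoesNotExist"},
        ],
        "objectSelector": [NOT_DISABLED],
    },
    "rev.object.sidecar-injector.istio.io": {
        "namespaceSelector": [
            {"key": "istio.io/rev", "operator": "DoesNotExist"},
            {"key": "istio-injection", "operator": "DoesNotExist"},
        ],
        "objectSelector": [
            NOT_DISABLED,
            {"key": "istio.io/rev", "operator": "In", "values": [REV]},
        ],
    },
}

def expr_matches(expr, labels):
    """Kubernetes label-selector semantics for one matchExpressions entry."""
    key, op = expr["key"], expr["operator"]
    if op == "In":
        return key in labels and labels[key] in expr["values"]
    if op == "NotIn":  # also matches when the key is absent
        return labels.get(key) not in expr["values"]
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op}")

def matching_webhooks(ns_labels, pod_labels):
    """Names of webhooks whose selectors all match (expressions are ANDed).
    Only metadata.labels are passed in: selectors never see annotations."""
    return [
        name for name, wh in WEBHOOKS.items()
        if all(expr_matches(e, ns_labels) for e in wh["namespaceSelector"])
        and all(expr_matches(e, pod_labels) for e in wh["objectSelector"])
    ]
```

A pod that carries `istio.io/rev` only as an annotation has an empty label set as far as these selectors are concerned, so call `matching_webhooks({}, {})` to model that case.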