Sidecar injection
In order to take advantage of all of Istio's features, pods in the service mesh must be running an Istio sidecar proxy.
TOC
About sidecar injection
Sidecar proxy injection is primarily controlled through labels applied at either the namespace or pod level.
When enabled in namespace, automatic injection injects the proxy configuration at pod creation time using an admission controller, ensures any new pods in that namespace include a sidecar.
The revision label is also used to dictates which Istio control plane instance the sidecar will associate with.
Note that unlike manual injection, automatic injection occurs at the pod-level. You won't see any change to the deployment itself.
Instead, you'll want to check individual pods (via kubectl describe) to see the injected proxy.
Identifying the revision name
The label required to enable sidecar injection is determined by the specific control plane instance, known as a revision.
Each revision is managed by corresponding IstioRevision resource, which is automatically managed by the Istio resource.
The naming convention for an IstioRevision is based on the spec.updateStrategy.type setting in the Istio resource:
InPlace: The revision shares the same name as the parentIstioresource.RevisionBased: The revision is named using the format<istio-resource-name>-v<version>.
Typically, each Istio resource corresponds to a single IstioRevision.
However, during a revision-based upgrade, multiple IstioRevision resources may exist, each representing a distinct control plane.
To list available revisions, use the following command:
For example output:
Enabling sidecar injection with default revision
When the name of IstioRevision is default, you can use the following labels on a namespace or a pod to enable sidecar injection:
| Resource | Enabled label | Disalbed label |
|---|---|---|
| Namespace | istio-injection=enabled | istio-injection=disabled |
| Pod | sidecar.istio.io/inject=true | sidecar.istio.io/inject=false |
You can also enable injection by applying the istio.io/rev: default label to the namespace or pod.
Enabling sidecar injection with other revisions
When then name of IstioRevision is not default, you'll need to use the specific IstioRevision name with the istio.io/rev label.
This links the pod to the desired control plane and enables sidecar injection.
For instance, using the example revision default-v1-26-3 from above, the following labels would enable sidecar injection:
| Resource | Enabled label | Disabled label |
|---|---|---|
| Namespace | istio.io/rev=default-v1-26-3 | istio-injection=disabled |
| Pod | istio.io/rev=default-v1-26-3 | sidecar.istio.io/inject=false |
When both istio-injection and istio.io/rev labels are applied, the istio-injection label takes precedence and treats the namespace as part of the default revision.
The injector is configured with the following logic:
- If either label (
istio-injectionorsidecar.istio.io/inject) is disabled, the pod is not injected. - If either label (
istio-injectionorsidecar.istio.io/injectoristio.io/rev) is enabled, the pod is injected.