我的书签
添加书签
移除书签Sidecar Injection Problems
Ensure your pod is not in the
kube-systemorkube-publicnamespace. Automatic sidecar injection will be ignored for pods in these namespaces.Ensure your pod does not have
hostNetwork: truein its pod spec. Automatic sidecar injection will be ignored for pods that are on the host network.The sidecar model assumes that the iptables changes required for Envoy to intercept traffic are within the pod. For pods on the host network this assumption is violated, and this can lead to routing failures at the host level.
Check the webhook’s
namespaceSelectorto determine whether the webhook is scoped to opt-in or opt-out for the target namespace.The
namespaceSelectorfor opt-in will look like the following:The injection webhook will be invoked for pods created in namespaces with the
istio-injection=enabledlabel.$ kubectl get namespace -L istio-injectionNAME STATUS AGE ISTIO-INJECTIONdefault Active 18d enabledistio-system Active 3dkube-public Active 18dkube-system Active 18d
The
namespaceSelectorfor opt-out will look like the following:$ kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml | grep "namespaceSelector:" -A5namespaceSelector:matchExpressions:- key: istio-injectionoperator: NotInvalues:rules:- apiGroups:- ""
The injection webhook will be invoked for pods created in namespaces without the
istio-injection=disabledlabel.$ kubectl get namespace -L istio-injectionNAME STATUS AGE ISTIO-INJECTIONdefault Active 18distio-system Active 3d disabledkube-public Active 18d disabled
Verify the application pod’s namespace is labeled properly and (re) label accordingly, e.g.
$ kubectl label namespace istio-system istio-injection=disabled --overwrite
Check default policy
Check the default injection policy in the
istio-sidecar-injector configmap.$ kubectl -n istio-system get configmap istio-sidecar-injector -o jsonpath='{.data.config}' | grep policy:policy: enabled
Allowed policy values are
disabledandenabled. The default policy only applies if the webhook’snamespaceSelectormatches the target namespace. Unrecognized policy causes injection to be disabled completely.Check the per-pod override annotation
The default policy can be overridden with the
sidecar.istio.io/injectannotation in the pod template spec’s metadata. The deployment’s metadata is ignored. Annotation value oftrueforces the sidecar to be injected while a value offalseforces the sidecar to not be injected.The following annotation overrides whatever the default
policywas to force the sidecar to be injected:$ kubectl get deployment sleep -o yaml | grep "sidecar.istio.io/inject:" -C3template:metadata:annotations:sidecar.istio.io/inject: "true"labels:app: sleep
Run kubectl describe -n namespace deployment name on the failing pod’s deployment. Failure to invoke the injection webhook will typically be captured in the event log.
Warning FailedCreate 3m (x17 over 8m) replicaset-controller Error creating: Internal error occurred: \x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying \to verify candidate authority certificate "Kubernetes.cluster.local")
x509: certificate signed by unknown authority errors are typically caused by an empty caBundle in the webhook configuration.
Verify the caBundle in the mutatingwebhookconfiguration matches the root certificate mounted in the istiod pod.
$ kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | md5sum4b95d2ba22ce8971c7c92084da31faf0 -4b95d2ba22ce8971c7c92084da31faf0 -
no such hosts or no endpoints available errors in deployment status
Injection is fail-close. If the istio-sidecar-injector pod is not ready, pods cannot be created. In such cases you’ll see an error about no endpoints available.
Internal error occurred: failed calling admission webhook "istio-sidecar-injector.istio.io": \Post https://istio-sidecar-injector.istio-system.svc:443/admitPilot?timeout=30s: \no endpoints available for service "istio-sidecar-injector"
$ kubectl -n istio-system get pod -listio=sidecar-injectorNAME READY STATUS RESTARTS AGEistio-sidecar-injector-5dbbbdb746-d676g 1/1 Running 0 2d
$ kubectl -n istio-system get endpoints istio-sidecar-injectorNAME ENDPOINTS AGEistio-sidecar-injector 10.48.6.108:15014,10.48.6.108:443 3d
If the pods or endpoints aren’t ready, check the pod logs and status for any indication about why the webhook pod is failing to start and serve traffic.
$ for pod in $(kubectl -n istio-system get pod -listio=sidecar-injector -o jsonpath='{.items[*].metadata.name}'); do \kubectl -n istio-system logs ${pod} \done$ for pod in $(kubectl -n istio-system get pod -listio=sidecar-injector -o name); do \kubectl -n istio-system describe ${pod} \done
When the Kubernetes API server includes proxy settings such as:
With these settings, Sidecar injection fails. The only related failure log can be found in kube-apiserver log:
Make sure both pod and service CIDRs are not proxied according to *_proxy variables. Check the kube-apiserver files and logs to verify the configuration and whether any requests are being proxied.
One workaround is to remove the proxy settings from the kube-apiserver manifest, another workaround is to include istio-sidecar-injector.istio-system.svc or .svc in the no_proxy value. Make sure that kube-apiserver is restarted after each workaround.
An was filed with Kubernetes related to this and has since been closed. https://github.com/kubernetes/kubernetes/pull/58698#discussion_r163879443
Tcpdump doesn’t work in the sidecar pod - the container doesn’t run as root. However any other container in the same pod will see all the packets, since the network namespace is shared. will also see the pod-wide configuration.
Communication between Envoy and the app happens on 127.0.0.1, and is not encrypted.
