Istio makes full use of the Kubernetes webhook mechanism to implement automatic injection of the Envoy proxy sidecar.
First, create the sidecar injection configuration item istio-sidecar-injector, as shown below:
kubectl describe configmap istio-sidecar-injector -n istio-system
Name:         istio-sidecar-injector
Namespace:    istio-system
Labels:       app=ack-istio
              chart=ack-istio-1.0.0
              heritage=Tiller
              istio=sidecar-injector
              release=myistio
Annotations:  <none>

Data
====
config:
----
policy: enabled
template: |-
  initContainers:
  - name: istio-init
    image: "registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/proxy_init:1.0.0"
    args:
    ......
    imagePullPolicy: IfNotPresent
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
      privileged: true
    restartPolicy: Always
  containers:
  - name: istio-proxy
    image: [[ if (isset .ObjectMeta.Annotations "sidecar.istio.io/proxyImage") -]]
    ......
As you can see, this ConfigMap stores the default injection policy (policy) and the sidecar injection template (template).
The policy parameter takes the following values:
· disabled: by default the sidecar injector does not inject into pods. Setting the annotation sidecar.istio.io/inject to true in the pod template definition enables injection.
· enabled: by default the sidecar injector injects into pods. Setting the annotation sidecar.istio.io/inject to false in the pod template definition disables injection.
Deploy the webhook for sidecar injection, as shown below:
mutatingwebhook.yaml:
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    app: istio-sidecar-injector
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
webhooks:
  - name: sidecar-injector.istio.io
    clientConfig:
      service:
        name: istio-sidecar-injector
        namespace: {{ .Release.Namespace }}
        path: "/inject"
      caBundle: ""
    rules:
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: Fail
    namespaceSelector:
      {{- if .Values.enableNamespacesByDefault }}
      matchExpressions:
      - key: istio-injection
        operator: NotIn
        values:
        - disabled
      {{- else }}
      matchLabels:
        istio-injection: enabled
      {{- end }}
Note that when enableNamespacesByDefault is set to true, whether automatic sidecar injection is enabled by default is decided by the namespace selector's match rule, i.e. the istio-injection label is not disabled; conversely, when enableNamespacesByDefault is set to false, automatic sidecar injection is enabled only for namespaces that carry the istio-injection label with the value enabled.
You can view the deployed istio-sidecar-injector container, as shown in Figure 3-9; the YAML definition of its Deployment is as follows:
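As an added example (not code from the book or from Istio itself), the following Python models the decision chain described above: the namespaceSelector deciding whether the API server calls the webhook at all, the ConfigMap policy combined with the sidecar.istio.io/inject annotation, and the JSON Patch a mutating webhook returns to add the template's containers. The template dictionary and image names are constructed placeholders, not the real chart values.

```python
# Constructed stand-in for the ConfigMap template; image names are placeholders.
INJECT_TEMPLATE = {
    "initContainers": [{
        "name": "istio-init",
        "image": "PLACEHOLDER/proxy_init:1.0.0",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]},
                            "privileged": True},
    }],
    "containers": [{"name": "istio-proxy", "image": "PLACEHOLDER/proxyv2:1.0.0"}],
}

def namespace_selected(ns_labels, enable_namespaces_by_default):
    """Mirror the chart's namespaceSelector: with enableNamespacesByDefault the
    API server calls the webhook unless istio-injection=disabled; otherwise
    only when istio-injection=enabled. False means the webhook never runs."""
    label = ns_labels.get("istio-injection")
    if enable_namespaces_by_default:
        return label != "disabled"
    return label == "enabled"

def injection_required(policy, pod_annotations):
    """Mirror the ConfigMap policy plus the per-pod annotation override."""
    override = pod_annotations.get("sidecar.istio.io/inject", "").lower()
    if policy == "enabled":
        return override != "false"
    if policy == "disabled":
        return override == "true"
    raise ValueError(f"unknown injection policy {policy!r}")

def should_inject(ns_labels, enable_namespaces_by_default, policy, pod):
    """Combined decision for one pod CREATE request."""
    if not namespace_selected(ns_labels, enable_namespaces_by_default):
        return False
    annotations = pod.get("metadata", {}).get("annotations", {})
    return injection_required(policy, annotations)

def build_patch(pod):
    """RFC 6902 JSON Patch adding the template's containers; idempotent."""
    spec = pod["spec"]
    if any(c.get("name") == "istio-proxy" for c in spec.get("containers", [])):
        return []  # already injected, do not add a second proxy
    patch = []
    if "initContainers" not in spec:
        patch.append({"op": "add", "path": "/spec/initContainers", "value": []})
    for c in INJECT_TEMPLATE["initContainers"]:
        patch.append({"op": "add", "path": "/spec/initContainers/-", "value": c})
    for c in INJECT_TEMPLATE["containers"]:
        patch.append({"op": "add", "path": "/spec/containers/-", "value": c})
    return patch
```

When namespace_selected returns False the API server never calls the webhook; when it returns True, the failurePolicy: Fail in the configuration above means pod creation is rejected, rather than silently left unpatched, if the injector is unreachable.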
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "sidecar-injector.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    istio: sidecar-injector
spec:
  replicas: {{ .Values.replicaCount }}
  template:
    metadata:
      labels:
        istio: sidecar-injector
    spec:
      serviceAccountName: istio-sidecar-injector-service-account
      containers:
        - name: sidecar-injector-webhook
          image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
          args:
            - --caCertFile=/etc/istio/certs/root-cert.pem
            - --tlsCertFile=/etc/istio/certs/cert-chain.pem
            - --tlsKeyFile=/etc/istio/certs/key.pem
            - --injectConfig=/etc/istio/inject/config
            - --meshConfig=/etc/istio/config/mesh
            - --healthCheckInterval=2s
            - --healthCheckFile=/health

Figure 3-9 Enabling the sidecar injection service