All Pods Have Sidecars Injected

Description

An istio-proxy container must exist in all pods of a Service. Otherwise, this item is abnormal.

Rectification Guide

1. Log in to the ASM console and click the name of the service mesh that the Service is added to. Choose Mesh Configuration in the navigation pane, click the Sidecar Management tab, and check whether a sidecar is injected into the namespace that the Service belongs to.

   • If the sidecar is not injected into the namespace, go to 2.

   • If the sidecar has been injected into the namespace, go to 3.

     Check method:

     On the CCE console, click the cluster name to access the cluster console. In the navigation pane, choose Namespaces. On the displayed page, locate your namespace and click Edit YAML in the Operation column. If there is the istio.io/rev=<revision> or istio-injection=enabled label, the sidecar has been injected.

     Note

     • There must the istio-injection=enabled label for Istio 1.13.9-r3 and earlier versions, as well as Istio 1.15.5-r2 and earlier versions. Note that the version numbers are combined by hyphens (-).

     • There must be the istio.io/rev=<revision> label for Istio later than 1.13.9-r3, Istio later than 1.15.5-r2, and all Istio 1.18 versions. Note that the version numbers are combined by hyphens (-).

       

2. Inject a sidecar into a workload or inject sidecars into the pods of all workloads in the namespace. For details, see Injecting a Sidecar.

   Injection methods:

   • To inject sidecars into the pods of all workloads in the namespace, run the following command to add a label to the namespace (the label varies depending on the Istio version):

     kubectl label ns <namespace> istio-injection=enabled
     

     Or

     kubectl label ns <namespace> istio.io/rev=<revision>
     

     Note

     The system adds labels for namespaces based on Istio versions.

     • istio-injection=enabled can be used in Istio 1.13.9-r3 and earlier versions, as well as Istio 1.15.5-r2 and earlier versions.

     • istio.io/rev=<revision> can be used in Istio later than 1.13.9-r3, Istio later than 1.15.5-r2, and all Istio 1.18 versions.

   • Injecting a sidecar into a workload

     On the CCE console, locate the target workload, choose More > Edit YAML in the Operation column, and manually add the annotations field.

     annotations:
       sidecar.istio.io/inject: 'true'
     

     

   For more details about sidecar injection, see Installing the Sidecar.

3. If namespace injection is enabled for the cluster but no sidecar is injected into the pod, you need to manually restart the pod on the CCE console as follows:

   On the CCE console, choose More > Redeploy in the Operation column of the target workload.

4. Check whether the host network mode is configured for the workload as follows:

   On the CCE console, choose More > Edit YAML in the Operation column of the target workload, and check whether spec.template.spec.hostNetwork: true is configured. If yes, check whether this field can be deleted or set to false. Otherwise, sidecars cannot be injected.

   

5. Check whether the number of pods exceeds the service mesh scale.

   If the number exceeds , the excess pods cannot be injected with sidecars.

last updated: 2024-12-10 14:10 UTC - commit: 920761258fae74f943120ecbea2c5052b628b23d