istio: Index | Files

package inject

import ""

Package inject implements kube-inject or webhoook autoinject feature to inject sidecar. This file is focused on rewriting Kubernetes app probers to support mutual TLS.


Package Files

app_probe.go initializer.go inject.go monitoring.go template.go validate.go watcher.go webhook.go


const (
    // ProxyContainerName is used by e2e integration tests for fetching logs
    ProxyContainerName = "istio-proxy"

    // ValidationContainerName is the name of the init container that validates
    // if CNI has made the necessary changes to iptables
    ValidationContainerName = "istio-validation"

    // InitContainerName is the name of the init container that deploys iptables
    InitContainerName = "istio-init"

    // EnableCoreDumpName is the name of the init container that allows core dumps
    EnableCoreDumpName = "enable-core-dump"
const (
    // AutoImage is the special image name to indicate to the injector that we should use the injected image, and NOT override it
    // This is necessary because image is a required field on container, so if a user defines an istio-proxy container
    // with customizations they must set an image.
    AutoImage = "auto"
const OverrideAnnotation = ""

OverrideAnnotation is used to store the overrides for injected containers TODO move this to api repo

const (
    SidecarTemplateName = "sidecar"
const TemplatesAnnotation = ""

TemplatesAnnotation declares the set of templates to use for injection. If not specified, DefaultTemplates will take precedence, which will inject a standard sidecar. The format is a comma separated list. For example, ` sidecar,debug`. TODO move this to api repo


var (
    AnnotationValidation = map[string]annotationValidationFunc{
        annotation.SidecarInterceptionMode.Name:                   validateInterceptionMode,
        annotation.SidecarEnableCoreDump.Name:                     validateBool,
        annotation.SidecarStatusPort.Name:                         validateStatusPort,
        annotation.SidecarStatusReadinessInitialDelaySeconds.Name: validateUInt32,
        annotation.SidecarStatusReadinessPeriodSeconds.Name:       validateUInt32,
        annotation.SidecarStatusReadinessFailureThreshold.Name:    validateUInt32,
        annotation.SidecarTrafficIncludeOutboundIPRanges.Name:     ValidateIncludeIPRanges,
        annotation.SidecarTrafficExcludeOutboundIPRanges.Name:     ValidateExcludeIPRanges,
        annotation.SidecarTrafficIncludeInboundPorts.Name:         ValidateIncludeInboundPorts,
        annotation.SidecarTrafficExcludeInboundPorts.Name:         ValidateExcludeInboundPorts,
        annotation.SidecarTrafficExcludeOutboundPorts.Name:        ValidateExcludeOutboundPorts,
        annotation.PrometheusMergeMetrics.Name:                    validateBool,
        annotation.ProxyConfig.Name:                               validateProxyConfig,

per-sidecar policy and status

var (
    URLParameterToEnv = map[string]string{
        "cluster": "ISTIO_META_CLUSTER_ID",
        "net":     "ISTIO_META_NETWORK",

func CreateInjectionFuncmap Uses

func CreateInjectionFuncmap() template.FuncMap

func DumpAppProbers Uses

func DumpAppProbers(podspec *corev1.PodSpec, targetPort int32) string

DumpAppProbers returns a json encoded string as `status.KubeAppProbers`. Also update the probers so that all usages of named port will be resolved to integer.

func ExtractCanonicalServiceLabels Uses

func ExtractCanonicalServiceLabels(podLabels map[string]string, workloadName string) (string, string)

func FindContainer Uses

func FindContainer(name string, containers []corev1.Container) *corev1.Container

FindContainer returns the pointer to the first container whose name matches.

func FindSidecar Uses

func FindSidecar(containers []corev1.Container) *corev1.Container

FindSidecar returns the pointer to the first container whose name matches the "istio-proxy".

func FromRawToObject Uses

func FromRawToObject(raw []byte) (runtime.Object, error)

FromRawToObject is used to convert from raw to the runtime object

func IntoObject Uses

func IntoObject(sidecarTemplate Templates, valuesConfig string, revision string, meshconfig *meshconfig.MeshConfig, in runtime.Object, warningHandler func(string)) (interface{}, error)

IntoObject convert the incoming resources into Injected resources nolint: lll

func IntoResourceFile Uses

func IntoResourceFile(sidecarTemplate Templates, valuesConfig string, revision string, meshconfig *meshconfig.MeshConfig, in io.Reader, out io.Writer, warningHandler func(string)) error

IntoResourceFile injects the istio proxy into the specified kubernetes YAML file. nolint: lll

func RunTemplate Uses

func RunTemplate(params InjectionParameters) (mergedPod *corev1.Pod, templatePod *corev1.Pod, err error)

RunTemplate renders the sidecar template Returns the raw string template, as well as the parse pod form

func ShouldRewriteAppHTTPProbers Uses

func ShouldRewriteAppHTTPProbers(annotations map[string]string, specSetting *types.BoolValue) bool

ShouldRewriteAppHTTPProbers returns if we should rewrite apps' probers config.

func ValidateExcludeIPRanges Uses

func ValidateExcludeIPRanges(ipRanges string) error

ValidateExcludeIPRanges validates the excludeIPRanges parameter

func ValidateExcludeInboundPorts Uses

func ValidateExcludeInboundPorts(ports string) error

ValidateExcludeInboundPorts validates the excludeInboundPorts parameter

func ValidateExcludeOutboundPorts Uses

func ValidateExcludeOutboundPorts(ports string) error

ValidateExcludeOutboundPorts validates the excludeOutboundPorts parameter

func ValidateIncludeIPRanges Uses

func ValidateIncludeIPRanges(ipRanges string) error

ValidateIncludeIPRanges validates the includeIPRanges parameter

func ValidateIncludeInboundPorts Uses

func ValidateIncludeInboundPorts(ports string) error

ValidateIncludeInboundPorts validates the includeInboundPorts parameter

type Config Uses

type Config struct {
    Policy InjectionPolicy `json:"policy"`

    // DefaultTemplates defines the default template to use for pods that do not explicitly specify a template
    DefaultTemplates []string `json:"defaultTemplates"`

    // Templates defines a set of templates to be used. The specified template will be run, provided with
    // SidecarTemplateData, and merged with the original pod spec using a strategic merge patch.
    Templates Templates `json:"templates"`

    // Aliases defines a translation of a name to inject template. For example, `sidecar: [proxy,init]` could allow
    // referencing two templates, "proxy" and "init" by a single name, "sidecar".
    // Expansion is not recursive.
    Aliases map[string][]string `json:"aliases"`

    // NeverInjectSelector: Refuses the injection on pods whose labels match this selector.
    // It's an array of label selectors, that will be OR'ed, meaning we will iterate
    // over it and stop at the first match
    // Takes precedence over AlwaysInjectSelector.
    NeverInjectSelector []metav1.LabelSelector `json:"neverInjectSelector"`

    // AlwaysInjectSelector: Forces the injection on pods whose labels match this selector.
    // It's an array of label selectors, that will be OR'ed, meaning we will iterate
    // over it and stop at the first match
    AlwaysInjectSelector []metav1.LabelSelector `json:"alwaysInjectSelector"`

    // InjectedAnnotations are additional annotations that will be added to the pod spec after injection
    // This is primarily to support PSP annotations.
    InjectedAnnotations map[string]string `json:"injectedAnnotations"`

Config specifies the sidecar injection configuration This includes the sidecar template and cluster-side injection policy. It is used by kube-inject, sidecar injector, and http endpoint.

func UnmarshalConfig Uses

func UnmarshalConfig(yml []byte) (Config, error)

UnmarshalConfig unmarshals the provided YAML configuration, while normalizing the resulting configuration nolint: staticcheck

type ContainerReorder Uses

type ContainerReorder int
const (
    MoveFirst ContainerReorder = iota

type InjectionParameters Uses

type InjectionParameters struct {
    // contains filtered or unexported fields

type InjectionPolicy Uses

type InjectionPolicy string

InjectionPolicy determines the policy for injecting the sidecar proxy into the watched namespace(s).

const (
    // InjectionPolicyDisabled specifies that the sidecar injector
    // will not inject the sidecar into resources by default for the
    // namespace(s) being watched. Resources can enable injection
    // using the "" annotation with value of
    // true.
    InjectionPolicyDisabled InjectionPolicy = "disabled"

    // InjectionPolicyEnabled specifies that the sidecar injector will
    // inject the sidecar into resources by default for the
    // namespace(s) being watched. Resources can disable injection
    // using the "" annotation with value of
    // false.
    InjectionPolicyEnabled InjectionPolicy = "enabled"

type KubeAppProbers Uses

type KubeAppProbers map[string]*Prober

type Prober Uses

type Prober struct {
    HTTPGet        *corev1.HTTPGetAction `json:"httpGet"`
    TimeoutSeconds int32                 `json:"timeoutSeconds,omitempty"`

Prober represents a single container prober

type SidecarInjectionStatus Uses

type SidecarInjectionStatus struct {
    InitContainers   []string `json:"initContainers"`
    Containers       []string `json:"containers"`
    Volumes          []string `json:"volumes"`
    ImagePullSecrets []string `json:"imagePullSecrets"`

SidecarInjectionStatus contains basic information about the injected sidecar. This includes the names of added containers and volumes.

type SidecarTemplateData Uses

type SidecarTemplateData struct {
    TypeMeta       *metav1.TypeMeta
    DeploymentMeta *metav1.ObjectMeta
    ObjectMeta     metav1.ObjectMeta
    Spec           corev1.PodSpec
    ProxyConfig    *meshconfig.ProxyConfig
    MeshConfig     *meshconfig.MeshConfig
    Values         map[string]interface{}
    Revision       string

SidecarTemplateData is the data object to which the templated version of `SidecarInjectionSpec` is applied.

type Template Uses

type Template *corev1.Pod

type Templates Uses

type Templates map[string]string

type Watcher Uses

type Watcher interface {
    // SetHandler sets the handler that is run when the config changes.
    // Must call this before Run.
    SetHandler(func(*Config, string))

    // Run starts the Watcher. Must call this after SetHandler.
    Run(<-chan struct{})

    // Get returns the sidecar and values configuration.
    Get() (*Config, string, error)

Watcher watches for and reacts to injection config updates.

func NewConfigMapWatcher Uses

func NewConfigMapWatcher(client kube.Client, namespace, name, configKey, valuesKey string) Watcher

NewConfigMapWatcher creates a new Watcher for changes to the given ConfigMap.

func NewFileWatcher Uses

func NewFileWatcher(configFile, valuesFile string) (Watcher, error)

NewFileWatcher creates a Watcher for local config and values files.

type Webhook Uses

type Webhook struct {
    Config *Config
    // contains filtered or unexported fields

Webhook implements a mutating webhook for automatic proxy injection.

func NewWebhook Uses

func NewWebhook(p WebhookParameters) (*Webhook, error)

NewWebhook creates a new instance of a mutating webhook for automatic sidecar injection.

func (*Webhook) Run Uses

func (wh *Webhook) Run(stop <-chan struct{})

Run implements the webhook server

type WebhookParameters Uses

type WebhookParameters struct {
    // Watcher watches the sidecar injection configuration.
    Watcher Watcher

    // Port is the webhook port, e.g. typically 443 for https.
    // This is mainly used for tests. Webhook runs on the port started by Istiod.
    Port int

    // MonitoringPort is the webhook port, e.g. typically 15014.
    // Set to -1 to disable monitoring
    MonitoringPort int

    // HealthCheckInterval configures how frequently the health check
    // file is updated. Value of zero disables the health check
    // update.
    HealthCheckInterval time.Duration

    // HealthCheckFile specifies the path to the health check file
    // that is periodically updated.
    HealthCheckFile string

    Env *model.Environment

    // Use an existing mux instead of creating our own.
    Mux *http.ServeMux

    // The this injector is responsible for
    Revision string

WebhookParameters configures parameters for the sidecar injection webhook.

Package inject imports 62 packages (graph) and is imported by 5 packages. Updated 2021-01-21. Refresh now. Tools for package owners.