istio: Index | Files

package inject

import ""

Package inject implements kube-inject or webhoook autoinject feature to inject sidecar. This file is focused on rewriting Kubernetes app probers to support mutual TLS.


Package Files

app_probe.go concurrency.go initializer.go inject.go monitoring.go webhook.go


const (
    // ProxyContainerName is used by e2e integration tests for fetching logs
    ProxyContainerName = "istio-proxy"


var (
    AnnotationValidation = map[string]annotationValidationFunc{
        annotation.SidecarInject.Name:                             alwaysValidFunc,
        annotation.SidecarStatus.Name:                             alwaysValidFunc,
        annotation.SidecarRewriteAppHTTPProbers.Name:              alwaysValidFunc,
        annotation.SidecarControlPlaneAuthPolicy.Name:             alwaysValidFunc,
        annotation.SidecarDiscoveryAddress.Name:                   alwaysValidFunc,
        annotation.SidecarProxyImage.Name:                         alwaysValidFunc,
        annotation.SidecarProxyCPU.Name:                           alwaysValidFunc,
        annotation.SidecarProxyMemory.Name:                        alwaysValidFunc,
        annotation.SidecarInterceptionMode.Name:                   validateInterceptionMode,
        annotation.SidecarBootstrapOverride.Name:                  alwaysValidFunc,
        annotation.SidecarStatsInclusionPrefixes.Name:             alwaysValidFunc,
        annotation.SidecarStatsInclusionSuffixes.Name:             alwaysValidFunc,
        annotation.SidecarStatsInclusionRegexps.Name:              alwaysValidFunc,
        annotation.SidecarUserVolume.Name:                         alwaysValidFunc,
        annotation.SidecarUserVolumeMount.Name:                    alwaysValidFunc,
        annotation.SidecarEnableCoreDump.Name:                     validateBool,
        annotation.SidecarStatusPort.Name:                         validateStatusPort,
        annotation.SidecarStatusReadinessInitialDelaySeconds.Name: validateUInt32,
        annotation.SidecarStatusReadinessPeriodSeconds.Name:       validateUInt32,
        annotation.SidecarStatusReadinessFailureThreshold.Name:    validateUInt32,
        annotation.SidecarTrafficIncludeOutboundIPRanges.Name:     ValidateIncludeIPRanges,
        annotation.SidecarTrafficExcludeOutboundIPRanges.Name:     ValidateExcludeIPRanges,
        annotation.SidecarTrafficIncludeInboundPorts.Name:         ValidateIncludeInboundPorts,
        annotation.SidecarTrafficExcludeInboundPorts.Name:         ValidateExcludeInboundPorts,
        annotation.SidecarTrafficExcludeOutboundPorts.Name:        ValidateExcludeOutboundPorts,
        annotation.SidecarTrafficKubevirtInterfaces.Name:          alwaysValidFunc,
        annotation.PrometheusMergeMetrics.Name:                    validateBool,
        annotation.ProxyConfig.Name:                               validateProxyConfig,

per-sidecar policy and status

func DumpAppProbers Uses

func DumpAppProbers(podspec *corev1.PodSpec) string

DumpAppProbers returns a json encoded string as `status.KubeAppProbers`. Also update the probers so that all usages of named port will be resolved to integer.

func FindSidecar Uses

func FindSidecar(containers []corev1.Container) *corev1.Container

FindSidecar returns the pointer to the first container whose name matches the "istio-proxy".

func FromRawToObject Uses

func FromRawToObject(raw []byte) (runtime.Object, error)

FromRawToObject is used to convert from raw to the runtime object

func IntoObject Uses

func IntoObject(sidecarTemplate string, valuesConfig string, revision string, meshconfig *meshconfig.MeshConfig, in runtime.Object) (interface{}, error)

IntoObject convert the incoming resources into Injected resources

func IntoResourceFile Uses

func IntoResourceFile(sidecarTemplate string, valuesConfig string, revision string, meshconfig *meshconfig.MeshConfig, in io.Reader, out io.Writer) error

IntoResourceFile injects the istio proxy into the specified kubernetes YAML file.

func ShouldRewriteAppHTTPProbers Uses

func ShouldRewriteAppHTTPProbers(annotations map[string]string, spec *SidecarInjectionSpec) bool

ShouldRewriteAppHTTPProbers returns if we should rewrite apps' probers config.

func ValidateExcludeIPRanges Uses

func ValidateExcludeIPRanges(ipRanges string) error

ValidateExcludeIPRanges validates the excludeIPRanges parameter

func ValidateExcludeInboundPorts Uses

func ValidateExcludeInboundPorts(ports string) error

ValidateExcludeInboundPorts validates the excludeInboundPorts parameter

func ValidateExcludeOutboundPorts Uses

func ValidateExcludeOutboundPorts(ports string) error

ValidateExcludeOutboundPorts validates the excludeOutboundPorts parameter

func ValidateIncludeIPRanges Uses

func ValidateIncludeIPRanges(ipRanges string) error

ValidateIncludeIPRanges validates the includeIPRanges parameter

func ValidateIncludeInboundPorts Uses

func ValidateIncludeInboundPorts(ports string) error

ValidateIncludeInboundPorts validates the includeInboundPorts parameter

type Config Uses

type Config struct {
    Policy InjectionPolicy `json:"policy"`

    // Template is the templated version of `SidecarInjectionSpec` prior to
    // expansion over the `SidecarTemplateData`.
    Template string `json:"template"`

    // NeverInjectSelector: Refuses the injection on pods whose labels match this selector.
    // It's an array of label selectors, that will be OR'ed, meaning we will iterate
    // over it and stop at the first match
    // Takes precedence over AlwaysInjectSelector.
    NeverInjectSelector []metav1.LabelSelector `json:"neverInjectSelector"`

    // AlwaysInjectSelector: Forces the injection on pods whose labels match this selector.
    // It's an array of label selectors, that will be OR'ed, meaning we will iterate
    // over it and stop at the first match
    AlwaysInjectSelector []metav1.LabelSelector `json:"alwaysInjectSelector"`

    // InjectedAnnotations are additional annotations that will be added to the pod spec after injection
    // This is primarily to support PSP annotations.
    InjectedAnnotations map[string]string `json:"injectedAnnotations"`

Config specifies the sidecar injection configuration This includes the sidecar template and cluster-side injection policy. It is used by kube-inject, sidecar injector, and http endpoint.

type InjectionPolicy Uses

type InjectionPolicy string

InjectionPolicy determines the policy for injecting the sidecar proxy into the watched namespace(s).

const (
    // InjectionPolicyDisabled specifies that the sidecar injector
    // will not inject the sidecar into resources by default for the
    // namespace(s) being watched. Resources can enable injection
    // using the "" annotation with value of
    // true.
    InjectionPolicyDisabled InjectionPolicy = "disabled"

    // InjectionPolicyEnabled specifies that the sidecar injector will
    // inject the sidecar into resources by default for the
    // namespace(s) being watched. Resources can disable injection
    // using the "" annotation with value of
    // false.
    InjectionPolicyEnabled InjectionPolicy = "enabled"

type SidecarInjectionSpec Uses

type SidecarInjectionSpec struct {
    // RewriteHTTPProbe indicates whether Kubernetes HTTP prober in the PodSpec
    // will be rewritten to be redirected by pilot agent.
    PodRedirectAnnot    map[string]string             `yaml:"podRedirectAnnot"`
    RewriteAppHTTPProbe bool                          `yaml:"rewriteAppHTTPProbe"`
    InitContainers      []corev1.Container            `yaml:"initContainers"`
    Containers          []corev1.Container            `yaml:"containers"`
    Volumes             []corev1.Volume               `yaml:"volumes"`
    DNSConfig           *corev1.PodDNSConfig          `yaml:"dnsConfig"`
    ImagePullSecrets    []corev1.LocalObjectReference `yaml:"imagePullSecrets"`

SidecarInjectionSpec collects all container types and volumes for sidecar mesh injection

func InjectionData Uses

func InjectionData(sidecarTemplate, valuesConfig, version string, typeMetadata *metav1.TypeMeta, deploymentMetadata *metav1.ObjectMeta, spec *corev1.PodSpec,
    metadata *metav1.ObjectMeta, meshConfig *meshconfig.MeshConfig, path string) (
    *SidecarInjectionSpec, string, error)

InjectionData renders sidecarTemplate with valuesConfig.

type SidecarInjectionStatus Uses

type SidecarInjectionStatus struct {
    Version          string   `json:"version"`
    InitContainers   []string `json:"initContainers"`
    Containers       []string `json:"containers"`
    Volumes          []string `json:"volumes"`
    ImagePullSecrets []string `json:"imagePullSecrets"`

SidecarInjectionStatus contains basic information about the injected sidecar. This includes the names of added containers and volumes.

type SidecarTemplateData Uses

type SidecarTemplateData struct {
    TypeMeta       *metav1.TypeMeta
    DeploymentMeta *metav1.ObjectMeta
    ObjectMeta     *metav1.ObjectMeta
    Spec           *corev1.PodSpec
    ProxyConfig    *meshconfig.ProxyConfig
    MeshConfig     *meshconfig.MeshConfig
    Values         map[string]interface{}

SidecarTemplateData is the data object to which the templated version of `SidecarInjectionSpec` is applied.

type Webhook Uses

type Webhook struct {
    Config *Config
    // contains filtered or unexported fields

Webhook implements a mutating webhook for automatic proxy injection.

func NewWebhook Uses

func NewWebhook(p WebhookParameters) (*Webhook, error)

NewWebhook creates a new instance of a mutating webhook for automatic sidecar injection.

func (*Webhook) Run Uses

func (wh *Webhook) Run(stop <-chan struct{})

Run implements the webhook server

type WebhookParameters Uses

type WebhookParameters struct {
    // ConfigFile is the path to the sidecar injection configuration file.
    ConfigFile string

    ValuesFile string

    // Port is the webhook port, e.g. typically 443 for https.
    // This is mainly used for tests. Webhook runs on the port started by Istiod.
    Port int

    // MonitoringPort is the webhook port, e.g. typically 15014.
    // Set to -1 to disable monitoring
    MonitoringPort int

    // HealthCheckInterval configures how frequently the health check
    // file is updated. Value of zero disables the health check
    // update.
    HealthCheckInterval time.Duration

    // HealthCheckFile specifies the path to the health check file
    // that is periodically updated.
    HealthCheckFile string

    Env *model.Environment

    // Use an existing mux instead of creating our own.
    Mux *http.ServeMux

    // The this injector is responsible for
    Revision string

WebhookParameters configures parameters for the sidecar injection webhook.

Package inject imports 55 packages (graph) and is imported by 7 packages. Updated 2020-06-02. Refresh now. Tools for package owners.