
package inject

import "istio.io/istio/pkg/kube/inject"

Package inject implements the kube-inject and webhook auto-inject features that inject the sidecar. This file focuses on rewriting Kubernetes application probers to support mutual TLS.


Package Files

app_probe.go concurrency.go initializer.go inject.go monitoring.go webhook.go

Constants

// Default values for injecting the istio proxy into kubernetes resources.
// Each constant corresponds by name to a Params field (SidecarProxyUID,
// Verbosity, StatusPort, Readiness*, IncludeIPRanges, IncludeInboundPorts,
// KubevirtInterfaces). For the IP-range and port lists, "*" selects all
// ranges/ports, as described on the Params fields.
const (
    DefaultSidecarProxyUID              = uint64(1337)
    DefaultVerbosity                    = 2
    DefaultStatusPort                   = 15020
    DefaultReadinessInitialDelaySeconds = 1
    DefaultReadinessPeriodSeconds       = 2
    DefaultReadinessFailureThreshold    = 30
    DefaultIncludeIPRanges              = "*"
    DefaultIncludeInboundPorts          = "*"
    DefaultkubevirtInterfaces           = ""
)

Default values for injecting the istio proxy into kubernetes resources.

const (
    // ProxyContainerName is used by e2e integration tests for fetching logs.
    // FindSidecar locates the sidecar by comparing container names against
    // this same value.
    ProxyContainerName = "istio-proxy"
)
const (
    // StatusPortCmdFlagName is the name of the command line flag passed to pilot-agent for sidecar readiness probe.
    // We reuse it for taking over application's readiness probing as well.
    // NOTE(review): presumably populated from Params.StatusPort (DefaultStatusPort = 15020) — confirm in the template.
    // TODO: replace the hardcoded statusPort elsewhere by this variable as much as possible.
    StatusPortCmdFlagName = "statusPort"
)

func DumpAppProbers Uses

func DumpAppProbers(podspec *corev1.PodSpec) string

DumpAppProbers returns a JSON-encoded string for `status.KubeAppProbers`. It also updates the probers so that every use of a named port is resolved to an integer port.

func FindSidecar Uses

func FindSidecar(containers []corev1.Container) *corev1.Container

FindSidecar returns the pointer to the first container whose name matches the "istio-proxy".

func FromRawToObject Uses

func FromRawToObject(raw []byte) (runtime.Object, error)

FromRawToObject converts the raw bytes into a runtime object.

func IntoObject Uses

func IntoObject(sidecarTemplate string, valuesConfig string, meshconfig *meshconfig.MeshConfig, in runtime.Object) (interface{}, error)

IntoObject converts the incoming resource into an injected resource.

func IntoResourceFile Uses

func IntoResourceFile(sidecarTemplate string, valuesConfig string, meshconfig *meshconfig.MeshConfig, in io.Reader, out io.Writer) error

IntoResourceFile injects the istio proxy into the specified kubernetes YAML file.

func ShouldRewriteAppHTTPProbers Uses

func ShouldRewriteAppHTTPProbers(annotations map[string]string, spec *SidecarInjectionSpec) bool

ShouldRewriteAppHTTPProbers reports whether the application's prober configuration should be rewritten.

func ValidateExcludeIPRanges Uses

func ValidateExcludeIPRanges(ipRanges string) error

ValidateExcludeIPRanges validates the excludeIPRanges parameter

func ValidateExcludeInboundPorts Uses

func ValidateExcludeInboundPorts(ports string) error

ValidateExcludeInboundPorts validates the excludeInboundPorts parameter

func ValidateExcludeOutboundPorts Uses

func ValidateExcludeOutboundPorts(ports string) error

ValidateExcludeOutboundPorts validates the excludeOutboundPorts parameter

func ValidateIncludeIPRanges Uses

func ValidateIncludeIPRanges(ipRanges string) error

ValidateIncludeIPRanges validates the includeIPRanges parameter

func ValidateIncludeInboundPorts Uses

func ValidateIncludeInboundPorts(ports string) error

ValidateIncludeInboundPorts validates the includeInboundPorts parameter

type Config Uses

// Config specifies the sidecar injection configuration. This includes the
// sidecar template and the cluster-side injection policy. It is used by
// kube-inject, the sidecar injector, and the HTTP endpoint.
type Config struct {
    // Policy is the cluster-side injection policy for the watched
    // namespace(s); see InjectionPolicy for the accepted values.
    Policy InjectionPolicy `json:"policy"`

    // Template is the templated version of `SidecarInjectionSpec` prior to
    // expansion over the `SidecarTemplateData`.
    Template string `json:"template"`

    // NeverInjectSelector: Refuses the injection on pods whose labels match this selector.
    // It's an array of label selectors, that will be OR'ed, meaning we will iterate
    // over it and stop at the first match.
    // Takes precedence over AlwaysInjectSelector.
    NeverInjectSelector []metav1.LabelSelector `json:"neverInjectSelector"`

    // AlwaysInjectSelector: Forces the injection on pods whose labels match this selector.
    // It's an array of label selectors, that will be OR'ed, meaning we will iterate
    // over it and stop at the first match.
    AlwaysInjectSelector []metav1.LabelSelector `json:"alwaysInjectSelector"`

    // InjectedAnnotations are additional annotations that will be added to the pod spec after injection.
    // This is primarily to support PSP annotations.
    InjectedAnnotations map[string]string `json:"injectedAnnotations"`
}

Config specifies the sidecar injection configuration. This includes the sidecar template and the cluster-side injection policy. It is used by kube-inject, the sidecar injector, and the HTTP endpoint.

type InjectionPolicy Uses

// InjectionPolicy determines the policy for injecting the sidecar proxy into
// the watched namespace(s). It is carried by Config.Policy; the accepted
// values are InjectionPolicyDisabled and InjectionPolicyEnabled.
type InjectionPolicy string

InjectionPolicy determines the policy for injecting the sidecar proxy into the watched namespace(s).

// Accepted values of InjectionPolicy. In both cases the per-resource
// "sidecar.istio.io/inject" annotation overrides the namespace default.
const (
    // InjectionPolicyDisabled specifies that the sidecar injector
    // will not inject the sidecar into resources by default for the
    // namespace(s) being watched. Resources can enable injection
    // using the "sidecar.istio.io/inject" annotation with value of
    // true.
    InjectionPolicyDisabled InjectionPolicy = "disabled"

    // InjectionPolicyEnabled specifies that the sidecar injector will
    // inject the sidecar into resources by default for the
    // namespace(s) being watched. Resources can disable injection
    // using the "sidecar.istio.io/inject" annotation with value of
    // false.
    InjectionPolicyEnabled InjectionPolicy = "enabled"
)

type Params Uses

// Params describes configurable parameters for injecting istio proxy into a
// kubernetes resource. The Default* constants of this package provide the
// defaults for the fields of the same name (SidecarProxyUID, Verbosity,
// StatusPort, the Readiness* fields, IncludeIPRanges, IncludeInboundPorts,
// KubevirtInterfaces). Validate checks the whole struct; the package-level
// Validate*IPRanges and Validate*Ports helpers cover the individual list
// fields. Mesh is excluded from JSON encoding (`json:"-"`).
// NOTE(review): Privileged, DebugMode and EnableCoreDump look like they relax
// the injected sidecar's container hardening — confirm how the template
// consumes them before exposing them to untrusted callers.
type Params struct {
    InitImage       string `json:"initImage"`
    ProxyImage      string `json:"proxyImage"`
    Version         string `json:"version"`
    ImagePullPolicy string `json:"imagePullPolicy"`
    Tracer          string `json:"tracer"`
    // Comma separated list of IP ranges in CIDR form. If set, only redirect outbound traffic to Envoy for these IP
    // ranges. All outbound traffic can be redirected with the wildcard character "*". Defaults to "*".
    IncludeIPRanges string `json:"includeIPRanges"`
    // Comma separated list of IP ranges in CIDR form. If set, outbound traffic will not be redirected for
    // these IP ranges. Exclusions are only applied if configured to redirect all outbound traffic. By default,
    // no IP ranges are excluded.
    ExcludeIPRanges string `json:"excludeIPRanges"`
    // Comma separated list of inbound ports for which traffic is to be redirected to Envoy. All ports can be
    // redirected with the wildcard character "*". Defaults to "*".
    IncludeInboundPorts string `json:"includeInboundPorts"`
    // Comma separated list of inbound ports. If set, inbound traffic will not be redirected for those ports.
    // Exclusions are only applied if configured to redirect all inbound traffic. By default, no ports are excluded.
    // Note that excluded inbound ports bypass the sidecar entirely, so they are not covered by mutual TLS.
    ExcludeInboundPorts string `json:"excludeInboundPorts"`
    // Comma separated list of outbound ports. If set, outbound traffic will not be redirected for those ports.
    // By default, no ports are excluded.
    ExcludeOutboundPorts string `json:"excludeOutboundPorts"`
    // Comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound.
    // By default, no interfaces are configured.
    KubevirtInterfaces           string                 `json:"kubevirtInterfaces"`
    Verbosity                    int                    `json:"verbosity"`
    SidecarProxyUID              uint64                 `json:"sidecarProxyUID"`
    Mesh                         *meshconfig.MeshConfig `json:"-"`
    StatusPort                   int                    `json:"statusPort"`
    ReadinessInitialDelaySeconds uint32                 `json:"readinessInitialDelaySeconds"`
    ReadinessPeriodSeconds       uint32                 `json:"readinessPeriodSeconds"`
    ReadinessFailureThreshold    uint32                 `json:"readinessFailureThreshold"`
    RewriteAppHTTPProbe          bool                   `json:"rewriteAppHTTPProbe"`
    EnableCoreDump               bool                   `json:"enableCoreDump"`
    DebugMode                    bool                   `json:"debugMode"`
    Privileged                   bool                   `json:"privileged"`
    SDSEnabled                   bool                   `json:"sdsEnabled"`
    PodDNSSearchNamespaces       []string               `json:"podDNSSearchNamespaces"`
}

Params describes configurable parameters for injecting istio proxy into a kubernetes resource.

func (*Params) Validate Uses

func (p *Params) Validate() error

Validate validates the parameters and returns an error if there is a configuration issue.

type SidecarInjectionSpec Uses

// SidecarInjectionSpec collects all container types and volumes for sidecar
// mesh injection. It is the result of rendering Config.Template (see
// InjectionData).
type SidecarInjectionSpec struct {
    // RewriteAppHTTPProbe indicates whether Kubernetes HTTP probers in the PodSpec
    // will be rewritten to be redirected by pilot agent (see ShouldRewriteAppHTTPProbers).
    // PodRedirectAnnot: NOTE(review): presumably the annotations describing traffic
    // redirection that are added to the pod — confirm against the template.
    PodRedirectAnnot    map[string]string             `yaml:"podRedirectAnnot"`
    RewriteAppHTTPProbe bool                          `yaml:"rewriteAppHTTPProbe"`
    InitContainers      []corev1.Container            `yaml:"initContainers"`
    Containers          []corev1.Container            `yaml:"containers"`
    Volumes             []corev1.Volume               `yaml:"volumes"`
    DNSConfig           *corev1.PodDNSConfig          `yaml:"dnsConfig"`
    ImagePullSecrets    []corev1.LocalObjectReference `yaml:"imagePullSecrets"`
}

SidecarInjectionSpec collects all container types and volumes for sidecar mesh injection.

func InjectionData Uses

func InjectionData(sidecarTemplate, valuesConfig, version string, typeMetadata *metav1.TypeMeta, deploymentMetadata *metav1.ObjectMeta, spec *corev1.PodSpec,
    metadata *metav1.ObjectMeta, proxyConfig *meshconfig.ProxyConfig, meshConfig *meshconfig.MeshConfig) (
    *SidecarInjectionSpec, string, error)

InjectionData renders sidecarTemplate with valuesConfig.

type SidecarInjectionStatus Uses

// SidecarInjectionStatus contains basic information about the injected
// sidecar. This includes the names of added containers and volumes; it holds
// only names, not the container or volume definitions themselves.
type SidecarInjectionStatus struct {
    Version          string   `json:"version"`
    InitContainers   []string `json:"initContainers"`
    Containers       []string `json:"containers"`
    Volumes          []string `json:"volumes"`
    ImagePullSecrets []string `json:"imagePullSecrets"`
}

SidecarInjectionStatus contains basic information about the injected sidecar. This includes the names of added containers and volumes.

type SidecarTemplateData Uses

// SidecarTemplateData is the data object to which the templated version of
// `SidecarInjectionSpec` is applied. Its fields appear to mirror the
// arguments of InjectionData (type/deployment/object metadata, pod spec,
// proxy and mesh config), with Values holding the parsed valuesConfig —
// NOTE(review): confirm against the renderer.
type SidecarTemplateData struct {
    TypeMeta       *metav1.TypeMeta
    DeploymentMeta *metav1.ObjectMeta
    ObjectMeta     *metav1.ObjectMeta
    Spec           *corev1.PodSpec
    ProxyConfig    *meshconfig.ProxyConfig
    MeshConfig     *meshconfig.MeshConfig
    Values         map[string]interface{}
}

SidecarTemplateData is the data object to which the templated version of `SidecarInjectionSpec` is applied.

type Webhook Uses

// Webhook implements a mutating webhook for automatic proxy injection.
// Construct it with NewWebhook and serve it with Run.
type Webhook struct {
    // contains filtered or unexported fields
}

Webhook implements a mutating webhook for automatic proxy injection.

func NewWebhook Uses

func NewWebhook(p WebhookParameters) (*Webhook, error)

NewWebhook creates a new instance of a mutating webhook for automatic sidecar injection.

func (*Webhook) Run Uses

func (wh *Webhook) Run(stop <-chan struct{})

Run implements the webhook server

type WebhookParameters Uses

// WebhookParameters configures parameters for the sidecar injection webhook.
// It is consumed by NewWebhook.
type WebhookParameters struct {
    // ConfigFile is the path to the sidecar injection configuration file.
    ConfigFile string

    // ValuesFile is the path to the values file.
    // NOTE(review): presumably the valuesConfig consumed when rendering the
    // template (see InjectionData) — confirm.
    ValuesFile string

    // MeshFile is the path to the mesh configuration file.
    MeshFile string

    // CertFile is the path to the x509 certificate for https.
    CertFile string

    // KeyFile is the path to the x509 private key matching `CertFile`.
    // NOTE(review): nothing on this page shows the key file's permissions
    // being checked; keep it readable only by the webhook process.
    KeyFile string

    // Port is the webhook port, e.g. typically 443 for https.
    Port int

    // MonitoringPort is the monitoring port of the webhook, e.g. typically 15014.
    MonitoringPort int

    // HealthCheckInterval configures how frequently the health check
    // file is updated. Value of zero disables the health check
    // update.
    HealthCheckInterval time.Duration

    // HealthCheckFile specifies the path to the health check file
    // that is periodically updated.
    HealthCheckFile string
}

WebhookParameters configures parameters for the sidecar injection webhook.
