
package inject

v0.0.0 (5ae3c9a)
Published: 2 hours ago | License: Apache-2.0 | Module:


Package inject implements the kube-inject and webhook auto-inject features that inject the sidecar. This file is focused on rewriting Kubernetes app probers to support mutual TLS (the kubelet's probe requests originate outside the mesh, so they need to be redirected through the sidecar rather than reaching the application directly once mutual TLS is enforced).



const (
	// ProxyContainerName is used by e2e integration tests for fetching logs
	ProxyContainerName = "istio-proxy"


var (
	AnnotationValidation = map[string]annotationValidationFunc{
		annotation.SidecarInject.Name:                             alwaysValidFunc,
		annotation.SidecarStatus.Name:                             alwaysValidFunc,
		annotation.SidecarRewriteAppHTTPProbers.Name:              alwaysValidFunc,
		annotation.SidecarControlPlaneAuthPolicy.Name:             alwaysValidFunc,
		annotation.SidecarDiscoveryAddress.Name:                   alwaysValidFunc,
		annotation.SidecarProxyImage.Name:                         alwaysValidFunc,
		annotation.SidecarProxyCPU.Name:                           alwaysValidFunc,
		annotation.SidecarProxyMemory.Name:                        alwaysValidFunc,
		annotation.SidecarInterceptionMode.Name:                   validateInterceptionMode,
		annotation.SidecarBootstrapOverride.Name:                  alwaysValidFunc,
		annotation.SidecarStatsInclusionPrefixes.Name:             alwaysValidFunc,
		annotation.SidecarStatsInclusionSuffixes.Name:             alwaysValidFunc,
		annotation.SidecarStatsInclusionRegexps.Name:              alwaysValidFunc,
		annotation.SidecarUserVolume.Name:                         alwaysValidFunc,
		annotation.SidecarUserVolumeMount.Name:                    alwaysValidFunc,
		annotation.SidecarEnableCoreDump.Name:                     validateBool,
		annotation.SidecarStatusPort.Name:                         validateStatusPort,
		annotation.SidecarStatusReadinessInitialDelaySeconds.Name: validateUInt32,
		annotation.SidecarStatusReadinessPeriodSeconds.Name:       validateUInt32,
		annotation.SidecarStatusReadinessFailureThreshold.Name:    validateUInt32,
		annotation.SidecarTrafficIncludeOutboundIPRanges.Name:     ValidateIncludeIPRanges,
		annotation.SidecarTrafficExcludeOutboundIPRanges.Name:     ValidateExcludeIPRanges,
		annotation.SidecarTrafficIncludeInboundPorts.Name:         ValidateIncludeInboundPorts,
		annotation.SidecarTrafficExcludeInboundPorts.Name:         ValidateExcludeInboundPorts,
		annotation.SidecarTrafficExcludeOutboundPorts.Name:        ValidateExcludeOutboundPorts,
		annotation.SidecarTrafficKubevirtInterfaces.Name:          alwaysValidFunc,
		annotation.PrometheusMergeMetrics.Name:                    validateBool,
		annotation.ProxyConfig.Name:                               validateProxyConfig,
		"":                             alwaysValidFunc,

per-sidecar policy and status

func DumpAppProbers

func DumpAppProbers(podspec *corev1.PodSpec) string

DumpAppProbers returns a JSON-encoded string to be stored as `status.KubeAppProbers`. It also updates the probers so that every usage of a named port is resolved to an integer port number.

func FindSidecar

func FindSidecar(containers []corev1.Container) *corev1.Container

FindSidecar returns a pointer to the first container whose name is "istio-proxy".

func FromRawToObject

func FromRawToObject(raw []byte) (runtime.Object, error)

FromRawToObject converts raw bytes into a runtime object.

func IntoObject

func IntoObject(sidecarTemplate string, valuesConfig string, revision string, meshconfig *meshconfig.MeshConfig, in runtime.Object) (interface{}, error)

IntoObject converts the incoming resources into injected resources.

func IntoResourceFile

func IntoResourceFile(sidecarTemplate string, valuesConfig string, revision string, meshconfig *meshconfig.MeshConfig, in io.Reader, out io.Writer) error

IntoResourceFile injects the Istio proxy into the specified Kubernetes YAML file.

func ShouldRewriteAppHTTPProbers

func ShouldRewriteAppHTTPProbers(annotations map[string]string, spec *SidecarInjectionSpec) bool

ShouldRewriteAppHTTPProbers returns whether the apps' prober configuration should be rewritten.

func ValidateExcludeIPRanges

func ValidateExcludeIPRanges(ipRanges string) error

ValidateExcludeIPRanges validates the excludeIPRanges parameter

func ValidateExcludeInboundPorts

func ValidateExcludeInboundPorts(ports string) error

ValidateExcludeInboundPorts validates the excludeInboundPorts parameter

func ValidateExcludeOutboundPorts

func ValidateExcludeOutboundPorts(ports string) error

ValidateExcludeOutboundPorts validates the excludeOutboundPorts parameter

func ValidateIncludeIPRanges

func ValidateIncludeIPRanges(ipRanges string) error

ValidateIncludeIPRanges validates the includeIPRanges parameter

func ValidateIncludeInboundPorts

func ValidateIncludeInboundPorts(ports string) error

ValidateIncludeInboundPorts validates the includeInboundPorts parameter

type Config

type Config struct {
	Policy InjectionPolicy `json:"policy"`

	// Template is the templated version of `SidecarInjectionSpec` prior to
	// expansion over the `SidecarTemplateData`.
	Template string `json:"template"`

	// NeverInjectSelector: Refuses the injection on pods whose labels match this selector.
	// It's an array of label selectors, that will be OR'ed, meaning we will iterate
	// over it and stop at the first match
	// Takes precedence over AlwaysInjectSelector.
	NeverInjectSelector []metav1.LabelSelector `json:"neverInjectSelector"`

	// AlwaysInjectSelector: Forces the injection on pods whose labels match this selector.
	// It's an array of label selectors, that will be OR'ed, meaning we will iterate
	// over it and stop at the first match
	AlwaysInjectSelector []metav1.LabelSelector `json:"alwaysInjectSelector"`

	// InjectedAnnotations are additional annotations that will be added to the pod spec after injection
	// This is primarily to support PSP annotations.
	InjectedAnnotations map[string]string `json:"injectedAnnotations"`

Config specifies the sidecar injection configuration. This includes the sidecar template and the cluster-side injection policy. It is used by kube-inject, the sidecar injector, and the HTTP endpoint.

type InjectionPolicy

type InjectionPolicy string

InjectionPolicy determines the policy for injecting the sidecar proxy into the watched namespace(s).

const (
	// InjectionPolicyDisabled specifies that the sidecar injector
	// will not inject the sidecar into resources by default for the
	// namespace(s) being watched. Resources can enable injection
	// using the "" annotation with value of
	// true.
	InjectionPolicyDisabled InjectionPolicy = "disabled"

	// InjectionPolicyEnabled specifies that the sidecar injector will
	// inject the sidecar into resources by default for the
	// namespace(s) being watched. Resources can disable injection
	// using the "" annotation with value of
	// false.
	InjectionPolicyEnabled InjectionPolicy = "enabled"

type SidecarInjectionSpec

type SidecarInjectionSpec struct {
	// RewriteHTTPProbe indicates whether Kubernetes HTTP prober in the PodSpec
	// will be rewritten to be redirected by pilot agent.
	PodRedirectAnnot    map[string]string             `yaml:"podRedirectAnnot"`
	RewriteAppHTTPProbe bool                          `yaml:"rewriteAppHTTPProbe"`
	InitContainers      []corev1.Container            `yaml:"initContainers"`
	Containers          []corev1.Container            `yaml:"containers"`
	Volumes             []corev1.Volume               `yaml:"volumes"`
	DNSConfig           *corev1.PodDNSConfig          `yaml:"dnsConfig"`
	ImagePullSecrets    []corev1.LocalObjectReference `yaml:"imagePullSecrets"`

SidecarInjectionSpec collects all container types and volumes for sidecar mesh injection.

func InjectionData

func InjectionData(sidecarTemplate, valuesConfig, version string, typeMetadata *metav1.TypeMeta, deploymentMetadata *metav1.ObjectMeta, spec *corev1.PodSpec,
	metadata *metav1.ObjectMeta, meshConfig *meshconfig.MeshConfig, path string) (
	*SidecarInjectionSpec, string, error)

InjectionData renders sidecarTemplate with valuesConfig.

type SidecarInjectionStatus

type SidecarInjectionStatus struct {
	Version          string   `json:"version"`
	InitContainers   []string `json:"initContainers"`
	Containers       []string `json:"containers"`
	Volumes          []string `json:"volumes"`
	ImagePullSecrets []string `json:"imagePullSecrets"`

SidecarInjectionStatus contains basic information about the injected sidecar. This includes the names of added containers and volumes.

type SidecarTemplateData

type SidecarTemplateData struct {
	TypeMeta       *metav1.TypeMeta
	DeploymentMeta *metav1.ObjectMeta
	ObjectMeta     *metav1.ObjectMeta
	Spec           *corev1.PodSpec
	ProxyConfig    *meshconfig.ProxyConfig
	MeshConfig     *meshconfig.MeshConfig
	Values         map[string]interface{}

SidecarTemplateData is the data object to which the templated version of `SidecarInjectionSpec` is applied.

type Webhook

type Webhook struct {
	Config *Config
	// contains filtered or unexported fields

Webhook implements a mutating webhook for automatic proxy injection.

func NewWebhook

func NewWebhook(p WebhookParameters) (*Webhook, error)

NewWebhook creates a new instance of a mutating webhook for automatic sidecar injection.

func (*Webhook) Run

func (wh *Webhook) Run(stop <-chan struct{})

Run implements the webhook server.

type WebhookParameters

type WebhookParameters struct {
	// ConfigFile is the path to the sidecar injection configuration file.
	ConfigFile string

	ValuesFile string

	// Port is the webhook port, e.g. typically 443 for https.
	// This is mainly used for tests. Webhook runs on the port started by Istiod.
	Port int

	// MonitoringPort is the webhook port, e.g. typically 15014.
	// Set to -1 to disable monitoring
	MonitoringPort int

	// HealthCheckInterval configures how frequently the health check
	// file is updated. Value of zero disables the health check
	// update.
	HealthCheckInterval time.Duration

	// HealthCheckFile specifies the path to the health check file
	// that is periodically updated.
	HealthCheckFile string

	Env *model.Environment

	// Use an existing mux instead of creating our own.
	Mux *http.ServeMux

	// The this injector is responsible for
	Revision string

WebhookParameters configures parameters for the sidecar injection webhook.

