sidecar-injector
Kubernetes webhook for automatic Istio sidecar injection.
sidecar-injector [flags]
| Flags | Description |
|---|---|
--caCertFile <string> | File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`) |
--healthCheckFile <string> | File that should be periodically updated if health checking is enabled (default ``) |
--healthCheckInterval <duration> | Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`) |
--injectConfig <string> | File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`) |
--injectValues <string> | File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`) |
--kubeconfig <string> | Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``) |
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--meshConfig <string> | File containing the Istio mesh configuration (default `/etc/istio/config/mesh`) |
--port <int> | Webhook port (default `443`) |
--tlsCertFile <string> | File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`) |
--tlsKeyFile <string> | File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`) |
--webhookConfigName <string> | Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`) |
--webhookName <string> | Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`) |
sidecar-injector probe
Check the liveness or readiness of a locally-running server
sidecar-injector probe [flags]
| Flags | Description |
|---|---|
--caCertFile <string> | File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`) |
--healthCheckFile <string> | File that should be periodically updated if health checking is enabled (default ``) |
--healthCheckInterval <duration> | Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`) |
--injectConfig <string> | File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`) |
--injectValues <string> | File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`) |
--interval <duration> | Duration used for checking the target file's last modified time. (default `0s`) |
--kubeconfig <string> | Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``) |
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--meshConfig <string> | File containing the Istio mesh configuration (default `/etc/istio/config/mesh`) |
--port <int> | Webhook port (default `443`) |
--probe-path <string> | Path of the file for checking the availability. (default ``) |
--tlsCertFile <string> | File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`) |
--tlsKeyFile <string> | File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`) |
--webhookConfigName <string> | Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`) |
--webhookName <string> | Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`) |
sidecar-injector version
Prints out build version information
sidecar-injector version [flags]
| Flags | Shorthand | Description |
|---|---|---|
--caCertFile <string> | File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`) | |
--healthCheckFile <string> | File that should be periodically updated if health checking is enabled (default ``) | |
--healthCheckInterval <duration> | Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`) | |
--injectConfig <string> | File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`) | |
--injectValues <string> | File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`) | |
--kubeconfig <string> | Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``) | |
--log_as_json | Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac] (default ``) | |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> | The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--meshConfig <string> | File containing the Istio mesh configuration (default `/etc/istio/config/mesh`) | |
--output <string> | -o | One of 'yaml' or 'json'. (default ``) |
--port <int> | Webhook port (default `443`) | |
--short | -s | Displays a short form of the version information |
--tlsCertFile <string> | File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`) | |
--tlsKeyFile <string> | File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`) | |
--webhookConfigName <string> | Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`) | |
--webhookName <string> | Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`) |
Environment variables
These environment variables affect the behavior of thesidecar-injector command.| Variable Name | Type | Default Value | Description |
|---|---|---|---|
ISTIO_GPRC_MAXSTREAMS | Integer | 100000 | |
PILOT_CERT_DIR | String | | |
PILOT_DEBOUNCE_AFTER | Time Duration | 100ms | |
PILOT_DEBOUNCE_MAX | Time Duration | 10s | |
PILOT_DEBUG_ADSZ_CONFIG | Boolean | false | |
PILOT_DISABLE_EDS_ISOLATION | String | | |
PILOT_DISABLE_XDS_MARSHALING_TO_ANY | String | | |
PILOT_ENABLE_FALLTHROUGH_ROUTE | Boolean | true | EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned. |
PILOT_ENABLE_LOCALITY_LOAD_BALANCING | String | | |
PILOT_ENABLE_MYSQL_FILTER | Boolean | false | EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain. |
PILOT_ENABLE_REDIS_FILTER | Boolean | false | EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain. |
PILOT_ENABLE_WAIT_CACHE_SYNC | String | | |
PILOT_HTTP10 | Boolean | false | |
PILOT_INITIAL_FETCH_TIMEOUT | Time Duration | 0s | Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup. |
PILOT_PUSH_BURST | Integer | 100 | |
PILOT_PUSH_THROTTLE | Integer | 10 | |
PILOT_SIDECAR_USE_REMOTE_ADDRESS | Boolean | false | UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners. |
PILOT_TRACE_SAMPLING | Floating-Point | 100 | |
TERMINATION_DRAIN_DURATION_SECONDS | String | | |
V2_REFRESH | Time Duration | 0s |
Annotations
These resource annotations are used by thesidecar-injector command.| Annotation Name | Description |
|---|---|
policy.istio.io/check | Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests. |
policy.istio.io/checkBaseRetryWaitTime | Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms. |
policy.istio.io/checkMaxRetryWaitTime | Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms. |
policy.istio.io/checkRetries | The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries. |
readiness.status.sidecar.istio.io/applicationPorts | |
readiness.status.sidecar.istio.io/failureThreshold | |
readiness.status.sidecar.istio.io/initialDelaySeconds | |
readiness.status.sidecar.istio.io/periodSeconds | |
sidecar.istio.io/inject | |
sidecar.istio.io/interceptionMode | |
sidecar.istio.io/proxyImage | |
sidecar.istio.io/rewriteAppHTTPProbers | Rewrite HTTP readiness and liveness probes to be redirected to istio-proxy sidecar |
sidecar.istio.io/status | |
status.sidecar.istio.io/port | |
traffic.sidecar.istio.io/excludeInboundPorts | |
traffic.sidecar.istio.io/excludeOutboundIPRanges | |
traffic.sidecar.istio.io/excludeOutboundPorts | |
traffic.sidecar.istio.io/includeInboundPorts | |
traffic.sidecar.istio.io/includeOutboundIPRanges | |
traffic.sidecar.istio.io/kubevirtInterfaces |
Exported metrics
| Metric Name | Type | Description |
|---|