Automatic Sidecar Injection

Automatic sidecar injection adds the sidecar proxy into user-created pods. It uses a MutatingWebhook to append the sidecar's containers and volumes to each pod's template spec at creation time. Injection can be scoped to particular sets of namespaces using the webhook's namespaceSelector mechanism. Injection can also be enabled and disabled per pod with an annotation.

Whether or not a sidecar is injected depends on three pieces of configuration and two security rules:

Configuration:

  • webhook's namespaceSelector
  • default policy
  • per-pod override annotation

Security rules:

  • sidecars cannot be injected in the kube-system or kube-public namespaces
  • sidecars cannot be injected into pods that use the host network

The following truth table shows the final injection status based on the three configuration items. The security rules above cannot be overridden.

namespaceSelector match | default policy | Pod override annotation sidecar.istio.io/inject | Sidecar injected?
----------------------- | -------------- | ---------------------------------------------- | -----------------
yes                     | enabled        | true (default)                                 | yes
yes                     | enabled        | false                                          | no
yes                     | disabled       | true                                           | yes
yes                     | disabled       | false (default)                                | no
no                      | enabled        | true (default)                                 | no
no                      | enabled        | false                                          | no
no                      | disabled       | true                                           | no
no                      | disabled       | false (default)                                | no
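The decision logic of the truth table and the two security rules, written out as an added example (not Istio's own webhook code) and applied to a pod manifest; the function names and the constructed sample pod are assumptions of this example:

```python
# Added example, not part of the Istio docs or code base: a model of the
# injection decision as the page describes it, applied to pod manifests.
# Function and variable names are hypothetical.

PROTECTED_NAMESPACES = {"kube-system", "kube-public"}
INJECT_ANNOTATION = "sidecar.istio.io/inject"


def should_inject(namespace_selected, default_policy, annotation,
                  namespace="default", host_network=False):
    """Return True when the webhook would add the sidecar.

    namespace_selected: whether the webhook's namespaceSelector matched.
    default_policy:     "enabled" or "disabled".
    annotation:         value of sidecar.istio.io/inject on the pod, or None.
    """
    # Security rules: these can never be overridden by configuration.
    if namespace in PROTECTED_NAMESPACES or host_network:
        return False
    # The namespaceSelector gates everything: no match, no injection.
    if not namespace_selected:
        return False
    # A per-pod annotation overrides the default policy when present.
    if annotation is not None:
        return str(annotation).strip().lower() == "true"
    return default_policy == "enabled"


def should_inject_pod(pod, namespace_selected, default_policy):
    """Evaluate a Kubernetes pod manifest (a dict) with the rules above."""
    metadata = pod.get("metadata", {})
    spec = pod.get("spec", {})
    return should_inject(
        namespace_selected,
        default_policy,
        metadata.get("annotations", {}).get(INJECT_ANNOTATION),
        namespace=metadata.get("namespace", "default"),
        host_network=bool(spec.get("hostNetwork", False)),
    )


# Constructed sample pod: the annotation opts in, but hostNetwork blocks it.
SAMPLE_POD = {
    "metadata": {"namespace": "default",
                 "annotations": {INJECT_ANNOTATION: "true"}},
    "spec": {"hostNetwork": True, "containers": [{"name": "app"}]},
}

if __name__ == "__main__":
    print(should_inject_pod(SAMPLE_POD, True, "disabled"))
```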