Simple Sidecar (Injector)
This repo was originally forked from morvencao's kube-sidecar-injector. It's been productionized and turned into a simple generic Kubernetes sidecar injector (using a Kubernetes MutatingAdmissionWebhook).
Quick Start
You will need a certificate for the mutating admission webhook that powers simple-sidecar. For a serious deployment it is recommended that you use Certificate Manager's CA Injector functionality, as certificates inevitably expire and need to be replaced. For this quickstart we're just going to use the openssl CLI.
Some configuration we'll use:
NAMESPACE=simple-sidecar # helm chart default value
TLS_SECRET_NAME=simple-sidecar-tls #helm chart default value
SERVICE_NAME=simple-sidecar # the helm chart default name
Create the namespace in kubectl if it doesn't already exist:
kubectl create ns $NAMESPACE
Generate the certificates:
cd examples
Create the secrets using the command printed:
kubectl create secret generic simple-sidecar --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt --namespace simple-sidecar
Create a values.yaml for the helm installation, using the caBundle provided by the script:
- args:
  - -c
  - sleep infinity
  command:
  - /bin/sh
  image: ubuntu
  name: ubuntu
Install the helm chart:
helm install simple-sidecar ./charts/simple-sidecar -f values.yaml
Let's inject the ubuntu container into another pod. First we need to create (or update) a namespace with the sidecar-injection label set to enabled:
kubectl apply -f - << EOF
apiVersion: v1
kind: Namespace
metadata:
  labels:
    sidecar-injection: enabled
  name: injectable
EOF
Now let's create a pod with the annotation pointing to the ubuntu pod we've configured:
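kubectl apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: injectable
  annotations:
    <injection-annotation-key>: "ubuntu"  # placeholder: the annotation key is not shown on this page
spec:
  containers:
  - name: curl-container
    image: curlimages/curl
    command: ["/bin/sleep"]
    args: ["infinity"]
EOF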
You should now have an ubuntu container injected into your curl pod:
kubectl get pod my-pod -n injectable -o jsonpath='{.spec.containers}' | jq
"sleep infinity"
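The certificate step of the quick start can be reproduced with the openssl CLI as shown here. This is an added example, not the repository's own script under examples; the function names, script name and one-year lifetime are assumptions, while the output file names match the kubectl create secret command above.

```shell
#!/bin/sh
# Added example (not the repository's script): throwaway CA plus a serving
# certificate for the webhook Service, written as ca.crt, server.crt, server.key.
set -eu

NAMESPACE="${NAMESPACE:-simple-sidecar}"        # helm chart default value
SERVICE_NAME="${SERVICE_NAME:-simple-sidecar}"  # helm chart default name

# gen_webhook_certs OUTDIR (hypothetical helper name)
gen_webhook_certs() {
  out="$1"
  svc_dns="${SERVICE_NAME}.${NAMESPACE}.svc"
  mkdir -p "$out"
  # The API server dials the webhook as <service>.<namespace>.svc and matches
  # that name against subjectAltName only; the CN is ignored.
  # cluster.local is the default cluster domain (assumed here).
  cat > "$out/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:${svc_dns},DNS:${svc_dns}.cluster.local
EOF
  # Self-signed CA; its certificate is what goes into caBundle.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=simple-sidecar quickstart CA" \
    -keyout "$out/ca.key" -out "$out/ca.crt"
  # Server key and CSR, then a certificate signed by the CA with the SANs above.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=${svc_dns}" \
    -keyout "$out/server.key" -out "$out/server.csr"
  openssl x509 -req -sha256 -days 365 -in "$out/server.csr" \
    -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -extfile "$out/server.ext" -out "$out/server.crt"
  chmod 600 "$out/server.key"
  # Drop the CA key so nothing else can be issued under this caBundle.
  rm -f "$out/ca.key" "$out/ca.srl" "$out/server.csr" "$out/server.ext"
}

# ca_bundle OUTDIR: the CA certificate as single-line base64 for values.yaml.
ca_bundle() {
  openssl base64 -A -in "$1/ca.crt"
}

# Usage: sh gen-certs.sh generate [OUTDIR]   (script name is an assumption)
if [ "${1:-}" = "generate" ]; then
  gen_webhook_certs "${2:-.}"
  printf 'caBundle: %s\n' "$(ca_bundle "${2:-.}")"
fi
```

Because the CA key is deleted after signing, replacing the serving certificate means generating a new CA and updating caBundle as well.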
Configuring sidecars
The easiest way to learn what can be configured is to look at the Config struct in pkg/webhook/webhook.go:
go doc -all pkg/webhook/webhook.go
Look for:
type Config struct {
    // InitContainers - inject one or more initContainers into the pod spec.
    InitContainers []corev1.Container
    // Containers - inject one or more containers into the pod spec.
    Containers []corev1.Container
    // ExistingContainerConfig - configuration for injecting into the pre-existing containers.
}
    Config is the struct used to parse injection config items for Simple
    Sidecar. The InitContainers, Containers, Volumes, and EnvVars fields are
    arrays of Kubernetes objects that will be added to the pod spec.

type ExistingContainerConfig struct {
    // Volumes - inject one or more volumes into pre-existing pod specs.
    Volumes []corev1.Volume
    // EnvVars - inject one or more environment variables into pre-existing container specs.
    EnvVars []corev1.EnvVar
    // VolumeMounts - inject one or more volume mounts into pre-existing container specs.
    // BEFORE sidecar injection.
    VolumeMounts []corev1.VolumeMount
}
    ExistingContainerConfig provides configuration for injecting into the
    pre-existing containers. This is useful for utilizing the functionality of
    injected containers
The fields of these Config structs reference the Kubernetes Go source itself, so the syntax exactly matches what you would write if you were defining a container etc. by hand in YAML. You can check out the source here.
Basic Config
Define a config type in your values.yaml:
- args:
  - -c
  - sleep infinity
  command:
  - /bin/sh
  image: ubuntu
  name: ubuntu
In order to use the 'mytype' injection:
1) Create or update a namespace with the 'sidecar-injection: enabled' *label*.
2) Create a pod in this namespace with the ' mytype' annotation.
That's it. Define as many configurations as you like, with either containers or initContainers.
Advanced Config
You can also inject things like:
- volumes into the existing pods
- environment variables, volume mounts into the pre-existing containers
This lets you leverage functionality that might be provided by your injected containers.
Using cert-manager's CA Injector
Follow the documentation for installing cert-manager and then for using its CA Injector functionality.
Set up a self-signed certificate that will auto-update in the secret location you've configured simple-sidecar to use.