Documentation ¶
Overview ¶
Package inject implements the kube-inject and webhook auto-inject features that inject the sidecar proxy into Kubernetes workloads. Part of the package rewrites Kubernetes application probes (HTTP liveness and readiness probes) so that they keep working under mutual TLS: the kubelet speaks plaintext HTTP, which a sidecar enforcing strict mutual TLS would reject, so the probes are redirected to the pilot-agent status port (DefaultStatusPort) and the agent forwards them to the application.
Index ¶
- Constants
- func DumpAppProbers(podspec *corev1.PodSpec) string
- func FindSidecar(containers []corev1.Container) *corev1.Container
- func InitImageName(hub string, tag string, _ bool) string
- func IntoResourceFile(sidecarTemplate string, valuesConfig string, meshconfig *meshconfig.MeshConfig, ...) error
- func ProxyImageName(hub string, tag string, debug bool) string
- func ShouldRewriteAppHTTPProbers(annotations map[string]string, spec *SidecarInjectionSpec) bool
- func ValidateExcludeIPRanges(ipRanges string) error
- func ValidateExcludeInboundPorts(ports string) error
- func ValidateIncludeIPRanges(ipRanges string) error
- func ValidateIncludeInboundPorts(ports string) error
- type Config
- type InjectionPolicy
- type Params
- type SidecarInjectionSpec
- type SidecarInjectionStatus
- type SidecarTemplateData
- type Webhook
- type WebhookParameters
Constants ¶
const (
	DefaultSidecarProxyUID              = uint64(1337)
	DefaultVerbosity                    = 2
	DefaultImagePullPolicy              = "IfNotPresent"
	DefaultStatusPort                   = 15020
	DefaultReadinessInitialDelaySeconds = 1
	DefaultReadinessPeriodSeconds       = 2
	DefaultReadinessFailureThreshold    = 30
	DefaultIncludeIPRanges              = "*"
	DefaultIncludeInboundPorts          = "*"
	DefaultkubevirtInterfaces           = ""
)
Default values for injecting the istio proxy into Kubernetes resources. DefaultSidecarProxyUID is the UID the proxy container runs as; the init container's iptables rules exempt traffic originating from this UID from redirection so the proxy's own traffic is not looped back into it, which also means that any application process running as that UID bypasses the sidecar.
const (
// ProxyContainerName is used by e2e integration tests for fetching logs
ProxyContainerName = "istio-proxy"
)
const (
	// StatusPortCmdFlagName is the name of the command line flag passed to pilot-agent for the sidecar readiness probe.
	// We reuse it for taking over the application's readiness probing as well.
	// TODO: replace the hardcoded statusPort elsewhere by this variable as much as possible.
	StatusPortCmdFlagName = "statusPort"
)
Variables ¶
This section is empty.
Functions ¶
func DumpAppProbers ¶
func DumpAppProbers(podspec *corev1.PodSpec) string
DumpAppProbers returns the application containers' HTTP probes as a JSON-encoded string, in the format pilot-agent reads from `status.KubeAppProbers`. It also rewrites those probes so that every reference to a named container port is resolved to its integer port number, since the agent does not have the pod spec available to resolve port names itself.
func FindSidecar ¶
func FindSidecar(containers []corev1.Container) *corev1.Container
FindSidecar returns a pointer to the first container whose name is "istio-proxy" (ProxyContainerName), or nil if there is none.
func InitImageName ¶
func InitImageName(hub string, tag string, _ bool) string
InitImageName returns the fully qualified image name for the istio init image, given a Docker hub and tag. The boolean argument is accepted for symmetry with ProxyImageName but ignored (note the blank identifier in the signature).
func IntoResourceFile ¶
func IntoResourceFile(sidecarTemplate string, valuesConfig string, meshconfig *meshconfig.MeshConfig, in io.Reader, out io.Writer) error
IntoResourceFile reads Kubernetes YAML from in, injects the istio proxy (init containers, sidecar container and volumes) into each supported workload, and writes the modified YAML to out.
func ProxyImageName ¶
func ProxyImageName(hub string, tag string, debug bool) string
ProxyImageName returns the fully qualified image name for the istio proxy image, given a Docker hub and tag and whether to use the debug image.
func ShouldRewriteAppHTTPProbers ¶
func ShouldRewriteAppHTTPProbers(annotations map[string]string, spec *SidecarInjectionSpec) bool
ShouldRewriteAppHTTPProbers reports whether the application's HTTP probes should be rewritten, based on the pod annotations and the injection spec's RewriteAppHTTPProbe setting.
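The rewrite that DumpAppProbers and ShouldRewriteAppHTTPProbers cooperate on, written out as an added example (this is not the project's code): the original HTTP probes are captured with named ports resolved to integers, JSON-encoded the way `status.KubeAppProbers` is consumed, and the probes in the pod spec are re-pointed at the status port. The types are minimal stand-ins for the corev1 types in the real signatures (only the fields the rewrite touches are modelled), the `/app-health/<container>/<kind>` path layout is an illustrative assumption, and the pod spec is constructed sample data. Nothing is modified unless every probe resolves, so a probe that names an undeclared port is left intact rather than half-rewritten.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Defaults taken from the page's Constants section.
const (
	DefaultStatusPort  = 15020
	ProxyContainerName = "istio-proxy"
)

// Minimal stand-ins for the corev1 types (assumption: only the fields the
// rewrite touches are modelled). HTTPGetAction.Port is a number or a container
// port name, standing in for intstr.IntOrString.
type ContainerPort struct {
	Name          string
	ContainerPort int
}
type HTTPGetAction struct{ Path, Port, Scheme string }
type Probe struct{ HTTPGet *HTTPGetAction }
type Container struct {
	Name           string
	Ports          []ContainerPort
	ReadinessProbe *Probe
	LivenessProbe  *Probe
}
type PodSpec struct{ Containers []Container }

// AppProber is what pilot-agent needs to replay the kubelet's probe against the
// application: the original path and scheme, and the port as an integer.
type AppProber struct {
	Path   string `json:"path"`
	Port   int    `json:"port"`
	Scheme string `json:"scheme,omitempty"`
}

// resolvePort turns a numeric or named probe port into an integer.
func resolvePort(c Container, port string) (int, error) {
	if n, err := strconv.Atoi(port); err == nil {
		if n < 1 || n > 65535 {
			return 0, fmt.Errorf("container %q: probe port %d out of range", c.Name, n)
		}
		return n, nil
	}
	for _, p := range c.Ports {
		if p.Name == port {
			return p.ContainerPort, nil
		}
	}
	return 0, fmt.Errorf("container %q: named port %q not declared in ports", c.Name, port)
}

// proberPath is the path the rewritten probe hits on the status port (illustrative layout).
func proberPath(container, kind string) string { return "/app-health/" + container + "/" + kind }

// RewriteAppHTTPProbes re-points every HTTP liveness/readiness probe of the
// application containers at statusPort and returns the original probes, with
// named ports resolved, as the JSON the agent would read from
// status.KubeAppProbers. It returns "" when there is nothing to rewrite.
func RewriteAppHTTPProbes(spec *PodSpec, statusPort int) (string, error) {
	probers := map[string]AppProber{}
	var targets []*Probe
	var keys []string
	for i := range spec.Containers {
		c := &spec.Containers[i]
		if c.Name == ProxyContainerName {
			continue // the sidecar's own readiness probe already targets the agent
		}
		for kind, probe := range map[string]*Probe{"readyz": c.ReadinessProbe, "livez": c.LivenessProbe} {
			if probe == nil || probe.HTTPGet == nil {
				continue
			}
			port, err := resolvePort(*c, probe.HTTPGet.Port)
			if err != nil {
				return "", err // nothing has been modified yet
			}
			key := proberPath(c.Name, kind)
			probers[key] = AppProber{Path: probe.HTTPGet.Path, Port: port, Scheme: probe.HTTPGet.Scheme}
			targets = append(targets, probe)
			keys = append(keys, key)
		}
	}
	if len(probers) == 0 {
		return "", nil
	}
	// Rewrite only after every probe resolved: the kubelet then sends plaintext
	// HTTP to the agent on statusPort, and the agent replays the stored probe
	// against the application locally instead of the mTLS-enforcing sidecar
	// listener rejecting the kubelet's plaintext request.
	for i, probe := range targets {
		probe.HTTPGet = &HTTPGetAction{Path: keys[i], Port: strconv.Itoa(statusPort), Scheme: "HTTP"}
	}
	b, err := json.Marshal(probers) // map keys are emitted sorted
	return string(b), err
}

// sampleSpec is constructed input: an app with a named and a numeric probe port, plus the sidecar.
func sampleSpec() *PodSpec {
	return &PodSpec{Containers: []Container{
		{Name: "app", Ports: []ContainerPort{{Name: "http", ContainerPort: 8080}},
			ReadinessProbe: &Probe{HTTPGet: &HTTPGetAction{Path: "/healthz", Port: "http"}},
			LivenessProbe:  &Probe{HTTPGet: &HTTPGetAction{Path: "/live", Port: "8081"}}},
		{Name: ProxyContainerName, ReadinessProbe: &Probe{HTTPGet: &HTTPGetAction{Path: "/healthz/ready", Port: "15020"}}},
	}}
}

func main() {
	spec := sampleSpec()
	dump, err := RewriteAppHTTPProbes(spec, DefaultStatusPort)
	fmt.Println(dump, err)
	fmt.Printf("app readiness now -> :%s%s\n", spec.Containers[0].ReadinessProbe.HTTPGet.Port, spec.Containers[0].ReadinessProbe.HTTPGet.Path)
}
```

The stored probe keeps the original scheme, so an application that exposes an HTTPS health endpoint is still probed over HTTPS by the agent; only the kubelet-to-agent hop is changed.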
func ValidateExcludeIPRanges ¶
func ValidateExcludeIPRanges(ipRanges string) error
ValidateExcludeIPRanges validates the excludeIPRanges parameter: a comma-separated list of IP ranges in CIDR form whose outbound traffic will not be redirected to Envoy. Exclusions only take effect when includeIPRanges is "*" (see Params).
func ValidateExcludeInboundPorts ¶
func ValidateExcludeInboundPorts(ports string) error
ValidateExcludeInboundPorts validates the excludeInboundPorts parameter: a comma-separated list of inbound ports whose traffic will not be redirected to Envoy. Exclusions only take effect when includeInboundPorts is "*". Traffic on an excluded port reaches the application directly, so it is not covered by the sidecar's mutual TLS or authorization enforcement.
func ValidateIncludeIPRanges ¶
func ValidateIncludeIPRanges(ipRanges string) error
ValidateIncludeIPRanges validates the includeIPRanges parameter: either "*" (redirect all outbound traffic) or a comma-separated list of IP ranges in CIDR form.
func ValidateIncludeInboundPorts ¶
func ValidateIncludeInboundPorts(ports string) error
ValidateIncludeInboundPorts validates the includeInboundPorts parameter: either "*" (redirect all inbound ports) or a comma-separated list of port numbers.
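An added example of validators with the semantics the Params docs describe (this is not the project's implementation, whose exact rules may differ): the include lists accept "*" or a comma-separated list, the exclude lists accept only a list, CIDRs must parse with net.ParseCIDR and ports must be integers in 1-65535. Tokens are taken as-is without whitespace trimming, which is this example's choice. CheckInboundCapture goes one step further than the per-parameter validators and flags the configuration that the docs say is silently ignored: an exclude list paired with an include list other than "*".

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// validateCIDRList checks a comma-separated list of IP ranges in CIDR form.
// The empty string means "no ranges" and is accepted. Tokens are taken as-is,
// so "10.0.0.0/8, 10.1.0.0/16" (with a space) is rejected.
func validateCIDRList(ipRanges string) error {
	if ipRanges == "" {
		return nil
	}
	for _, r := range strings.Split(ipRanges, ",") {
		if _, _, err := net.ParseCIDR(r); err != nil {
			return fmt.Errorf("invalid CIDR %q: %w", r, err)
		}
	}
	return nil
}

// validatePortList checks a comma-separated list of port numbers in 1-65535.
func validatePortList(ports string) error {
	if ports == "" {
		return nil
	}
	for _, p := range strings.Split(ports, ",") {
		n, err := strconv.ParseUint(p, 10, 16)
		if err != nil || n == 0 {
			return fmt.Errorf("invalid port %q: want an integer in 1-65535", p)
		}
	}
	return nil
}

// ValidateIncludeIPRanges accepts "*" (redirect all outbound traffic) or a CIDR list.
func ValidateIncludeIPRanges(ipRanges string) error {
	if ipRanges == "*" {
		return nil
	}
	return validateCIDRList(ipRanges)
}

// ValidateExcludeIPRanges accepts a CIDR list only: excluding "*" would take the
// workload's entire outbound traffic out of the mesh, so it is refused explicitly.
func ValidateExcludeIPRanges(ipRanges string) error {
	if strings.Contains(ipRanges, "*") {
		return fmt.Errorf("excludeIPRanges %q: wildcard is not allowed in an exclude list", ipRanges)
	}
	return validateCIDRList(ipRanges)
}

// ValidateIncludeInboundPorts accepts "*" (redirect all inbound ports) or a port list.
func ValidateIncludeInboundPorts(ports string) error {
	if ports == "*" {
		return nil
	}
	return validatePortList(ports)
}

// ValidateExcludeInboundPorts accepts a port list only, for the same reason as above.
func ValidateExcludeInboundPorts(ports string) error {
	if strings.Contains(ports, "*") {
		return fmt.Errorf("excludeInboundPorts %q: wildcard is not allowed in an exclude list", ports)
	}
	return validatePortList(ports)
}

// CheckInboundCapture validates both inbound parameters together. Exclusions
// apply only when the include list is "*"; an exclude list next to an explicit
// include list is ignored, which makes it easy to believe a port bypasses the
// sidecar when it does not, so that combination is reported as an error here.
func CheckInboundCapture(includePorts, excludePorts string) error {
	if err := ValidateIncludeInboundPorts(includePorts); err != nil {
		return err
	}
	if err := ValidateExcludeInboundPorts(excludePorts); err != nil {
		return err
	}
	if excludePorts != "" && includePorts != "*" {
		return fmt.Errorf("excludeInboundPorts %q has no effect unless includeInboundPorts is \"*\" (got %q)", excludePorts, includePorts)
	}
	return nil
}

func main() {
	for _, c := range [][2]string{{"*", "22"}, {"8080", "22"}, {"8080", ""}, {"*", "http"}} {
		fmt.Printf("include=%q exclude=%q -> %v\n", c[0], c[1], CheckInboundCapture(c[0], c[1]))
	}
}
```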
Types ¶
type Config ¶
type Config struct {
	Policy InjectionPolicy `json:"policy"`

	// Template is the templated version of `SidecarInjectionSpec` prior to
	// expansion over the `SidecarTemplateData`.
	Template string `json:"template"`

	// NeverInjectSelector: Refuses the injection on pods whose labels match this selector.
	// It's an array of label selectors, that will be OR'ed, meaning we will iterate
	// over it and stop at the first match.
	// Takes precedence over AlwaysInjectSelector.
	NeverInjectSelector []metav1.LabelSelector `json:"neverInjectSelector"`

	// AlwaysInjectSelector: Forces the injection on pods whose labels match this selector.
	// It's an array of label selectors, that will be OR'ed, meaning we will iterate
	// over it and stop at the first match.
	AlwaysInjectSelector []metav1.LabelSelector `json:"alwaysInjectSelector"`
}
Config specifies the sidecar injection configuration. This includes the sidecar template and the cluster-side injection policy. It is used by kube-inject, the sidecar injector webhook, and the HTTP endpoint.
type InjectionPolicy ¶
type InjectionPolicy string
InjectionPolicy determines the policy for injecting the sidecar proxy into the watched namespace(s).
const (
	// InjectionPolicyDisabled specifies that the sidecar injector
	// will not inject the sidecar into resources by default for the
	// namespace(s) being watched. Resources can enable injection
	// using the "sidecar.istio.io/inject" annotation with value of
	// true.
	InjectionPolicyDisabled InjectionPolicy = "disabled"

	// InjectionPolicyEnabled specifies that the sidecar injector will
	// inject the sidecar into resources by default for the
	// namespace(s) being watched. Resources can disable injection
	// using the "sidecar.istio.io/inject" annotation with value of
	// false.
	InjectionPolicyEnabled InjectionPolicy = "enabled"
)
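How the policy, the "sidecar.istio.io/inject" annotation and the Config selectors combine, as an added example (not the project's decision function): selectors are OR'ed and NeverInjectSelector wins over AlwaysInjectSelector, as the Config docs state; this example additionally lets an explicit annotation override both selectors, an ordering the page does not spell out, and fails closed on an unknown policy value. LabelSelector is a simplified stand-in for metav1.LabelSelector that models matchLabels only (an empty selector matches every pod, as in Kubernetes). The labels and annotations in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

type InjectionPolicy string

const (
	InjectionPolicyDisabled InjectionPolicy = "disabled"
	InjectionPolicyEnabled  InjectionPolicy = "enabled"
)

// InjectAnnotation is the pod annotation named in the InjectionPolicy docs.
const InjectAnnotation = "sidecar.istio.io/inject"

// LabelSelector stands in for metav1.LabelSelector (assumption: matchLabels
// only, no matchExpressions). An empty selector matches every pod.
type LabelSelector map[string]string

// Matches reports whether every key/value of the selector is present in labels.
func (s LabelSelector) Matches(labels map[string]string) bool {
	for k, v := range s {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// anyMatch ORs the selectors, stopping at the first match.
func anyMatch(selectors []LabelSelector, labels map[string]string) bool {
	for _, s := range selectors {
		if s.Matches(labels) {
			return true
		}
	}
	return false
}

type Config struct {
	Policy               InjectionPolicy
	NeverInjectSelector  []LabelSelector
	AlwaysInjectSelector []LabelSelector
}

// ShouldInject decides whether a pod gets a sidecar and returns the reason.
// Order: explicit annotation, NeverInjectSelector, AlwaysInjectSelector, policy.
// An annotation with any value other than "true"/"false" falls through to the
// selectors and policy.
func ShouldInject(cfg Config, annotations, labels map[string]string) (bool, string) {
	switch strings.ToLower(annotations[InjectAnnotation]) {
	case "true":
		return true, "annotation " + InjectAnnotation + "=true"
	case "false":
		return false, "annotation " + InjectAnnotation + "=false"
	}
	if anyMatch(cfg.NeverInjectSelector, labels) {
		return false, "matched neverInjectSelector"
	}
	if anyMatch(cfg.AlwaysInjectSelector, labels) {
		return true, "matched alwaysInjectSelector"
	}
	switch cfg.Policy {
	case InjectionPolicyEnabled:
		return true, "namespace policy enabled"
	case InjectionPolicyDisabled:
		return false, "namespace policy disabled"
	}
	// Fail closed: a misspelt or missing policy must not silently inject.
	return false, fmt.Sprintf("unknown policy %q, not injecting", cfg.Policy)
}

func main() {
	cfg := Config{
		Policy:               InjectionPolicyEnabled,
		NeverInjectSelector:  []LabelSelector{{"sidecar-opt-out": "true"}},
		AlwaysInjectSelector: []LabelSelector{{"mesh-required": "true"}},
	}
	for _, pod := range []struct{ ann, labels map[string]string }{
		{nil, map[string]string{"app": "web"}},
		{map[string]string{InjectAnnotation: "false"}, nil},
		{nil, map[string]string{"sidecar-opt-out": "true", "mesh-required": "true"}},
	} {
		ok, why := ShouldInject(cfg, pod.ann, pod.labels)
		fmt.Printf("inject=%v (%s)\n", ok, why)
	}
}
```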
type Params ¶
type Params struct {
	InitImage       string `json:"initImage"`
	ProxyImage      string `json:"proxyImage"`
	Version         string `json:"version"`
	ImagePullPolicy string `json:"imagePullPolicy"`
	Tracer          string `json:"tracer"`

	// Comma separated list of IP ranges in CIDR form. If set, only redirect outbound traffic to Envoy for these IP
	// ranges. All outbound traffic can be redirected with the wildcard character "*". Defaults to "*".
	IncludeIPRanges string `json:"includeIPRanges"`

	// Comma separated list of IP ranges in CIDR form. If set, outbound traffic will not be redirected for
	// these IP ranges. Exclusions are only applied if configured to redirect all outbound traffic. By default,
	// no IP ranges are excluded.
	ExcludeIPRanges string `json:"excludeIPRanges"`

	// Comma separated list of inbound ports for which traffic is to be redirected to Envoy. All ports can be
	// redirected with the wildcard character "*". Defaults to "*".
	IncludeInboundPorts string `json:"includeInboundPorts"`

	// Comma separated list of inbound ports. If set, inbound traffic will not be redirected for those ports.
	// Exclusions are only applied if configured to redirect all inbound traffic. By default, no ports are excluded.
	ExcludeInboundPorts string `json:"excludeInboundPorts"`

	// Comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound.
	// By default, no interfaces are configured.
	KubevirtInterfaces string `json:"kubevirtInterfaces"`

	Verbosity                    int                    `json:"verbosity"`
	SidecarProxyUID              uint64                 `json:"sidecarProxyUID"`
	Mesh                         *meshconfig.MeshConfig `json:"-"`
	StatusPort                   int                    `json:"statusPort"`
	ReadinessInitialDelaySeconds uint32                 `json:"readinessInitialDelaySeconds"`
	ReadinessPeriodSeconds       uint32                 `json:"readinessPeriodSeconds"`
	ReadinessFailureThreshold    uint32                 `json:"readinessFailureThreshold"`
	RewriteAppHTTPProbe          bool                   `json:"rewriteAppHTTPProbe"`
	EnableCoreDump               bool                   `json:"enableCoreDump"`
	DebugMode                    bool                   `json:"debugMode"`
	Privileged                   bool                   `json:"privileged"`
	SDSEnabled                   bool                   `json:"sdsEnabled"`
	EnableSdsTokenMount          bool                   `json:"enableSdsTokenMount"`
}
Params describes the configurable parameters for injecting the istio proxy into a Kubernetes resource. Privileged and EnableCoreDump loosen the proxy's security posture (a privileged container, and core files that can capture the proxy's in-memory keys and certificates), so treat them as debugging aids rather than production defaults.
type SidecarInjectionSpec ¶
type SidecarInjectionSpec struct {
	// RewriteAppHTTPProbe indicates whether Kubernetes HTTP probers in the PodSpec
	// will be rewritten to be redirected by pilot agent.
	RewriteAppHTTPProbe bool                           `yaml:"rewriteAppHTTPProbe"`
	InitContainers      []corev1.Container             `yaml:"initContainers"`
	Containers          []corev1.Container             `yaml:"containers"`
	Volumes             []corev1.Volume                `yaml:"volumes"`
	DNSConfig           *corev1.PodDNSConfig           `yaml:"dnsConfig"`
	ImagePullSecrets    []corev1.LocalObjectReference  `yaml:"imagePullSecrets"`
}
SidecarInjectionSpec collects all container types and volumes for sidecar mesh injection.
func InjectionData ¶
func InjectionData(
	sidecarTemplate, valuesConfig, version string,
	deploymentMetadata *metav1.ObjectMeta,
	spec *corev1.PodSpec,
	metadata *metav1.ObjectMeta,
	proxyConfig *meshconfig.ProxyConfig,
	meshConfig *meshconfig.MeshConfig,
) (*SidecarInjectionSpec, string, error)
type SidecarInjectionStatus ¶
type SidecarInjectionStatus struct {
	Version          string   `json:"version"`
	InitContainers   []string `json:"initContainers"`
	Containers       []string `json:"containers"`
	Volumes          []string `json:"volumes"`
	ImagePullSecrets []string `json:"imagePullSecrets"`
}
SidecarInjectionStatus contains basic information about the injected sidecar. This includes the names of added containers and volumes.
type SidecarTemplateData ¶
type SidecarTemplateData struct {
	DeploymentMeta *metav1.ObjectMeta
	ObjectMeta     *metav1.ObjectMeta
	Spec           *corev1.PodSpec
	ProxyConfig    *meshconfig.ProxyConfig
	MeshConfig     *meshconfig.MeshConfig
	Values         map[string]interface{}
}
SidecarTemplateData is the data object to which the templated version of `SidecarInjectionSpec` is applied.
type Webhook ¶
type Webhook struct {
// contains filtered or unexported fields
}
Webhook implements a mutating webhook for automatic proxy injection.
func NewWebhook ¶
func NewWebhook(p WebhookParameters) (*Webhook, error)
NewWebhook creates a new instance of a mutating webhook for automatic sidecar injection.
type WebhookParameters ¶
type WebhookParameters struct {
	// ConfigFile is the path to the sidecar injection configuration file.
	ConfigFile string

	// ValuesFile is the path to the values file consulted when the sidecar
	// template is expanded (exposed to the template as Values).
	ValuesFile string

	// MeshFile is the path to the mesh configuration file.
	MeshFile string

	// CertFile is the path to the x509 certificate for https.
	CertFile string

	// KeyFile is the path to the x509 private key matching `CertFile`.
	KeyFile string

	// Port is the webhook port, e.g. typically 443 for https.
	Port int

	// HealthCheckInterval configures how frequently the health check
	// file is updated. Value of zero disables the health check
	// update.
	HealthCheckInterval time.Duration

	// HealthCheckFile specifies the path to the health check file
	// that is periodically updated.
	HealthCheckFile string
}
WebhookParameters configures parameters for the sidecar injection webhook. The API server verifies the certificate served from CertFile against the caBundle in the MutatingWebhookConfiguration; if that verification fails, whether pods are still admitted without a sidecar is decided by that configuration's failurePolicy, so the certificate must be kept valid and rotated before it expires.