Sidecar

    Services and configuration in a mesh are organized into one or more namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar configuration in a namespace will apply to one or more workload instances in the same namespace, selected using the workloadSelector field. In the absence of a workloadSelector, it will apply to all workload instances in the same namespace. When determining the Sidecar configuration to be applied to a workload instance, preference will be given to the resource with a workloadSelector that selects this workload instance, over a Sidecar configuration without any workloadSelector.

    NOTE 1: Each namespace can have only one Sidecar configuration without any workloadSelector. The behavior of the system is undefined if more than one selector-less Sidecar configurations exist in a given namespace. The behavior of the system is undefined if two or more Sidecar configurations with a workloadSelector select the same workload instance.

    NOTE 2: A Sidecar configuration in the MeshConfig root namespace will be applied by default to all namespaces without a Sidecar configuration. This global default Sidecar configuration should not have any workloadSelector.

    The example below declares a global default Sidecar configuration in the root namespace called istio-config, that configures sidecars in all namespaces to allow egress traffic only to other workloads in the same namespace, and to services in the istio-system namespace.

    The example below declares a Sidecar configuration in the prod-us1 namespace that overrides the global default defined above, and configures the sidecars in the namespace to allow egress traffic to public services in the prod-us1, prod-apis, and the istio-system namespaces.

    1. apiVersion: networking.istio.io/v1alpha3
    2. kind: Sidecar
    3. metadata:
    4.   name: default
    5.   namespace: prod-us1
    6. spec:
    7.   egress:
    8.   - hosts:
    9.     - "prod-us1/*"
    10.     - "prod-apis/*"
    11.     - "istio-system/*"

    The example below declares a Sidecar configuration in the prod-us1 namespace that accepts inbound HTTP traffic on port 9080 and forwards it to the attached workload instance listening on a Unix domain socket. In the egress direction, in addition to the istio-system namespace, the sidecar proxies only HTTP traffic bound for port 9080 for services in the prod-us1 namespace.

    If the workload is deployed without IPTables-based traffic capture, the Sidecar configuration is the only way to configure the ports on the proxy attached to the workload instance. The following example declares a Sidecar configuration in the prod-us1 namespace for all pods with labels app: productpage belonging to the productpage.prod-us1 service. Assuming that these pods are deployed without IPtable rules (i.e. the istio-init container) and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to NONE, the specification, below, allows such pods to receive HTTP traffic on port 9080 and forward it to the application listening on 127.0.0.1:8080. It also allows the application to communicate with a backing MySQL database on 127.0.0.1:3306, that then gets proxied to the externally hosted MySQL service at mysql.foo.com:3306.

    1. apiVersion: networking.istio.io/v1alpha3
    2. kind: Sidecar
    3. metadata:
    4.   name: no-ip-tables
    5. spec:
    6.   workloadSelector:
    7.     labels:
    8.       app: productpage
    9.   ingress:
    10.   - port:
    11.       number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
    12.       protocol: HTTP
    13.       name: somename
    14.     defaultEndpoint: 127.0.0.1:8080
    16.   egress:
    17.   - port:
    18.       number: 3306
    19.       protocol: MYSQL
    20.       name: egressmysql
    21.     captureMode: NONE # not needed if metadata is set for entire proxy
    22.     bind: 127.0.0.1
    23.     hosts:
    24.     - "*/mysql.foo.com"

    And the associated service entry for routing to mysql.foo.com:3306

    It is also possible to mix and match traffic capture modes in a single proxy. For example, consider a setup where internal services are on the 192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an additional network interface on 172.16.0.0/16 subnet for inbound traffic. The following Sidecar configuration allows the VM to expose a listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving from the 172.16.0.0/16 subnet. Note that in this scenario, the ISTIO_META_INTERCEPTION_MODE metadata on the proxy in the VM should contain REDIRECT or TPROXY as its value, implying that IP tables based traffic capture is active.

    1. apiVersion: networking.istio.io/v1alpha3
    2. kind: Sidecar
    3.   name: partial-ip-tables
    4.   namespace: prod-us1
    5. spec:
    6.   workloadSelector:
    7.     labels:
    8.       app: productpage
    9.   ingress:
    10.   - bind: 172.16.1.32
    11.     port:
    12.       number: 80 # binds to 172.16.1.32:80
    13.       protocol: HTTP
    14.       name: somename
    15.     defaultEndpoint: 127.0.0.1:8080
    16.     captureMode: NONE
    17.   egress:
    18.     # use the system detected defaults
    19.     # sets up configuration to handle outbound traffic to services
    20.     # in 192.168.0.0/16 subnet, based on information provided by the
    21.     # service registry
    22.   - captureMode: IPTABLES
    23.     hosts:
    24.     - "*/*"

    CaptureMode describes how traffic to a listener is expected to be captured. Applicable only when the listener is bound to an IP.

    IstioEgressListener

    IstioEgressListener specifies the properties of an outbound traffic listener on the sidecar proxy attached to a workload instance.

    FieldTypeDescriptionRequired
    portPort

    The port associated with the listener. If using Unix domain socket, use 0 as the port number, with a valid protocol. The port if specified, will be used as the default destination port associated with the imported hosts. If the port is omitted, Istio will infer the listener ports based on the imported hosts. Note that when multiple egress listeners are specified, where one or more listeners have specific ports while others have no port, the hosts exposed on a listener port will be based on the listener with the most specific port.

    		No
    bindstring

    The IP or the Unix domain socket to which the listener should be bound to. Port MUST be specified if bind is not empty. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If omitted, Istio will automatically configure the defaults based on imported services, the workload instances to which this configuration is applied to and the captureMode. If captureMode is NONE, bind will default to 127.0.0.1.

    		No
    captureMode

    When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). captureMode must be DEFAULT or NONE for Unix domain socket binds.

    		No
    hostsstring[]

    One or more service hosts exposed by the listener in namespace/dnsName format. Services in the specified namespace matching dnsName will be exposed. The corresponding service can be a service in the service registry (e.g., a Kubernetes or cloud foundry service) or a service specified using a ServiceEntry or VirtualService configuration. Any associated DestinationRule in the same namespace will also be used.

    The should be specified using FQDN format, optionally including a wildcard character in the left-most component (e.g., prod/.example.com). Set the dnsName to to select all services from the specified namespace (e.g., prod/).

    The namespace can be set to , ., or ~, representing any, the current, or no namespace, respectively. For example, /foo.example.com selects the service from any available namespace while ./foo.example.com only selects the service from the namespace of the sidecar. If a host is set to /, Istio will configure the sidecar to be able to reach every service in the mesh that is exported to the sidecar’s namespace. The value ~/ can be used to completely trim the configuration for sidecars that simply receive traffic and respond, but make no outbound connections of their own.

    NOTE: Only services and configuration artifacts exported to the sidecar’s namespace (e.g., exportTo value of ) can be referenced. Private configurations (e.g., exportTo set to .) will not be available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

    WARNING: The list of egress hosts in a Sidecar must also include the Mixer control plane services if they are enabled. Envoy will not be able to reach them otherwise. For example, add host istio-system/istio-telemetry.istio-system.svc.cluster.local if telemetry is enabled, istio-system/istio-policy.istio-system.svc.cluster.local if policy is enabled, or add istio-system/ to allow all services in the istio-system namespace. This requirement is temporary and will be removed in a future Istio release.

    		Yes

    IstioIngressListener specifies the properties of an inbound traffic listener on the sidecar proxy attached to a workload instance.

    OutboundTrafficPolicy

    OutboundTrafficPolicy sets the default behavior of the sidecar for handling outbound traffic from the application. If your application uses one or more external services that are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination. Users are strongly encouraged to use ServiceEntry configurations to explicitly declare any external dependencies, instead of using ALLOW_ANY, so that traffic to these services can be monitored.

    FieldTypeDescriptionRequired
    modeNo

    Sidecar

    Sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication of the workload instance to which it is attached.

    FieldTypeDescriptionRequired
    workloadSelector

    Criteria used to select the specific set of pods/VMs on which this Sidecar configuration should be applied. If omitted, the Sidecar configuration will be applied to all workload instances in the same namespace.

    		No
    ingressIstioIngressListener[]

    Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. If omitted, Istio will automatically configure the sidecar based on the information about the workload obtained from the orchestration platform (e.g., exposed ports, services, etc.). If specified, inbound ports are configured if and only if the workload instance is associated with a service.

    		No
    egress

    Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh.

    		Yes
    outboundTrafficPolicyOutboundTrafficPolicy

    This allows to configure the outbound traffic policy. If your application uses one or more external services that are not known apriori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination.

    		No