1

I am currently evaluating the Istio mesh within a bare-metal Kubernetes deployment. Everything is just fine so far; I use the sidecar auto-injection with the namespace labels.

Now to my question:

Should the namespaces kube-system and istio-system be labeled for sidecar injection as well? Or is this not advisable?

Thanks for any advice

chrstnwhlrt

1 Answer

2

Should the namespaces kube-system and istio-system be labeled for sidecar injection as well?

No, it should not.

It's against security rules.

  • sidecars cannot be injected in the kube-system or kube-public namespaces
  • sidecars cannot be injected into pods that use the host network

Please read this Sidecar Injection Webhook

Crou
  • Thanks for the link, does this apply to istio-system as well? – chrstnwhlrt Jul 29 '19 at 14:29
  • If you read the docs you will see they enabled only `default` for injection and `disabled` istio-system, kube-public and kube-system. – Crou Jul 29 '19 at 14:32
  • In the default deployment there is no disabled label for those namespaces. The example you linked even shows: `kubectl label namespace istio-system istio-injection=disabled --overwrite`, which shouldn't be allowed for the istio-system namespace, correct? – chrstnwhlrt Jul 29 '19 at 14:35
  • Yes, `default` is the only one enabled. Others are `disabled`. – Crou Jul 29 '19 at 14:37
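
An added example, not part of the original answer or the Istio docs: a small audit of the rules quoted above, run over the JSON that `kubectl get namespaces -o json` and `kubectl get pods --all-namespaces -o json` produce. The function name, the constructed sample data, and treating istio-system as a system namespace alongside kube-system and kube-public are assumptions of this example.

```python
import json

# Assumption: namespaces that the answer and its comments say should not
# carry istio-injection=enabled.
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "istio-system"}


def audit_injection(namespaces_json, pods_json):
    """Return (system namespaces labeled for injection,
    hostNetwork pods in injection-enabled namespaces)."""
    namespaces = json.loads(namespaces_json)["items"]
    pods = json.loads(pods_json)["items"]
    # A namespace opts in to auto-injection with the label istio-injection=enabled.
    enabled = {
        ns["metadata"]["name"]
        for ns in namespaces
        if (ns["metadata"].get("labels") or {}).get("istio-injection") == "enabled"
    }
    mislabeled = sorted(enabled & SYSTEM_NAMESPACES)
    # Pods on the host network get no sidecar even in an enabled namespace,
    # so they run outside the mesh and are worth listing explicitly.
    skipped = sorted(
        f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
        for p in pods
        if p["metadata"]["namespace"] in enabled
        and p.get("spec", {}).get("hostNetwork") is True
    )
    return mislabeled, skipped


# Constructed sample input (not taken from a real cluster).
SAMPLE_NAMESPACES = json.dumps({"items": [
    {"metadata": {"name": "default", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "kube-system", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "kube-public"}},
    {"metadata": {"name": "istio-system", "labels": {"istio-injection": "disabled"}}},
    {"metadata": {"name": "monitoring", "labels": {"istio-injection": "enabled"}}},
]})
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "web"}, "spec": {}},
    {"metadata": {"namespace": "monitoring", "name": "node-exporter"},
     "spec": {"hostNetwork": True}},
]})

if __name__ == "__main__":
    mislabeled, skipped = audit_injection(SAMPLE_NAMESPACES, SAMPLE_PODS)
    print("system namespaces labeled for injection:", mislabeled)
    print("hostNetwork pods without a sidecar:", skipped)
```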