Istio sidecar 自动注入原理、开启全局注入（在所有命名空间自动注入）

一、背景介绍

Istio 作为重要的 ServiceMesh 框架，已经被越来越多的公司所使用。在 Istio 体系中，应用容器的出入流量都需要经过 Sidecar 的拦截和处理。默认地，Istio sidecar 自动注入是通过给 namespace 打 istio-injection=enabled 或 istio-injection=disabled 标签，来确定是否在该命名空间执行自动注入。但有些场景，用户可能需要开启全局自动注入，希望在所有命名空间自动注入。那就要给所有的 namespace 都打上 istio-injection=enabled 标签吗？是不是感觉略微繁琐了些呢？本文介绍一种简便方法实现全局自动注入。

二、原理剖析

先看一张自动注入原理图：

自动注入是通过 kube-apiserver 准入控制实现的。简单来说，istio-sidecar-injector 服务提供一个 webservice 用于提供自动注入服务（该服务使用 istio-sidecar-injector ConfigMap 作为注入配置），而定义在何种情况下 kube-apiserver 需要向 istio-sidecar-injector 服务发送请求进行注入的是 istio-sidecar-injector MutatingAdmissionWebhook。
我们的切入点就是 istio-sidecar-injector MutatingAdmissionWebhook！

三、实现步骤

3.1 首先查看现有 istio-sidecar-injector MutatingAdmissionWebhook 配置

$ kubectl describe mutatingwebhookconfiguration istio-sidecar-injector
Name:         istio-sidecar-injector
Namespace:    
Labels:       app=sidecarInjectorWebhook
              chart=sidecarInjectorWebhook
              heritage=Tiller
              release=istio
Annotations:  
API Version:  admissionregistration.k8s.io/v1beta1
Kind:         MutatingWebhookConfiguration
Metadata:
  Creation Timestamp:  2019-05-29T06:41:17Z
  Generation:          2
  Resource Version:    15505
  Self Link:           /apis/admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations/istio-sidecar-injector
  UID:                 c2f56ba3-81dc-11e9-b133-000c29eb48e3
Webhooks:
  Admission Review Versions:
    v1beta1
  Client Config:
    Ca Bundle:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMzakNDQWNhZ0F3SUJBZ0lSQUloOXdwRjdjbnk4SC9NS294S0J1cVF3RFFZSktvWklodmNOQVFFTEJRQXcKR0RFV01CUUdBMVVFQ2hNTlkyeDFjM1JsY2k1c2IyTmhiREFlRncweE9UQTFNamt3TmpJMU1qRmFGdzB5TURBMQpNamd3TmpJMU1qRmFNQmd4RmpBVUJnTlZCQW9URFdOc2RYTjBaWEl1Ykc5allXd3dnZ0VpTUEwR0NTcUdTSWIzCkRRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3dXYitrRGE0ZkdqVzJzZlhrTEhiK2UvM1Z0cDA1VlJPTklhaE4Kd01oTzJCNnRzRU1pMlJ6c2ljc015YWRiK2lhOG5tSmw1THhXTi81cTVCYnF2WVlvclNhOUZHZ21RTkFPOURrNApNdksvOHJZMnZScGptdCsrS1o0cW9lWUJsNHRhWHhQS2t0ODhLSWxqeklXL3J4cEwzNWk4dzlrMEl4UThVdFRNCkZlLzFGWDVuQmxyZTNRQnJVNTdyb2pRU2ZJRkh2N2hMNjdMN2krU0I4blNacWM1UjhsUkhBVkdOUmk2aGJObmwKSG83VkJHWUVFdS9yMWZPd3dMdE1OR3BVYk1XNlg4M1B3OHpaY3ZtWHBXSi9KUldjbGVhYzJod2d0cGRmWUlzZgoySXJxczRKKzExZUdLU25IZXA2a2FiNVRoQjd1N1R2eElZOWNPVlNoQnRkMzZ4S1pBZ01CQUFHakl6QWhNQTRHCkExVWREd0VCL3dRRUF3SUNCREFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUIKQVFDbFQySzE2QVZTRkd5OCsycGw1Nk4zUW5qc1dyMSt3KzdhRTh2Q2hzem5sdFVBajNBa1c4OTBaaVJDdU9FZQo2Q2VzNW0wK1FoeWxQQXhUSHlob0ZsTmlOM2I3aHZwWmFOWGlueWszcjE0cG5XNzd3bXZ0a3Y1TlJOeUpXeXNSClBUdFk4OVI0cENpZXhwQ1pmS1dIdDVVTlpSMzE3ZG12RW43WFluT1lHdlFsWU1NMFNpdjVHVWczeUxteXBqUmsKbUMxcmZpZk5rRmdVeTRwMFpqZXFycU5QbHhjS1RNUmk1VmtEUGdPZm11RVFFa3pjMjhWL3hvNlFEMU1OOHJKRQpEN0FNbUN6MTBBaGkybndTN1E0OWlHeVozeEVLS0IrTUJhVlh4THRMOXFENkwxOXZ3alVQMUlzdXh0bExqTkl5ClErZXhSd3FJeDQvZE1JY2dzdVBsdU9ZUQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    Service:
      Name:        istio-sidecar-injector
      Namespace:   istio-system
      Path:        /inject
  Failure Policy:  Fail
  Name:            sidecar-injector.istio.io
  Namespace Selector:
    Match Labels:
      Istio - Injection:  enabled
  Rules:
    API Groups:
      
    API Versions:
      v1
    Operations:
      CREATE
    Resources:
      pods
    Scope:          *
  Side Effects:     Unknown
  Timeout Seconds:  30
Events:             

看到中间那句了没，是关于命名空间选择的：

  Namespace Selector:
    Match Labels:
      Istio - Injection:  enabled

默认配置是只有包含 istio-injection=enabled 标签的命名空间内的 Pod 创建时才能调用 istio-sidecar-injector 服务完成自动注入。

我们编辑这个文件：

$ kubectl edit mutatingwebhookconfiguration istio-sidecar-injector
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  creationTimestamp: "2019-05-29T06:41:17Z"
  generation: 2
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook
    heritage: Tiller
    release: istio
  name: istio-sidecar-injector
  resourceVersion: "15505"
  selfLink: /apis/admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations/istio-sidecar-injector
  uid: c2f56ba3-81dc-11e9-b133-000c29eb48e3
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMzakNDQWNhZ0F3SUJBZ0lSQUloOXdwRjdjbnk4SC9NS294S0J1cVF3RFFZSktvWklodmNOQVFFTEJRQXcKR0RFV01CUUdBMVVFQ2hNTlkyeDFjM1JsY2k1c2IyTmhiREFlRncweE9UQTFNamt3TmpJMU1qRmFGdzB5TURBMQpNamd3TmpJMU1qRmFNQmd4RmpBVUJnTlZCQW9URFdOc2RYTjBaWEl1Ykc5allXd3dnZ0VpTUEwR0NTcUdTSWIzCkRRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3dXYitrRGE0ZkdqVzJzZlhrTEhiK2UvM1Z0cDA1VlJPTklhaE4Kd01oTzJCNnRzRU1pMlJ6c2ljc015YWRiK2lhOG5tSmw1THhXTi81cTVCYnF2WVlvclNhOUZHZ21RTkFPOURrNApNdksvOHJZMnZScGptdCsrS1o0cW9lWUJsNHRhWHhQS2t0ODhLSWxqeklXL3J4cEwzNWk4dzlrMEl4UThVdFRNCkZlLzFGWDVuQmxyZTNRQnJVNTdyb2pRU2ZJRkh2N2hMNjdMN2krU0I4blNacWM1UjhsUkhBVkdOUmk2aGJObmwKSG83VkJHWUVFdS9yMWZPd3dMdE1OR3BVYk1XNlg4M1B3OHpaY3ZtWHBXSi9KUldjbGVhYzJod2d0cGRmWUlzZgoySXJxczRKKzExZUdLU25IZXA2a2FiNVRoQjd1N1R2eElZOWNPVlNoQnRkMzZ4S1pBZ01CQUFHakl6QWhNQTRHCkExVWREd0VCL3dRRUF3SUNCREFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUIKQVFDbFQySzE2QVZTRkd5OCsycGw1Nk4zUW5qc1dyMSt3KzdhRTh2Q2hzem5sdFVBajNBa1c4OTBaaVJDdU9FZQo2Q2VzNW0wK1FoeWxQQXhUSHlob0ZsTmlOM2I3aHZwWmFOWGlueWszcjE0cG5XNzd3bXZ0a3Y1TlJOeUpXeXNSClBUdFk4OVI0cENpZXhwQ1pmS1dIdDVVTlpSMzE3ZG12RW43WFluT1lHdlFsWU1NMFNpdjVHVWczeUxteXBqUmsKbUMxcmZpZk5rRmdVeTRwMFpqZXFycU5QbHhjS1RNUmk1VmtEUGdPZm11RVFFa3pjMjhWL3hvNlFEMU1OOHJKRQpEN0FNbUN6MTBBaGkybndTN1E0OWlHeVozeEVLS0IrTUJhVlh4THRMOXFENkwxOXZ3alVQMUlzdXh0bExqTkl5ClErZXhSd3FJeDQvZE1JY2dzdVBsdU9ZUQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    service:
      name: istio-sidecar-injector
      namespace: istio-system
      path: /inject
  failurePolicy: Fail
  name: sidecar-injector.istio.io
  namespaceSelector:
    matchExpressions:
      - key: istio-injection
        operator: NotIn
        values:
        - disabled
    # matchLabels:
    #   istio-injection: enabled
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
    scope: '*'
  sideEffects: Unknown

将 namespaceSelector 修改为：

  namespaceSelector:
    matchExpressions:
      - key: istio-injection
        operator: NotIn
        values:
        - disabled

保存该文件，即可实现在所有命名空间开启自动注入。
如果某个命名空间不想自动注入，只需为该 namespace 加上 istio-injection=disabled 标签即可。