Sorry if this is in the wrong discussion section, wasn’t exactly sure where to put it.
I was wondering if it is possible to configure Istio so that it can be deployed after pods have been running. To do this I believe that Istio would have to be deployed in a non-sidecar setup, since Kubernetes does not allow pod modification during runtime. I was looking at deploying istio on a per-host basis as described in this article as a start, however I wasn’t able to find any documentation on how to do so.
Additionally, I have been looking at this issue, which requests for envoy to be deployed as a DaemonSet, however seems to be closed, stating there are security concerns with a DaemonSet setup. I was a little confused when I was following the referenced kubernetes issue, (something to do with permissions and NET_ADMIN) Is the setup that I have described not possible without security concerns?
For my use, ideally, istio would be able to be run and destroyed during pod runtime, however, if this is not possible, it would be fine if istio could inject into pods before their deployment, but the service mesh were to be turned on and off without restarting pods.