Is there is a way to force injection of sidecar into non-enabled namespace? Some short description of use-case: we have a namespace which holds migrated legacy apps, which do not really need istio. However, in the same namespace some apps (very few of them) need istio as egress gateway. So we’d like to have istio sidecar injected into those few pods while keeping others (much more) without sidecar. We can’t change default global policy, as other namespaces contain app which need istio.
I’d say we look for smth like sidecar.istio.io/inject:true (or alwaysInjectSelector), but it should work regardless of namespaceSelector match.
From what I understood so far it’s not possible and injection is done for matched namespaces only, but please correct me if I’m wrong and there is a way to do that.
FYI
Yeah, I’ve read that article and table and it seems there is no way to achieve what we need (as I wrote, there is no way to have sidecar injected in case if namespace doesn’t match selector - that’s my problem)
You probably have already seen this, but would manual injection with istioctl work here?
Let me know if you have solutions, i’m facing the same problem here.
Thx
Yes, saw it, but manual one is not really an option for us considering our deployment pipeline
Hi! In my environment I made a modification where only the Pods with the annotation “sidecar.istio.io/inject: “true”” receive the sidecar. For this, the namespace must have the label istio-injection=enabled and the ConfigMap istio-sidecar-injector of the istio-system must have the “policy” field changed to disabled. With this, as a drawback, all automatic configuration is disabled.