I am creating a pod that runs 2 sidecars (Istio and Vault), both of them injected via mutating webhook. Both sidecars come with their own init container: Istio uses it to update the iptables rules, and the Vault init container communicates with a server for authentication. The problem is, if the Istio init runs first, everything after it that needs to make an outbound connection will fail. I am speculating it is due to the Istio init having updated the iptables rules, but the proxy hasn’t started yet, since all the init containers have to run to completion first. Is there a way to make the Istio mutating webhook be invoked last so the Istio init would be run last?
I found a workaround, guys. Credit to sleepybrett from Reddit. Apparently you can control the order by changing the name of the webhooks, because they are invoked alphabetically.