Istio Injector based on workload labels

Hi,

I've updated the sidecar-injector webhook to also include the objectSelector, so it looks like this:

- name: sidecar-injector.istio.io
  namespaceSelector:
    matchLabels:
      istio-injection: enabled
  objectSelector:
    matchLabels:
      sidecar.istio.io/inject: "true"
  reinvocationPolicy: Never

But still, deployments with this label (or annotation) do not get injected.
The namespace does not include the istio-injection label, and the policy is enabled.
What am I missing?
Can't I choose to inject automatically only on the workloads I want (to be able to enroll into Istio gradually)?

10x

Maybe look at using neverInjectSelector?

Or you can disable an application directly by adding the annotation

annotations:
  sidecar.istio.io/inject: "false"
$ kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ignored
  labels:
    app: ignored
spec:
  selector:
    matchLabels:
      app: ignored
  template:
    metadata:
      labels:
        app: ignored
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - name: ignored
        image: governmentpaas/curl-ssl
        command: ["/bin/sleep","infinity"]
EOF

Per the documentation, the first approach should be adding the annotation

sidecar.istio.io/inject: "true"

to the deployment to cause it to be injected, even if the namespace isn't, but it did not work.

I saw another approach: update the sidecar-injector configmap and set alwaysInjectSelector like the following

config: |-
  policy: enabled
  alwaysInjectSelector:
  - matchExpressions:
    - {key: inject-proxy, operator: Exists}

But this also did not work, and did not cause the pod to get injected.

What am I missing? Has anyone got this working?

I've solved it by disabling the policy in the sidecar-injector configmap, enabling auto-injection on the namespace, and then, only when the deployment includes the sidecar.istio.io/inject annotation, I'm able to control whether I want to inject or not.
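The three pieces the final post describes, written out as an added example (this is not the poster's own manifest, and the namespace and deployment names are constructed). It assumes an Istio 1.x install whose injection settings live in the istio-sidecar-injector ConfigMap in istio-system, and a webhook whose namespaceSelector matches istio-injection=enabled, as in the first post. The ConfigMap part is a fragment: in practice edit the existing ConfigMap (for example with kubectl edit) and change only the policy line, rather than applying this object, because applying it as-is would replace the rest of the injection config.

```yaml
# 1. ConfigMap fragment (assumed name/namespace): default policy "disabled" means
#    a pod is NOT injected unless its template carries the opt-in annotation.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-sidecar-injector
  namespace: istio-system
data:
  config: |-
    policy: disabled
    # ... the rest of the injection config (template, selectors) stays unchanged
---
# 2. Namespace: keep the label, otherwise the webhook's namespaceSelector never
#    fires and the per-workload annotation is never evaluated.
apiVersion: v1
kind: Namespace
metadata:
  name: gradual-rollout        # constructed name
  labels:
    istio-injection: enabled
---
# 3. Workload: opt in explicitly on the pod template (the annotation must be on
#    spec.template.metadata, not on the Deployment's own metadata).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opted-in               # constructed name
  namespace: gradual-rollout
spec:
  selector:
    matchLabels:
      app: opted-in
  template:
    metadata:
      labels:
        app: opted-in
      annotations:
        sidecar.istio.io/inject: "true"   # omit, or set "false", to stay outside the mesh
    spec:
      containers:
      - name: app
        image: governmentpaas/curl-ssl    # same image as the earlier reply
        command: ["/bin/sleep", "infinity"]
```

With policy disabled, a deployment that forgets the annotation silently runs without a sidecar, so none of the mesh's mTLS or policy enforcement applies to it. After a rollout, it is worth listing which pods actually got the istio-proxy container, for example with `kubectl get pods -n gradual-rollout -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'`, and treating any pod without istio-proxy as still unenrolled.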