Override Istio Sidecar Proxy CPU/Mem Limits

Hello,

I did a fair bit of searching across the Istio documentation for a way to override the global limits configured for the Istio sidecar proxy.

Is it accurate to say that this isn’t a supported configuration at the moment?

Has anyone created a Kubernetes mutating admission controller to modify the limits of istio-proxy containers in certain namespaces?

2 Likes

You can customize the proxy limits globally by augmenting the setting global.proxy.resources in the Helm chart. The complete set of customizable options can be found here: https://istio.io/docs/reference/config/installation-options/#global-options

Hello,

I have set the global limits. Some of my services receive more connections than others so having the same limits on all sidecars is fine but not always efficient.

I see, per-workload overrides can be provided via annotations in the deployment spec:
sidecar.istio.io/proxyCPU for CPU request and sidecar.istio.io/proxyMemory for Memory request.

@nrjpoddar
Thanks for the help so far!
I found a reference to this condition in: https://github.com/istio/istio/blob/2be5863f6570540498b42d5b10ea54ee99fb36d3/install/kubernetes/helm/istio/files/injection-template.yaml

I can’t find any official documentation describing this usage but I will give it a go.

2 Likes

@nrjpoddar

I applied the following YAML and then found out that the istio-proxy container still had the global limits.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
  namespace: test
  annotations:
    sidecar.istio.io/proxyCPU: 600
    sidecar.istio.io/proxyMemory: 256
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80

1 Like

Actually I was able to now override the default limits but now it’s only setting requests and not limits.

I moved the annotation to the pod spec. Like:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
  namespace: test

spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
      annotations:
        sidecar.istio.io/proxyCPU: "600m"
        sidecar.istio.io/proxyMemory: "256Mi"
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80

My global “default” istio-proxy resources:

    Limits:
      cpu:     200m
      memory:  128Mi
    Requests:
      cpu:      100m
      memory:   128Mi

The istio-proxy resource config after adding annotations:

    Requests:
      cpu:      600m
      memory:   256Mi

3 Likes

Yes, I was just about to say that you need to move it to the pod spec annotations section. Currently, that’s the limitation: only resource request overrides are provided and there’s no way to inherit global resource limits when these annotations are provided.

1 Like

As pointed out here, we have tried to add an annotation in order to override the default CPU requested, but the rollout fails with the following error. Does this error look familiar to any of you?

Internal error occurred: admission webhook "sidecar-injector.istio.io" denied the request: error unmarshaling JSON: quantities must match the regular expression '^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$'

The following code is the one in use with Istio 1.0.0:

sidecar.istio.io/proxyCPU: 100m

Thanks!

@bmarkons Have you tried putting quotes around 100m?

I am now on istio 1.2.5 and I don’t think the quotes are required anymore.

Tried both with and without the quotes but unfortunately the same error is shown.
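
An added example, not code from any poster in this thread or from the Istio project: a pre-apply check for the two points the thread turned on, namely where the `sidecar.istio.io/proxyCPU` and `sidecar.istio.io/proxyMemory` annotations sit and whether their values are strings matching the quantity pattern quoted in the error message above. The manifests are constructed Python dicts modelled on the ones posted here, and the function names are hypothetical; passing is a format check only and does not show that a given injector version accepts the value.

```python
import re

# Quantity pattern copied from the sidecar-injector error message quoted in this thread.
QUANTITY_RE = re.compile(r"^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$")
PROXY_KEYS = ("sidecar.istio.io/proxyCPU", "sidecar.istio.io/proxyMemory")


def check_proxy_annotations(deployment):
    """Return a list of findings for the sidecar resource annotations of one Deployment."""
    findings = []
    top = deployment.get("metadata", {}).get("annotations") or {}
    template = deployment.get("spec", {}).get("template", {})
    pod = template.get("metadata", {}).get("annotations") or {}
    for key in PROXY_KEYS:
        if key in top:
            findings.append(f"{key}: set on the Deployment metadata; "
                            "move it to spec.template.metadata.annotations")
        if key not in pod:
            continue
        value = pod[key]
        if not isinstance(value, str):
            # Annotation values must be strings; an unquoted YAML number is not one.
            findings.append(f"{key}: value {value!r} is not a string; quote it in the YAML")
        elif not QUANTITY_RE.match(value):
            findings.append(f"{key}: value {value!r} does not match the quantity pattern")
    return findings


def make_deployment(top_annotations=None, pod_annotations=None):
    """Build a minimal Deployment dict shaped like the manifests in the thread (constructed)."""
    return {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "hello", "namespace": "test", "annotations": top_annotations or {}},
        "spec": {"template": {
            "metadata": {"labels": {"app": "hello"}, "annotations": pod_annotations or {}},
            "spec": {"containers": [{"name": "nginx", "image": "nginx:1.7.9"}]}}},
    }


# Constructed samples: FIRST mirrors the manifest that kept the global limits, SECOND the
# one that took effect, THIRD has an unquoted number and a malformed quantity.
FIRST = make_deployment(top_annotations={PROXY_KEYS[0]: 600, PROXY_KEYS[1]: 256})
SECOND = make_deployment(pod_annotations={PROXY_KEYS[0]: "600m", PROXY_KEYS[1]: "256Mi"})
THIRD = make_deployment(pod_annotations={PROXY_KEYS[0]: 600, PROXY_KEYS[1]: "256 Mi"})

if __name__ == "__main__":
    for name, manifest in (("first", FIRST), ("second", SECOND), ("third", THIRD)):
        print(name, check_proxy_annotations(manifest) or "ok")
```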

Hi. This is a 404 link.