Istio sidecar injection webhook

Istio injects a service-mesh sidecar into each pod to provide service management without modifying the application.
Sidecar injection (the way the sidecar is inserted into pods in a Kubernetes cluster) is an important part of how Istio delivers this capability. The sidecar can be injected in two ways:
one is to create webhook resources and use the Kubernetes admission webhook mechanism to inject pods automatically, and
the other is to inject the sidecar manually into a YAML file with the istioctl tool.

https://istio.io/zh/docs/setup/kubernetes/additional-setup/sidecar-injection/

Pod requirements

The Pod must have permission to run the Istio init container; otherwise the Service Account must be granted that right.
Ports must be named correctly: service ports must be named.
Pod ports: the Pod must explicitly list every port each container will listen on.
Associated Service: whether or not it exposes ports, a Pod must be associated with at least one Kubernetes Service; if a Pod belongs to several Services, those Services must not use different protocols on the same port.
The Deployment should carry app and version labels.

1. Manual injection

The YAML file is modified before deployment by adding the sidecar configuration to it, and the result is then deployed to Kubernetes.

### Original content - nginx.yaml ###
#apiVersion: v1
#kind: ServiceAccount
#metadata:
#  name: nginx-web

---
apiVersion: v1
kind: Service
metadata:
  name: nginx-web
  labels:
    app: nginx-web
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 31000
  selector:
    app: nginx-web
  type: NodePort

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-web-v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx-web
        version: v1
    spec:
     # serviceAccountName: nginx-web
      containers:
      - name: nginx-web
        image: registry.cn-hangzhou.aliyuncs.com/ccgg/nginx:v2
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
        env:
        - name: version
          value: v1

### Inject the sidecar into the Deployment and deploy it to Kubernetes ###
istioctl kube-inject -f nginx-web.yaml | kubectl apply -f -

### Observe the pod status: the pod's container count changes from 1 to 2; the pod now has two containers, nginx and istio-proxy, so manual injection succeeded. ###
kubectl get pods

### View the pod details ###
kubectl describe pod nginx-web-v1-69577869dd-dr5fv

2. Automatic injection via webhook

https://preliminary.istio.io/zh/docs/ops/setup/injection/

### Prerequisites ###
  Automatic injection requires Kubernetes 1.9 or later;
  The Kubernetes environment must support MutatingAdmissionWebhook;

$ kubectl api-versions | grep admissionregistration
admissionregistration.k8s.io/v1beta1

The following must be added to the kube-apiserver startup parameters:
--admission-control=MutatingAdmissionWebhook,ValidatingAdmissionWebhook

### Controlling automatic injection ###
Set the policy field in the sidecar-injector ConfigMap (for example policy: disabled) to control whether automatic injection is enabled (this is the global switch for the feature);
// enabled turns it on, disabled turns it off

kubectl describe cm istio-sidecar-injector -n istio-system | grep policy
policy: enabled

### Confirm that the sidecar-injector is installed ###
kubectl get po -n istio-system | grep sidecar-injector
istio-sidecar-injector-b88dfb954-gc4xz   1/1       Running     0          

Label each namespace that needs automatic injection with istio-injection: enabled
### View ###
kubectl get namespace -L istio-injection

### Add the label ###
kubectl label namespace default istio-injection=enabled

### Remove the label ###
kubectl label namespace default istio-injection-


Pod-level automatic injection can also be controlled by setting the annotation sidecar.istio.io/inject=true in the Deployment.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: test
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: my-nginx
        version: v1
      annotations:
        sidecar.istio.io/inject: "true"   # true enables automatic injection, false disables it
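The post describes three switches that together decide whether istio-proxy is added to a pod: the global policy in the sidecar-injector ConfigMap, the istio-injection namespace label, and the sidecar.istio.io/inject pod annotation. The following shell script is an added example (not code from the original post or from Istio) that encodes the documented decision rules, so you can reason about a manifest before deploying it, plus a helper that reads the READY column of `kubectl get pods` output to confirm the container count rose from 1 to 2. The sample pod line is constructed; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): predict the sidecar injector's
# decision from the three switches described in the post.
#
# Rules from the Istio sidecar-injection docs:
#   - the webhook is only consulted for namespaces labelled istio-injection=enabled
#   - policy "enabled":  inject unless the pod annotation sidecar.istio.io/inject is "false"
#   - policy "disabled": inject only if the pod annotation is "true"
#
# Usage: injection_decision <policy> <namespace-label> <pod-annotation>
#   Pass "" for a missing label or annotation. Prints "injected" or "skipped".
injection_decision() {
    policy=$1
    ns_label=$2
    annotation=$3

    # Without the namespace label the MutatingWebhookConfiguration's
    # namespaceSelector does not match, so the injector never runs.
    if [ "$ns_label" != "enabled" ]; then
        echo skipped
        return 0
    fi

    case "$policy" in
        enabled)
            if [ "$annotation" = "false" ]; then echo skipped; else echo injected; fi
            ;;
        disabled)
            if [ "$annotation" = "true" ]; then echo injected; else echo skipped; fi
            ;;
        *)
            echo "unknown policy: $policy" >&2
            return 1
            ;;
    esac
}

# Parse one data line of `kubectl get pods` output and print the total
# container count from the READY column ("2/2" -> 2). A pod in an
# injection-enabled namespace that still reports 1 has no istio-proxy.
pod_container_count() {
    echo "$1" | awk '{ split($2, r, "/"); print r[2] }'
}

# Constructed sample line in the format of `kubectl get pods` after injection.
SAMPLE_POD_LINE="nginx-web-v1-69577869dd-dr5fv   2/2     Running   0          3m"

# Walk the combinations from the post and show the expected outcome.
for combo in "enabled enabled -" "enabled enabled false" "disabled enabled true" \
             "disabled enabled -" "enabled - true"; do
    set -- $combo
    pol=$1; lbl=$2; ann=$3
    [ "$lbl" = "-" ] && lbl=""
    [ "$ann" = "-" ] && ann=""
    printf 'policy=%-8s label=%-8s annotation=%-6s => %s\n' \
        "$pol" "${lbl:-none}" "${ann:-none}" "$(injection_decision "$pol" "$lbl" "$ann")"
done
printf 'sample pod has %s containers\n' "$(pod_container_count "$SAMPLE_POD_LINE")"
```

Note that the namespace label gates everything: with policy enabled but no label, even an explicit `sidecar.istio.io/inject: "true"` annotation produces no sidecar, which is the usual reason a pod shows 1/1 after "enabling" injection.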


Source: blog.csdn.net/u011327801/article/details/91047140