From e0f7803be6acaab9f7ef2e28de6e1ec9402ea58b Mon Sep 17 00:00:00 2001 From: Chunlin Yang Date: Sat, 27 Jul 2019 19:37:59 -0500 Subject: [PATCH] Support kube-uninject for istioctl command (#15573) * Support kube-uninject for istioctl command Signed-off-by: Chun Lin Yang * Address review comments * avoid duplicated method Signed-off-by: Chun Lin Yang * add more cases: handle enable-core-dump container/dnsConfig/annotations * add sidecar.istio.io/inject:false always * avoid panics 
Signed-off-by: Chun Lin Yang * correct the comment for exported method --- istioctl/cmd/kubeuninject.go | 340 +++++++++++++++++ istioctl/cmd/kubeuninject_test.go | 124 +++++++ istioctl/cmd/root.go | 1 + .../testdata/uninject/cronjob-with-app.yaml | 30 ++ .../uninject/cronjob-with-app.yaml.injected | 123 +++++++ istioctl/cmd/testdata/uninject/cronjob.yaml | 28 ++ .../testdata/uninject/cronjob.yaml.injected | 156 ++++++++ istioctl/cmd/testdata/uninject/daemonset.yaml | 35 ++ .../testdata/uninject/daemonset.yaml.injected | 164 +++++++++ .../uninject/deploymentconfig-multi.yaml | 64 ++++ .../deploymentconfig-multi.yaml.injected | 197 ++++++++++ .../testdata/uninject/deploymentconfig.yaml | 47 +++ .../uninject/deploymentconfig.yaml.injected | 180 +++++++++ .../testdata/uninject/enable-core-dump.yaml | 32 ++ .../uninject/enable-core-dump.yaml.injected | 176 +++++++++ istioctl/cmd/testdata/uninject/hello.yaml | 28 ++ istioctl/cmd/testdata/uninject/job.yaml | 25 ++ .../cmd/testdata/uninject/job.yaml.injected | 153 ++++++++ istioctl/cmd/testdata/uninject/list.yaml | 77 ++++ .../cmd/testdata/uninject/list.yaml.injected | 345 ++++++++++++++++++ istioctl/cmd/testdata/uninject/pod.yaml | 20 + .../cmd/testdata/uninject/pod.yaml.injected | 152 ++++++++ .../cmd/testdata/uninject/replicaset.yaml | 28 ++ .../uninject/replicaset.yaml.injected | 161 ++++++++ .../uninject/replicationcontroller.yaml | 27 ++ .../replicationcontroller.yaml.injected | 160 ++++++++ .../cmd/testdata/uninject/statefulset.yaml | 41 +++ .../uninject/statefulset.yaml.injected | 173 +++++++++ pilot/pkg/kube/inject/inject.go | 9 +- 29 files changed, 3092 insertions(+), 4 deletions(-) create mode 100644 istioctl/cmd/kubeuninject.go create mode 100644 istioctl/cmd/kubeuninject_test.go create mode 100644 istioctl/cmd/testdata/uninject/cronjob-with-app.yaml create mode 100644 istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/cronjob.yaml create mode 100644 
istioctl/cmd/testdata/uninject/cronjob.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/daemonset.yaml create mode 100644 istioctl/cmd/testdata/uninject/daemonset.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml create mode 100644 istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/deploymentconfig.yaml create mode 100644 istioctl/cmd/testdata/uninject/deploymentconfig.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/enable-core-dump.yaml create mode 100644 istioctl/cmd/testdata/uninject/enable-core-dump.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/hello.yaml create mode 100644 istioctl/cmd/testdata/uninject/job.yaml create mode 100644 istioctl/cmd/testdata/uninject/job.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/list.yaml create mode 100644 istioctl/cmd/testdata/uninject/list.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/pod.yaml create mode 100644 istioctl/cmd/testdata/uninject/pod.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/replicaset.yaml create mode 100644 istioctl/cmd/testdata/uninject/replicaset.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/replicationcontroller.yaml create mode 100644 istioctl/cmd/testdata/uninject/replicationcontroller.yaml.injected create mode 100644 istioctl/cmd/testdata/uninject/statefulset.yaml create mode 100644 istioctl/cmd/testdata/uninject/statefulset.yaml.injected diff --git a/istioctl/cmd/kubeuninject.go b/istioctl/cmd/kubeuninject.go new file mode 100644 index 000000000000..d10805d9c6ec --- /dev/null +++ b/istioctl/cmd/kubeuninject.go 
@@ -0,0 +1,340 @@
+// Copyright 2019 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+ "bufio"
+ "errors"
+ "fmt"
+ "io"
+ "os"
+ "reflect"
+ "strings"
+
+ "github.com/ghodss/yaml"
+ "github.com/spf13/cobra"
+ "go.uber.org/multierr"
+ "k8s.io/api/batch/v2alpha1"
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ yamlDecoder "k8s.io/apimachinery/pkg/util/yaml"
+
+ "istio.io/istio/pilot/pkg/kube/inject"
+ "istio.io/pkg/log"
+)
+
+const (
+ proxyContainerName = "istio-proxy"
+ initContainerName = "istio-init"
+ enableCoreDumpContainerName = "enable-core-dump"
+ envoyVolumeName = "istio-envoy"
+ certVolumeName = "istio-certs"
+ annotationPolicy = "sidecar.istio.io/inject"
+ sidecarAnnotationPrefix = "sidecar.istio.io"
+)
+
+func validateUninjectFlags() error {
+ var err error
+
+ if uninjectInFilename == "" {
+ err = multierr.Append(err, errors.New("filename not specified (see --filename or -f)"))
+ }
+ return err
+}
+
+// extractResourceFile uninjects the istio proxy from the specified
+// kubernetes YAML file.
+func extractResourceFile(in io.Reader, out io.Writer) error {
+ reader := yamlDecoder.NewYAMLReader(bufio.NewReaderSize(in, 4096))
+ for {
+ raw, err := reader.Read()
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ return err
+ }
+
+ obj, err := inject.FromRawToObject(raw)
+ if err != nil && !runtime.IsNotRegisteredError(err) {
+ return multierr.Append(fmt.Errorf("cannot parse YAML input"), err)
+ }
+
+ var updated []byte
+ if err == nil {
+ outObject, err := extractObject(obj)
+ if err != nil {
+ return err
+ }
+ if updated, err = yaml.Marshal(outObject); err != nil {
+ return err
+ }
+ } else {
+ updated = raw // unchanged
+ }
+
+ if _, err = out.Write(updated); err != nil {
+ return err
+ }
+ if _, err = fmt.Fprint(out, "---\n"); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+// removeInjectedContainers removes the injected container name - istio-proxy and istio-init
+func removeInjectedContainers(containers []corev1.Container, injectedContainerName string) []corev1.Container {
+ for index, c := range containers {
+ if c.Name == injectedContainerName {
+ if index < len(containers)-1 {
+ containers = append(containers[:index], containers[index+1:]...)
+ } else {
+ containers = append(containers[:index])
+ }
+ break
+ }
+ }
+ return containers
+}
+
+// removeInjectedVolumes removes the injected volumes - istio-envoy and istio-certs
+func removeInjectedVolumes(volumes []corev1.Volume, injectedVolume string) []corev1.Volume {
+
+ for index, v := range volumes {
+ if v.Name == injectedVolume {
+ if index < len(volumes)-1 {
+ volumes = append(volumes[:index], volumes[index+1:]...)
+ } else {
+ volumes = append(volumes[:index])
+ }
+ break
+ }
+ }
+ return volumes
+}
+
+func removeDNSConfig(podDNSConfig *corev1.PodDNSConfig) {
+ if podDNSConfig == nil {
+ return
+ }
+
+ l := len(podDNSConfig.Searches)
+ index := 0
+ for index < l {
+ s := podDNSConfig.Searches[index]
+ if strings.Contains(s, "global") {
+ if index < len(podDNSConfig.Searches)-1 {
+ podDNSConfig.Searches = append(podDNSConfig.Searches[:index],
+ podDNSConfig.Searches[index+1:]...)
+ } else {
+ podDNSConfig.Searches = append(podDNSConfig.Searches[:index])
+ }
+ //reset to 0
+ index = 0
+ l = len(podDNSConfig.Searches)
+ } else {
+ index++
+ }
+ }
+
+}
+
+// handleAnnotations removes the injected annotations which contains sidecar.istio.io
+// it adds sidecar.istio.io/inject: false
+func handleAnnotations(annotations map[string]string) map[string]string {
+ if annotations == nil {
+ annotations = make(map[string]string)
+ }
+
+ for key := range annotations {
+ if strings.Contains(key, sidecarAnnotationPrefix) {
+ delete(annotations, key)
+ }
+ }
+ // sidecar.istio.io/inject: false to default the auto-injector in case it is present.
+ annotations[annotationPolicy] = "false"
+ return annotations
+}
+
+// extractObject extras the sidecar injection and return the uninjected object.
+func extractObject(in runtime.Object) (interface{}, error) {
+ out := in.DeepCopyObject()
+
+ var metadata *metav1.ObjectMeta
+ var podSpec *corev1.PodSpec
+
+ // Handle Lists
+ if list, ok := out.(*corev1.List); ok {
+ result := list
+
+ for i, item := range list.Items {
+ obj, err := inject.FromRawToObject(item.Raw)
+ if runtime.IsNotRegisteredError(err) {
+ continue
+ }
+ if err != nil {
+ return nil, err
+ }
+
+ r, err := extractObject(obj)
+ if err != nil {
+ return nil, err
+ }
+
+ re := runtime.RawExtension{}
+ re.Object = r.(runtime.Object)
+ result.Items[i] = re
+ }
+ return result, nil
+ }
+
+ // CronJobs have JobTemplates in them, instead of Templates, so we
+ // special case them.
+ switch v := out.(type) {
+ case *v2alpha1.CronJob:
+ job := v
+ metadata = &job.Spec.JobTemplate.ObjectMeta
+ podSpec = &job.Spec.JobTemplate.Spec.Template.Spec
+ case *corev1.Pod:
+ pod := v
+ metadata = &pod.ObjectMeta
+ podSpec = &pod.Spec
+ default:
+ // `in` is a pointer to an Object. Dereference it.
+ outValue := reflect.ValueOf(out).Elem()
+
+ templateValue := outValue.FieldByName("Spec").FieldByName("Template")
+
+ // `Template` is defined as a pointer in some older API
+ // definitions, e.g. ReplicationController
+ if templateValue.Kind() == reflect.Ptr {
+ if templateValue.IsNil() {
+ return out, fmt.Errorf("spec.template is required value")
+ }
+ templateValue = templateValue.Elem()
+ }
+ metadata = templateValue.FieldByName("ObjectMeta").Addr().Interface().(*metav1.ObjectMeta)
+ podSpec = templateValue.FieldByName("Spec").Addr().Interface().(*corev1.PodSpec)
+ }
+
+ metadata.Annotations = handleAnnotations(metadata.Annotations)
+ //skip uninjection for pods
+ sidecarInjected := false
+ for _, c := range podSpec.Containers {
+ if c.Name == proxyContainerName {
+ sidecarInjected = true
+ }
+ }
+ if !sidecarInjected {
+ return out, nil
+ }
+
+ podSpec.InitContainers = removeInjectedContainers(podSpec.InitContainers, initContainerName)
+ podSpec.InitContainers = removeInjectedContainers(podSpec.InitContainers, enableCoreDumpContainerName)
+ podSpec.Containers = removeInjectedContainers(podSpec.Containers, proxyContainerName)
+ podSpec.Volumes = removeInjectedVolumes(podSpec.Volumes, envoyVolumeName)
+ podSpec.Volumes = removeInjectedVolumes(podSpec.Volumes, certVolumeName)
+ removeDNSConfig(podSpec.DNSConfig)
+
+ return out, nil
+}
+
+var (
+ uninjectInFilename string
+ uninjectOutFilename string
+)
+
+func uninjectCommand() *cobra.Command {
+ uninjectCmd := &cobra.Command{
+ Use: "kube-uninject",
+ Short: "Uninject Envoy sidecar from Kubernetes pod resources",
+ Long: `
+
+kube-uninject is used to prevent Istio from adding a sidecar and
+also provides the inverse of "istioctl kube-inject -f".
+
+`,
+ Example: `
+# Update resources before applying.
+kubectl apply -f <(istioctl experimental kube-uninject -f )
+
+# Create a persistent version of the deployment by removing Envoy sidecar.
+istioctl experimental kube-uninject -f deployment.yaml -o deployment-uninjected.yaml
+
+# Update an existing deployment.
+kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kubectl apply -f -
+`,
+ RunE: func(c *cobra.Command, _ []string) (err error) {
+
+ if err = validateUninjectFlags(); err != nil {
+ return err
+ }
+ //get the resource content
+ var reader io.Reader
+ if uninjectInFilename == "-" {
+ reader = os.Stdin
+ } else {
+ var in *os.File
+ if in, err = os.Open(uninjectInFilename); err != nil {
+ log.Errorf("Error: close file from %s, %s", uninjectInFilename, err)
+ return err
+ }
+ reader = in
+ defer func() {
+ if errClose := in.Close(); errClose != nil {
+ log.Errorf("Error: close file from %s, %s", uninjectInFilename, errClose)
+
+ // don't overwrite the previous error
+ if err == nil {
+ err = errClose
+ }
+ }
+ }()
+ }
+
+ var writer io.Writer
+ if uninjectOutFilename == "" {
+ writer = c.OutOrStdout()
+ } else {
+ var out *os.File
+ if out, err = os.Create(uninjectOutFilename); err != nil {
+ return err
+ }
+ writer = out
+ defer func() {
+ if errClose := out.Close(); errClose != nil {
+ log.Errorf("Error: close file from %s, %s", uninjectOutFilename, errClose)
+
+ // don't overwrite the previous error
+ if err == nil {
+ err = errClose
+ }
+ }
+ }()
+ }
+
+ return extractResourceFile(reader, writer)
+ },
+ }
+
+ uninjectCmd.PersistentFlags().StringVarP(&uninjectInFilename, "filename", "f",
+ "", "Input Kubernetes resource filename")
+ uninjectCmd.PersistentFlags().StringVarP(&uninjectOutFilename, "output", "o",
+ "", "Modified output Kubernetes resource filename")
+
+ return uninjectCmd
+}
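Review bot: `removeDNSConfig` drops every search domain for which `strings.Contains(s, "global")` holds, so a user-authored entry such as `global.example.com` is removed together with the injected ones and the uninjected manifest no longer matches the pre-injection input; if injection only ever adds `global` and `<namespace>.global` (the injector is outside this hunk), `s == "global" || strings.HasSuffix(s, ".global")` would confine removal to those. `handleAnnotations` has the same shape with `strings.Contains(key, sidecarAnnotationPrefix)`, which matches any key merely embedding that string; anchoring on the key's domain, `strings.HasPrefix(key, sidecarAnnotationPrefix+"/") || strings.HasPrefix(key, "traffic."+sidecarAnnotationPrefix+"/")`, still strips every key present in the golden fixtures while being explicit, and the fact that user-set `sidecar.istio.io/*` annotations are discarded deserves a line in the command's Long help. In the `default` branch of `extractObject`, `templateValue` is never checked with `IsValid()`, so a registered kind without `spec.template` (whether `inject.FromRawToObject` can return one depends on the scheme, not visible here) would panic in `FieldByName("ObjectMeta").Addr()` on a zero `reflect.Value`; `if !templateValue.IsValid() { return out, nil }` ahead of the pointer check closes that path. Finally, the `os.Open` failure in `RunE` logs `"Error: close file from %s, %s"` for what is an open error and then returns the same error that cobra already prints (case 1 of the test expects `Error: open missing.yaml: ...`), so that `log.Errorf` should be removed or reworded to say `open`.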
diff --git a/istioctl/cmd/kubeuninject_test.go b/istioctl/cmd/kubeuninject_test.go new file mode 100644 index 000000000000..a811409d2dc4 --- /dev/null +++ b/istioctl/cmd/kubeuninject_test.go 
@@ -0,0 +1,124 @@ +// Copyright 2019 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cmd + +import ( + "fmt" + "strings" + "testing" + + "istio.io/istio/pilot/pkg/model" +) + +func TestKubeUninject(t *testing.T) { + cases := []testCase{ + { // case 0 + configs: []model.Config{}, + args: strings.Split("experimental kube-uninject", " "), + expectedOutput: "Error: filename not specified (see --filename or -f)\n", + wantException: true, + }, + { // case 1 + configs: []model.Config{}, + args: strings.Split("experimental kube-uninject -f missing.yaml", " "), + expectedOutput: "Error: open missing.yaml: no such file or directory\n", + wantException: true, + }, + { // case 2 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/cronjob.yaml.injected", " "), + goldenFilename: "testdata/uninject/cronjob.yaml", + }, + { // case 3 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/cronjob-with-app.yaml.injected", " "), + goldenFilename: "testdata/uninject/cronjob-with-app.yaml", + }, + { // case 4 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/daemonset.yaml.injected", " "), + goldenFilename: "testdata/uninject/daemonset.yaml", + }, + { // case 5 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/deploymentconfig.yaml.injected", " "), + 
goldenFilename: "testdata/uninject/deploymentconfig.yaml", + }, + { // case 6 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/deploymentconfig-multi.yaml.injected", " "), + goldenFilename: "testdata/uninject/deploymentconfig-multi.yaml", + }, + { // case 7 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/job.yaml.injected", " "), + goldenFilename: "testdata/uninject/job.yaml", + }, + { // case 8 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/list.yaml.injected", " "), + goldenFilename: "testdata/uninject/list.yaml", + }, + { // case 9 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/pod.yaml.injected", " "), + goldenFilename: "testdata/uninject/pod.yaml", + }, + { // case 10 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/replicaset.yaml.injected", " "), + goldenFilename: "testdata/uninject/replicaset.yaml", + }, + { // case 11 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/replicationcontroller.yaml.injected", " "), + goldenFilename: "testdata/uninject/replicationcontroller.yaml", + }, + { // case 12 + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/statefulset.yaml.injected", " "), + goldenFilename: "testdata/uninject/statefulset.yaml", + }, + { // case 13: verify the uninjected file + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/hello.yaml", " "), + goldenFilename: "testdata/uninject/hello.yaml", + }, + { // case 14: enable-core-dump + configs: []model.Config{}, + args: strings.Split( + "experimental kube-uninject -f testdata/uninject/enable-core-dump.yaml.injected", " "), + goldenFilename: 
"testdata/uninject/enable-core-dump.yaml", + }, + } + + for i, c := range cases { + t.Run(fmt.Sprintf("case %d %s", i, strings.Join(c.args, " ")), func(t *testing.T) { + verifyOutput(t, c) + }) + } +} diff --git a/istioctl/cmd/root.go b/istioctl/cmd/root.go index 8254804696bb..cba7bc834c03 100644 --- a/istioctl/cmd/root.go +++ b/istioctl/cmd/root.go @@ -107,6 +107,7 @@ debug and diagnose their Istio mesh. experimentalCmd.AddCommand(Auth()) experimentalCmd.AddCommand(convertIngress()) experimentalCmd.AddCommand(dashboard()) + experimentalCmd.AddCommand(uninjectCommand()) experimentalCmd.AddCommand(metricsCmd) rootCmd.AddCommand(collateral.CobraCommand(rootCmd, &doc.GenManHeader{ diff --git a/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml b/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml new file mode 100644 index 000000000000..ba228e19aab9 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml @@ -0,0 +1,30 @@ +apiVersion: batch/v2alpha1 +kind: CronJob +metadata: + creationTimestamp: null + name: hello +spec: + jobTemplate: + metadata: + annotations: + sidecar.istio.io/inject: "false" + creationTimestamp: null + labels: + app: hello + spec: + template: + metadata: + creationTimestamp: null + spec: + containers: + - args: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + image: busybox + name: hello + resources: {} + restartPolicy: OnFailure + schedule: '*/1 * * * *' +status: {} +--- diff --git a/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected b/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected new file mode 100644 index 000000000000..03662775c4bd --- /dev/null +++ b/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected 
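Review bot: The table covers the golden round-trips but never exercises the error paths `extractResourceFile` owns: no case feeds a malformed document (the `cannot parse YAML input` branch) and none writes through `-o`, so a regression in either would pass this test. A case such as `args: strings.Split("experimental kube-uninject -f testdata/uninject/<malformed-fixture>.yaml", " "), wantException: true` with a small deliberately broken fixture, plus one using `-o` against a temporary file compared to a golden, would close that gap (the `-o` variant needs `verifyOutput`, outside this hunk, to read the file back). Case 1's expected text `open missing.yaml: no such file or directory` is the Unix `os.Open` message and will differ on Windows; a `strings.Contains` check on the `open missing.yaml` part, if the harness allows it, is more portable. Every case also repeats `configs: []model.Config{}`; if `testCase` treats a nil slice the same way, the field can be omitted to keep each entry to the two lines that actually vary.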
@@ -0,0 +1,123 @@ +apiVersion: batch/v2alpha1 +kind: CronJob +metadata: + creationTimestamp: null + name: hello +spec: + jobTemplate: + metadata: + annotations: + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + creationTimestamp: null + labels: + app: hello + spec: + template: + metadata: + creationTimestamp: null + spec: + containers: + - args: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + image: busybox + name: hello + resources: {} + - args: + - proxy + - sidecar + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hello.default + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --connectTimeout + - 1s + - --statsdUdpAddress + - "" + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --concurrency + - "1" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + resources: + requests: + cpu: 10m + memory: 30Mi + securityContext: + privileged: false + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "" + - -d + - "" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: {} + 
securityContext: + capabilities: + add: + - NET_ADMIN + restartPolicy: OnFailure + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default + schedule: '*/1 * * * *' +status: {} +--- diff --git a/istioctl/cmd/testdata/uninject/cronjob.yaml b/istioctl/cmd/testdata/uninject/cronjob.yaml new file mode 100644 index 000000000000..cc1cf3d69191 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/cronjob.yaml @@ -0,0 +1,28 @@ +apiVersion: batch/v2alpha1 +kind: CronJob +metadata: + creationTimestamp: null + name: hellocron +spec: + jobTemplate: + metadata: + annotations: + sidecar.istio.io/inject: "false" + creationTimestamp: null + spec: + template: + metadata: + creationTimestamp: null + spec: + containers: + - args: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + image: busybox + name: hello + resources: {} + restartPolicy: OnFailure + schedule: '*/1 * * * *' +status: {} +--- diff --git a/istioctl/cmd/testdata/uninject/cronjob.yaml.injected b/istioctl/cmd/testdata/uninject/cronjob.yaml.injected new file mode 100644 index 000000000000..d53b111571b9 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/cronjob.yaml.injected 
@@ -0,0 +1,156 @@ +apiVersion: batch/v2alpha1 +kind: CronJob +metadata: + creationTimestamp: null + name: hellocron +spec: + jobTemplate: + metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + spec: + template: + metadata: + creationTimestamp: null + spec: + containers: + - args: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + image: busybox + name: hello + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hellocron.default + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: 
/healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "" + - -d + - "15020" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsNonRoot: false + runAsUser: 0 + restartPolicy: OnFailure + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default + schedule: '*/1 * * * *' +status: {} +--- diff --git a/istioctl/cmd/testdata/uninject/daemonset.yaml b/istioctl/cmd/testdata/uninject/daemonset.yaml new file mode 100644 index 000000000000..3fdea63e3103 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/daemonset.yaml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + creationTimestamp: null + name: hello +spec: + selector: + matchLabels: + app: hello + tier: backend + track: stable + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + creationTimestamp: null + labels: + app: hello + tier: backend + track: stable + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + updateStrategy: {} +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 +--- 
diff --git a/istioctl/cmd/testdata/uninject/daemonset.yaml.injected b/istioctl/cmd/testdata/uninject/daemonset.yaml.injected new file mode 100644 index 000000000000..09a8d236f923 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/daemonset.yaml.injected 
@@ -0,0 +1,164 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + creationTimestamp: null + name: hello +spec: + selector: + matchLabels: + app: hello + tier: backend + track: stable + template: + metadata: + annotations: + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + creationTimestamp: null + labels: + app: hello + tier: backend + track: stable + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hello.$(POD_NAMESPACE) + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "80" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "80" + - name: ISTIO_METAJSON_LABELS + value: | + {"app":"hello","tier":"backend","track":"stable"} + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + 
httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "80" + - -d + - "15020" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsNonRoot: false + runAsUser: 0 + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default + updateStrategy: {} +status: + currentNumberScheduled: 0 + desiredNumberScheduled: 0 + numberMisscheduled: 0 + numberReady: 0 +--- diff --git a/istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml b/istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml new file mode 100644 index 000000000000..ed701cb9c843 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml 
@@ -0,0 +1,64 @@ +apiVersion: v1 +items: +- apiVersion: v1 + kind: Service + metadata: + name: frontend + spec: + ports: + - port: 80 + protocol: TCP + targetPort: 80 + selector: + app: hello + tier: frontend + type: LoadBalancer +- apiVersion: apps.openshift.io/v1 + kind: DeploymentConfig + metadata: + creationTimestamp: null + name: hello + spec: + replicas: 7 + revisionHistoryLimit: 2 + strategy: + resources: {} + type: Rolling + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + creationTimestamp: null + labels: + app: hello + tier: backend + track: stable + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + test: false + triggers: + - type: ConfigChange + - imageChangeParams: + automatic: true + containerNames: + - helloworld + from: + kind: ImageStreamTag + name: hello-go-gke:1.0 + type: ImageChange + status: + availableReplicas: 0 + latestVersion: 0 + observedGeneration: 0 + replicas: 0 + unavailableReplicas: 0 + updatedReplicas: 0 +kind: List +metadata: {} +--- diff --git a/istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml.injected b/istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml.injected new file mode 100644 index 000000000000..37020dfde9c8 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml.injected 
@@ -0,0 +1,197 @@ +apiVersion: v1 +items: +- apiVersion: v1 + kind: Service + metadata: + name: frontend + spec: + ports: + - port: 80 + protocol: TCP + targetPort: 80 + selector: + app: hello + tier: frontend + type: LoadBalancer +- apiVersion: apps.openshift.io/v1 + kind: DeploymentConfig + metadata: + creationTimestamp: null + name: hello + spec: + replicas: 7 + revisionHistoryLimit: 2 + strategy: + resources: {} + type: Rolling + template: + metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeInboundPorts: "80" + traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + labels: + app: hello + tier: backend + track: stable + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hello.$(POD_NAMESPACE) + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "80" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + 
fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "80" + - name: ISTIO_METAJSON_LABELS + value: | + {"app":"hello","tier":"backend","track":"stable"} + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "80" + - -d + - "15020" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsNonRoot: false + runAsUser: 0 + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default + test: false + triggers: + - type: ConfigChange + - imageChangeParams: + automatic: true + containerNames: + - helloworld + from: + kind: ImageStreamTag + name: hello-go-gke:1.0 + type: ImageChange + status: + availableReplicas: 0 + latestVersion: 0 + observedGeneration: 0 + replicas: 0 + unavailableReplicas: 0 + updatedReplicas: 0 +kind: List +metadata: {} +--- diff --git a/istioctl/cmd/testdata/uninject/deploymentconfig.yaml b/istioctl/cmd/testdata/uninject/deploymentconfig.yaml new file mode 100644 index 000000000000..390b6998179a --- /dev/null 
+++ b/istioctl/cmd/testdata/uninject/deploymentconfig.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps.openshift.io/v1
+kind: DeploymentConfig
+metadata:
+ creationTimestamp: null
+ name: hello
+spec:
+ replicas: 7
+ revisionHistoryLimit: 2
+ strategy:
+ resources: {}
+ type: Rolling
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ creationTimestamp: null
+ labels:
+ app: hello
+ tier: backend
+ track: stable
+ spec:
+ containers:
+ - image: fake.docker.io/google-samples/hello-go-gke:1.0
+ name: hello
+ ports:
+ - containerPort: 80
+ name: http
+ resources: {}
+ test: false
+ triggers:
+ - type: ConfigChange
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - helloworld
+ from:
+ kind: ImageStreamTag
+ name: hello-go-gke:1.0
+ type: ImageChange
+status:
+ availableReplicas: 0
+ latestVersion: 0
+ observedGeneration: 0
+ replicas: 0
+ unavailableReplicas: 0
+ updatedReplicas: 0
+---
diff --git a/istioctl/cmd/testdata/uninject/deploymentconfig.yaml.injected b/istioctl/cmd/testdata/uninject/deploymentconfig.yaml.injected
new file mode 100644
index 000000000000..b5e7f8d7a0cd
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/deploymentconfig.yaml.injected
@@ -0,0 +1,180 @@ +apiVersion: apps.openshift.io/v1 +kind: DeploymentConfig +metadata: + creationTimestamp: null + name: hello +spec: + replicas: 7 + revisionHistoryLimit: 2 + strategy: + resources: {} + type: Rolling + template: + metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeInboundPorts: "80" + traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + labels: + app: hello + tier: backend + track: stable + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hello.$(POD_NAMESPACE) + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "80" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "80" + - name: ISTIO_METAJSON_LABELS + value: | + 
{"app":"hello","tier":"backend","track":"stable"} + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "80" + - -d + - "15020" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsNonRoot: false + runAsUser: 0 + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default + test: false + triggers: + - type: ConfigChange + - imageChangeParams: + automatic: true + containerNames: + - helloworld + from: + kind: ImageStreamTag + name: hello-go-gke:1.0 + type: ImageChange +status: + availableReplicas: 0 + latestVersion: 0 + observedGeneration: 0 + replicas: 0 + unavailableReplicas: 0 + updatedReplicas: 0 +--- diff --git a/istioctl/cmd/testdata/uninject/enable-core-dump.yaml b/istioctl/cmd/testdata/uninject/enable-core-dump.yaml new file mode 100644 index 000000000000..d2ec77b90565 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/enable-core-dump.yaml 
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ creationTimestamp: null
+ name: hello
+spec:
+ replicas: 7
+ selector:
+ matchLabels:
+ app: hello
+ tier: backend
+ track: stable
+ strategy: {}
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ creationTimestamp: null
+ labels:
+ app: hello
+ tier: backend
+ track: stable
+ spec:
+ containers:
+ - image: fake.docker.io/google-samples/hello-go-gke:1.0
+ name: hello
+ ports:
+ - containerPort: 80
+ name: http
+ resources: {}
+status: {}
+---
diff --git a/istioctl/cmd/testdata/uninject/enable-core-dump.yaml.injected b/istioctl/cmd/testdata/uninject/enable-core-dump.yaml.injected
new file mode 100644
index 000000000000..2c1394d4eaf6
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/enable-core-dump.yaml.injected
@@ -0,0 +1,176 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + name: hello +spec: + replicas: 7 + selector: + matchLabels: + app: hello + tier: backend + track: stable + strategy: {} + template: + metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeInboundPorts: "80" + traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + labels: + app: hello + tier: backend + track: stable + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hello.$(POD_NAMESPACE) + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "80" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "80" + - name: ISTIO_METAJSON_LABELS + value: | + {"app":"hello","tier":"backend","track":"stable"} + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + name: 
http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "80" + - -d + - "15020" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsNonRoot: false + runAsUser: 0 + - args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + command: + - /bin/sh + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: enable-core-dump + resources: {} + securityContext: + privileged: true + runAsNonRoot: false + runAsUser: 0 + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default +status: {} +--- diff --git a/istioctl/cmd/testdata/uninject/hello.yaml b/istioctl/cmd/testdata/uninject/hello.yaml new file mode 100644 index 000000000000..3a1e68005f00 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/hello.yaml 
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ creationTimestamp: null
+ name: hello
+spec:
+ replicas: 7
+ selector: {}
+ strategy: {}
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ creationTimestamp: null
+ labels:
+ app: hello
+ tier: backend
+ track: stable
+ spec:
+ containers:
+ - image: fake.docker.io/google-samples/hello-go-gke:1.0
+ name: hello
+ ports:
+ - containerPort: 80
+ name: http
+ resources: {}
+status: {}
+---
\ No newline at end of file
diff --git a/istioctl/cmd/testdata/uninject/job.yaml b/istioctl/cmd/testdata/uninject/job.yaml
new file mode 100644
index 000000000000..c52b59fb6c1d
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/job.yaml
@@ -0,0 +1,25 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ creationTimestamp: null
+ name: pi
+spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ creationTimestamp: null
+ name: pi
+ spec:
+ containers:
+ - command:
+ - perl
+ - -Mbignum=bpi
+ - -wle
+ - print bpi(2000)
+ image: perl
+ name: pi
+ resources: {}
+ restartPolicy: Never
+status: {}
+---
diff --git a/istioctl/cmd/testdata/uninject/job.yaml.injected b/istioctl/cmd/testdata/uninject/job.yaml.injected
new file mode 100644
index 000000000000..f80e1bf30f83
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/job.yaml.injected
@@ -0,0 +1,153 @@ +apiVersion: batch/v1 +kind: Job +metadata: + creationTimestamp: null + name: pi +spec: + template: + metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + name: pi + spec: + containers: + - command: + - perl + - -Mbignum=bpi + - -wle + - print bpi(2000) + image: perl + name: pi + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - pi.default + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + 
cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "" + - -d + - "15020" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsNonRoot: false + runAsUser: 0 + restartPolicy: Never + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default +status: {} +--- diff --git a/istioctl/cmd/testdata/uninject/list.yaml b/istioctl/cmd/testdata/uninject/list.yaml new file mode 100644 index 000000000000..ad4e82d65058 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/list.yaml 
@@ -0,0 +1,77 @@
+apiVersion: v1
+items:
+- apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ creationTimestamp: null
+ name: hello-v1
+ spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: hello
+ tier: backend
+ track: stable
+ version: v1
+ strategy: {}
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ creationTimestamp: null
+ labels:
+ app: hello
+ tier: backend
+ track: stable
+ version: v1
+ spec:
+ containers:
+ - image: fake.docker.io/google-samples/hello-go-gke:1.0
+ name: hello
+ ports:
+ - containerPort: 80
+ name: http
+ resources: {}
+ dnsConfig: {}
+ volumes:
+ - name: test
+ secret:
+ optional: true
+ secretName: test
+ status: {}
+- apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ creationTimestamp: null
+ name: hello-v2
+ spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: hello
+ tier: backend
+ track: stable
+ version: v2
+ strategy: {}
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ creationTimestamp: null
+ labels:
+ app: hello
+ tier: backend
+ track: stable
+ version: v2
+ spec:
+ containers:
+ - image: fake.docker.io/google-samples/hello-go-gke:1.0
+ name: hello
+ ports:
+ - containerPort: 81
+ name: http
+ resources: {}
+ status: {}
+kind: List
+metadata: {}
+---
diff --git a/istioctl/cmd/testdata/uninject/list.yaml.injected b/istioctl/cmd/testdata/uninject/list.yaml.injected
new file mode 100644
index 000000000000..8a89884de596
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/list.yaml.injected
@@ -0,0 +1,345 @@ +apiVersion: v1 +items: +- apiVersion: apps/v1 + kind: Deployment + metadata: + creationTimestamp: null + name: hello-v1 + spec: + replicas: 3 + selector: + matchLabels: + app: hello + tier: backend + track: stable + version: v1 + strategy: {} + template: + metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeInboundPorts: "80" + traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + labels: + app: hello + tier: backend + track: stable + version: v1 + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hello.$(POD_NAMESPACE) + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "80" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "80" + - 
name: ISTIO_METAJSON_LABELS + value: | + {"app":"hello","tier":"backend","track":"stable","version":"v1"} + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + dnsConfig: + searches: + - global + - default.global + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "80" + - -d + - "15020" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsNonRoot: false + runAsUser: 0 + volumes: + - name: test + secret: + optional: true + secretName: test + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default + status: {} +- apiVersion: apps/v1 + kind: Deployment + metadata: + creationTimestamp: null + name: hello-v2 + spec: + replicas: 3 + selector: + matchLabels: + app: hello + tier: backend + track: stable + version: v2 + strategy: {} + template: + metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeInboundPorts: "81" + 
traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + labels: + app: hello + tier: backend + track: stable + version: v2 + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 81 + name: http + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hello.$(POD_NAMESPACE) + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "81" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "81" + - name: ISTIO_METAJSON_LABELS + value: | + {"app":"hello","tier":"backend","track":"stable","version":"v2"} + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy 
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ initContainers:
+ - args:
+ - -p
+ - "15001"
+ - -u
+ - "1337"
+ - -m
+ - REDIRECT
+ - -i
+ - '*'
+ - -x
+ - ""
+ - -b
+ - "81"
+ - -d
+ - "15020"
+ image: docker.io/istio/proxy_init:unittest
+ imagePullPolicy: IfNotPresent
+ name: istio-init
+ resources:
+ limits:
+ cpu: 100m
+ memory: 50Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ runAsNonRoot: false
+ runAsUser: 0
+ volumes:
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-certs
+ secret:
+ optional: true
+ secretName: istio.default
+ status: {}
+kind: List
+metadata: {}
+---
diff --git a/istioctl/cmd/testdata/uninject/pod.yaml b/istioctl/cmd/testdata/uninject/pod.yaml
new file mode 100644
index 000000000000..7fa3558c2cf7
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/pod.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ creationTimestamp: null
+ name: hellopod
+spec:
+ containers:
+ - image: fake.docker.io/google-samples/hello-go-gke:1.0
+ name: hello
+ ports:
+ - containerPort: 80
+ name: http
+ resources: {}
+ dnsConfig:
+ searches:
+ - test
+status: {}
+---
diff --git a/istioctl/cmd/testdata/uninject/pod.yaml.injected b/istioctl/cmd/testdata/uninject/pod.yaml.injected
new file mode 100644
index 000000000000..418a58297101
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/pod.yaml.injected
@@ -0,0 +1,152 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeInboundPorts: "80" + traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + name: hellopod +spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hellopod.default + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "80" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "80" + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + 
periodSeconds: 2
+ resources:
+ limits:
+ cpu: "2"
+ memory: 1Gi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 1337
+ volumeMounts:
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ dnsConfig:
+ searches:
+ - global
+ - default.global
+ - test
+ initContainers:
+ - args:
+ - -p
+ - "15001"
+ - -u
+ - "1337"
+ - -m
+ - REDIRECT
+ - -i
+ - '*'
+ - -x
+ - ""
+ - -b
+ - "80"
+ - -d
+ - "15020"
+ image: docker.io/istio/proxy_init:unittest
+ imagePullPolicy: IfNotPresent
+ name: istio-init
+ resources:
+ limits:
+ cpu: 100m
+ memory: 50Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ runAsNonRoot: false
+ runAsUser: 0
+ volumes:
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-certs
+ secret:
+ optional: true
+ secretName: istio.default
+status: {}
+---
diff --git a/istioctl/cmd/testdata/uninject/replicaset.yaml b/istioctl/cmd/testdata/uninject/replicaset.yaml
new file mode 100644
index 000000000000..f55892aacb0d
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/replicaset.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: ReplicaSet
+metadata:
+ creationTimestamp: null
+ name: hello
+spec:
+ replicas: 7
+ selector:
+ matchLabels:
+ app: hello
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ creationTimestamp: null
+ labels:
+ app: hello
+ spec:
+ containers:
+ - image: fake.docker.io/google-samples/hello-go-gke:1.0
+ name: hello
+ ports:
+ - containerPort: 80
+ name: http
+ resources: {}
+status:
+ replicas: 0
+---
diff --git a/istioctl/cmd/testdata/uninject/replicaset.yaml.injected b/istioctl/cmd/testdata/uninject/replicaset.yaml.injected
new file mode 100644
index 000000000000..aa69296989b7
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/replicaset.yaml.injected
@@ -0,0 +1,161 @@ +apiVersion: apps/v1 +kind: ReplicaSet +metadata: + creationTimestamp: null + name: hello +spec: + replicas: 7 + selector: + matchLabels: + app: hello + template: + metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeInboundPorts: "80" + traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + labels: + app: hello + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hello.$(POD_NAMESPACE) + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "80" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "80" + - name: ISTIO_METAJSON_LABELS + value: | + {"app":"hello"} + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: 
istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "80" + - -d + - "15020" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsNonRoot: false + runAsUser: 0 + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default +status: + replicas: 0 +--- diff --git a/istioctl/cmd/testdata/uninject/replicationcontroller.yaml b/istioctl/cmd/testdata/uninject/replicationcontroller.yaml new file mode 100644 index 000000000000..33aedbe81913 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/replicationcontroller.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: ReplicationController +metadata: + creationTimestamp: null + name: nginx +spec: + replicas: 3 + selector: + app: nginx + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + creationTimestamp: null + labels: + app: nginx + name: nginx + spec: + containers: + - image: nginx + name: nginx + ports: + - containerPort: 80 + resources: {} +status: + replicas: 0 +--- diff --git a/istioctl/cmd/testdata/uninject/replicationcontroller.yaml.injected b/istioctl/cmd/testdata/uninject/replicationcontroller.yaml.injected new file mode 100644 index 000000000000..2a9a8d232d92 
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/replicationcontroller.yaml.injected
@@ -0,0 +1,160 @@ +apiVersion: v1 +kind: ReplicationController +metadata: + creationTimestamp: null + name: nginx +spec: + replicas: 3 + selector: + app: nginx + template: + metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeInboundPorts: "80" + traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + labels: + app: nginx + name: nginx + spec: + containers: + - image: nginx + name: nginx + ports: + - containerPort: 80 + resources: {} + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - nginx.$(POD_NAMESPACE) + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "80" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "80" + - name: ISTIO_METAJSON_LABELS + value: | + {"app":"nginx"} + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + 
name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "80" + - -d + - "15020" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsNonRoot: false + runAsUser: 0 + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default +status: + replicas: 0 +--- diff --git a/istioctl/cmd/testdata/uninject/statefulset.yaml b/istioctl/cmd/testdata/uninject/statefulset.yaml new file mode 100644 index 000000000000..c6909aa5cb11 --- /dev/null +++ b/istioctl/cmd/testdata/uninject/statefulset.yaml @@ -0,0 +1,41 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + creationTimestamp: null + name: hello +spec: + replicas: 3 + selector: + matchLabels: + app: hello + tier: backend + track: stable + serviceName: hello + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + creationTimestamp: null + labels: + app: hello + tier: backend + track: stable + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + volumeMounts: + - mountPath: /var/lib/data + name: data + volumes: + - hostPath: + path: /mnt/disks/ssd0 + name: data + updateStrategy: {} +status: + replicas: 0 +--- 
diff --git a/istioctl/cmd/testdata/uninject/statefulset.yaml.injected b/istioctl/cmd/testdata/uninject/statefulset.yaml.injected
new file mode 100644
index 000000000000..a35ee165eecc
--- /dev/null
+++ b/istioctl/cmd/testdata/uninject/statefulset.yaml.injected
@@ -0,0 +1,173 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + creationTimestamp: null + name: hello +spec: + replicas: 3 + selector: + matchLabels: + app: hello + tier: backend + track: stable + serviceName: hello + template: + metadata: + annotations: + sidecar.istio.io/interceptionMode: REDIRECT + sidecar.istio.io/status: '{"version":"","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' + traffic.sidecar.istio.io/excludeInboundPorts: "15020" + traffic.sidecar.istio.io/includeInboundPorts: "80" + traffic.sidecar.istio.io/includeOutboundIPRanges: '*' + creationTimestamp: null + labels: + app: hello + tier: backend + track: stable + spec: + containers: + - image: fake.docker.io/google-samples/hello-go-gke:1.0 + name: hello + ports: + - containerPort: 80 + name: http + resources: {} + volumeMounts: + - mountPath: /var/lib/data + name: data + - args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - /etc/istio/proxy + - --binaryPath + - /usr/local/bin/envoy + - --serviceCluster + - hello.$(POD_NAMESPACE) + - --drainDuration + - 45s + - --parentShutdownDuration + - 1m0s + - --discoveryAddress + - istio-pilot:15010 + - --dnsRefreshRate + - 300s + - --connectTimeout + - 1s + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --statusPort + - "15020" + - --applicationPorts + - "80" + - --concurrency + - "2" + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "80" + 
- name: ISTIO_METAJSON_LABELS + value: | + {"app":"hello","tier":"backend","track":"stable"} + image: docker.io/istio/proxyv2:unittest + imagePullPolicy: IfNotPresent + name: istio-proxy + ports: + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: 1 + periodSeconds: 2 + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + initContainers: + - args: + - -p + - "15001" + - -u + - "1337" + - -m + - REDIRECT + - -i + - '*' + - -x + - "" + - -b + - "80" + - -d + - "15020" + image: docker.io/istio/proxy_init:unittest + imagePullPolicy: IfNotPresent + name: istio-init + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 10m + memory: 10Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsNonRoot: false + runAsUser: 0 + volumes: + - hostPath: + path: /mnt/disks/ssd0 + name: data + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + secretName: istio.default + updateStrategy: {} +status: + replicas: 0 +--- diff --git a/pilot/pkg/kube/inject/inject.go b/pilot/pkg/kube/inject/inject.go index db41c6668db8..85ff90dfc981 100644 --- a/pilot/pkg/kube/inject/inject.go +++ b/pilot/pkg/kube/inject/inject.go @@ -386,7 +386,7 @@ func ValidateExcludeInboundPorts(ports string) error { return validatePortList("excludeInboundPorts", ports) } -// ValidateExcludeInboundPorts validates the excludeInboundPorts parameter +// ValidateExcludeOutboundPorts validates the excludeOutboundPorts parameter func ValidateExcludeOutboundPorts(ports string) error { return validatePortList("excludeOutboundPorts", ports) } 
@@ -653,7 +653,7 @@ func IntoResourceFile(sidecarTemplate string, valuesConfig string, meshconfig *m
 return err
 }
- obj, err := fromRawToObject(raw)
+ obj, err := FromRawToObject(raw)
 if err != nil && !runtime.IsNotRegisteredError(err) {
 return err
 }
@@ -681,7 +681,8 @@ func IntoResourceFile(sidecarTemplate string, valuesConfig string, meshconfig *m
 return nil
 }
-func fromRawToObject(raw []byte) (runtime.Object, error) {
+// FromRawToObject is used to convert from raw to the runtime object
+func FromRawToObject(raw []byte) (runtime.Object, error) {
 var typeMeta metav1.TypeMeta
 if err := yaml.Unmarshal(raw, &typeMeta); err != nil {
 return nil, err
@@ -711,7 +712,7 @@ func intoObject(sidecarTemplate string, valuesConfig string, meshconfig *meshcon
 result := list
 for i, item := range list.Items {
- obj, err := fromRawToObject(item.Raw)
+ obj, err := FromRawToObject(item.Raw)
 if runtime.IsNotRegisteredError(err) {
 continue
 }
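Review bot: The doc comment added for the newly exported FromRawToObject in the -681 hunk does not state the contract its callers depend on: both call sites (the -653 and -711 hunks) special-case runtime.IsNotRegisteredError on the returned error, and since the function is now public that behaviour becomes part of the package's API. I would replace `// FromRawToObject is used to convert from raw to the runtime object` with `// FromRawToObject decodes a raw serialized Kubernetes object into its typed runtime.Object. Callers that must tolerate kinds unknown to the scheme should check runtime.IsNotRegisteredError on the returned error, as IntoResourceFile and intoObject do.` The function body continues outside the hunk, so I could not confirm here which decode step produces that error class; the wording above only describes what the visible callers rely on.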