Oracle Cloud Infrastructure Documentation

Configure OCI Service Operator for Kubernetes Service Mesh

OCI Service Operator for Kubernetes provides a seamless experience for the container-native application in managing and connecting to OCI services. OCI Service Operator for Kubernetes is library of operators for OCI services. Kubernetes users can simply install the operators and perform actions on OCI resources like Service Mesh using the Kubernetes API. The operators remove the need to use OCI CLI or other OCI developer tools to interact with the service API. This section describes the configurations that used in Service Mesh for OCI Service Operator for Kubernetes.

Sidecar Injection on Pods

During the OCI Service Operator for Kubernetes bundle installation, the MutatingWebhookConfiguration callback sets up the namespace selector to enable or disable sidecar injection to all the pods in a namespace. Based on the presence of the servicemesh.oci.oracle.com/sidecar-injection label at the namespace level and pod level, sidecar injection is enabled or disabled. The following examples demonstrate labeling at the namespace and pod level.

  • Creating a namespace doesn't invoke sidecar injection as a label isn't present. 
    kubectl create namespace <your-namespace>
  • To enable sidecar injection at the namespace level, set the label to enabled. 
    kubectl label namespace <your-namespace> servicemesh.oci.oracle.com/sidecar-injection=enabled
  • To disable sidecar injection at namespace level, set the label to disabled. 
    kubectl label namespace <your-namespace> servicemesh.oci.oracle.com/sidecar-injection=disabled
  • Creating pods doesn't add any labels, the labels are inherited from namespace. To enable sidecar injection at the pod level, set the label to enabled. 
    kubectl label pods <pod-name> -n <your-namespace> servicemesh.oci.oracle.com/sidecar-injection=enabled
  • To disable sidecar injection at the pod level, set the label to disabled. 
    kubectl label pods <pod-name> -n <your-namespace> servicemesh.oci.oracle.com/sidecar-injection=disabled
Important

The logic for the sidecar-injection label works as follows.
  • If the sidecar-injection label is set on the pod level, then sidecar injection is enabled or disabled based on the pod label value.
  • If the sidecar-injection label isn't set on the pod level, then sidecar-injection is enabled or disabled based on the namespace label value.
  • If no labels are set, by default, sidecar injection is disabled.

Configuring Service Mesh Proxy Servers

For more information on configuring Service Mesh proxy services, see the following.