Configure OCI Service Operator for Kubernetes Service Mesh
OCI Service Operator for Kubernetes provides a seamless experience for the container-native application in managing and connecting to OCI services. OCI Service Operator for Kubernetes is library of operators for OCI services. Kubernetes users can simply install the operators and perform actions on OCI resources like Service Mesh using the Kubernetes API. The operators remove the need to use OCI CLI or other OCI developer tools to interact with the service API. This section describes the configurations that used in Service Mesh for OCI Service Operator for Kubernetes.
Sidecar Injection on Pods
During the OCI Service Operator for Kubernetes bundle installation, the
MutatingWebhookConfiguration callback sets up the namespace
selector to enable or disable sidecar injection to all the pods in a namespace.
Based on the presence of the
servicemesh.oci.oracle.com/sidecar-injection label at the
namespace level and pod level, sidecar injection is enabled or disabled. The
following examples demonstrate labeling at the namespace and pod level.
- Creating a namespace doesn’t invoke sidecar injection as a label isn’t present.
kubectl create namespace <your-namespace> - To enable sidecar injection at the namespace level, set the label to
enabled.kubectl label namespace <your-namespace> servicemesh.oci.oracle.com/sidecar-injection=enabled - To disable sidecar injection at namespace level, set the label to
disabled.kubectl label namespace <your-namespace> servicemesh.oci.oracle.com/sidecar-injection=disabled - Creating pods doesn’t add any labels, the labels are inherited from namespace.
To enable sidecar injection at the pod level, set the label to
enabled.kubectl label pods <pod-name> -n <your-namespace> servicemesh.oci.oracle.com/sidecar-injection=enabled - To disable sidecar injection at the pod level, set the label to
disabled.kubectl label pods <pod-name> -n <your-namespace> servicemesh.oci.oracle.com/sidecar-injection=disabled
The logic for the
sidecar-injection label works
as follows. - If the
sidecar-injectionlabel is set on the pod level, then sidecar injection is enabled or disabled based on the pod label value. - If the
sidecar-injectionlabel isn’t set on the pod level, thensidecar-injectionis enabled or disabled based on the namespace label value. - If no labels are set, by default, sidecar injection is disabled.
Configuring Service Mesh Proxy Servers
For more information on configuring Service Mesh proxy services, see the following.