Skip to content
AWS AppMesh sidecar injector for EKS.
Go Shell Makefile Dockerfile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci Don't use the VERSION file for the install script Oct 17, 2019
.github Creating initial file from template Feb 20, 2019
cmd/app-mesh-inject
deploy Update default app mesh envoy sidecar to v1.12.1.1 Nov 26, 2019
kustomize Update default app mesh envoy sidecar to v1.12.1.1 Nov 26, 2019
pkg Added test for fargate-profile and appmeshCNI=disabled Dec 4, 2019
scripts Release v0.3.0 Nov 15, 2019
.gitignore Added test for fargate-profile and appmeshCNI=disabled Dec 4, 2019
ATTRIBUTION.txt Attribution document Nov 13, 2019
CHANGELOG.md Update CHANGELOG.md for release v0.3.1 (#110) Dec 1, 2019
CODE_OF_CONDUCT.md Creating initial file from template Feb 20, 2019
CONTRIBUTING.md Rename go imports to match GitHub org Mar 26, 2019
Dockerfile Add support for Envoy static config injection Oct 4, 2019
INSTALL.md Change namespace to appmesh-system (#92) Nov 11, 2019
LICENSE Creating initial file from template Feb 20, 2019
Makefile Change namespace to appmesh-system (#92) Nov 11, 2019
NOTICE Creating initial file from template Feb 20, 2019
README.md Change namespace to appmesh-system (#92) Nov 11, 2019
VERSION Release v0.3.0 Nov 15, 2019
ecr-secret-patch.json initial commit Mar 6, 2019
go.mod Add support for Envoy static config injection Oct 4, 2019
go.sum Replace logrus with klog Mar 26, 2019

README.md

CircleCI Go Report Card

App Mesh Inject

The AWS App Mesh Kubernetes sidecar injecting Admission Controller.

Security disclosures

If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions here or email AWS security directly.

Installation

Please reference the install instructions.

Warning

To align our helm repository and this repository we have changed the namespace to appmesh-system and resource names to appmesh-inject.

Under the hood

Enable Sidecar injection

To enable sidecar injection for a namespace, you need to label the namespace with appmesh.k8s.aws/sidecarInjectorWebhook=enabled

kubectl label namespace appmesh-demo appmesh.k8s.aws/sidecarInjectorWebhook=enabled

Default behavior and how to override

For namespaces with sidecar injection enabled, pods will be injected if the appmesh.k8s.aws/sidecarInjectorWebhook annotation is enabled and will not be injected if it is disabled. For pods with no annotation, they will be injected if the -inject-default=true flag is passed (the default for this flag) and will not be injected if the -inject-default=false flag is passed.

All container ports defined in the pod spec will be passed to sidecars as application ports. To override, add appmesh.k8s.aws/ports: "<ports>" annotation to the pod spec.

By default all egress traffic ports will be routed, except SSH. To override, add appmesh.k8s.aws/egressIgnoredPorts: "<ports>" annotation to the pod spec. ( Comma separated list of ports for which egress traffic will be ignored )

The name of the controller that creates the pod will be used as virtual node name and pass over to the sidecar. For example, if a pod is created by a deployment, the virtual node name will be <deployment name>-<namespace>. To override, add appmesh.k8s.aws/virtualNode: <virtual node name> annotation to the pod spec.

The mesh name provided at install time can be overridden with the appmesh.k8s.aws/mesh: <mesh name> annotation at POD spec level.

For example:

apiVersion: appsv1
kind: Deployment
metadata:
  labels:
    name: my-cool-deployment
spec:
  template:
    metadata:
      annotations:
        appmesh.k8s.aws/mesh: my-mesh
        appmesh.k8s.aws/ports: "8079,8080"
        appmesh.k8s.aws/egressIgnoredPorts: "22"
        appmesh.k8s.aws/virtualNode: my-app
        appmesh.k8s.aws/sidecarInjectorWebhook: disabled

To see an example on how to use this sidecar injector you can visit the demo page.

Troubleshooting

CA bundle not configured properly

If the CA bundle isn't configured properly, the pod will log the following log message:

TLS handshake error from 10.0.0.1:45390: remote error: tls: bad certificate

If this happens, set the CA_BUNDLE environment variable to the content of the CA bundle. Make sure that this value is base64 encoded (e.g. it shouldn't start with -----BEGIN CERTIFICATE-----).

You can’t perform that action at this time.