Istio Sidecar Proxy Injection Issues

Symptom

Some Pods don't have an Istio sidecar proxy injected.

Cause

By default, the Istio module does not automatically inject an Istio sidecar proxy into any Pods you create. To inject a Pod with an Istio sidecar proxy, you must explicitly enable injection for the Pod's Deployment or for the entire namespace. If you have done this and the sidecar is still not installed, follow the remedy steps to identify which settings are preventing the injection.

A Pod is not injected with an Istio sidecar proxy if:

Istio sidecar proxy injection is disabled at the namespace level
The sidecar.istio.io/inject label on the Pod is set to false
The Pod's spec contains hostNetwork: true

Solution

Find out which Pods do not have Istio sidecar proxy injection enabled and why. You can either inspect Pods across all namespaces, focus on a specific namespace, or verify why a selective Pod is not injected.

Check Pods in All Namespaces

Download the script.
Run the script.
bash
```
./sidecar-analysis.sh
```

You get an output similar to this one:

bash

See all Pods that are not part of the Istio service mesh:
Pods in namespaces labeled with "istio-injection=disabled":
    - namespace/Pod
    ...
Pods labeled with "sidecar.istio.io/inject=false" in namespaces labeled with "istio-injection=enabled":
    - namespace/Pod
    ...
Pods not labeled with "sidecar.istio.io/inject=true" in unlabeled namespaces:
    - namespace/Pod
    ...

To learn how to include a Pod into the Istio service mesh, see Enabling Istio Sidecar Proxy Injection.

Check Pods in a Selective Namespace

Download the script.
Run the script passing the namespace name as a parameter.
bash
```
./sidecar-analysis.sh {NAMESPACE}
```

You get an output similar to this one:

bash

In the namespace default, the following Pods are not part of the Istio service mesh:
 - Pod
 - Pod
 ...
Reason: The namespace default has Istio sidecar proxy injection disabled, so none of its Pods have been injected with an Istio sidecar proxy.

To learn how to include a Pod into the Istio service mesh, see Enabling Istio Sidecar Proxy Injection.

Istio Service Mesh

Tutorials

Technical Reference

Troubleshooting

Tutorials

Expose a Workload

Use APIRule v2

Use APIRule v2alpha1

Use APIRule v1beta1

Expose and Secure a Workload

Use APIRule v2

Use APIRule v2alpha1

Use APIRule v1beta1

Security

Custom Resources

APIGateway Custom Resource

APIRule Custom Resource

v2

v2alpha1

v1beta1

APIRule Migration

Technical Reference

Troubleshooting Guides

APIRule and Service Connection Issues

APIRule v2

APIRule v2alpha1

APIRule v1beta1

External DNS Management Errors

APIRule v2 Introduction

Resources

Tutorials

Technical Reference

Runtime Agent

Tutorials

Resources

Tutorials

Register a Service

VPC Peering

Resources

Tutorials

Tutorials

Resources

Resources

Troubleshooting

Tutorials

Resources

Technical Reference

Troubleshooting Guides

Collecting Logs

Collecting Traces

Collecting Metrics

Filtering and Processing Data

Integrate with your OTLP Backend

Architecture

Integration Guides

Resources

Tutorials

Resources

Technical Reference

Tutorials

Commands

Istio Sidecar Proxy Injection Issues ​

Symptom ​

Cause ​

Solution ​

Check Pods in All Namespaces ​

Check Pods in a Selective Namespace ​

Check a Selective Pod ​

Istio Sidecar Proxy Injection Issues

Symptom

Cause

Solution

Check Pods in All Namespaces

Check Pods in a Selective Namespace

Check a Selective Pod