https://github.com/amazon-archives/aws-app-mesh-inject

AWS AppMesh sidecar injector for EKS.
[![CircleCI](https://circleci.com/gh/aws/aws-app-mesh-inject/tree/master.svg?style=svg)](https://circleci.com/gh/aws/aws-app-mesh-inject/tree/master)
[![Go Report Card](https://goreportcard.com/badge/github.com/aws/aws-app-mesh-inject)](https://goreportcard.com/report/github.com/aws/aws-app-mesh-inject)

# App Mesh Inject

The AWS App Mesh sidecar-injecting admission controller for Kubernetes.

## Security disclosures

If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions [here](https://aws.amazon.com/security/vulnerability-reporting/) or [email AWS security directly](mailto:[email protected]).

## Installation
Please reference the [install instructions](INSTALL.md).

### Warning
To align the Helm repository with this repository, we have changed the namespace to `appmesh-system` and the resource names to `appmesh-inject`.

## Under the hood
### Enable Sidecar injection

To enable sidecar injection for a namespace, you need to label the namespace with `appmesh.k8s.aws/sidecarInjectorWebhook=enabled`

```shell
kubectl label namespace appmesh-demo appmesh.k8s.aws/sidecarInjectorWebhook=enabled
```

### Default behavior and how to override

In a namespace with sidecar injection enabled, a pod is injected if its `appmesh.k8s.aws/sidecarInjectorWebhook` annotation is `enabled` and is not injected if the annotation is `disabled`.
A pod with no annotation is injected if the `-inject-default=true` flag is passed (the default for this flag) and is not injected if `-inject-default=false` is passed.

All container ports defined in the pod spec are passed to the sidecar as application ports.
To override this, add the `appmesh.k8s.aws/ports: ""` annotation to the pod spec.

By default all egress traffic ports are routed through the sidecar, except SSH.
To override this, add the `appmesh.k8s.aws/egressIgnoredPorts: ""` annotation to the pod spec (a comma-separated list of ports whose egress traffic is ignored).

The name of the controller that creates the pod is used as the virtual node name and passed to the sidecar. For example, if a pod
is created by a deployment, the virtual node name will be `-`.
To override this, add the `appmesh.k8s.aws/virtualNode: ` annotation to the pod spec.

The mesh name provided at install time can be overridden with the `appmesh.k8s.aws/mesh: ` annotation at the pod spec level.

For example:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: my-cool-deployment
spec:
  selector:
    matchLabels:
      name: appmesh-inject
  template:
    metadata:
      annotations:
        appmesh.k8s.aws/mesh: my-mesh
        appmesh.k8s.aws/ports: "8079,8080"
        appmesh.k8s.aws/egressIgnoredPorts: "22"
        appmesh.k8s.aws/virtualNode: my-app
        appmesh.k8s.aws/sidecarInjectorWebhook: disabled
```
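The decision order for injection and the way the override annotations layer on top of the defaults are easy to get subtly wrong when reviewing a cluster's configuration, so here they are written out as a small Go program. This is an added example, not code from the aws-app-mesh-inject project: the `Pod` and `SidecarConfig` types, the `ShouldInject` and `BuildSidecarConfig` functions, the sample namespace and pod values, and the choice of the bare controller name as the default virtual node name (this page does not show the exact default format) are all assumptions of the example. Port 22 as the default ignored egress port is simply SSH's well-known port.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Inputs the injector decides on: namespace labels, pod annotations and the
// pod's declared container ports. These struct and field names are
// assumptions made for this example, not the project's own types.
type Pod struct {
	Namespace      string
	Controller     string // name of the controller that created the pod
	Annotations    map[string]string
	ContainerPorts []int
}

// SidecarConfig holds the values handed to the sidecar.
type SidecarConfig struct {
	Mesh               string
	VirtualNode        string
	AppPorts           string // comma-separated
	EgressIgnoredPorts string // comma-separated
}

// Label and annotation keys exactly as the README names them.
const (
	keyInject        = "appmesh.k8s.aws/sidecarInjectorWebhook"
	annPorts         = "appmesh.k8s.aws/ports"
	annEgressIgnored = "appmesh.k8s.aws/egressIgnoredPorts"
	annVirtualNode   = "appmesh.k8s.aws/virtualNode"
	annMesh          = "appmesh.k8s.aws/mesh"
)

// ShouldInject encodes the README's decision order: the namespace label must
// be "enabled"; then an explicit pod annotation wins; otherwise the value of
// the -inject-default flag decides.
func ShouldInject(nsLabels map[string]string, pod Pod, injectDefault bool) bool {
	if nsLabels[keyInject] != "enabled" {
		return false
	}
	switch pod.Annotations[keyInject] {
	case "enabled":
		return true
	case "disabled":
		return false
	}
	return injectDefault
}

// BuildSidecarConfig applies the override annotations on top of the defaults.
// defaultMesh stands in for the mesh name given at install time. The default
// virtual node name here is the controller name alone (an assumption of this
// example; the README's exact default format is not shown on this page).
func BuildSidecarConfig(pod Pod, defaultMesh string) SidecarConfig {
	cfg := SidecarConfig{
		Mesh:               defaultMesh,
		VirtualNode:        pod.Controller,
		AppPorts:           joinPorts(pod.ContainerPorts),
		EgressIgnoredPorts: "22", // SSH is the only port ignored by default
	}
	if v, ok := pod.Annotations[annMesh]; ok {
		cfg.Mesh = v
	}
	if v, ok := pod.Annotations[annVirtualNode]; ok {
		cfg.VirtualNode = v
	}
	if v, ok := pod.Annotations[annPorts]; ok {
		cfg.AppPorts = v
	}
	if v, ok := pod.Annotations[annEgressIgnored]; ok {
		cfg.EgressIgnoredPorts = v
	}
	return cfg
}

// joinPorts renders container ports in the comma-separated form the
// annotations use.
func joinPorts(ports []int) string {
	s := make([]string, len(ports))
	for i, p := range ports {
		s[i] = strconv.Itoa(p)
	}
	return strings.Join(s, ",")
}

func main() {
	// Constructed sample input: a labelled namespace and a pod that overrides
	// only the application ports.
	ns := map[string]string{keyInject: "enabled"}
	pod := Pod{
		Namespace:      "appmesh-demo",
		Controller:     "my-cool-deployment",
		Annotations:    map[string]string{annPorts: "8079,8080"},
		ContainerPorts: []int{8080, 9090},
	}
	fmt.Println("inject:", ShouldInject(ns, pod, true))
	fmt.Printf("%+v\n", BuildSidecarConfig(pod, "my-mesh"))
}
```

Note that `ShouldInject` never consults the pod annotation when the namespace label is missing: an `enabled` annotation on a pod in an unlabelled namespace does nothing, which is the behaviour to expect when a workload that should be in the mesh silently runs without a sidecar.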

To see an example on how to use this sidecar injector you can visit the [demo page](https://github.com/aws/aws-app-mesh-examples/tree/master/examples/).

## Troubleshooting

### CA bundle not configured properly

If the CA bundle isn't configured properly, the injector pod logs the following message:

```
TLS handshake error from 10.0.0.1:45390: remote error: tls: bad certificate
```

If this happens, set the `CA_BUNDLE` environment variable to the content of the CA bundle. Make sure that this value is base64 encoded (e.g. it shouldn't start with `-----BEGIN CERTIFICATE-----`).
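The usual cause of the handshake error above is handing `CA_BUNDLE` the raw PEM text instead of its base64 encoding, or handing it base64 of something that is not a CA certificate. The following Go program, added here as an example and not part of the aws-app-mesh-inject project, checks a candidate value before it is put into the environment: it accepts either raw PEM or base64, verifies that the bytes decode to a parseable x509 CA certificate, and returns the base64 form. The function names `NormalizeCABundle` and `checkCACert`, and the throwaway self-signed CA generated by `selfSignedCAPEM` as constructed sample input, are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NormalizeCABundle accepts either raw PEM (the mistake the README warns
// about) or an already base64-encoded bundle and returns the base64 form
// that CA_BUNDLE expects, after checking that the bundle is a CA certificate.
func NormalizeCABundle(value string) (string, error) {
	value = strings.TrimSpace(value)
	var raw []byte
	if strings.HasPrefix(value, "-----BEGIN ") {
		raw = []byte(value) // raw PEM: encode it rather than passing it through
	} else {
		decoded, err := base64.StdEncoding.DecodeString(value)
		if err != nil {
			return "", fmt.Errorf("CA_BUNDLE is neither PEM nor valid base64: %w", err)
		}
		raw = decoded
	}
	if err := checkCACert(raw); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// checkCACert parses the first PEM block and requires an x509 CA certificate,
// which is what the API server needs to verify the webhook's serving cert.
func checkCACert(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("decoded CA_BUNDLE does not contain a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("CA_BUNDLE certificate does not parse: %w", err)
	}
	if !cert.IsCA {
		return errors.New("CA_BUNDLE certificate is not a CA certificate")
	}
	return nil
}

// selfSignedCAPEM builds a throwaway CA certificate as constructed sample
// input; a real bundle comes from the CA that signed the webhook's cert.
func selfSignedCAPEM() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-webhook-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	pemText := string(selfSignedCAPEM())
	b64, err := NormalizeCABundle(pemText)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	// The value printed here is what CA_BUNDLE should be set to.
	fmt.Println("CA_BUNDLE=" + b64)
}
```

Running the program prints a base64 string that starts with `LS0tLS1CRUdJTi` (the encoding of `-----BEGIN`); if what you are about to export starts with `-----BEGIN CERTIFICATE-----` instead, it is the raw PEM and the API server will fail the TLS handshake exactly as shown in the log line above.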