Enable native sidecar mode for Istio-based service mesh add-on in Azure Kubernetes Service (AKS) (preview)
Kubernetes native sidecar aims to provide a more robust and user-friendly way to incorporate sidecar patterns into Kubernetes applications, improving efficiency, reliability, and simplicity.
Native sidecar is a good fit for Istio. It offers several benefits, such as simplified sidecar management. Additionally, it improves reliability and coordination. It also optimizes resources and enhances operational efficiency.
Starting from Kubernetes version 1.29, sidecar containers feature is turned on for AKS. With this change, Istio native sidecar mode can be used with the Istio add-on for AKS.
This article walks through how to enable native sidecar mode for Istio based service mesh on AKS.
Register
IstioNativeSidecarModePreviewfeature flag through az feature register.az feature register --namespace Microsoft.ContainerService --name IstioNativeSidecarModePreviewVerify the registration status through az feature show.
az feature show --namespace Microsoft.ContainerService --name IstioNativeSidecarModePreviewIt takes a few minutes for the status to show
Registered.When the status reflects Registered, refresh the registration of the
Microsoft.ContainerServiceresource provider through az provider register.az provider register --namespace Microsoft.ContainerService
Check that the AKS cluster's Kubernetes control plane version is 1.29 or higher using az aks show.
az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER -o json | jq ".kubernetesVersion"If the control plane version is too old, upgrade Kubernetes control plane.
Make sure node pools runs
1.29or newer version and power state is running.az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER -o json | jq ".agentPoolProfiles[] | { currentOrchestratorVersion, powerState}"Caution
Native sidecar mode requires both Kubernetes control plane and data plane on 1.29+. Make sure all your nodes have been upgraded to 1.29 before enabling native sidecar mode. Otherwise, sidecars will not work as expected.
If any node pool version is too old, upgrade-node-image to
1.29or newer version.Make sure Istio add-on is on
asm-1-20or newer revision.az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER -o json | jq ".serviceMeshProfile.istio.revisions"If
istiodis too old, upgrade toasm-1-20or newer by following the steps in Istio upgrade.
AKS cluster needs to be reconciled with az aks update command.
az aks update --resource-group $RESOURCE_GROUP --name $CLUSTER
When native sidecar mode is enabled, environment variable ENABLE_NATIVE_SIDECARS appears with value true in Istio's control plane pod template. Use the following command to check istiod deployment.
kubectl get deployment -l app=istiod -n aks-istio-system -o json | jq '.items[].spec.template.spec.containers[].env[] | select(.name=="ENABLE_NATIVE_SIDECARS")'
Once Istio control plane is ready, do a rolling restart of workloads to let istiod inject native sidecars.
for ns in $(kubectl get ns -l istio.io/rev -o=jsonpath='{.items[0].metadata.name}'); do
kubectl rollout restart deployments -n $ns
done
For deployments having istio sidecars injected with istioctl kube-inject, you need to reinject sidecars.
If native side mode is successfully enabled, istio-proxy container is shown as an init container. Use the following command to check sidecar injection:
kubectl get pods -o "custom-columns=NAME:.metadata.name,INIT:.spec.initContainers[*].name,CONTAINERS:.spec.containers[*].name"
istio-proxy container should be shown as an init container.
NAME INIT CONTAINERS
sleep-7656cf8794-5b5j4 istio-init,istio-proxy sleep
When creating a new AKS cluster with az aks create command, choose a version 1.29 or newer, istio asm-1-20 or newer. The new cluster should have native sidecar mode turned on automatically.
az aks create \
--resource-group $RESOURCE_GROUP \
--name $CLUSTER \
--enable-asm \
--kubernetes-version 1.29 \
--revision asm-1-20 \
--generate-ssh-keys
...