Using the Tanzu Service Mesh API, you can define rules to specify which namespaces on your clusters are included for automatic Istio sidecar injection.

You include a namespace if you want the pods in that namespace to take advantage of Istio features. To use Istio features, a pod must be running an Istio sidecar proxy. If you enable automatic Istio sidecar injection for a namespace, all new pods that are created in that namespace will automatically have a sidecar proxy added to them. For overview information about namespace inclusions in Tanzu Service Mesh, see Namespace Onboarding Workflow in Getting Started with VMware Tanzu Service Mesh. For more information about sidecar proxy injection, see the Istio documentation.

Using the Tanzu Service Mesh API, you can define namespace inclusion rules for your clusters based on namespace naming patterns. If the name of a namespace on a cluster matches a rule, that namespace will be included for automatic sidecar injection.

Important:

You cannot set namespace inclusion rules for a cluster through the API if the Cluster admin owned option was selected for the cluster. This option specifies that a cluster administrator owns the labeling of namespaces for Istio injection in the cluster and can create and label namespaces on the cluster as needed, without having the changes overridden by Tanzu Service Mesh. If the adminOwnedNamespaceManagement parameter is set to true for the cluster through the API, the Cluster admin owned option is selected for the cluster. For more information about the adminOwnedNamespaceManagement parameter, see Onboard a Cluster to Tanzu Service Mesh. For more information about customer-managed namespace labeling, see Customer-Managed Namespace Labeling.

Prerequisites

Procedure

  1. Retrieve the configuration details of the cluster for which you want to define namespace inclusion rules by making the following call.
    GET https://{server_name}/tsm/v1alpha2/projects/default/clusters/{clusterId}

    Where {server_name} is the host name of the Tanzu Service Mesh server, and {clusterId} is the ID of the cluster.

  2. Copy the cluster configuration details in the response.
  3. Submit the following request.
    PUT https://{server_name}/tsm/v1alpha2/projects/default/clusters/{clusterId}

    Paste the cluster configuration details returned by the request in step 1 as the request body for this request.

    Make the following changes to the pasted cluster configuration details in the request body:

    • Remove the following irrelevant fields from the request body. Including any of these fields will cause the API to return an error code in the response.

      • id

      • name

      • type

      • version

      • status

      • caStatusHistory

      • caStatus

      • systemNamespaceInclusions

      • statusHistory

      • componentStatusesHistory

      • syncStatus

    The resulting request body should look like this.

    {
      "displayName": "my-cluster",
      "description": "",
      "tags": [],
      "labels": [],
      "autoInstallServiceMesh": false,
      "enableNamespaceExclusions": false,
      "namespaceExclusions": [],
      "proxyConfig": {},
      "autoInstallServiceMeshConfig": {
        "restrictDefaultExternalAccess": false
      },
      "registryAccount": "",
      "caLabels": [
        {
          "key": "CertificateAuthority",
          "value": "TSM"
        }
      ],
      "enableInternalGateway": false,
      "enableNamespaceInclusions": true,
      "namespaceInclusions": [
        {
          "match": "prod-cluster",
          "type": "EXACT"
        },
        {
          "match": "acme",
          "type": "START_WITH"
        }
      ]
    }
    
  4. To enable automatic Istio sidecar injection for namespaces in the cluster, set enableNamespaceInclusions to true.
  5. Under namespaceInclusions, define namespace inclusion rules.
    • To enable automatic Istio sidecar injection for all the namespaces on the cluster, set enableNamespaceInclusions to true and add the following rule to serve as a wildcard rule for all namespaces:

      {
        "match": "*",
        "type": "START_WITH"
      }
    • To disable automatic Istio sidecar injection for the namespaces on the cluster, set enableNamespaceInclusions to false.

    Note:

    Set enableNamespaceExclusions to false and set namespaceExclusions to an empty array ([]). These fields, which are used to define namespace exclusion rules, are being deprecated and are included for backward compatibility.

    Important:

    If you set both enableNamespaceInclusions and enableNamespaceExclusions to false, the system will exclude namespaces from automatic Istio sidecar injection based on the conditions provided in the namespaceExclusions field. If no namespace exclusion conditions are given, all the namespaces in the cluster, except Kubernetes system namespaces such as kube-system and kube-public, will be included for automatic sidecar injection.

    1. To specify that the name of a namespace must exactly match a specific name, set type to EXACT and enter the name as the value of match.

      The example request body in step 3 contains an EXACT rule that matches only the namespace named prod-cluster.

    2. To define a name start pattern that the name of a namespace must match, set type to START_WITH and enter the pattern as the value of match.

      For example, to include every namespace whose name begins with acme, set type to START_WITH and enter acme as the value of match, as shown in the example request body in step 3.

    3. Save the changes in the request body.
  6. To apply the namespace inclusion rules, make a call to PUT /v1alpha/clusters/{clusterId}.
  7. To define namespace inclusion rules for another cluster, repeat steps 1‒6.
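The following script is an added example, not part of the Tanzu Service Mesh documentation or product code. It models steps 3 to 5 offline: it strips the fields the page says must be removed from the GET response, sets the inclusion flags and rules, and predicts which namespaces will receive the istio-injection=enabled label described under Results. The GET response is a constructed sample, and the treatment of "*" with START_WITH as a match-all rule follows the wildcard description in step 5 rather than any documented matching algorithm.

```python
import copy

# Fields the page says to strip from the GET response before sending it
# back as the PUT body; leaving any of them in makes the API return an error.
IRRELEVANT_FIELDS = (
    "id", "name", "type", "version", "status", "caStatusHistory", "caStatus",
    "systemNamespaceInclusions", "statusHistory", "componentStatusesHistory",
    "syncStatus",
)
RULE_TYPES = ("EXACT", "START_WITH")

# Constructed sample of a GET .../clusters/{clusterId} response (not real output).
SAMPLE_GET_RESPONSE = {
    "id": "cluster-0001", "name": "my-cluster", "type": "Kubernetes",
    "status": {"state": "Ready"}, "syncStatus": "Synced", "statusHistory": [],
    "displayName": "my-cluster", "description": "", "tags": [], "labels": [],
    "autoInstallServiceMesh": False, "proxyConfig": {}, "registryAccount": "",
    "caLabels": [{"key": "CertificateAuthority", "value": "TSM"}],
    "enableNamespaceExclusions": True, "namespaceExclusions": ["legacy"],
    "enableNamespaceInclusions": False, "namespaceInclusions": [],
}

def build_inclusion_body(cluster_config, rules):
    """Build the PUT body from a GET response and a list of (match, type) rules."""
    body = copy.deepcopy(cluster_config)
    for field in IRRELEVANT_FIELDS:
        body.pop(field, None)  # absent fields are fine; present ones must go
    for match, rule_type in rules:
        if rule_type not in RULE_TYPES or not match:
            raise ValueError(f"invalid inclusion rule: {match!r} / {rule_type!r}")
    body["enableNamespaceInclusions"] = bool(rules)  # false disables injection
    body["namespaceInclusions"] = [{"match": m, "type": t} for m, t in rules]
    # Exclusion fields are deprecated: keep them disabled and empty.
    body["enableNamespaceExclusions"] = False
    body["namespaceExclusions"] = []
    return body

def namespace_included(namespace, rules):
    """True if any rule matches; '*' with START_WITH is the page's wildcard rule."""
    for match, rule_type in rules:
        if rule_type == "EXACT" and namespace == match:
            return True
        if rule_type == "START_WITH" and (match == "*" or namespace.startswith(match)):
            return True
    return False

def expected_injection_namespaces(namespaces, rules):
    # Namespaces that should end up labelled istio-injection=enabled.
    return sorted(ns for ns in namespaces if namespace_included(ns, rules))
```

Send the returned body with PUT to the same cluster URL used for the GET (step 6); the prediction function is a local check of the rules before you apply them.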

Results

The namespace inclusion rules will be applied to the matching namespaces on the cluster, and the istio-injection=enabled label will be set on each matching namespace.