The AWS App Mesh Kubernetes sidecar injecting Admission Controller.
If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions here or email AWS security directly.
Please reference the install instructions.
To align our helm repository and this repository we have changed the namespace to appmesh-system and resource names to appmesh-inject.
To enable sidecar injection for a namespace, you need to label the namespace with appmesh.k8s.aws/sidecarInjectorWebhook=enabled
kubectl label namespace appmesh-demo appmesh.k8s.aws/sidecarInjectorWebhook=enabled
For namespaces with sidecar injection enabled, pods will be injected if the appmesh.k8s.aws/sidecarInjectorWebhook annotation is enabled and will not be injected if it is disabled.
For pods with no annotation, they will be injected if the -inject-default=true flag is passed (the default for this flag) and will not be injected if the -inject-default=false flag is passed.
All container ports defined in the pod spec will be passed to sidecars as application ports.
To override, add appmesh.k8s.aws/ports: "<ports>" annotation to the pod spec.
By default all egress traffic ports will be routed, except SSH.
To override, add appmesh.k8s.aws/egressIgnoredPorts: "<ports>" annotation to the pod spec. ( Comma separated list of ports for which egress traffic will be ignored )
The name of the controller that creates the pod will be used as virtual node name and pass over to the sidecar. For example, if a pod
is created by a deployment, the virtual node name will be <deployment name>-<namespace>.
To override, add appmesh.k8s.aws/virtualNode: <virtual node name> annotation to the pod spec.
The mesh name provided at install time can be overridden with the appmesh.k8s.aws/mesh: <mesh name> annotation at POD spec level.
For example:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
name: my-cool-deployment
spec:
selector:
matchLabels:
name: appmesh-inject
template:
metadata:
annotations:
appmesh.k8s.aws/mesh: my-mesh
appmesh.k8s.aws/ports: "8079,8080"
appmesh.k8s.aws/egressIgnoredPorts: "22"
appmesh.k8s.aws/virtualNode: my-app
appmesh.k8s.aws/sidecarInjectorWebhook: disabledTo see an example on how to use this sidecar injector you can visit the demo page.
If the CA bundle isn't configured properly, the pod will log the following log message:
TLS handshake error from 10.0.0.1:45390: remote error: tls: bad certificate
If this happens, set the CA_BUNDLE environment variable to the content of the CA bundle. Make sure that this value is base64 encoded (e.g. it shouldn't start with -----BEGIN CERTIFICATE-----).