Verifying Istio Sidecar Injection with Istioctl Check-Inject

istioctl experimental check-inject is a diagnostic tool that helps you verify if specific webhooks will perform Istio sidecar injection in your pods. Use this tool to check if the sidecar injection configuration is correctly applied to a live cluster.

Quick Start

To check why Istio sidecar injection did/didn’t (or will/won’t) occur for a specific pod, run:

  1. $ istioctl experimental check-inject -n <namespace> <pod-name>

For a deployment, run:

  1. $ istioctl experimental check-inject -n <namespace> deploy/<deployment-name>

Or, for label pairs:

  1. $ istioctl experimental check-inject -n <namespace> -l <label-key>=<label-value>

For example, if you have a deployment named httpbin in the hello namespace and a pod named httpbin-1234 with the label app=httpbin, the following commands are equivalent:

  1. $ istioctl experimental check-inject -n hello httpbin-1234
  2. $ istioctl experimental check-inject -n hello deploy/httpbin
  3. $ istioctl experimental check-inject -n hello -l app=httpbin

Example results:

  1. WEBHOOK REVISION INJECTED REASON
  2. istio-revision-tag-default default Namespace label istio-injection=enabled matches
  3. istio-sidecar-injector-1-18 1-18 No matching namespace labels (istio.io/rev=1-18) or pod labels (istio.io/rev=1-18)

If the INJECTED field is marked as , the webhook in that row will perform the injection, with the reason why the webhook will do the sidecar injection.

If the INJECTED field is marked as , the webhook in that row will not perform the injection, and the reason is also shown.

Possible reasons the webhook won’t perform injection or the injection will have errors:

  1. No matching namespace labels or pod labels: Ensure proper labels are set on the namespace or pod.

  2. No matching namespace labels or pod labels for a specific revision: Set correct labels to match the desired Istio revision.

  3. Pod label preventing injection: Remove the label or set it to the appropriate value.

  4. Namespace label preventing injection: Change the label to the appropriate value.

  5. Multiple webhooks injecting sidecars: Ensure only one webhook is enabled for injection, or set appropriate labels on the namespace or pod to target a specific webhook.