SidecarSet

This controller leverages the admission webhook to automatically inject a sidecar container for every selected Pod when the Pod is created. The Sidecar injection process is similar to the automatic sidecar injection mechanism used in istio.

Besides injection during Pod creation, SidecarSet controller also provides additional capabilities such as in-place Sidecar container image upgrade, mounting Sidecar volumes, etc. Basically, SidecarSet decouples the Sidecar container lifecycle management from the main container lifecycle management.

The SidecarSet is preferable for managing stateless sidecar containers such as monitoring tools or operation agents.

Example

Create SidecarSet

The sidecarset.yaml file below describes a SidecarSet that contains a sidecar container named sidecar1:

  1. # sidecarset.yaml
  2. apiVersion: apps.kruise.io/v1alpha1
  3. kind: SidecarSet
  4. metadata:
  5. name: test-sidecarset
  6. spec:
  7. selector:
  8. matchLabels:
  9. app: nginx
  10. # matchExpressions:
  11. # - {key: tier, operator: In, values: [frontend, middleware]}
  12. updateStrategy:
  13. type: RollingUpdate
  14. maxUnavailable: 1
  15. containers:
  16. - name: sidecar1
  17. image: centos:6.7
  18. command: ["sleep", "999d"] # do nothing at all
  19. volumeMounts:
  20. - name: log-volume
  21. mountPath: /var/log
  22. volumes: # this field will be merged into pod.spec.volumes
  23. - name: log-volume
  24. emptyDir: {}

Create a SidecarSet based on the YAML file:

  1. kubectl apply -f sidecarset.yaml

Create a Pod

Create a pod that matches the sidecarset’s selector:

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4. labels:
  5. app: nginx # matches the SidecarSet's selector
  6. name: test-pod
  7. spec:
  8. containers:
  9. - name: app
  10. image: nginx:1.15.1

Create this pod and now you will find it’s injected with sidecar1:

  1. $ kubectl get pod
  2. NAME READY STATUS RESTARTS AGE
  3. test-pod 2/2 Running 0 118s

In the meantime, the SidecarSet status updated:

  1. $ kubectl get sidecarset test-sidecarset -o yaml | grep -A4 status
  2. status:
  3. matchedPods: 1
  4. observedGeneration: 1
  5. readyPods: 1
  6. updatedPods: 1

update sidecar container Image

update sidecarSet’s sidecar container image=centos:7

  1. $ kubectl edit sidecarsets test-sidecarset
  2. # sidecarset.yaml
  3. apiVersion: apps.kruise.io/v1alpha1
  4. kind: SidecarSet
  5. metadata:
  6. name: test-sidecarset
  7. spec:
  8. containers:
  9. - name: sidecar1
  10. image: centos:7

The Sidecar container in the pod has been updated to centos:7, and the pod and other containers have not been restarted.

  1. $ kubectl get pods | grep test-pod
  2. test-pod 2/2 Running 1 7m34s
  3. $ kubectl get pods test-pod -o yaml | grep 'image: centos'
  4. image: centos:7
  5. $ kubectl describe pods test-pod
  6. Events:
  7. Type Reason Age From Message
  8. ---- ------ ---- ---- -------
  9. Normal Killing 5m47s kubelet Container sidecar1 definition changed, will be restarted
  10. Normal Pulling 5m17s kubelet Pulling image "centos:7"
  11. Normal Created 5m5s (x2 over 12m) kubelet Created container sidecar1
  12. Normal Started 5m5s (x2 over 12m) kubelet Started container sidecar1
  13. Normal Pulled 5m5s kubelet Successfully pulled image "centos:7"

SidecarSet features

A sample SidecarSet yaml looks like following:

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. selector:
  7. matchLabels:
  8. app: sample
  9. # matchExpressions:
  10. # - {key: tier, operator: In, values: [frontend, middleware]}
  11. containers:
  12. - name: nginx
  13. image: nginx:alpine
  14. initContainers:
  15. - name: init-container
  16. image: busybox:latest
  17. command: [ "/bin/sh", "-c", "sleep 5 && echo 'init container success'" ]
  18. updateStrategy:
  19. type: RollingUpdate
  20. namespace: ns-1
  • spec.selector Select the POD that needs to be injected and updated by Label. MatchLabels and MatchExpressions are supported. Please refer to the details: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  • spec.containers Define pod.spec.containers[x] that need to be injected and updated, supporting the full K8S Container field. Please refer to the details: https://kubernetes.io/docs/concepts/containers/
  • spec.initContainers Define the pod.spec.initContainers[x] you need to inject, supporting the full K8S InitContainer field. Please refer to the details:https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
    • We will inject those containers by their name in ascending order
    • InitContainers only support injection and do not support POD in-place update
  • spec.updateStrategy sidecarSet update strategy, type indicates the upgrade method:
    • NotUpdate No updates, in this type only inject sidecar containers in pod
    • RollingUpdate Injection and rolling update, which contains a rich update strategy, will be described in more detail later
  • spec.namespace By default, sidecarset is cluster scope in k8s, that is, for all namespaces (except kube-system, kube-public). When spec.namespace field set, it only applies to pods of that namespace

Note: Since Kruise v1.3.0, SidecarSet no longer excludes the namespace kube-system, kube-public by default. If you want to exclude some namespaces, please use the following namespace selector.

namespace selector

FEATURE STATE: Kruise v1.4.0

The spec.namespace field can only specify one Namespace and cannot exclude specific Namespaces. If facing complex namespace selector scenarios, it is recommended to use the namespaceSelector field:

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. ...
  7. namespaceSelector:
  8. matchLabels:
  9. environment: production
  10. # matchExpressions:
  11. # - {key: tier, operator: In, values: [frontend, middleware]}

sidecar container injection

The injection of sidecar containers happens at Pod creation time and only Pod spec is updated. The workload template spec will not be updated. In addition to the default K8s Container field, the following fields have been extended to injection:

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. selector:
  7. matchLabels:
  8. app: sample
  9. containers:
  10. # default K8s Container fields
  11. - name: nginx
  12. image: nginx:alpine
  13. volumeMounts:
  14. - mountPath: /nginx/conf
  15. name: nginx.conf
  16. # extended sidecar container fields
  17. podInjectPolicy: BeforeAppContainer
  18. shareVolumePolicy:
  19. type: disabled | enabled
  20. transferEnv:
  21. - sourceContainerName: main
  22. envName: PROXY_IP
  23. - sourceContainerNameFrom:
  24. fieldRef:
  25. apiVersion: "v1"
  26. fieldPath: "metadata.labels['cName']"
  27. # fieldPath: "metadata.annotations['cName']"
  28. envName: TC
  29. volumes:
  30. - name: nginx.conf
  31. hostPath:
  32. path: /data/nginx/conf
  • podInjectPolicy Define where Containers are injected into pod.spec.containers
    • BeforeAppContainer(default) Inject into the front of the original pod containers
    • AfterAppContainer Inject into the backend of the original pod containers
  • data volume sharing
    • Share specific volumes: Use spec.volumes to define the volumes needed by Sidecar itself. See details:https://kubernetes.io/docs/concepts/storage/volumes/
    • Share pod containers volumes: If ShareVolumePolicy.type is enabled, the sidecar container will share the other container’s VolumeMounts in the pod(don’t contains the injected sidecar container)
  • Environment variable sharing
    • Environment variables can be fetched from another container through spec.containers[x].transferenv, and the environment variable named envName from the container named sourceContainerName is copied to this container
    • sourceContainerNameFrom support downwardAPI for container name, such as metadata.name, metadata.labels['<KEY>'], metadata.annotations['<KEY>']

injection pause

FEATURE STATE: Kruise v0.10.0

For existing SidecarSets,users can pause sidecar injection by setting spec.injectionStrategy.paused=true

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. ... ...
  7. injectionStrategy:
  8. paused: true

This feature only works on the newly-created Pods, and has no impact on the sidecar containers that have been injected.

imagePullSecrets

FEATURE STATE: Kruise v0.10.0

The SidecarSet can be configured with spec.imagePullSecrets to pull private sidecar images with Secret . When sidecar is injected, SidecarSet injects its spec.imagePullSecrets into Pods spec.imagePullSecrets.

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. ... ....
  7. imagePullSecrets:
  8. - name: my-secret

Note: Users must ensure that the corresponding Secrets have already existed in the namespaces where Pods need to pull the private images. Otherwise, pulling private images will not succeed.

version control for injection

FEATURE STATE: Kruise v1.3.0

SidecarSet will record historical revision of some fields such as containers, volumes, initContainers, imagePullSecrets and patchPodMetadata via ControllerRevision. You can easily select a specific historical revision to inject when creating Pods, rather than always inject the latest revision of sidecar.

Based on this feature, users can address the risk of SidecarSet publishing due to scaling and rolling workload.

Note: SidecarSet records ControllerRevision in the same namespace as Kruise Manager. You can execute kubectl get controllerrevisions -n kruise-system -l kruise.io/sidecarset-name=<your-sidecarset-name> to list the ControllerRevisions of your SidecarSet. Moreover, the ControllerRevision name of current SidecarSet revision is shown in status.latestRevision field, so you can record it very easily.

select revision via ControllerRevision name

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. ...
  7. updateStrategy:
  8. partition: 90%
  9. injectionStrategy:
  10. revision:
  11. revisionName: <specific-controllerrevision-name>

select revision via custom version label

You can add or update the label apps.kruise.io/sidecarset-custom-version=<your-version-id> to SidecarSet when creating or publishing SidecarSet, to mark each historical revision. SidecarSet will bring this label down to the corresponding ControllerRevision object, and you can easily use the <your-version-id> to describe which historical revision you want to inject.

Assume that you are publishing version-2 in canary way (you wish only 10% Pods will be upgraded), and you want to inject the stable version-1 to newly-created Pods to reduce the risk of the canary publishing:

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. labels:
  6. apps.kruise.io/sidecarset-custom-version: example/version-2
  7. spec:
  8. ...
  9. updateStrategy:
  10. partition: 90%
  11. injectionStrategy:
  12. revision:
  13. customVersion: example/version-1

Just choose one of the ways above.

support k8s 1.28 Sidecar Containers

FEATURE STATE: Kruise v1.7.0

Kubernetes supports Native Sidecar Containers from version 1.28 using initContainers with initContainers[x].restartPolicy=Always. The native sidecar container differ from sidecar containers in the form of normal containers in two ways:

  1. Sidecar containers ensure that the container is ready before the main application container starts. e.g. the log collection container is ready, and the logs of the main application container startup Crash can also be collected.
  2. For job pod that runs to completion, when the application containers exit, native sidecar containers will exit on their own even if restartPolicy is Always, without blocking the completion of the pod. Sidecar container in the form of normal containers, however, will restart if the restartPolicy is Always, which will prevent the pod from completed.

SidecarSet will also support injecting Sidecar Containers starting from v1.7.0 version as follows:

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: test-sidecarset
  5. spec:
  6. selector:
  7. matchLabels:
  8. app: sample
  9. updateStrategy:
  10. type: NotUpdate
  11. initContainers:
  12. - name: sidecar
  13. image: nginx:alpine
  14. restartPolicy: Always
  15. lifecycle:
  16. postStart:
  17. exec:
  18. command: ["/bin/sh", "-c", "sleep 10"]

Note:

  • k8s 1.28 feature-gate SidecarContainers is off by default and needs to be actively turned on, k8s 1.29 is on by default.
  • If your kubernetes version < 1.28, you can use kruise Job Sidecar Terminator and Container Launch Priority to solve the above problem.

Additionally, the current version only supports automatic injection of Sidecar Containers, and does not yet support in-place update capability.

sidecarset update strategy

Sidecarset not only supports the in-place update of Sidecar container, but also provides a very rich upgrade strategy.

partition

Partition is the desired number or percent of Pods in old revisions, defaults to 0. This field does NOT imply any update order.

When partition is set during update:

  • If it is a number: (replicas - partition) number of pods will be updated with the new version.
  • If it is a percent: (replicas * (100% - partition)) number of pods will be updated with the new version.
  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. # ...
  7. updateStrategy:
  8. type: RollingUpdate
  9. partition: 90

Assuming that the number of PODs associated with this Sidecarset is 100, this upgrade will only upgrade 10 pods to latest and keep 90 pods old versions.

MaxUnavailable

MaxUnavailable is the maximum number of PODs that are unavailable at the same time that is guaranteed during the Posting process. The default value is 1.

The user can set it to either an absolute value or a percentage (the percentage is calculated by the controller as the cardinality of the selected pod to calculate the absolute value behind one).

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. # ...
  7. updateStrategy:
  8. type: RollingUpdate
  9. maxUnavailable: 20%

Note that maxUnavailable and partition are not necessarily related. For example:

  • When {matched pod}=100,partition=50,maxUnavailable=10, the controller will update 50 PODS to the new version, and only 10 PODS will be updated at the same time, until the 50 updated is completed.
  • When {matched pod}=100,partition=80,maxUnavailable=30, the controller will update 20 PODS to the new version, because the maxUnavailable number is 30, so the 20 PODS will be updated simultaneously.

Pause

A user can pause the release by setting pause to true, and the injection capability will remain for newly created, expanded PODS, while updated PODS will remain the updated version, and those that have not been updated will be paused.

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. # ...
  7. updateStrategy:
  8. type: RollingUpdate
  9. paused: true

Selector

For businesses that have Canary update requirements, this can be done through Strategy.selector filed. First: take the canary updated pods on fixed labels [canary. Release] = true, second fix the strategy.selector.MatchLabels to select the pod

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. # ...
  7. updateStrategy:
  8. type: RollingUpdate
  9. selector:
  10. matchLabels:
  11. canary.release: "true"

sidecarset update order

  • The PODs of upgrade is sorted by default to ensure the same order of multiple upgrades
  • The default priority is (the smaller the higher the priority): unscheduled < scheduled, pending < unknown < running, not-ready < ready, newer pods < older pods
  • scatter order

scatter

The scatter policy allows users to define the scatters of PODs that conform to certain tags throughout the publishing process. For example, if a SidecarSet manages 10 PODS, if there are 3 PODS below with the tag foo=bar, and the user sets this tag in the shatter policy, then these 3 PODS will be published in the 1st, 6th, and 10th positions.

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: sidecarset
  5. spec:
  6. # ...
  7. updateStrategy:
  8. type: RollingUpdate
  9. scatterStrategy:
  10. - key: foo
  11. value: bar

Note: If you use Scatter, it is recommended to set only a pair of key-values for scatter. It will be easier to understand.

priority

FEATURE STATE: Kruise v1.5.0

This strategy defines rules for calculating the priority of updating pods. All update candidates will be applied with the priority terms. priority can be calculated either by weight or by order.

  • weight: Priority is determined by the sum of weights for terms that match selector. For example,
  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. spec:
  4. # ...
  5. updateStrategy:
  6. priorityStrategy:
  7. weightPriority:
  8. - weight: 50
  9. matchSelector:
  10. matchLabels:
  11. test-key: foo
  12. - weight: 30
  13. matchSelector:
  14. matchLabels:
  15. test-key: bar
  • order: Priority will be determined by the value of the orderKey. The update candidates are sorted based on the “int” part of the value string. For example, 5 in string “5” and 10 in string “sts-10”.
  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. spec:
  4. # ...
  5. updateStrategy:
  6. priorityStrategy:
  7. orderPriority:
  8. - orderedKey: some-label-key

Hot Upgrade Sidecar

FEATURE STATE: Kruise v0.9.0

SidecarSet’s in-place upgrade will stop the container of old version first and then create the container of new version. Such method is more suitable for sidecar containers that cannot affects service availability, e.g. logging collector.

But for many proxy or runtime sidecar containers, e.g. Istio Envoy, this upgrade method is problematic. Envoy, as a proxy container in the Pod, proxies all the traffic, and if restarted directly, the availability of service is affected. Complex grace termination and coordination is required if one need to upgrade envoy sidecar independently of the application container. So we provide a new solution for such sidecar container upgrade.

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. metadata:
  4. name: hotupgrade-sidecarset
  5. spec:
  6. selector:
  7. matchLabels:
  8. app: hotupgrade
  9. containers:
  10. - name: sidecar
  11. image: openkruise/hotupgrade-sample:sidecarv1
  12. imagePullPolicy: Always
  13. lifecycle:
  14. postStart:
  15. exec:
  16. command:
  17. - /bin/sh
  18. - /migrate.sh
  19. upgradeStrategy:
  20. upgradeType: HotUpgrade
  21. hotUpgradeEmptyImage: openkruise/hotupgrade-sample:empty
  • upgradeType: HotUpgrade indicates hot upgrade for stateful sidecar container.
  • hotUpgradeEmptyImage: when upgradeType=HotUpgrade, user needs to provide an empty container for hot upgrades. hotUpgradeEmptyImage has the same configuration as the sidecar container, for example: command, lifecycle, probe, etc, but it doesn’t do anything.
  • lifecycle.postStart: State Migration, the process completes the state migration of stateful container, which needs to be provided by the sidecar image developer.

Hot upgrade consists of the following two processes:

  • inject hot upgrade sidecar containers
  • in-place hot upgrade sidecar container

Inject Containers

When the sidecar container upgradeStrategy=HotUpgrade, the SidecarSet Webhook will inject two containers into the Pod:

  1. {sidecarContainer.name}-1: as shown in the figure below: envoy-1, the container run the actual working sidecar container, such as envoy:1.16.0
  2. {sidecarContainer.name}-2: as shown in the figure below: envoy-2, the container run the hot upgrade empty container, and it doesn’t have to deal with any real logic, as long as it stays in place, such as empty:1.0

sidecarset hotupgrade_injection

Hot Upgrade

The SidecarSet Controller breaks down the hot upgrade process of the sidecar container into three steps:

  1. Upgrade: upgrade the empty container to the new version of the sidecar container, such as envoy-2.Image = envoy:1.17.0
  2. Migration: the process completes the state migration of stateful container, which needs to be provided by the sidecar image developer. PostStartHook completes the migration of the above process. (Note: PostStartHook must block during the migration, and exit when migration complete.)
  3. Reset: the step resets the old version sidecar container into empty container, such as envoy-1.Image = empty:1.0

The above is the complete hot upgrade process. If a Pod needs to be hot upgraded several times, the above three steps can be repeated.

sidecarset hotupgrade

Migration Demo

The SidecarSet hot upgrade mechanism not only completes the switching between mesh containers,but also provides a coordination mechanism for old and new versions. Yet this is only the first step of a long journey. The mesh container also needs to provide a PostStartHook script to complete the hot migration of the mesh service itself (the above Migration process), such as Envoy hot restart and Mosn lossless restart. To facilitate a better understanding of the Migration process, a migration demo is provided below the kruise repository: Migration Demo

For design documentation, please refer to: proposals sidecarset hot upgrade

Currently known cases that utilize the SidecarSet hot upgrade mechanism:

  • ALIYUN ASM implements lossless upgrade of Data Plane in Service Mesh.

Inject Pod Metadata (Annotations)

FEATURE STATE: Kruise v1.3.0

SidecarSet support inject pod annotations, as follows:

  1. apiVersion: apps.kruise.io/v1alpha1
  2. kind: SidecarSet
  3. spec:
  4. containers:
  5. ...
  6. patchPodMetadata:
  7. - annotations:
  8. oom-score: '{"log-agent": 1}'
  9. custom.example.com/sidecar-configuration: '{"command": "/home/admin/bin/start.sh", "log-level": "3"}'
  10. patchPolicy: MergePatchJson
  11. - annotations:
  12. apps.kruise.io/container-launch-priority: Ordered
  13. patchPolicy: Overwrite | Retain

patchPolicy is the injected policy, as follows:

  • Retain: By default, if annotation[key]\=value exists in the Pod, the original value of the Pod will be retained. Inject annotations[key]\=value2 only if annotation[key] does not exist in the Pod.
  • Overwrite: Corresponding to Retain, when annotation[key]\=value exists in the Pod, it will be overwritten value2.
  • MergePatchJson: Corresponding to Overwrite, the annotations value is a json string. If the annotations[key] does not exist in the Pod, it will be injected directly. If it exists, do a json value merge. For example: annotations[oom-score]\=’{“main”: 2}’ exists in the Pod, after injection, the value json is merged into annotations[oom-score]\=’{“log-agent”: 1, “main”: 2}’.

Note: When the patchPolicy is Overwrite and MergePatchJson, the annotations can be updated synchronously when the SidecarSet in-place update the Sidecar Container. However, if only the annotations are modified, it will not take effect. It must be in-place update together with the sidecar container image. When patchPolicy is Retain, the annotations will not be updated when the SidecarSet in-place update the Sidecar Container.

According to the above configuration, when the sidecarSet is injected into the sidecar container, it will inject Pod annotations synchronously, as follows:

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4. annotations:
  5. apps.kruise.io/container-launch-priority: Ordered
  6. oom-score: '{"log-agent": 1, "main": 2}'
  7. custom.example.com/sidecar-configuration: '{"command": "/home/admin/bin/start.sh", "log-level": "3"}'
  8. name: test-pod
  9. spec:
  10. containers:
  11. ...

Metadata WhiteList

SidecarSet should not modify any configuration outside the sidecar container for security consideration. Metadata, as an important configuration of Pod, should not be modified by sidecarSet by default. So if you want to use this capability, you need to first configure SidecarSet_PatchPodMetadata_WhiteList whitelist, as follows:

  1. apiVersion: v1
  2. kind: ConfigMap
  3. metadata:
  4. name: kruise-configuration
  5. namespace: kruise-system
  6. data:
  7. "SidecarSet_PatchPodMetadata_WhiteList": |
  8. {
  9. "rules": [
  10. {
  11. "selector":{
  12. "matchLabels":{
  13. "sidecar":"log-agent"
  14. }
  15. },
  16. "allowedAnnotationKeyExprs": [
  17. "^apps.kruise.io/container-launch-priority$",
  18. "^oom-score$",
  19. "^custom.example.com/sidecar-configuration$"
  20. ]
  21. }
  22. ]
  23. }
  • selector: Select matching SidecarSets based on Labels, both MatchLabels and MatchExpressions are supported. If not configured, it will take effect for all SidecarSets in the cluster.
  • allowedAnnotationKeyExprs: Whitelist of Pod annotation keys allowed to be modified, must be a regular expression.

Feature-gate

SidecarSet_PatchPodMetadata_WhiteList is mainly for security reasons. If the user’s business cluster scenario is relatively simple, you can turn off the verification of the whitelist through feature-gate.

  1. $ helm install kruise https://... --set featureGates="SidecarSetPatchPodMetadataDefaultsAllowed=true"

SidecarSet Status

When upgrading sidecar containers with a SidecarSet, you can observe the process of upgrading through SidecarSet.Status

  1. # kubectl describe sidecarsets sidecarset-example
  2. Name: sidecarset-example
  3. Kind: SidecarSet
  4. Status:
  5. Matched Pods: 10 # The number of PODs injected and managed by the Sidecarset
  6. Updated Pods: 5 # 5 PODs have been updated to the container version in the latest SidecarSet
  7. Ready Pods: 8 # Matched Pods pod.status.condition.Ready = true number
  8. Updated Ready Pods: 3 # Updated Pods && Ready Pods number

How to troubleshoot SidecarSet in-place upgrade blocking

The community kubernetes only allows patch pod.spec image fields, so SidecarSet upgrading sidecar containers independently can only support image fields. SidecarSet will not trigger in-place upgrades if non-Image fields are changed, e.g. Env, Resources, etc.

To make it easier for you to locate similar issues, since v1.5.0 kruise will report information to pod condition and sidecarSet event as follows:

  1. # kubectl describe sidecarsets test-sidecarset
  2. Status:
  3. Collision Count: 0
  4. Latest Revision: test-sidecarset-5f6d95f777
  5. Matched Pods: 1
  6. Observed Generation: 2
  7. Ready Pods: 1
  8. Updated Pods: 0
  9. Events:
  10. Type Reason Age From Message
  11. ---- ------ ---- ---- -------
  12. Normal NotUpgradablePods 63s sidecarset-controller SidecarSet in-place update detected 1 not upgradable pod(s) in this round, will skip them
  13. # kubectl get pods test-pod -oyaml
  14. status:
  15. conditions:
  16. - lastProbeTime: null
  17. lastTransitionTime: "2023-09-09T11:10:17Z"
  18. message: '{"test-sidecarset":false}'
  19. reason: UpdateImmutableField
  20. status: "False"
  21. type: SidecarSetUpgradable