doc-exports/docs/asm/umn/asm_01_0041.html
qiujiandong1 719033eb05 ASM UMN update 20250506 version
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
2025-07-14 13:38:34 +00:00


<a name="asm_01_0041"></a><a name="asm_01_0041"></a>
<h1 class="topictitle1">Sidecar Management</h1>
<div id="body0000001083107046"><p id="asm_01_0041__p84481631152714">On the <strong id="asm_01_0041__b712243010246">Sidecar Management</strong> tab, you can view information about all workloads injected with sidecars, inject sidecars, and configure sidecar resource limits.</p>
<div class="section" id="asm_01_0041__section65931513505"><a name="asm_01_0041__section65931513505"></a><a name="section65931513505"></a><h4 class="sectiontitle">Injecting a Sidecar</h4><p id="asm_01_0041__p1820212632111">You can view the namespace and cluster that the injected sidecar belongs to. If no sidecar has been injected or you need to inject sidecars for more namespaces, perform the following operations:</p>
<ol id="asm_01_0041__ol13641175216560"><li id="asm_01_0041__li683575385614"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0041__li987742619292"><span>In the navigation pane, choose <strong id="asm_01_0041__b23024965310246">Mesh Configuration</strong>. Then, click the <strong id="asm_01_0041__b79698741510246">Sidecar Management</strong> tab.</span></li><li id="asm_01_0041__li122863200343"><span>Click <strong id="asm_01_0041__b212025475310246">Sidecar Management</strong>, select a namespace, determine whether to enable <strong id="asm_01_0041__b34328513417">Restart Existing Services</strong>, and click <strong id="asm_01_0041__b163426572510246">OK</strong>.</span><p><p id="asm_01_0041__p5867153384619">Parameter description:</p>
<ul id="asm_01_0041__ul1213414267113"><li id="asm_01_0041__li151346264113"><strong id="asm_01_0041__b162639501293">Namespace</strong>: Select one or more namespaces. The system adds labels to the namespaces based on the Istio version.<ul id="asm_01_0041__ul715833017173"><li id="asm_01_0041__li115810307178"><strong id="asm_01_0041__b93355351461">istio-injection=enabled</strong> can be used in Istio 1.13.9-r3 and earlier versions, as well as Istio 1.15.5-r2 and earlier versions.</li></ul>
<ul id="asm_01_0041__ul196772518187"><li id="asm_01_0041__li6677853189"><strong id="asm_01_0041__b5658241104719">istio.io/rev=&lt;revision&gt;</strong> can be used in Istio later than 1.13.9-r3, Istio later than 1.15.5-r2, and all Istio 1.18 versions.</li></ul>
</li><li id="asm_01_0041__li1283731219"><strong id="asm_01_0041__b176898850910246">Restart Existing Services</strong><p id="asm_01_0041__p16974516217"><span><img id="asm_01_0041__image1251935012150" src="en-us_image_0000001930216052.png"></span>: Enabling <strong id="asm_01_0041__b178031814163717">Restart Existing Services</strong> will restart the pods of existing services and temporarily interrupt your services. New pods will have istio-proxy sidecars automatically injected.</p>
<ul id="asm_01_0041__ul1893924912361"><li id="asm_01_0041__li149404492367">If you select a new namespace, an automatic injection label is added. After all pods running the Deployment in that namespace are restarted, the istio-proxy sidecars will be automatically injected into new pods.</li></ul>
<ul id="asm_01_0041__ul330205410366"><li id="asm_01_0041__li5302135413618">If you deselect a namespace, the automatic injection label is deleted. After all pods running the Deployment in that namespace are restarted, new pods do not have istio-proxy sidecars.</li></ul>
<ul id="asm_01_0041__ul157408585364"><li id="asm_01_0041__li074055833619">If there are pods that are not injected with sidecars in selected namespaces, all pods running the Deployment will be restarted to inject sidecars. If all pods have sidecars injected, the pods will not be restarted.</li></ul>
<p id="asm_01_0041__p45731657222"><span><img id="asm_01_0041__image1736110311031" src="en-us_image_0000001256463368.png"></span>: When you do not enable <strong id="asm_01_0041__b198411563510">Restart Existing Services</strong>, the istio-proxy sidecars cannot be automatically injected into the pods of existing services. In this case, you need to manually restart the pods on the CCE console to inject the sidecars. This parameter affects only existing services. If the namespaces are labeled with <strong id="asm_01_0041__b1545117533412">istio-injection=enabled</strong>, sidecars will be automatically injected into new pods.</p>
</li><li id="asm_01_0041__li975935132613"><strong id="asm_01_0041__b4935192843517">Traffic Interception Settings</strong><div class="note" id="asm_01_0041__note130182311537"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0041__p5301112325320">By default, sidecars intercept all inbound and outbound traffic of pods. You can modify the default traffic rules in <strong id="asm_01_0041__b15949143017359">Traffic Interception Settings</strong>.</p>
</div></div>
<p id="asm_01_0041__p10174123175619"><strong id="asm_01_0041__b97421432123511">Inbound Ports</strong>: Inbound ports separated by commas (,). You can use this field to specify the ports that will be included or excluded for inbound traffic redirection.</p>
<ul id="asm_01_0041__ul19912133010017"><li id="asm_01_0041__li891233017016"><strong id="asm_01_0041__b13234113463514">Include only specified ports</strong> means that the traffic to services in a service mesh over specified ports will be redirected to the sidecar.</li></ul>
<ul id="asm_01_0041__ul192771149401"><li id="asm_01_0041__li427774912017"><strong id="asm_01_0041__b954213352357">Exclude only specified ports</strong> means that the traffic to services in a service mesh over all ports except the specified ones will be redirected to the sidecar.</li></ul>
<p id="asm_01_0041__p1492182965613"><strong id="asm_01_0041__b1262643613359">Outbound Ports</strong>: Outbound ports separated by commas (,). You can use this field to specify the ports that will be included or excluded for outbound traffic redirection.</p>
<ul id="asm_01_0041__ul887675114113"><li id="asm_01_0041__li208771351116"><strong id="asm_01_0041__b20581938193512">Include only specified ports</strong> means that the traffic from services in a service mesh over specified ports will be redirected to the sidecar.</li></ul>
<ul id="asm_01_0041__ul91091571217"><li id="asm_01_0041__li9109125715112"><strong id="asm_01_0041__b8850163916356">Exclude only specified ports</strong> means that the traffic from services in a service mesh over all ports except the specified ones will be redirected to the sidecar.</li></ul>
<p id="asm_01_0041__p14346164816561"><strong id="asm_01_0041__b1117210221271">Outbound IP Ranges</strong>: IP address ranges separated by commas (,) in CIDR format. You can use this field to specify the IP ranges that will be included or excluded for outbound traffic redirection.</p>
<ul id="asm_01_0041__ul13301528313"><li id="asm_01_0041__li5311221939"><strong id="asm_01_0041__b922854213514">Include only specified IP ranges</strong> means that the traffic from specified IP ranges will be redirected to the sidecar.</li></ul>
<ul id="asm_01_0041__ul112121251130"><li id="asm_01_0041__li42121455318"><strong id="asm_01_0041__b19623164303511">Exclude only specified IP ranges</strong> means that the traffic from all IP ranges except the specified ones will be redirected to the sidecar.</li></ul>
</li></ul>
<div class="note" id="asm_01_0041__note1279618584133"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0041__ul97451116162713"><li id="asm_01_0041__li1974521615271">If the system displays a message indicating that modification of namespace injection is not enabled in the following clusters, you need to run the <strong id="asm_01_0041__b11447123395415">kubectl</strong> command to enable namespace injection. For details, see <a href="asm_faq_0036.html">How Do I Enable Namespace Injection for a Cluster?</a>.</li><li id="asm_01_0041__li12746181642719">After sidecar injection is enabled for a namespace of a cluster, sidecars are automatically injected for pods of all workloads in the namespace. If you do not want to inject sidecars for some workloads, see <a href="asm_faq_0037.html">How Do I Disable Sidecar Injection for Workloads?</a>.</li></ul>
</div></div>
</p></li></ol>
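<p>The include and exclude modes above decide which traffic is not redirected to the sidecar and therefore is not handled by it. The following Python sketch is an added example, not ASM code: it evaluates each field separately and lists the ports or destinations that bypass the sidecar. The function names and sample values are constructed, and matching the IP ranges against the destination address of an outbound connection is an assumption.</p>

```python
import ipaddress

def parse_ports(field):
    """Parse a comma-separated port field; reject values outside 1-65535."""
    ports = set()
    for item in filter(None, (p.strip() for p in field.split(","))):
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {item}")
        ports.add(port)
    return ports

def parse_ranges(field):
    """Parse a comma-separated CIDR field; host bits set (10.0.0.1/8) raise ValueError."""
    return [ipaddress.ip_network(c.strip()) for c in field.split(",") if c.strip()]

def redirected(mode, on_list):
    """Apply the two console modes; 'default' means no list, so everything is intercepted."""
    if mode == "include":
        return on_list
    if mode == "exclude":
        return not on_list
    if mode == "default":
        return True
    raise ValueError(f"unknown mode: {mode}")

def bypassing_ports(mode, field, ports_in_use):
    """Ports from ports_in_use whose traffic is not redirected to the sidecar."""
    listed = parse_ports(field)
    return sorted(p for p in ports_in_use if not redirected(mode, p in listed))

def bypassing_destinations(mode, field, destinations):
    """Destination IPs whose outbound traffic is not redirected (assumed destination match)."""
    ranges = parse_ranges(field)
    return [d for d in destinations
            if not redirected(mode, any(ipaddress.ip_address(d) in n for n in ranges))]

if __name__ == "__main__":
    # Constructed review input: ports a workload uses and peers it connects to.
    print("inbound bypass:", bypassing_ports("include", "8080, 8443", [8080, 8443, 9090]))
    print("outbound bypass:", bypassing_ports("exclude", "3306,6379", [443, 3306, 6379]))
    print("peer bypass:", bypassing_destinations(
        "include", "10.0.0.0/8", ["10.247.3.9", "192.168.0.15"]))
```

<p>An empty list in include mode means nothing is redirected, so every port or destination in use is reported as bypassing the sidecar.</p>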
</div>
<div class="section" id="asm_01_0041__section259115115019"><h4 class="sectiontitle">Viewing Workload Details</h4><p id="asm_01_0041__p559725563016">The list displays all workloads created in the clusters managed by a mesh. You can view the workload name, cluster to which the workload belongs, service, and sidecar information of the workload, including the sidecar name, version, status, CPU usage, and memory usage. The procedure is as follows:</p>
</div>
<ol id="asm_01_0041__ol1959415165017"><li id="asm_01_0041__li98334469347"><span>In the drop-down list and search box in the upper right corner of the workload list, select a cluster and namespace, and enter the target workload name.</span></li><li id="asm_01_0041__li6382131161915"><span>Click <span><img id="asm_01_0041__image43913457208" src="en-us_image_0000001200574170.png"></span> in front of the workload to view the sidecar information of the workload.</span><p><p id="asm_01_0041__p742812107217">If the system displays a message indicating that there is no sidecar in the workload, no sidecar has been injected into the namespace to which the workload belongs. In this case, you can inject one into the namespace. For details, see <a href="#asm_01_0041__section65931513505">Injecting a Sidecar</a>.</p>
</p></li></ol>
<div class="section" id="asm_01_0041__section1260131575013"><h4 class="sectiontitle">Configuring Sidecar Resource Limits</h4><p id="asm_01_0041__p129031261127">You can configure the upper and lower limits of CPU and memory resources for sidecars (the istio-proxy container). If the upper and lower resource limits are not set for a workload, a resource leak in this workload will make resources unavailable for other workloads deployed on the same node. In addition, workloads that do not have upper and lower resource limits cannot be accurately monitored.</p>
<p id="asm_01_0041__p2666114504610">The default upper and lower limits of sidecar resources are as follows:</p>
<ul id="asm_01_0041__ul1705179111210"><li id="asm_01_0041__li0705159111220">CPU (core): 0.1 to 2 (inclusive)</li><li id="asm_01_0041__li17053919120">MEM (MiB): 128 to 1,024 (inclusive)</li></ul>
<p id="asm_01_0041__p73903163125">To change the value, perform the following operations:</p>
<ol id="asm_01_0041__ol716113613716"><li id="asm_01_0041__li4161136476"><span>Click <strong id="asm_01_0041__b192440389810246">Set Resource Limit</strong> in the <strong id="asm_01_0041__b195764109210246">Operation</strong> column of the target workload. You can also select multiple workloads and click <strong id="asm_01_0041__b154266620810246">Set Resource Limit</strong> in the upper left corner of the workload list to configure sidecar resource limits in batches.</span><p><ul id="asm_01_0041__ul11852132105414"><li id="asm_01_0041__li25681305545">Minimum CPU: CPU request, the minimum number of CPU cores required by a container. Resources are scheduled for the container based on this value. The container can be scheduled to a node only when the total available CPU on the node is greater than or equal to the number of CPU cores requested for the container.</li><li id="asm_01_0041__li17568143045420">Maximum CPU: CPU limit, the maximum number of CPU cores that a container can use.</li><li id="asm_01_0041__li155691330135411">Minimum memory: memory request, the minimum amount of memory required by a container. Resources are scheduled for the container based on this value. The container can be scheduled to a node only when the total available memory on the node is greater than or equal to the memory requested for the container.</li><li id="asm_01_0041__li95692304544">Maximum memory: memory limit, the maximum amount of memory that a container can use. When the memory usage exceeds the specified memory limit, the pod may be restarted, which affects the normal use of the workload.</li></ul>
</p></li></ol>
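<p>An offline check for two gaps this page describes: pods in an injection-labeled namespace that still run without an istio-proxy container, and istio-proxy containers without both requests and limits. This is an added example, not ASM code; the input is constructed in the shape of kubectl JSON output, and the namespace names, pod names and revision value are placeholders.</p>

```python
SIDECAR = "istio-proxy"  # sidecar container name used on this page

def injection_label(namespace):
    """Return the label that enables automatic injection on a namespace, or None."""
    labels = namespace["metadata"].get("labels") or {}
    if labels.get("istio-injection") == "enabled":
        return "istio-injection=enabled"
    if labels.get("istio.io/rev"):
        return "istio.io/rev=" + labels["istio.io/rev"]
    return None

def audit(namespaces, pods):
    """Return (pods lacking a sidecar in labeled namespaces, sidecars lacking bounds)."""
    enabled = {n["metadata"]["name"] for n in namespaces["items"] if injection_label(n)}
    missing, unbounded = [], []
    for pod_obj in pods["items"]:
        meta = pod_obj["metadata"]
        ref = f'{meta["namespace"]}/{meta["name"]}'
        proxy = next((c for c in pod_obj["spec"]["containers"] if c["name"] == SIDECAR), None)
        if proxy is None:
            # A pod created before the label was added has no sidecar until it is restarted.
            if meta["namespace"] in enabled:
                missing.append(ref)
            continue
        resources = proxy.get("resources") or {}
        for bound in ("requests", "limits"):
            values = resources.get(bound) or {}
            if not all(values.get(key) for key in ("cpu", "memory")):
                unbounded.append(f"{ref}: incomplete {bound}")
    return sorted(missing), sorted(unbounded)

def pod(ns, name, *containers):
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"containers": list(containers)}}

# Constructed sample, shaped like `kubectl get namespaces -o json` and `kubectl get pods -A -o json`.
NAMESPACES = {"items": [
    {"metadata": {"name": "shop", "labels": {"istio.io/rev": "example-rev"}}},  # placeholder revision
    {"metadata": {"name": "legacy", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "batch"}},
]}
FULL = {"requests": {"cpu": "100m", "memory": "128Mi"}, "limits": {"cpu": "2", "memory": "1024Mi"}}
PODS = {"items": [
    pod("shop", "cart", {"name": "app"}, {"name": SIDECAR, "resources": FULL}),
    pod("shop", "pay", {"name": "app"}),  # predates the label: finding
    pod("legacy", "api", {"name": "app"}, {"name": SIDECAR, "resources": {"requests": FULL["requests"]}}),
    pod("batch", "job", {"name": "app"}),  # namespace not labeled: not a finding
]}
print(audit(NAMESPACES, PODS))
```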
</div>
</div>