- Follow the install steps here, EXCEPT the Install Istio part.
- Install istio-base via helm:
    kubectl create ns istio-system
    helm install istio-base istio/base -n istio-system --wait
  Then choose one of the options below (marked with OPTION).
- Install istiod with custom values that have our sidecarInjectionWebhook templates:
    helm install istiod istio/istiod -n istio-system -f values.yaml --wait
  (Warning: this also modifies defaultTemplates to ["sidecar", "dikastes"], so your whole mesh will have that as the default injection templates.)
- Activate calico ext authz:
    kubectl apply -f 01-calico-ext-authz.yaml
- Activate sidecar injection for the target namespace:
    kubectl label namespace default istio-injection=enabled --overwrite
  Pods deployed to this namespace will use calico application layer policy.

If you don't want defaultTemplates to automatically include calico app policy and wish to do it manually (e.g. on a per-deployment basis):
- Edit values.yaml and remove defaultTemplates from the sidecarInjectionWebhook configuration.
- Ensure your deployment pods have the following annotation(s):
  - inject.istio.io/templates=sidecar,dikastes
  (I.e., you will have to customise your app deployment pod templates to have this annotation. See the example httpbin.yaml in this gist.)
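
A check that injection actually took effect, added here as an example and not part of the original gist: it reads `kubectl get pods -o json` output and lists pods that are missing either sidecar, which matters most in the manual per-deployment setup where a forgotten annotation leaves a pod outside application layer policy. The container names istio-proxy and dikastes, the function names and the sample pods are assumptions.

```python
import json
import sys

# Container names are assumptions: "istio-proxy" is Istio's sidecar container,
# and "dikastes" is assumed to be the container the dikastes template injects.
REQUIRED = ("istio-proxy", "dikastes")
TEMPLATES_ANNOTATION = "inject.istio.io/templates"


def audit_pods(pod_list):
    """Return {namespace/name: [missing container names]} for under-injected pods."""
    findings = {}
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        # Sidecars may be regular containers or (native sidecars) init containers.
        names = {c["name"] for key in ("containers", "initContainers")
                 for c in spec.get(key) or []}
        missing = [r for r in REQUIRED if r not in names]
        if missing:
            key = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
            findings[key] = missing
    return findings


def requested_templates(pod):
    """Templates a pod asked for via annotation; an empty list means mesh defaults apply."""
    value = (pod.get("metadata", {}).get("annotations") or {}).get(TEMPLATES_ANNOTATION, "")
    return [t.strip() for t in value.split(",") if t.strip()]


# Constructed sample in the shape of `kubectl get pods -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "httpbin-a", "namespace": "default",
               "annotations": {"inject.istio.io/templates": "sidecar,dikastes"}},
  "spec": {"containers": [{"name": "httpbin"}, {"name": "istio-proxy"}, {"name": "dikastes"}]}},
 {"metadata": {"name": "httpbin-b", "namespace": "default"},
  "spec": {"containers": [{"name": "httpbin"}, {"name": "istio-proxy"}]}},
 {"metadata": {"name": "legacy", "namespace": "default"},
  "spec": {"containers": [{"name": "legacy"}]}}
]}
""")

if __name__ == "__main__":
    # Usage: kubectl get pods -n default -o json | python3 audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for pod, missing in audit_pods(data).items():
        print(f"{pod}: missing {', '.join(missing)}")
```

Pods created before the namespace label or annotation was applied are not re-injected until they are restarted, so run the check after rolling the deployments.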