From 45271f7478a35c94c18bf3aa5c9526be75490b21 Mon Sep 17 00:00:00 2001 From: Nghia Tran Date: Thu, 21 Jun 2018 19:52:07 -0400 Subject: [PATCH 1/2] Apply patch from upstream to allow opt-in in unlabeled namespaces. --- third_party/istio-0.8.0/README.md | 3 ++- third_party/istio-0.8.0/istio.yaml | 12 +++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/third_party/istio-0.8.0/README.md b/third_party/istio-0.8.0/README.md index 8364894adae1..852277db4a70 100644 --- a/third_party/istio-0.8.0/README.md +++ b/third_party/istio-0.8.0/README.md @@ -6,4 +6,5 @@ This istio.yaml file is is generated by running Followed by: (1) adding the `istio-system` namespace (see PATCH #1 in the file), and (2) adding a Prestop sleep in the sidecar proxy, so that the proxy stays up a - little bit longer after Pod is being removed (see PATCH #2 in the file). + little bit longer after Pod is being removed (see PATCH #2 in the file), and +(3) patching in https://github.com/istio/istio/pull/6439 diff --git a/third_party/istio-0.8.0/istio.yaml b/third_party/istio-0.8.0/istio.yaml index 781ce72501b2..78355a17a0b2 100644 --- a/third_party/istio-0.8.0/istio.yaml +++ b/third_party/istio-0.8.0/istio.yaml @@ -630,7 +630,7 @@ metadata: istio: sidecar-injector data: config: |- - policy: enabled + policy: disabled template: |- initContainers: - name: istio-init @@ -3257,10 +3257,12 @@ webhooks: resources: ["pods"] failurePolicy: Fail namespaceSelector: - matchLabels: - istio-injection: enabled + matchExpressions: + - key: istio-injection + operator: NotIn + values: + - disabled + --- # Source: istio/charts/mixer/templates/config.yaml - - From 43dd6541c161fbfcfa69657a2e17adccc94eb442 Mon Sep 17 00:00:00 2001 From: Nghia Tran Date: Wed, 27 Jun 2018 07:41:14 -0700 Subject: [PATCH 2/2] Update docs and scripts to not setting injection policy on namespace. --- DEVELOPMENT.md | 10 ++-------- config/100-namespace.yaml | 2 -- hack/deploy.sh | 2 -- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index 5549ad1c8415..d642af7a2a83 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -111,13 +111,7 @@ kubectl create clusterrolebinding cluster-admin-binding \ kubectl apply -f ./third_party/istio-0.8.0/istio.yaml ``` -Then label namespaces with `istio-injection=enabled`: - -```shell -kubectl label namespace default istio-injection=enabled -``` - -Follow the [instructions](./docs/setting-up-ingress-static-ip.md) if you need +Follow the [instructions](./docs/setting-up-ingress-static-ip.md) if you need to set up static IP for Ingresses in the cluster. ### Deploy Build @@ -130,7 +124,7 @@ kubectl apply -f ./third_party/config/build/release.yaml This step includes building Knative Serving, creating and pushing developer images and deploying them to your Kubernetes cluster. -First, edit [config-network.yaml](config/config-network.yaml) as instructed within the file. +First, edit [config-network.yaml](config/config-network.yaml) as instructed within the file. If this file is edited and deployed after Knative Serving installation, the changes in it will be effective only for newly created revisions. diff --git a/config/100-namespace.yaml b/config/100-namespace.yaml index ee4e2fdeef17..7be1b8cc5ef7 100644 --- a/config/100-namespace.yaml +++ b/config/100-namespace.yaml @@ -16,5 +16,3 @@ apiVersion: v1 kind: Namespace metadata: name: knative-serving - labels: - istio-injection: enabled diff --git a/hack/deploy.sh b/hack/deploy.sh index 4c10821f3e6a..7c84ae5eb778 100755 --- a/hack/deploy.sh +++ b/hack/deploy.sh @@ -64,8 +64,6 @@ header "Installing istio" kubectl apply -f ${ISTIO_YAML} wait_until_pods_running istio-system -kubectl label namespace default istio-injection=enabled - header "Installing Knative Serving" kubectl apply -f ${SERVING_RELEASE}