
Istio Sidecar Injection

How Istio automatically injects the Envoy sidecar and istio-init containers into pods via a mutating webhook.

Key takeaways

  • Mutating webhook injects istio-init + istio-proxy
  • istio-init sets iptables rules to redirect traffic to Envoy
  • Label namespace: istio-injection=enabled for auto-injection


Sidecar Injection Process

Istio uses a MutatingAdmissionWebhook to inject two containers into each pod: istio-init, which sets up iptables rules that redirect traffic through Envoy, and istio-proxy, the Envoy sidecar. Injection is automatic in namespaces labeled istio-injection=enabled. Because the containers in a pod share one network namespace, Envoy intercepts all inbound and outbound traffic transparently.
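A pod that sits in a labeled namespace but lacks the injected containers has no Envoy in its traffic path. The following added example (not code from this page or from the Istio project) audits Namespace and Pod objects for that gap; the sample objects, the pod() helper and the audit() function are constructed for illustration.

```python
# Added example: offline audit of sidecar injection (not Istio project code).
INJECT_LABEL = "istio-injection"
# Where each injected container is expected in the pod spec, per the text above.
# Assumption: plain webhook injection; clusters using the Istio CNI plugin
# have no istio-init container, so a lone "missing istio-init" is expected there.
EXPECTED = {"initContainers": "istio-init", "containers": "istio-proxy"}

# Constructed sample data, trimmed to the relevant Namespace and Pod fields.
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "shop", "labels": {"istio-injection": "enabled"}}},
    {"metadata": {"name": "legacy", "labels": {}}},
]

def pod(ns, name, init=(), main=("app",)):
    """Build a minimal constructed pod object (hypothetical helper)."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"initContainers": [{"name": n} for n in init],
                     "containers": [{"name": n} for n in main]}}

SAMPLE_PODS = [
    pod("shop", "cart", init=("istio-init",), main=("app", "istio-proxy")),
    pod("shop", "checkout"),  # e.g. created before the namespace was labeled
    pod("shop", "search", main=("app", "istio-proxy")),  # proxy but no iptables setup
    pod("legacy", "batch"),   # namespace not labeled: out of scope for this check
]

def audit(namespaces, pods):
    """Return sorted (namespace, pod, finding) tuples for pods in
    injection-enabled namespaces that lack an expected injected container."""
    enabled = {ns["metadata"]["name"] for ns in namespaces
               if ns["metadata"].get("labels", {}).get(INJECT_LABEL) == "enabled"}
    findings = []
    for p in pods:
        meta, spec = p["metadata"], p["spec"]
        if meta["namespace"] not in enabled:
            continue
        missing = [want for field, want in EXPECTED.items()
                   if want not in {c["name"] for c in spec.get(field, [])}]
        if missing:
            findings.append((meta["namespace"], meta["name"],
                             "missing " + "+".join(missing)))
    return sorted(findings)

if __name__ == "__main__":
    for ns, name, finding in audit(SAMPLE_NAMESPACES, SAMPLE_PODS):
        print(f"{ns}/{name}: {finding}")
```

Because the webhook mutates pods only when they are created, pods flagged here typically need to be recreated to pick up the sidecar.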

