14

How to disable Istio sidecar injection for the Kubernetes Job?

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: pod-restart
spec:
  concurrencyPolicy: Forbid
  schedule: '0 8 * * *'
  jobTemplate:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      backoffLimit: 2
      activeDeadlineSeconds: 600
      template:
        spec:
          serviceAccountName: pod-restart
          restartPolicy: Never
          containers:
            - name: kubectl
              image: bitnami/kubectl
              command: ['kubectl', 'rollout', 'restart', 'deployment/myapp']

Sidecar still gets injected.

Jonas
  • 4,683
  • 4
  • 45
  • 81

2 Answers2

23

The annotation is in wrong place. You have to put it on the pod template.

apiVersion: batch/v1beta1
kind: CronJob
metadata:
spec:
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: "false"

There is working CronJob example with istio injection disabled.

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: hello
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: "false"
        spec:
          containers:
          - name: hello
            image: busybox
            args:
            - /bin/sh
            - -c
            - date; echo "Hello, World!"
          restartPolicy: OnFailure

Also there is related github issue about that.

Jakub
  • 8,189
  • 1
  • 17
  • 31
5

Now the annotation has been deprecated as per doc https://istio.io/latest/docs/reference/config/annotations/ it would be best if you use a label instead:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: jobs-cleanup
spec:
  schedule: "*/4 * * * *"
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            sidecar.istio.io/inject: "false"
        spec:
          serviceAccountName: cleaner
          containers:
          - name: kubectl-container
            image: bitnami/kubectl:latest
            command: ["sh", "/tmp/clean.sh"]
            volumeMounts:
            - name: cleaner-script
              mountPath: /tmp/
          restartPolicy: Never
          volumes:
          - name: cleaner-script
            configMap:
              name: cleaner-script
Michal Lis
  • 491
  • 5
  • 4