istio.io/istio@v0.0.0-20240520182934-d79c90f27776/releasenotes/notes/injector-selectors.yaml

apiVersion: release-notes/v2
kind: feature
area: installation
issue:
- 30013

releaseNotes:
- |
  **Improved** the sidecar injector to better utilize pod labels to determine if injection is required.
upgradeNotes:
- title: Sidecar Injector Changes
  content: |
    The logic to determine whether a pod requires sidecar injection has been updated to make use of
    new Kubernetes features. Previously, the webhook was triggered at a coarse-grained level, selecting any
    pods in a namespace with a matching `istio-injection=enabled` label.

    This has two limitations:

    * Opting out individual pods with the `sidecar.istio.io/inject` label would still trigger the webhook,
      only to be filtered out by Istio. This can have the unexpected impact of adding a dependency on Istio
      when one is not expected.

    * There is no way to opt in an individual pod, with `sidecar.istio.io/inject`, without enabling injection
      for the entire namespace.

    These limitations have both been resolved. As a result, additional pods may be injected that were not in previous versions,
    if they exist in a namespace without an `istio-injection` label set but have the `sidecar.istio.io/inject` label set on the pod.
    This is expected to be an uncommon case, so for most users there will be no behavioral changes to existing pods.

    If this behavior is not desired, it can be temporarily disabled with `--set values.sidecarInjectorWebhook.useLegacySelectors=true`.
    This option will be removed in future releases.

    See the updated [Automatic sidecar injection](/docs/setup/additional-setup/sidecar-injection/) documentation for more information.
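A pre-upgrade check for the case the upgrade note calls out, as an added example that is not part of the Istio release note or code base: it lists pods that carry the `sidecar.istio.io/inject` label in a namespace with no `istio-injection` label. The function name `pods_to_review` is hypothetical, the inputs are assumed to have the shape of `kubectl get namespaces -o json` and `kubectl get pods -A -o json` output, and the sample data is constructed.

```python
NS_LABEL = "istio-injection"           # namespace-level label named in the note
POD_LABEL = "sidecar.istio.io/inject"  # pod-level label named in the note

# Constructed sample data, shaped like the "items" lists kubectl returns.
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "mesh", "labels": {NS_LABEL: "enabled"}}},
    {"metadata": {"name": "legacy", "labels": {NS_LABEL: "disabled"}}},
    {"metadata": {"name": "batch"}},  # no istio-injection label at all
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "web", "namespace": "mesh"}},
    {"metadata": {"name": "job", "namespace": "mesh", "labels": {POD_LABEL: "false"}}},
    {"metadata": {"name": "api", "namespace": "legacy", "labels": {POD_LABEL: "true"}}},
    {"metadata": {"name": "report", "namespace": "batch", "labels": {POD_LABEL: "true"}}},
    {"metadata": {"name": "cleanup", "namespace": "batch", "labels": {POD_LABEL: "false"}}},
    {"metadata": {"name": "plain", "namespace": "batch", "labels": {"app": "plain"}}},
]}


def pods_to_review(namespaces, pods):
    """Return sorted (namespace, pod, label value) tuples for pods that have
    the pod-level label set while their namespace has no istio-injection label."""
    unlabeled = {
        ns["metadata"]["name"]
        for ns in namespaces.get("items", [])
        if NS_LABEL not in (ns["metadata"].get("labels") or {})
    }
    hits = []
    for pod in pods.get("items", []):
        meta = pod["metadata"]
        labels = meta.get("labels") or {}
        ns = meta.get("namespace", "default")
        if ns in unlabeled and POD_LABEL in labels:
            # The label value is reported so the reviewer can see the pod's intent.
            hits.append((ns, meta["name"], labels[POD_LABEL]))
    return sorted(hits)


if __name__ == "__main__":
    for ns, name, value in pods_to_review(SAMPLE_NAMESPACES, SAMPLE_PODS):
        print(f"{ns}/{name}: {POD_LABEL}={value}")
```

Pods in namespaces that already carry an `istio-injection` label, whatever its value, are left out because the note limits the behavior change to namespaces without that label.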