Tetrate Istio Subscription - Version: Next

TIS1002 - Global Default Sidecar Should Not Have a workloadSelector

The global default Sidecar configuration should not have a workloadSelector.

Recommendation: Global Sidecar Should Be Generic Without workloadSelector

To maintain proper global defaults, ensure that the global Sidecar in the istio-system namespace does not include a workloadSelector. Use specific Sidecar resources for configuring individual workloads.

Examples

  1. Global Sidecar with a workloadSelector

    apiVersion: networking.istio.io/v1beta1
    kind: Sidecar
    metadata:
      name: default-sidecar
      namespace: istio-system
    spec:
      workloadSelector:
        labels:
          app: my-app
      egress:
      - hosts:
        - "*/*"

    Explanation: The global Sidecar resource in the istio-system namespace is configured with a workloadSelector. This is not appropriate for a global default configuration, as the workloadSelector should be used only for specifying configurations for individual workloads. The global default should apply to all workloads in the absence of more specific configurations.

Recommendation

Ensure the global Sidecar resource does not include a workloadSelector. Move settings that apply only to specific workloads into Sidecar resources in the application namespaces.

  1. Remove workloadSelector from the Global Sidecar

    Update the global Sidecar configuration to remove the workloadSelector, so that it applies to every workload that has no more specific Sidecar configuration of its own.

    apiVersion: networking.istio.io/v1beta1
    kind: Sidecar
    metadata:
      name: default-sidecar
      namespace: istio-system
    spec:
      egress:
      - hosts:
        - "*/*"

    Explanation: Removing the workloadSelector from the global Sidecar resource ensures that the configuration applies to all workloads, providing a consistent default configuration for traffic egress.

  2. Move Specific Settings to Workload-Specific Sidecar Resources

    If specific settings are required for a particular workload, move those settings to a workload-specific Sidecar resource in the appropriate namespace.

    apiVersion: networking.istio.io/v1beta1
    kind: Sidecar
    metadata:
      name: my-app-sidecar
      namespace: example-namespace
    spec:
      workloadSelector:
        labels:
          app: my-app
      egress:
      - hosts:
        - "external-service.com/*"

    Explanation: By creating a workload-specific Sidecar resource, the configuration is applied only to the relevant workloads, while the global Sidecar remains generic.
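The following script is an added example of how the TIS1002 condition can be checked outside the cluster; it is not part of the Tetrate analyzer or of Istio. It reads the JSON list printed by `kubectl get sidecars.networking.istio.io -A -o json` (the sample list embedded below is constructed, and istio-system is assumed to be the mesh root namespace), reports every Sidecar in the root namespace that carries a workloadSelector, and shows the first remediation step, stripping the selector, applied to the offending object.

```python
"""TIS1002 check: global Sidecar in the root namespace must not select workloads.

Added example, not the Tetrate Istio Subscription analyzer's own code. Works on
the JSON `List` that `kubectl get sidecars.networking.istio.io -A -o json`
prints; istio-system is assumed to be the mesh root namespace.
"""
import json

ROOT_NAMESPACE = "istio-system"  # assumed root namespace of the mesh

# Constructed sample shaped like kubectl's JSON List output: one offending
# global Sidecar, one correct global Sidecar and one workload-specific Sidecar
# living in an application namespace (mirrors the YAML examples above).
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "networking.istio.io/v1beta1",
            "kind": "Sidecar",
            "metadata": {"name": "default-sidecar", "namespace": "istio-system"},
            "spec": {
                "workloadSelector": {"labels": {"app": "my-app"}},
                "egress": [{"hosts": ["*/*"]}],
            },
        },
        {
            "apiVersion": "networking.istio.io/v1beta1",
            "kind": "Sidecar",
            "metadata": {"name": "default", "namespace": "istio-system"},
            "spec": {"egress": [{"hosts": ["*/*"]}]},
        },
        {
            "apiVersion": "networking.istio.io/v1beta1",
            "kind": "Sidecar",
            "metadata": {"name": "my-app-sidecar", "namespace": "example-namespace"},
            "spec": {
                "workloadSelector": {"labels": {"app": "my-app"}},
                "egress": [{"hosts": ["external-service.com/*"]}],
            },
        },
    ],
})


def parse_items(list_doc):
    """Accept a JSON string or an already-parsed dict and return its items."""
    doc = json.loads(list_doc) if isinstance(list_doc, str) else list_doc
    return doc.get("items", [])


def check_tis1002(list_doc, root_namespace=ROOT_NAMESPACE):
    """Return one finding per Sidecar in the root namespace that has a
    workloadSelector key. Sidecars in other namespaces are skipped: there a
    selector is the intended way to scope configuration to a workload."""
    findings = []
    for item in parse_items(list_doc):
        if item.get("kind") != "Sidecar":
            continue
        meta = item.get("metadata", {})
        ns = meta.get("namespace")
        if ns != root_namespace:
            continue
        selector = item.get("spec", {}).get("workloadSelector")
        if selector is None:  # an empty selector {} is still flagged
            continue
        labels = selector.get("labels", {})
        findings.append({
            "rule": "TIS1002",
            "name": meta.get("name"),
            "namespace": ns,
            "labels": labels,
            "message": (
                f"Sidecar {ns}/{meta.get('name')} is in the root namespace but "
                f"selects workloads by labels {labels}; remove the "
                "workloadSelector so it acts as the mesh-wide default and put "
                "the selector on a Sidecar in the workload's own namespace."
            ),
        })
    return findings


def strip_workload_selector(sidecar):
    """Remediation step 1: return a copy of the Sidecar with
    spec.workloadSelector removed. The input object is left untouched."""
    fixed = json.loads(json.dumps(sidecar))  # cheap deep copy of plain JSON data
    fixed.get("spec", {}).pop("workloadSelector", None)
    return fixed


if __name__ == "__main__":
    for finding in check_tis1002(SAMPLE_LIST):
        print(finding["message"])
```

Pipe live output into the script with `kubectl get sidecars.networking.istio.io -A -o json | python3 tis1002.py` after replacing `SAMPLE_LIST` with `sys.stdin.read()`; the root namespace is a parameter because meshes that set a different `rootNamespace` in MeshConfig need the check pointed there instead of at istio-system.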