0
0
Kubernetesdevops~5 mins

Sidecar proxy concept (Envoy) in Kubernetes - Commands & Configuration

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Introduction
Sometimes applications need help managing network traffic and security. A sidecar proxy like Envoy runs alongside your app to handle these tasks without changing your app code.
When you want to add secure communication between microservices without changing their code
When you need to monitor and control traffic going in and out of your application
When you want to add retries or timeouts to your app's network calls easily
When you want to collect detailed logs and metrics about your app's network traffic
When you want to isolate network features from your app for easier updates and maintenance
Config File - pod.yaml
pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-app-pod
spec:
  containers:
  - name: my-app
    image: nginx:1.23
    ports:
    - containerPort: 80
  - name: envoy-proxy
    image: envoyproxy/envoy:v1.23.0
    ports:
    - containerPort: 9901 # Envoy admin port
    - containerPort: 10000 # Envoy listener port
    command:
    - /usr/local/bin/envoy
    - -c
    - /etc/envoy/envoy.yaml
    - --service-node
    - sidecar-proxy
    - --service-cluster
    - my-app-cluster
    volumeMounts:
    - name: envoy-config
      mountPath: /etc/envoy
  volumes:
  - name: envoy-config
    configMap:
      name: envoy-config

This YAML defines a Kubernetes Pod with two containers: your app container running nginx and a sidecar container running Envoy proxy.

The Envoy container uses a ConfigMap for its configuration, listens on ports 9901 (admin) and 10000 (proxy traffic), and runs with command-line arguments to identify itself.

This setup allows Envoy to intercept and manage network traffic for your app without changing the app itself.

Commands
This command creates the Pod with both your app and the Envoy sidecar proxy running together.
Terminal
kubectl apply -f pod.yaml
Expected OutputExpected
pod/my-app-pod created
Check that the Pod is running and both containers are ready.
Terminal
kubectl get pods
Expected OutputExpected
NAME READY STATUS RESTARTS AGE my-app-pod 2/2 Running 0 10s
View logs from the Envoy sidecar to see how it is managing traffic and if it started correctly.
Terminal
kubectl logs my-app-pod -c envoy-proxy
Expected OutputExpected
[2024-06-01T12:00:00.000Z] [info] Envoy proxy starting up [2024-06-01T12:00:01.000Z] [info] Listener started on 0.0.0.0:10000
-c - Specify the container name inside the Pod
Test that Envoy is listening on the proxy port inside the Pod by curling it from the app container.
Terminal
kubectl exec my-app-pod -c my-app -- curl -s http://localhost:10000
Expected OutputExpected
<!DOCTYPE html> <html> <head><title>Envoy Proxy</title></head> <body> <h1>Envoy Proxy is running</h1> </body> </html>
-c - Run command inside the app container
Key Concept

If you remember nothing else from this pattern, remember: a sidecar proxy runs alongside your app to handle network tasks without changing your app code.

Common Mistakes
Not defining both the app and Envoy containers in the same Pod spec
The sidecar proxy must run in the same Pod to intercept traffic properly; separate Pods won't work as a sidecar.
Always include the Envoy container alongside your app container in the same Pod YAML.
Forgetting to expose or map the ports Envoy listens on
Without exposing Envoy's ports, traffic cannot be routed through the proxy.
Define the necessary container ports for Envoy in the Pod spec.
Not mounting the Envoy configuration file correctly
Envoy needs its config file to know how to route and manage traffic; missing config causes startup failure.
Use a ConfigMap and mount it properly into the Envoy container.
Summary
Create a Pod with both your app and Envoy sidecar proxy containers defined together.
Use kubectl commands to deploy the Pod, check its status, and view Envoy logs.
Test Envoy's proxy port from inside the Pod to confirm it is running and managing traffic.