- What's New
- Product Bulletin
- Service Overview
- Billing
- Getting Started
-
User Guide
- Application Service Mesh
- Buying a Service Mesh
- Mesh Management
- Service Management
- Gateway Management
- Grayscale Release
- Mesh Configuration
- Traffic Management
- Security
-
Best Practices
- Upgrading Data Plane Sidecars Without Service Interruption
- Service Governance for Dubbo-based Applications
- Reserving Source IP Address for Gateway Access
- Creating a Service Mesh with IPv4/IPv6 Dual Stack Enabled
- How Do I Query Application Metrics in AOM?
- Reducing the Agency Permissions of ASM Users
- Istio-ingressgateway HA Configuration
-
FAQs
- Service Mesh Cluster
-
Mesh Management
- Why Cannot I Create a Mesh for My Cluster?
- Why Are Exclusive Nodes Still Exist After Istio Is Uninstalled?
- How Do I Upgrade ICAgent?
- How Do I Enable Namespace Injection for a Cluster?
- How Do I Disable Sidecar Injection for Workloads?
- What Can I Do If A Pod Cannot Be Started Due to Unready Sidecar
- How Do I Handle a Canary Upgrade Failure?
-
Adding a Service
- What Do I Do If an Added Gateway Does Not Take Effect?
- Why Does It Take a Long Time to Start the Demo Application in Experiencing Service Mesh in One Click?
- Why Cannot I Access the page of the Demo Application After It Is Successfully Deployed?
- Why Cannot I Select the Corresponding Service When Adding a Route?
- How Do I Inject a Sidecar for the Pod Created Using a Job or CronJob?
- Performing Grayscale Release
-
Managing Traffic
- Why Are the Created Clusters, Namespaces, and Applications Not Displayed on the Traffic Management Page?
- How Do I Change the Resource Requests of the istio-proxy Container?
- Does ASM Support HTTP/1.0?
- How Can I Block Access from Some IP Address Ranges or Ports for a Service Mesh?
- How Do I Configure max_concurrent_streams for a Gateway?
- How Do I Fix Compatibility Issues Between Istio CNI and Init Containers?
-
Monitoring Traffic
- Why Cannot I View Traffic Monitoring Data Immediately After a Pod Is Started?
- Why Are the Latency Statistics on the Dashboard Page Inaccurate?
- Why Is the Traffic Ratio Inconsistent with That in the Traffic Monitoring Chart?
- Why Can't I Find Certain Error Requests in Tracing?
- Why Cannot I Find My Service in the Traffic Monitoring Topology?
- How Do I Connect a Service Mesh to Jaeger or Zipkin for Viewing Traces?
- Videos
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Service Overview
- Getting Started
- User Guide
-
FAQs
- Service Mesh Cluster
- Mesh Management
-
Adding a Service
- What Do I Do If an Added Gateway Does Not Take Effect?
- Why Does It Take a Long Time to Start the Demo Application in Experiencing Service Mesh in One Click?
- Why Cannot I Access the page of the Demo Application After It Is Successfully Deployed?
- Why Cannot I Select the Corresponding Service When Adding a Route?
- Performing Grayscale Release
-
User Guide (ME-Abu Dhabi Region)
- General Reference
Show all
Copied.
What Can I Do If A Pod Cannot Be Started Due to Unready Sidecar
Description
Pods of services managed by a mesh may fail to be started and keep restarting. When the service container communicates with external systems, the traffic passes through the istio-proxy container. However, the service container is started earlier than the istio-proxy container. As a result, the communication with external systems fails and the pod keeps restarting.
Solution
In Istio 1.7 and later versions, the community adds a switch named HoldApplicationUntilProxyStarts to the istio-injector injection logic. After the switch is enabled, the proxy is injected to the first container and the istio-proxy container is started earlier than the service container.
The switch can be configured globally or locally. The following describes two ways to enable the switch.
After this switch is enabled, the service container cannot be started until the sidecar is fully ready, which slows down pod startup and reduces scalability for burst traffic. You are advised to evaluate service scenarios and enable this switch only for required services.
- Global Configuration
- Run the following command to edit the IOP CR resource:
kubectl edit iop private-data-plane -n istio-system
Add the following command to the spec.values.global.proxy field:
holdApplicationUntilProxyStarts: true
- Run the following command to check whether the latest logs contain no error information:
kubectl logs -n istio-operator $(kubectl get po -n istio-operator | awk '{print $1}' | grep -v NAME)
- Run the following command to check whether the IOP CR is normal:
kubectl get iop -n istio-system
- Run the following command to upgrade the services in the mesh in a rolling manner:
kubectl rollout restart deployment nginx -n default
where, nginx is an example service, and default is the namespace. Replace them with the actual values.
- Run the following command to check whether the pod is restarted:
kubectl get pod -n default | grep nginx
- Run the following command to check whether postStart lifecycle is added to the pod and whether the istio-proxy container is placed in the first position:
kubectl edit pod nginx-7bc96f87b9-l4dbl
- Run the following command to edit the IOP CR resource:
- Local Configuration
For Istio 1.8 or later versions, you can label the pods for which this function needs to be enabled with proxy.istio.io/config and set holdApplicationUntilProxyStarts to true.
The following uses the nginx service in the default namespace as an example. The operations for other services are similar.
kubectl edit deploy nginx -n default
Add the following commands to the spec.template.metadata.annotations field:
proxy.istio.io/config: | holdApplicationUntilProxyStarts: true
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot