OSM Components & Interactions

Containers

When a new Pod is created, OSM's MutatingWebhookConfiguration intercepts the create pod operations for namespaces joined to the mesh and forwards these API calls to the OSM control plane. The OSM control plane augments (patches) the Pod spec with 2 new containers: the Envoy sidecar and an init container. The init container is ephemeral: it executes the init-iptables.sh bash script and terminates. It requires the NET_ADMIN kernel capability so that the iptables changes can be applied. OSM uses iptables to ensure that all inbound and outbound traffic flows through the Envoy sidecar.

The init container Docker image is specified as a string pointing to a container registry. This string is passed to the OSM controller on startup via the --init-container-image CLI parameter. The default value is defined in the OSM Deployment chart.
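An added example (not OSM's own code) of a check a reviewer could run on an injected Pod: it flags NET_ADMIN on anything other than an init container whose image matches the value given to --init-container-image. The policy that only the init container should hold NET_ADMIN, the function names, and the sample container names and images are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the Pod fields this audit reads; encoding/json matches keys case-insensitively.
type container struct {
	Name, Image     string
	SecurityContext struct{ Capabilities struct{ Add []string } }
}
type podSpec struct{ InitContainers, Containers []container }

// Constructed sample (placeholder names and images); the sidecar is deliberately given NET_ADMIN.
const samplePod = `{"spec":{"initContainers":[{"name":"mesh-init","image":"registry.example/init:v1",
  "securityContext":{"capabilities":{"add":["NET_ADMIN"]}}}],
 "containers":[{"name":"app","image":"registry.example/app:v1"}, {"name":"envoy",
  "image":"registry.example/envoy:v1","securityContext":{"capabilities":{"add":["NET_ADMIN"]}}}]}}`

func hasNetAdmin(c container) bool {
	for _, name := range c.SecurityContext.Capabilities.Add {
		if name == "NET_ADMIN" || name == "ALL" { // ALL also grants NET_ADMIN
			return true
		}
	}
	return false
}

// auditNetAdmin flags NET_ADMIN held by anything but an init container running wantInitImage.
func auditNetAdmin(podJSON []byte, wantInitImage string) ([]string, error) {
	var p struct{ Spec podSpec }
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return nil, err
	}
	var findings []string
	for _, c := range p.Spec.InitContainers {
		if hasNetAdmin(c) && c.Image != wantInitImage {
			findings = append(findings, fmt.Sprintf("init container %q: NET_ADMIN with unexpected image %q", c.Name, c.Image))
		}
	}
	for _, c := range p.Spec.Containers {
		if hasNetAdmin(c) {
			findings = append(findings, fmt.Sprintf("container %q: NET_ADMIN on a long-running container", c.Name))
		}
	}
	return findings, nil
}

func main() { fmt.Println(auditNetAdmin([]byte(samplePod), "registry.example/init:v1")) }
```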