Basic setup for istio sidecar auto injection

To enable auto sidecar injection on specific namespace,
you only need label the namespace with `istio-injection=enabled`, e.g.:
    kubectl label namespace default istio-injection=enabled

For details please refer:
    https://istio.io/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection

Change-Id: I2059aa0be2ab3f4f942342850d286281c5f940d4
Signed-off-by: QiLiang <liangqi1@huawei.com>

1 files changed, 23 insertions, 0 deletions

diff --git a/src/vagrant/kubeadm_istio/master_setup.sh b/src/vagrant/kubeadm_istio/master_setup.sh
index b181582..f308244 100644
--- a/src/vagrant/kubeadm_istio/master_setup.sh
+++ b/src/vagrant/kubeadm_istio/master_setup.sh
@@ -2,9 +2,32 @@
 
 set -ex
 
+ADMISSION_CONTROL="Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota"
+KUBE_APISERVER_CONF="/etc/kubernetes/manifests/kube-apiserver.yaml"
+
 sudo kubeadm init --apiserver-advertise-address=192.168.1.10  --service-cidr=10.96.0.0/16 --pod-network-cidr=10.32.0.0/12 --token 8c5adc.1cec8dbf339093f0
 mkdir ~/.kube
 sudo cp /etc/kubernetes/admin.conf $HOME/.kube/config
 sudo chown $(id -u):$(id -g) $HOME/.kube/config
 
 kubectl apply -f http://git.io/weave-kube-1.6
+
+# Enable mutating webhook admission controller
+# kube-apiserver will be automatically restarted by kubelet when its manifest file update.
+# https://istio.io/docs/setup/kubernetes/sidecar-injection.html
+sudo sed -i "s/admission-control=.*/admission-control=$ADMISSION_CONTROL/g" $KUBE_APISERVER_CONF
+
+set +e
+# wait for kube-apiserver restart
+r="1"
+while [ $r -ne "0" ]
+do
+   sleep 2
+   kubectl version > /dev/null
+   r=$?
+done
+set -e
+
+# check if admissionregistration.k8s.io/v1beta1 API is enabled
+kubectl api-versions | grep admissionregistration
+