Resolving sidecar proxies issues in Cloud Service Mesh

This section explains common Cloud Service Mesh sidecar proxies problems and how to resolve them. If you need additional assistance, see Getting support.

The istio-proxy container is killed because of a OOM event

In this section we assume that the istio-proxy container is not killed by a SystemOOM event, and the kubernetes node is not in MemoryPressure condition. The istio-proxy sidecar container has by default resource limits. If the istio-proxy container gets killed with Reason: OOMKilled it is necessary to understand why Envoy is consuming the memory.

If you are facing a production outage, a quick workaround is to raise the limits for all containers using IstioOperator:

---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      proxy:
        resources:
          requests:
               memory: 128Mi
          limits:
               memory: 1Gi

If you are facing this issue with specific workloads, you can change the limit just on those workloads by adding the following annotations.

• sidecar.istio.io/proxyMemory
• sidecar.istio.io/proxyMemoryLimit

Please make sure you don't have limits that are lower of the default values.

The long term solution is to reduce the memory footprint of your istio-proxy sidecar containers. By default all sidecar proxies are programmed with the necessary configuration to reach any other workload instance in the mesh. Istio provides the custom resource definition Sidecar to limit the number of endpoints programmed to sidecar proxies, and therefore reduce the memory consumption of the istio-proxy container.