A sidecar container is commonly used in real-world applications to augment the functionality of the primary container. And here we will see some simplified examples of typical sidecar container use cases, along with their scripts or configurations.
1. Logging and Monitoring
Scenario: A sidecar container collects logs from the primary application and sends them to a logging service.
apiVersion: v1
kind: Pod
metadata:
name: logging-sidecar
spec:
containers:
- name: app-container
image: nginx
volumeMounts:
- name: shared-logs
mountPath: /var/log/nginx
- name: log-collector
image: busybox
command: ["sh", "-c", "tail -f /var/log/nginx/access.log"]
volumeMounts:
- name: shared-logs
mountPath: /var/log/nginx
volumes:
- name: shared-logs
emptyDir: {}
- The
nginxapp writes logs to/var/log/nginx.- default logs:
access.logrecord the access messages;error.logrecord error messages.
- default logs:
- The
log-collectorsidecar tails the log file and can send it to an external logging service.
# when we access the ngnix
controlplane $ curl 192.168.1.4
# it will record the access msg
controlplane $ k exec -it pods/logging-sidecar -c log-collector -- cat /var/log/nginx/access.log
192.168.1.4 - - [07/Dec/2024:21:34:51 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.88.1" "-"
192.168.0.0 - - [07/Dec/2024:21:35:13 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.68.0" "-"
2. Security Proxy
Scenario: A sidecar acts as a proxy to add authentication or encryption to requests before they reach the primary container.
-
main-appcontainer serves traffic. - Sidecar container intercepts and routes traffic.
apiVersion: v1
kind: Pod
metadata:
name: proxy-sidecar
spec:
containers:
- name: main-app
image: httpd
ports:
- containerPort: 80
- name: envoy-proxy
image: envoyproxy/envoy:v1.27.0
args: ["-c", "/etc/envoy/envoy.yaml"]
ports:
- containerPort: 10000
Then configure envoy.yaml to route traffic. Access the service through the proxy and verify logs in Envoy. The configure file envoy.yaml can be found here.
And the
envoy-proxycontainer not installvimornanoeditor, so you can use
kubectl cp <local-file-path> <pod-name>:<pod-destination-path> -c <container-name>
kubectl cp <pod-name>:<source-path> <destination-path> -c <container-name>
# eg.
kubectl cp proxy-sidecar:/etc/envoy/envoy.yaml ./envoy.yaml -c envoy-proxy
to copy it outside pod to edit it.
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
proxy-sidecar 2/2 Running 0 13m 192.168.1.4 node01 <none> <none>
controlplane $ curl http://192.168.1.4:10000
The auth-proxy sidecar intercepts requests to the main-app, applies authentication, and forwards them.
3. File Synchronization
Scenario: A sidecar container keeps files synchronized between the application and an external storage system:
-
main-appcontainer save file under/data -
syncersidecar container synchronize it at/backup
apiVersion: v1
kind: Pod
metadata:
name: data-sync-sidecar
spec:
containers:
- name: main-app
image: busybox
command: ["/bin/sh", "-c"]
args: ["echo 'hallo syncer!' > /data/file.txt; sleep 3600"]
volumeMounts:
- name: data-volume
mountPath: /data
- name: syncer
image: alpine
command: ["/bin/sh", "-c"]
args: ["apk add --no-cache rsync; while true; do rsync -av /data/ /backup/; sleep 10; done"]
volumeMounts:
- name: data-volume
mountPath: /data
- name: backup-volume
mountPath: /backup
volumes:
- name: data-volume
emptyDir: {}
- name: backup-volume
emptyDir: {}
The sync-agent periodically synchronizes files between /data and /backup.
4. Initialization with InitContainer
Scenario: A initContainers init-db container, which used to init the db provided for main application to use. (The whole yaml file can be checked at this GitHub Repo).
Here we use a busybox as the main app container, but it just a placeholder. We can run the actual application that relies on the initialization performed by the initContainer. For example, the main container is some web application.
You can check this Repo which is the full yaml file for a flask app to use the initContainers container.
apiVersion: v1
kind: Pod
metadata:
name: db-init-pod
spec:
initContainers:
- name: init-db
image: postgres:latest
command: ["sh", "-c"]
args:
- |
until pg_isready -h postgres -U user; do
echo "Waiting for PostgreSQL to be ready...";
sleep 2;
done;
psql -h postgres -U user -d mydb -c "CREATE TABLE IF NOT EXISTS test (id SERIAL PRIMARY KEY, name TEXT);"
env:
- name: PGPASSWORD
value: "password" # Match the PostgreSQL password
containers:
- name: app
image: busybox
command: ["/bin/sh", "-c"]
args: ["echo 'App starting'; sleep 3600"]
And then we can verify Database Initialization by logging into the PostgreSQL container and check for the test table. or inspect the init-db logs for progress or errors.
NAME READY STATUS RESTARTS AGE
db-init-pod 1/1 Running 0 33s
postgres-7c8f74d97b-cxdmp 1/1 Running 0 32s
# check the log
controlplane $ k logs db-init-pod -c init-db
# logging into postgres container verify the db
controlplane $ k exec -it postgres-7c8f74d97b-cxdmp -- psql -U user -d mydb -c "\dt"
List of relations
Schema | Name | Type | Owner
--------+------+-------+-------
public | test | table | user
(1 row)
or if you change the busybox image to what your app used eg. flask
controlplane $ kubectl logs db-init-pod -c init-db
postgres:5432 - no response
Waiting for PostgreSQL to be ready...
postgres:5432 - accepting connections
CREATE TABLE
controlplane $ kubectl logs db-init-pod -c app
And then we can add a svc to access the Flask application.
Benefits of Sidecars:
The sidecars container has many other usages, such as debugging, caching. And it's better to use a sidecar container, as:
- Modularity: Sidecars add functionality without altering the primary app.
- Scalability: The same sidecar logic can be reused across different apps.
- Separation of Concerns: Keeps application code clean and focused.
Therefore it is a powerful tool for extending functionality while maintaining a clean architecture.
Reference
In official document, we can see more details about the sidecar container.
Also we can check here for the init containers.
Top comments (0)