Sidecar Pattern
The sidecar is the most common multi-container Pod pattern in Kubernetes. This page covers when to use it, how to implement it, and the anti-patterns that turn sidecars into liabilities. Synthesized from CKA Day 11 — Multi Container Pod Kubernetes: Sidecar vs Init Container.
What Is a Sidecar?
A sidecar container is a secondary container that runs alongside the main application container within the same Pod. It extends or enhances the main application’s functionality without modifying the main application’s code.
Key properties:
- Runs concurrently with the main container (not sequentially like init containers)
- Shares the Pod’s network namespace and storage volumes
- Has an independent lifecycle within the Pod — if it crashes, the main container may keep running (depending on
restartPolicy) - Should be loosely coupled to the main app
Best practice: A sidecar should be able to start and stop independently without crashing the main app. Avoid hard dependencies where the main app fails if the sidecar is not yet ready. Source: CKA Day 11
Classic Sidecar Use Cases
1. Log Shipping
The sidecar reads application logs from a shared volume and forwards them to a centralized logging system (ELK, Loki, CloudWatch).
containers:
- name: app
image: my-app
volumeMounts:
- name: app-logs
mountPath: /var/log/app
- name: log-shipper
image: fluentd
volumeMounts:
- name: app-logs
mountPath: /var/log/app
volumes:
- name: app-logs
emptyDir: {}2. Monitoring / Metrics Exporter
The sidecar exposes application metrics in a format that Prometheus can scrape, or translates proprietary metrics into OpenTelemetry.
containers:
- name: redis
image: redis:7
- name: redis-exporter
image: oliver006/redis_exporter
args: ["--redis.addr", "redis://localhost:6379"]3. Service Mesh Proxy
The sidecar intercepts all network traffic to and from the main app, adding mTLS, traffic shaping, and observability (Istio, Linkerd).
containers:
- name: app
image: my-app
- name: istio-proxy
image: istio/proxyv2:1.20.04. Configuration Reloader
The sidecar watches a ConfigMap or Secret mounted as a volume and signals the main app (e.g., via SIGHUP) when configuration changes.
containers:
- name: nginx
image: nginx
- name: config-reloader
image: jimmidyson/configmap-reload
args: ["--webhook-url", "http://localhost:8080/-/reload", "--volume-dir", "/etc/nginx/conf.d"]5. TLS Termination
The sidecar handles TLS encryption/decryption so the main app can operate in plain HTTP.
containers:
- name: app
image: my-app
- name: tls-proxy
image: nginx:alpine
volumeMounts:
- name: tls-certs
mountPath: /etc/nginx/sslSidecar vs Init Container
| Aspect | Init Container | Sidecar Container |
|---|---|---|
| Lifecycle | Runs to completion before main app | Runs concurrently with main app |
| YAML section | spec.initContainers | spec.containers |
| Purpose | Setup, validation, migration | Auxiliary service (logging, proxy, monitoring) |
| Failure behavior | Blocks main app startup; may restart Pod | Independent; main app may continue running |
| Probes | Not supported | Supports liveness, readiness, startup |
| Resource scheduling | Affects total requested resources | Affects total requested resources |
Anti-Patterns
| Anti-Pattern | Why It’s Bad |
|---|---|
| Heavy sidecar | Consumes CPU/memory that the main app needs; can trigger OOMKills |
| Tight coupling | Main app crashes if sidecar is unavailable; defeats the purpose of loose coupling |
| Stateful sidecar | Sidecars should be stateless or use external storage; losing a Pod means losing the sidecar’s state |
| Business logic in sidecar | Sidecars are infrastructure concerns; business logic belongs in the main app or a separate service |
| Sidecar as a substitute for a Service | If the auxiliary function could be a standalone microservice, it probably should be |
CKA Exam Relevance
- You may be asked to write a Pod spec with a sidecar that shares a volume with the main app
- Understand that sidecars appear in the same
containerslist as the main app - Know how to get logs from a specific sidecar container:
kubectl logs <pod> -c <sidecar> - Be able to explain why a sidecar is preferred over an init container for long-running auxiliary tasks
Related Pages
- Multi-Container Pods — overview of multi-container patterns including adapter and ambassador
- Init Containers — setup containers that run before the main app
- Pod Fundamentals — Pod basics and shared namespace behavior
- Kubernetes Environment Variables — configuration injection into sidecars
- Pod Commands and Arguments — customizing sidecar startup behavior
- Deployment, ReplicaSet & Replication Controller — scaling Pods with sidecars
- Kubernetes Namespaces — isolating sidecar-instrumented workloads
- CKA Certification — exam domains where sidecars appear
- CKA Study Roadmap — Day 11 in the 40-day plan
Tags: kubernetes sidecar pattern multi-container pod cka devops observability