https://docs.openshift.com/container-platform/4.9/service_mesh/v2x/ossm-vs-community.html#ossm-automatic-injection_ossm-vs-istio

(not sure if we want to mention here, or link back to the differences topic

https://docs.openshift.com/container-platform/4.9/service_mesh/v2x/prepare-to-deploy-applications-ossm.html )

We document that there are differences in how sidecar auto-injection works in Istio and in OSSM.  Mazz added some details in an e-mail to the kiali-internal mailing list. Let's capture them in the docs as well.

 
In short, the namespace label is ignored in OSSM. You cannot opt-in all pods in a namespace by setting a namespace label. And today you also can't use the pod label (though this might change in the next OSSM release that bumps to a newer version of Istio). OSSM requires the pod annotation today (as of OSSM 2.1).
 
Here's the differences:
 
 
UPSTREAM ISTIO:

• Namespace Label: supports "enabled" and "disabled"
• Pod Label: supports "true" and "false"
• Pod Annotation: supports "false" only
   
  OSSM:
• Namespace Label: not supported
• Pod Label: not supported
• Pod Annotation: "true" and "false"
   
   
  The pod label/annotation is "sidecar.istio.io/inject" and the namespace label is "istio-injection" (canary deployments have another option, see the docs).
   
  So you must annotate your Pods when using OSSM - that's the only way you can opt-in for auto-injection in OSSM.
   
   
  Here's the OSSM docs - https://docs.openshift.com/container-platform/4.9/service_mesh/v2x/prepare-to-deploy-applications-ossm.html
   
  Here's the upstream Istio docs: https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/