Sidecar Pattern
A secondary container (sidecar) is deployed alongside each service container in the same pod/host, handling infrastructure concerns like logging, proxying, or secret injection on the service's behalf.
Sidecar = a motorcycle sidecar. The passenger (sidecar container) rides alongside handling the map, snacks, and radio — but the driver (main service) does the actual driving.
The sidecar decouples infrastructure concerns from application code. Common sidecars: Envoy proxy (traffic management), Fluentd/Fluent Bit (log forwarding), Vault Agent (secret injection and rotation), OpenTelemetry Collector (telemetry export). The sidecar pattern is the foundation of service meshes. Benefits: infrastructure upgrades (e.g., updating the proxy version) do not require application code changes. The sidecar shares the same network namespace as the main container, enabling it to intercept traffic via iptables rules without application awareness.
The sidecar lifecycle must be managed carefully in Kubernetes. A sidecar that starts after the main container may miss early traffic; a sidecar that dies before the main container during shutdown can cause connection errors. Kubernetes 1.29 introduced native sidecar support (restartPolicy: Always in initContainers) to address lifecycle ordering. The ambassador pattern is a variant where the sidecar acts as a proxy to external services, handling connection pooling, retries, and protocol translation. The adapter pattern is another variant where the sidecar transforms the main container's output into a standard format expected by external monitoring systems.
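The lifecycle ordering described above, shown as a Pod manifest. This is an added example, not from the original page; the pod name, images, port and health path are placeholders, and the log-forwarding sidecar stands in for any infrastructure sidecar.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: orders                                   # hypothetical service name
spec:
  volumes:
    - name: app-logs
      emptyDir: {}
  initContainers:
    # Native sidecar: an init container with restartPolicy: Always.
    # The kubelet starts it before the main container, keeps it running
    # for the life of the pod, and stops it only after the main container
    # has exited. Listed under `containers` instead, it would get no
    # start or stop ordering relative to the app.
    - name: log-forwarder
      image: registry.example/log-forwarder:1.0  # placeholder image
      restartPolicy: Always
      # The app container is not started until this probe succeeds,
      # so the sidecar cannot miss early output.
      startupProbe:
        httpGet:
          path: /healthz                         # assumed health endpoint
          port: 2020                             # assumed port
        periodSeconds: 2
        failureThreshold: 30
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/app
          readOnly: true                         # sidecar only reads the logs
      # The sidecar shares the pod with the app, so run it with the same
      # least-privilege settings you would require of the service itself.
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
  containers:
    - name: app
      image: registry.example/orders:1.0         # placeholder image
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/app
```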
I use the sidecar pattern for any infrastructure concern that would otherwise require updating 30+ service codebases. Secret injection is the highest-value use case: Vault Agent sidecar renews short-lived credentials automatically, eliminating the 'baked-in secrets' anti-pattern without requiring developers to integrate with Vault's SDK directly.
Avoid putting business logic in a sidecar. Sidecars should handle pure infrastructure concerns. If the sidecar needs to understand domain concepts, that logic belongs in the main service.