istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add health check task (#1571) 

* Add health check task

* Fix format

* Address comments

* Fix spell

* Fix lint

* Fix lint

* Fix lint
This commit is contained in:
Tao Li 2018-06-25 16:48:28 -07:00 committed by istio-bot
parent 4203f1b102
commit 1057bd6387
1 changed files with 131 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
content/docs/tasks/traffic-management/app-health-check.md Normal file
View File

@ -0,0 +1,131 @@
---
title: Health Checking of Istio Services
description: Shows how to do health checking for Istio services.
weight: 65
keywords: [security,health-check]
---
This task shows how to use [Kubernetes liveness and readiness probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) for health checking on Istio services.
There are three options for liveness and readiness probes in Kubernetes: 1) command; 2) http request; 3) tcp request. In this task, we provide examples for the first two options with Istio mutual TLS enabled and disabled, respectively.
## Before you begin
* Understand [Kubernetes liveness and readiness probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/), Istio [authentication policy](/docs/concepts/security/authn-policy/) and [mutual TLS authentication](/docs/concepts/security/mutual-tls/) concepts.
* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use istio-demo.yaml as described in [installation steps](/docs/setup/kubernetes/quick-start/#installation-steps), or set `global.mtls.enabled` to false using [Helm](/docs/setup/kubernetes/helm-install/)).
## Liveness and readiness probes with command option
In this section, we show how to configure health checking when mutual TLS is disabled, then how it works when mutual TLS is enabled.
### Mutual TLS disabled
Run this command to deploy [liveness](https://github.com/istio/istio/blob/{{<branch_name>}}/samples/health-check/liveness-command.yaml) in the default namespace:
```command
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
```
Wait for a minute and check the pod status
```command
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-6857c8775f-zdv9r 2/2 Running 0 1m
```
The number '0' in the 'RESTARTS' column means liveness probes works fine. Readiness probes works in the same way and you can modify liveness-command.yaml accordingly to try it yourself.
### Mutual TLS enabled
Run this command to enable mutual TLS for services in the default namespace.
```bash
cat <<EOF | istioctl create -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "example-1"
namespace: "default"
spec:
peers:
- mtls:
EOF
```
Run this command to re-deploy the service:
```command
$ kubectl delete -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
```
And repeat the same steps as in above section to verify that the liveness probes works.
## Liveness and readiness probes with http request option
This section shows how to configure health checking with the HTTP request option.
### Mutual TLS is disabled
Run this command to remove the mutual TLS policy.
```bash
cat <<EOF | istioctl delete -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "example-1"
namespace: "default"
spec:
peers:
- mtls:
EOF
```
Run this command to deploy [liveness-http](https://github.com/istio/istio/blob/{{<branch_name>}}/samples/health-check/liveness-http.yaml) in the default namespace:
```command
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)
```
Wait for a minute and check the pod status to make sure the liveness probes works with the 'RESTARTS' column to be '0'.
```command
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-http-975595bb6-5b2z7c 2/2 Running 0 1m
```
### Mutual TLS is enabled
Run this command to enable mutual TLS for services in the default namespace.
```bash
cat <<EOF | istioctl create -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "example-1"
namespace: "default"
spec:
peers:
EOF
```
Run these commands to re-deploy the service:
```command
$ kubectl delete -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)
```
Wait for a minute and check the pod status to make sure the liveness probes works with the 'RESTARTS' column to be '0'.
```command
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-http-67d5db65f5-765bb 2/2 Running 0 1m
```
Note that the image in [liveness-http](https://github.com/istio/istio/blob/{{<branch_name>}}/samples/health-check/liveness-http.yaml) exposes two ports: 8001 and 8002 ([source code](https://github.com/istio/istio/blob/{{<branch_name>}}/samples/health-check/server.go)). In this deployment, port 8001 serves the regular traffic while port 8002 is used for liveness probes. Since Istio proxy only intercepts ports that are explicitly declared at ```containerPort``` field, traffic to 8002 port will bypass Istio proxy no matter Istio mutual TLS is enabled or not. However, if we use port 8001 for both regular traffic and liveness probes, health check will fail when mutual TLS is enabled since the http request is sent from Kubelet, which does not send client certificate to the liveness-http service.