zh-translation: /faq/security/k8s-health-checks.md (#5501)

* update k8s-security-checks.md * update mtls-migration content/zh/docs/tasks/security/authorization/mtls-migration/ => content/zh/docs/tasks/security/mtls-migration/
2019-11-11 12:46:00 +08:00 · 2019-11-11 12:46:00 +08:00 · 20129c6796
parent 75647524c6
commit 20129c6796
1 changed files with 9 additions and 12 deletions
--- a/content/zh/faq/security/k8s-health-checks.md
+++ b/content/zh/faq/security/k8s-health-checks.md
@ -1,24 +1,20 @@
 ---
-title: How can I use Kubernetes liveness and readiness for pod health checks when mutual TLS is enabled?
+title: 当启用双向 TLS 认证时应该如何使用 Kubernetes liveness 和 readiness 对服务进行健康检查？
 weight: 50
 ---
+如果启用了双向 TLS 认证，则来自 kubelet 的 HTTP 和 TCP 健康检查将不能正常工作，因为 kubelet 没有 Istio 颁发的证书。

-If mutual TLS is enabled, HTTP and TCP health checks from the kubelet will not work without modification, since the kubelet does not have Istio-issued certificates.
+从Istio 1.1 开始，我们提供了多种解决方案。

-As of Istio 1.1, we have several options to solve this issue.
+1. 使用 probe rewrite 将 liveness 和 readiness 的请求直接重定向到工作负载。有关更多信息，请参阅 [Probe Rewrite](/zh/docs/ops/setup/app-health-check/#probe-rewrite)。

-1.  Using probe rewrite to redirect liveness and readiness requests to the
-    workload directly. Please refer to [Probe Rewrite](/docs/ops/setup/app-health-check/#probe-rewrite)
-    for more information.
+1. 使用单独的端口进行健康检查，并且仅在常规服务端口上启用双向 TLS。有关更多信息，请参阅 [Istio 服务的运行状况检查](/zh/docs/ops/setup/app-health-check/#separate-port)。

-1.  Using a separate port for health checks and enabling mutual TLS only on the regular service port. Please refer to [Health Checking of Istio Services](/docs/ops/setup/app-health-check/#separate-port) for more information.
+1. 如果对 Istio 服务使用 [`PERMISSIVE` 模式](/zh/docs/tasks/security/mtls-migration)，那么他们可以接受 HTTP 和双向 TLS 流量。请记住，由于其他人可以通过 HTTP 流量与该服务进行通信，因此不强制执行双向 TLS。

-1.  Using the [`PERMISSIVE` mode](/docs/tasks/security/authentication/mtls-migration) for Istio services so they can accept both HTTP and mutual TLS traffic. Please keep in mind that mutual TLS is not enforced since others can communicate with the service with HTTP traffic.
+1. 健康检查使用 [liveness 命令](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command)，例如，可以在服务 Pod 中安装 `curl` 并在 Pod 内对自身执行 `curl` 操作。

-1.  Using a [liveness command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command) for health checks, e.g., one can install `curl` in the service pod and
-`curl` itself within the pod.
-
-An example of a readiness probe:
+一个 readiness 探针的例子：

 {{< text yaml >}}
 livenessProbe:
@ -30,3 +26,4 @@ exec:
 initialDelaySeconds: 10
 periodSeconds: 5
 {{< /text >}}
+