mirror of https://github.com/istio/istio.io.git
Mention gRPC probe in health checking of istio services page (#12913)
This commit is contained in:
Kevin Park
GitHub
parent
666e3459fd
commit
284f896534
|
|
@ -20,18 +20,19 @@ describes several ways to configure liveness and readiness probes:
|
|||
1. [Command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-command)
|
||||
1. [HTTP request](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request)
|
||||
1. [TCP probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-tcp-liveness-probe)
|
||||
1. [gRPC probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe)
|
||||
|
||||
The command approach works with no changes required, but HTTP requests and TCP probes require Istio to make changes to the pod configuration.
|
||||
The command approach works with no changes required, but HTTP requests, TCP probes, and gRPC probes require Istio to make changes to the pod configuration.
|
||||
|
||||
The health check requests to the `liveness-http` service are sent by Kubelet.
|
||||
This becomes a problem when mutual TLS is enabled, because the Kubelet does not have an Istio issued certificate.
|
||||
Therefore the health check requests will fail.
|
||||
|
||||
TCP probe checks need special handling, because Istio redirects all incoming traffic into the sidecar, and so all TCP ports appear open. The Kubelet simply checks if some process is listening on the specified port, and so the probe will always succeed as long as the sidecar is running.
|
||||
TCP probe checks need special handling, because Istio redirects all incoming traffic into the sidecar, and so all TCP ports appear open. The Kubelet simply checks if some process is listening on the specified port, and so the probe will always succeed as long as the sidecar is running.
|
||||
|
||||
Istio solves both these problems by rewriting the application `PodSpec` readiness/liveness probe,
|
||||
so that the probe request is sent to the [sidecar agent](/docs/reference/commands/pilot-agent/).
|
||||
For HTTP requests, the sidecar agent redirects the request to the application and strips the response body, only returning the response code. For TCP probes, the sidecar agent will then do the port check while avoiding the traffic redirection.
|
||||
For HTTP and gRPC requests, the sidecar agent redirects the request to the application and strips the response body, only returning the response code. For TCP probes, the sidecar agent will then do the port check while avoiding the traffic redirection.
|
||||
|
||||
The rewriting of problematic probes is enabled by default in all built-in Istio
|
||||
[configuration profiles](/docs/setup/additional-setup/config-profiles/) but can be disabled as described below.
|
||||
|
|
@ -75,9 +76,9 @@ NAME READY STATUS RESTARTS AGE
|
|||
liveness-6857c8775f-zdv9r 2/2 Running 0 4m
|
||||
{{< /text >}}
|
||||
|
||||
## Liveness and readiness probes using the HTTP or TCP approach {#liveness-and-readiness-probes-using-the-http-request-approach}
|
||||
## Liveness and readiness probes using the HTTP, TCP, and gRPC approach {#liveness-and-readiness-probes-using-the-http-request-approach}
|
||||
|
||||
As stated previously, Istio uses probe rewrite to implement HTTP/TCP probes by default. You can disable this
|
||||
As stated previously, Istio uses probe rewrite to implement HTTP, TCP, and gRPC probes by default. You can disable this
|
||||
feature either for specific pods, or globally.
|
||||
|
||||
### Disable the probe rewrite for a pod {#disable-the-http-probe-rewrite-for-a-pod}
|
||||
|
|
@ -87,6 +88,10 @@ to disable the probe rewrite option. Make sure you add the annotation to the
|
|||
[pod resource](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) because it will be ignored
|
||||
anywhere else (for example, on an enclosing deployment resource).
|
||||
|
||||
{{< tabset category-name="disable-probe-rewrite" >}}
|
||||
|
||||
{{< tab name="HTTP Probe" category-value="http-probe" >}}
|
||||
|
||||
{{< text yaml >}}
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: apps/v1
|
||||
|
|
@ -120,6 +125,47 @@ spec:
|
|||
EOF
|
||||
{{< /text >}}
|
||||
|
||||
{{< /tab >}}
|
||||
|
||||
{{< tab name="gRPC Probe" category-value="grpc-probe" >}}
|
||||
|
||||
{{< text yaml >}}
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: liveness-grpc
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: liveness-grpc
|
||||
version: v1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: liveness-grpc
|
||||
version: v1
|
||||
annotations:
|
||||
sidecar.istio.io/rewriteAppHTTPProbers: "false"
|
||||
spec:
|
||||
containers:
|
||||
- name: etcd
|
||||
image: registry.k8s.io/etcd:3.5.1-0
|
||||
command: ["--listen-client-urls", "http://0.0.0.0:2379", "--advertise-client-urls", "http://127.0.0.1:2379", "--log-level", "debug"]
|
||||
ports:
|
||||
- containerPort: 2379
|
||||
livenessProbe:
|
||||
grpc:
|
||||
port: 2379
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 5
|
||||
EOF
|
||||
{{< /text >}}
|
||||
|
||||
{{< /tab >}}
|
||||
|
||||
{{< /tabset >}}
|
||||
|
||||
This approach allows you to disable the health check probe rewrite gradually on individual deployments,
|
||||
without reinstalling Istio.
|
||||
|
||||
|
|
|
|||
|
|
@ -83,6 +83,39 @@ spec:
|
|||
EOF
|
||||
ENDSNIP
|
||||
|
||||
! read -r -d '' snip_disable_the_probe_rewrite_for_a_pod_disablethehttpproberewriteforapod_2 <<\ENDSNIP
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: liveness-grpc
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: liveness-grpc
|
||||
version: v1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: liveness-grpc
|
||||
version: v1
|
||||
annotations:
|
||||
sidecar.istio.io/rewriteAppHTTPProbers: "false"
|
||||
spec:
|
||||
containers:
|
||||
- name: etcd
|
||||
image: registry.k8s.io/etcd:3.5.1-0
|
||||
command: ["--listen-client-urls", "http://0.0.0.0:2379", "--advertise-client-urls", "http://127.0.0.1:2379", "--log-level", "debug"]
|
||||
ports:
|
||||
- containerPort: 2379
|
||||
livenessProbe:
|
||||
grpc:
|
||||
port: 2379
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 5
|
||||
EOF
|
||||
ENDSNIP
|
||||
|
||||
snip_disable_the_probe_rewrite_globally_1() {
|
||||
kubectl get cm istio-sidecar-injector -n istio-system -o yaml | sed -e 's/"rewriteAppHTTPProbe": true/"rewriteAppHTTPProbe": false/' | kubectl apply -f -
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue