istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Revise the health check faq (#2191) 

* Revise the health check faq

* Fix format

* Fix format
This commit is contained in:
Tao Li 2018-08-08 12:47:39 -07:00 committed by istio-bot
parent a2901ddd2c
commit 481e58c41d
1 changed files with 17 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
content/help/faq/security/k8s-health-checks.md
View File

@ -2,11 +2,23 @@
title: How can I use Kubernetes liveness and readiness for service health check when mutual TLS is enabled?
weight: 50
---
If mutual TLS is enabled, http and tcp health checks from the kubelet will not
work since the kubelet does not have Istio-issued certificates. A workaround is to
use a [liveness command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command)
for health checks, e.g., one can install `curl` in the service pod and `curl` itself
within the pod.
If mutual TLS is enabled, http and tcp health checks from the kubelet will
not work since the kubelet does not have Istio-issued certificates.
As of the Istio 1.0 release, we support the [`PERMISSIVE` mode](/docs/tasks/security/mtls-migration)
for Istio services so they can accept both http and mutual TLS traffic
when this mode is turned on. This can solve the health checking issue.
Please keep in mind that mutual TLS is not enforced since others can
communicate with the service with http traffic.
You can use a separate port for health check and enable mutual TLS only
on the regular service port. Refer to [Health checking of Istio
services](/docs/tasks/traffic-management/app-health-check/)
for more information.
Another workaround is to use a [liveness command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command)
for health checks, e.g., one can install `curl` in the service pod and
`curl` itself within the pod.
An example of a readiness probe:
@ -20,8 +32,3 @@ exec:
initialDelaySeconds: 10
periodSeconds: 5
{{< /text >}}
If you do not want to modify the configuration file, you can enable the `PERMISSIVE`
mode for your services such they can accept both http and mutual TLS traffic. As
a result, the health check will not break. Refer to [Health checking of Istio
services](/docs/tasks/traffic-management/app-health-check/) for more information.