From 481e58c41d18b0f8b980ebaf99eb43902f93a929 Mon Sep 17 00:00:00 2001 From: Tao Li Date: Wed, 8 Aug 2018 12:47:39 -0700 Subject: [PATCH] Revise the health check faq (#2191) * Revise the health check faq * Fix format * Fix format --- .../help/faq/security/k8s-health-checks.md | 27 ++++++++++++------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/content/help/faq/security/k8s-health-checks.md b/content/help/faq/security/k8s-health-checks.md index 9f50173ed1..8dced8e1ef 100644 --- a/content/help/faq/security/k8s-health-checks.md +++ b/content/help/faq/security/k8s-health-checks.md 
@@ -2,11 +2,23 @@ title: How can I use Kubernetes liveness and readiness for service health check when mutual TLS is enabled? weight: 50 --- -If mutual TLS is enabled, http and tcp health checks from the kubelet will not -work since the kubelet does not have Istio-issued certificates. A workaround is to -use a [liveness command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command) -for health checks, e.g., one can install `curl` in the service pod and `curl` itself -within the pod. +If mutual TLS is enabled, http and tcp health checks from the kubelet will +not work since the kubelet does not have Istio-issued certificates. + +As of the Istio 1.0 release, we support the [`PERMISSIVE` mode](/docs/tasks/security/mtls-migration) +for Istio services so they can accept both http and mutual TLS traffic +when this mode is turned on. This can solve the health checking issue. +Please keep in mind that mutual TLS is not enforced since others can +communicate with the service with http traffic. + +You can use a separate port for health check and enable mutual TLS only +on the regular service port. Refer to [Health checking of Istio +services](/docs/tasks/traffic-management/app-health-check/) +for more information. + +Another workaround is to use a [liveness command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command) +for health checks, e.g., one can install `curl` in the service pod and +`curl` itself within the pod. An example of a readiness probe: 
@@ -20,8 +32,3 @@ exec: initialDelaySeconds: 10 periodSeconds: 5 {{< /text >}} - -If you do not want to modify the configuration file, you can enable the `PERMISSIVE` -mode for your services such they can accept both http and mutual TLS traffic. As -a result, the health check will not break. Refer to [Health checking of Istio -services](/docs/tasks/traffic-management/app-health-check/) for more information.
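Review bot: in the first hunk the three options are presented without any ordering by security impact, and the `PERMISSIVE` option comes first even though the same paragraph concedes that "mutual TLS is not enforced since others can communicate with the service with http traffic"; consider leading with the separate health-check port (which keeps mutual TLS enforced on the regular service port) and describing `PERMISSIVE` as the transition mode that the linked mtls-migration task covers, so readers do not adopt it as a permanent fix. The added text also says "liveness command" for the `curl` workaround while the retained example is "a readiness probe"; align the wording or state that the same exec probe applies to both probe types. Minor style: "http" and "tcp" in prose should be "HTTP" and "TCP".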
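Review bot: the second hunk removes the trailing `PERMISSIVE` paragraph that pointed readers to /docs/tasks/traffic-management/app-health-check/ for `PERMISSIVE` mode, while the first hunk now cites that same page for the separate health-check port and /docs/tasks/security/mtls-migration for `PERMISSIVE`; verify that each target actually documents what it is now cited for, so the relocation does not leave a cross-reference pointing at the wrong task.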