From 9b9f7b2d482cefde58848f306f46658dd2e93f12 Mon Sep 17 00:00:00 2001 From: Tao Li Date: Wed, 8 Aug 2018 07:19:25 -0700 Subject: [PATCH] Revise the health check faq (#2175) --- content/help/faq/security/k8s-health-checks.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/content/help/faq/security/k8s-health-checks.md b/content/help/faq/security/k8s-health-checks.md index e6396bf150..9f50173ed1 100644 --- a/content/help/faq/security/k8s-health-checks.md +++ b/content/help/faq/security/k8s-health-checks.md @@ -3,10 +3,10 @@ title: How can I use Kubernetes liveness and readiness for service health check weight: 50 --- If mutual TLS is enabled, http and tcp health checks from the kubelet will not -work since they do not have Istio-issued certs. A workaround is to +work since the kubelet does not have Istio-issued certificates. A workaround is to use a [liveness command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command) for health checks, e.g., one can install `curl` in the service pod and `curl` itself -within the pod. The Istio team is actively working on a solution. +within the pod. An example of a readiness probe: @@ -20,3 +20,8 @@ exec: initialDelaySeconds: 10 periodSeconds: 5 {{< /text >}} + +If you do not want to modify the configuration file, you can enable the `PERMISSIVE` +mode for your services such they can accept both http and mutual TLS traffic. As +a result, the health check will not break. Refer to [Health checking of Istio +services](/docs/tasks/traffic-management/app-health-check/) for more information.
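Review bot: In the first hunk (@@ -3,10 +3,10 @@), the opening sentence still says that with mutual TLS enabled the kubelet's health checks "will not work", without qualification, while the paragraph added at the end of this patch describes a `PERMISSIVE` mode in which they do. Suggest scoping the statement to the case where the service accepts only mutual TLS traffic, so the two paragraphs do not contradict each other. While touching these lines, "http and tcp" could be capitalized as "HTTP and TCP", and "`curl` itself within the pod" would read more clearly as something like "run `curl` against the service from inside the pod".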
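Review bot: In the second hunk (@@ -20,3 +20,8 @@), the new paragraph presents `PERMISSIVE` mode only as a convenience, yet by its own wording the service will then "accept both http and mutual TLS traffic". That means plain http is accepted from any caller, not just from the kubelet's probe. The FAQ should state this trade-off next to the recommendation so readers can choose between it and the exec-probe workaround knowingly. Two smaller points in the same lines: "such they can accept" is missing "that", and "the configuration file" should say which file is meant (presumably the pod spec carrying the probe shown above).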