From ff2870e25cfbb94d4bbdaf1c8086d3d21a6cbb25 Mon Sep 17 00:00:00 2001 From: Tao Li Date: Thu, 26 Jul 2018 16:57:13 -0700 Subject: [PATCH] Faq (#1997) --- content/help/faq/security/k8s-health-checks.md | 10 +++++----- content/help/faq/security/use-k8s-secrets.md | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/content/help/faq/security/k8s-health-checks.md b/content/help/faq/security/k8s-health-checks.md index 54d88a025b..e6396bf150 100644 --- a/content/help/faq/security/k8s-health-checks.md +++ b/content/help/faq/security/k8s-health-checks.md @@ -1,14 +1,14 @@ --- -title: How can I use Kubernetes liveness and readiness for service health check with Istio Auth enabled? +title: How can I use Kubernetes liveness and readiness for service health check when mutual TLS is enabled? weight: 50 --- -If Istio Auth is enabled, http and tcp health check from kubelet will not -work since they do not have Istio Auth issued certs. A workaround is to +If mutual TLS is enabled, http and tcp health checks from the kubelet will not +work since they do not have Istio-issued certs. A workaround is to use a [liveness command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command) -for health check, e.g., one can install curl in the service pod and curl itself +for health checks, e.g., one can install `curl` in the service pod and `curl` itself within the pod. The Istio team is actively working on a solution. -An example of readinessProbe: +An example of a readiness probe: {{< text yaml >}} livenessProbe: diff --git a/content/help/faq/security/use-k8s-secrets.md b/content/help/faq/security/use-k8s-secrets.md index 597ed628d5..b6368b5da1 100644 --- a/content/help/faq/security/use-k8s-secrets.md +++ b/content/help/faq/security/use-k8s-secrets.md 
@@ -1,9 +1,9 @@ --- -title: Does Istio Auth use Kubernetes secrets? +title: Does Istio authentication use Kubernetes secrets? weight: 120 --- -Yes. The key and certificate distribution in Istio Auth is based on [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/). +Yes. The key and certificate distribution in Istio Authentication is based on [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/). Secrets have known [security risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks). The Kubernetes team is working on [several features](https://docs.google.com/document/d/1T2y-9geg9EfHHtCDYTXptCa-F4kQ0RyiH-c_M1SyD0s) to improve
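Review bot: In the k8s-health-checks.md hunk, the reworded lead-in "An example of a readiness probe:" is followed by a block that starts with `livenessProbe:`, so the sentence and the example disagree. Either change the lead-in to "An example of a liveness probe:" or extend the example to show a readiness probe too, since the title mentions both liveness and readiness. While this paragraph is being reworded, "http and tcp" could be written "HTTP and TCP", and "since they do not have Istio-issued certs" would be clearer with the kubelet as the explicit subject, because "they" currently reads as referring to the health checks.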
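Review bot: In the use-k8s-secrets.md hunk, the new title writes "Istio authentication" in lower case while the new body line writes "Istio Authentication" with a capital A. Pick one form and use it in both places, for example "The key and certificate distribution in Istio authentication is based on ...", so the rename away from "Istio Auth" lands on a single term.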