<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Health Checking of Istio Services"><meta name=description content="Shows how to do health checking for Istio services."><meta name=keywords content=microservices,services,mesh,security,health-check><meta property=og:title content="Health Checking of Istio Services"><meta property=og:type content=website><meta property=og:description content="Shows how to do health checking for Istio services."><meta property=og:url content=/v1.1/help/ops/setup/app-health-check/><meta property=og:image content=/v1.1/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.1 / Health Checking of Istio Services</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.1/feed.xml><link rel="shortcut icon" href=/v1.1/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.1/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.1/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.1/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.1/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.1/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.1/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.1/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.1/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.1/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.1/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.1/css/all.css></head><body class="language-unknown archive-site"><script src=/v1.1/js/themes_init.min.js></script><script>const branchName="release-1.1";const docTitle="Health Checking of Istio Services";const iconFile="\/v1.1/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.1/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.1/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 
230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.1</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.1/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.1/blog/2019/announcing-1.1.9/>Blog</a>
<span title="A bunch of resources to help you deploy, configure and use Istio.">Help</span>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.1/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/help\/ops\/setup\/app-health-check\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/help\/ops\/setup\/app-health-check\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.1/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><div id=header0 class=header title="A bunch of resources to help you deploy, configure and use Istio."><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#help"/></svg>Need Help?</div><div class="body default" aria-labelledby=header0><ul role=tree aria-expanded=true aria-labelledby=header0><li role=treeitem aria-label="Operations Guide"><button class=show aria-hidden=true></button><a title="Hints, tips, tricks about running an Istio mesh." href=/v1.1/help/ops/>Operations Guide</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.1/help/ops/component-logging/>Component Logging</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into individual running components." href=/v1.1/help/ops/controlz/>Component Introspection</a></li><li role=none><a role=treeitem title="How to do low-level debugging of Istio components." href=/v1.1/help/ops/component-debugging/>Component Debugging</a></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.1/help/ops/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="An introduction to Istio networking operational aspects." href=/v1.1/help/ops/traffic-management/introduction/>Introduction to Network Operations</a></li><li role=none><a role=treeitem title="Provides specific deployment and configuration guidelines." 
href=/v1.1/help/ops/traffic-management/deploy-guidelines/>Deployment and Configuration Guidelines</a></li><li role=none><a role=treeitem title="Describes common networking issues and how to recognize and avoid them." href=/v1.1/help/ops/traffic-management/troubleshooting/>Troubleshooting Networking Issues</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.1/help/ops/traffic-management/proxy-cmd/>Debugging Envoy and Pilot</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.1/help/ops/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.1/help/ops/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Demonstrates how to debug authorization." href=/v1.1/help/ops/security/debugging-authorization/>Debugging Authorization</a></li><li role=none><a role=treeitem title="What to do if Citadel is not behaving properly." href=/v1.1/help/ops/security/repairing-citadel/>Repairing Citadel</a></li><li role=none><a role=treeitem title="What to do if you suspect problems with Istio keys and certificates." href=/v1.1/help/ops/security/keys-and-certs/>Keys and Certificates</a></li><li role=none><a role=treeitem title="What to do if mutual TLS authentication isn't working." href=/v1.1/help/ops/security/mutual-tls/>Mutual TLS</a></li><li role=none><a role=treeitem title="Authorization is enabled, but requests make it through anyway." href=/v1.1/help/ops/security/authorization-permissive/>Authorization Too Permissive</a></li><li role=none><a role=treeitem title="Authorization is enabled and no requests make it through to the service." 
href=/v1.1/help/ops/security/authorization-restrictive/>Authorization Too Restrictive</a></li><li role=none><a role=treeitem title="What to do if end-user authentication doesn't work." href=/v1.1/help/ops/security/end-user-auth/>End User Authentication</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.1/help/ops/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.1/help/ops/telemetry/>Telemetry</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Diagnose problems where metrics are not being collected." href=/v1.1/help/ops/telemetry/missing-metrics/>Missing Metrics</a></li><li role=none><a role=treeitem title="Dealing with Grafana issues." href=/v1.1/help/ops/telemetry/grafana/>Grafana</a></li><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.1/help/ops/telemetry/envoy-stats/>Envoy Statistics</a></li></ul></li><li role=treeitem aria-label="Installation and Setup"><button class=show aria-hidden=true></button><a title="Helps you diagnose and repair Istio installations." href=/v1.1/help/ops/setup/>Installation and Setup</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.1/help/ops/setup/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation." 
href=/v1.1/help/ops/setup/validation/>Configuration Validation Webhook</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.1/help/ops/setup/injection/>Sidecar Injection Webhook</a></li><li role=none><a role=treeitem title="Describes how to check which capabilities are allowed for your pods." href=/v1.1/help/ops/setup/required-pod-capabilities/>Required Pod Capabilities</a></li><li role=none><span role=treeitem class=current title="Shows how to do health checking for Istio services.">Health Checking of Istio Services</span></li></ul></li><li role=none><a role=treeitem title="Advice on tackling common problems with Istio." href=/v1.1/help/ops/misc/>Miscellaneous</a></li></ul></li><li role=treeitem aria-label=FAQ><button aria-hidden=true></button><a title="Frequently Asked Questions about Istio." href=/v1.1/help/faq/>FAQ</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="General Q & A." href=/v1.1/help/faq/general/>General</a></li><li role=none><a role=treeitem title="Setup Q & A." href=/v1.1/help/faq/setup/>Setup</a></li><li role=none><a role=treeitem title="Security Q & A." href=/v1.1/help/faq/security/>Security</a></li><li role=none><a role=treeitem title="Mixer Q & A." href=/v1.1/help/faq/mixer/>Mixer</a></li><li role=none><a role=treeitem title="Metrics and Logs Q & A." href=/v1.1/help/faq/metrics-and-logs/>Metrics and Logs</a></li><li role=none><a role=treeitem title="Distributed Tracing Q & A." href=/v1.1/help/faq/distributed-tracing/>Distributed Tracing</a></li><li role=none><a role=treeitem title="Traffic Management Q & A." href=/v1.1/help/faq/traffic-management/>Traffic Management</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." 
href=/v1.1/help/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.1/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.1/help/ title="A bunch of resources to help you deploy, configure and use Istio.">Help</a></li><li><a href=/v1.1/help/ops/ title="Hints, tips, tricks about running an Istio mesh.">Operations Guide</a></li><li><a href=/v1.1/help/ops/setup/ title="Helps you diagnose and repair Istio installations.">Installation and Setup</a></li><li>Health Checking of Istio Services</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Health Checking of Istio Services</h1><p class=byline><span title="925 words"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#clock"/></svg><span> </span>5 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Before you begin"><a href=#before-you-begin>Before you begin</a><li role=none aria-label="Liveness and readiness probes with command option"><a href=#liveness-and-readiness-probes-with-command-option>Liveness and readiness probes with command option</a><ol><li role=none aria-label="Mutual TLS disabled"><a href=#mutual-tls-disabled>Mutual TLS disabled</a><li role=none aria-label="Mutual TLS enabled"><a href=#mutual-tls-enabled>Mutual TLS enabled</a><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a></ol></li><li role=none aria-label="Liveness and readiness probes with HTTP request option"><a href=#liveness-and-readiness-probes-with-http-request-option>Liveness and readiness probes with HTTP request option</a><ol><li role=none aria-label="Mutual TLS is disabled"><a href=#mutual-tls-is-disabled>Mutual TLS is disabled</a><li role=none 
aria-label="Mutual TLS is enabled"><a href=#mutual-tls-is-enabled>Mutual TLS is enabled</a><ol><li role=none aria-label="Probe rewrite"><a href=#probe-rewrite>Probe rewrite</a><ol><li role=none aria-label="Configure Istio to rewrite liveness HTTP probes"><a href=#configure-istio-to-rewrite-liveness-http-probes>Configure Istio to rewrite liveness HTTP probes</a><li role=none aria-label="Re-deploy the liveness health check app"><a href=#re-deploy-the-liveness-health-check-app>Re-deploy the liveness health check app</a></ol></li><li role=none aria-label="Separate port"><a href=#separate-port>Separate port</a></ol></li></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>This task shows how to use <a href=https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/>Kubernetes liveness and readiness probes</a> for health checking of Istio services.</p><p>There are three options for liveness and readiness probes in Kubernetes:</p><ol><li>Command</li><li>HTTP request</li><li>TCP request</li></ol><p>This task provides examples for the first two options with Istio mutual TLS enabled and disabled, respectively.</p><h2 id=before-you-begin>Before you begin</h2><ul><li><p>Understand <a href=https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/>Kubernetes liveness and readiness probes</a>, Istio
<a href=/v1.1/docs/concepts/security/#authentication-policies>authentication policy</a> and <a href=/v1.1/docs/concepts/security/#mutual-tls-authentication>mutual TLS authentication</a> concepts.</p></li><li><p>Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (meaning use <code>istio.yaml</code> as described in <a href=/v1.1/docs/setup/kubernetes/install/kubernetes/#installation-steps>installation steps</a>, or set <code>global.mtls.enabled</code> to false using <a href=/v1.1/docs/setup/kubernetes/install/helm/>Helm</a>).</p></li></ul><h2 id=liveness-and-readiness-probes-with-command-option>Liveness and readiness probes with command option</h2><p>In this section, you configure health checking when mutual TLS is disabled, then when mutual TLS is enabled.</p><h3 id=mutual-tls-disabled>Mutual TLS disabled</h3><p>Run this command to deploy <a href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-command.yaml>liveness</a> in the default namespace:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-command.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
</code></pre></div><p>Wait for a minute and check the pod status:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-6857c8775f-zdv9r 2/2 Running 0 1m
</code></pre><p>The number ‘0’ in the ‘RESTARTS’ column means liveness probes worked fine. Readiness probes work in the same way and you can modify <code>liveness-command.yaml</code> accordingly to try it yourself.</p><h3 id=mutual-tls-enabled>Mutual TLS enabled</h3><p>To enable mutual TLS for services in the default namespace, you must configure an authentication policy and a destination rule.
Follow these steps to complete the configuration:</p><ol><li><p>To configure the authentication policy, run:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - <<EOF
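# Namespace-wide authentication policy: workloads in "default" require mutual TLS from peers.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "default"
spec:
  peers:
  - mtls: {}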
EOF
</code></pre></li><li><p>To configure the destination rule, run:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - <<EOF
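# Client-side rule: sidecars use Istio mutual TLS when calling any host in the "default" namespace.
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "default"
  namespace: "default"
spec:
  host: "*.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL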
EOF
</code></pre></li></ol><p>Run this command to re-deploy the service:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-command.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-command.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl delete -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
</code></pre></div><p>Repeat the check status command to verify that the liveness probes work:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-6857c8775f-zdv9r 2/2 Running 0 4m
</code></pre><h3 id=cleanup>Cleanup</h3><p>Remove the mutual TLS policy and corresponding destination rule added in the steps above:</p><ol><li><p>To remove the mutual TLS policy, run:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete policies default
</code></pre></li><li><p>To remove the corresponding destination rule, run:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete destinationrules default
</code></pre></li></ol><h2 id=liveness-and-readiness-probes-with-http-request-option>Liveness and readiness probes with HTTP request option</h2><p>This section shows how to configure health checking with the HTTP request option.</p><h3 id=mutual-tls-is-disabled>Mutual TLS is disabled</h3><p>Run this command to deploy <a href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-http.yaml>liveness-http</a> in the default namespace:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-http.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)
</code></pre></div><p>Wait for a minute and check the pod status to make sure the liveness probes work with ‘0’ in the ‘RESTARTS’ column.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-http-975595bb6-5b2z7c 2/2 Running 0 1m
</code></pre><h3 id=mutual-tls-is-enabled>Mutual TLS is enabled</h3><p>When mutual TLS is enabled, we have two options to support HTTP probes: probe rewrites and separate ports.</p><h4 id=probe-rewrite>Probe rewrite</h4><p>This approach rewrites the application <code>PodSpec</code> liveness probe, such that the probe request will be sent to
<a href=/v1.1/docs/reference/commands/pilot-agent/>Pilot agent</a>. Pilot agent then redirects the
request to the application and strips the response body, returning only the response code.</p><p>To use this approach, you need to configure Istio to rewrite the liveness HTTP probes.</p><h5 id=configure-istio-to-rewrite-liveness-http-probes>Configure Istio to rewrite liveness HTTP probes</h5><p><a href=/v1.1/docs/setup/kubernetes/install/helm/>Install Istio</a> with the <code>sidecarInjectorWebhook.rewriteAppHTTPProbe=true</code>
<a href=/v1.1/docs/reference/config/installation-options/#sidecarinjectorwebhook-options>Helm installation option</a>.</p><p><strong>Alternatively</strong>, update the configuration map of Istio sidecar injection:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get cm istio-sidecar-injector -n istio-system -o yaml | sed -e "s/ rewriteAppHTTPProbe: false/ rewriteAppHTTPProbe: true/" | kubectl apply -f -
</code></pre><p>The installation option and the configuration map change above each instruct the sidecar injection process to automatically
rewrite the Kubernetes pod’s spec so that health checks work under mutual TLS. You do not need to update your app or pod
spec yourself.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-warning"/></svg></div><div class=content>The configuration changes above (by Helm or by the configuration map) affect all Istio app deployments.</div></aside></div><h5 id=re-deploy-the-liveness-health-check-app>Re-deploy the liveness health check app</h5><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-command.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-command.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl delete -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
</code></pre></div><pre><code class=language-bash data-expandlinks=true>$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-http-975595bb6-5b2z7c 2/2 Running 0 1m
</code></pre><p>This feature is not currently turned on by default. We’d like to <a href=https://github.com/istio/istio/issues/10357>hear your feedback</a>
on whether we should make this the default behavior for Istio installations.</p><h4 id=separate-port>Separate port</h4><p>Again, enable mutual TLS for services in the default namespace by adding a namespace-wide authentication policy and a destination rule:</p><ol><li><p>To configure the authentication policy, run:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - <<EOF
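# Namespace-wide authentication policy: workloads in "default" require mutual TLS from peers.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "default"
spec:
  peers:
  - mtls: {}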
EOF
</code></pre></li><li><p>To configure the destination rule, run:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl apply -f - <<EOF
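# Client-side rule: sidecars use Istio mutual TLS when calling any host in the "default" namespace.
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "default"
  namespace: "default"
spec:
  host: "*.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL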
EOF
</code></pre></li></ol><p>Run these commands to re-deploy the service:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-http.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-http.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl delete -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)
</code></pre></div><p>Wait for a minute and check the pod status to make sure the liveness probes work with ‘0’ in the ‘RESTARTS’ column.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-http-67d5db65f5-765bb 2/2 Running 0 1m
</code></pre><p>Note that the image in <a href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/liveness-http.yaml>liveness-http</a> exposes two ports: 8001 and 8002 (<a href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/health-check/server.go>source code</a>). In this deployment, port 8001 serves the regular traffic while port 8002 is used for liveness probes. Because the Istio proxy only intercepts ports that are explicitly declared in the <code>containerPort</code> field, traffic to port 8002 bypasses the Istio proxy regardless of whether Istio mutual TLS is enabled. However, if you use port 8001 for both regular traffic and liveness probes, the health check will fail when mutual TLS is enabled because the HTTP request is sent from the kubelet, which does not send a client certificate to the <code>liveness-http</code> service. Because port 8002 bypasses the proxy, it is also outside Istio mutual TLS and authorization policies: keep that endpoint limited to health status and, where needed, restrict access to it by other means such as a Kubernetes NetworkPolicy.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/health-check/>Citadel Health Checking</a></p><p class=desc>Shows how to enable Citadel health checking with Kubernetes.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></p><p class=desc>Learn how to extend the lifetime of Istio self-signed root certificate.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></p><p class=desc>Describe Istio's authorization feature and how to use it in various use cases.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/authn-policy/>Authentication Policy</a></p><p class=desc>Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication.</p></div><div class=entry><p class=link><a data-skipendnotes=true 
href=/v1.1/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></p><p class=desc>Shows how to set up role-based access control for HTTP services.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></p><p class=desc>Shows how to set up role-based access control for TCP services.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Describes how to check which capabilities are allowed for your pods." href=/v1.1/help/ops/setup/required-pod-capabilities/><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#left-arrow"/></svg>Required Pod Capabilities</a></div><div class=right></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Before you begin"><a href=#before-you-begin>Before you begin</a><li role=none aria-label="Liveness and readiness probes with command option"><a href=#liveness-and-readiness-probes-with-command-option>Liveness and readiness probes with command option</a><ol><li role=none aria-label="Mutual TLS disabled"><a href=#mutual-tls-disabled>Mutual TLS disabled</a><li role=none aria-label="Mutual TLS enabled"><a href=#mutual-tls-enabled>Mutual TLS enabled</a><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a></ol></li><li role=none aria-label="Liveness and readiness probes with HTTP request option"><a href=#liveness-and-readiness-probes-with-http-request-option>Liveness and readiness probes with HTTP request option</a><ol><li role=none aria-label="Mutual TLS is disabled"><a href=#mutual-tls-is-disabled>Mutual TLS is disabled</a><li role=none aria-label="Mutual TLS is enabled"><a href=#mutual-tls-is-enabled>Mutual TLS is enabled</a><ol><li role=none aria-label="Probe rewrite"><a href=#probe-rewrite>Probe rewrite</a><ol><li role=none aria-label="Configure 
Istio to rewrite liveness HTTP probes"><a href=#configure-istio-to-rewrite-liveness-http-probes>Configure Istio to rewrite liveness HTTP probes</a><li role=none aria-label="Re-deploy the liveness health check app"><a href=#re-deploy-the-liveness-health-check-app>Re-deploy the liveness health check app</a></ol></li><li role=none aria-label="Separate port"><a href=#separate-port>Separate port</a></ol></li></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.1.9 now" href=https://github.com/istio/istio/releases/tag/1.1.9 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.1.9<br>© 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on June 18, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#github"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#slack"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#top"/></svg></button></div></body></html> |