1.5 KiB
| title | weight |
|---|---|
| How can I use Kubernetes liveness and readiness for pod health checks when mutual TLS is enabled? | 50 |
If mutual TLS is enabled, HTTP and TCP health checks from the kubelet will not work without modification, since the kubelet does not have Istio-issued certificates.
As of Istio 1.1, we have several options to solve this issue.
-
Using probe rewrite to rewrite the liveness/readiness probe such that the probe request will be redirected to the workload directly. Please refer to Probe Rewrite for more information.
-
Using a separate port for health checks and enabling mutual TLS only on the regular service port. Please refer to Health Checking of Istio Services for more information.
-
Using the
PERMISSIVEmode for Istio services so they can accept both HTTP and mutual TLS traffic. Please keep in mind that mutual TLS is not enforced since others can communicate with the service with HTTP traffic. -
Using a liveness command for health checks, e.g., one can install
curlin the service pod andcurlitself within the pod.
An example of a readiness probe:
{{< text yaml >}} livenessProbe: exec: command:
- curl
- -f
- http://localhost:8080/healthz # Replace port and URI by your actual health check initialDelaySeconds: 10 periodSeconds: 5 {{< /text >}}