Revise the health check faq (#2191)
* Revise the health check faq

* Fix format

* Fix format
wattli authored and istio-testing committed Aug 8, 2018
1 parent a2901dd commit 481e58c
Showing 1 changed file with 17 additions and 10 deletions.
27 changes: 17 additions & 10 deletions content/help/faq/security/k8s-health-checks.md
@@ -2,11 +2,23 @@
title: How can I use Kubernetes liveness and readiness for service health check when mutual TLS is enabled?
weight: 50
---
If mutual TLS is enabled, http and tcp health checks from the kubelet will not
work since the kubelet does not have Istio-issued certificates. A workaround is to
use a [liveness command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command)
for health checks, e.g., one can install `curl` in the service pod and `curl` itself
within the pod.
If mutual TLS is enabled, http and tcp health checks from the kubelet will
not work since the kubelet does not have Istio-issued certificates.

As of the Istio 1.0 release, we support the [`PERMISSIVE` mode](/docs/tasks/security/mtls-migration)
for Istio services so they can accept both http and mutual TLS traffic
when this mode is turned on. This can solve the health checking issue.
Please keep in mind that mutual TLS is not enforced since others can
communicate with the service with http traffic.

You can use a separate port for health check and enable mutual TLS only
on the regular service port. Refer to [Health checking of Istio
services](/docs/tasks/traffic-management/app-health-check/)
for more information.

Another workaround is to use a [liveness command](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#define-a-liveness-command)
for health checks, e.g., one can install `curl` in the service pod and
`curl` itself within the pod.

An example of a readiness probe:

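Review bot: the `PERMISSIVE` paragraph ("As of the Istio 1.0 release ..." through "communicate with the service with http traffic") offers a mode that accepts plaintext on every port of the service as the answer to a kubelet probe problem, and the sentence "This can solve the health checking issue" reads as a recommendation while the security caveat comes only afterwards. Suggest putting the separate-port option ("You can use a separate port for health check and enable mutual TLS only on the regular service port") and the exec-probe option first, and describing `PERMISSIVE` as a fallback, e.g. "If neither option is possible, `PERMISSIVE` mode accepts both plaintext HTTP and mutual TLS, at the cost of no longer enforcing mutual TLS for that service." The separate-port paragraph should also say how the health-check port is exempted (a port-level setting in the service's authentication policy, which the linked task covers), otherwise readers will assume the kubelet can reach any port once mutual TLS is on. Minor: "http and tcp" should be "HTTP and TCP" in the first sentence, and "http traffic" should be "plaintext HTTP traffic" so the contrast with mutual TLS is explicit.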
@@ -20,8 +32,3 @@ exec:
initialDelaySeconds: 10
periodSeconds: 5
{{< /text >}}

If you do not want to modify the configuration file, you can enable the `PERMISSIVE`
mode for your services such they can accept both http and mutual TLS traffic. As
a result, the health check will not break. Refer to [Health checking of Istio
services](/docs/tasks/traffic-management/app-health-check/) for more information.

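Review bot: the deleted paragraph ("If you do not want to modify the configuration file, you can enable the `PERMISSIVE` mode ...") was the only text that tied `PERMISSIVE` mode to a concrete reason for choosing it (not being able to change the probe configuration) and the only place that pointed readers to /docs/tasks/traffic-management/app-health-check/ for that mode; the replacement text in the first hunk links /docs/tasks/security/mtls-migration instead and keeps the app-health-check link only for the separate-port approach. Worth confirming that the app-health-check task no longer describes the `PERMISSIVE` workaround, or else keep a sentence here that says which page covers which option, so a reader following the separate-port link does not land on `PERMISSIVE` guidance without the "mutual TLS is not enforced" caveat.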