Health Checking of Istio Services
Kubernetes liveness and readiness probesoffer three different options:
- Command
- TCP request
- HTTP requestThis guide shows how to use these approaches in Istio with mutual TLS enabled.
Command and TCP type probes work with Istio regardless of whether or not mutual TLS is enabled. The HTTP request approach requires different Istio configuration withmutual TLS enabled.
Before you begin
Understand Kubernetes liveness and readiness probes, Istioauthentication policy and mutual TLS authentication concepts.
Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled.
Liveness and readiness probes with command option
First, you need to configure health checking with mutual TLS enabled.
To enable mutual TLS for services in the default namespace, you must configure an authentication policy and a destination rule.Follow these steps to complete the configuration:
- To configure the authentication policy, run:
$ kubectl apply -f - <<EOF
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "default"
namespace: "default"
spec:
peers:
- mtls: {}
EOF
- To configure the destination rule, run:
$ kubectl apply -f - <<EOF
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
name: "default"
namespace: "default"
spec:
host: "*.default.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
EOF
Run the following command to deploy the service:
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
Repeat the check status command to verify that the liveness probes work:
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-6857c8775f-zdv9r 2/2 Running 0 4m
Liveness and readiness probes with HTTP request option
This section shows how to configure health checking with the HTTP request option when mutual TLS is enabled.
Kubernetes HTTP health check request is sent from Kubelet, which does not have Istio issued certificate to the liveness-http
service. So when mutual TLS is enabled, the health check request will fail.
We have two options to solve the problem: probe rewrites and separate ports.
Probe rewrite
This approach rewrites the application PodSpec
readiness/liveness probe, such that the probe request will be sent toPilot agent. Pilot agent then redirects therequest to application, and strips the response body only returning the response code.
You have two ways to enable Istio to rewrite the liveness HTTP probes.
Enable globally via install option
Install Istio with —set values.sidecarInjectorWebhook.rewriteAppHTTPProbe=true
.
Alternatively, update the configuration map of Istio sidecar injection:
$ kubectl get cm istio-sidecar-injector -n istio-system -o yaml | sed -e 's/"rewriteAppHTTPProbe":false/"rewriteAppHTTPProbe":true/' | kubectl apply -f -
The above installation option and configuration map, each instruct the sidecar injection process to automaticallyrewrite the Kubernetes pod’s spec, so health checks are able to work under mutual TLS. No need to update your app or podspec by yourself.
The configuration changes above (by install or by the configuration map) effect all Istio app deployments.
Use annotations on pod
Rather than install Istio with different options, you can annotate the pod with sidecar.istio.io/rewriteAppHTTPProbers: "true"
. Make sure you add the annotation to the pod resource because it will be ignored anywhere else (for example, on an enclosing deployment resource).
apiVersion: apps/v1
kind: Deployment
metadata:
name: liveness-http
spec:
template:
metadata:
labels:
app: liveness-http
version: v1
annotations:
sidecar.istio.io/rewriteAppHTTPProbers: "true"
spec:
containers:
- name: liveness-http
image: docker.io/istio/health:example
ports:
- containerPort: 8001
livenessProbe:
httpGet:
path: /foo
port: 8001
initialDelaySeconds: 5
periodSeconds: 5
This approach allows you to enable the health check prober rewrite gradually on each deployment without reinstalling Istio.
Re-deploy the liveness health check app
Instructions below assume you turn on the feature globally via install option.Annotations works the same.
$ kubectl delete -f <(istioctl kube-inject -f @samples/health-check/liveness-http-same-port.yaml@)
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-http-same-port.yaml@)
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-http-975595bb6-5b2z7c 2/2 Running 0 1m
This feature is not currently turned on by default. We’d like to hear your feedbackon whether we should change this to default behavior for Istio installation.
Separate port
Another alternative is to use separate port for health checking and regular traffic.
Run these commands to re-deploy the service:
$ kubectl delete -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)
Wait for a minute and check the pod status to make sure the liveness probes work with ‘0’ in the ‘RESTARTS’ column.
$ kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-http-67d5db65f5-765bb 2/2 Running 0 1m
Note that the image in liveness-http exposes two ports: 8001 and 8002 (source code). In this deployment, port 8001 serves the regular traffic while port 8002 is used for liveness probes.
Cleanup
Remove the mutual TLS policy and corresponding destination rule added in the steps above:
$ kubectl delete policies default
$ kubectl delete destinationrules default
See also
Shows how to enable Citadel health checking with Kubernetes.
Provision and manage DNS certificates in Istio.
Introducing the Istio v1beta1 Authorization Policy
Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.
A more secure way to manage Istio webhooks.
Multi-Mesh Deployments for Isolation and Boundary Protection
Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.
App Identity and Access Adapter
Using Istio to secure multi-cloud Kubernetes applications with zero code changes.