Health Checking of Istio Services

Kubernetes liveness and readiness probes offer three different options:

  1. Command
  2. TCP request
  3. HTTP request

This guide shows how to use these approaches in Istio with mutual TLS enabled.

Command and TCP type probes work with Istio regardless of whether or not mutual TLS is enabled. The HTTP request approach requires different Istio configuration with mutual TLS enabled.

Before you begin

Liveness and readiness probes with command option

First, you need to configure health checking with mutual TLS enabled.

To enable mutual TLS for services, you must configure an authentication policy and a destination rule. Follow these steps to complete the configuration:

Run the following command to create namespace:

  1. $ kubectl create ns istio-io-health
  1. To configure the authentication policy, run:

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: "security.istio.io/v1beta1"
    3. kind: "PeerAuthentication"
    4. metadata:
    5. name: "default"
    6. namespace: "istio-io-health"
    7. spec:
    8. mtls:
    9. mode: STRICT
    10. EOF
  2. To configure the destination rule, run:

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: "networking.istio.io/v1alpha3"
    3. kind: "DestinationRule"
    4. metadata:
    5. name: "default"
    6. namespace: "istio-io-health"
    7. spec:
    8. host: "*.default.svc.cluster.local"
    9. trafficPolicy:
    10. tls:
    11. mode: ISTIO_MUTUAL
    12. EOF

Run the following command to deploy the service:

Zip

  1. $ kubectl -n istio-io-health apply -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)

Repeat the check status command to verify that the liveness probes work:

  1. $ kubectl -n istio-io-health get pod
  2. NAME READY STATUS RESTARTS AGE
  3. liveness-6857c8775f-zdv9r 2/2 Running 0 4m

Liveness and readiness probes with HTTP request option

This section shows how to configure health checking with the HTTP request option when mutual TLS is enabled.

Kubernetes HTTP health check request is sent from Kubelet, which does not have Istio issued certificate to the liveness-http service. So when mutual TLS is enabled, the health check request will fail.

We have two options to solve the problem: probe rewrites and separate ports.

Probe rewrite

This approach rewrites the application PodSpec readiness/liveness probe, such that the probe request will be sent to Pilot agent. Pilot agent then redirects the request to application, and strips the response body only returning the response code.

You have two ways to enable Istio to rewrite the liveness HTTP probes.

Enable globally via install option

Install Istio with --set values.sidecarInjectorWebhook.rewriteAppHTTPProbe=true.

Alternatively, update the configuration map of Istio sidecar injection:

  1. $ kubectl get cm istio-sidecar-injector -n istio-system -o yaml | sed -e 's/"rewriteAppHTTPProbe": false/"rewriteAppHTTPProbe": true/' | kubectl apply -f -

The above installation option and configuration map, each instruct the sidecar injection process to automatically rewrite the Kubernetes pod’s spec, so health checks are able to work under mutual TLS. No need to update your app or pod spec by yourself.

The configuration changes above (by install or by the configuration map) effect all Istio app deployments.

Use annotations on pod

Rather than install Istio with different options, you can annotate the pod with sidecar.istio.io/rewriteAppHTTPProbers: "true". Make sure you add the annotation to the pod resource because it will be ignored anywhere else (for example, on an enclosing deployment resource).

  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4. name: liveness-http
  5. spec:
  6. selector:
  7. matchLabels:
  8. app: liveness-http
  9. version: v1
  10. template:
  11. metadata:
  12. labels:
  13. app: liveness-http
  14. version: v1
  15. annotations:
  16. sidecar.istio.io/rewriteAppHTTPProbers: "true"
  17. spec:
  18. containers:
  19. - name: liveness-http
  20. image: docker.io/istio/health:example
  21. ports:
  22. - containerPort: 8001
  23. livenessProbe:
  24. httpGet:
  25. path: /foo
  26. port: 8001
  27. initialDelaySeconds: 5
  28. periodSeconds: 5

This approach allows you to enable the health check prober rewrite gradually on each deployment without reinstalling Istio.

Re-deploy the liveness health check app

Instructions below assume you turn on the feature globally via install option. Annotations works the same.

Zip

  1. $ kubectl create ns istio-same-port
  2. $ kubectl -n istio-same-port apply -f <(istioctl kube-inject -f @samples/health-check/liveness-http-same-port.yaml@)
  1. $ kubectl -n istio-same-port get pod
  2. NAME READY STATUS RESTARTS AGE
  3. liveness-http-975595bb6-5b2z7c 2/2 Running 0 1m

This feature is not currently turned on by default. We’d like to hear your feedback on whether we should change this to default behavior for Istio installation.

Separate port

Another alternative is to use separate port for health checking and regular traffic.

Run these commands to re-deploy the service:

Zip

  1. $ kubectl create ns istio-sep-port
  2. $ kubectl -n istio-sep-port apply -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)

Wait for a minute and check the pod status to make sure the liveness probes work with ‘0’ in the ‘RESTARTS’ column.

  1. $ kubectl -n istio-sep-port get pod
  2. NAME READY STATUS RESTARTS AGE
  3. liveness-http-67d5db65f5-765bb 2/2 Running 0 1m

Note that the image in liveness-http exposes two ports: 8001 and 8002 (source code). In this deployment, port 8001 serves the regular traffic while port 8002 is used for liveness probes.

Cleanup

Remove the mutual TLS policy and corresponding destination rule added in the steps above:

  1. $ kubectl delete ns istio-io-health istio-same-port istio-sep-port

See also

Istio in 2020 - Following the Trade Winds

A vision statement and roadmap for Istio in 2020.

Remove cross-pod unix domain sockets

A more secure way to manage secrets.

DNS Certificate Management

Provision and manage DNS certificates in Istio.

Introducing the Istio v1beta1 Authorization Policy

Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.

Secure Webhook Management

A more secure way to manage Istio webhooks.

Multi-Mesh Deployments for Isolation and Boundary Protection

Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.