Health Checking of Istio Services
Kubernetes liveness and readiness probes describes several ways to configure liveness and readiness probes including:
The command approach works with Istio regardless of whether or not mutual TLS is enabled.
The HTTP request approach, on the other hand, requires special Istio configuration when mutual TLS is enabled. This is because the health check requests to the liveness-http
service are sent by Kubelet, which does not have an Istio issued certificate. Therefore when mutual TLS is enabled, the health check requests will fail.
Istio solves this problem by rewriting the application PodSpec
readiness/liveness probe, so that the probe request is sent to the sidecar agent. The sidecar agent then redirects the request to the application, strips the response body, only returning the response code.
This feature is enabled by default in all built-in Istio configuration profiles but can be disabled as described below.
Liveness and readiness probes using the command approach
Istio provides a liveness sample that implements this approach. To demonstrate it working with mutual TLS enabled, first create a namespace for the example:
$ kubectl create ns istio-io-health
To configure strict mutual TLS, run:
$ kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
name: "default"
namespace: "istio-io-health"
spec:
mtls:
mode: STRICT
EOF
Next, run the following command to deploy the sample service:
$ kubectl -n istio-io-health apply -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
To confirm that the liveness probes are working, check the status of the sample pod to verify that it is running.
$ kubectl -n istio-io-health get pod
NAME READY STATUS RESTARTS AGE
liveness-6857c8775f-zdv9r 2/2 Running 0 4m
Liveness and readiness probes using the HTTP request approach
As stated previously, Istio uses probe rewrite to implement HTTP probes by default. You can disable this feature either for specific pods, or globally.
Disable the HTTP probe rewrite for a pod
You can annotate the pod with sidecar.istio.io/rewriteAppHTTPProbers: "false"
to disable the probe rewrite option. Make sure you add the annotation to the pod resource because it will be ignored anywhere else (for example, on an enclosing deployment resource).
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: liveness-http
spec:
selector:
matchLabels:
app: liveness-http
version: v1
template:
metadata:
labels:
app: liveness-http
version: v1
annotations:
sidecar.istio.io/rewriteAppHTTPProbers: "false"
spec:
containers:
- name: liveness-http
image: docker.io/istio/health:example
ports:
- containerPort: 8001
livenessProbe:
httpGet:
path: /foo
port: 8001
initialDelaySeconds: 5
periodSeconds: 5
EOF
This approach allows you to disable the health check probe rewrite gradually on individual deployments, without reinstalling Istio.
Disable the probe rewrite globally
Install Istio using --set values.sidecarInjectorWebhook.rewriteAppHTTPProbe=false
to disable the probe rewrite globally. Alternatively, update the configuration map for the Istio sidecar injector:
$ kubectl get cm istio-sidecar-injector -n istio-system -o yaml | sed -e 's/"rewriteAppHTTPProbe": true/"rewriteAppHTTPProbe": false/' | kubectl apply -f -
Cleanup
Remove the namespace used for the examples:
$ kubectl delete ns istio-io-health
See also
Migrate pre-Istio 1.4 Alpha security policy to the current APIs
A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version.
Istio in 2020 - Following the Trade Winds
A vision statement and roadmap for Istio in 2020.
Remove cross-pod unix domain sockets
A more secure way to manage secrets.
Provision and manage DNS certificates in Istio.
Introducing the Istio v1beta1 Authorization Policy
Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.
A more secure way to manage Istio webhooks.