Health Checking of Istio Services

    1. HTTP request

    The command approach works with Istio regardless of whether or not mutual TLS is enabled.

    The HTTP request approach, on the other hand, requires special Istio configuration when mutual TLS is enabled. This is because the health check requests to the service are sent by Kubelet, which does not have an Istio issued certificate. Therefore when mutual TLS is enabled, the health check requests will fail.

    Istio solves this problem by rewriting the application PodSpec readiness/liveness probe, so that the probe request is sent to the . The sidecar agent then redirects the request to the application, strips the response body, only returning the response code.

    This feature is enabled by default in all built-in Istio configuration profiles but can be disabled as described below.

    Istio provides a that implements this approach. To demonstrate it working with mutual TLS enabled, first create a namespace for the example:

    To configure strict mutual TLS, run:

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: "security.istio.io/v1beta1"
    3. kind: "PeerAuthentication"
    4. metadata:
    6. spec:
    7.   mtls:
    8.     mode: STRICT
    9. EOF

    Next, run the following command to deploy the sample service:

    Zip

    2. NAME                             READY     STATUS    RESTARTS   AGE

    As stated previously, Istio uses probe rewrite to implement HTTP probes by default. You can disable this feature either for specific pods, or globally.

    You can with sidecar.istio.io/rewriteAppHTTPProbers: "false" to disable the probe rewrite option. Make sure you add the annotation to the pod resource because it will be ignored anywhere else (for example, on an enclosing deployment resource).

    This approach allows you to disable the health check probe rewrite gradually on individual deployments, without reinstalling Istio.

    Disable the probe rewrite globally

    Install Istio using --set values.sidecarInjectorWebhook.rewriteAppHTTPProbe=false to disable the probe rewrite globally. Alternatively, update the configuration map for the Istio sidecar injector:

    1. $ kubectl get cm istio-sidecar-injector -n istio-system -o yaml | sed -e 's/"rewriteAppHTTPProbe": true/"rewriteAppHTTPProbe": false/' | kubectl apply -f -

    Remove the namespace used for the examples:

    A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version.

    Istio in 2020 - Following the Trade Winds

    A more secure way to manage secrets.

    DNS Certificate Management

    Provision and manage DNS certificates in Istio.

    Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.

    Secure Webhook Management

    A more secure way to manage Istio webhooks.