Health Checking of Istio Services

This task shows how to use Kubernetes liveness and readiness probes for health checking of Istio services.

There are three options for liveness and readiness probes in Kubernetes:

  1. Command
  2. HTTP request
  3. TCP request

This task provides examples for the first two options with Istio mutual TLS enabled and disabled, respectively.

Before you begin

Liveness and readiness probes with command option

In this section, you configure health checking when mutual TLS is disabled, then when mutual TLS is enabled.

Mutual TLS disabled

Run this command to deploy liveness in the default namespace:

$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)

Wait for a minute and check the pod status:

$ kubectl get pod
NAME                             READY     STATUS    RESTARTS   AGE
liveness-6857c8775f-zdv9r        2/2       Running   0           1m

The number ‘0’ in the ‘RESTARTS’ column means liveness probes worked fine. Readiness probes work in the same way and you can modify liveness-command.yaml accordingly to try it yourself.

Mutual TLS enabled

To enable mutual TLS for services in the default namespace, you must configure an authentication policy and a destination rule. Follow these steps to complete the configuration:

  1. To configure the authentication policy, run:

    cat <<EOF | kubectl apply -f -
    apiVersion: "authentication.istio.io/v1alpha1"
    kind: "Policy"
    metadata:
      name: "default"
      namespace: "default"
    spec:
      peers:
      - mtls: {}
    EOF
  2. To configure the destination rule, run:

    cat <<EOF | kubectl apply -f -
    apiVersion: "networking.istio.io/v1alpha3"
    kind: "DestinationRule"
    metadata:
      name: "default"
      namespace: "default"
    spec:
      host: "*.default.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
    EOF

Run this command to re-deploy the service:

$ kubectl delete -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-command.yaml@)

Repeat the check status command to verify that the liveness probes work:

$ kubectl get pod
NAME                             READY     STATUS    RESTARTS   AGE
liveness-6857c8775f-zdv9r        2/2       Running   0           4m

Cleanup

Remove the mutual TLS policy and corresponding destination rule added in the steps above:

  1. To remove the mutual TLS policy, run:

    $ kubectl delete policies default
  2. To remove the corresponding destination rule, run:

    $ kubectl delete destinationrules default

Liveness and readiness probes with HTTP request option

This section shows how to configure health checking with the HTTP request option.

Mutual TLS is disabled

Run this command to deploy liveness-http in the default namespace:

$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)

Wait for a minute and check the pod status to make sure the liveness probes work with ‘0’ in the ‘RESTARTS’ column.

$ kubectl get pod
NAME                             READY     STATUS    RESTARTS   AGE
liveness-http-975595bb6-5b2z7c   2/2       Running   0           1m

Mutual TLS is enabled

Again, enable mutual TLS for services in the default namespace by adding namespace-wide authentication policy and a destination rule:

  1. To configure the authentication policy, run:

    cat <<EOF | kubectl apply -f -
    apiVersion: "authentication.istio.io/v1alpha1"
    kind: "Policy"
    metadata:
      name: "default"
      namespace: "default"
    spec:
      peers:
      - mtls: {}
    EOF
  2. To configure the destination rule, run:

    cat <<EOF | kubectl apply -f -
    apiVersion: "networking.istio.io/v1alpha3"
    kind: "DestinationRule"
    metadata:
      name: "default"
      namespace: "default"
    spec:
      host: "*.default.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
    EOF

Run these commands to re-deploy the service:

$ kubectl delete -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)
$ kubectl apply -f <(istioctl kube-inject -f @samples/health-check/liveness-http.yaml@)

Wait for a minute and check the pod status to make sure the liveness probes work with ‘0’ in the ‘RESTARTS’ column.

$ kubectl get pod
NAME                             READY     STATUS    RESTARTS   AGE
liveness-http-67d5db65f5-765bb   2/2       Running   0          1m

Note that the image in liveness-http exposes two ports: 8001 and 8002 (source code). In this deployment, port 8001 serves the regular traffic while port 8002 is used for liveness probes. Because the Istio proxy only intercepts ports that are explicitly declared in the containerPort field, traffic to 8002 port bypasses the Istio proxy regardless of whether Istio mutual TLS is enabled. However, if you use port 8001 for both regular traffic and liveness probes, health check will fail when mutual TLS is enabled because the HTTP request is sent from Kubelet, which does not send client certificate to the liveness-http service.

See also

Shows how to enable Citadel health checking with Kubernetes.

Describe Istio's authorization feature and how to use it in various use cases.

Describes Istio's authorization and authentication functionality.

What to do if Citadel is not behaving properly.

Shows you how to incrementally migrate your Istio services to mutual TLS.

Demonstrates how to debug authorization.