How to do Pod Health check with MTLS


#1

After forcing mTLS:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
spec:
  peers:
  - mtls: {}

the health check (livenessProbe and readinessProbe) does not work any more.

Readiness probe failed: Get http://100.105.60.17:8080/info: read tcp 10.110.37.206:17462->100.105.60.17:8080: read: connection reset by peer

I changed the scheme to HTTPS and got another error:

Readiness probe failed: Get https://100.124.147.183:8080/info: remote error: tls: handshake failure

#2

Check this out for the recommendation for 1.0: https://istio.io/help/faq/security/#k8s-health-checks


#3

We’ll have an improvement coming in the 1.1 release, to allow no manual change when mTLS is turned on.
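
Added example, not posted by anyone in this thread and not taken from the Istio project: one workaround that leaves the mTLS policy from post #1 in force is to replace the kubelet's `httpGet` probe with an `exec` probe, which runs inside the application container and reaches the app over loopback, so no client certificate is needed and port 8080 stays mTLS-only for network peers. Port 8080 and `/info` come from the error in post #1; the Deployment name, the image, the presence of `curl` in that image, and the app listening on 127.0.0.1 are assumptions.

```yaml
# Added example. Names and image are placeholders, not from the thread.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app                  # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
      - name: app
        image: registry.example.com/example-app:1.0   # placeholder; must ship curl
        ports:
        - containerPort: 8080
        # Before (fails once the mTLS policy applies): the kubelet connects
        # from outside the pod in plaintext and has no mesh client certificate,
        # so the sidecar resets the connection.
        # readinessProbe:
        #   httpGet:
        #     path: /info
        #     port: 8080
        #
        # After: the probe command runs inside the app container and talks to
        # the app over loopback, so it never crosses the mTLS-enforcing sidecar
        # listener. -f makes curl exit non-zero on HTTP status >= 400.
        readinessProbe:
          exec:
            command: ["curl", "-fsS", "--max-time", "2", "-o", "/dev/null",
                      "http://127.0.0.1:8080/info"]
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 3
        livenessProbe:
          exec:
            command: ["curl", "-fsS", "--max-time", "2", "-o", "/dev/null",
                      "http://127.0.0.1:8080/info"]
          initialDelaySeconds: 15
          periodSeconds: 20
          timeoutSeconds: 3
```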