mirror of
https://github.com/status-im/consul.git
synced 2025-01-22 19:50:36 +00:00
a17f4a0b89
* first commit; reformat PD conf entry
* updated proxies overview page
* added Deploy SM proxy usage and removed reg index
* moved sidecar proxy usage to main proxy folder
* recast sidecar reg page as Deploy sidecar services
* fix typos
* recast SM reg as conf reference- set the sidebar
* add redirects
* fix links
* add PD conf entry usage to appropro pages
* edits to proxy conf ref
* fix links on index page
* example command to write PD conf entry
* updated links to old SM proxy reg page
* updated links to sidecar service reg page
* tryna fix front matter issues
* Apply suggestions from code review

Co-authored-by: Ronald <roncodingenthusiast@users.noreply.github.com>

* added paragraph about SM proxies to overview
* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

---------

Co-authored-by: Ronald <roncodingenthusiast@users.noreply.github.com>
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
40 lines
2.6 KiB
Plaintext
---
layout: docs
page_title: Configure Health Checks for Consul on Kubernetes
description: >-
  Kubernetes has built-in health probes you can sync with Consul's health checks to ensure service mesh traffic is routed to healthy pods.
---

# Configure Health Checks for Consul on Kubernetes

~> This topic requires familiarity with [Kubernetes Health Checks](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/).

This page describes how Consul on Kubernetes syncs the status of a pod's Kubernetes health probes to Consul for service mesh use cases.
Health check synchronization with Consul is done automatically whenever `connectInject.enabled` is `true`.

For each Kubernetes pod that is connect-injected, the following is configured:

1. A [Consul health check](/consul/api-docs/catalog#register-entity) is registered within the Consul catalog.
   The Consul health check's state reflects the pod's readiness status.

1. If the pod is using [transparent proxy mode](/consul/docs/connect/transparent-proxy),
   the mutating webhook redirects all `http` based startup, liveness, and readiness probes in the pod through the Envoy proxy.
   This redirection is defined in the
   [`ExposePaths` configuration](/consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference)
   for each probe so that kubelet can access the endpoint through the Envoy proxy.

   The mutation behavior can be disabled by setting either the `consul.hashicorp.com/transparent-proxy-overwrite-probes`
   pod annotation to `false` or the `connectInject.defaultOverwriteProbes` Helm value to `false`.

When readiness probes are set for a pod, the pod's status is reflected within Consul, and Consul directs service
mesh traffic to the pod based on the pod's health. If the pod has failing health checks, Consul will no longer use
the service instance associated with the pod for service mesh traffic. When the pod passes its health checks, Consul will
then use the respective service instance for service mesh traffic.

In the case where no user-defined health checks are assigned to a pod, the default behavior is that the Consul health check will
be marked `passing` until the pod becomes unready.
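
A pod template that exercises the behavior described above, as an added example that is not part of the Consul documentation. The Deployment name, image, port and probe path are assumptions, and the Helm release is assumed to have `connectInject.enabled` and `global.tls.enabled` set to `true`.

```yaml
# Added example: names, image, port and path are assumptions (not from the Consul docs).
# Assumes the Helm release sets connectInject.enabled=true and global.tls.enabled=true.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                       # hypothetical service name
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
      annotations:
        # Opt this pod in to sidecar injection; health check sync follows automatically.
        consul.hashicorp.com/connect-inject: "true"
        # Uncomment to stop the webhook from rewriting the HTTP probes below
        # (only relevant in transparent proxy mode):
        # consul.hashicorp.com/transparent-proxy-overwrite-probes: "false"
    spec:
      containers:
        - name: web
          image: registry.example.com/web:1.0.0   # placeholder image
          ports:
            - containerPort: 8080
          # The Consul health check reflects readiness: while this probe fails,
          # the instance is not used for service mesh traffic.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 5
            failureThreshold: 3
          # HTTP liveness and startup probes are also redirected through Envoy
          # in transparent proxy mode so that kubelet can still reach them.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 10
```

If the `readinessProbe` block is removed, the Consul health check for this pod stays `passing` until the pod becomes unready.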

-> It is highly recommended to [enable TLS](/consul/docs/k8s/helm#v-global-tls-enabled) for all production configurations to mitigate any
security concerns should the pod network ever be compromised. The controller makes calls across the network to Consul agents on all
nodes so an attacker could potentially sniff ACL tokens *if those calls are not encrypted* via TLS.