
app: Implement a separate health check server #1428

Draft: wants to merge 1 commit into main

Conversation

AaronFriel (Contributor)

Do not merge before issue/resolution is accepted here: linkerd/linkerd2/issues/7560

A separate server provides identically behaving /live and /ready routes
to the admin server. Does not remove the existing admin server's routes.

Background:

On some Kubernetes distributions, requests from the control plane may
not come from a private address range IP address or even a consistent IP
address. This poses a problem, because the admin server used in a
multicluster mesh needs to simultaneously serve /live and /ready routes
to:

  • The Kubernetes control plane, for liveness and readiness probes
    respectively
  • Remote clusters as part of probing for remote gateway

In order to avoid exposing the other admin routes, the multicluster
gateway uses an authorization policy forbidding unauthorized and
out-of-cluster requests. This causes the gateway to fail readiness and
liveness probes.

Resolution:

Implement a separate server in the proxy app that can securely serve
/live and /ready routes. The port that server listens on can be used for
health check probes internally, without an authorization policy.

See: linkerd/linkerd2#7548

AaronFriel requested a review from a team January 3, 2022 23:36
AaronFriel force-pushed the separate-health-port branch from 1cbf6a5 to ddc0b9d January 3, 2022 23:37
AaronFriel added a commit to AaronFriel/linkerd2 that referenced this pull request Jan 4, 2022
Related to linkerd#7560, this
modifies the proxy injector to use port 4192 and updates the
multicluster manifest to match.

See: linkerd/linkerd2-proxy#1428

Signed-off-by: Aaron Friel <[email protected]>
AaronFriel force-pushed the separate-health-port branch from ddc0b9d to 50f6c5b January 4, 2022 02:43
AaronFriel added a commit to AaronFriel/linkerd2 that referenced this pull request Jan 4, 2022
AaronFriel force-pushed the separate-health-port branch from 50f6c5b to 8e6f4d7 January 4, 2022 05:28
AaronFriel added a commit to AaronFriel/linkerd2 that referenced this pull request Jan 4, 2022
AaronFriel force-pushed the separate-health-port branch from 8e6f4d7 to c7ac4ee January 4, 2022 20:47
AaronFriel added a commit to AaronFriel/linkerd2 that referenced this pull request Jan 23, 2022
AaronFriel added a commit to AaronFriel/linkerd2 that referenced this pull request Jan 24, 2022
olix0r marked this pull request as draft August 15, 2022 21:19