app: Implement a separate health check server #1428
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AaronFriel
force-pushed
the
separate-health-port
branch
from
1cbf6a5
to
ddc0b9d
Compare
AaronFriel
added a commit
to AaronFriel/linkerd2
that referenced
this pull request
Jan 4, 2022
Related to linkerd#7560, this modifies the proxy injector to use port 4192 and updates the multicluster manifest to match. See: linkerd/linkerd2-proxy#1428 Signed-off-by: Aaron Friel <[email protected]>
AaronFriel
force-pushed
the
separate-health-port
branch
from
ddc0b9d
to
50f6c5b
Compare
AaronFriel
added a commit
to AaronFriel/linkerd2
that referenced
this pull request
Jan 4, 2022
Related to linkerd#7560, this modifies the proxy injector to use port 4192 and updates the multicluster manifest to match. See: linkerd/linkerd2-proxy#1428 Signed-off-by: Aaron Friel <[email protected]>
AaronFriel
force-pushed
the
separate-health-port
branch
from
50f6c5b
to
8e6f4d7
Compare
AaronFriel
added a commit
to AaronFriel/linkerd2
that referenced
this pull request
Jan 4, 2022
Related to linkerd#7560, this modifies the proxy injector to use port 4192 and updates the multicluster manifest to match. See: linkerd/linkerd2-proxy#1428 Signed-off-by: Aaron Friel <[email protected]>
A separate server provides identically behaving /live and /ready routes to the admin server. Does not remove the existing admin server's routes. Background: On some Kubernetes distributions, requests from the control plane may not come from a private address range IP address or even a consistent IP address. This poses a problem, because the admin server used in a multicluster mesh needs to simultaneously serve /live and /ready routes to: * The Kubernetes control plane, for liveness and readiness probes respectively * Remote clusters as part of probing for remote gateway In order to avoid exposing the other admin routes, the multicluster gateway uses an authorization policy forbidding unauthorized and out-of-cluster requests. This causes the gateway to fail readiness and liveness probes. Resolution: Implement a separate server in the proxy app that can securely serve /live and /ready routes. The port that server listens on can be used for health check probes internally, without an authorization policy. See: linkerd/linkerd2#7548 Signed-off-by: Aaron Friel <[email protected]>
AaronFriel
force-pushed
the
separate-health-port
branch
from
8e6f4d7
to
c7ac4ee
Compare
AaronFriel
added a commit
to AaronFriel/linkerd2
that referenced
this pull request
Jan 23, 2022
Related to linkerd#7560, this modifies the proxy injector to use port 4192 and updates the multicluster manifest to match. See: linkerd/linkerd2-proxy#1428 Signed-off-by: Aaron Friel <[email protected]>
AaronFriel
added a commit
to AaronFriel/linkerd2
that referenced
this pull request
Jan 24, 2022
Related to linkerd#7560, this modifies the proxy injector to use port 4192 and updates the multicluster manifest to match. See: linkerd/linkerd2-proxy#1428 Signed-off-by: Aaron Friel <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Do not merge before issue/resolution is accepted here: linkerd/linkerd2/issues/7560
A separate server provides identically behaving /live and /ready routes
to the admin server. Does not remove the existing admin server's routes.
Background:
On some Kubernetes distributions, requests from the control plane may
not come from a private address range IP address or even a consistent IP
address. This poses a problem, because the admin server used in a
multicluster mesh needs to simultaneously serve /live and /ready routes
to:
respectively
In order to avoid exposing the other admin routes, the multicluster
gateway uses an authorization policy forbidding unauthorized and
out-of-cluster requests. This causes the gateway to fail readiness and
liveness probes.
Resolution:
Implement a separate server in the proxy app that can securely serve
/live and /ready routes. The port that server listens on can be used for
health check probes internally, without an authorization policy.
See: linkerd/linkerd2#7548