[英]K8s Readiness Probes with HTTPS and Certificates
I have a spring boot application hosted on k8s and enforced mTLS on the App itself.我有一个托管在 k8s 上的 spring 引导应用程序,并在应用程序本身上强制执行 mTLS。 I am able to do the mTLS on the connectivity by doing a SSL termination on the Ingress level and then again forwarding the certificates to the springboot pod as well.
我可以通过在入口级别执行 SSL 终止,然后再次将证书转发到 springboot pod 来执行 mTLS。
Problem is, Liveness and Readiness probes as currently not sure how to send the certificates in the readiness/liveness probes?问题是,Liveness 和 Readiness 探针目前不确定如何在就绪/活跃度探针中发送证书?
Any help would be appreciated.任何帮助,将不胜感激。
From the official documentation configuring probes :从官方文档配置探针:
If scheme field is set to HTTPS, the kubelet sends an HTTPS request skipping the certificate verification.
如果 scheme 字段设置为 HTTPS,则 kubelet 发送 HTTPS 请求跳过证书验证。
This is what the manifest would look like:这是清单的样子:
apiVersion: v1
kind: Pod
metadata:
labels:
run: nginx
name: alive-n-ready-https
spec:
containers:
- name: nginx
image: viejo/nginx-mockit
livenessProbe:
httpGet:
path: /
port: 443
scheme: HTTPS
readinessProbe:
httpGet:
path: /
port: 443
scheme: HTTPS
And while without scheme, the probes would fail with 400
(bad request), as you are sending a http packet to an endpoint that expects https:虽然没有方案,但探测将失败并显示
400
(错误请求),因为您正在向期望 https 的端点发送 http 数据包:
10.132.15.199 - - [27/May/2020:18:10:36 +0000] "GET / HTTP/1.1" 400 271 "-" "kube-probe/1.17"
With scheme: HTTPS
, it would succeed:使用
scheme: HTTPS
,它将成功:
10.132.15.199 - - [27/May/2020:18:26:28 +0000] "GET / HTTP/2.0" 200 370 "-" "kube-probe/1.17"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.