All Products
Search

This Product

    Alibaba Cloud Service Mesh:Why is no valid health check information displayed after sidecar injection?

    Document Center

    Alibaba Cloud Service Mesh:Why is no valid health check information displayed after sidecar injection?

    Last Updated:Jul 20, 2023

    This topic describes the issue in which no valid health check information is displayed after sidecar injection. This topic also describes the cause of the issue and provides a solution.

    Problem description

    No valid health check information is displayed after sidecar injection. In this example, port 8087 is used for TCP health checks. After you enable mutual Transport Layer Security (mTLS), no health check information of port 8087 is displayed on the Events tab of the details page of a pod in the Container Service for Kubernetes console.

    Events tab

    Cause

    After you enable mTLS in Service Mesh (ASM), the requests for health checks sent by the kubelet to the pod are intercepted by the sidecar proxy. If the kubelet cannot provide the required TLS certificate, the health checks fail.

    Solution

    You can configure settings to allow the traffic of health checks to bypass the sidecar proxy. Perform the following steps:

    Allow the traffic of health checks to bypass the sidecar proxy

    1. Log on to the ASM console.

    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

    4. On the details page of the ASM instance, choose Dataplane Component Management > Sidecar Proxy Setting in the left-side navigation pane.

    5. On the Namespace tab, select the namespace that you want to manage, click enable/disable Sidecar proxy by port or address, and then set the required parameters.

      The following table describes the parameters.

      Parameter

      Description

      Set the port numbers to prevent InboundTraffic from passing through the sidecar proxy

      The port on which you want to allow the inbound traffic to bypass the sidecar proxy. In this example, port 8087 is used.

      Set the port numbers to prevent OutboundTraffic from passing through the sidecar proxy

      The port on which you want to allow the outbound traffic to bypass the sidecar proxy. In this example, port 8087 is used.

    6. Click Update Settings.

    View health check results

    1. Log on to the ACK console.

    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Pods.

    5. Click the name of the pod whose details you want to view to go to the details page of the pod. Alternatively, you can click Details in the Actions column that corresponds to the pod.

    6. On the details page of the pod, click the Events tab.

      The following figure shows the health check results of port 8087. events