
Alibaba Cloud Service Mesh: Why health checks fail or become invalid after sidecar injection

Last Updated: Mar 25, 2025

This topic describes why health checks fail or become invalid after sidecar injection, and how to resolve the issue.

Issue description

Health checks fail or become invalid after sidecar injection. This topic uses TCP health check port 8087 as an example. After mTLS is enabled, no health check information for port 8087 is displayed on the Events tab of the pod details page in the Container Service console.

Causes

After mTLS is enabled in Service Mesh, health check requests sent by kubelet to the pod are intercepted by the sidecar. Because kubelet does not have the corresponding TLS certificate, health checks fail.

Solution

Configure port health check traffic to bypass the sidecar proxy by performing the following steps:

Configure port health check traffic to bypass the sidecar proxy

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Data Plane Component Management > Sidecar Proxy Setting in the left-side navigation pane.

  5. On the Namespace tab, select the corresponding namespace, click the Enable/disable Sidecar Proxy By Port Or Address tab, and configure the parameters.

    The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Set Ports To Bypass The Sidecar Proxy For Inbound Traffic | Configure the ports for inbound traffic to bypass the sidecar proxy. In this topic, the port is set to 8087. |
    | Set Ports To Bypass The Sidecar Proxy For Outbound Traffic | Configure the ports for outbound traffic to bypass the sidecar proxy. In this topic, the port is set to 8087. |

  6. After the configuration is complete, click Update Settings.

View health check results

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.

  3. In the left-side navigation pane of the details page, choose Workloads > Pods.

  4. Click the name of the target pod or click Details on the right to go to the pod details page.

  5. On the pod details page, click the Events tab. Check whether the health check for port 8087 is effective.
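
A scripted complement to the console check above, as an added example that is not part of the original topic or ASM's own tooling: it compares the TCP probe ports in a pod manifest with the ports that bypass the sidecar, and reports probe ports that are still intercepted as well as bypassed ports that no probe needs (traffic on a bypassed port is not handled by the sidecar, so it is not covered by mTLS). It assumes the bypass appears on the pod as the upstream Istio annotation `traffic.sidecar.istio.io/excludeInboundPorts`; the sample pod and ports 9090 and 8443 are constructed for illustration.

```python
import json

# Upstream Istio pod annotation for inbound port exclusion. Assumption: the
# bypass is visible on the pod this way; the ASM console setting may differ.
EXCLUDE_INBOUND = "traffic.sidecar.istio.io/excludeInboundPorts"
PROBES = ("livenessProbe", "readinessProbe", "startupProbe")

def tcp_probe_ports(pod):
    """Ports that kubelet tcpSocket probes target on application containers."""
    ports = set()
    for c in pod["spec"]["containers"]:
        if c["name"] == "istio-proxy":  # the injected sidecar, not the app
            continue
        named = {p["name"]: p["containerPort"] for p in c.get("ports", []) if "name" in p}
        for key in PROBES:
            port = c.get(key, {}).get("tcpSocket", {}).get("port")
            if port is not None:
                ports.add(named.get(port, port))  # resolve named ports
    return ports

def bypassed_inbound_ports(pod):
    """Inbound ports excluded from sidecar interception, per the annotation."""
    raw = pod["metadata"].get("annotations", {}).get(EXCLUDE_INBOUND, "")
    return {int(p) for p in raw.split(",") if p.strip().isdigit()}

def audit(pod):
    probes, bypassed = tcp_probe_ports(pod), bypassed_inbound_ports(pod)
    return {
        # Probed through the sidecar: fails under mTLS, as described above.
        "intercepted_probe_ports": sorted(probes - bypassed, key=str),
        # Skips the sidecar (so no mTLS) without a probe that needs it.
        "bypass_without_probe": sorted(bypassed - probes),
    }

# Constructed sample in the shape of `kubectl get pod -o json` output.
SAMPLE_POD = {
    "metadata": {"name": "demo", "annotations": {EXCLUDE_INBOUND: "8087,8443"}},
    "spec": {"containers": [
        {"name": "app",
         "ports": [{"name": "admin", "containerPort": 9090}],
         "readinessProbe": {"tcpSocket": {"port": 8087}},
         "livenessProbe": {"tcpSocket": {"port": "admin"}}},
        {"name": "istio-proxy"},
    ]},
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POD), indent=2))
```

An empty `bypass_without_probe` list means the bypass is limited to the ports the health checks actually use.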