Configure Health Checks for Consul on Kubernetes

This topic requires familiarity with Kubernetes Health Checks.

This page describes how Consul on Kubernetes syncs the status of a pod's Kubernetes health probes to Consul for service mesh use cases. Health check synchronization with Consul is done automatically whenever connectInject.enabled is true.

For each Kubernetes pod that is connect-injected, the following is configured:

  1. A Consul health check is registered within the Consul catalog. The Consul health check's state reflects the pod's readiness status.

  2. If the pod is using transparent proxy mode, the mutating webhook redirects all HTTP-based startup, liveness, and readiness probes in the pod through the Envoy proxy. The redirection is defined in the ExposePaths configuration for each probe so that kubelet can access the endpoint through the Envoy proxy.

The mutation behavior can be disabled by setting either the consul.hashicorp.com/transparent-proxy-overwrite-probes pod annotation to false or the connectInject.defaultOverwriteProbes Helm value to false.

When readiness probes are set for a pod, the status of the pod is reflected within Consul, and Consul directs service mesh traffic to the pod based on the pod's health. If the pod has failing health checks, Consul no longer uses the service instance associated with the pod for service mesh traffic. When the pod passes its health checks, Consul uses the respective service instance for service mesh traffic again.

If no user-defined health checks are assigned to a pod, the default behavior is that the Consul health check is marked passing until the pod becomes unready.

It is highly recommended to enable TLS for all production configurations to mitigate any security concerns should the pod network ever be compromised. The controller makes calls across the network to Consul agents on all nodes, so an attacker could potentially sniff ACL tokens if those calls are not encrypted via TLS.
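The rules above can be turned into a pre-deployment check. The following is an added example, not code from Consul or HashiCorp: it audits one pod manifest against a release's Helm values, both supplied as dicts. Assumptions: global.tls.enabled is the Helm key that turns on TLS, probe overwriting is on unless disabled, the pod annotation takes precedence over the Helm value, and the caller states whether the pod uses transparent proxy mode; the function names and the "web" sample are hypothetical.

```python
# Added example, not Consul code: it models only the rules stated on this page.
OVERWRITE = "consul.hashicorp.com/transparent-proxy-overwrite-probes"
PROBES = ("startupProbe", "livenessProbe", "readinessProbe")

def dig(obj, dotted, default=None):
    """Look up a dotted Helm-style key such as 'global.tls.enabled'."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return default
        obj = obj[part]
    return obj

def audit(values, pod, transparent_proxy):
    """Return findings for one connect-injected pod (values and pod are dicts;
    transparent_proxy is supplied by the caller)."""
    if dig(values, "connectInject.enabled") is not True:
        return []  # health check sync is off, nothing to audit
    out = []
    if dig(values, "global.tls.enabled") is not True:
        out.append("TLS_OFF: ACL tokens cross the pod network unencrypted")
    # Assumptions: probes are overwritten unless disabled, and the pod
    # annotation takes precedence over the Helm value.
    overwrite = dig(values, "connectInject.defaultOverwriteProbes", True)
    note = (dig(pod, "metadata.annotations") or {}).get(OVERWRITE)
    if note is not None:
        overwrite = str(note).lower() == "true"
    readiness = False
    for c in dig(pod, "spec.containers") or []:
        for kind in PROBES:
            probe = c.get(kind) or {}
            readiness = readiness or (kind == "readinessProbe" and bool(probe))
            if transparent_proxy and overwrite and "httpGet" in probe:
                path = probe["httpGet"].get("path", "/")
                out.append(f"VIA_ENVOY: {c['name']} {kind} {path}")
    if not readiness:
        out.append("NO_READINESS: check passes until the pod becomes unready")
    return out

# Constructed sample input (hypothetical service "web").
VALUES = {"connectInject": {"enabled": True}, "global": {"tls": {"enabled": False}}}
POD = {"metadata": {"annotations": {}}, "spec": {"containers": [{
    "name": "web",
    "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
    "livenessProbe": {"tcpSocket": {"port": 8080}}}]}}

if __name__ == "__main__":
    print("\n".join(audit(VALUES, POD, transparent_proxy=True)))
```

Only the HTTP readiness probe is reported as passing through Envoy; the TCP liveness probe is left alone because the page describes redirection for HTTP-based probes only.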
