istio: endpoint /healthz/ready always shows a 200 response after /healthcheck/fail

Bug Description

Description: We run the ingress-gateways with an external loadbalancer in front of the nodes. The loadbalancer calls the /healthz/ready endpoint to check if the ingress-gateways are ready.

The /healthz/ready endpoint always shows a 200 response after calling http://localhost:15000/healthcheck/fail

[step 1] Initially, it is in the LIVE state.
$ curl http://localhost:15000/ready 
LIVE
$ curl http://localhost:15021/healthz/ready -w '%{http_code}'
200

[step 2] Call /healthcheck/fail; the /ready endpoint shows 503 DRAINING.
$ curl http://localhost:15000/healthcheck/fail -X POST
OK
$ curl http://localhost:15000/ready -w '%{http_code}'
DRAINING
503

[step 3] But /healthz/ready shows a 200 response.
$ curl http://localhost:15021/healthz/ready -w '%{http_code}'
200
-> I hope to get a 503 response, but I get a 200 response.

Expected behavior: The http://localhost:15021/healthz/ready endpoint shows a 503 response after calling http://localhost:15000/healthcheck/fail

Version

$ istioctl version
client version: 1.12.1
control plane version: 1.12.1
data plane version: 1.12.1 (7 proxies)

Additional Information

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 23 (12 by maintainers)
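
The mismatch reported above can be caught by a health check that consults both endpoints instead of trusting /healthz/ready alone. The script below is an added example, not part of the original issue and not Istio's own code; the function names are hypothetical, and it assumes it runs where both localhost ports from the report are reachable.

```shell
#!/bin/sh
# Added example: drain-aware readiness check for an external load balancer.
# URLs are the two endpoints shown in the report; override via environment.
ADMIN_URL="${ADMIN_URL:-http://localhost:15000/ready}"
STATUS_URL="${STATUS_URL:-http://localhost:15021/healthz/ready}"

# Print the HTTP status code for a URL, or 000 when the request fails.
http_code() {
  _code=$(curl -s -o /dev/null -m 2 -w '%{http_code}' "$1" 2>/dev/null) || true
  printf '%s' "${_code:-000}"
}

# Classify a pair of status codes (admin /ready, status-port /healthz/ready):
#   ready      both endpoints return 200
#   mismatch   admin /ready is not 200 (for example 503 DRAINING) while
#              /healthz/ready still returns 200, the behaviour in the report
#   not-ready  /healthz/ready itself is not 200
classify() {
  if [ "$1" = 200 ] && [ "$2" = 200 ]; then
    echo ready
  elif [ "$2" = 200 ]; then
    echo mismatch
  else
    echo not-ready
  fi
}

# Print the verdict and return 0 only when both endpoints agree on ready,
# so a health check wired to this exit status fails for a draining gateway.
gateway_ready() {
  _verdict=$(classify "$(http_code "$ADMIN_URL")" "$(http_code "$STATUS_URL")")
  echo "$_verdict"
  [ "$_verdict" = ready ]
}
```

Calling `gateway_ready` after step 2 of the report prints `mismatch` and returns a non-zero status.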

Most upvoted comments

I think many people use ingressgateway with NodePort or hostnetwork=true on-premise. If they are running a critical service, they will use an external loadbalancer and will face the same problem as me.