
Improve support for Kubernetes probes when server listening on localhost #2002

Closed
tsandall opened this issue Jan 14, 2020 · 0 comments · Fixed by #2385
If the OPA HTTP server is only listening on localhost the kubelet cannot execute HTTP health checks against the Health API. You can reproduce this problem simply by deploying OPA with --addr=127.0.0.1:8181. If you enable liveness and readiness probes the pod will fail to start because the kubelet can't connect to the HTTP server.

The current workaround is to tell OPA to bind on 0.0.0.0 instead of localhost.

There are a couple of ways this could be addressed:

  • Add support for serving the Health API on another address/port
  • Add a subcommand into the OPA binary to execute a health check (then the kubelet can use execProbe)
patrick-east self-assigned this Apr 13, 2020
patrick-east added a commit to patrick-east/opa that referenced this issue May 12, 2020
This adds a new config option for the OPA server (along with plumbing
from `opa run` downward to the server) to configure separate
diagnostic addresses to listen on. These will only be configured to
serve the /metrics and /health.

This will allow for more secure OPA deployments with the normal "data"
or "policies" APIs made to be only accessible on localhost.

Fixes: open-policy-agent#2002
Signed-off-by: Patrick East <east.patrick@gmail.com>
patrick-east added a commit that referenced this issue May 13, 2020
This adds a new config option for the OPA server (along with plumbing
from `opa run` downward to the server) to configure separate
diagnostic addresses to listen on. These will only be configured to
serve the /metrics and /health.

This will allow for more secure OPA deployments with the normal "data"
or "policies" APIs made to be only accessible on localhost.

Fixes: #2002
Signed-off-by: Patrick East <east.patrick@gmail.com>
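As an added example (not from the issue, the commit, or the OPA project), the two manifests below show OPA running as a sidecar under each of the two configurations this thread describes: the workaround from the issue, where the whole API is bound on 0.0.0.0 so the kubelet can reach /health, and the approach in the linked commit, where the data/policy API stays on 127.0.0.1 and only a separate diagnostic listener that serves /health and /metrics is exposed to the kubelet. The flag name `--diagnostic-addr`, the port 8282, the image tag and the app image are assumptions not stated on this page; confirm the exact option with `opa run --help` for the OPA version you deploy.

```yaml
# Added example, not from the issue or the OPA repository.
# Variant A: the workaround described in the issue. OPA binds every API on
# 0.0.0.0 so the kubelet can probe /health, but /v1/data and /v1/policies
# are then reachable from anything that can reach the pod IP.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-with-opa-workaround
spec:
  replicas: 1
  selector:
    matchLabels: {app: app-with-opa-workaround}
  template:
    metadata:
      labels: {app: app-with-opa-workaround}
    spec:
      containers:
        - name: app
          image: example.com/app:latest        # placeholder image
        - name: opa
          image: openpolicyagent/opa:latest    # tag is an assumption
          args: ["run", "--server", "--addr=0.0.0.0:8181"]
          livenessProbe:
            httpGet: {path: /health, port: 8181}
          readinessProbe:
            httpGet: {path: /health, port: 8181}
---
# Variant B: the approach in the linked commit. The data/policy API stays on
# localhost (reachable only from containers in the same pod), and a separate
# diagnostic listener on 0.0.0.0:8282 serves only /health and /metrics.
# "--diagnostic-addr" and port 8282 are assumptions; verify with `opa run --help`.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-with-opa-diagnostics
spec:
  replicas: 1
  selector:
    matchLabels: {app: app-with-opa-diagnostics}
  template:
    metadata:
      labels: {app: app-with-opa-diagnostics}
    spec:
      containers:
        - name: app
          image: example.com/app:latest        # placeholder image
          env:
            - name: OPA_URL                    # assumed app setting
              value: http://127.0.0.1:8181     # app queries OPA over localhost
        - name: opa
          image: openpolicyagent/opa:latest    # tag is an assumption
          args:
            - run
            - --server
            - --addr=127.0.0.1:8181            # data/policy API: pod-local only
            - --diagnostic-addr=0.0.0.0:8282   # health/metrics: reachable by kubelet
          ports:
            - containerPort: 8282
              name: diagnostics
          livenessProbe:
            httpGet: {path: /health, port: diagnostics}
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet: {path: /health, port: diagnostics}
            periodSeconds: 5
```

A quick check that variant B does what the commit message promises: from inside the pod, a request to http://127.0.0.1:8181/v1/data succeeds, while the same path against the pod IP on 8181 is refused and the pod IP on 8282 answers only for /health and /metrics. That is the split the probes depend on, and it is what the 0.0.0.0 workaround in variant A gives up.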