3.8. Monitoring Firewall Health

Liveness probes allow Kubernetes to continuously monitor the health of the firewall to detect if the container cannot forward traffic reliably and should be restarted. Both TCP and HTTP probes are supported.

It is recommended to configure startup probes in addition to liveness probes to make sure that the system has sufficient time to start up. Below is an example of this using a named port, in this case 8080. Kubernetes waits for 10 seconds and then checks once per second whether the container has started. Once the container is up and running, Kubernetes moves on to monitoring the health of the system every 10 seconds. If the container has not responded within a total of 10 + 30 seconds on startup, or fails to respond to three consecutive liveness probes, the firewall pod is considered to be malfunctioning and will be restarted. Kubernetes will then wait for an additional 60 seconds to allow the system to shut down gracefully.

Note: Grace period

If the grace period is set too low, the system may not have enough time to save states to permanent storage, some of which can be used for troubleshooting.

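ports:
- name: health-port
  containerPort: 8080

# Startup: 10 s initial delay, then up to 30 checks, one per second.
startupProbe:
  httpGet:
    port: health-port
    path: /health
  initialDelaySeconds: 10
  periodSeconds: 1
  timeoutSeconds: 1
  failureThreshold: 30

# Liveness: checked every 10 s, restart after three consecutive failures.
livenessProbe:
  httpGet:
    port: health-port
    path: /health
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  # Time allowed for a graceful shutdown before the container is killed.
  terminationGracePeriodSeconds: 60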

TCP probes are set up similarly, with tcpSocket instead of httpGet and `path` omitted. The HEALTH_PORT_TCP_HTTP environment variable is used to specify which port the firewall should listen on for probes.

- name: HEALTH_PORT_TCP_HTTP
  value: '8880'
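The following check is an added example, not part of the product or its documentation. It lints one container spec for the settings described in this section: both probes present, each probe port resolving to a number, and the startup time budget. It assumes that the probed port has to equal the value of HEALTH_PORT_TCP_HTTP; the function names and the sample spec are constructed for illustration.

```python
# Lint one container spec (a dict, e.g. one entry of spec.containers in JSON).

def resolve_port(container, port):
    """Return the numeric port for a probe's port (number or port name)."""
    if isinstance(port, int):
        return port
    for p in container.get("ports", []):
        if port and p.get("name") == port:
            return p.get("containerPort")
    return None

def startup_budget(probe):
    """Seconds allowed to start; missing fields use Kubernetes defaults."""
    return (probe.get("initialDelaySeconds", 0)
            + probe.get("periodSeconds", 10) * probe.get("failureThreshold", 3))

def check_health_probes(container):
    """Return a list of findings; an empty list means the spec is consistent."""
    findings = []
    env = {e["name"]: e.get("value") for e in container.get("env", [])}
    listen = env.get("HEALTH_PORT_TCP_HTTP")  # port the firewall listens on
    for kind in ("startupProbe", "livenessProbe"):
        probe = container.get(kind)
        if probe is None:
            findings.append(f"{kind}: not configured")
            continue
        handler = probe.get("httpGet") or probe.get("tcpSocket") or {}
        port = resolve_port(container, handler.get("port"))
        if port is None:
            findings.append(f"{kind}: port does not resolve to a number")
        # Assumption: the probed port must equal HEALTH_PORT_TCP_HTTP.
        elif listen is not None and str(port) != listen:
            findings.append(f"{kind}: probes {port}, firewall listens on {listen}")
    return findings

# Constructed sample: the liveness probe targets a different port than the
# one the firewall is told to listen on.
SAMPLE = {
    "env": [{"name": "HEALTH_PORT_TCP_HTTP", "value": "8080"}],
    "ports": [{"name": "health-port", "containerPort": 8080}],
    "startupProbe": {"httpGet": {"port": "health-port", "path": "/health"},
                     "initialDelaySeconds": 10, "periodSeconds": 1,
                     "failureThreshold": 30},
    "livenessProbe": {"tcpSocket": {"port": 8880}, "periodSeconds": 10,
                      "failureThreshold": 3},
}

if __name__ == "__main__":
    print(startup_budget(SAMPLE["startupProbe"]), check_health_probes(SAMPLE))
```

A probe pointed at a port the firewall is not listening on fails every check, so the pod is restarted repeatedly even though the firewall itself is healthy.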