Hi all, in default deny setting, is there any particular reason for linkerd to denies probe for certain pod but allows probe to another pod? I had to explicitly allow all access to the port of one particullar pod meanwhile others pod are fine. The failed liveness probe are the one targeting this port, while all other probe on my cluster are running fine and i don’t have to define any explicit policy (i don’t use HTTPRoute)
Here are the screenshot of linkerd metrics. you can see that the probe to port 8081 have different authz_name (since i need to explicitly create the authorization policy)
Hey @rucciva, thanks for raising this!
We had a bug report filed for something that looks very similar to this. Probes weren’t being allowed on default routes when the probe path included parameters. I can see from the code you linked that you use URL parameters for the probe path. You might be bumping into the same issue. I assume the other probes succeed and they don’t have any path params in the probe spec?
We’ve since fixed this and the change was released in last week’s edge (
edge-23.5.3). Let me know if this answers your question
ah yes, removing the url parameters fix the probe. thanks @matei