Kubernetes startup probe

By default, the agent prioritizes quick start up and performance readiness for preliminary inspection. However, quick startup isn't always desirable if you only want the agent to inspect traffic after loading your rules and configuration data. Within Kubernetes environments, you can use startup probes to delay the agent container's startup so that the container is only marked ready after the agent has loaded rules and configuration data.

Limitations and considerations

Configuring a startup probe

You can configure a startup probe in one of two ways: using an httpGet check or using a file-based startup probe.

Configuring an HTTP startup probe

To configure the agent endpoint to respond to httpGet checks, set the SIGSCI_STARTUP_PROBE_LISTENER environment variable to the desired address. Then, on the same prompt, add a startupProbe httpGet definition configured for path /startup.

The agent endpoint will send an HTTP 503 (Service Unavailable) response until the agent has loaded rules. After loading rules, the agent endpoint will send an HTTP 200 response.

Example diff using port 2024 for the startup probe:

2 - name: sigsci-agent
3 image: signalsciences/sigsci-agent:latest
4 ports:
5+ - name: "startup-port"
6+ containerPort: 2024
7 env:
9+ value: ""
10+ startupProbe:
11+ httpGet:
12+ path: /startup
13+ port: startup-port
14+ failureThreshold: 90
15+ periodSeconds: 2

Configuring a file-based startup probe

If you want to avoid using an HTTP-based probe, you can configure the agent to create a file within the container and use an exec check to test for the existence of the file to indicate a ready state.

To configure a file-based startup probe, set the SIGSCI_STARTUP_PROBE_FILEPATH environment variable to the file path where you want the agent to create a file once rules are loaded. Then, use an exec command to check the existence of the file.

The file will be created once the agent has completed loading it's configuration data. The startup probe may generate Kubernetes warning events with a message of Startup probe failed: cat: can't open '/sigsci/tmp/startup': No such file or directory until the agent has finished loading configuration data. This is expected behavior when using the file-based startup probe.

Example diff to use /sigsci/tmp/startup for the startup probe:

2 - name: sigsci-agent
3 image: signalsciences/sigsci-agent:latest
4 env:
6+ value: "/sigsci/tmp/startup"
7+ startupProbe:
8+ exec:
9+ command:
10+ - cat
11+ - /sigsci/tmp/startup
12+ failureThreshold: 90
13+ periodSeconds: 2
Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.