This project is in the process of being donated to the CNCF and is not affiliated with the Kubernetes project.

Gateway health checks

Enable a health check plugin on your gateway proxy to respond with common HTTP codes.


Kgateway includes an HTTP health checking plug-in that you can enable for a gateway proxy listener. This plug-in responds to health check requests directly with either a 200 OK or 503 Service Unavailable message, depending on the current draining state of Envoy.

Before you begin

  1. Follow the Get started guide to install kgateway, set up a gateway resource, and deploy the httpbin sample app.

  2. Get the external address of the gateway and save it in an environment variable.

    export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
    kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080

Configure a health check on a gateway

  1. Create an HTTPListenerOption resource to configure a health check path for the HTTP or HTTPS listener on the gateway. You can define any path, such as /check/healthz.

    kubectl apply -f- <<EOF
    kind: HttpListenerOption
      name: healthcheck
      namespace: kgateway-system
      - group:
        kind: Gateway
        name: http
          path: <path>
  2. To test the health check, drain the Envoy connections by sending an HTTP POST request to the /healthcheck/fail endpoint of the Envoy admin port.

    1. Port-forward the gloo-gateway-http deployment on port 19000.
      kubectl port-forward deploy/gloo-proxy-http -n kgateway-system 19000 &
    2. Send an HTTP POST request to the /healthcheck/fail endpoint. This causes Envoy connections to begin draining.
      curl -X POST
  3. Send a request to the health check path. Because Envoy is in a draining state, the 503 Service Unavailable message is returned.

    curl -i $INGRESS_GW_ADDRESS:8080/<path>
    curl -i localhost:8080/<path>

  4. After you finish testing, resume Envoy connections by sending an HTTP POST request to the /healthcheck/ok endpoint of the Envoy admin port.

    curl -X POST
  5. Send another request to the health check path. Because Envoy is operating normally, the 200 OK message is returned.

    curl -i $INGRESS_GW_ADDRESS:8080/<path>
    curl -i localhost:8080/<path>

  6. Stop port-forwarding the gloo-gateway-http deployment.

    lsof -ti:19000 | xargs kill -9


You can remove the resources that you created in this guide.
kubectl delete HttpListenerOption healthcheck -n kgateway-system