Issue #138 add probes and resource limits #139
Open
amaanx86 wants to merge 9 commits into oracle:main from
Add TCP socket readiness probe on webhook-server port (9443) for CloudGuard compliance and operational reliability. Signed-off-by: Amaan Ul Haq Siddiqui <amaanulhaq.s@outlook.com>
Add TCP socket liveness probe on webhook-server port (9443) for CloudGuard compliance and operational reliability. Ensures container restarts automatically if unhealthy. Signed-off-by: Amaan Ul Haq Siddiqui <amaanulhaq.s@outlook.com>
Add comments explaining readiness and liveness probe behavior for Cloud Guard compliance. Signed-off-by: Amaan Ul Haq Siddiqui <amaanulhaq.s@outlook.com>
AkarshES
previously approved these changes
Feb 16, 2026
Author
Thank you @AkarshES for approving the changes, let me know what is further required to finalize this pull request!
nirpai
previously approved these changes
Feb 18, 2026
… server Replace TCP socket probes on webhook-server with HTTP GET endpoints (/healthz/ready for readiness, /healthz/live for liveness) that connect to the metrics server port. Signed-off-by: Amaan Ul Haq Siddiqui <amaanulhaq.s@outlook.com>
Signal to the health checker that all informer caches have been synced after setup, enabling readiness checks to report ready status. Signed-off-by: Amaan Ul Haq Siddiqui <amaanulhaq.s@outlook.com>
…racking Register /healthz/ready and /healthz/live HTTP endpoints on the metrics server and mark controllers as ready after initialization for proper health probe support. Signed-off-by: Amaan Ul Haq Siddiqui <amaanulhaq.s@outlook.com>
…iveness probes Implement HealthChecker with endpoints for tracking cache synchronization and controller readiness status. Provides /healthz/ready and /healthz/live handlers for Kubernetes probe support. Signed-off-by: Amaan Ul Haq Siddiqui <amaanulhaq.s@outlook.com>
d433363 to 0373bae
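The readiness/liveness split the commits above describe, as an added Go example that is not the PR's code: `HealthChecker`, its method names, `Probe`, and the unconditional liveness handler are assumptions.

```go
// Added example, not the PR's code. Type and method names are hypothetical.
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// HealthChecker tracks the two conditions named in the commit messages.
type HealthChecker struct{ cacheSynced, controllersReady atomic.Bool }

func (h *HealthChecker) MarkCacheSynced()     { h.cacheSynced.Store(true) }
func (h *HealthChecker) MarkControllerReady() { h.controllersReady.Store(true) }

// Ready answers 503 until both conditions hold, so the pod is not marked Ready early.
func (h *HealthChecker) Ready(w http.ResponseWriter, _ *http.Request) {
	if !h.cacheSynced.Load() || !h.controllersReady.Load() {
		http.Error(w, "not ready", http.StatusServiceUnavailable)
		return
	}
	fmt.Fprintln(w, "ok")
}

// Live only proves the process serves HTTP (assumption): a slow sync must not cause restarts.
func (h *HealthChecker) Live(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") }

// Mux registers both probe paths; mount it on the metrics listener.
func (h *HealthChecker) Mux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz/ready", h.Ready)
	mux.HandleFunc("/healthz/live", h.Live)
	return mux
}

// Probe performs an in-memory GET, standing in for the kubelet's httpGet.
func Probe(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	hc := &HealthChecker{}
	fmt.Println(Probe(hc.Mux(), "/healthz/live"), Probe(hc.Mux(), "/healthz/ready"))
	hc.MarkCacheSynced()
	hc.MarkControllerReady()
	fmt.Println(Probe(hc.Mux(), "/healthz/ready"))
}
```

With only one of the two flags set, readiness still returns 503 while liveness keeps returning 200, so the kubelet withholds traffic without restarting the container.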
Author
Hi @nirpai, @AkarshES,
Helm Deployment Test
Controller deployed from my branch image:
Health endpoints verified inside the pod
Ingress Functional Test
Document HTTP readiness and liveness endpoints on the metrics server. Signed-off-by: Amaan Ul Haq Siddiqui <amaanulhaq.s@outlook.com>
AkarshES
previously approved these changes
Feb 20, 2026
AkarshES
left a comment
Thanks for adding the HTTP healthcheck as Niranjan requested
nirpai
previously approved these changes
Feb 20, 2026
| # maxUnavailable: 1 | ||
|
|
||
| # The TCP port the Webhook server binds to. (default 9443) | ||
| # Health probes for operational reliability and Cloud Guard compliance |
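Review bot: the added line "# Health probes for operational reliability and Cloud Guard compliance" sits directly under the webhook bind port description (default 9443) and does not say which port or paths the probes use. Since the probes in this PR are HTTP GETs to /healthz/ready and /healthz/live on the metrics server port, place the comment with the metrics settings and name both paths there, so a reader does not assume the kubelet probes 9443.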
Contributor
The comment is misplaced on webhook Port.
Author
Relocate health probe documentation from webhookBindPort to the metrics section where the probes actually connect. Signed-off-by: Amaan Ul Haq Siddiqui <amaanulhaq.s@outlook.com>
nirpai
approved these changes
Feb 20, 2026
AkarshES
approved these changes
Feb 23, 2026
Author
We are doing some validation in OKE environment so that we can go ahead and merge this change. Thank you for your effort and patience on this
Author
@AkarshES Thank you for keeping me updated



Fix Cloud Guard Container Security Findings by Adding Health Probes
Subject
Resolve OCI Cloud Guard findings (missing health probes) in OCI Native Ingress Controller by adding readiness and liveness probes to the deployment template.
Problem Statement
Cloud Guard was flagging multiple Container Security findings against the OCI Native Ingress Controller deployed as an OKE managed add-on, specifically:
This issue persisted across our OCI environment and could not be resolved by end users since the controller is deployed as a managed add-on (Deployment spec cannot be safely modified). However, these same findings would affect Helm-based deployments as well.
Solution
Added TCP socket-based health probes to the Helm deployment template:
Readiness Probe:
Liveness Probe:
Implementation Details
Testing
Relates To
Closes #138