Readiness probe with redirect results in 403

[rogu-beta]

Linkerd appears to handle responses to readiness probes with status code 302 as an error and as a consequence reports a 403 to EKS.

The setup deployed multiple pods one of which is an nginx as reverse proxy. The readiness probe for the nginx sends a request, for which nginx forwards the request to the web application hosted behind it. This service responds with a 302 as the path in the readiness probe is not the final destination path (e.g. redirecting from / to /login/). This response is for some reason treated as an error and the redirect is not being followed, unlike in regular EKS without linkerd. Lastly the returned HTTP code for readiness probe of the nginx reported back toe EKS is 403 (unauthorized).

This appears to be similar to #11590, it is also a Django application but we do not use Server.

Is this a difference in behavior that is not documented or did we miss this somewhere? Does linkerd prevent following redirects for some reason?

[kflynn]

Hey @rogu-beta! Since it's a 403, I wonder -- are you using AuthorizationPolicies or HTTPRoutes? Linkerd normally permits probes by default, but if you start creating auth policy it removes those defaults so that you have explicit control.