execfor liveness and readiness checks since kubelet is not part of the service mesh and doesn't have access to the TLS cert.
SIGTERMsignal to every container and waits for period of time (30s by default) for all containers to exit gracefully. If your app doesn't handle the
SIGTERMsignal or if it doesn't exit within the grace period, Kubernetes will kill the container and any inflight requests that your app is processing will fail.
preStophook that delays the container shutdown. This will allow the service mesh to drain the traffic and remove this pod from all other Envoy sidecars before your app becomes unavailable.
SIGTERMand tries to complete the inflight requests before shutdown, that doesn't mean that the response will make it back to the caller. If the Envoy sidecar shuts down before your app, then the caller will receive a 503 error.
preStophook to the Istio proxy and wait for the main app to exit before Envoy exits.