Expose health check endpoints to separate ingress controller

I am using the official Kong Helm chart and have set up two Kong clusters, one for internal endpoints and the other for public ones. I have two separate ingress controllers called kong-internal and kong-public, and API endpoints are marked as public or internal by specifying the annotation on the Ingress. The Kong proxy service is of type LoadBalancer for both Kong clusters. The load balancer of the internal Kong cluster is marked as internal and hence is accessible only from within the VPC.

Now my requirement is that I want to expose only the health check endpoint of private services to the public load balancer so that it can be accessed by an external monitoring system, keeping the rest of the endpoints for that service internal. I am not very sure how to do this.

This should be possible by defining strict Ingress rules:

# Ingress that routes only the health path of service-a
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: regex-ingress
  annotations:
    configuration.konghq.com: service-a-health-path
spec:
  rules:
  - http:
      paths:
      - path: "/service-a/health"
        backend:
          serviceName: service-a
          servicePort: 80
---
# KongIngress referenced by the annotation above; sets the path used on the upstream service
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: service-a-health-path
proxy:
  path: "/health-endpoint-of-service-a"

With this, you will only be able to reach the health endpoint of your internal service from outside.

Hope this helps.
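One way to check that the public controller really serves nothing but the health path is to audit the Ingress objects themselves. The script below is an added example, not part of the original answer or of the Kong project. It assumes every Ingress carries the `kubernetes.io/ingress.class` annotation, that the public class is named `kong-public`, and that its input has the shape of `kubectl get ingress --all-namespaces -o json`; the sample data and the allowlist are constructed.

```python
import json

CLASS_ANNOTATION = "kubernetes.io/ingress.class"
PUBLIC_CLASS = "kong-public"                   # assumption: class of the public controller
ALLOWED_PUBLIC_PATHS = {"/service-a/health"}   # health path from the answer's Ingress

# Constructed sample, shaped like `kubectl get ingress --all-namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "health-only", "namespace": "default",
   "annotations": {"kubernetes.io/ingress.class": "kong-public"}},
  "spec": {"rules": [{"http": {"paths": [{"path": "/service-a/health",
   "backend": {"serviceName": "service-a", "servicePort": 80}}]}}]}},
 {"metadata": {"name": "too-wide", "namespace": "default",
   "annotations": {"kubernetes.io/ingress.class": "kong-public"}},
  "spec": {"rules": [{"http": {"paths": [{"path": "/service-a",
   "backend": {"serviceName": "service-a", "servicePort": 80}}]}}]}},
 {"metadata": {"name": "no-path", "namespace": "default",
   "annotations": {"kubernetes.io/ingress.class": "kong-public"}},
  "spec": {"rules": [{"http": {"paths": [
   {"backend": {"serviceName": "service-a", "servicePort": 80}}]}}]}},
 {"metadata": {"name": "internal-api", "namespace": "default",
   "annotations": {"kubernetes.io/ingress.class": "kong-internal"}},
  "spec": {"rules": [{"http": {"paths": [{"path": "/service-a",
   "backend": {"serviceName": "service-a", "servicePort": 80}}]}}]}}
]}
""")


def audit_public_ingresses(ingresses, public_class=PUBLIC_CLASS,
                           allowed=ALLOWED_PUBLIC_PATHS):
    """Return (namespace/name, path, reason) for every public path not allowlisted."""
    findings = []
    for item in ingresses.get("items", []):
        meta = item.get("metadata", {})
        if (meta.get("annotations") or {}).get(CLASS_ANNOTATION) != public_class:
            continue  # not served by the public controller
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        spec = item.get("spec", {})
        if spec.get("backend"):  # default backend catches every request
            findings.append((ref, "*", "default backend"))
        for rule in spec.get("rules", []):
            for entry in (rule.get("http") or {}).get("paths", []):
                path = entry.get("path") or "/"  # a missing path matches everything
                if path not in allowed:
                    findings.append((ref, path, "not an allowed health path"))
    return findings


if __name__ == "__main__":
    for ref, path, reason in audit_public_ingresses(SAMPLE):
        print(f"{ref}: {path} ({reason})")
```
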

Perhaps I am wrong, but I can't quite understand this practice. Kubernetes provides Liveness and Readiness for checking the health of the Pods, and it is used by the kubelet to know when to restart containers or when to start accepting traffic. A Pod is considered ready when all of its containers are ready.
kubelet ----> http://<pod_id>:10254//healthz ----> |ingress controller pod|

Am I clear on this?