Right now we run LVS services for istio-ingressgateway with:
monitors:
  IdleConnection:
    max-delay: 300
    timeout-clean-reconnect: 3
The downside is that PyBal shows every node of a cluster where no ingress route/backend is configured as down, because the ingressgateway's Envoy will not accept connections in that case.
In addition, this might not catch errors reported by the ingressgateway via its internal health check, although it is currently unclear whether there are errors that result in failing health checks while connections are still possible.
The ingressgateway only serves health checks on a port different from the traffic port. To allow checking those as well, PyBal's ProxyFetch monitor would need to be extended to allow checking a different port. A proposed CR exists at https://gerrit.wikimedia.org/r/c/operations/debs/pybal/+/759749
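
The two views of a node described above can be compared on localhost with the following added example, which is not PyBal code and not part of the proposed CR. The stub listener, the function names and the `/healthz/ready` path are assumptions made for the illustration.

```python
import http.client
import http.server
import socket
import threading

def tcp_connect_ok(host, port, timeout=2.0):
    """Connection-only view of a node: can a TCP session be opened at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_health_ok(host, port, path, timeout=2.0):
    """HTTP probe against a separate health port; only a 200 counts as healthy."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status == 200
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

class StubHealth(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the gateway's health listener (localhost only)."""
    status = 200
    def do_GET(self):
        self.send_response(self.status)
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def simulate_node(traffic_listening, health_status, path="/healthz/ready"):
    """Return (traffic_port_connectable, health_port_ready) for one simulated node.
    The path is an assumed value; the stub answers any path with health_status."""
    handler = type("Handler", (StubHealth,), {"status": health_status})
    health = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=health.serve_forever, daemon=True).start()
    traffic = socket.socket()
    traffic.bind(("127.0.0.1", 0))  # bound but refusing until listen() is called
    if traffic_listening:
        traffic.listen(1)
    try:
        return (tcp_connect_ok("127.0.0.1", traffic.getsockname()[1]),
                http_health_ok("127.0.0.1", health.server_address[1], path))
    finally:
        traffic.close()
        health.shutdown()
        health.server_close()
```

`simulate_node(False, 200)` models a node with no route configured (traffic port refuses, health port is ready), and `simulate_node(True, 503)` models the unconfirmed case where connections still succeed while the health check fails.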