Symptom
Your apigee-ingressgateway pods show only 1 of 2 containers running when you get the pod listing.
For example, when you run the following command:
kubectl -n apigee get pods -l app=apigee-ingressgateway
Output:
NAME READY STATUS RESTARTS AGE apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-shl9r 1/2 Running 0 6m48s apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-vvzsf 1/2 Running 0 123m
Additionally, performing a describe command on one of the above pods will show the readiness probe failing with a 503 status code.
For example, in the Events section of the pod description, you might see the following message:
Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning Unhealthy 76s (x32903 over 18h) kubelet Readiness probe failed: HTTP probe failed with statuscode: 503
Possible cause
| Cause | Description |
|---|---|
| Apigee ingress is configured to listen on port 80 | Apigee ingress configuration on port 80 is no longer supported starting with Apigee Hybrid 1.9. |
Cause: Apigee ingress is configured to listen on port 80
This issue is caused by the Apigee ingress gateway being configured to listen on port 80, which is no longer supported starting with Apigee Hybrid 1.9.
This can happen if you upgraded from an earlier version of Apigee Hybrid that allowed port 80, or if there's another misconfiguration that enabled it.
Diagnosis
-
Get a listing of your
apigee-ingressgatewaypods.Run the following command:
kubectl -n apigee get pods -l app=apigee-ingressgatewaySample output
NAME READY STATUS RESTARTS AGE apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-shl9r 1/2 Running 0 6m48s apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-vvzsf 1/2 Running 0 123m
-
Describe one of the listed pods to check the events:
kubectl -n apigee describe pod APIGEE_INGRESSGATEWAY_PODWhere APIGEE_INGRESSGATEWAY_POD is an
apigee-ingressgatewaypod listed in the previous command output.Sample output:
Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning Unhealthy 76s (x32903 over 18h) kubelet Readiness probe failed: HTTP probe failed with statuscode: 503
-
Get the logs for the APIGEE_INGRESSGATEWAY_POD pod.
kubectl -n apigee logs APIGEE_INGRESSGATEWAY_PODYou may see a log entry showing that port 80 failed to bind due to a permission denied error followed by a message that envoy is not ready.
2025-09-11T06:16:45.457621Z error envoy config external/envoy/source/common/listener_manager/listener_manager_impl.cc:1186 listener '0.0.0.0_80' failed to bind or apply socket options: cannot bind '0.0.0.0:80': Permission denied ... 2025-09-11T06:16:46.365818Z warn Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 1 rejected
- Review the current
apigeerouteconfiguration to find the one that has port 80 (HTTP) enabled.-
Get a list of the defined apigee routes.
kubectl -n apigee get apigeerouteSample output:
NAME STATE AGE myorg-hyb-dev-grp-000-33620d0 running 2d1h non-sni running 17s
-
Check each
apigeeroutefor where port 80 is defined.Run the following command for each
apigeeroutelisted in the previous command output:kubectl -n apigee get apigeeroute APIGEE_ROUTE_NAME -o yamlWhere APIGEE_ROUTE_NAME is the name of an individual
apigeeroute.Sample Command:
kubectl -n apigee get apigeeroute non-sni -o yamlSample output:
apiVersion: apigee.cloud.google.com/v1alpha2 kind: ApigeeRoute metadata: name: non-sni namespace: apigee resourceVersion: "240441468" spec: enableNonSniClient: true hostnames: - '*' ports: - number: 443 protocol: HTTPS tls: credentialName: myorg-hyb-dev-grp minProtocolVersion: TLS_AUTO mode: SIMPLE - number: 80 protocol: HTTP selector: app: apigee-ingressgateway status: lastAppliedGeneration: 1 state: runningapigeerouteshows that port 80 is enabled as part of this route.
-
Get a list of the defined apigee routes.
Resolution
To resolve this issue, disable port 80 in the original apigeeroute yaml file by removing the following lines.
- number: 80
protocol: HTTP
If you do not have the original apigeeroute yaml file, you can follow the following steps:
- Export the current configuration with the following command:
kubectl -n apigee get apigeeroute APIGEE_ROUTE_NAME -o yaml > APIGEE_ROUTE_FILENAME.yamlWhere APIGEE_ROUTE_NAME is the
apigeeroutebeing updated to remove the port 80 configuration.Where APIGEE_ROUTE_FILENAME is the output file name containing the
apigeerouteyaml content. -
Edit the
apigeerouteyaml file to remove the port 80 configuration.Open the APIGEE_ROUTE_FILENAME file in a text editor and remove the following lines:
- number: 80 protocol: HTTP -
Replace the existing
apigeeroutewith the modified YAML file:kubectl -n apigee replace -f APIGEE_ROUTE_FILENAME.yamlWhere APIGEE_ROUTE_FILENAME is the output file containing the updated
apigeerouteconfiguration. -
The
apigee-ingressgatewaypods should now run with 2/2 containers. If they do not, delete the pods to allow new ones to be created automatically.NAME READY STATUS RESTARTS AGE apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-shl9r 2/2 Running 0 25h apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-vvzsf 2/2 Running 0 26h
Must gather diagnostic information
If the problem persists even after following the above instructions, gather the following diagnostic information and then contact Google Cloud Customer Care:- Overrides.yaml
- Output of the following commands:
kubectl -n apigee get pods -l app=apigee-ingressgateway
kubectl -n apigee logs APIGEE_INGRESSGATEWAY_POD
kubectl -n apigee get apigeeroutes
- For each of the stated routes, run:
kubectl -n apigee get apigeeroute APIGEE_ROUTE_NAME -o yaml
- As an alternative, you may run and provide the Apigee hybrid must-gather information.