Symptom
Your apigee-ingressgateway
pods show only 1 of 2 containers running when you get the pod listing.
For example, when you run the following command:
kubectl -n apigee get pods -l app=apigee-ingressgateway
Output:
NAME READY STATUS RESTARTS AGE apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-shl9r 1/2 Running 0 6m48s apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-vvzsf 1/2 Running 0 123m
Additionally, performing a describe
command on one of the above pods will show the readiness probe failing with a 503 status code.
For example, in the Events
section of the pod description, you might see the following message:
Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning Unhealthy 76s (x32903 over 18h) kubelet Readiness probe failed: HTTP probe failed with statuscode: 503
Possible cause
Cause | Description |
---|---|
Apigee ingress is configured to listen on port 80 | Apigee ingress configuration on port 80 is no longer supported starting with Apigee Hybrid 1.9. |
Cause: Apigee ingress is configured to listen on port 80
This issue is caused by the Apigee ingress gateway being configured to listen on port 80, which is no longer supported starting with Apigee Hybrid 1.9.
This can happen if you upgraded from an earlier version of Apigee Hybrid that allowed port 80, or if there's another misconfiguration that enabled it.
Diagnosis
-
Get a listing of your
apigee-ingressgateway
pods.Run the following command:
kubectl -n apigee get pods -l app=apigee-ingressgateway
Sample output
NAME READY STATUS RESTARTS AGE apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-shl9r 1/2 Running 0 6m48s apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-vvzsf 1/2 Running 0 123m
-
Describe one of the listed pods to check the events:
kubectl -n apigee describe pod APIGEE_INGRESSGATEWAY_POD
Where APIGEE_INGRESSGATEWAY_POD is an
apigee-ingressgateway
pod listed in the previous command output.Sample output:
Events: Type Reason Age From Message ---- ------ ---- ---- ------- Warning Unhealthy 76s (x32903 over 18h) kubelet Readiness probe failed: HTTP probe failed with statuscode: 503
-
Get the logs for the APIGEE_INGRESSGATEWAY_POD pod.
kubectl -n apigee logs APIGEE_INGRESSGATEWAY_POD
You may see a log entry showing that port 80 failed to bind due to a permission denied error followed by a message that envoy is not ready.
2025-09-11T06:16:45.457621Z error envoy config external/envoy/source/common/listener_manager/listener_manager_impl.cc:1186 listener '0.0.0.0_80' failed to bind or apply socket options: cannot bind '0.0.0.0:80': Permission denied ... 2025-09-11T06:16:46.365818Z warn Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 1 rejected
- Review the current
apigeeroute
configuration to find the one that has port 80 (HTTP) enabled.-
Get a list of the defined apigee routes.
kubectl -n apigee get apigeeroute
Sample output:
NAME STATE AGE myorg-hyb-dev-grp-000-33620d0 running 2d1h non-sni running 17s
-
Check each
apigeeroute
for where port 80 is defined.Run the following command for each
apigeeroute
listed in the previous command output:kubectl -n apigee get apigeeroute APIGEE_ROUTE_NAME -o yaml
Where APIGEE_ROUTE_NAME is the name of an individual
apigeeroute
.Sample Command:
kubectl -n apigee get apigeeroute non-sni -o yaml
Sample output:
The non-sniapiVersion: apigee.cloud.google.com/v1alpha2 kind: ApigeeRoute metadata: name: non-sni namespace: apigee resourceVersion: "240441468" spec: enableNonSniClient: true hostnames: - '*' ports: - number: 443 protocol: HTTPS tls: credentialName: myorg-hyb-dev-grp minProtocolVersion: TLS_AUTO mode: SIMPLE - number: 80 protocol: HTTP selector: app: apigee-ingressgateway status: lastAppliedGeneration: 1 state: running
apigeeroute
shows that port 80 is enabled as part of this route.
-
Get a list of the defined apigee routes.
Resolution
To resolve this issue, disable port 80 in the original apigeeroute
yaml file by removing the following lines.
- number: 80 protocol: HTTP
If you do not have the original apigeeroute
yaml file, you can follow the following steps:
- Export the current configuration with the following command:
kubectl -n apigee get apigeeroute APIGEE_ROUTE_NAME -o yaml > APIGEE_ROUTE_FILENAME.yaml
Where APIGEE_ROUTE_NAME is the
apigeeroute
being updated to remove the port 80 configuration.Where APIGEE_ROUTE_FILENAME is the output file name containing the
apigeeroute
yaml content. -
Edit the
apigeeroute
yaml file to remove the port 80 configuration.Open the APIGEE_ROUTE_FILENAME file in a text editor and remove the following lines:
- number: 80 protocol: HTTP
-
Replace the existing
apigeeroute
with the modified YAML file:kubectl -n apigee replace -f APIGEE_ROUTE_FILENAME.yaml
Where APIGEE_ROUTE_FILENAME is the output file containing the updated
apigeeroute
configuration. -
The
apigee-ingressgateway
pods should now run with 2/2 containers. If they do not, delete the pods to allow new ones to be created automatically.NAME READY STATUS RESTARTS AGE apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-shl9r 2/2 Running 0 25h apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-vvzsf 2/2 Running 0 26h
Must gather diagnostic information
If the problem persists even after following the above instructions, gather the following diagnostic information and then contact Google Cloud Customer Care:- Overrides.yaml
- Output of the following commands:
kubectl -n apigee get pods -l app=apigee-ingressgateway
kubectl -n apigee logs APIGEE_INGRESSGATEWAY_POD
kubectl -n apigee get apigeeroutes
- For each of the stated routes, run:
kubectl -n apigee get apigeeroute APIGEE_ROUTE_NAME -o yaml
- As an alternative, you may run and provide the Apigee hybrid must-gather information.