Can't access a Kyma endpoint (503 status code)
You try to access a Kyma endpoint and receive the
503 status code.
This can be caused by a configuration error in the Istio Ingress Gateway. As a result, the endpoint you call is not exposed.
To fix this problem, restart the Pods of the Gateway.
List all available endpoints:Click to copykubectl get virtualservice --all-namespaces
Restart the Pods of the Istio Ingress Gateway to force them to recreate their configuration:Click to copykubectl delete pod -l app=istio-ingressgateway -n istio-system
If this solution doesn't work, you need to change the image of the Istio Ingress Gateway to allow further investigation. Kyma uses distroless Istio images which are more secure, but you cannot execute commands inside them. Follow this steps:
Edit the Istio Ingress Gateway Deployment:Click to copykubectl edit deployment -n istio-system istio-ingressgateway
istio-proxycontainer and delete the
Check all ports used by the Istio Ingress Gateway:Click to copykubectl exec -ti -n istio-system $(kubectl get pod -l app=istio-ingressgateway -n istio-system -o name) -c istio-proxy -- netstat -lptnu
443are not used, check the logs of the Istio Ingress Gateway container for errors related to certificates. Run:Click to copykubectl logs -n istio-system -l app=istio-ingressgateway -c ingress-sds
In the case of certificate-related issues, make sure that the
kyma-gateway-certs-cacertSecrets are available in the
istio-systemNamespace and that they contain proper data. Run:Click to copykubectl get secrets -n istio-system kyma-gateway-certs -oyamlkubectl get secrets -n istio-system kyma-gateway-certs-cacert -oyaml