Pod is not ready
It might be possible that the following problem could be observed after labeling a working Pod with sidecar.microgateway.airlock.com/inject: true.
- The Pod is in
runningstate but notready. - The old Pod is still handling the requests and the rollover is not completed.
The examples depend on the fact that the web application Pod was running perfectly before labeling it.
Verify the Pod's state
Follow the instructions below to verify the Pod's state.
- Use
kubectl describe podto retrieve thestatus. - Example
kubectl describe pod webapp-84b785f954-r49wt ... Readiness Gates: Type Status microgateway.airlock.com/engine-config-ready False Conditions: Type Status Initialized True Ready False ContainersReady True PodScheduled True microgateway.airlock.com/engine-config-ready False
The
Readiness Gatesmicrogateway.airlock.com/engine-config-readyindicates whether the Microgateway Engine container is ready or not.- Log messages containing
initial fetch timedare logged by the Microgateway Engine container when it is not ready. - Example
kubectl logs webapp-84b785f954-r49wt -c airlock-microgateway-engine ... [2022-09-13 11:05:12.130][1][warning][config] [external/envoy/source/common/config/grpc_subscription_impl.cc:118] gRPC config: initial fetch timed out for type.googleapis.com/envoy.config.listener.v3.Listener ...
Other observed behaviors
Depending on where you look first, you might face other issues. The examples below illustrate how the same issue could look when using other commands.
- The old and new Deployment are in
Runningstate. - Example
kubectl get deployment NAME READY UP-TO-DATE AVAILABLE AGE webapp 1/1 1 1 29m
- Example
kubectl get pods NAME READY STATUS RESTARTS AGE webapp-849f69665c-hw4t4 1/1 Running 0 29m webapp-84b785f954-r49wt 2/2 Running 0 29m
- The command
kubectl get pods -o wideshows that the Pod is not yet ready. - Example
kubectl get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES webapp-849f69665c-hw4t4 1/1 Running 0 32m 10.43.1.173 worker-0 <none> <none> webapp-84b785f954-r49wt 2/2 Running 0 32m 10.43.2.173 worker-1 <none> 0/1
- The
ReadinessandLiveness probesfailed. - Example
kubectl describe pod webapp-84b785f954-r49wt ... Events: Type Reason Age From Message ---- ------ ---- ---- ------- ... Warning Unhealthy 50m (x2 over 50m) kubelet Liveness probe failed: Get "http://10.43.2.173:19001/ready": dial tcp 10.43.2.173:19001: connect: connection refused Warning Unhealthy 50m (x2 over 50m) kubelet Readiness probe failed: Get "http://10.43.2.173:19001/ready": dial tcp 10.43.2.173:19001: connect: connection refused
Possible reasons
The following reasons could cause the observed behavior.
No Custom Resource SidecarGateway is associated with the Pod. Check the following:
- If the
ReadinessandLiveness probesfor the Microgateway Engine have failed. - Ensure that a CR
SidecarGatewayexists and matches the Web application Pod labels. - Most likely, no CR
SidecarGatewaymatching the Pod. Follow the instructions in CR SidecarGateway to correct this.
The referenced Custom Resource does not exist. Check the following:
- Ensure that the referenced Custom Resource exists.
- Check the status of the Custom Resource
SidecarGateway: - Example
kubectl get sidecargateways.microgateway.airlock.com NAME STATUS AGE webapp Error 3m25s
- Example
kubectl describe sidecargateways.microgateway.airlock.com webapp ... Status: Conditions: Last Transition Time: 2022-09-13T12:48:24Z Message: Missing referenced ContentSecurity 'webapp' Reason: ConfigResourcesMissing Status: False Type: ConfigReferencesLoaded Pods: Name: webapp-849f69665c-hw4t4 Name: webapp-84b785f954-r49wt Status: Error Events: <none> - The status shows if the
SidecarGatewayis ready or not. In this example, the referencedContentSecurityis missing. Follow the instructions in CR SidecarGateway to correct this.
Further information and links
Internal links:
- For sidecar injection, see Annotations for the Microgateway Operator.