Apigee ingress gateway pods show 1 of 2 containers running

Symptom

Your apigee-ingressgateway pods show only 1 of 2 containers running when you get the pod listing.

For example, when you run the following command:

 kubectl -n apigee get pods -l app=apigee-ingressgateway 

Output:

 NAME                                                       READY   STATUS    RESTARTS   AGE
 apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-shl9r  1/2     Running   0          6m48s
 apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-vvzsf  1/2     Running   0          123m

Additionally, performing a describe command on one of the above pods will show the readiness probe failing with a 503 status code.

For example, in the Events section of the pod description, you might see the following message:

 Events:
   Type     Reason     Age                    From     Message
   ----     ------     ----                   ----     -------
   Warning  Unhealthy  76s (x32903 over 18h)  kubelet  Readiness probe failed: HTTP probe failed with statuscode: 503

Possible cause

Cause | Description
Apigee ingress is configured to listen on port 80 | Apigee ingress configuration on port 80 is no longer supported starting with Apigee Hybrid 1.9.

Cause: Apigee ingress is configured to listen on port 80

This issue is caused by the Apigee ingress gateway being configured to listen on port 80, which is no longer supported starting with Apigee Hybrid 1.9.

This can happen if you upgraded from an earlier version of Apigee Hybrid that allowed port 80, or if there's another misconfiguration that enabled it.

Diagnosis

  1. Get a listing of your apigee-ingressgateway pods.

    Run the following command:

    kubectl -n apigee get pods -l app=apigee-ingressgateway

    Sample output:

     NAME                                                       READY   STATUS    RESTARTS   AGE
     apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-shl9r  1/2     Running   0          6m48s
     apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-vvzsf  1/2     Running   0          123m
  2. Describe one of the listed pods to check the events:
    kubectl -n apigee describe pod APIGEE_INGRESSGATEWAY_POD

    Where APIGEE_INGRESSGATEWAY_POD is an apigee-ingressgateway pod listed in the previous command output.

    Sample output:

     Events:
       Type     Reason     Age                    From     Message
       ----     ------     ----                   ----     -------
       Warning  Unhealthy  76s (x32903 over 18h)  kubelet  Readiness probe failed: HTTP probe failed with statuscode: 503
  3. Get the logs for the APIGEE_INGRESSGATEWAY_POD pod.
    kubectl -n apigee logs APIGEE_INGRESSGATEWAY_POD

    You may see a log entry showing that port 80 failed to bind due to a permission denied error, followed by a message that Envoy is not ready.

     2025-09-11T06:16:45.457621Z error envoy config external/envoy/source/common/listener_manager/listener_manager_impl.cc:1186 listener '0.0.0.0_80' failed to bind or apply socket options: cannot bind '0.0.0.0:80': Permission denied
     ...
     2025-09-11T06:16:46.365818Z warn Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 1 successful, 0 rejected; lds updates: 0 successful, 1 rejected
  4. Review the current apigeeroute configuration to find the one that has port 80 (HTTP) enabled.
    • Get a list of the defined apigee routes.
      kubectl -n apigee get apigeeroute

      Sample output:

       NAME                           STATE     AGE
       myorg-hyb-dev-grp-000-33620d0  running   2d1h
       non-sni                        running   17s
    • Check each apigeeroute for where port 80 is defined.

      Run the following command for each apigeeroute listed in the previous command output:

      kubectl -n apigee get apigeeroute APIGEE_ROUTE_NAME -o yaml

      Where APIGEE_ROUTE_NAME is the name of an individual apigeeroute.

      Sample Command:

       kubectl -n apigee get apigeeroute non-sni -o yaml 

      Sample output:

       apiVersion: apigee.cloud.google.com/v1alpha2
       kind: ApigeeRoute
       metadata:
         name: non-sni
         namespace: apigee
         resourceVersion: "240441468"
       spec:
         enableNonSniClient: true
         hostnames:
         - '*'
         ports:
         - number: 443
           protocol: HTTPS
           tls:
             credentialName: myorg-hyb-dev-grp
             minProtocolVersion: TLS_AUTO
             mode: SIMPLE
         - number: 80
           protocol: HTTP
         selector:
           app: apigee-ingressgateway
       status:
         lastAppliedGeneration: 1
         state: running

      The non-sni apigeeroute shows that port 80 is enabled as part of this route.
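
The check in step 4, as an added shell example that is not part of the Apigee documentation: it reads an ApigeeRoute manifest and reports every port entry whose protocol is HTTP. The function names and the trimmed sample manifest are constructed for illustration, and the parser assumes the indentation that kubectl prints.

```shell
# route_http_ports: read one ApigeeRoute manifest (output of
# "kubectl get apigeeroute NAME -o yaml") on stdin and print the number of
# every ports entry whose protocol is plain HTTP, one per line.
route_http_ports() {
  awk '
    function indent_of(s,  t) { t = s; sub(/^ +/, "", t); return length(s) - length(t) }
    function emit() { if (num != "" && proto == "HTTP") print num; num = ""; proto = "" }
    /^[ \t]*$/ { next }                                   # ignore blank lines
    /^ *ports:[ \t]*$/ { in_ports = 1; base = indent_of($0); next }
    in_ports {
      # A non-list key at or above the indent of "ports:" ends the list.
      if (indent_of($0) <= base && $0 !~ /^ *- /) { emit(); in_ports = 0; next }
      if ($0 ~ /^ *- /) emit()                            # a new list item starts
      line = $0; sub(/^ *(- )?/, "", line); sub(/[ \t]+$/, "", line)
      if (line ~ /^number:/)   { sub(/^number:[ \t]*/, "", line); num = line }
      if (line ~ /^protocol:/) { sub(/^protocol:[ \t]*/, "", line); proto = line }
    }
    END { emit() }
  '
}

# audit_routes: run the check over every apigeeroute in a namespace
# (default: apigee) and name the routes that still define an HTTP port.
audit_routes() {
  ns="${1:-apigee}"
  for r in $(kubectl -n "$ns" get apigeeroute -o name); do
    ports=$(kubectl -n "$ns" get "$r" -o yaml | route_http_ports | tr '\n' ' ')
    if [ -n "$ports" ]; then echo "$r defines HTTP port(s): $ports"; fi
  done
}

# sample_route: constructed manifest modelled on the non-sni sample above.
sample_route() {
  cat <<'EOF'
spec:
  hostnames:
  - '*'
  ports:
  - number: 443
    protocol: HTTPS
    tls:
      mode: SIMPLE
  - number: 80
    protocol: HTTP
  selector:
    app: apigee-ingressgateway
EOF
}
```

Run `audit_routes` against the cluster, or pipe an exported manifest into `route_http_ports` to check a file before replacing the route.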

Resolution

To resolve this issue, disable port 80 in the original apigeeroute yaml file by removing the following lines.

 - number: 80
   protocol: HTTP

If you do not have the original apigeeroute yaml file, use the following steps:

  1. Export the current configuration with the following command:
    kubectl -n apigee get apigeeroute APIGEE_ROUTE_NAME -o yaml > APIGEE_ROUTE_FILENAME.yaml

    Where APIGEE_ROUTE_NAME is the apigeeroute being updated to remove the port 80 configuration.

    Where APIGEE_ROUTE_FILENAME is the output file name containing the apigeeroute yaml content.

  2. Edit the apigeeroute yaml file to remove the port 80 configuration.

    Open the APIGEE_ROUTE_FILENAME file in a text editor and remove the following lines:

     - number: 80
       protocol: HTTP
  3. Replace the existing apigeeroute with the modified YAML file:
    kubectl -n apigee replace -f APIGEE_ROUTE_FILENAME.yaml 

    Where APIGEE_ROUTE_FILENAME is the output file containing the updated apigeeroute configuration.

  4. The apigee-ingressgateway pods should now run with 2/2 containers. If they do not, delete the pods to allow new ones to be created automatically.
     NAME                                                       READY   STATUS    RESTARTS   AGE
     apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-shl9r  2/2     Running   0          25h
     apigee-ingressgateway-ext-ingress-myorg-hyb-8f2c412-vvzsf  2/2     Running   0          26h

Must gather diagnostic information

If the problem persists even after following the above instructions, gather the following diagnostic information and then contact Google Cloud Customer Care:
  • Overrides.yaml
  • Output of the following commands:
    • kubectl -n apigee get pods -l app=apigee-ingressgateway
    • kubectl -n apigee logs APIGEE_INGRESSGATEWAY_POD
    • kubectl -n apigee get apigeeroutes
    • For each of the stated routes, run:
      kubectl -n apigee get apigeeroute APIGEE_ROUTE_NAME -o yaml
  • As an alternative, you may run and provide the Apigee hybrid must-gather information.