Can't Access a Kyma Endpoint (503 status code)

Symptom

You try to access a Kyma endpoint and receive the 503 status code.

Cause

This behavior might be caused by a configuration error in Istio Ingress Gateway. As a result, the endpoint you call is not exposed.

Solution

To fix this problem, restart the Pods of Istio Ingress Gateway.

List all available endpoints:

bash

kubectl get virtualservice --all-namespaces

To trigger the recreation of their configuration, delete the Pods of Istio Ingress Gateway:
bash
```
kubectl delete pod -l app=istio-ingressgateway -n istio-system
```

If the restart doesn't help, follow these steps:

kubectl

Check all ports used by Istio Ingress Gateway.
1. List all the Pods of Istio Ingress Gateway:
  bash
```
kubectl get pod -l app=istio-ingressgateway -n istio-system -o name
```
2. For each of the listed Pods, replace {ISTIO_INGRESS_GATEWAY_POD_NAME} with the Pods'a name and check the ports that the istio-proxy container uses:
  bash
```
kubectl get -n istio-system {ISTIO_INGRESS_GATEWAY_POD_NAME} -o jsonpath='{.spec.containers[*].ports[*].containerPort}'
```
If the ports 80 and 443 are not used, check the logs of the istio-proxy container for errors related to certificates.
bash
```
kubectl logs -n istio-system -l app=istio-ingressgateway -c istio-proxy
```
To make sure that a corrupted certificate is regenerated, verify if the spec.enableKymaGateway field of your APIGateway custom resource is set to true. If you are running Kyma provisioned through Gardener, follow the Gardener troubleshooting guide instead.

Kyma Dashboard

Check all ports used by Istio Ingress Gateway:
1. Go to the istio-system namespace.
2. In the Workloads section, select Pods.
3. Search for a Pod labeled with app=istio-ingressgateway and click on its name.
4. Scroll down to find the Containers section and check which ports the istio-proxy container uses.
If the ports 80 and 443 are not used, check the logs of the istio-proxy container for errors related to certificates. To do this, click View Logs.
To make sure that a corrupted certificate is regenerated, verify if the spec.enableKymaGateway field of your APIGateway custom resource is set to true. If you are running Kyma provisioned through Gardener, follow the Gardener troubleshooting guide instead.

Istio Service Mesh

Tutorials

Technical Reference

Troubleshooting

Tutorials

Expose a Workload

Use APIRule v2

Use APIRule v2alpha1

Use APIRule v1beta1

Expose and Secure a Workload

Use APIRule v2

Use APIRule v2alpha1

Use APIRule v1beta1

Security

Custom Resources

APIGateway Custom Resource

APIRule Custom Resource

v2

v2alpha1

v1beta1

APIRule Migration

Technical Reference

Troubleshooting Guides

APIRule and Service Connection Issues

APIRule v2

APIRule v2alpha1

APIRule v1beta1

External DNS Management Errors

APIRule v2 Introduction

Resources

Tutorials

Technical Reference

Runtime Agent

Tutorials

Resources

Tutorials

Register a Service

VPC Peering

Resources

Tutorials

Tutorials

Resources

Resources

Troubleshooting

Tutorials

Resources

Technical Reference

Troubleshooting Guides

Collecting Logs

Collecting Traces

Collecting Metrics

Filtering and Processing Data

Integrate with your OTLP Backend

Architecture

Integration Guides

Resources

Tutorials

Resources

Technical Reference

Tutorials

Commands

Can't Access a Kyma Endpoint (503 status code) ​

Symptom ​

Cause ​

Solution ​

kubectl ​

Kyma Dashboard ​

Can't Access a Kyma Endpoint (503 status code)

Symptom

Cause

Solution

kubectl

Kyma Dashboard