Need help troubleshooting Istio IngressGateway HTTP ERROR 503
As 503 often occurs and it´s hard to find the issue I set up little troubleshooting answer, there are another questions with 503 error which I encountered for several months with answers, useful informations from istio documentation and things I would check.
Examples with 503 error:
- Istio 503:s between (Public) Gateway and Service
- IstIO egress gateway gives HTTP 503 error
- Istio Ingress Gateway with TLS termination returning 503 service unavailable
- how to terminate ssl at ingress-gateway in istio?
- Accessing service using istio ingress gives 503 error when mTLS is enabled
Common cause of 503 errors from istio documentation:
- https://istio.io/docs/ops/best-practices/traffic-management/#avoid-503-errors-while-reconfiguring-service-routes
- https://istio.io/docs/ops/common-problems/network-issues/#503-errors-after-setting-destination-rule
- https://istio.io/latest/docs/concepts/traffic-management/#working-with-your-applications
Few things I would check first:
- Check services ports name, Istio can route correctly the traffic if it knows the protocol. It should be
<protocol>[-<suffix>]
as mentioned in istiodocumentation. - Check mTLS, if there are any problems caused by mTLS, usually those problems would result in error 503.
- Check if istio works, I would recommend to apply bookinfo application example and check if it works as expected.
- Check if your namespace is injected with
kubectl get namespace -L istio-injection
- If the VirtualService using the subsets arrives before the DestinationRule where the subsets are defined, the Envoy configuration generated by Pilot would refer to non-existent upstream pools. This results in HTTP 503 errors until all configuration objects are available to Pilot.
Hope you find this useful.